Search found 1107 matches

by palinka
2019-10-19 18:35
Forum: Scripting
Topic: NSLookup / PTR check
Replies: 2
Views: 41

Re: NSLookup / PTR check

SorenR wrote:
2019-10-19 18:27
So you missed that Ruud (RvdH) made a tool for that that a looooong time ago?
Yes, I did. Thank you!

I mean, I've been using it, but I did not know it was the Swiss Army knife of DNS.
by palinka
2019-10-19 16:27
Forum: Scripting
Topic: NSLookup / PTR check
Replies: 2
Views: 41

NSLookup / PTR check

Something Soren wrote yesterday got me thinking, so I searched around the interwebs and found this little gem. '*** v14.9*** www.dieseyer.de *** https://gallery.technet.microsoft.com/scriptcenter/nslookup-in-vbscript-a602b357 *** Function NSLookup(IPAdr) Dim Tst : Tst = CreateObject("WScript.Shell")...
by palinka
2019-10-19 01:29
Forum: Development & alpha discussions
Topic: hMailServer 5.7
Replies: 96
Views: 6045

Re: hMailServer 5.7

Last 6 lines in that log are HELO's. I had to whitelist HELO = (.*\.immuniweb\.com) to allow it to test but it eventually failed on the GEOIP for IMAPS and SMTPS. I have not edited the log, it is one section cut'n paste. I have no trace of the HELO's you saw in any of my logs. Weird. That's what i ...
by palinka
2019-10-19 00:17
Forum: General discussions
Topic: How To Whitelist MX Email Backup Servers Forwarding As Not SPAM
Replies: 8
Views: 58

Re: How To Whitelist MX Email Backup Servers Forwarding As Not SPAM

Is ham received from junkemailfilter.com being marked as spam by spamassassin or by hmailserver's built in spf check?
by palinka
2019-10-18 23:35
Forum: Development & alpha discussions
Topic: hMailServer 5.7
Replies: 96
Views: 6045

Re: hMailServer 5.7

Huh ??? Never mind. I see what you're doing. Very sneaky. :) You're using PTR lookup, not HELO. I tested one of their IPs and it returned what you'd shown. C:\Users\palinka>nslookup 70.38.27.252 Server: resolver1.opendns.com Address: 208.67.222.222 Name: f10.immuniweb.com Address: 70.38.27.252 But ...
by palinka
2019-10-18 23:25
Forum: Development & alpha discussions
Topic: hMailServer 5.7
Replies: 96
Views: 6045

Re: hMailServer 5.7

The HELOs immuniweb use are mail.example.com and openssl.client.net - every one of them got hit by Spamhaus. Client.net exists but it's not part of immuniweb and example.com has no A record at all. Probably reserved or something. If not, I'll grab it today. :mrgreen: Edit - Example domains As descri...
by palinka
2019-10-18 17:46
Forum: Development & alpha discussions
Topic: hMailServer 5.7
Replies: 96
Views: 6045

Re: hMailServer 5.7

RESULTS OF LOOKUP 192.175.111.241 is listed This IP address was detected and listed 17 times in the past 28 days, and 3 times in the past 24 hours. The most recent detection was at Fri Oct 18 03:25:00 2019 UTC +/- 5 minutes Your IP address (192.175.111.241) is sending email in such a way as to stro...
by palinka
2019-10-18 13:31
Forum: Development & alpha discussions
Topic: hMailServer 5.7
Replies: 96
Views: 6045

Re: hMailServer 5.7

RESULTS OF LOOKUP 192.175.111.241 is listed This IP address was detected and listed 17 times in the past 28 days, and 3 times in the past 24 hours. The most recent detection was at Fri Oct 18 03:25:00 2019 UTC +/- 5 minutes Your IP address (192.175.111.241) is sending email in such a way as to stro...
by palinka
2019-10-18 12:13
Forum: Development & alpha discussions
Topic: hMailServer 5.7
Replies: 96
Views: 6045

Re: hMailServer 5.7

I scored an F, due to not being able to connect. My firewall ban blocked their IPs long before trying the test due to being listed by spamhaus. I could unblock them easy enough, but what's up with the spamhaus listing?
by palinka
2019-10-17 14:09
Forum: Feature requests
Topic: HCD - SSL-Simplification with Letsencrypt
Replies: 24
Views: 2429

Re: HCD - SSL-Simplification with Letsencrypt

I actually had read them. They're either outdated, incomplete, or not applicable (apache, extra tools, gyrations). Your clue that it wants PEM files did help, and I finally got win-acme to produce all the correct files, but it's a specific set of steps through the [M]anual process of that tool. Wit...
by palinka
2019-10-15 13:13
Forum: Off-topic discussions
Topic: Another wierd attack
Replies: 7
Views: 253

Re: Another wierd attack

I've been getting bot net "attacks" recently where there is a coordinated attempt of a dozen or so connections over the course of a minute. It's immediately noticeable because they all use the same HELO. So far they've all been on port 25. They get rejected and firewall banned. Screenshot_20191015-0...
by palinka
2019-10-15 03:37
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

IDS hits are rolling in. Some never to be seen again, since with many repeat tries (and fails)...

http://hmsfirewallbandemo.ddns.net/sear ... reason=IDS
by palinka
2019-10-14 18:38
Forum: General discussions
Topic: Server properly configures marked as SPAMMER. Please help
Replies: 22
Views: 327

Re: Server properly configures marked as SPAMMER. Please help

h1j4ck3r wrote:
2019-10-14 17:46
(as far as I know)
Famous last words. :mrgreen:

A firewall rule may or may not help, but it certainly can't hurt and only takes a minute to set up.
by palinka
2019-10-14 17:16
Forum: General discussions
Topic: Server properly configures marked as SPAMMER. Please help
Replies: 22
Views: 327

Re: Server properly configures marked as SPAMMER. Please help

XBL is bot spam. Could be an infected computer on your network. Try blocking access to port 25 outbound except for your hmailserver. Then, as Matt suggests, find the infection.
by palinka
2019-10-12 08:57
Forum: General discussions
Topic: Server properly configures marked as SPAMMER. Please help
Replies: 22
Views: 327

Re: Server properly configures marked as SPAMMER. Please help

It's too sanitized to help much. Look at these, for example, which I picked randomly. They look like obvious spam. Session: 10527 "SMTPC" 8832 10527 "2019-10-11 09:51:03.087" "172.217.212.26" "RECEIVED: 220 mx.google.com ESMTP q194si13645218jaq.58 - gsmtp" "SMTPC" 8832 10527 "2019-10-11 09:51:03.087"...
by palinka
2019-10-12 02:03
Forum: General discussions
Topic: Server properly configures marked as SPAMMER. Please help
Replies: 22
Views: 327

Re: Server properly configures marked as SPAMMER. Please help

No passwords will be included, but usernames will.
by palinka
2019-10-11 23:26
Forum: General discussions
Topic: Server properly configures marked as SPAMMER. Please help
Replies: 22
Views: 327

Re: Server properly configures marked as SPAMMER. Please help

Hi Jimi, thanks for the reply. I've tried to identify some spamware with TCPView, nothing seemed wrong. I've also tried what you posted on your reply. The only authenticated users I've checked were apparently real users. Is there a way to see the e-mails that were relayed today, the from and to acc...
by palinka
2019-10-11 22:04
Forum: Scripting
Topic: Firewall Ban
Replies: 56
Views: 4406

Re: Firewall Ban

I hit a milestone today: 10,000 firewall rules related to this project. :mrgreen:

Still going strong. No signs of fatigue.
by palinka
2019-10-11 15:03
Forum: General discussions
Topic: Multiple domains best setup?
Replies: 17
Views: 516

Re: Multiple domains best setup?

I test this mail server with mxtoolbox and mail-tester.com. I did not know https://www.checktls.com but just tested it, set it up on port 25 with STARTTLS optional, chose the valid cert from LE and got 90%. Will the mail server be fully functional with port 25 STARTTLS optional? https://i.ibb.co/nLPXRpc/check...
by palinka
2019-10-11 03:28
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

So I ran the tor dnsbl against all 9,945 IPs in my firewall ban and had 24 hits. 0.24% of my connections came through tor. It could actually be a little higher. Some older entries may have been removed from the dnsbl. It's supposed to be real time. Still, don't be surprised if you get no hits at all...
by palinka
2019-10-10 23:49
Forum: General discussions
Topic: MySQL - Is the release distributed with WAMP ok?
Replies: 12
Views: 272

Re: MySQL - Is the release distributed with WAMP ok?

You'll be missing all the folders because they're stored in your old database. Sorry, I don't know anything about the CE version, but you somehow need to export them in an SQL format readable by MySQL. Then import that into MySQL. If you want to try that, I would suggest the following: First, export...
by palinka
2019-10-10 23:30
Forum: General discussions
Topic: MySQL - Is the release distributed with WAMP ok?
Replies: 12
Views: 272

Re: MySQL - Is the release distributed with WAMP ok?

Did you import all the tables from the old db? Or only the settings?
by palinka
2019-10-10 16:17
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

I'd like to run it against every IP in my database, but I'm sure I'll get blacklisted for sending 10k IPs in a few minutes.
by palinka
2019-10-10 14:22
Forum: General discussions
Topic: Urgent help! Why can someone send an email through my mail server without verification?
Replies: 16
Views: 779

Re: Urgent help! Why can someone send an email through my mail server without verification?

8,053 hits for GeoIP. 1,635 hits for Spamhaus zen. 128 hits for UCEP. [Many FPs - need to get rid of this] 37 hits for ResIP. [Looks for dynamic-y looking HELOs] 31 hits for HELO-Inv. [HELO validation] 11 hits for SH-DBL. [Spamhaus DBL OnHELO] 6 hits for ListUnsub-Rej. [Soren's xml custom list] 4 hit...
by palinka
2019-10-10 14:03
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

mattg wrote:
2019-10-08 02:00
Or perhaps using TOR
Speaking of which, I just ran across this.

https://www.dan.me.uk/dnsbl

Tor exit nodes in dnsbl. I'm going to try it starting today.
by palinka
2019-10-10 11:28
Forum: General discussions
Topic: Urgent help! Why can someone send an email through my mail server without verification?
Replies: 16
Views: 779

Re: Urgent help! Why can someone send an email through my mail server without verification?

Very VERY strong, impossible-to-remember passwords. I use those kinds of passwords often for email, because email is just set and forget. My daughter had a random 15 character password that was clearly sniffed probably somewhere where she used wifi, many years back. I've tightened up my security si...
by palinka
2019-10-10 03:16
Forum: General discussions
Topic: Urgent help! Why can someone send an email through my mail server without verification?
Replies: 16
Views: 779

Re: Urgent help! Why can someone send an email through my mail server without verification?

Simple passwords are easily guessed. Absolutely. PowerShell script for strong random passwords. :mrgreen: Function MakeUp-String([Int]$Size = 12, [Char[]]$CharSets = "ULNS", [Char[]]$Exclude) { $Chars = @(); $TokenSet = @() If (!$TokenSets) {$Global:TokenSets = @{ U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUV...
by palinka
2019-10-10 03:03
Forum: General discussions
Topic: Multiple domains best setup?
Replies: 17
Views: 516

Re: Multiple domains best setup?

mattg wrote:
2019-10-10 01:56
IIS re-writes are done in IIS manager using 'URL Rewrite'
I only do apache. :oops:

Code:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
by palinka
2019-10-10 00:22
Forum: General discussions
Topic: Multiple domains best setup?
Replies: 17
Views: 516

Re: Multiple domains best setup?

So you suggest to make these changes? For domain XXX.COM mail.xxx.com A 1.2.3.4 *mail CNAME mail.xxx.com webmail A 1.2.3.4 *.webmail CNAME webmail.xxx.com xxx.com MX 20 mail.xxx.com dkim._domainkey TXT v=DKIM1;k=rsa;p=MIGfMA0G....QEBAQUAA4GNADCBiQKBgQCTrHqwIjJe....QIDAQAB; xxx.com TXT v=spf1 mx a a...
by palinka
2019-10-09 21:10
Forum: General discussions
Topic: Multiple domains best setup?
Replies: 17
Views: 516

Re: Multiple domains best setup?

1. What should I type in Settings > Protocols > SMTP > Delivery of email > Local hostname (if I type mail.xxx.com > mxtoolbox says hostname OK and email have good reputation. but if I test second domain yyy.com on mxtoolbox it says "Reverse DNS does not match SMTP Banner" so emails from that domain...
by palinka
2019-10-09 19:55
Forum: General discussions
Topic: Better way to handle spam attacks?
Replies: 4
Views: 415

Re: Better way to handle spam attacks?

Sure, if you never plan to receive mail from the outside. You didn't specifically say that was the case but it appears that way from the "web application" comment in the OP. Just delete the internet IP range altogether. If you do need to receive mail there are various other methods. Like Matt said, block...
by palinka
2019-10-09 19:38
Forum: Scripting
Topic: Firewall Ban
Replies: 56
Views: 4406

Re: Firewall Ban

powershell: # De-Duplicate Firewall Rules List $RuleList = 'C:\scripts\hmailserver\FWBan\Deduplicate\fwrulelist.txt' $DupList = 'C:\scripts\hmailserver\FWBan\Deduplicate\fwduplist.txt' $RegexIP = '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]...
by palinka
2019-10-09 17:24
Forum: Scripting
Topic: Firewall Ban
Replies: 56
Views: 4406

Re: Firewall Ban

You may want to experiment opening up monitoring all ports (except port 25) and use idsDelIP(sIPAddress) on OnClientLogon... Sage advice, as usual. I discovered that without restriction to port 25, a couple of filters in OnHELO got triggered for IMAP connections when they should never have in the ...
by palinka
2019-10-09 16:40
Forum: General discussions
Topic: Urgent help! Why can someone send an email through my mail server without verification?
Replies: 16
Views: 779

Re: Urgent help! Why can someone send an email through my mail server without verification?

Simple passwords are easily guessed. Alternatively, it could have been part of a data breach (not on your server) where the user had the same password for the breached account as the mail account.
by palinka
2019-10-08 13:38
Forum: General discussions
Topic: changing smtp port
Replies: 5
Views: 8500

Re: changing smtp port

Server to server connections are always and only on port 25. There is nothing you can do to change that and even if you could, no other server would accept unauthenticated connections on any port other than 25.

You must use a relay.
by palinka
2019-10-08 11:18
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

Verizon and Time Warner definitely block. I believe Comcast does too. That's over half the overall residential internet market right there (US).
by palinka
2019-10-08 02:43
Forum: General discussions
Topic: Getting Different Presentaion Of hMailServer Forum Topics
Replies: 21
Views: 786

Re: Getting Different Presentaion Of hMailServer Forum Topics

Is that an M16 + Bipod My time in 'the green' wasn't nearly so exciting as to be called 'special'. SAW: squad automatic weapon. 5.56 belt-fed machine gun. Only civilians put a bipod on an M16/AR15. And a bottle of cheap liquor we bought from some hobo in the wrong place at the wrong time. :mrgreen:
by palinka
2019-10-08 02:38
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

mattg wrote:
2019-10-08 02:00
Or perhaps using TOR
Maybe, but still, how many mail servers also act as tor exit nodes?

Anyway, the vast majority of connections I drop are geo IP based, so I wouldn't accept them no matter what the circumstances are. Even if they were bona fide legit mail servers.
by palinka
2019-10-08 02:30
Forum: Scripting
Topic: Firewall Ban
Replies: 56
Views: 4406

Re: Firewall Ban

Can I suggest you do your GeoID lookup only when you pass "1" on hits? 1: code performs faster 2: IPAddress will probably stay geo-stationary for at least the next couple of milliseconds :mrgreen: I wanted to do that but ran into a couple of issues. First thing is i wanted both location and helo. S...
by palinka
2019-10-08 01:56
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

Anyway, I think the majority of IDS hits come from password guessers. There's no point in letting them back in. EXILED TO THE BARREN WASTELANDS OF THE INTERNET NEVER TO BE HEARD FROM AGAIN! Except they are usually connecting from dynamic IPs, which may later end up being used by a genuine sender Good ...
by palinka
2019-10-08 01:46
Forum: General discussions
Topic: Getting Different Presentaion Of hMailServer Forum Topics
Replies: 21
Views: 786

Re: Getting Different Presentaion Of hMailServer Forum Topics

T. Scott Randolph, former Sgt. Helo Assault Special Ops Capable at U.S. Marine Corps (1992-1998) I have worked for and with Special Forces from many countries. They are all very tough and effective, otherwise they would just be “the Army” and not “Special”. That being said, who’s bright idea was it...
by palinka
2019-10-07 22:58
Forum: Scripting
Topic: Firewall Ban
Replies: 56
Views: 4406

Re: Firewall Ban

That function didn't work out the way I hoped so I changed it up a bit. Function idsAddIP(sIPAddress, sHits, sHELO) Include("C:\Program Files (x86)\hMailServer\Events\VbsJson.vbs") Dim ReturnCode, Json, oGeoip, oXML Set Json = New VbsJson On Error Resume Next Set oXML = CreateObject ("Msxml2.XMLHTTP...
by palinka
2019-10-07 15:46
Forum: Scripting
Topic: Firewall Ban
Replies: 56
Views: 4406

Re: Firewall Ban

OK, here's how I worked it out. Testing it now. Function idsAddIP(sIPAddress, sHits, sCountry, sHELO) Dim strSQL, oDB : Set oDB = GetDatabaseObject strSQL = "INSERT INTO " & idsTable & " (timestamp,ipaddress,hits,country,helo) VALUES (NOW(),'" & sIPAddress & "','" & sHits &"','" & sCountry & "','" &...
by palinka
2019-10-07 14:47
Forum: Scripting
Topic: Firewall Ban
Replies: 56
Views: 4406

Re: Firewall Ban

You may want to experiment opening up monitoring all ports (except port 25) and use idsDelIP(sIPAddress) on OnClientLogon... Don't forget the rolling window when matching the number of hits. No point in processing stuff that only occurs once or twice a week. The IDS code was initially targeted at p...
by palinka
2019-10-07 13:39
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

You can check it out on my firewall ban demo: http://hmsfirewallbandemo.ddns.net/IDS.php :D Did you keep the 180 minute window ? Working with AutoBan sometimes aggressive settings will kill your server performance, which is why I only look at a 180 minutes window. No point in banning someone that wi...
by palinka
2019-10-07 13:07
Forum: General discussions
Topic: Getting Different Presentaion Of hMailServer Forum Topics
Replies: 21
Views: 786

Re: Getting Different Presentaion Of hMailServer Forum Topics

jim.bus wrote:
2019-10-05 21:22
Must have been the ship you were stationed on when you were in the Marines!
Eh.. I'm not 120 years old, nor am I British. Anyway holystoning is a job for swabbies and squids and never Marines. :mrgreen:
by palinka
2019-10-07 12:58
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

You can check it out on my firewall ban demo: http://hmsfirewallbandemo.ddns.net/IDS.php :D
by palinka
2019-10-07 12:54
Forum: Scripting
Topic: Firewall Ban
Replies: 56
Views: 4406

Re: Firewall Ban

Added SorenR's Intrusion Detection System (IDS). It's a great idea and picks up spammers that don't ordinarily get picked up. The way it works is simple, but genius. 1) every connection, it records the IP into the db with hits=1. 2a) IF a message is successfully received, the record is deleted -OR- 2...
by palinka
2019-10-07 12:27
Forum: General discussions
Topic: Google Calendar: 530 SMTP authentication is required.
Replies: 3
Views: 251

Re: Google Calendar: 530 SMTP authentication is required.

If you look in your logs, you may find that the FROM is actually google.com and not the account that is sending out the invite. If that's the case, then obviously, google.com is an external domain.

Can you post logs for this transaction?
by palinka
2019-10-07 12:21
Forum: General discussions
Topic: DNS Secondary MX record - do I need one?
Replies: 1
Views: 212

Re: DNS Secondary MX record - do I need one?

Is it best practice to have a secondary MX record or can I just use a primary record. Right now I just have one instance of hmailserver serving all of my domains. Are there advantages to having two, if I am simply just routing back to the same instance? Do some of you use GMAIL here as a back up? ...
by palinka
2019-10-06 01:24
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

SorenR wrote:
2019-10-05 18:05
I used it for GEO blocking on select ports but eventually removed the code from Handler.vbs - never got around to remove the column from DB. :mrgreen:
OK, cool. I got rid of it and ID as well. No real need for it when you have:

Code:

ON DUPLICATE KEY UPDATE hits=(hits+1)
by palinka
2019-10-05 16:54
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

Anyways, here's something to get you going. I presume you don't need the handler.vbs if you already have something that reads the database... Done. A couple of minor changes, but nothing to write home about. I want to run it a few days before committing to github. One question - what is the column ...
by palinka
2019-10-05 14:10
Forum: General discussions
Topic: Getting Different Presentaion Of hMailServer Forum Topics
Replies: 21
Views: 786

Re: Getting Different Presentaion Of hMailServer Forum Topics

jimimaseye wrote:
2019-10-05 11:14
We like to keep a clean ship. 👮‍♂️
Holystoned daily.

by palinka
2019-10-05 13:04
Forum: General discussions
Topic: How do you check antispam settings?
Replies: 5
Views: 423

Re: How do you check antispam settings?

Cool. Sounds great. I use the clamav/sane plugin too. Also download definitions hourly. I'll give that a try.
by palinka
2019-10-05 12:52
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

Here's one that is maybe more explanatory. Total number of firewall drops per day on SMTP ports. The trend line shows 3,189 per day as of now. It's a bit skewed by one "spammer" that turned out to be ethersoft in Japan pinging me 100k times over the course of a couple days because I had a ddns setup...
by palinka
2019-10-05 04:50
Forum: General discussions
Topic: How Do I Block All Mail Containing a Specific String
Replies: 7
Views: 418

Re: How Do I Block All Mail Containing a Specific String

Use the event log.

Code:

EventLog.Write( "whatever you want to record." )
by palinka
2019-10-05 03:04
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

Spammers/hackers do not stay on the same IP address for too long so over time you'll be "playing" with mailing lists. Actually it's been working out pretty well. I parse the firewall log to see who comes back and how many times. About half of them come back. Some just a few times, some hundreds of t...
by palinka
2019-10-04 22:23
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

You can have more than one unique key on the same table... Why would you have duplicate IP addresses? Because I want to see/count IPs that have been added/removed from the firewall. For example, it's possible to be listed, removed, listed again, rebanned, and permanently marked safe from future reban...
by palinka
2019-10-04 21:52
Forum: General discussions
Topic: Stop intruder
Replies: 68
Views: 3170

Re: Stop intruder

ipaddress is UNIQUE KEY so therefore: INSERT ipaddress bla bla ON DUPLICATE KEY UPDATE hits=(hits+1) Exactly. But my firewall ban requires unique key on ID to allow for duplicate IP addresses (for a few reasons). So I'll probably just prepend the column names with ids_ in order to just follow the s...