unknown users sending e-mails from our hmailserver
- ali.kalamchi
- New user
- Posts: 9
- Joined: 2020-03-09 12:39
unknown users sending e-mails from our hmailserver
Hi Guys,
I really need some help on this.
We have an hmail server that we use for our OTRS ticketing system, and for our devices (routers, switches, servers, scanners, ... etc) to send notifications.
The problem I see is that there are many unknown users (no account on the server) using this mail server to send spam. I can see many e-mails daily in the queue in the form of SOMEONE@our.domain sending to random addresses.
This is of course causing the mail reputation to drop to poor, and our tickets e-mails to our clients are rejected.
I am trying to obtain the IP addresses of the offending spammers and block them from reaching the server, but this is a losing battle, as there are thousands of them.
Any suggestion on how to check if the account does actually exist in any of the domains defined in the server, and if not, simply block it/prevent it from sending? Any available script for that?
We do use Auto-ban, and defined IP ranges, but offenders still seem to be able to authenticate and send mails.
I appreciate any help on that.
Re: unknown users sending e-mails from our hmailserver
Without more details it is hard to say what's going on... are you really using hmailserver version 4.x?
If posting here was a mistake and you are running 5.x:
- Can you post a piece of the SMTPD logfile where the attacker sends the mail(s)?
- run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
Was the spammer using the authenticated account's (From) e-mail address? Or just random (non-existing) names?
If it is using random non-existing names, you might try one of those scripts to limit the spammer's ability to use an account other than the authenticated account/domain.
If it is an authenticated sender, the account might be compromised (as well), and I would suggest you change the password for that account immediately.
You can obtain the username by posting a partial log file with the offending sender at https://log.damnation.org.uk/, which shows the username details on the fly, making it easier to find a compromised account.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
- ali.kalamchi
- New user
- Posts: 9
- Joined: 2020-03-09 12:39
Re: unknown users sending e-mails from our hmailserver
Hi,
Thank you very much for the quick response.
Our hmailserver is version 5.6.4-B2283, running on Windows Server 2012r2.
- Was the spammer using the authenticated accounts (From) e-mailadres? Or just random (non-existing) names?
I see a lot of random-names@our.domain. So the domain looks correct, yet the users are not actual registered accounts.
- If it is using random non-existing names, you might try one of those scripts to limit the spammer's ability to use an account other than the authenticated account/domain.
So basically, I need to copy the script, save it on the server as ANYNAME.vbs along with the other scripts and hit reload scripts, is that correct?
Regards
Re: unknown users sending e-mails from our hmailserver
ali.kalamchi wrote: ↑2020-05-07 14:39
Hi,
Thank you very much for the quick response.
Our hmailserver is version 5.6.4-B2283, running on Windows Server 2012r2.
- Was the spammer using the authenticated account's (From) e-mail address? Or just random (non-existing) names?
I see a lot of random-names@our.domain. So the domain looks correct, yet the users are not actual registered accounts.
Did the spammer authenticate?
ali.kalamchi wrote: ↑2020-05-07 14:39
- If it is using random non-existing names, you might try one of those scripts to limit the spammer's ability to use an account other than the authenticated account/domain.
So basically, I need to copy the script, save it on the server as ANYNAME.vbs along with the other scripts and hit reload scripts, is that correct?
Regards
C:\Program Files (x86)\hMailServer\Events\EventHandlers.vbs
If you already have something in 'Sub OnAcceptMessage(oClient, oMessage)' then simply append one of the scripts I posted above.
Otherwise just paste it in there, save and Reload Script.
But unless you are an open relay you have more issues, either with an account password being guessed or a very poor setup.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
- ali.kalamchi
- New user
- Posts: 9
- Joined: 2020-03-09 12:39
Re: unknown users sending e-mails from our hmailserver
Here is what I have in EventHandlers:
Code:
' Sub OnClientConnect(oClient)
' End Sub
' Sub OnSMTPData(oClient, oMessage)
' End Sub
' Sub OnAcceptMessage(oClient, oMessage)
' End Sub
' Sub OnDeliveryStart(oMessage)
' End Sub
' Sub OnDeliverMessage(oMessage)
' End Sub
' Sub OnBackupFailed(sReason)
' End Sub
' Sub OnBackupCompleted()
' End Sub
' Sub OnError(iSeverity, iCode, sSource, sDescription)
' End Sub
' Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
' End Sub
' Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
' End Sub
' Custom helper, not one of the hMailServer event hooks listed above: hMailServer
' only calls the documented event subs, so this runs only if one of them calls it.
Sub OnChangeCISSender(oMessage)
    ' Look for an <OTRS> ... X-OTRS-CUSTOMERUSER=address ... </OTRS> block in the body
    oldBody = UCase(oMessage.Body)
    nOtrsBegin = InStr(oldBody, "<OTRS>")
    nOtrsEnd = InStr(oldBody, "</OTRS>")
    nXOtrsCustomerUser = InStr(oldBody, "X-OTRS-CUSTOMERUSER=")
    If nOtrsBegin <> 0 And nOtrsEnd <> 0 And nXOtrsCustomerUser <> 0 Then
        ' 20 = Len("X-OTRS-CUSTOMERUSER="); take the address up to the closing tag
        XOtrsCustomer = Mid(oMessage.Body, nXOtrsCustomerUser + 20, nOtrsEnd - nXOtrsCustomerUser - 20)
        oMessage.From = Trim(XOtrsCustomer)
        oMessage.FromAddress = Trim(XOtrsCustomer)
        ' Drop everything up to and including </OTRS> (7 chars) plus any leading CRLFs
        Xbody = Mid(oMessage.Body, nOtrsEnd + 7)
        While Left(Xbody, 2) = Chr(13) + Chr(10)
            Xbody = Mid(Xbody, 3)
        Wend
        oMessage.Body = Xbody
    End If
    oMessage.Save
End Sub
So basically, if I understood correctly, I need to copy the script and paste it under Sub OnAcceptMessage(oClient, oMessage), which is currently empty as shown above?
- Did the spammer authenticate?
I am not really sure. However, I see many different random names, so it seems that somehow they are bypassing authentication?
Re: unknown users sending e-mails from our hmailserver
If you keep answering only half or less of the questions I asked, I am not able to, nor do I like to, assist you any further; I have better things to do than act like a parrot.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
- ali.kalamchi
- New user
- Posts: 9
- Joined: 2020-03-09 12:39
Re: unknown users sending e-mails from our hmailserver
Hey, I'm just trying to figure out how to solve the issue we are having, and I really don't have experience with hmailserver or its scripts/logs, and I have not been offensive, so I'm not sure why you are taking it personally.
I do genuinely need help with the issue.
thanks anyway
Re: unknown users sending e-mails from our hmailserver
RvdH wrote: ↑2020-05-07 12:43
- Can you post a piece of the SMTPD logfile where the attacker sends the mail(s)?
- run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
- ali.kalamchi
- New user
- Posts: 9
- Joined: 2020-03-09 12:39
Re: unknown users sending e-mails from our hmailserver
Here are some log samples, fake e-mail addresses highlighted:
Code:
"SMTPD" 2080 52721398 "2020-05-07 00:10:46.804" "171.35.169.187" "SENT: 220 Welcome to talia.systems."
"SMTPD" 2084 52721398 "2020-05-07 00:10:47.429" "171.35.169.187" "RECEIVED: EHLO mail.talia.systems"
"SMTPD" 2084 52721398 "2020-05-07 00:10:47.429" "171.35.169.187" "SENT: 250-mail.talia.systems[nl]250-SIZE 100000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2080 52721398 "2020-05-07 00:10:48.054" "171.35.169.187" "RECEIVED: AUTH LOGIN"
"SMTPD" 2080 52721398 "2020-05-07 00:10:48.054" "171.35.169.187" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2084 52721398 "2020-05-07 00:10:48.695" "171.35.169.187" "RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD" 2084 52721398 "2020-05-07 00:10:48.695" "171.35.169.187" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2076 52721398 "2020-05-07 00:10:49.336" "171.35.169.187" "RECEIVED: ***"
"SMTPD" 2076 52721398 "2020-05-07 00:10:49.336" "171.35.169.187" "SENT: 235 authenticated."
"SMTPD" 2080 52721398 "2020-05-07 00:10:50.007" "171.35.169.187" "RECEIVED: MAIL FROM:<leivisonviana@talia.systems>"
"SMTPD" 2080 52721398 "2020-05-07 00:10:50.007" "171.35.169.187" "SENT: 250 OK"
"SMTPD" 2076 52721398 "2020-05-07 00:10:50.648" "171.35.169.187" "RECEIVED: RCPT TO:<vanderlei-adv@hotmail.com>"
"SMTPD" 2076 52721398 "2020-05-07 00:10:50.648" "171.35.169.187" "SENT: 250 OK"
"SMTPD" 2080 52721398 "2020-05-07 00:10:51.320" "171.35.169.187" "RECEIVED: DATA"
"SMTPD" 2080 52721398 "2020-05-07 00:10:51.320" "171.35.169.187" "SENT: 354 OK, send."
"SMTPD" 1324 52721398 "2020-05-07 00:10:53.023" "171.35.169.187" "SENT: 250 Queued (1.664 seconds)"
Code:
"SMTPD" 2080 52721398 "2020-05-07 00:11:11.023" "171.35.169.187" "RECEIVED: RCPT TO:<mj@m-jackowski.pl>"
"SMTPD" 2080 52721398 "2020-05-07 00:11:11.039" "171.35.169.187" "SENT: 250 OK"
"SMTPD" 2096 52721398 "2020-05-07 00:11:11.680" "171.35.169.187" "RECEIVED: DATA"
"SMTPD" 2096 52721398 "2020-05-07 00:11:11.680" "171.35.169.187" "SENT: 354 OK, send."
"SMTPD" 1324 52721398 "2020-05-07 00:11:12.570" "171.35.169.187" "SENT: 250 Queued (0.896 seconds)"
"SMTPD" 2084 52721398 "2020-05-07 00:11:13.227" "171.35.169.187" "RECEIVED: MAIL FROM:<lelek1978@talia.systems>"
"SMTPD" 2084 52721398 "2020-05-07 00:11:13.227" "171.35.169.187" "SENT: 250 OK"
"SMTPD" 2096 52721398 "2020-05-07 00:11:13.883" "171.35.169.187" "RECEIVED: RCPT TO:<mogilskie@gmail.com>"
"SMTPD" 2096 52721398 "2020-05-07 00:11:13.883" "171.35.169.187" "SENT: 250 OK"
"SMTPD" 2084 52721398 "2020-05-07 00:11:14.524" "171.35.169.187" "RECEIVED: DATA"
"SMTPD" 2084 52721398 "2020-05-07 00:11:14.524" "171.35.169.187" "SENT: 354 OK, send."
"SMTPD" 1324 52721398 "2020-05-07 00:11:15.789" "171.35.169.187" "SENT: 250 Queued (1.280 seconds)"
Code:
"SMTPD" 2076 52722122 "2020-05-07 00:22:42.881" "202.137.155.168" "SENT: 220 Welcome to talia.systems."
"SMTPD" 2076 52722122 "2020-05-07 00:22:44.772" "202.137.155.168" "RECEIVED: EHLO mail.talia.systems"
"SMTPD" 2076 52722122 "2020-05-07 00:22:44.772" "202.137.155.168" "SENT: 250-mail.talia.systems[nl]250-SIZE 100000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2096 52722122 "2020-05-07 00:22:46.912" "202.137.155.168" "RECEIVED: AUTH LOGIN"
"SMTPD" 2096 52722122 "2020-05-07 00:22:46.912" "202.137.155.168" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2076 52722122 "2020-05-07 00:22:49.819" "202.137.155.168" "RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD" 2076 52722122 "2020-05-07 00:22:49.819" "202.137.155.168" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2076 52722122 "2020-05-07 00:22:51.600" "202.137.155.168" "RECEIVED: ***"
"SMTPD" 2076 52722122 "2020-05-07 00:22:51.600" "202.137.155.168" "SENT: 235 authenticated."
"SMTPD" 2080 52722122 "2020-05-07 00:22:52.944" "202.137.155.168" "RECEIVED: MAIL FROM:<esi2001@talia.systems>"
"SMTPD" 2080 52722122 "2020-05-07 00:22:52.944" "202.137.155.168" "SENT: 250 OK"
"SMTPD" 2076 52722122 "2020-05-07 00:22:54.710" "202.137.155.168" "RECEIVED: RCPT TO:<jameshawkins21@hotmail.co.uk>"
"SMTPD" 2076 52722122 "2020-05-07 00:22:54.710" "202.137.155.168" "SENT: 250 OK"
"SMTPD" 2076 52722122 "2020-05-07 00:22:56.852" "202.137.155.168" "RECEIVED: DATA"
"SMTPD" 2076 52722122 "2020-05-07 00:22:56.852" "202.137.155.168" "SENT: 354 OK, send."
"SMTPD" 1324 52722122 "2020-05-07 00:23:09.258" "202.137.155.168" "SENT: 250 Queued (12.416 seconds)"
"SMTPD" 2076 52722122 "2020-05-07 00:23:09.961" "202.137.155.168" "RECEIVED: MAIL FROM:<esi2001@talia.systems>"
"SMTPD" 2076 52722122 "2020-05-07 00:23:09.961" "202.137.155.168" "SENT: 250 OK"
"SMTPD" 2080 52722122 "2020-05-07 00:23:10.992" "202.137.155.168" "RECEIVED: RCPT TO:<JAuletta@mba-it.net>"
"SMTPD" 2080 52722122 "2020-05-07 00:23:10.992" "202.137.155.168" "SENT: 250 OK"
"SMTPD" 2096 52722122 "2020-05-07 00:23:11.602" "202.137.155.168" "RECEIVED: DATA"
"SMTPD" 2096 52722122 "2020-05-07 00:23:11.617" "202.137.155.168" "SENT: 354 OK, send."
The above are a few examples.
Attached is the diagnostic file.
Thanks
- Attachments
- HMSDiagnostic_202005071515.zip (3.17 KiB)
- ali.kalamchi
- New user
- Posts: 9
- Joined: 2020-03-09 12:39
Re: unknown users sending e-mails from our hmailserver
Sorry, changing the font color didn't work. Below are examples of the fake accounts from the posted log:
leivisonviana@talia.systems
lelek1978@talia.systems
esi2001@talia.systems
We don't have any of those accounts within our talia.systems domain.
Re: unknown users sending e-mails from our hmailserver
You may want to change the password for nas@talia.systems !
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: unknown users sending e-mails from our hmailserver
We have got a winner... might also be a good time to check the system (NAS device?) for malware or unwanted external access.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
- ali.kalamchi
- New user
- Posts: 9
- Joined: 2020-03-09 12:39
Re: unknown users sending e-mails from our hmailserver
Hi,
Many thanks. Will do and watch the situation. Yes, it is a NAS device. In the worst case I might even stop it from accessing the mail server at this point.
May I ask how you specified exactly which account might be causing the issue?
regards
Re: unknown users sending e-mails from our hmailserver
ali.kalamchi wrote: ↑2020-05-07 19:14Hi,
Many thanks. Will do and watch the situation. Yes, it is a NAS device. In the worst case I might even stop it from accessing the mail server at this point.
May I ask how did you specify exactly which account might be causing the issue ?
regards
Code:
"SMTPD" 2080 52721398 "2020-05-07 00:10:48.054" "171.35.169.187" "RECEIVED: AUTH LOGIN"
"SMTPD" 2080 52721398 "2020-05-07 00:10:48.054" "171.35.169.187" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2084 52721398 "2020-05-07 00:10:48.695" "171.35.169.187" "RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD" 2084 52721398 "2020-05-07 00:10:48.695" "171.35.169.187" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2076 52721398 "2020-05-07 00:10:49.336" "171.35.169.187" "RECEIVED: ***"
"SMTPD" 2076 52721398 "2020-05-07 00:10:49.336" "171.35.169.187" "SENT: 235 authenticated."
It decodes the base64-encoded username.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
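The trick RvdH uses above (decode the base64 token the client sends after the "334 VXNlcm5hbWU6" prompt) and his earlier point about senders that differ from the authenticated account can both be applied to the whole SMTPD log offline rather than line by line. The following Python script is an added example written for this page, not a tool from the thread or from hMailServer: it parses SMTPD log lines in the format posted above, decodes each session's AUTH LOGIN username, and flags every MAIL FROM that differs from the authenticated account or is not in a list of known accounts. The sample log is constructed from the lines posted in the thread plus one made-up legitimate session (IP 10.0.0.5, session 52722999); the known-account list (nas@talia.systems, otrs@talia.systems) is an assumption.

```python
"""Correlate hMailServer SMTPD log lines per session: decode the AUTH LOGIN
username and compare it with every MAIL FROM the same session sends.
Added example for this thread, not part of hMailServer."""
import base64
import re
from collections import defaultdict

# Constructed sample: the sessions posted in the thread, plus one made-up
# legitimate session (10.0.0.5 / 52722999) in which the account sends as itself.
SAMPLE_LOG = '''\
"SMTPD" 2080 52721398 "2020-05-07 00:10:48.054" "171.35.169.187" "RECEIVED: AUTH LOGIN"
"SMTPD" 2080 52721398 "2020-05-07 00:10:48.054" "171.35.169.187" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2084 52721398 "2020-05-07 00:10:48.695" "171.35.169.187" "RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD" 2084 52721398 "2020-05-07 00:10:48.695" "171.35.169.187" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2076 52721398 "2020-05-07 00:10:49.336" "171.35.169.187" "RECEIVED: ***"
"SMTPD" 2076 52721398 "2020-05-07 00:10:49.336" "171.35.169.187" "SENT: 235 authenticated."
"SMTPD" 2080 52721398 "2020-05-07 00:10:50.007" "171.35.169.187" "RECEIVED: MAIL FROM:<leivisonviana@talia.systems>"
"SMTPD" 2084 52721398 "2020-05-07 00:11:13.227" "171.35.169.187" "RECEIVED: MAIL FROM:<lelek1978@talia.systems>"
"SMTPD" 2096 52722122 "2020-05-07 00:22:46.912" "202.137.155.168" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2076 52722122 "2020-05-07 00:22:49.819" "202.137.155.168" "RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD" 2076 52722122 "2020-05-07 00:22:51.600" "202.137.155.168" "SENT: 235 authenticated."
"SMTPD" 2080 52722122 "2020-05-07 00:22:52.944" "202.137.155.168" "RECEIVED: MAIL FROM:<esi2001@talia.systems>"
"SMTPD" 2080 52722999 "2020-05-07 01:00:00.000" "10.0.0.5" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2080 52722999 "2020-05-07 01:00:00.500" "10.0.0.5" "RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD" 2080 52722999 "2020-05-07 01:00:01.000" "10.0.0.5" "SENT: 235 authenticated."
"SMTPD" 2080 52722999 "2020-05-07 01:00:01.500" "10.0.0.5" "RECEIVED: MAIL FROM:<nas@talia.systems>"
'''
# Assumption: the accounts that actually exist on the server.
KNOWN_ACCOUNTS = {"nas@talia.systems", "otrs@talia.systems"}

# "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "<message>"
LINE_RE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"\s+"(.*)"$')
MAIL_FROM_RE = re.compile(r"^RECEIVED:\s*MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)
# hMailServer's AUTH LOGIN username prompt is the literal base64 of "Username:".
USERNAME_PROMPT = "SENT: 334 " + base64.b64encode(b"Username:").decode("ascii")


def parse_line(line):
    """Split one SMTPD log line into session id, time, client IP and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    session, time, ip, msg = m.groups()
    return {"session": session, "time": time, "ip": ip, "msg": msg}


def decode_auth_user(token):
    """Decode the base64 username the client sends after the 334 prompt.
    Returns None for anything that is not valid base64 text (e.g. the masked
    password line "***")."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(log_text, known_accounts):
    """Return one finding per MAIL FROM: who authenticated, what they claimed to be."""
    expecting_user = set()   # sessions whose next RECEIVED line is the username
    auth_user = {}           # session id -> decoded, lower-cased username
    authenticated = set()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s, msg = rec["session"], rec["msg"]
        if msg == USERNAME_PROMPT:
            expecting_user.add(s)
        elif s in expecting_user and msg.startswith("RECEIVED: "):
            expecting_user.discard(s)
            user = decode_auth_user(msg[len("RECEIVED: "):])
            if user:
                auth_user[s] = user.lower()
        elif msg == "SENT: 235 authenticated.":
            authenticated.add(s)
        else:
            m = MAIL_FROM_RE.match(msg)
            if m:
                sender = m.group(1).strip().lower()
                user = auth_user.get(s) if s in authenticated else None
                findings.append({
                    "session": s, "ip": rec["ip"], "time": rec["time"],
                    "auth_user": user, "mail_from": sender,
                    "mismatch": user is not None and sender != user,
                    "unknown_sender": sender not in known_accounts,
                })
    return findings


def summarize(findings):
    """Per authenticated account, how many MAIL FROM addresses did not match it."""
    counts = defaultdict(int)
    for f in findings:
        if f["mismatch"]:
            counts[f["auth_user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG, KNOWN_ACCOUNTS)
    for f in results:
        flag = "SPOOFED" if f["mismatch"] else "ok"
        print(f'{f["time"]} {f["ip"]} auth={f["auth_user"]} from={f["mail_from"]} {flag}')
    print(summarize(results))
```

Run it against a real log with `analyze(open(path, encoding="utf-8", errors="replace").read(), accounts)`. The summary names the authenticated account that is being abused (in the sample, nas@talia.systems with three spoofed senders), which is the account to disable and re-credential, and the per-finding IP list is what to feed into the firewall or Auto-ban. The same comparison, the client's authenticated username against the message's From address, is what a server-side OnAcceptMessage script would enforce at delivery time.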
- ali.kalamchi
- New user
- Posts: 9
- Joined: 2020-03-09 12:39
Re: unknown users sending e-mails from our hmailserver
Many thanks. I really do appreciate the help.
I have completely disabled this account for tonight. Will monitor the server and see how it goes.
Have a nice evening