Activate antispam even for authed smtp

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
DJP78
New user
Posts: 3
Joined: 2014-07-22 13:38

Activate antispam even for authed smtp

Post by DJP78 » 2014-07-22 15:16

Hi,

By design (don't know why...), antispam is disabled for authed SMTP.

Sometimes you might need to activate antispam even for authenticated SMTP users, especially if they have a virus or bot on their computer.

Is there a way to bypass this behaviour by adding an option "anti-spam for non-auth and authed" or "anti-spam for non-auth only" in the IP range? Or to add an option in the configuration?

Regards,
PS: http://www.hmailserver.com/forum/viewto ... 76#p163976 < Original topic!

percepts
Senior user
Posts: 5282
Joined: 2009-10-20 16:33
Location: Sceptred Isle

Re: Activate antispam even for authed smtp

Post by percepts » 2014-07-22 16:00


RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Activate antispam even for authed smtp

Post by RvdH » 2015-06-26 19:03

+1
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: Activate antispam even for authed smtp

Post by jimimaseye » 2015-06-26 22:34

Ok, I thought about this, and concluded I am not understanding enough. How will this work?

Spambot infects Dave's PC in Accounts and starts sending crap out.

1. HELO test: no client PC on your LAN will pass this. "DAVES-PC - ip:[192.168.1.34]" is going to fail a HELO test.
2. SPF check: how do you SPF check "DAVES-PC"?
3. MX records: DAVES-PC won't have an MX record either.
4. DNSBL checks: any DNSBL you have here is likely to fail, as it won't (correctly) list 192.168.1.34 as a valid whitelisted sender.
5. SpamAssassin: by the time it gets here it's too late; the client has finished passing its full message to the server.

So, maybe I am being thick, but tell me how it is supposed to check this authenticated mail and stop Dave's spam going out, or better, let Dave send genuine email out without being deemed hooky?
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Activate antispam even for authed smtp

Post by RvdH » 2015-06-27 00:34

Why do you assume it is coming from DAVES-PC on a local IP 192.168.1.34?
Once an account is hacked/hijacked or its password is stolen by some trojan/virus/keylogger, it can come from any IP in the world, as the hacker most likely knows Dave's password.

Below you see the SMTPD log for a hacked/hijacked account earlier today on my work server:

"SMTPD" 3552 66103 "2015-06-26 16:55:01.269" "173.26.154.52" "SENT: 220 server.mydomain.nl ESMTP"
"SMTPD" 3540 66103 "2015-06-26 16:55:01.737" "173.26.154.52" "RECEIVED: EHLO anotherdomain.com"
"SMTPD" 3540 66103 "2015-06-26 16:55:01.737" "173.26.154.52" "SENT: 250-server.mydomain.nl[nl]250-SIZE 40960000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3540 66103 "2015-06-26 16:55:02.018" "173.26.154.52" "RECEIVED: AUTH LOGIN"
"SMTPD" 3540 66103 "2015-06-26 16:55:02.018" "173.26.154.52" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3652 66103 "2015-06-26 16:55:02.330" "173.26.154.52" "RECEIVED: c29tZWFjY291bnRAbXlkb21haW4ubmwg [ someaccount@mydomain.nl ]
"SMTPD" 3652 66103 "2015-06-26 16:55:02.330" "173.26.154.52" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3552 66103 "2015-06-26 16:55:02.595" "173.26.154.52" "RECEIVED: ***"
"SMTPD" 3552 66103 "2015-06-26 16:55:02.611" "173.26.154.52" "SENT: 235 authenticated."
"SMTPD" 3540 66103 "2015-06-26 16:55:02.923" "173.26.154.52" "RECEIVED: MAIL FROM: <someaccount@mydomain.nl>"
"SMTPD" 3540 66103 "2015-06-26 16:55:02.923" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3652 66103 "2015-06-26 16:55:03.219" "173.26.154.52" "RECEIVED: RCPT TO: <acfife616@yahoo.com>"
"SMTPD" 3652 66103 "2015-06-26 16:55:03.219" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3552 66103 "2015-06-26 16:55:03.500" "173.26.154.52" "RECEIVED: RCPT TO: <aattiah27@yahoo.com>"
"SMTPD" 3552 66103 "2015-06-26 16:55:03.516" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3540 66103 "2015-06-26 16:55:03.843" "173.26.154.52" "RECEIVED: RCPT TO: <andrewthefonz@yahoo.com>"
"SMTPD" 3540 66103 "2015-06-26 16:55:03.843" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3552 66103 "2015-06-26 16:55:04.124" "173.26.154.52" "RECEIVED: RCPT TO: <a.lefou@yahoo.com>"
"SMTPD" 3552 66103 "2015-06-26 16:55:04.124" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3652 66103 "2015-06-26 16:55:04.405" "173.26.154.52" "RECEIVED: RCPT TO: <ahmed_love_20080@yahoo.com>"
"SMTPD" 3652 66103 "2015-06-26 16:55:04.405" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3540 66103 "2015-06-26 16:55:04.732" "173.26.154.52" "RECEIVED: RCPT TO: <alexei_64@yahoo.com>"
"SMTPD" 3540 66103 "2015-06-26 16:55:04.732" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3552 66103 "2015-06-26 16:55:05.029" "173.26.154.52" "RECEIVED: RCPT TO: <a23walker@yahoo.com>"
"SMTPD" 3552 66103 "2015-06-26 16:55:05.029" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3552 66103 "2015-06-26 16:55:05.341" "173.26.154.52" "RECEIVED: RCPT TO: <adaris1@yahoo.com>"
"SMTPD" 3552 66103 "2015-06-26 16:55:05.356" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3540 66103 "2015-06-26 16:55:05.653" "173.26.154.52" "RECEIVED: RCPT TO: <adora_santiago23@yahoo.com>"
"SMTPD" 3540 66103 "2015-06-26 16:55:05.653" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3652 66103 "2015-06-26 16:55:05.934" "173.26.154.52" "RECEIVED: RCPT TO: <alfredoraya33@yahoo.com>"
"SMTPD" 3652 66103 "2015-06-26 16:55:05.934" "173.26.154.52" "SENT: 250 OK"
"SMTPD" 3552 66103 "2015-06-26 16:55:06.230" "173.26.154.52" "RECEIVED: DATA"
"SMTPD" 3552 66103 "2015-06-26 16:55:06.230" "173.26.154.52" "SENT: 354 OK, send."
"SMTPD" 3188 66103 "2015-06-26 16:55:06.698" "173.26.154.52" "SENT: 250 Queued (0.464 seconds)"

If you look up 173.26.154.52 on DNSBLs, surely SpamAssassin would have kicked in and stopped the mails from being sent, e.g.:

b.barracudacentral.org True
bl.spamcop.net True
dnsbl-1.uceprotect.net True
hostkarma.junkemailfilter.com True
zen.spamhaus.org True
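The hijacked-session pattern in the log above is easy to hunt for mechanically. As an added example (not hMailServer's code and not from the poster), this Python script parses SMTPD lines in the format shown, groups them by session id, decodes the AUTH LOGIN username, counts RCPT TO commands and flags authenticated sessions from addresses outside the ranges you trust; the trusted networks, the DNSBL answers and the recipient threshold are constructed assumptions so it runs offline.

```python
"""Hunt for hijacked accounts in hMailServer SMTPD logs (added example).

Parses SMTPD log lines, groups them by session id, decodes the AUTH LOGIN
username, counts RCPT TO commands and flags authenticated sessions that look
like a stolen-credential spam run. Trusted networks, DNSBL answers and the
recipient threshold are constructed assumptions so the script runs offline.
"""
import base64
import binascii
import ipaddress
import re
from collections import defaultdict

# "SMTPD" <thread> <session> "<timestamp>" "<remote ip>" "<message>"
LINE_RE = re.compile(
    r'^"SMTPD"\s+(?P<thread>\d+)\s+(?P<session>\d+)\s+'
    r'"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"$'
)

TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]                  # assumption
DNSBL_HITS = {"173.26.154.52": ["zen.spamhaus.org", "bl.spamcop.net"]}  # constructed
RCPT_THRESHOLD = 5                                                       # assumption
AUTH_USER_PROMPT = "SENT: 334 VXNlcm5hbWU6"   # base64("Username:")


def parse_line(line):
    """Return the fields of one SMTPD log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def decode_auth_user(b64):
    """Decode the base64 username a client sends after the 334 prompt."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", "replace").strip()
    except (binascii.Error, ValueError):
        return None


def sessions_from_log(text):
    """Group parsable lines by session id, preserving order (annotated lines are skipped)."""
    sessions = defaultdict(list)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec:
            sessions[rec["session"]].append(rec)
    return sessions


def analyse_session(recs):
    """Summarise one session: who authenticated, from where, to how many recipients."""
    ip = recs[0]["ip"]
    user, authed, expect_user, rcpts = None, False, False, []
    for r in recs:
        msg = r["msg"]
        if msg == AUTH_USER_PROMPT:
            expect_user = True
        elif expect_user and msg.startswith("RECEIVED: "):
            parts = msg[len("RECEIVED: "):].split()
            user = decode_auth_user(parts[0]) if parts else None
            expect_user = False
        elif msg.startswith("SENT: 235"):          # 235 = authentication succeeded
            authed = True
        elif msg.startswith("RECEIVED: RCPT TO:") and "<" in msg:
            rcpts.append(msg.split("<", 1)[1].rstrip(">"))
    try:
        trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)
    except ValueError:
        trusted = False
    return {"ip": ip, "user": user, "authenticated": authed, "rcpt_count": len(rcpts),
            "trusted_source": trusted, "dnsbl": DNSBL_HITS.get(ip, [])}


def suspicious_sessions(text):
    """Map session id -> summary for authenticated sessions worth a look."""
    flagged = {}
    for sid, recs in sessions_from_log(text).items():
        s = analyse_session(recs)
        reasons = []
        if s["authenticated"] and not s["trusted_source"]:
            if s["dnsbl"]:
                reasons.append("auth from DNSBL-listed IP")
            if s["rcpt_count"] >= RCPT_THRESHOLD:
                reasons.append("high recipient count")
        if reasons:
            s["reasons"] = reasons
            flagged[sid] = s
    return flagged


def _line(thread, session, ts, ip, msg):
    return f'"SMTPD" {thread} {session} "{ts}" "{ip}" "{msg}"'


BAD, LAN = "173.26.154.52", "192.168.1.34"
# Constructed sample: a hijack run like the one in the thread, then a normal LAN user.
SAMPLE_LOG = "\n".join(
    [_line(3552, 66103, "2015-06-26 16:55:01.269", BAD, "SENT: 220 server.mydomain.nl ESMTP"),
     _line(3540, 66103, "2015-06-26 16:55:02.018", BAD, "RECEIVED: AUTH LOGIN"),
     _line(3540, 66103, "2015-06-26 16:55:02.018", BAD, AUTH_USER_PROMPT),
     _line(3652, 66103, "2015-06-26 16:55:02.330", BAD, "RECEIVED: c29tZWFjY291bnRAbXlkb21haW4ubmwg"),
     _line(3652, 66103, "2015-06-26 16:55:02.330", BAD, "SENT: 334 UGFzc3dvcmQ6"),
     _line(3552, 66103, "2015-06-26 16:55:02.595", BAD, "RECEIVED: ***"),
     _line(3552, 66103, "2015-06-26 16:55:02.611", BAD, "SENT: 235 authenticated."),
     _line(3540, 66103, "2015-06-26 16:55:02.923", BAD, "RECEIVED: MAIL FROM: <someaccount@mydomain.nl>")]
    + [_line(3540, 66103, f"2015-06-26 16:55:0{3 + i // 4}.000", BAD,
             f"RECEIVED: RCPT TO: <victim{i}@example.com>") for i in range(10)]
    + [_line(4000, 66104, "2015-06-26 17:02:00.000", LAN, "RECEIVED: AUTH LOGIN"),
       _line(4000, 66104, "2015-06-26 17:02:00.000", LAN, AUTH_USER_PROMPT),
       _line(4000, 66104, "2015-06-26 17:02:00.100", LAN, "RECEIVED: ZGF2ZUBteWRvbWFpbi5ubA=="),
       _line(4000, 66104, "2015-06-26 17:02:00.300", LAN, "SENT: 235 authenticated."),
       _line(4000, 66104, "2015-06-26 17:02:00.500", LAN, "RECEIVED: RCPT TO: <colleague@example.com>")]
)

if __name__ == "__main__":
    for sid, s in suspicious_sessions(SAMPLE_LOG).items():
        print(sid, s["ip"], s["user"], s["rcpt_count"], "; ".join(s["reasons"]))
```

Run against a real SMTPD log by reading the file into `suspicious_sessions()`; replace `DNSBL_HITS` with live lookups and widen `TRUSTED_NETS` to wherever your users legitimately authenticate from (VPN ranges, office egress), otherwise every roaming user trips the "untrusted source" branch. The recipient threshold is the knob that separates Dave sending to a project list from a bot working through a harvested address list.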

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: Activate antispam even for authed smtp

Post by jimimaseye » 2015-06-27 08:21

You missed my point:
or better, let Dave send genuine email out without being deemed hooky?
If you have spam checking on AUTHENTICATED connections (because you want to stop spam after someone has cracked the password, as above), how are you going to stop Dave in Accounts from failing to send legitimate mails (due to HELO and SPF tests etc.)?

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Activate antispam even for authed smtp

Post by RvdH » 2015-06-27 08:44

To my knowledge and experience, SpamAssassin does not give much weight to failed SPF and HELO tests; the DNSBL, URIBL and Bayes filters weigh much more and give much higher scores.

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Activate antispam even for authed smtp

Post by RvdH » 2015-06-27 10:50

Looked a little deeper into this; you can also lower the SpamAssassin score for authenticated users, e.g.:

Add AddXAuthUserHeader=1 to the Settings section in hMailServer.ini

Code:

    # hMailServer adds X-AuthUser as its own header line, so test for that
    # header directly instead of searching the Received headers for it
    describe  LOCAL_AUTH_RCVD  Message received from authenticated user
    header    LOCAL_AUTH_RCVD  exists:X-AuthUser
    score     LOCAL_AUTH_RCVD  -2

Doing so, I think you can lower the score assigned to failing SPF/HELO checks so that only the Bayes, DNSBL and URIBL checks are effective on mail from authenticated users.
