getting slammed via spam and hacking

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

getting slammed via spam and hacking

Post by Pern » 2011-02-25 18:07

i have a problem ive gotten on some listing or spam/hacking group or something for our email server.

i have the fallowing problems
1: brute force hacking, searching for admin,director,fred,dan,john,sales,info etc email accounts and trying passwords for them
i have been reviewing the logs manually(can only get to them every week or two) and banning the ips(this stops that ip), but its getting over whelming.
one got threw this way recently
i have enabled tar-pitting i think its called, limited trys, and i have read a lot on how to combat this, i got banned from yahoo and others and i did kim( i think it was called) and spf for domain keys and such, and got yahoo and others to un ban us. but i had to change the ip as it was still being banned from others.
2: i have had a relay type thing going on as well where external accounts can send external emails, as you know this builds up in the que and sends massive emails. i have banned those ips again, and i have settings to NOT allow relay and have tested this via relay testing sites too, they still get threw or did. i have reviewed postings on this forum extensively and tried all the settings. it stopped some of it

im at wits end here, im now going to try ewall im not really looking for a paid solution this for a church email site. and im not sure this will solve my problems(will it?)

i really need help with this can anyone help walk me threw settings see if i have them right and things ive done and find a way to fix all this.
im supper happy with this email server program, love it in fact(thx for the program). and i really dont know of even a paid solution that will be any better. i have thought of going to a filtering company but again i dont think it will help. any solution here?

what do i do to get this fixed please use detailed instructions, and ill provide if im told how to any info needed please. i can even furnish logs but id rather email or post temp(on a site i have){then delete them} so i dont have to mask the ips and such in the logs. for a single persons help please.
although ill do anything needed please

this is fairly urgent(its it not always) as its an active problem

thanks in advance for any help you may provide
Johnny
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

User avatar
mattg
Moderator
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: getting slammed via spam and hacking

Post by mattg » 2011-02-26 00:51

What version of hMailserver are you using?

Do you autoban enabled?
Do you have a strong password policy?

How many accounts and domains do you have ?
Do you run any scripts? What are your IP ranges settings (all settings)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

Re: getting slammed via spam and hacking

Post by Pern » 2011-02-26 01:00

mattg wrote: What version of hMailserver are you using?
5.3.3-B1846
Do you autoban enabled?
YES
Do you have a strong password policy?
didnt know we can do this, so assume no
How many accounts and domains do you have ?
small church, setup is about 50 emails and 2 distrib setups, only 3 or 4 are actively being used most are forwarded to personal church personals emails, no email account passwords setup on those at all.
Do you run any scripts? What are your IP ranges settings (all settings)
scripts: no not really, ive played with a few but non active at this time
as for ip range is there a way to dump all the settings for you i have banned a bunch of ips 16 of them other then that i have
my computer set at 127.0.0.1 external to external is unchecked(in allow delivery's from) and eternal to local is unchecked in smtp
then i have internet range 0.0.0.0 to 255.215.255.255 same setup as above
then i have 16 banned ips with every thing on left unchecked for 16 ips and the 114.0.0.0 to 144.255.255.255 (a tiwian block of ips) fully banned with all left side unchecked.
is this what you wanted?
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

User avatar
mattg
Moderator
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: getting slammed via spam and hacking

Post by mattg » 2011-02-26 01:23

What are your autoban settings?

Strong Password policy is something that you need to implement. With so few accounts that should be easy to enforce
Internet range should be 0.0.0.0 to 255.255.255.255

There are a couple of really good scripts to ensure that senders of mail have authenticated with the account that they send from I'll post a link in a sec
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

Re: getting slammed via spam and hacking

Post by Pern » 2011-02-26 01:26

mattg wrote:What are your autoban settings?
3,30,60
Strong Password policy is something that you need to implement. With so few accounts that should be easy to enforce
Internet range should be 0.0.0.0 to 255.255.255.255
sorry typo it is 255. etc
There are a couple of really good scripts to ensure that senders of mail have authenticated with the account that they send from I'll post a link in a sec
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: getting slammed via spam and hacking

Post by martin » 2011-02-26 01:31

Do you have logs from the time when the spammer started to send mail? It could be that he has gained access to one of your accounts and sent from that. Then he will be treated as 'internal' rather than external.

User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

Re: getting slammed via spam and hacking

Post by Pern » 2011-02-26 01:45

id be happy to send you the logs or zip them up and send them or post them too for you to you martin MORE then happy to
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: getting slammed via spam and hacking

Post by martin » 2011-02-26 01:47

Feel free to send the logs to me at martin@hmailserver.com. Please zip any log files.

User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

Re: getting slammed via spam and hacking

Post by Pern » 2011-02-26 02:06

i need to find them and im currently downloading them to my personal computer, as there is over 3 gigs of logs it may take a bit
i will give you for now the two i believe started it all, and last two days logs too. any you would like id be happy to share tho

thanks for the help both of you matt and martin
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: getting slammed via spam and hacking

Post by martin » 2011-02-26 02:08

I don't need *all* your logs. Probably just the last MB of them would be sufficient.

If you include a backup of your settings (not the actual messages), that may be helpful as well.

User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

Re: getting slammed via spam and hacking

Post by Pern » 2011-02-26 02:11

how do i give you the settings(backup) just do a back up and send it to you?
and im only sending 4 files when i do. i just have to get them to me so i can find what ones to send you.
(one that started the relay type problem) one that got a hacked account, and the last two days (small) just to show current hits.

again thx
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: getting slammed via spam and hacking

Post by martin » 2011-02-26 02:14

If you go to the backup settings in hMailServer, you can choose to perform a backup of only domains and settings, without messages.

User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

Re: getting slammed via spam and hacking

Post by Pern » 2011-02-26 03:10

martin: i sent some of the files and explained in the email the rest
thanks for help
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

bescher
Normal user
Normal user
Posts: 123
Joined: 2008-05-26 01:56
Location: Milwaukee Wi
Contact:

Re: getting slammed via spam and hacking

Post by bescher » 2011-02-26 11:22

I know that Martin is working with you. But I would also add greylisting to that list of needing to run.

Too bad this didn't happened 6 months ago. You could have gotten ewall much cheaper.
I would ask Alex if ewall 3.0 is still available. I run it and love it.
I would run just hmail but I am not a scripting person and I use a lot of blacklists and whitelist for that matter.

Maybe when I have tinme I can figure it out.

User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

Re: getting slammed via spam and hacking

Post by Pern » 2011-02-26 16:05

Hi,

Not sure I follow. The spammer started in 2010-11-22? That's quite some
time ago. I saw that a client connected and started to send messages using
Dan's account. I don't see any actual 'hacking', just spam messages being
sent from the account.

A very common cause for this is just a bad password. If Dan's password is
dan, or any other common one, a spammer may guess it. And if they guess
right, they have access to the account. Couldn't this be the cause here?

Another possible cause is that some spammer has gained access to Dan's
computer and figured out the password that way.

Martin
the hacking happened later i have yet to find that log

yes we had not checked the server as we were using it as a forward only to private emails, in jan/feb sometime we started to send out newsletters and noticed i didnt get one, i looked at the server, and we got banned from, a lot of places.
as far as dan@ account i did not notice it ill have to look at the logs for the account, but the logs i sent you martin where only the relay type problem we where having, that a external account could send external. that should not of happened at all.
the dan@ problem im not sure if the pass word was by him or not,hes pretty good about it hes an IT guy installs network systems for banks hes BIG on security ive seen some of his pw's and he hosts the churches virtual setup we have, and his pw's to me are complicated caps,numbers and punctuation so i find it hard to believe it was not secure. other then that a hack from his company there very small 5 people ones his son again hard to think that direction, although im not saying its not impossible.

at this time im more of looking of a way to stop it and prevent it.

i have worked with vbs, and i know vb.net and php very well, i was thinking of making a program, that filters spam like spam assassin as im not happy with the hoops to go threw to set up SA, you have white lists and blacklists with antivirus all ready. maybe my next step is to devlope a in comming and out going vbs spam ranking checks, and a check if the sender/or reciver is local or not, and if the domainis a spam known ip block, hungry, Taiwan,russ etc.
this would help, and if i check full sentences of emails that may help too for better filtering,a nd then capture info from and to and ips to check agenst its own banned listing, and maybe make a routine to vbs inject via mentenance the blacklisting. 9as i think of things to add to this and get deeper here)

well for now is there another solution or tips?

and martin did you get an opertuninty to check my settings KIND SIR.
bescher wrote:I know that Martin is working with you. But I would also add greylisting to that list of needing to run.

Too bad this didn't happened 6 months ago. You could have gotten ewall much cheaper.
I would ask Alex if ewall 3.0 is still available. I run it and love it.
I would run just hmail but I am not a scripting person and I use a lot of blacklists and whitelist for that matter.

Maybe when I have tinme I can figure it out.
hmailserver has blacklisting and white even gray listings build in now.
thanks all for the help
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

User avatar
martin
Developer
Developer
Posts: 6846
Joined: 2003-11-21 01:09
Location: Sweden
Contact:

Re: getting slammed via spam and hacking

Post by martin » 2011-02-26 18:32

but the logs i sent you martin where only the relay type problem we where having, that a external account could send external. that should not of happened at all.
But the spammer authenticated using dan's account. And a user which has authenticated is considered a local user and not an external one. Here's the start of such as ession. ZGFu is base-64 encoded version of "dan".

Code: Select all

"SMTPD"	4348	93522	"2010-11-22 20:57:03.459"	"83.65.129.168"	"RECEIVED: AUTH LOGIN"
"SMTPD"	4348	93522	"2010-11-22 20:57:03.459"	"83.65.129.168"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	4348	93522	"2010-11-22 20:57:03.631"	"83.65.129.168"	"RECEIVED: ZGFu"

User avatar
Pern
Normal user
Normal user
Posts: 46
Joined: 2006-09-07 21:14

Re: getting slammed via spam and hacking

Post by Pern » 2011-02-27 03:23

i have( a few days ago) disabled the dan account, i didnt delete it as so it is locked now.
Johnny - aka Pern
WebSite: dragonsworkshop.com ** Happy Holidays**

Post Reply