New External Attacks On hMailServer

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
User avatar
Senior user
Senior user
Posts: 386
Joined: 2011-05-28 11:49
Location: US

New External Attacks On hMailServer

Post by jim.bus » 2019-09-19 21:56

Starting yesterday IP Address has constantly (almost every minute or two) been incessantly attempting to do an Authenticated Connection on Port 25. It was unable to do so presumably because I had entered MattG's suggested additions to hMailServer's .ini file which disallow Authentications on Port 25 and/or because I also require Authenticated Connections on the Internet IP Range.

When I noticed the attack was constant I added an IP Address Range Block on so hMailServer will not even allow this IP Address to connect.

The actual attack I saw in my Logs is this series of Log Entries and this would repeat every minute or two (as stated I now block this IP Address):

"TCPIP" 10236 "2019-09-19 01:26:22.084" "TCP - connected to"
"DEBUG" 10236 "2019-09-19 01:26:22.084" "TCP connection started for session 1124"
"SMTPD" 10236 1124 "2019-09-19 01:26:22.084" "" "SENT: 220 mail.********.com ESMTP"
"SMTPD" 9628 1124 "2019-09-19 01:26:22.287" "" "RECEIVED: EHLO User"
"SMTPD" 9628 1124 "2019-09-19 01:26:22.287" "" "SENT: 250-mail.********.com[nl]250-SIZE 25600000[nl]250-STARTTLS[nl]250 HELP"
"SMTPD" 10236 1124 "2019-09-19 01:26:22.553" "" "RECEIVED: RSET"
"SMTPD" 10236 1124 "2019-09-19 01:26:22.553" "" "SENT: 250 OK"
"SMTPD" 9628 1124 "2019-09-19 01:26:22.740" "" "RECEIVED: AUTH LOGIN"
"SMTPD" 9628 1124 "2019-09-19 01:26:22.740" "" "SENT: 504 Authentication not enabled."
"SMTPD" 10236 1124 "2019-09-19 01:26:22.943" "" "RECEIVED: QUIT"
"SMTPD" 10236 1124 "2019-09-19 01:26:22.943" "" "SENT: 221 goodbye"
"DEBUG" 9628 "2019-09-19 01:26:22.943" "Ending session 1124"

I noticed this attack because I had been setting my hMailServer machine to Sleep after 10 minutes of inactivity and to Wake From Sleep on Network Interface Controller (NIC) activity. It became noticeable because my Computer would go to Sleep and within a minute Wake back up again and do this incessantly with no more than many of the times there being only a minute or so of Sleep Mode. This caused me to look in the Logs to see what was going on and I discovered the above Attack Log Entries. After putting a connection Block on this IP Address, the computer will of course still Wake from Sleep MOde (I had to disallow Sleep for now) because the activity still is there on the NIC causing the computer to Wake From Sleep anyway. Apparently my Router Firewall will not allow me to block incoming IP Addresses. If I could do that then at least the computer would stop always Waking from Sleep due to this Attack.

Apparently the Abuse contact for ' -' is '' with World Hosting Farm, Ireland, apparently the owner of the IP Address though an IP Address Location query returned that Sprint S.a. was the ISP and is located in Warsaw Poland. I am probably going to send an Abuse complaint to World Hosting Farm.

I thought I should let hMailSerer users know of this attack and maybe also see if anyone else is also experiencing this kind of attack.
Last edited by jim.bus on 2019-09-19 22:00, edited 1 time in total.

User avatar
Posts: 8637
Joined: 2011-09-08 17:48

Re: New External Attacks On hMailServer

Post by jimimaseye » 2019-09-19 22:00

This "kind of attack" is common. Chances are the user of the machine trying the attack doesn't even know it (virus spam bot). It will stop. They always do.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs :

Senior user
Senior user
Posts: 1964
Joined: 2017-09-12 17:57

Re: New External Attacks On hMailServer

Post by palinka » 2019-09-19 22:53

I have only 2 hits on that subnet and 0 returns (dropped connections at the firewall), so very little activity from that particular botnet.

Post Reply