Server properly configured marked as SPAMMER. Please help

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-11 22:52

Hi everyone. I'm desperate.

My server keeps being listed on the CBL spam list even though hMailServer is properly configured.

I've tested for open relay on my server, and the result was NOT OPEN for anonymous relay.

External to external account is disabled on all IP ranges. SMTP authentication is required on local to local and local to external.

Can someone please help me out figure out what is going on?

I've checked the SMTP log several times. IPs from Belize, the Netherlands and other countries try to authenticate, and in the log they are shown as failed authentications, but my server keeps being listed as a spam server.

My current hMailServer version is: 5.6.7-B2425

Thanks in advance

h1j4ck3r

jimimaseye
Moderator
Posts: 8156
Joined: 2011-09-08 17:48

Re: Server properly configured marked as SPAMMER. Please help

Post by jimimaseye » 2019-10-11 23:02

https://www.hmailserver.com/documentati ... d_for_spam

Possible virus on network machine or password compromised.

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-11 23:11

Hi Jimi, thanks for the reply.

I've tried to identify spamware with TCPView; nothing seemed wrong.

I've also tried what you posted in your reply. The only authenticated users I've checked were apparently real users.

Is there a way to see the e-mails that were relayed today, with the from and to accounts? My system shows that 1,242 e-mails were processed today; where can I see which e-mails those were?

I don't know what else I could do.

Thanks

palinka
Senior user
Posts: 1191
Joined: 2017-09-12 17:57

Re: Server properly configured marked as SPAMMER. Please help

Post by palinka » 2019-10-11 23:26

h1j4ck3r wrote:
2019-10-11 23:11
Hi Jimi, thanks for the reply.

I've tried to identify spamware with TCPView; nothing seemed wrong.

I've also tried what you posted in your reply. The only authenticated users I've checked were apparently real users.

Is there a way to see the e-mails that were relayed today, with the from and to accounts? My system shows that 1,242 e-mails were processed today; where can I see which e-mails those were?

I don't know what else I could do.

Thanks
Is that an unusual number?

Parse your log through this and it will be easy to see which user's password has been compromised.

https://log.damnation.org.uk/

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-11 23:47

I've done what you asked and generated a readable log, but nothing seems wrong to me.

Is it safe for me to attach these log results here for you? Or will I be exposing any sensitive data, like passwords and other things?

Thanks

palinka
Senior user
Posts: 1191
Joined: 2017-09-12 17:57

Re: Server properly configured marked as SPAMMER. Please help

Post by palinka » 2019-10-12 02:03

No passwords will be included, but usernames will.

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-12 03:37

Ok, here are the logs. If anyone can take a look and give me a hand, I'm really lost.

:(

Thanks in advance.
Attachments
logs.rar

mattg
Moderator
Posts: 20224
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Server properly configured marked as SPAMMER. Please help

Post by mattg » 2019-10-12 04:48

Need the actual raw log please, not the HTML from where you loaded it into the log analyser.

Just put the text of the log in 'code' tags in a post.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 1191
Joined: 2017-09-12 17:57

Re: Server properly configured marked as SPAMMER. Please help

Post by palinka » 2019-10-12 08:57

It's too sanitized to help much.

Look at these, for example, which I picked randomly. They look like obvious spam.

Session: 10527
"SMTPC" 8832 10527 "2019-10-11 09:51:03.087" "172.217.212.26" "RECEIVED: 220 mx.google.com ESMTP q194si13645218jaq.58 - gsmtp"
"SMTPC" 8832 10527 "2019-10-11 09:51:03.087" "172.217.212.26" "SENT: EHLO mail.iziservice.com.br"
"SMTPC" 9496 10527 "2019-10-11 09:51:03.118" "172.217.212.26" "RECEIVED: 250-mx.google.com at your service, [148.72.169.65][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 9496 10527 "2019-10-11 09:51:03.118" "172.217.212.26" "SENT: STARTTLS"
"SMTPC" 8832 10527 "2019-10-11 09:51:03.134" "172.217.212.26" "RECEIVED: 220 2.0.0 Ready to start TLS"
"SMTPC" 8832 10527 "2019-10-11 09:51:03.165" "172.217.212.26" "SENT: EHLO mail.iziservice.com.br"
"SMTPC" 9496 10527 "2019-10-11 09:51:03.181" "172.217.212.26" "RECEIVED: 250-mx.google.com at your service, [148.72.169.65][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 9496 10527 "2019-10-11 09:51:03.181" "172.217.212.26" "SENT: MAIL FROM:<greatacessoria.>"
"SMTPC" 9772 10527 "2019-10-11 09:51:03.212" "172.217.212.26" "RECEIVED: 250 2.1.0 OK q194si13645218jaq.58 - gsmtp"
"SMTPC" 9772 10527 "2019-10-11 09:51:03.212" "172.217.212.26" "SENT: RCPT TO:<gmail.>"
"SMTPC" 9772 10527 "2019-10-11 09:51:03.415" "172.217.212.26" "RECEIVED: 552-5.2.2 The email account that you tried to reach is over quota. Please direct[nl]552-5.2.2 the recipient to[nl]552 5.2.2 https://support.google.com/mail/?p=OverQuotaPerm q194si13645218jaq.58 - gsmtp"
"SMTPC" 9772 10527 "2019-10-11 09:51:03.415" "172.217.212.26" "SENT: QUIT"
"SMTPC" 14808 10527 "2019-10-11 09:51:03.431" "172.217.212.26" "RECEIVED: 221 2.0.0 closing connection q194si13645218jaq.58 - gsmtp"
Session: 10548
"SMTPC" 8832 10548 "2019-10-11 09:55:30.295" "172.217.212.26" "RECEIVED: 220 mx.google.com ESMTP l26si14282982jap.63 - gsmtp"
"SMTPC" 8832 10548 "2019-10-11 09:55:30.295" "172.217.212.26" "SENT: EHLO mail.iziservice.com.br"
"SMTPC" 9772 10548 "2019-10-11 09:55:30.311" "172.217.212.26" "RECEIVED: 250-mx.google.com at your service, [148.72.169.65][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 9772 10548 "2019-10-11 09:55:30.311" "172.217.212.26" "SENT: STARTTLS"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.326" "172.217.212.26" "RECEIVED: 220 2.0.0 Ready to start TLS"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.373" "172.217.212.26" "SENT: EHLO mail.iziservice.com.br"
"SMTPC" 9496 10548 "2019-10-11 09:55:30.389" "172.217.212.26" "RECEIVED: 250-mx.google.com at your service, [148.72.169.65][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 9496 10548 "2019-10-11 09:55:30.389" "172.217.212.26" "SENT: MAIL FROM:<com.>"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.404" "172.217.212.26" "RECEIVED: 250 2.1.0 OK l26si14282982jap.63 - gsmtp"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.404" "172.217.212.26" "SENT: RCPT TO:<gmail.>"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.467" "172.217.212.26" "RECEIVED: 552-5.2.2 The email account that you tried to reach is over quota. Please direct[nl]552-5.2.2 the recipient to[nl]552 5.2.2 https://support.google.com/mail/?p=OverQuotaPerm l26si14282982jap.63 - gsmtp"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.467" "172.217.212.26" "SENT: QUIT"
"SMTPC" 8832 10548 "2019-10-11 09:55:30.482" "172.217.212.26" "RECEIVED: 221 2.0.0 closing connection l26si14282982jap.63 - gsmtp"
Find the smtpd entries that correspond to these and you'll find the account with the hacked password.

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-12 09:51

Ok, here is the full day log, without the base64 "translation".

Hope this helps.

Thanks!
Attachments
full-log-2019-10-11.rar

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-12 10:04

palinka wrote:
2019-10-12 08:57
It's too sanitized to help much.

Look at these, for example, which I picked randomly. They look like obvious spam.

Session: 10527
"SMTPC" 8832 10527 "2019-10-11 09:51:03.087" "172.217.212.26" "RECEIVED: 220 mx.google.com ESMTP q194si13645218jaq.58 - gsmtp"
"SMTPC" 8832 10527 "2019-10-11 09:51:03.087" "172.217.212.26" "SENT: EHLO mail.iziservice.com.br"
"SMTPC" 9496 10527 "2019-10-11 09:51:03.118" "172.217.212.26" "RECEIVED: 250-mx.google.com at your service, [148.72.169.65][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 9496 10527 "2019-10-11 09:51:03.118" "172.217.212.26" "SENT: STARTTLS"
"SMTPC" 8832 10527 "2019-10-11 09:51:03.134" "172.217.212.26" "RECEIVED: 220 2.0.0 Ready to start TLS"
"SMTPC" 8832 10527 "2019-10-11 09:51:03.165" "172.217.212.26" "SENT: EHLO mail.iziservice.com.br"
"SMTPC" 9496 10527 "2019-10-11 09:51:03.181" "172.217.212.26" "RECEIVED: 250-mx.google.com at your service, [148.72.169.65][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 9496 10527 "2019-10-11 09:51:03.181" "172.217.212.26" "SENT: MAIL FROM:<greatacessoria.>"
"SMTPC" 9772 10527 "2019-10-11 09:51:03.212" "172.217.212.26" "RECEIVED: 250 2.1.0 OK q194si13645218jaq.58 - gsmtp"
"SMTPC" 9772 10527 "2019-10-11 09:51:03.212" "172.217.212.26" "SENT: RCPT TO:<gmail.>"
"SMTPC" 9772 10527 "2019-10-11 09:51:03.415" "172.217.212.26" "RECEIVED: 552-5.2.2 The email account that you tried to reach is over quota. Please direct[nl]552-5.2.2 the recipient to[nl]552 5.2.2 https://support.google.com/mail/?p=OverQuotaPerm q194si13645218jaq.58 - gsmtp"
"SMTPC" 9772 10527 "2019-10-11 09:51:03.415" "172.217.212.26" "SENT: QUIT"
"SMTPC" 14808 10527 "2019-10-11 09:51:03.431" "172.217.212.26" "RECEIVED: 221 2.0.0 closing connection q194si13645218jaq.58 - gsmtp"
Session: 10548
"SMTPC" 8832 10548 "2019-10-11 09:55:30.295" "172.217.212.26" "RECEIVED: 220 mx.google.com ESMTP l26si14282982jap.63 - gsmtp"
"SMTPC" 8832 10548 "2019-10-11 09:55:30.295" "172.217.212.26" "SENT: EHLO mail.iziservice.com.br"
"SMTPC" 9772 10548 "2019-10-11 09:55:30.311" "172.217.212.26" "RECEIVED: 250-mx.google.com at your service, [148.72.169.65][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 9772 10548 "2019-10-11 09:55:30.311" "172.217.212.26" "SENT: STARTTLS"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.326" "172.217.212.26" "RECEIVED: 220 2.0.0 Ready to start TLS"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.373" "172.217.212.26" "SENT: EHLO mail.iziservice.com.br"
"SMTPC" 9496 10548 "2019-10-11 09:55:30.389" "172.217.212.26" "RECEIVED: 250-mx.google.com at your service, [148.72.169.65][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC" 9496 10548 "2019-10-11 09:55:30.389" "172.217.212.26" "SENT: MAIL FROM:<com.>"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.404" "172.217.212.26" "RECEIVED: 250 2.1.0 OK l26si14282982jap.63 - gsmtp"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.404" "172.217.212.26" "SENT: RCPT TO:<gmail.>"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.467" "172.217.212.26" "RECEIVED: 552-5.2.2 The email account that you tried to reach is over quota. Please direct[nl]552-5.2.2 the recipient to[nl]552 5.2.2 https://support.google.com/mail/?p=OverQuotaPerm l26si14282982jap.63 - gsmtp"
"SMTPC" 14808 10548 "2019-10-11 09:55:30.467" "172.217.212.26" "SENT: QUIT"
"SMTPC" 8832 10548 "2019-10-11 09:55:30.482" "172.217.212.26" "RECEIVED: 221 2.0.0 closing connection l26si14282982jap.63 - gsmtp"
Find the smtpd entries that correspond to these and you'll find the account with the hacked password.
Palinka, thanks for your post. How can I link an SMTPC record with an SMTPD record?
I really don't know how to do that.

Thanks for your help.

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-12 10:24

Palinka, I've tried to identify those records, but they seem to me to be inbound messages, not outbound.

I believe my server is marked as a spammer because of outbound messages, not inbound. Please, correct me if I'm wrong.

I've created a VBScript to filter inbound and outbound messages. If "FromAddress" or "To" does not match a registered account, the message won't be accepted, but that also does not seem to fix the spam issue.

:(

I really don't know what else to do.

If you can help me out fixing this SPAM problem I'm willing to donate again to the project.

Thanks everyone.

mattg
Moderator
Posts: 20224
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Server properly configured marked as SPAMMER. Please help

Post by mattg » 2019-10-12 10:48

SMTPD is mail delivered to your server.
SMTPC is mail being delivered FROM your server to another server.

Most of that SMTPD is just someone trying unsuccessfully to AUTH, using a dictionary attack.
Doesn't look like much got through.

There is one account that you seem to be trying to get to but it is 'over quota' at the other end

I'd guess this is a forward from your local account faturaxxxxx@gaxxx.com.br to gasmetal[dot]axxxxxxxx@gmail.com
That is an issue, because that forward account is over quota

Every bounce that you send is also sending a copy here, but they aren't getting through as the account is over limit.

It also looks like almost all of the mail being sent out is in response to a bounce message that is coming to you. This is called backscatter. Someone has used your domain to send spam (not necessarily from your machine, and not from an account that you have configured) and other machines are returning the mail with a bounce, and you are bouncing the bounces, then also forwarding the bounce of the bounce to that gmail account.

There are some things you can do.
Start with running this and posting the results >> viewtopic.php?f=20&t=30914
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
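The two pieces of advice given in this thread can be automated: palinka's (parse the SMTPD log and it becomes obvious which account's password was stolen, then find the SMTPD entries that correspond to the suspicious SMTPC sessions) and mattg's (SMTPD is inbound, SMTPC is outbound, and an outbound stream made up mostly of bounces is backscatter). The script below is an added example, not code from this thread or from the hMailServer project. It assumes the log layout shown in palinka's excerpt (source, thread id, session id, timestamp, remote IP, message), that an AUTH LOGIN username arrives on the RECEIVED line that follows the server's `334 VXNlcm5hbWU6` prompt, and that `235 ...` and `250 Queued ...` mark a successful login and an accepted message; those marker strings are assumptions, and the sample log lines, addresses and session numbers are constructed.

```python
import base64
import re
from collections import defaultdict
from datetime import datetime

# One log line: "SMTPD"|"SMTPC"  thread  session  "timestamp"  "remote ip"  "message"
LINE_RE = re.compile(r'^"(?P<src>SMTPD|SMTPC)"\s+\d+\s+(?P<session>\d+)\s+'
                     r'"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"$')
ADDR_RE = re.compile(r'(MAIL FROM|RCPT TO):\s*<([^>]*)>', re.IGNORECASE)
USER_PROMPT = "SENT: 334 VXNlcm5hbWU6"  # base64("Username:"), the AUTH LOGIN prompt

def decode_b64(token):
    """Decode an AUTH LOGIN username token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def parse_sessions(lines):
    """Group lines into sessions keyed by (source, id) with auth result and envelope."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "Session: 10527" headers inserted by a log analyser
        s = sessions.setdefault((m["src"], int(m["session"])), {
            "src": m["src"], "ip": m["ip"], "start": None, "user": None, "auth_ok": False,
            "mail_from": None, "rcpt_to": [], "queued": False, "want_user": False})
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        s["start"] = ts if s["start"] is None else min(s["start"], ts)
        msg, addr = m["msg"], ADDR_RE.search(m["msg"])
        if msg.startswith(USER_PROMPT):
            s["want_user"] = True                    # next RECEIVED line is the username
        elif s["want_user"] and msg.startswith("RECEIVED: "):
            s["user"], s["want_user"] = decode_b64(msg[10:]), False
        elif msg.startswith("SENT: 235"):            # assumed marker: "235 authenticated."
            s["auth_ok"] = True
        elif msg.startswith("SENT: 250 Queued"):     # assumed marker: message accepted
            s["queued"] = True
        elif addr and addr.group(1).upper() == "MAIL FROM":
            s["mail_from"] = addr.group(2).lower()  # "" is a null sender, i.e. a bounce
        elif addr:
            s["rcpt_to"].append(addr.group(2).lower())
    return sessions

def auth_report(sessions):
    """Account -> sorted IPs that authenticated OK; many unrelated IPs = stolen password."""
    by_user = defaultdict(set)
    for s in sessions.values():
        if s["src"] == "SMTPD" and s["auth_ok"] and s["user"]:
            by_user[s["user"]].add(s["ip"])
    return {u: sorted(ips) for u, ips in by_user.items()}

def classify_outbound(sessions):
    """SMTPC id -> "bounce" (null sender: an NDR, the raw material of backscatter) or "relay"."""
    return {sid: "bounce" if s["mail_from"] == "" else "relay"
            for (src, sid), s in sessions.items() if src == "SMTPC"}

def link_outbound(sessions):
    """SMTPC id -> (SMTPD id, ip, user) of the latest earlier queued inbound session
    with the same sender and a shared recipient: that SMTPD session names the account."""
    inbound = [dict(s, sid=sid) for (src, sid), s in sessions.items()
               if src == "SMTPD" and s["queued"]]
    links = {}
    for (src, sid), s in sessions.items():
        if src != "SMTPC" or not s["mail_from"]:  # bounces carry no sender to match on
            continue
        cands = [i for i in inbound if i["mail_from"] == s["mail_from"]
                 and set(i["rcpt_to"]) & set(s["rcpt_to"]) and i["start"] <= s["start"]]
        if cands:
            best = max(cands, key=lambda i: i["start"])
            links[sid] = (best["sid"], best["ip"], best["user"])
    return links

# Constructed sample: 203.0.113.5 is the mailbox owner's client, 198.51.100.77 an unknown host.
SAMPLE_LOG = '''\
"SMTPD" 1 101 "2019-10-11 09:50:00.000" "203.0.113.5" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 1 101 "2019-10-11 09:50:00.010" "203.0.113.5" "RECEIVED: YWxpY2VAZXhhbXBsZS5jb20="
"SMTPD" 1 101 "2019-10-11 09:50:00.020" "203.0.113.5" "SENT: 235 authenticated."
"SMTPD" 1 101 "2019-10-11 09:50:00.030" "203.0.113.5" "RECEIVED: MAIL FROM:<alice@example.com>"
"SMTPD" 1 101 "2019-10-11 09:50:00.040" "203.0.113.5" "RECEIVED: RCPT TO:<bob@example.net>"
"SMTPD" 1 101 "2019-10-11 09:50:00.050" "203.0.113.5" "SENT: 250 Queued (0.031 seconds)"
"SMTPD" 3 103 "2019-10-11 09:52:00.000" "198.51.100.77" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3 103 "2019-10-11 09:52:00.010" "198.51.100.77" "RECEIVED: YWxpY2VAZXhhbXBsZS5jb20="
"SMTPD" 3 103 "2019-10-11 09:52:00.020" "198.51.100.77" "SENT: 235 authenticated."
"SMTPD" 3 103 "2019-10-11 09:52:00.030" "198.51.100.77" "RECEIVED: MAIL FROM:<alice@example.com>"
"SMTPD" 3 103 "2019-10-11 09:52:00.040" "198.51.100.77" "RECEIVED: RCPT TO:<victim@example.org>"
"SMTPD" 3 103 "2019-10-11 09:52:00.050" "198.51.100.77" "SENT: 250 Queued (0.030 seconds)"
"SMTPC" 4 104 "2019-10-11 09:52:05.000" "192.0.2.25" "SENT: MAIL FROM:<alice@example.com>"
"SMTPC" 4 104 "2019-10-11 09:52:05.010" "192.0.2.25" "SENT: RCPT TO:<victim@example.org>"
"SMTPC" 5 105 "2019-10-11 09:53:00.000" "192.0.2.25" "SENT: MAIL FROM:<>"
"SMTPC" 5 105 "2019-10-11 09:53:00.010" "192.0.2.25" "SENT: RCPT TO:<someone@example.org>"
'''

if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_LOG.splitlines())
    print(auth_report(sess), classify_outbound(sess), link_outbound(sess), sep="\n")
```

Run it against the raw (not analyser-rendered) SMTP log, which is tab separated; the regex accepts tabs or spaces. `auth_report` is the view palinka's analyser gives: an account that authenticates from addresses the owner would never use is the one whose password to reset. `link_outbound` answers the "how do I link SMTPC to SMTPD" question by handing back the SMTPD session id to search for in the raw log, and `classify_outbound` shows whether the outbound traffic is real mail or the bounce-of-bounce backscatter mattg describes.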

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-13 03:42

Hi mattg, I've removed all the forwarding configurations to gmail.com

Let's see if that is enough to fix the problem.

I'll come back after 24 hours to let you know if the issues were resolved.

Thank you very much.

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-14 16:41

Hello again guys.

Here we are again.

I'm attaching yesterday's full-day log and a screenshot from CBL showing that my server was listed 6 times in the past 24 hours, even though we've removed those forwardings.

Something is still happening.

Hope you can help me out.

Thanks
Attachments
cbl.png
full-log-2019-10-13.rar

mattg
Moderator
Posts: 20224
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Server properly configured marked as SPAMMER. Please help

Post by mattg » 2019-10-14 17:13

No sending at all, just lots of blocking.

You have an error in your eventhandlers.vbs though, at line 112.

The CBL may be triggered for a day or two.

Do an AV sweep, and run a malware scan of your entire network, just to be sure.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 1191
Joined: 2017-09-12 17:57

Re: Server properly configured marked as SPAMMER. Please help

Post by palinka » 2019-10-14 17:16

XBL is bot spam. Could be an infected computer on your network. Try blocking access to port 25 outbound except for your hmailserver. Then, as Matt suggests, find the infection.

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-14 17:46

Hello guys, thanks for the replies.

Let's wait a day or two and check if the CBL warning disappears. I don't believe the computer is infected, because this is a new machine and I have only installed trusted software on it.

I've run a Windows Defender full scan and nothing wrong was found.

Is there any other trustworthy malware scan tool you recommend I run?

About the script error: the error in my event script file was in a log I'm writing for every operation. Sometimes the script fails to write to the disk, so no worries.

About the network: My server is the only machine (as far as I know) on the network.

Thanks guys

palinka
Senior user
Posts: 1191
Joined: 2017-09-12 17:57

Re: Server properly configured marked as SPAMMER. Please help

Post by palinka » 2019-10-14 18:38

h1j4ck3r wrote:
2019-10-14 17:46
(as far as I know)
Famous last words. :mrgreen:

A firewall rule may or may not help, but it certainly can't hurt and only takes a minute to set up.

jimimaseye
Moderator
Posts: 8156
Joined: 2011-09-08 17:48

Re: Server properly configured marked as SPAMMER. Please help

Post by jimimaseye » 2019-10-14 18:51

h1j4ck3r wrote:
2019-10-14 17:46
I've run a Windows Defender full scan and nothing wrong was found.
Ah well. Therefore there can't possibly be anything on it.

Not. 🙄

Try with a trustworthy AV detection solution.
jimimaseye wrote:
2019-10-11 23:02
https://www.hmailserver.com/documentati ... d_for_spam

Possible virus on network machine or password compromised.

[Entered by mobile. Excuse my spelling.]
[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-14 21:41

I've made an entire system check with Malwarebytes.

The result (attached below) shows no threats detected.

So, I believe it is not a malware related problem.

Is there any other tool that you recommend I use?

Thanks
Attachments
malware-result.png

jimimaseye
Moderator
Posts: 8156
Joined: 2011-09-08 17:48

Re: Server properly configured marked as SPAMMER. Please help

Post by jimimaseye » 2019-10-14 22:08

The link given (and the advice from helpers) guides you on searching for SMTPD entries in your logs. Find them and you will find your cause.

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

h1j4ck3r
New user
Posts: 12
Joined: 2019-10-11 22:44

Re: Server properly configured marked as SPAMMER. Please help

Post by h1j4ck3r » 2019-10-14 22:12

I'm monitoring all SMTPD and SMTPC entries.

Everything looks fine now. Let's wait a couple of days and see if the server stops being listed in the next days.

Thank you very much
