Help me get rid of spammer sending from my hmail server!

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10


Post by entropicsinkhole » 2007-07-10 21:23

First, info about my system: Windows Server 2003, hMail v4.4, ASSP 1.3.1 (spam protection)

I'm hoping someone here has some advice! I have a spammer somehow using my hmail server to send spam to external email addresses (the messages are sent from external email addresses to external email addresses--they never involve local mail addresses at all). The spam messages get queued up under Undelivered Messages long enough for me to see the source mail addresses and their IP, but the IP addresses are always different. I'm thinking that this huge mass of spam transfer is the cause of some recent connectivity issues with my mail server.

If left long enough, the messages do eventually send, at which point they pass through my spam protection (ASSP), which doesn't stop them and in fact places the messages in its 'not spam' folder even after I added all the bad source email addresses to my blacklist (there are about six email addresses the spammer is sending from right now, though the IP addresses are always different).

I searched this forum and found someone else who experienced a similar issue but the resolution was never posted. See: (http://www.hmailserver.com/forum/viewto ... ht=spammer)

I followed the advice given in this forum and checked the settings:

1) Allow Deliveries from External to External Account is NOT checked off
2) The Open Relay tests I have run tell me that I have no relay open.
3) In the IP Range -> Internet -> "Require Authentication for deliveries to remote accounts" is checked off

4) Here are some excerpts from the log, where the spammer address service@paypal.com (the spammer addresses are ALWAYS service@something) tries to send to yhlbb@go.com. This message got through to my ASSP spam protection eventually, though I noticed that the hmail log seems to recognize it doesn't exist. Note: I've changed my domain name to domain.com.

is one minute's worth of log, starting from the time the spam appeared:

PD" 3536 62255 "2007-07-10 14:00:51.000" "127.0.0.1" "SENT: 220 domain.com ESMTP"
"SMTPD" 3536 62249 "2007-07-10 14:00:51.000" "127.0.0.1" "RECEIVED: RCPT TO:<yhlbb@go.com>"
"SMTPD" 3500 62255 "2007-07-10 14:00:51.015" "127.0.0.1" "RECEIVED: HELO IPCheck"
"SMTPD" 3500 62255 "2007-07-10 14:00:51.015" "127.0.0.1" "SENT: 250 Hello."
"SMTPD" 3536 62249 "2007-07-10 14:00:51.015" "127.0.0.1" "SENT: 250 OK"
"SMTPD" 3500 62255 "2007-07-10 14:00:51.015" "127.0.0.1" "RECEIVED: RSET"
"SMTPD" 3500 62255 "2007-07-10 14:00:51.015" "127.0.0.1" "SENT: 250 OK"
"SMTPD" 3500 62255 "2007-07-10 14:00:51.015" "127.0.0.1" "RECEIVED: QUIT"
"SMTPD" 3500 62255 "2007-07-10 14:00:51.015" "127.0.0.1" "SENT: 221 goodbye"
"TCPIP" 3500 "2007-07-10 14:00:51.015" "Disconnecting socket 4264 for session 62255"

*******************

"SMTPD" 3500 62249 "2007-07-10 14:00:57.734" "127.0.0.1" "SENT: 250 Queued (0.375 seconds)"
"APPLICATION" 272 "2007-07-10 14:00:57.734" "SMTPDeliverer - Message 241363: Delivering message from service@paypal.us to yhlbb@go.com, yhlclwtr@mercuryspeed.com, yhmaffozfds@hotmail.com, yhofer@cox.net, yhpwong@hkusua.hku.hk, yhquhl@jblqiiz.net, yhyz99@163.com, yia@valley.net, yiannis.koulas@nokia.com, yiannis@lepalais.gr, yiayiamst@mailcity.com, yichongik@hanmail.net, yigawa@aol.com, yimmy@beefblast.org, yinginze@pacific.net.sg, yingyiduan@hotmail.com, yinwei@mbox5.singnet.com.sg, yiranayah@fhtm.us, yixuanxuan@yahoo.ca, yjedimike@aol.com. File: D:\hMailServer\Data\{27C069BE-3D4D-499D-848C-67DB8E8E3F62}.eml"
"TCPIP" 4884 "2007-07-10 14:00:57.875" "DNS - MX Result: 16 IP addresses were found."
"SMTPD" 3500 62249 "2007-07-10 14:00:57.890" "127.0.0.1" "RECEIVED: QUIT"
"SMTPD" 3500 62249 "2007-07-10 14:00:57.890" "127.0.0.1" "SENT: 221 goodbye"
********************
"APPLICATION" 272 "2007-07-10 14:01:27.514" "SMTPDeliverer - Message 241363: No mail servers exists for the address yhlbb@go.com."
*****************************
"SMTPC" 3536 62340 "2007-07-10 14:01:42.905" "64.97.204.10" "SENT: HELO wpshc.com"
"APPLICATION" 4444 "2007-07-10 14:01:42.983" "SMTPDeliverer - Message 241247: Failed to connect to 199.81.130.93."
"SMTPC" 3536 62340 "2007-07-10 14:01:43.061" "64.97.204.10" "RECEIVED: 250 sc0-in04.emaildefenseservice.com"
"SMTPC" 3536 62340 "2007-07-10 14:01:43.061" "64.97.204.10" "SENT: MAIL FROM:<service@paypal.us>"
"SMTPC" 3536 62340 "2007-07-10 14:01:43.186" "64.97.204.10" "RECEIVED: 250 2.1.0 Ok"
"SMTPC" 3536 62340 "2007-07-10 14:01:43.186" "64.97.204.10" "SENT: RCPT TO:<yhlbb@go.com>"
"TCPIP" 3500 "2007-07-10 14:01:43.311" "Created accept socket 2916 on listening socket 2020"
****************************
"SMTPC" 3500 62360 "2007-07-10 14:01:48.201" "192.118.82.144" "SENT: HELO domain.com"
"SMTPC" 3536 62340 "2007-07-10 14:01:48.358" "64.97.204.10" "RECEIVED: 550 5.7.1 <yhlbb@go.com>: Recipient address rejected: RCPT TO:<yhlbb@go.com> User unknown"
"SMTPC" 3536 62340 "2007-07-10 14:01:48.358" "64.97.204.10" "SENT: QUIT"
"TCPIP" 3536 "2007-07-10 14:01:48.858" "Disconnecting socket 3256 for session 59716"
"TCPIP" 3500 "2007-07-10 14:01:48.858" "Disconnecting socket 2980 for session 59790"
"TCPIP" 3460 "2007-07-10 14:01:48.858" "Disconnecting socket 2884 for session 60007"
"TCPIP" 3556 "2007-07-10 14:01:48.858" "Disconnecting socket 2524 for session 60096"
*******************

"TCPIP" 3536 "2007-07-10 14:02:11.654" "Disconnecting socket 3792 for session 62408"
"TCPIP" 272 "2007-07-10 14:02:11.654" "DNS - MX Lookup: jblqiiz.net"
"TCPIP" 272 "2007-07-10 14:02:11.701" "DNS - MX Result: 0 IP addresses were found."
"APPLICATION" 272 "2007-07-10 14:02:11.701" "SMTPDeliverer - Message 241363: No mail servers exists for the address yhlbb@go.com."
"TCPIP" 272 "2007-07-10 14:02:11.701" "DNS - MX Lookup: lepalais.gr"
"APPLICATION" 4768 "2007-07-10 14:02:11.748" "SMTPDeliverer - Message 241115: Failed to connect to 66.240.173.8."
"TCPIP" 4768 "2007-07-10 14:02:11.748" "DNS - MX Lookup: missionpublishing.net"
"SMTPC" 3536 62380 "2007-07-10 14:02:11.779" "65.24.7.12" "RECEIVED: 250 recipient <eevans@nj.rr.com> ok"
"S

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2007-07-10 21:31

You need to find a log snippet that covers the time when hMailServer accepted the email message. The log snippets you posted just contain info on when hMailServer was trying to deliver the message.

So what you need to look for is a connection where hMailServer has acted as server. These lines start with "SMTPD". You have some lines starting with this, but the lines you've posted only show a part of the session 62249.

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-10 22:22

I copied a single portion this time, making sure to include SMTPD. Hopefully this is a little more helpful. Thanks!


"SMTPD" 3500 62249 "2007-07-10 14:00:52.953" "127.0.0.1" "RECEIVED: RCPT TO:<yhyz99@163.com>"
"SMTPD" 3500 62249 "2007-07-10 14:00:52.953" "127.0.0.1" "SENT: 250 OK"
"POP3D" 3500 62262 "2007-07-10 14:00:53.250" "10.0.4.116" "RECEIVED: UIDL"
"POP3D" 3500 62262 "2007-07-10 14:00:53.250" "10.0.4.116" "SENT: +OK 35 messages (5339103 octets)[nl]1 232770[nl]2 233070[nl]3 233353[nl]4 233633[nl]5 233723[nl]6 ....etc......"
"SMTPC" 3536 62258 "2007-07-10 14:00:53.265" "64.18.5.10" "RECEIVED: 550 5.1.1 <xsiana@gwtc.net>... User unknown"
"SMTPC" 3536 62258 "2007-07-10 14:00:53.265" "64.18.5.10" "SENT: QUIT"
"POP3D" 3500 62262 "2007-07-10 14:00:53.265" "10.0.4.116" "RECEIVED: QUIT"
"POP3D" 3500 62262 "2007-07-10 14:00:53.265" "10.0.4.116" "SENT: +OK POP3 server saying goodbye..."
"TCPIP" 3500 "2007-07-10 14:00:53.265" "Disconnecting socket 2172 for session 62262"
"SMTPD" 3500 62249 "2007-07-10 14:00:53.422" "127.0.0.1" "RECEIVED: RCPT TO:<yia@valley.net>"
"SMTPD" 3500 62249 "2007-07-10 14:00:53.437" "127.0.0.1" "SENT: 250 OK"
"SMTPC" 3536 62253 "2007-07-10 14:00:53.484" "202.95.238.201" "RECEIVED: 250 Requested mail action okay, completed"
"SMTPC" 3536 62253 "2007-07-10 14:00:53.484" "202.95.238.201" "SENT: MAIL FROM:<service@paypal.us>"
"SMTPC" 3536 62260 "2007-07-10 14:00:53.500" "206.46.232.11" "RECEIVED: 220 vms051pub.verizon.net -- Server ESMTP (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))"
"SMTPC" 3536 62260 "2007-07-10 14:00:53.500" "206.46.232.11" "SENT: HELO domain.com"
"APPLICATION" 5024 "2007-07-10 14:00:53.765" "SMTPDeliverer - Message 241354: Failed to connect to 69.46.226.165."
"APPLICATION" 5024 "2007-07-10 14:00:53.765" "SMTPDeliverer - Message 241354: Message could not be delivered. Scheduling it for later delivery."
"APPLICATION" 5024 "2007-07-10 14:00:53.765" "SMTPDeliverer - Message 241354: Message delivery thread completed."
"SMTPD" 3536 62249 "2007-07-10 14:00:53.765" "127.0.0.1" "RECEIVED: RCPT TO:<yiannis.koulas@nokia.com>"
"SMTPD" 3536 62249 "2007-07-10 14:00:53.765" "127.0.0.1" "SENT: 250 OK"
"SMTPC" 3500 62260 "2007-07-10 14:00:53.765" "206.46.232.11" "RECEIVED: 250 vms051pub.verizon.net OK, [209.91.163.65]."
"SMTPC" 3500 62260 "2007-07-10 14:00:53.765" "206.46.232.11" "SENT: MAIL FROM:<service@paypal.us>"
"SMTPC" 3500 62260 "2007-07-10 14:00:54.125" "206.46.232.11" "RECEIVED: 250 2.5.0 Address Ok."
"SMTPC" 3500 62260 "2007-07-10 14:00:54.125" "206.46.232.11" "SENT: RCPT TO:<writer10@verizon.net>"
"APPLICATION" 5516 "2007-07-10 14:00:54.203" "SMTPDeliverer - Message 241355: Failed to connect to 69.46.226.165."
"APPLICATION" 2948 "2007-07-10 14:00:54.203" "SMTPDeliverer - Message 241353: Failed to connect to 69.46.226.165."
"APPLICATION" 5516 "2007-07-10 14:00:54.203" "SMTPDeliverer - Message 241355: Message could not be delivered. Scheduling it for later delivery."
"APPLICATION" 2948 "2007-07-10 14:00:54.203" "SMTPDeliverer - Message 241353: Message could not be delivered. Scheduling it for later delivery."
"APPLICATION" 5516 "2007-07-10 14:00:54.203" "SMTPDeliverer - Message 241355: Message delivery thread completed."
"APPLICATION" 2948 "2007-07-10 14:00:54.203" "SMTPDeliverer - Message 241353: Message delivery thread completed."
"SMTPC" 3536 62258 "2007-07-10 14:00:54.265" "64.18.5.10" "RECEIVED: 221 Catch you later"
"TCPIP" 3536 "2007-07-10 14:00:54.265" "Disconnecting socket 1312 for session 62258"
"TCPIP" 4884 "2007-07-10 14:00:54.265" "DNS - MX Lookup: hotmail.com"
"TCPIP" 4884 "2007-07-10 14:00:54.265" "DNS - MX Result: 12 IP addresses were found."
"SMTPD" 3536 62249 "2007-07-10 14:00:54.359" "127.0.0.1" "RECEIVED: RCPT TO:<yiannis@lepalais.gr>"
"SMTPD" 3536 62249 "2007-07-10 14:00:54.359" "127.0.0.1" "SENT: 250 OK"
"SMTPC" 3500 62260 "2007-07-10 14:00:54.500" "206.46.232.11" "RECEIVED: 250 2.1.5 writer10@verizon.net OK."
"SMTPC" 3500 62260 "2007-07-10 14:00:54.500" "206.46.232.11" "SENT: DATA"
"SMTPC" 3536 62253 "2007-07-10 14:00:54.625" "202.95.238.201" "RECEIVED: 250 Requested mail action okay, completed"
"SMTPC" 3536 62253 "2007-07-10 14:00:54.625" "202.95.238.201" "SENT: RCPT TO:<vince@uno.net.ph>"
"SMTPC" 3500 62260 "2007-07-10 14:00:54.812" "206.46.232.11" "RECEIVED: 354 Enter mail, end with a single "."."
"SMTPC" 3500 62260 "2007-07-10 14:00:54.812" "206.46.232.11" "SENT: [nl]."
"SMTPD" 3536 62249 "2007-07-10 14:00:54.828" "127.0.0.1" "RECEIVED: RCPT TO:<yiayiamst@mailcity.com>"
"SMTPD" 3536 62249 "2007-07-10 14:00:54.828" "127.0.0.1" "SENT: 250 OK"
"SMTPC" 3536 62264 "2007-07-10 14:00:55.015" "65.54.244.8" "RECEIVED: 220 bay0-mc1-f1.bay0.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.msn.com/Anti-spam/. Violations will result in use of equipment located in California and other states. Tue, 10 Jul 2007 11:00:55 -0700 "
"SMTPC" 3536 62264 "2007-07-10 14:00:55.015" "65.54.244.8" "SENT: HELO domain.com"
"TCPIP" 3536 "2007-07-10 14:00:55.062" "Created accept socket 4104 on listening socket 2020"
"POP3D" 3536 62265 "2007-07-10 14:00:55.062" "10.0.2.85" "SENT: +OK POP3"
"POP3D" 3536 62265 "2007-07-10 14:00:55.078" "10.0.2.85" "RECEIVED: CAPA"
"POP3D" 3536 62265 "2007-07-10 14:00:55.078" "10.0.2.85" "SENT: -ERR Invalid command in current state."
"POP3D" 3536 62265 "2007-07-10 14:00:55.093" "10.0.2.85" "RECEIVED: USER jmccann"
"POP3D" 3536 62265 "2007-07-10 14:00:55.093" "10.0.2.85" "SENT: +OK Send your password"
"POP3D" 3536 62265 "2007-07-10 14:00:55.109" "10.0.2.85" "RECEIVED: PASS ***"
"POP3D" 3536 62265 "2007-07-10 14:00:55.109" "10.0.2.85" "SENT: +OK Mailbox locked and ready"
"POP3D" 3536 62265 "2007-07-10 14:00:55.125" "10.0.2.85" "RECEIVED: STAT"
"POP3D" 3536 62265 "2007-07-10 14:00:55.125" "10.0.2.85" "SENT: +OK 0 0"
"POP3D" 3536 62265 "2007-07-10 14:00:55.140" "10.0.2.85" "RECEIVED: QUIT"
"POP3D" 3536 62265 "2007-07-10 14:00:55.140" "10.0.2.85" "SENT: +OK POP3 server saying goodbye..."
"TCPIP" 3536 "2007-07-10 14:00:55.140" "Disconnecting socket 4376 for session 62265"
"SMTPD" 3536 62249 "2007-07-10 14:00:55.265" "127.0.0.1" "RECEIVED: RCPT TO:<yichongik@hanmail.net>"
"SMTPD" 3536 62249 "2007-07-10 14:00:55.281" "127.0.0.1" "SENT: 250 OK"
"SMTPC" 3500 62248 "2007-07-10 14:00:55.359" "195.121.6.51" "RECEIVED: 550 5.1.1 User unknown"
"SMTPC" 3500 62248 "2007-07-10 14:00:55.359" "195.121.6.51" "SENT: QUIT"
"SMTPC" 3536 62264 "2007-07-10 14:00:55.484" "65.54.244.8" "RECEIVED: 250 bay0-mc1-f1.bay0.hotmail.com (3.3.3.1) Hello [209.91.163.65]"
"SMTPC" 3536 62264 "2007-07-10 14:00:55.484" "65.54.244.8" "SENT: MAIL FROM:<service@paypal.us>"
"SMTPC" 3500 62260 "2007-07-10 14:00:55.640" "206.46.232.11" "RECEIVED: 250 2.5.0 Ok."
"SMTPC" 3500 62260 "2007-07-10 14:00:55.640" "206.46.232.11" "SENT: QUIT"
"SMTPD" 3536 62249 "2007-07-10 14:00:55.718" "127.0.0.1" "RECEIVED: RCPT TO:<yigawa@aol.com>"
"SMTPD" 3536 62249 "2007-07-10 14:00:55.718" "127.0.0.1" "SENT: 250 OK"
"SMTPC" 3500 62248 "2007-07-10 14:00:55.734" "195.121.6.51" "RECEIVED: 221 2.0.0 hpsmtp-eml05.kpnxchange.com Service closing transmission channel"
"TCPIP" 3500 "2007-07-10 14:00:55.734" "Disconnecting socket 4488 for session 62248"
"TCPIP" 6024 "2007-07-10 14:00:55.734" "DNS - MX Lookup: student.gsu.edu"
"SMTPC" 3536 62264 "2007-07-10 14:00:55.828" "65.54.244.8" "RECEIVED: 250 service@paypal.us....Sender OK"
"SMTPC" 3536 62264 "2007-07-10 14:00:55.828" "65.54.244.8" "SENT: RCPT TO:<xrtjywe@hotmail.com>"
"SMTPC" 3500 62260 "2007-07-10 14:00:55.937" "206.46.232.11" "RECEIVED: 221 2.3.0 Bye received. Goodbye."
"TCPIP" 3500 "2007-07-10 14:00:55.937" "Disconnecting socket 4500 for session 62260"
"TCPIP" 3580 "2007-07-10 14:00:55.937" "DNS - MX Lookup: wiegert.marsci.uga.edu"
"TCPIP" 6024 "2007-07-10 14:00:56.031" "DNS - MX Result: 1 IP addresses were found."
"SMTPD" 3536 62249 "2007-07-10 14:00:56.093" "127.0.0.1" "RECEIVED: RCPT TO:<yimmy@beefblast.org>"
"SMTPD" 3536 62249 "2007-07-10 14:00:56.093" "127.0.0.1" "SENT: 250 OK"
"SMTPC" 3536 62264 "2007-07-10 14:00:56.171" "65.54.244.8" "RECEIVED: 550 Requested action not taken: mailbox unavailable"
"SMTPC" 3536 62264 "2007-07-10 14:00:56.171" "65.54.244.8" "SENT: RCPT TO:<xryio@hotmail.com>"
"SMTPC" 3536 62253 "2007-07-10 14:00:56.375" "202.95.238.201" "RECEIVED: 250 Requested mail action okay, completed"
"SMTPC" 3536 62253 "2007-07-10 14:00:56.375" "202.95.238.201" "SENT: DATA"
"TCPIP" 3580 "2007-07-10 14:00:56.437" "DNS - MX Result: 0 IP addresses were found."
"APPLICATION" 3580 "2007-07-10 14:00:56.437" "SMTPDeliverer - Message 241356: No mail servers exists for the address writer10@verizon.net."
"TCPIP" 3580 "2007-07-10 14:00:56.437" "DNS - MX Lookup: yahoo.com"
"TCPIP" 3580 "2007-07-10 14:00:56.437" "DNS - MX Result: 10 IP addresses were found."
"SMTPD" 3536 62249 "2007-07-10 14:00:56.453" "127.0.0.1" "RECEIVED: RCPT TO:<yinginze@pacific.net.sg>"
"SMTPD" 3536 62249 "2007-07-10 14:00:56.453" "127.0.0.1" "SENT: 250 OK"
"SMTPC" 3500 62264 "2007-07-10 14:00:56.453" "65.54.244.8" "RECEIVED: 550 Requested action not taken: mailbox unavailable"
"SMTPC" 3500 62264 "2007-07-10 14:00:56.453" "65.54.244.8" "SENT: RCPT TO:<xsliimx@hotmail.com>"
"SMTPC" 3500 62267 "2007-07-10 14:00:56.562" "216.39.53.2" "RECEIVED: 220 mta212.mail.re4.yahoo.com ESMTP YSmtp service ready"
"SMTPC" 3500 62267 "2007-07-10 14:00:56.562"
********(removed legit email stuff)**********
"SMTPC" 3500 62264 "2007-07-10 14:00:56.578" "65.54.244.8" "RECEIVED: 250 xsliimx@hotmail.com "
"SMTPC" 3500 62264 "2007-07-10 14:00:56.578" "65.54.244.8" "SENT: RCPT TO:<xsmat@hotmail.com>"
"SMTPD" 3500 62249 "2007-07-10 14:00:56.593" "127.0.0.1" "RECEIVED: RCPT TO:<yingyiduan@hotmail.com>"
"SMTPD" 3500 62249 "2007-07-10 14:00:56.593" "127.0.0.1" "SENT: 250 OK"
"POP3D" 3536 62268 "2007-07-10 14:00:56.593" "10.0.3.69" "SENT: +OK Mailbox locked and ready"
"POP3D" 3536 62268 "2007-07-10 14:00:56.593" "10.0.3.69" "RECEIVED: STAT"
"POP3D" 3536 62268 "2007-07-10 14:00:56.593" "10.0.3.69" "SENT: +OK 605 108410102"
"POP3D" 3536 62268 "2007-07-10 14:00:56.609" "10.0.3.69" "RECEIVED: LIST"
"POP3D" 3536 62268 "2007-07-10 14:00:56.609" "10.0.3.69" "SENT: +OK 605 messages (108410102 octets)"
"POP3D" 3536 62268 "2007-07-10 14:00:56.609" "10.0.3.69" "SENT: 1 2036[nl]2 35868[nl]3 20408[nl]4 .....etc......"
"POP3D" 3536 62268 "2007-07-10 14:00:56.609" "10.0.3.69" "RECEIVED: UIDL"
"POP3D" 3536 62268 "2007-07-10 14:00:56.609" "10.0.3.69" "SENT: +OK 605 messages (108410102 octets)[nl]1 1037[nl]2 1150[nl]3 1990[nl]....etc......"
"POP3D" 3536 62268 "2007-07-10 14:00:56.609" "10.0.3.69" "RECEIVED: RETR 605"
"POP3D" 3536 62268 "2007-07-10 14:00:56.609" "10.0.3.69" "SENT: +OK 855 octets"
"POP3D" 3536 62268 "2007-07-10 14:00:56.609" "10.0.3.69" "SENT: ."

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2007-07-10 22:32

No, still no complete log. The log does not show the start of that SMTP conversation. If you zip the entire log and send it to me at martin@hmailserver.com I can take a look at it.

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-10 22:59

Will do! Thanks Martin! Just got to edit the log file... 1 day's worth of entries is 120MB unzipped....and 33MB zipped. Don't think you'll appreciate receiving THAT via email. I'm going to cut it down to 2 or 3 hours worth first.

tonda
Normal user
Posts: 93
Joined: 2006-10-20 14:13
Location: CZ

Post by tonda » 2007-07-11 00:05

Just an idea: I have seen a lot of 127.0.0.1 addresses in your log. What is your localhost IP range setting? What happens when e-mail arrives from spammer through ASSP and ASSP in turn connects to hmailserver from localhost address? I suppose hmailserver uses localhost IP range and appropriate settings from this range so I think you could try to check localhost IP range settings also...

iprat
Normal user
Posts: 247
Joined: 2005-05-20 16:50
Location: Barcelona, EU

Post by iprat » 2007-07-11 09:21

I think the problem is in ASSP config.

Spammer talks to ASSP.

ASSP accepts it and talks to hMailserver from 127.0.0.1, which is entirely reliable to hMailServer.

The problem probably is that ASSP is not correctly configured, as it lets the spammer pass messages to your hMailServer while mine doesn't.

Be sure to define your local domain in ASSP.

I have my hMailserver 127.0.0.1 range set up like yours, so I would bet the problem is in your ASSP configuration.
My perfect combination:
hMailServer 5.6.1 (B2208), ASSP 1.3.3.8 (antispam), Clamav 0.98.6 (antivirus)

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-11 13:01

Hi guys, thanks for the responses... Just sent my log to Martin, so hoping for his input on that. As for your suggestions...

The main problem as far as I can tell is that the spammer can use my hmail server to send email at all. The fact that ASSP is not stopping them once hmail sends them out seems to be a secondary concern... Of course I could be wrong.

tonda:
From what I gather, the fact that 127.0.0.1 appears so often in the log means the spammer is somehow using the server's localhost address to send the spam, which is probably why the external-to-external address feature being turned off doesn't stop the emails from being sent (i.e. it acts as local to external address, which IS enabled). ASSP actually doesn't catch spam before it hits the hmail server -- it is an SMTP proxy, meaning it catches it on the way out (feel free to correct me anyone, I'm a bit new to ASSP). For instance, if I delete a spam message that is sitting in hmail's queue, that message never reaches ASSP.

iprat: If there is an issue with ASSP, I don't know what it is--it certainly works great to block all other spam. I have added the spammer domain names into my blacklist, but it doesn't stop their email messages from a) being added to the 'not spam' folder and b) therefore being sent. Even after I manually send the spam to spam@domain.com, which chucks the spam in my errors/spam folder and then update my spam database, the stuff comes through. My local domain is definitely defined in ASSP. I'm really not sure where else to look to, since ASSP's settings seem pretty basic and have worked for everything in the last year. :(

I'm hoping I can stop the spammer at the hmail level, since even if ASSP blocks the spam, the spammer still floods hmail and generally slows everything down (these spam problems are coinciding with clients having problems connecting to the server at times).

iprat
Normal user
Posts: 247
Joined: 2005-05-20 16:50
Location: Barcelona, EU

Post by iprat » 2007-07-11 13:09

Well in my setup the job is done like this:

Local user->ASSP->hMailServer
inet->ASSP->hMailServer

So it is on the front line on both occasions.

In ASSP you must fill in, under the relaying options, your local domain and allowed IPs (in my case mydomain.com and 127.0.0.1 192.168.0.)

In my server all outgoing SMTP need user+password, and ASSP automatically sees if authenticated SMTP is used, and then it lets our WAN users send emails using SMTP without problems (as they use authentication).

Maybe Martin's logs tell us something else, but I'm sure there's a misconfiguration in ASSP or in hMailserver.

Anyway, are you sure you have correctly passed open relay tests? http://www.abuse.net/relay.html or others...
My perfect combination:
hMailServer 5.6.1 (B2208), ASSP 1.3.3.8 (antispam), Clamav 0.98.6 (antivirus)

iprat
Normal user
Posts: 247
Joined: 2005-05-20 16:50
Location: Barcelona, EU

Post by iprat » 2007-07-11 13:16

Well, there's always the option that you have a bot on your local machines or server working for a spammer. Have you checked the headers of those emails to see where they originate?

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2007-07-11 13:20

The spam is not sent from an external account. A spammer authenticates successfully on the account info@<defaultdomain> and then sends the spam messages. Users who have logged on with a password are considered trusted and may send email from any address.

I figured out the password for the info-account on my first attempt. This is what happens if you're lazy when choosing passwords...

iprat
Normal user
Posts: 247
Joined: 2005-05-20 16:50
Location: Barcelona, EU

Post by iprat » 2007-07-11 13:23

iprat wrote: Maybe Martin's logs tell us something else, but I'm sure there's a misconfiguration in ASSP or in hMailserver.
So there's no misconfiguration anywhere :lol:

Probably there are bots on inet that try the obvious combinations:

user: jim
pass: jim

The solution couldn't be easier :D
My perfect combination:
hMailServer 5.6.1 (B2208), ASSP 1.3.3.8 (antispam), Clamav 0.98.6 (antivirus)

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-11 13:51

martin wrote: I figured out the password for the info-account on my first attempt. This is what happens if you're lazy when choosing passwords...
Ugh... Go figure. Thanks Martin. I knew it would be something dumb like that. Hah, at least I can blame whoever originally set this server up--probably they left it at whatever the default is. I'll change it and post in a few days to tell you guys whether that fixed the situation.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2007-07-11 13:57

probably they left it at whatever the default is
Nope, they didn't. They actually set the password manually, they just choose a bad one. :)

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-11 14:48

Yeah, Martin, you're right about the manual password (I'm at work now, so I see it isn't some special builtin account that would have had a default password) ... Let me guess, the password was, hm, 'info'? (that would have been MY first guess). I have a sneaking suspicion that there are a LOT of passwords like that kicking around, so now I'm off to change all the obvious ones just in case. Ah, yes, nothing like a good wakeup call!

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-11 14:56

Hm, resetting the password to something insanely difficult to crack didn't work, so I'm making the account inactive for now, to troubleshoot. The only thing I'm aware of that we use it for is to send mass emails anyway.

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2007-07-11 15:37

Are you sure hMailServer still accepted new email after you've changed the password? The email messages which are still in the queue won't be removed just because you changed the password... :)

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-11 15:51

Yeah, definitely had to remove the old stuff from the queue.

That said, changing the password for the info account is not preventing new spam from arriving... I even disabled the info account and it's still coming through. :( I gave it a good hour, just to be sure, but new spammer messages are still lining up in the queue, the little bastards.

Going back over the logs again... Hey Martin, where are you looking to spot the account the spammer is using to send from? It's not obvious to me... and I'm trying to find out if there's another account the spammer is using (this morning it's using the service@ticfcu.com account to send spam). I can see it authenticating with a string of unknown-to-me letters/numbers at one point (this morning), but I'm not sure how useful that is:

"SMTPD" 3500 72118 "2007-07-11 09:08:21.171" "127.0.0.1" "RECEIVED: AUTH LOGIN"
"SMTPD" 3500 72118 "2007-07-11 09:08:21.171" "127.0.0.1" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3500 72118 "2007-07-11 09:08:21.562" "127.0.0.1" "RECEIVED: YWRtaW4="
"SMTPD" 3500 72118 "2007-07-11 09:08:21.562" "127.0.0.1" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3500 72118 "2007-07-11 09:08:21.796" "127.0.0.1" "RECEIVED: ***"
"SMTPD" 3500 72118 "2007-07-11 09:08:21.796" "127.0.0.1" "SENT: 235 authenticated."
"SMTPD" 3500 72118 "2007-07-11 09:08:22.031" "127.0.0.1" "RECEIVED: RSET"
"SMTPD" 3500 72118 "2007-07-11 09:08:22.031" "127.0.0.1" "SENT: 250 OK"
"SMTPD" 3500 72118 "2007-07-11 09:08:22.562" "127.0.0.1" "RECEIVED: MAIL FROM:<service@ticfcu.com>"

martin
Developer
Posts: 6834
Joined: 2003-11-21 01:09
Location: Sweden

Post by martin » 2007-07-11 16:04

The third line in that log snippet contains a base64-decoded version of the user name. This is where the user authenticates.

If you go to for example:
http://www.opinionatedgeek.com/dotnet/t ... fault.aspx
type in YWRtaW4= and press Decode, you'll see that the username in this case is "admin".
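
Martin's two pointers in this thread, looking at the SMTPD session in which hMailServer accepted the message rather than the SMTPC delivery attempts, and base64-decoding the reply to the AUTH LOGIN "334" challenge to see which account logged in, can be automated over a saved log. The script below is an added example, not code from this thread or from hMailServer. It assumes the line layout seen in the excerpts posted here ("MODULE" thread [session] "timestamp" ["ip"] "message"), handles only AUTH LOGIN (not AUTH PLAIN), and runs over constructed sample lines modelled on the posted ones; the function names (parse_line, group_sessions, session_summary, report) are mine. For each SMTPD session it reports the decoded user name, whether the server answered 235, and the MAIL FROM addresses used afterwards, which is exactly the pattern Martin describes: an account that authenticates and then sends as an arbitrary address.

```python
"""Group hMailServer-style log lines by session and recover the AUTH LOGIN user.

Added example, not hMailServer's own code. It assumes the line format seen in
the excerpts in this thread:  "MODULE" thread [session] "timestamp" ["ip"] "message"
and that the server's AUTH LOGIN challenges are base64 "Username:"/"Password:".
"""
import base64
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^"(?P<module>[A-Z0-9]+)" (?P<thread>\d+)'
    r'(?: (?P<session>\d+))? "(?P<ts>[^"]+)"'
    r'(?: "(?P<ip>[^"]+)")? "(?P<msg>.*)"$'
)

# Constructed sample: an authenticated SMTPD session, an unauthenticated one,
# a client-side (SMTPC) line, a TCPIP line without a session id and a truncated line.
SAMPLE_LOG = """\
"SMTPD" 3500 72118 "2007-07-11 09:08:21.171" "127.0.0.1" "RECEIVED: AUTH LOGIN"
"SMTPD" 3500 72118 "2007-07-11 09:08:21.171" "127.0.0.1" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3500 72118 "2007-07-11 09:08:21.562" "127.0.0.1" "RECEIVED: YWRtaW4="
"SMTPD" 3500 72118 "2007-07-11 09:08:21.562" "127.0.0.1" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3500 72118 "2007-07-11 09:08:21.796" "127.0.0.1" "RECEIVED: ***"
"SMTPD" 3500 72118 "2007-07-11 09:08:21.796" "127.0.0.1" "SENT: 235 authenticated."
"SMTPD" 3500 72118 "2007-07-11 09:08:22.562" "127.0.0.1" "RECEIVED: MAIL FROM:<service@ticfcu.com>"
"TCPIP" 3500 "2007-07-11 09:08:30.000" "Disconnecting socket 4264 for session 72118"
"SMTPC" 3536 62340 "2007-07-10 14:01:42.905" "64.97.204.10" "SENT: HELO wpshc.com"
"SMTPC" 3500 62267 "2007-07-10 14:00:56.562"
"SMTPD" 3500 72200 "2007-07-11 09:10:00.000" "10.0.2.85" "RECEIVED: MAIL FROM:<alice@domain.com>"
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def group_sessions(log_text):
    """Map (module, session id) -> records in log order.

    Keyed on the session id, not the thread id: in the excerpts posted above the
    same session (e.g. 62249) is served by several threads (3500 and 3536).
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["session"]:
            sessions[(rec["module"], rec["session"])].append(rec)
    return dict(sessions)


def decode_b64(token):
    """Decode a base64 token to text, or None if it is not valid base64
    (e.g. the "***" hMailServer writes in place of the password)."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None


def session_summary(records):
    """For one SMTPD session: the AUTH LOGIN user name, whether the server
    answered 235 (success) and every MAIL FROM address used afterwards."""
    username, expect_user, authenticated, senders = None, False, False, []
    for rec in records:
        msg = rec["msg"]
        if msg.startswith("SENT: 334 "):
            # 334 carries the server challenge: VXNlcm5hbWU6 = "Username:", UGFzc3dvcmQ6 = "Password:"
            challenge = decode_b64(msg[len("SENT: 334 "):].strip()) or ""
            expect_user = challenge.lower().startswith("username")
        elif msg.startswith("SENT: 235"):
            authenticated = True
        elif msg.startswith("RECEIVED: "):
            payload = msg[len("RECEIVED: "):]
            if payload.upper().startswith("AUTH LOGIN "):
                # Some clients send the user name inline with the AUTH command
                username = decode_b64(payload.split(" ", 2)[2].strip())
            elif expect_user:
                username = decode_b64(payload.strip())
                expect_user = False
            elif payload.upper().startswith("MAIL FROM:"):
                senders.append(payload[len("MAIL FROM:"):].strip().strip("<>"))
    return {
        "session": records[0]["session"],
        "ip": records[0]["ip"],
        "username": username,
        "authenticated": authenticated,
        "mail_from": senders,
    }


def report(log_text):
    """Summaries of every server-side (SMTPD) session, sorted by session id."""
    sessions = group_sessions(log_text)
    return [session_summary(recs)
            for (module, _sid), recs in sorted(sessions.items()) if module == "SMTPD"]


if __name__ == "__main__":
    for s in report(SAMPLE_LOG):
        who = s["username"] or "(no AUTH LOGIN)"
        print(f"session {s['session']} from {s['ip']}: user={who} "
              f"auth_ok={s['authenticated']} mail_from={s['mail_from']}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents. Only the user name is recoverable, since hMailServer logs the password reply as "***"; a session that shows user=admin, auth_ok=True and a MAIL FROM in some other domain is the kind of entry to act on by changing that account's password and clearing the queued messages, as the thread goes on to do.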

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-11 16:15

martin wrote: you'll see that the username in this case is "admin".
... and guess what the password to the admin account is . . . ? Imagine, I guessed it in one try... sheesh. I am hating the previous IT person right now.

Well, I'm hoping my troubles are at least helping other people. I'm certainly learning a lot. I'll keep you posted.

Slug
Moderator
Posts: 1369
Joined: 2005-03-13 05:42
Location: Sydney Australia

Post by Slug » 2007-07-12 02:56

This thread is better entertainment than the comics....
Missing Hmailserver ... Now running Debian servers

iprat
Normal user
Posts: 247
Joined: 2005-05-20 16:50
Location: Barcelona, EU

Post by iprat » 2007-07-12 09:05

Slug wrote: This thread is better entertainment than the comics....
:lol: Couldn't agree more with you :lol:

Be careful not to have some more obvious accounts like:

support,
yourdomainname,

etc....

;)
My perfect combination:
hMailServer 5.6.1 (B2208), ASSP 1.3.3.8 (antispam), Clamav 0.98.6 (antivirus)

entropicsinkhole
Normal user
Posts: 119
Joined: 2007-05-28 21:10

Post by entropicsinkhole » 2007-07-12 15:11

Slug wrote: This thread is better entertainment than the comics....
Geez, glad my aggravation provided you guys some entertainment LOL. I've only worked at this place for two months and I could tell you some horror stories about security that would make you piss your pants. You think the email passwords are bad...want to take a crack at some domain passwords next? Yeah, "Send in the clowns!"
iprat wrote: Be careful not to have some more obvious accounts like:

support,
yourdomainname,
Seriously, you don't even want me to start a rant on this one...


All kidding aside, I appreciate everyone's help and advice, especially Martin! I checked my mail queue and logs this morning and Bastard Spammer has disappeared, courtesy of some newly secure passwords.
