Way to auto-ban unknown user

bagu
Normal user
Posts: 224
Joined: 2005-06-17 03:08
Location: France

Post by bagu » 2016-11-03 13:26

Is there a way to auto-ban, for a specified time, a sender which tries to send to an unknown user directly?
Because I have a ton of SENT: 550 Unknown user with 60 minutes between every try...
hMailServer 5.6.8 With SpamAssassin 3.4.2

jimimaseye
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: Way to auto-ban unknown user

Post by jimimaseye » 2016-11-03 16:31

No it's not really possible unless you want to write a script that monitors your log files. Standard functionality doesn't allow you otherwise.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

ras07
Normal user
Posts: 228
Joined: 2010-03-11 08:51

Re: Way to auto-ban unknown user

Post by ras07 » 2016-11-19 04:25

I think you actually could do it without resorting to monitoring the log files. Create a "catch-all" account (Advanced tab under Domain settings). In OnAcceptMessage save the sender's IP address to a header, like so:

Sub OnAcceptMessage(oClient, oMessage)
	' Record the connecting client's IP in a custom header so that OnDeliveryStart,
	' which gets no client object, can still see where the message came from.
	oMessage.HeaderValue("X-Sender-IP") = oClient.IPAddress
	oMessage.Save
End Sub
Then in OnDeliveryStart, look for your catch-all address and if found, ban the sender's IP (and optionally, don't deliver the email):

Sub OnDeliveryStart(oMessage)
	Dim i, sRecipients
	For i = 0 To oMessage.Recipients.Count - 1		' string all recipient addresses together
		sRecipients = sRecipients & " " & oMessage.Recipients.Item(i).Address
	Next
	' If the catch-all account is among the recipients, the address given in RCPT TO
	' did not exist: ban the sender's IP and drop the message.
	' Note: DateAdd's "w" interval adds days, so 1, "w" is a one-day ban; use "ww" for a week.
	If InStr(1, sRecipients, "catchall@mydomain.com", vbTextCompare) Then
		Call AutoBan(oMessage.HeaderValue("X-Sender-IP"), "UnknownUser", 1, "w")
		Result.Value = 1			' 1 = delete the message instead of delivering it
	End If
End Sub
The AutoBan subroutine is unapologetically stolen from SorenR in this post: viewtopic.php?f=7&t=29832&p=190838&hili ... an#p190838

' Admin credentials for the hMailServer COM API: placeholders, fill in for your server.
Const ADMIN = "Administrator"
Const PASSWORD = "your-admin-password"

Sub AutoBan(sIPAddress, sReason, iDuration, sType)

	'	sType is a VBScript DateAdd interval and can be one of the following;
	'
	'	"yyyy" - Year
	'	   "q" - Quarter
	'	   "m" - Month
	'	   "y" - Day of year
	'	   "d" - Day
	'	   "w" - Weekday (DateAdd adds days for this interval)
	'	  "ww" - Week of year
	'	   "h" - Hour
	'	   "n" - Minute
	'	   "s" - Second

	' LockFile() is a helper from SorenR's post linked above and is not reproduced here;
	' it returns an object whose .Close releases the lock, so that two SMTP sessions running
	' this handler at the same time do not both try to add the same range.

	Dim oApp : Set oApp = CreateObject("hMailServer.Application")
	Call oApp.Authenticate(ADMIN, PASSWORD)
	With LockFile("c:\temp\autoban.lck")
		On Error Resume Next
		oApp.Settings.SecurityRanges.Refresh
		' Add the range only once; its name encodes reason and IP so it can be looked up again.
		If oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing Then
			With oApp.Settings.SecurityRanges.Add
				.Name = "(" & sReason & ") " & sIPAddress		' the original read IPAddress, an undeclared variable
				.LowerIP = sIPAddress
				.UpperIP = sIPAddress
				.Priority = 20			' must be higher than the range that currently allows the connection
				.Expires = True
				.ExpiresTime = DateAdd(sType, iDuration, Now())
				.Save
			End With
		End If
		oApp.Settings.SecurityRanges.Refresh
		On Error Goto 0
		.Close
	End With
End Sub
(Disclaimer: I haven't tested this code specifically, but I do something very like it on my server)

ras07
Normal user
Posts: 228
Joined: 2010-03-11 08:51

Re: Way to auto-ban unknown user

Post by ras07 » 2016-11-19 04:59

Alternately, if you cheat a little with some third-party tools you can pretty simply monitor the log file to do this. Make sure SMTP logging is on, then do something like this:

Sub OnAcceptMessage(oClient, oMessage)
	Dim LogFileName, NowTime
	NowTime = Now
	' Today's SMTP log: hmailserver_YYYY-MM-DD.log, with month and day zero-padded
	LogFileName = "c:\HMailServer\Logs\hmailserver_" & Year(NowTime) & "-" & _
		Right("0" & Month(NowTime), 2) & "-" & Right("0" & Day(NowTime), 2) & ".log"

	Dim objShell, CmdLine, sErrorCode
	Set objShell = CreateObject("WScript.Shell")
	' Tail the log and grep for this client's IP followed by a "550 Unknown user" reply.
	' grep exits 0 on a match and 1 on no match. The IP comes from the socket, not from
	' anything the client typed, so splicing it into the command line is safe.
	CmdLine = "%ComSpec% /c tail -100 " & LogFileName & " | grep """ & Trim(oClient.IPAddress) & ".*SENT: 550 Unknown user"""
	sErrorCode = objShell.Run(CmdLine, 0, True)		' 0 = hidden window, True = wait and return the exit code
	If sErrorCode = 0 Then
		Call AutoBan(oClient.IPAddress, "UnknownUser", 1, "w")		' the original had "oClient,IPAddress" (comma typo)
	End If
End Sub
tail.exe and grep.exe come from UnxUtils, a Windows port of a bunch of common Unix utilities, available on SourceForge. tail -100 looks at the last 100 lines of your log file (adjust the number to suit). grep looks for a line that has the IP address in question, followed by some stuff, followed by SENT: 550 Unknown user. (Note that a dot is the "any single character" wildcard in grep, so looking for 192.168.0.1 would actually match, for example, 192z168@021 ... you could get more precise by escaping the dots in the IP address with a preceding backslash, but in practice an accidental match would be vanishingly rare.)

Note also that you might have to turn off the "Keep files open" option in the log file settings in hMailServer.

This executes reasonably quickly (on the order of 30 ms on my server). Again, I didn't test this specific code but I do something very like this to check whether the sender issued a STARTTLS command. (It used to be that spambots almost never used encrypted sessions, although I'm seeing more encrypted spam recently.)

If making a shell call offends your sensibilities, I think there's a way to replicate the "tail" function by opening the log file as a stream and using the .Skip method ... then call VBScript.RegExp to do the regular expression search.
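The check without the shell call, along the lines ras07 sketches in the last paragraph, as an added example that is not code from the original post: it reads the tail of today's log with FileSystemObject, matches with VBScript.RegExp, escapes the dots in the IP so that 192.0.2.10 cannot match 192z0y2z10, and bans only after a threshold of hits rather than on the first one. Assumptions not taken from the thread: the log directory, that the client IP and the "SENT: 550 Unknown user" text appear on the same log line in that order, the 64 KB tail size, the threshold of 3, and that the AutoBan subroutine from ras07's earlier post is present in the same EventHandlers.vbs.

```vbscript
' Added example: log-tail check for repeated "550 Unknown user" replies, no tail.exe/grep.exe.
' Assumes AutoBan() from ras07's earlier post is defined elsewhere in EventHandlers.vbs.

Const LOG_DIR    = "C:\hMailServer\Logs\"   ' assumption: adjust to your install
Const TAIL_BYTES = 65536                    ' inspect only the last 64 KB of the log
Const MAX_HITS   = 3                        ' ban once this many 550s are seen for one IP

' Today's SMTP log file: hmailserver_YYYY-MM-DD.log (month and day zero-padded)
Function TodayLogFile()
	Dim d : d = Now
	TodayLogFile = LOG_DIR & "hmailserver_" & Year(d) & "-" & _
		Right("0" & Month(d), 2) & "-" & Right("0" & Day(d), 2) & ".log"
End Function

' Roughly the last TAIL_BYTES of a text file as one string ("" if the file is missing or empty).
' Needs "Keep files open" switched off in hMailServer's logging settings.
Function TailText(sPath)
	Dim fso, f, ts
	TailText = ""
	Set fso = CreateObject("Scripting.FileSystemObject")
	If Not fso.FileExists(sPath) Then Exit Function
	Set f = fso.GetFile(sPath)
	If f.Size = 0 Then Exit Function
	Set ts = f.OpenAsTextStream(1)                           ' 1 = ForReading
	If f.Size > TAIL_BYTES Then ts.Skip f.Size - TAIL_BYTES  ' jump to the tail; first line may be partial
	TailText = ts.ReadAll
	ts.Close
End Function

' Count lines in sText where sClientIP (as a whole token, dots escaped) is followed by
' "SENT: 550 Unknown user". Escaping the dots keeps 192.0.2.10 from matching 192z0y2z10.
Function CountUnknownUserHits(sText, sClientIP)
	Dim re, i, aLines, nHits
	Set re = CreateObject("VBScript.RegExp")
	re.IgnoreCase = True
	re.Pattern = "\b" & Replace(sClientIP, ".", "\.") & "\b.*SENT: 550 Unknown user"
	aLines = Split(sText, vbLf)
	nHits = 0
	For i = 0 To UBound(aLines)
		If re.Test(aLines(i)) Then nHits = nHits + 1
	Next
	CountUnknownUserHits = nHits
End Function

Sub OnAcceptMessage(oClient, oMessage)
	Dim nHits
	nHits = CountUnknownUserHits(TailText(TodayLogFile()), Trim(oClient.IPAddress))
	If nHits >= MAX_HITS Then
		' One-day ban ("d" = day interval for DateAdd); AutoBan comes from the post above.
		Call AutoBan(oClient.IPAddress, "UnknownUser", 1, "d")
	End If
End Sub
```

Reading a fixed number of bytes from the end rather than the whole file keeps the cost per message constant as the daily log grows; the partial first line that Skip leaves behind cannot produce a false match because the pattern needs the complete IP token. The threshold is what separates the bot the original poster describes (one probe every 60 minutes, all day) from a legitimate server that mistyped one address once.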

estradis
Normal user
Posts: 156
Joined: 2014-09-09 10:47

Re: Way to auto-ban unknown user

Post by estradis » 2017-01-20 16:39

ras07 wrote:I think you actually could do it without resorting to monitoring the log files. Create a "catch-all" account (Advanced tab under Domain settings). In OnAcceptMessage save the sender's IP address to a header, like so:

[...]

Then in OnDeliveryStart, look for your catch-all address and if found, ban the sender's IP (and optionally, don't deliver the email):

[...]
Be careful!

OnAcceptMessage is the last point at which you can refuse incoming messages with NDRs created by the transmitting server. After that point *the message is delivered from the sender's point of view*. Especially in Germany this means by law that the email has arrived at the recipient, therefore the sender can start a legal dispute. Accepting the mail first just to delete it afterwards can lead to the loss of any case in court.

Indeed the idea is great, but *check and refuse the transmission in OnAcceptMessage* so the sender will be notified. This will save you from being sentenced.

jimimaseye
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: Way to auto-ban unknown user

Post by jimimaseye » 2017-01-20 17:05

estradis wrote: OnAcceptMessage is the last point you can refuse incoming messages with NDRs created by transmitting server. After that point *the message is delivered by the senders view*. Especially in Germany this means by law, that the email has arrived to recipient, therefore the sender can start a legal dispute.
How is this different to emails being received, identified as spam/malicious (falsely or otherwise), and being deleted by antispam/malware software? What possible legal case can there be against someone based on an accusation of "your email server didn't refuse my email therefore you must have read it"?

A receiving email server is no proof of reading and I doubt there is any case that would win based on it. (Servers can be tampered with, misconfigured, an erroneous antispam measure could delete it, or the recipient might simply not log in to read it.) I don't think 'email' has ever been considered a guaranteed method of instant communication - it's not like a telephone call where you would know immediately if it is being answered by the intended recipient. In fact good 'antispam' practice is to accept all emails and dump rather than bounce (to avoid backscatter and unnecessary email traffic).

THAT SAID......

......I would now liken this to saying a letter pushed through the letter box is no guarantee of it being read. But here in the UK there is something even more ridiculous: the law courts deem a 'court summons' (a demand to appear in court - stay with me.....) as being served and accepted just by generating the letter and putting it in their outgoing post or postbox! In other words, irrespective of the fact that the letter might not make it to the post office, or that the post office might lose it, or that the letter might be delivered to the wrong address, or that no one is home to read it, they consider it READ by the recipient. (I know this because I went to Australia a few years ago - spent 4 months away - and came back to a warrant for my arrest due to not responding to a speeding ticket and the subsequent court summons due to its non-payment, all because I was away when they both arrived through my letterbox.) Obviously, using registered post (requiring a signature on delivery) for such post would ensure and prove whether their letter was accepted or not. (Just as an NDR does in the email world.) In either case, though, it's still no proof of READING.

ras07
Normal user
Posts: 228
Joined: 2010-03-11 08:51

Re: Way to auto-ban unknown user

Post by ras07 » 2017-01-20 19:31

As they say, I Am Not A Lawyer, but I'll just point out that we're talking about deleting mail that was sent to a non-existent account. So who, exactly, is "the law" going to presume the recipient is? If I write "To Fred" (and nothing else) on an envelope and drop it in the local post, I don't think a court is going to be very sympathetic when I tell them that I presume Fred got my letter and is ignoring it.

jimimaseye
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: Way to auto-ban unknown user

Post by jimimaseye » 2017-01-20 20:04

ras07 wrote:As they say, I Am Not A Lawyer, but I'll just point out that we're talking about deleting mail that was sent to a non-existent account. So who, exactly, is "the law" going to presume the recipient is? If I write "To Fred" (and nothing else) on an envelope and drop it in the local post, I don't think a court is going to be very sympathetic when I tell them that I presume Fred got my letter and is ignoring it.
:lol: Like it.

estradis
Normal user
Posts: 156
Joined: 2014-09-09 10:47

Re: Way to auto-ban unknown user

Post by estradis » 2017-01-21 12:25

First of all, *I never wrote that the mail must be read!* I was talking about accepting and delivering mails. What the recipient does with it is not part of the law.

In Germany, emails are handled like hand-written letters or postcards. The postmaster is treated like a postman. This means that when the mail server is accepting emails, they must be delivered regardless of their content or whether the account exists or not. (For the sender there is no difference between an account, an alias or a catch-all address.) Only antivirus filtering is accepted, because the sender would have to explain in court why he sent malicious mails and why they must have been delivered to the recipient.

Every mail *must* be delivered once it was accepted by the server. The user behind the address *must* check its spam folders (not read mails!) once a day when the account is used for business. That's the law in Germany!

What's the use case? I don't know exactly! The only thing making sense to me is that someone is sending you an email with a typo in the recipient's address. When the message is refused because the user is unknown, then the sender will hopefully detect his mistake and send the mail again with the correct recipient. When you use a catch-all address, the sender won't ever be informed about his mistake. He believes that his message has arrived. This becomes critical when the message is a valid bill or contains a deadline for a law case.

Yes, it *IS* ridiculous and yes it *IS* a big problem in Germany, because we have a lot of lawyers doing nothing else than seeking out especially these incidents and then taking you to court.

All I wanted to say is that you had better check your law before accepting any email without delivering it to any postbox, and it will be a better choice to reject mails in a way that the sender will be notified.

Especially in the example above there is no reason to accept messages first just to delete them afterwards. You can combine both events and reject mails in OnAcceptMessage. They will then be deleted automatically by hMailServer after the sender has been notified.

And again, the idea is great!
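ras07's catch-all trick and estradis's point combined, as an added example that is not code from either post: the unknown-recipient test is done in OnAcceptMessage, the IP is banned, and the message is rejected while the SMTP session is still open, so the sending server has to produce the NDR itself and nothing is accepted only to be deleted. Assumptions not stated in the thread: that by the time OnAcceptMessage fires hMailServer has already resolved a recipient that matched no account or alias to the catch-all account (Recipient.Address), while Recipient.OriginalAddress still holds the address given in RCPT TO (ras07's OnDeliveryStart check relies on the same resolution); the catch-all address name from ras07's post; a one-day ban; and that the AutoBan subroutine from ras07's post is present in the same EventHandlers.vbs.

```vbscript
' Added example: detect recipients that only exist because of the catch-all, ban the client
' IP and reject in-session instead of accept-then-delete.
' Assumes AutoBan() from ras07's post above is defined elsewhere in EventHandlers.vbs.

Const CATCHALL = "catchall@mydomain.com"   ' the catch-all account name used in ras07's post

' True when a recipient was accepted only because of the catch-all: hMailServer resolved it
' (Address) to the catch-all account, but the address actually given in RCPT TO
' (OriginalAddress) is something else, i.e. no account or alias matched it.
' An alias expands to its own target, not to the catch-all, so aliases are not flagged.
' Assumption: Address/OriginalAddress are populated this way at OnAcceptMessage time.
Function IsSwallowedByCatchAll(oRecipient)
	IsSwallowedByCatchAll = (LCase(oRecipient.Address) = LCase(CATCHALL)) And _
		(LCase(oRecipient.OriginalAddress) <> LCase(CATCHALL))
End Function

' The first unknown RCPT TO address in the message, or "" if every recipient was real.
Function FirstUnknownRecipient(oMessage)
	Dim i
	FirstUnknownRecipient = ""
	For i = 0 To oMessage.Recipients.Count - 1
		If IsSwallowedByCatchAll(oMessage.Recipients.Item(i)) Then
			FirstUnknownRecipient = oMessage.Recipients.Item(i).OriginalAddress
			Exit Function
		End If
	Next
End Function

Sub OnAcceptMessage(oClient, oMessage)
	Dim sUnknown
	sUnknown = FirstUnknownRecipient(oMessage)
	If sUnknown <> "" Then
		' Ban for one day ("d" = day interval for DateAdd). A legitimate server that mistyped
		' one address is unblocked again automatically; a bot probing addresses is not.
		Call AutoBan(oClient.IPAddress, "UnknownUser", 1, "d")
		' Reject while the session is open: Result.Value 1 = reject, Result.Message = text
		' returned to the client. The sending server now generates the bounce, not us.
		Result.Value = 1
		Result.Message = "Unknown user " & sUnknown
	End If
End Sub
```

Two things to keep in mind. Rejection here applies to the whole message, so a message addressed to one real account and one unknown address in the same transaction is refused entirely; if that matters, ban without rejecting and let the real recipients' copies through. And if your hMailServer build does not expose OriginalAddress on the recipient, the same test can be written by comparing each Recipient.Address against the list of accounts and aliases you actually define, which is slower but does not depend on how the catch-all is resolved.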

jimimaseye
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: Way to auto-ban unknown user

Post by jimimaseye » 2017-01-21 13:17

Just for continued interest (by discussion), and acknowledging we are slightly digressing from the thread topic, I am still a little interested in this German Law theory and have a couple of questions (to which I ask of your opinion):

Initially, you said
estradis wrote:Especially in Germany this means by law, that the email has arrived to recipient, therefore the sender can start a legal dispute
you then elaborated this with
estradis wrote:This means, when the mailserver is accepting emails, they must be delivered regardless of its content or the account exits or not. (For the sender there is no difference between an account, an alias or a catch-all address.)
.
.
The user behind the address *must* check its spam folders (not read mails!) once a day when the account is used for business.
So, if an email has been sent to a non-existent address, which by definition has no individual behind it (as is often the case with a catch-all address, hence its acceptance by the mail server in the first place), then who exactly is supposed to be physically looking at all of these emails? Who is classed as "the recipient"?

And given that technology exists to do this job of looking through emails in place of the non-existent human account owner (easier, quicker and often more reliably) in the form of software (such as antivirus/antispam or tailored filtering scripts), then isn't this accepted as being *checked*?

And how do you *check* a spam folder without *reading* the emails? Is simply looking in and saying "yes there are some" then mass deleting them sufficient?


This idea further makes me question the way Outlook/Exchange servers work. From what I have seen they can accept EVERY email irrespective of whether the intended recipient exists, close the SMTP communication, and then afterwards (a minute or so later) send an NDR equivalent (strictly not a TRUE NDR as the original SMTP conversation has already concluded) back to the sender informing them of the usual invalid address/unknown user. Now, consider what would then happen if the SENDER'S server has filters that prevent the originating user from seeing such NDR returns. In this case, the Exchange server 'accepted' the email, didn't deliver it to anyone (as it has no idea who to deliver it to) and yet didn't refuse the original delivery request in the first place. (And its better-late-than-never approach of sending you back an email a couple of minutes later doesn't work, as the original sender might not see such an email due to the reasons above.)

estradis
Normal user
Posts: 156
Joined: 2014-09-09 10:47

Re: Way to auto-ban unknown user

Post by estradis » 2017-01-23 11:28

jimimaseye wrote: Initially, you said
estradis wrote:Especially in Germany this means by law, that the email has arrived to recipient, therefore the sender can start a legal dispute
you then elaborated this with
estradis wrote:This means, when the mailserver is accepting emails, they must be delivered regardless of its content or the account exits or not. (For the sender there is no difference between an account, an alias or a catch-all address.)
.
.
The user behind the address *must* check its spam folders (not read mails!) once a day when the account is used for business.
Let me explain that in an example:

You have two accounts configured called info(at)example.com and postmaster(at)example.com. You have additionally defined an alias called sales(at)example.com pointing to info(at)example.com. You have also defined a catch-all address pointing to postmaster(at)example.com. This means that the only accounts are info(at)example.com and postmaster(at)example.com. sales(at)example.com and all undefined addresses don't have a "physical" account.

When I send an email to any address, I don't know whether there is a "physical" account behind it and I also don't care. I assume that the email was delivered and will be handled in some way, hopefully by reading.

That was, what I wanted to say.
jimimaseye wrote: So, if an email has been sent to a non-existent address, that by definition has no individual behind it, (such) as often a catch-all address is (hence its acceptance to the mail server in the first place), then who exactly is supposed to be physically looking at all of these emails? Who is classed as "the recipient"?
I disagree!
What's the use case behind a catch-all address when no one will ever check the mails? Are you 1000% sure that it will all be spam? Can you safely rule out that no valid mail will ever arrive, e.g. through a typo in the address? When a mail will only be accepted to be deleted unread afterwards, why wouldn't you reject it during transmission instead?

Most companies using catch-all addresses that I have been involved with used them to deliver the mails to the first contact address also used by the web form or imprint, etc. This means that there was always a real person checking the mails. I can tell you that you'll do them a favour by rejecting as much spam as possible.

jimimaseye wrote: And how do you *check* a spam folder without *reading* the emails? Is simply looking in and saying "yes there are some" then mass deleting them sufficient?
That's indeed a big problem! By law no one is allowed to check the mail *EXCEPT* where the employee has agreed to it. Therefore in Germany every employment contract contains clauses in which the employer is permitted to do antispam/antivirus (and some other) checks. But they must be done automatically, not individually. If it is necessary to do anything in the personal configuration of the user, you need a separate permission for that. Almost all companies in Germany must have a "data protection officer" who must be involved then. Often this work is done under his eyes only (called the "four-eyes principle"). If you detect by accident some compromising emails you have to run the same procedure, depending on your corporate processes.
jimimaseye wrote: From what I have see they can accept EVERY email irrespective of whether the intended recipient exists, close the SMTP communication, and then afterwards (a minute or so later) send an NDR equivalent (strictly not a TRUE NDR as the original smtp conversation has already concluded) back to the sender informing them of the usual invalid address/unknown user.
That's a big problem too, but it's not only about Exchange. (E.g. Postfix can be configured to behave like that too.)

Every postmaster in larger German companies who knows the law will try to avoid this, but in smaller companies I have often seen such misconfigurations. Most of them were administered by power users who don't know the law and do it besides their daily business, not by real administrators as their daily business.
jimimaseye wrote: Now, consider what would then happen if the SENDERS server has such filters on that prevents the originating user from seeing such NDR returns? In this case, the exchange server 'accepted' the email, didnt deliver it to anyone (as it has no idea who to deliver it to) and yet didnt refuse the original delivery request in the first place. (And its better-late-than-never approach of sending you back an email a couple of minutes later doesnt work as the original sender might see such an email due to the reasons above).
I'd say that's exactly the reason why it *is* better to reject mails during transmission. The sending server has to generate the (real) NDR and you don't have to deliver the mail as it wasn't accepted in the first place.

By law, in Germany the company also has to archive every mail which concerns a business deal in a way that it can't be modified or deleted. As the postmaster cannot know which emails these will be, most mail servers are configured to archive every arriving mail. This is another reason to avoid as many unnecessary mails as possible.
