SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

RyuzDev
New user
Posts: 13
Joined: 2019-06-14 14:23

SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by RyuzDev » 2019-06-14 14:44

Good morning. I am somewhat new to the forum, but I have had the following problem for a long time, and it recurs for different members of my domain.

There are people who are entering my mail server without authentication or permission, without any account created in my own domain, to send phishing and spam messages like the following:

example1@example.com.co
User mail - @ domain

(For my company's security reasons I cannot reveal the domain or the user; I hope that is not a problem.)

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>>>>

From: jia@aguerriarquitectos.com <jia@aguerriarquitectos.com>
Posted on: Wednesday, June 12, 2019 23:21
To: example1@example.com.co
Subject: example1@example.com.co has been hacked! Change your password immediately!

I salute you!

I have bad news for you.
01/23/2019 - on this day I pirated his operating system and got full access to his account example1@example.com.co.
That's how it was.
In the router software through which it was connected, there was a vulnerability.
First I pirated this router and put my malicious code on it.
When he entered through the Internet, my Trojan was installed in the operating system of his device.

After that, I made a complete dump of his disk (I have his entire address book,
History of viewing sites, all files, phone numbers and addresses of all your contacts).

A month ago, I wanted to lock your device and ask for a small amount of money to unlock.
But I looked at the sites you visit regularly. I'm surprised by your favorite resources.
I'm talking about adult sites.

I mean, you're a great pervert. You have unbridled fantasy!

After that, an idea came to my mind.
I took a screenshot of the intimate website where you have fun (you know what I mean, yes?).
After that I took a picture of your entertainment (using your device's camera).
The result was great! Do not hesitate!

I am deeply convinced that you would not like to show these images to your family, friends or colleagues.
I think $ 214 is a small amount for my silence.
Also, I spent a lot of time with you!

I accept money in bitcoins.
My BTC wallet: 1NKSptmiwmgz9kBi8s8g2tWHeMjWSs6HRa

Do not know how to transfer money to Bitcoin?
In any search engine type "How to transfer money to bitcoin".
It's easier than transferring money to a credit card!

For the payment you have a little more than two days (exactly 50 hours).
Do not worry, the timer will start at the moment you open this letter. Yes, yes ... It has already begun!

After payment, my virus and the commitment to you automatically destroy themselves.
Narrative: if I do not receive the specified amount from you, your device will be blocked and all your contacts will receive a photo with your "entertainment".

I want you to be prudent.
- Do not try to find and destroy my virus! (All your data is already loaded on a remote server)
- Do not try to contact me (this is impossible, the sender's address was generated at random)
- Several security services will not help you; formatting a disk or destroying a device will not help either, since your data is already on a remote server.

I guarantee that I will not bother you again after payment, since you are far from my only victim.
This is a hacker honor code.

From now on, I advise you to use good antivirus and update them regularly (several times a day).

Do not get mad at me, everyone has their own work.
Goodbye
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> >>>

Detailed log of the entry and sending of the spam mail. This example is a single user; it has also sent to groups within the server, something that disturbs me a lot: how does it know what groups are on the server, or is it just chance?

In addition to this, I have a detailed SQL error; if a solution is possible I would appreciate it, as this type of solution is very important for me.

Start of the log and sending to my server: hMailServer 5.6.4-B2283, database type MSSQL CE

"TCPIP"	7192	"2019-06-12 20:42:53.262"	"TCP - 192.168.1.144 connected to 192.168.1.254:110."
"ERROR"	2580	"2019-06-12 20:42:54.298"	"Severity: 2 (High), Code: HM5032, Source: DALConnection::Execute, Description: Source: SQLCEConnection::Execute(), Code: HM10044, Description: Error while executing SQL statement: 
DELETE FROM hm_logon_failures WHERE failuretime < DATEADD(mi, -999999999, GETDATE())
Microsoft SQL Server Compact OLE DB Provider
Uno o más errores al procesar el comando."
"TCPIP"	7192	"2019-06-12 20:42:55.832"	"TCP - 185.137.111.136 connected to 192.168.1.254:25."
"TCPIP"	7192	"2019-06-12 20:43:10.392"	"TCP - 185.137.111.129 connected to 192.168.1.254:25."
"TCPIP"	7192	"2019-06-12 20:43:12.037"	"TCP - 109.252.91.99 connected to 192.168.1.254:25."
"SMTPD"	7192	519701	"2019-06-12 20:43:12.039"	"109.252.91.99"	"SENT: 220 example.com.co"
"SMTPD"	6728	519701	"2019-06-12 20:43:12.376"	"109.252.91.99"	"RECEIVED: EHLO 109-252-91-99.nat.spd-mgts.ru"
"SMTPD"	6728	519701	"2019-06-12 20:43:12.377"	"109.252.91.99"	"SENT: 250-mail.example.com.co[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"TCPIP"	7192	"2019-06-12 20:43:12.512"	"TCP - 192.168.1.95 connected to 192.168.1.254:110."
"SMTPD"	6740	519701	"2019-06-12 20:43:13.080"	"109.252.91.99"	"RECEIVED: MAIL From:<jia@aguerriarquitectos.com>" (spammer)
"SMTPD"	6740	519701	"2019-06-12 20:43:13.359"	"109.252.91.99"	"SENT: 250 OK"
"TCPIP"	7192	"2019-06-12 20:43:13.475"	"TCP - 192.168.1.177 connected to 192.168.1.254:110."
"SMTPD"	6728	519701	"2019-06-12 20:43:13.797"	"109.252.91.99"	"RECEIVED: RCPT To:<example1@example.com.co>" (user)
"SMTPD"	6728	519701	"2019-06-12 20:43:13.807"	"109.252.91.99"	"SENT: 250 OK"
"SMTPD"	5568	519701	"2019-06-12 20:43:14.242"	"109.252.91.99"	"RECEIVED: DATA"
"SMTPD"	5568	519701	"2019-06-12 20:43:14.251"	"109.252.91.99"	"SENT: 354 OK, send."
"TCPIP"	7192	"2019-06-12 20:43:15.721"	"TCP - 185.137.111.125 connected to 192.168.1.254:25."
"SMTPD"	2372	519701	"2019-06-12 20:43:15.908"	"109.252.91.99"	"SENT: 250 Queued (1.664 seconds)"
"SMTPD"	6728	519701	"2019-06-12 20:43:16.340"	"109.252.91.99"	"RECEIVED: QUIT"
"SMTPD"	6728	519701	"2019-06-12 20:43:16.341"	"109.252.91.99"	"SENT: 221 goodbye"
"TCPIP"	7192	"2019-06-12 20:43:16.693"	"TCP - 185.137.111.96 connected to 192.168.1.254:25."
"TCPIP"	5568	"2019-06-12 20:43:17.031"	"TCP - 192.168.1.143 connected to 192.168.1.254:110."
"TCPIP"	5568	"2019-06-12 20:43:17.288"	"TCP - 192.168.1.143 connected to 192.168.1.254:110."
"TCPIP"	6728	"2019-06-12 20:43:24.322"	"TCP - 181.155.203.65 connected to 192.168.1.254:143."
"TCPIP"	5568	"2019-06-12 20:43:25.741"	"TCP - 192.168.1.171 connected to 192.168.1.254:110."
"TCPIP"	6740	"2019-06-12 20:43:30.874"	"TCP - 192.168.1.37 connected to 192.168.1.254:110."
"TCPIP"	7192	"2019-06-12 20:43:32.491"	"TCP - 185.137.111.136 connected to 192.168.1.254:25."
"TCPIP"	6740	"2019-06-12 20:43:42.325"	"TCP - 190.144.231.197 connected to 192.168.1.254:110."
"TCPIP"	876	"2019-06-12 20:43:42.929"	"TCP - 192.168.1.49 connected to 192.168.1.254:110."
"TCPIP"	876	"2019-06-12 20:43:43.385"	"TCP - 192.168.1.178 connected to 192.168.1.254:110."
"TCPIP"	876	"2019-06-12 20:43:45.674"	"TCP - 192.168.1.182 connected to 192.168.1.254:110."
"TCPIP"	7192	"2019-06-12 20:43:48.603"	"TCP - 185.137.111.129 connected to 192.168.1.254:25."
"TCPIP"	876	"2019-06-12 20:43:49.487"	"TCP - 192.168.1.142 connected to 192.168.1.254:110."
"TCPIP"	7192	"2019-06-12 20:43:50.006"	"TCP - 185.137.111.125 connected to 192.168.1.254:25."
"TCPIP"	876	"2019-06-12 20:43:53.695"	"TCP - 192.168.1.144 connected to 192.168.1.254:110."
"TCPIP"	7192	"2019-06-12 20:43:54.729"	"TCP - 124.105.173.53 connected to 192.168.1.254:25."
"SMTPD"	7192	519719	"2019-06-12 20:43:54.731"	"124.105.173.53"	"SENT: 220 example.com.co"

jimimaseye
Moderator
Posts: 8157
Joined: 2011-09-08 17:48

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by jimimaseye » 2019-06-14 19:37

Run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Dravion
Senior user
Posts: 1469
Joined: 2015-09-26 11:50
Location: Germany

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by Dravion » 2019-06-14 20:58

Some attacker info:

The email address <jia@aguerriarquitectos.com> is fake. Anyone can fake an email address in this way; that's no deep hacker wisdom.

The hacker comes from Russia, Moscow.
He delivered the email to you via a dynamic-IP dial-up connection (109-252-91-99.nat.spd-mgts.ru), which resolved to the provider IP address 109.252.91.99,
which is run by Moscow Local Telephone Network (OAO MGTS) (netname: MGTS-PPPOE).

Don't pay any money or Bitcoin to this idiot. He is not a hacker. The info above shows he doesn't even know how to hide his own dial-up IP address behind a
proxy. You are the victim of a so-called social engineering attack. This idiot is trying to scare you and take advantage of it.

Try to contact the Russian authorities in Moscow and report the issue. The Russian police don't play games and will catch the idiot in no time.
This should be the right website to report your issue:
https://en.mvd.ru/Contacts/contacts

jim.bus
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by jim.bus » 2019-06-15 08:37

These 'sextortion' scam emails are proliferating all over. I've gotten many of them myself, and Dravion is correct: the dumb hacker is trying to scam someone into paying him/her money when in reality your system was never compromised, other than that at some point one of the email addresses in your system was hacked, probably from someone else's address book or out of some business's database, then sold to the hacker. It is all a scam. The hacker who sent one to me threatened to send my torrid information to all my 6 contacts. I have considerably more than that. The dumbass hacker doesn't know anything.

RyuzDev
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by RyuzDev » 2019-06-15 17:33

Thank you very much. It is something I already knew, as the previous answer says: it is false. I am from the systems area in my company. What happens is that the hMailServer configuration, in my opinion, has security gaps and misconfiguration. For this post here, reading documents and posts from more people, I understand that this is how it is; the real question is: how do I avoid this type of mail?

Do they enter my server without prior authentication and send emails without further ado?

I have also managed to locate other IPs, and my IP-range list is almost infinite with this type of people wanting to use my mail server, with 3 login attempts. I need support or a helping hand with hMailServer knowledge to help avoid this, as it is becoming daily in the company.

The only thing I have identified are spammer logins, as appears in documents: they use this type of characters (wmjsolsk) to hide their test mail (123456@com.co) for login attacks.

"Example"

The interesting lines here are the following section:

"<spammers IP address>" "RECEIVED: AUTH LOGIN"
"<spammers IP address>" "SENT: 334 VXNlcm5hbWU6"
"<spammers IP address>" "RECEIVED: dGVzdEB0ZXN0LmNvbQ =="
"<spammers IP address>" "SENT: 334 UGFzc3dvcmQ6"
"<spammers IP address>" "RECEIVED: ***"

"" "" ""
Something that I have already identified.

johang
Normal user
Posts: 81
Joined: 2008-09-01 09:20

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by johang » 2019-06-16 00:58

RyuzDev wrote:
2019-06-15 17:33
Thank you very much. It is something I already knew, as the previous answer says: it is false. I am from the systems area in my company. What happens is that the hMailServer configuration, in my opinion, has security gaps and misconfiguration. For this post here, reading documents and posts from more people, I understand that this is how it is; the real question is: how do I avoid this type of mail?

Do they enter my server without prior authentication and send emails without further ado?

I have also managed to locate other IPs, and my IP-range list is almost infinite with this type of people wanting to use my mail server, with 3 login attempts. I need support or a helping hand with hMailServer knowledge to help avoid this, as it is becoming daily in the company.

The only thing I have identified are spammer logins, as appears in documents: they use this type of characters (wmjsolsk) to hide their test mail (123456@com.co) for login attacks.

"Example"

The interesting lines here are the following section:

"<spammers IP address>" "RECEIVED: AUTH LOGIN"
"<spammers IP address>" "SENT: 334 VXNlcm5hbWU6"
"<spammers IP address>" "RECEIVED: dGVzdEB0ZXN0LmNvbQ =="
"<spammers IP address>" "SENT: 334 UGFzc3dvcmQ6"
"<spammers IP address>" "RECEIVED: ***"

"" "" ""
Something that I have already identified.


Did you read Jimi Maseye's post?

https://www.base64decode.org/
"<spammers IP address>" "RECEIVED: AUTH LOGIN"
"<spammers IP address>" "SENT: 334 Username:"
"<spammers IP address>" "RECEIVED: test@test.com"
"<spammers IP address>" "SENT: 334 Password:"
"<spammers IP address>" "RECEIVED: ***"

If you have a test@test.com configured in your mail server, I would suggest you change the password or delete that "account".
,
,
______________________________________________________________end of the line
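As an added example, not written by johang or anyone else in this thread and not part of hMailServer: a Python script that walks SMTPD log lines of the shape shown in the opening post, follows each session's AUTH LOGIN dialogue, decodes the base64 prompts and the username (tolerating the stray space in "dGVzdEB0ZXN0LmNvbQ ==", which is why pasting it into a decoder can fail), never decodes the password token, and classifies each attempt by the server's 235 or 535 reply code. The sample log lines, the 203.0.113.7 client address, the second username and the reply wording after the codes are constructed for this example; only the three base64 tokens come from the thread.

```python
import base64
import binascii
import re
from collections import defaultdict

# hMailServer SMTPD log line, as in the log posted in this thread:
# "SMTPD"<TAB>thread<TAB>session<TAB>"timestamp"<TAB>"client ip"<TAB>"SENT: ..." / "RECEIVED: ..."
SMTPD_RE = re.compile(r'^"SMTPD"\t(\d+)\t(\d+)\t"([^"]*)"\t"([^"]*)"\t"(SENT|RECEIVED): (.*)"$')


def b64_text(token):
    """Decode one base64 SMTP AUTH token. Stray whitespace (the logged
    'dGVzdEB0ZXN0LmNvbQ ==') and missing padding are tolerated; anything
    that is not base64 (e.g. the masked password '***') yields None."""
    token = "".join(token.split())
    token += "=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def auth_attempts(lines):
    """Follow each session's AUTH LOGIN dialogue and return one record per
    attempt: {'ip', 'user', 'result'}. The password token is never decoded
    (hMailServer already masks it as *** in the log)."""
    sessions, attempts = {}, []
    for line in lines:
        m = SMTPD_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        _thread, session, _ts, ip, direction, text = m.groups()
        s = sessions.setdefault(session, {"stage": None, "user": None})
        if direction == "RECEIVED":
            if text.upper().startswith("AUTH LOGIN"):
                s["stage"], s["user"] = "await_user", None
                parts = text.split()
                if len(parts) == 3:  # initial-response form: AUTH LOGIN <base64 username>
                    s["user"], s["stage"] = b64_text(parts[2]), "await_pass"
            elif s["stage"] == "await_user":
                s["user"], s["stage"] = b64_text(text), "have_user"
            elif s["stage"] == "await_pass":
                s["stage"] = "have_pass"  # password token ignored on purpose
            continue
        # Server side: 334 <base64 prompt>, then 235 (accepted) or 535 (rejected).
        code = text[:3]
        prompt = b64_text(text[4:]) if code == "334" else None
        if prompt and prompt.lower().startswith("username"):
            s["stage"] = "await_user"
        elif prompt and prompt.lower().startswith("password"):
            s["stage"] = "await_pass"
        elif code in ("235", "535") and s["user"] is not None:
            attempts.append({"ip": ip, "user": s["user"],
                             "result": "success" if code == "235" else "failed"})
            s["stage"], s["user"] = None, None
    return attempts


def summarize(attempts):
    """Per client IP: failures, successes and the usernames that were tried.
    A successful login for an account you never created is the compromise signal."""
    out = defaultdict(lambda: {"failed": 0, "success": 0, "users": set()})
    for a in attempts:
        out[a["ip"]][a["result"]] += 1
        out[a["ip"]]["users"].add(a["user"])
    return {ip: {**v, "users": sorted(v["users"])} for ip, v in out.items()}


# Constructed sample log (thread/session ids, timestamps, client address and the
# text after the reply codes are made up; the base64 tokens are the thread's).
_T = '"SMTPD"\t6728\t{sid}\t"2019-06-12 21:00:{sec:02d}.000"\t"{ip}"\t"{msg}"'
SAMPLE_LOG = [_T.format(sid=sid, sec=i, ip=ip, msg=msg) for i, (sid, ip, msg) in enumerate([
    (519801, "203.0.113.7", "RECEIVED: EHLO probe.invalid"),
    (519801, "203.0.113.7", "RECEIVED: AUTH LOGIN"),
    (519801, "203.0.113.7", "SENT: 334 VXNlcm5hbWU6"),
    (519801, "203.0.113.7", "RECEIVED: dGVzdEB0ZXN0LmNvbQ =="),
    (519801, "203.0.113.7", "SENT: 334 UGFzc3dvcmQ6"),
    (519801, "203.0.113.7", "RECEIVED: ***"),
    (519801, "203.0.113.7", "SENT: 535 Authentication failed."),
    (519802, "203.0.113.7", "RECEIVED: AUTH LOGIN " + base64.b64encode(b"admin@example.com.co").decode()),
    (519802, "203.0.113.7", "SENT: 334 UGFzc3dvcmQ6"),
    (519802, "203.0.113.7", "RECEIVED: ***"),
    (519802, "203.0.113.7", "SENT: 235 authenticated."),
])]
SAMPLE_LOG.append('"TCPIP"\t7192\t"2019-06-12 21:00:12.000"\t"TCP - 192.168.1.144 connected to 192.168.1.254:110."')

if __name__ == "__main__":
    for ip, stats in summarize(auth_attempts(SAMPLE_LOG)).items():
        print(ip, stats)
```

Run it over a real hmailserver_YYYY-MM-DD.log by replacing SAMPLE_LOG with the file's lines; the reply code is what decides the result, so the exact wording hMailServer uses after 235/535 does not matter. AUTH PLAIN is not handled here, as the thread only shows AUTH LOGIN.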

mattg
Moderator
Posts: 20232
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by mattg » 2019-06-16 01:22

RyuzDev wrote:
2019-06-15 17:33
The interesting lines here are the following section:

"<spammers IP address>" "RECEIVED: AUTH LOGIN"
"<spammers IP address>" "SENT: 334 VXNlcm5hbWU6"
"<spammers IP address>" "RECEIVED: dGVzdEB0ZXN0LmNvbQ =="
"<spammers IP address>" "SENT: 334 UGFzc3dvcmQ6"
"<spammers IP address>" "RECEIVED: ***"
ALSO, this doesn't show successful sending.

This just shows a sending ATTEMPT.
IF hMailServer allowed the message, then you have a compromised account.

If you don't have the domain identified in the base64 decode on your hMailServer (@test.com), but the message was still accepted, then you have set a default domain, that default domain has an account called 'test', and the password was guessed/hacked. (Let's be honest, if you have an account called test, the password is also going to be test.)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Posts: 1213
Joined: 2017-09-12 17:57

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by palinka » 2019-06-16 02:41

mattg wrote:
2019-06-16 01:22
(Let's be honest, if you have an account called test, the password is also going to be test.)
NO!!!!! It's "password". :mrgreen:

SorenR
Senior user
Posts: 3212
Joined: 2006-08-21 15:38
Location: Denmark

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by SorenR » 2019-06-16 11:12

palinka wrote:
2019-06-16 02:41
mattg wrote:
2019-06-16 01:22
(Let's be honest, if you have an account called test, the password is also going to be test.)
NO!!!!! It's "password". :mrgreen:
During a recent password audit, it was found that a blonde was using the following password: "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento". When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

mattg
Moderator
Posts: 20232
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by mattg » 2019-06-17 01:16

SorenR wrote:
2019-06-16 11:12
During a recent password audit, it was found that a blonde was using the following password: "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento". When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital.
Oh, that is gold.
And really, what a great password (until you had to type it on an old flip phone or on a smart TV with only an onscreen keyboard).
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

RyuzDev
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by RyuzDev » 2019-06-17 16:18

jimimaseye wrote:
2019-06-14 19:37
run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914

[Entered by mobile. Excuse my spelling.]

Sorry, I did not see your post. Here you can find the IPs we had to block.

2019-06-14   Hmailserver: 5.6.4-B2283

DOMAINS

   "Domain1.com" - dixxxxxxxxxx.com               Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - glxxxxxxxx.com.co              Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 185.36.81.0 - 185.36.81.254     Priority: 30     Name: ip block

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:     True


IP: 141.98.10.0 - 141.98.10.254     Priority: 30     Name: ipblock2

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 192.168.1.1 - 192.168.1.255     Priority: 30     Name: RedLocal

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:   True                              Antivirus:  False
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 185.137.11.1 - 185.137.11.255     Priority: 30     Name: spam

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 74.6.128.0 - 74.6.135.255     Priority: 30     Name: SPAM-OP

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:     True


IP: 185.137.111.1 - 185.137.111.254     Priority: 30     Name: spam2

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 45.13.39.1 - 45.13.39.255     Priority: 30     Name: spam3

  Allow connections                         Other
     SMTP:  False                              Antispam :  False
     POP3:  False                              Antivirus:  False
     IMAP:  False                              SSL/TLS:    False


IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    - False
     External To Local    - False    
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      3
                              Minutes Before Reset:       999999999  (16.666.666,65 hours, 694.444,44 days)
                              Minutes to Autoban:         999999999  (16.666.666,65 hours, 694.444,44 days)

There is a total of 129 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  6 Mins: 15   Plain Text:         True  Bind: 192.168.1.254
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:  20  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "\"
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  3       Use SPF:           False        Use Spamassassin:   False
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2
  Add X-HmailServer-Subject:  True    Verify DKIM:       False    
              Subject Text: "[SPAM]"
  Spam delete threshold: 5         Maximum message size: 0

DNSBL ENTRIES:
   No entries

SURBL ENTRIES:
   No entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
              0.0.0.0            to    255.255.255.255              *[@t]home[dot]com
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   No entries
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   None                
               0.0.0.0         / 366   / SMTP   -   None                
               0.0.0.0         / 530   / SMTP   -   None                
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-06-14.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-06-14.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -      .
                        SMTP        -    True
                        POP3        -      .
                        IMAP        -      .
                        TCPIP       -    True
                        DEBUG       -      .
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory C:\Users\Administrador\Desktop\12222 is writable.

ERROR: Messages exists which are located outside of the data directory E:\Data.
ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     E:\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.95, Hmailserver Forum.

RyuzDev
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by RyuzDev » 2019-06-17 16:19

johang wrote:
2019-06-16 00:58
RyuzDev wrote:
2019-06-15 17:33
Thank you very much. It is something I already knew, as the previous answer says: it is false. I am from the systems area in my company. What happens is that the hMailServer configuration, in my opinion, has security gaps and misconfiguration. For this post here, reading documents and posts from more people, I understand that this is how it is; the real question is: how do I avoid this type of mail?

Do they enter my server without prior authentication and send emails without further ado?

I have also managed to locate other IPs, and my IP-range list is almost infinite with this type of people wanting to use my mail server, with 3 login attempts. I need support or a helping hand with hMailServer knowledge to help avoid this, as it is becoming daily in the company.

The only thing I have identified are spammer logins, as appears in documents: they use this type of characters (wmjsolsk) to hide their test mail (123456@com.co) for login attacks.

"Example"

The interesting lines here are the following section:

"<spammers IP address>" "RECEIVED: AUTH LOGIN"
"<spammers IP address>" "SENT: 334 VXNlcm5hbWU6"
"<spammers IP address>" "RECEIVED: dGVzdEB0ZXN0LmNvbQ =="
"<spammers IP address>" "SENT: 334 UGFzc3dvcmQ6"
"<spammers IP address>" "RECEIVED: ***"

"" "" ""
Something that I have already identified.
This is an example; I do not have that email address, I have only corporate people in the hMailServer.

Did you read Jimi Maseye's post?

https://www.base64decode.org/
"<spammers IP address>" "RECEIVED: AUTH LOGIN"
"<spammers IP address>" "SENT: 334 Username:"
"<spammers IP address>" "RECEIVED: test@test.com"
"<spammers IP address>" "SENT: 334 Password:"
"<spammers IP address>" "RECEIVED: ***"

If you have a test@test.com configured in your mail server, I would suggest you change the password or delete that "account".

jimimaseye
Moderator
Posts: 8157
Joined: 2011-09-08 17:48

Re: SPAM - SCAM - PHISHING - HMAIL SERVER !!! NEED HELP!

Post by jimimaseye » 2019-06-17 22:22

RyuzDev wrote:
2019-06-17 16:18

2019-06-14   Hmailserver: 5.6.4-B2233           

IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False 
There is your problem. Set that to true.

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Moderator
Posts: 20232
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by mattg » 2019-06-17 23:09

I'd also set your LAN IP range to a priority higher than 30, if you use 30 for banned ranges (and crikey, you've permanently banned a heap of the internet there)

Set your 192.168.1.xxx range to priority 500


ALSO, you have errors in your error log
please post the contents of C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-06-14.log

And you have wild card whitelisted the *[@t]home[dot]com domain.


you need to fix these

ERROR: Messages exists which are located outside of the data directory E:\Data.
ERROR: Full paths are stored in the database.


And I can't see if you have a default domain set or not
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-06-17 23:50

mattg wrote:
2019-06-17 23:09
I'd also set your LAN IP range to a priority higher than 30, if you use 30 for banned ranges (and crikey, you've permanently banned a heap of the internet there)

Set your 192.168.1.xxx range to priority 500


ALSO, you have errors in your error log
please post the contents of C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-06-14.log

And you have wild card whitelisted the *[@t]home[dot]com domain.


you need to fix these

ERROR: Messages exists which are located outside of the data directory E:\Data.
ERROR: Full paths are stored in the database.


And I can't see if you have a default domain set or not


example@com.co is my domain (secret for security)
example1 is a corporate email (secret for security)

Code: Select all

"ERROR"	2580	"2019-06-14 09:12:09.889"	"Severity: 2 (High), Code: HM5032, Source: DALConnection::Execute, Description: Source: SQLCEConnection::Execute(), Code: HM10044, Description: Error while executing SQL statement: 
DELETE FROM hm_logon_failures WHERE failuretime < DATEADD(mi, -999999999, GETDATE())
Microsoft SQL Server Compact OLE DB Provider
Uno o más errores al procesar el comando."
"ERROR"	2580	"2019-06-14 09:13:09.895"	"Severity: 2 (High), Code: HM5032, Source: DALConnection::Execute, Description: Source: SQLCEConnection::Execute(), Code: HM10044, Description: Error while executing SQL statement: 
DELETE FROM hm_logon_failures WHERE failuretime < DATEADD(mi, -999999999, GETDATE())
Microsoft SQL Server Compact OLE DB Provider
Uno o más errores al procesar el comando."
"ERROR"	8056	"2019-06-14 09:14:38.871"	"Severity: 3 (Medium), Code: HM4403, Source: Message::GetHeader, Description: Could not read the message header, since the file was not available. File: C:\Program Files (x86)\hMailServer\Data\example.com.co\example1\EE\{EE80FDBD-55BB-403C-91F0-FDD7A7C9D332}.eml"

"ERROR"	2580	"2019-06-14 09:15:09.902"	"Severity: 2 (High), Code: HM5032, Source: DALConnection::Execute, Description: Source: SQLCEConnection::Execute(), Code: HM10044, Description: Error while executing SQL statement: 
DELETE FROM hm_logon_failures WHERE failuretime < DATEADD(mi, -999999999, GETDATE())
Microsoft SQL Server Compact OLE DB Provider
Uno o más errores al procesar el comando."

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-06-18 00:40

jimimaseye wrote:
2019-06-17 22:22
RyuzDev wrote:
2019-06-17 16:18

Code: Select all

2019-06-14   Hmailserver: 5.6.4-B2233           

IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False 
There is your problem. Set that to true.

[Entered by mobile. Excuse my spelling.]
Require SMTP authentication ?

local to local e-mail addresses or

Require SSL/TLS for authentication ?

mattg
Moderator
Moderator
Posts: 20232
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by mattg » 2019-06-18 00:57

Require SMTP AUTH for local to local on the internet IP range
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mattg
Moderator
Moderator
Posts: 20232
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by mattg » 2019-06-18 01:02

Your errors show two things

#1 the user that connects to the SQL server compact edition hasn't been able to run a delete query. My guess here is that you are running hmailserver under a restricted permissions user, or that the server was just too busy at the time.

#2 That you haven't excluded local antivirus software from checking the DATA directory, and that a file was quarantined by the AV, and hMailserver couldn't access it
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by estradis » 2019-06-18 16:30

mattg wrote:
2019-06-17 01:16
SorenR wrote:
2019-06-16 11:12
During a recent password audit, it was found that a blonde was using the following password: "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento". When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital.
Oh that is gold
And really what a great password (until you had to type it on an old flip phone or on a smart TV with only an onscreen keyboard)
When I'm advised like that, I always use
SnowWhiteAndThe7Dwarfes
:mrgreen:

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-06-18 18:53

mattg wrote:
2019-06-18 00:57
Require SMTP AUTH for local to local on the internet IP range
Activating this function will prevent this from happening to me?


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

the hacker's login log or spam

Code: Select all

"TCPIP"	6656	"2019-06-15 19:28:02.983"	"TCP - 81.0.33.45 connected to 192.168.1.254:25."
"SMTPD"	6656	717117	"2019-06-15 19:28:02.986"	"81.0.33.45"	"SENT: 220 example.com.co"
"SMTPD"	6612	717117	"2019-06-15 19:28:03.159"	"81.0.33.45"	"RECEIVED: EHLO static.45.33.0.81.ibercom.com"
"SMTPD"	6612	717117	"2019-06-15 19:28:03.160"	"81.0.33.45"	"SENT: 250-mail.example.com.co[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	6656	717117	"2019-06-15 19:28:03.358"	"81.0.33.45"	"RECEIVED: MAIL From:<hsu@rsmi.com.tw>"
"ERROR"	2580	"2019-06-15 19:28:03.826"	"Severity: 2 (High), Code: HM5032, Source: DALConnection::Execute, Description: Source: SQLCEConnection::Execute(), Code: HM10044, Description: Error while executing SQL statement: 
DELETE FROM hm_logon_failures WHERE failuretime < DATEADD(mi, -999999999, GETDATE())
Microsoft SQL Server Compact OLE DB Provider
Uno o más errores al procesar el comando."
"SMTPD"	6656	717117	"2019-06-15 19:28:03.965"	"81.0.33.45"	"SENT: 250 OK"
"SMTPD"	6612	717117	"2019-06-15 19:28:04.138"	"81.0.33.45"	"RECEIVED: RCPT To:<example1@example.com.co>"
"SMTPD"	6612	717117	"2019-06-15 19:28:04.148"	"81.0.33.45"	"SENT: 250 OK"
"SMTPD"	6656	717117	"2019-06-15 19:28:04.319"	"81.0.33.45"	"RECEIVED: DATA"
"SMTPD"	6656	717117	"2019-06-15 19:28:04.320"	"81.0.33.45"	"SENT: 354 OK, send."
"SMTPD"	772	717117	"2019-06-15 19:28:04.755"	"81.0.33.45"	"SENT: 250 Queued (0.448 seconds)"
"SMTPD"	4444	717117	"2019-06-15 19:28:04.942"	"81.0.33.45"	"RECEIVED: QUIT"
"SMTPD"	4444	717117	"2019-06-15 19:28:04.943"	"81.0.33.45"	"SENT: 221 goodbye"

This is the message that came to my employee

Code: Select all

-----Original Message-----
From: herculie99 <hsu@rsmi.com.tw> 
Sent: Saturday, June 15, 2019 21:20
To: example@example1.com.co
Subject: Spend Your Time On My Advice

Hello!

I have very bad news for you.
12/03/2019 - on this day I hacked your OS and got full access to your
account catalina.castellanos@globalnews.com.co

So, you can change the password, yes... But my malware intercepts it every
time.

How I made it:
In the software of the router, through which you went online, was a
vulnerability.
I just hacked this router and placed my malicious code on it.
When you went online, my trojan was installed on the OS of your device.

After that, I made a full dump of your disk (I have all your address book,
history of viewing sites, all files, phone numbers and addresses of all your
contacts).

A month ago, I wanted to lock your device and ask for a not big amount of
btc to unlock.
But I looked at the sites that you regularly visit, and I was shocked by
what I saw!!!
I'm talk you about sites for adults.

I want to say - you are a BIG pervert. Your fantasy is shifted far away from
the normal course!

And I got an idea....
I made a screenshot of the adult sites where you have fun (do you understand
what it is about, huh?).
After that, I made a screenshot of your joys (using the camera of your
device) and glued them together.
Turned out amazing! You are so spectacular!

I'm know that you would not like to show these screenshots to your friends,
relatives or colleagues.
I think $508 is a very, very small amount for my silence.
Besides, I have been spying on you for so long, having spent a lot of time!

Pay ONLY in Bitcoins!
My BTC wallet: 1DZs3Qng8jR5tnLRFbHz5AT9Go6SV25FR3

You do not know how to use bitcoins?
Enter a query in any search engine: "how to replenish btc wallet".
It's extremely easy

For this payment I give you two days (48 hours).
As soon as this letter is opened, the timer will work.

After payment, my virus and dirty screenshots with your enjoys will be
self-destruct automatically.
If I do not receive from you the specified amount, then your device will be
locked, and all your contacts will receive a screenshots with your "enjoys".

I hope you understand your situation.
- Do not try to find and destroy my virus! (All your data, files and
screenshots is already uploaded to a remote server)
- Do not try to contact me (this is impossible, sender's address was
randomly generated)
- Various security services will not help you; formatting a disk or
destroying a device will not help, since your data is already on a remote
server.

P.S. You are not my single victim. so, I guarantee you that I will not
disturb you again after payment!
 This is the word of honor hacker

I also ask you to regularly update your antiviruses in the future. This way
you will no longer fall into a similar situation.

Do not hold evil! I just do my job.
Have a nice day!

palinka
Senior user
Senior user
Posts: 1213
Joined: 2017-09-12 17:57

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by palinka » 2019-06-18 21:47

RyuzDev wrote:
2019-06-18 18:53
mattg wrote:
2019-06-18 00:57
Require SMTP AUTH for local to local on the internet IP range
Activating this function will prevent this from happening to me?

Those things are completely unrelated. The message is just SPAM. There is no hacker and you have not been hacked.

I did a quick search for error HM5032 and this post looks promising.

https://www.hmailserver.com/forum/viewt ... 98#p176198

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-06-18 23:22

palinka wrote:
2019-06-18 21:47
RyuzDev wrote:
2019-06-18 18:53
mattg wrote:
2019-06-18 00:57
Require SMTP AUTH for local to local on the internet IP range
Activating this function will prevent this from happening to me?

Those things are completely unrelated. The message is just SPAM. There is no hacker and you have not been hacked.

I did a quick search for error HM5032 and this post looks promising.

https://www.hmailserver.com/forum/viewt ... 98#p176198

thanks


if I know my interest in all this is how to avoid it

mattg
Moderator
Moderator
Posts: 20232
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by mattg » 2019-06-19 01:28

RyuzDev wrote:
2019-06-18 23:22
if I know my interest in all this is how to avoid it
Have you made the changes we suggested?

If so run the diagnostics again, and post the NEW results
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

palinka
Senior user
Senior user
Posts: 1213
Joined: 2017-09-12 17:57

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by palinka » 2019-06-19 01:57

mattg wrote:
2019-06-19 01:28
RyuzDev wrote:
2019-06-18 23:22
if I know my interest in all this is how to avoid it
Have you made the changes we suggested?

If so run the diagnostics again, and post the NEW results
I didn't see your post above. Much more logical. The dude should abide.

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-06-19 16:30

mattg wrote:
2019-06-19 01:28
RyuzDev wrote:
2019-06-18 23:22
if I know my interest in all this is how to avoid it
Have you made the changes we suggested?

If so run the diagnostics again, and post the NEW results


Ready to make the adjustment, thank you very much. Any inconvenience I will notify; for the moment I am very grateful.

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-06-25 13:39

mattg wrote:
2019-06-19 01:28
RyuzDev wrote:
2019-06-18 23:22
if I know my interest in all this is how to avoid it
Have you made the changes we suggested?

If so run the diagnostics again, and post the NEW results
Hey


Any way to avoid this?

http://prnt.sc/o6edc2

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by estradis » 2019-06-25 15:34

RyuzDev wrote:
2019-06-25 13:39
mattg wrote:
2019-06-19 01:28
RyuzDev wrote:
2019-06-18 23:22
if I know my interest in all this is how to avoid it
Have you made the changes we suggested?

If so run the diagnostics again, and post the NEW results
Hey


Any way to avoid this?

http://prnt.sc/o6edc2
What's wrong with it?

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-06-25 15:36

estradis wrote:
2019-06-25 15:34
RyuzDev wrote:
2019-06-25 13:39
mattg wrote:
2019-06-19 01:28

Have you made the changes we suggested?

If so run the diagnostics again, and post the NEW results
Hey


Any way to avoid this?

http://prnt.sc/o6edc2
What's wrong with it?
So many IPs attack my hMailServer, no?

mattg
Moderator
Moderator
Posts: 20232
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by mattg » 2019-06-25 16:04

I ban for 7 days and typically have over 400 entries

Welcome to the world of being an email admin
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-06-25 19:05

mattg wrote:
2019-06-25 16:04
I ban for 7 days and typically have over 400 entries

Welcome to the world of being an email admin

Ready. Thanks, any recommendation for this?

jim.bus
Senior user
Senior user
Posts: 304
Joined: 2011-05-28 11:49
Location: US

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by jim.bus » 2019-06-26 08:17

I ban for 6 months and got only 45 entries but maybe my hMailServer installation is not interesting enough to the Spammers. When I reached 45 entries I also seemed to not get anymore for a long time. Unfortunately I didn't keep track of actually how long but it was a long time.

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by estradis » 2019-06-28 14:35

Due to https://www.hmailserver.com/forum/viewt ... p?p=212910 we currently have 3085 addresses directly blocked in hms. We usually ban them for two weeks, but we have decided to extend the ban directly on the firewall cluster to one year for all of Brazil.

By the way, hms has no problem at all with this amount of blocked addresses. Only the database behind it occasionally reaches its limits, because the RAM is too small.

The hms developers did a great job!

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by estradis » 2019-07-03 09:55

3224 banned addresses and hms still works fine so far.

RyuzDev
New user
New user
Posts: 13
Joined: 2019-06-14 14:23

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by RyuzDev » 2019-07-08 17:09

I continue to receive these types of messages. How do they do it, and how do I avoid it?

Code: Select all

"TCPIP"	1212	"2019-07-08 09:38:23.226"	"TCP - 209.85.214.195 connected to 192.168.1.254:25."
"SMTPD"	1212	395809	"2019-07-08 09:38:23.228"	"209.85.214.195"	"SENT: 220 mail.com.co"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.357"	"209.85.214.195"	"RECEIVED: EHLO mail-pl1-f195.google.com"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.357"	"209.85.214.195"	"SENT: 250-mail.mail.com.co[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	1040	395809	"2019-07-08 09:38:23.482"	"209.85.214.195"	"RECEIVED: MAIL FROM:<benjaminezeife12@gmail.com> SIZE=3300"
"SMTPD"	1040	395809	"2019-07-08 09:38:23.493"	"209.85.214.195"	"SENT: 250 OK"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.620"	"209.85.214.195"	"RECEIVED: RCPT TO:<username.@mail.com.co>"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.624"	"209.85.214.195"	"SENT: 550 Unknown user"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.750"	"209.85.214.195"	"RECEIVED: QUIT"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.756"	"209.85.214.195"	"SENT: 221 goodbye"
The username is a user of my company and is written wrongly, because it is "username" and not "username."
Why did the spammer still send it?

And I receive this message:


Start of message:
--------------------------------------------------
Benjamin <benjaminezeife12@gmail.com>
Good day friend,
from: undisclosed-recipients:

Code: Select all

Dear friend,

My name is Barrister Benjamin Ezeife, a renowned lawyer based in Togo.
I am writing in connection with my deceased client, who
bears the same surname as you and left the sum of ten million five
hundred thousand United States dollars ($10.5 million) in a bank before
his death. I got in touch with you to request your
consent to present you to the
bank as heir of my deceased client to allow the
transfer of this fund
to be transferred to your account. I will enlighten you in more detail and
clarification when I receive a positive response from you.

Lawyer Benjamin Ezeife. (Esq)
Principal Lawyer of Dominion Associates
Chambers and Lawyers
Notary Public Lome-TOGO West Africa
BTD / SORT-CD-00247901
Contact telephone. + 228 99793155
Email (benjaminezeife88@gmail.com)


Why does this email arrive to my account if the email has nothing to do with me?

palinka
Senior user
Senior user
Posts: 1213
Joined: 2017-09-12 17:57

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by palinka » 2019-07-08 19:43

RyuzDev wrote:
2019-07-08 17:09
Why does this email arrive to my account if the email has nothing to do with me?
It's spam. Are you doing anything to prevent spam? You will receive lots and lots of spam unless you attempt to filter it out. And after that you will still receive spam but less of it.

What are your anti spam strategies?

There are many really great tutorials here. Have you implemented any of them?

https://hmailserver.com/forum/viewtopic ... 21&t=33566

https://hmailserver.com/forum/viewtopic ... 21&t=28133

Pedja
Normal user
Normal user
Posts: 39
Joined: 2010-10-30 05:39
Location: Serbia

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by Pedja » 2019-07-28 11:53

It seems you noticed the same issue I did.

The sender email is checked at the SMTP level; after it has passed, the mail itself can fake the sender. Therefore spammers use an external email address for SMTP and, as that is allowed, it passes the check; then they later use the From: field in the email to fake a local email address. That is not checked, so the false sender goes through.

As I am told, that is perfectly fine, not considered a bug and will not be fixed.

So I created VBScript that detects this situation and marks email as faked. You may then use mail rule to deal with such email, for example - delete it.

Check discussion and provided VBScript at https://www.hmailserver.com/forum/viewtopic.php?t=34085

SorenR
Senior user
Senior user
Posts: 3212
Joined: 2006-08-21 15:38
Location: Denmark

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by SorenR » 2019-07-28 13:30

RyuzDev wrote:
2019-07-08 17:09
I continue to receive these types of messages. How do they do it, and how do I avoid it?

Code: Select all

"TCPIP"	1212	"2019-07-08 09:38:23.226"	"TCP - 209.85.214.195 connected to 192.168.1.254:25."
"SMTPD"	1212	395809	"2019-07-08 09:38:23.228"	"209.85.214.195"	"SENT: 220 mail.com.co"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.357"	"209.85.214.195"	"RECEIVED: EHLO mail-pl1-f195.google.com"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.357"	"209.85.214.195"	"SENT: 250-mail.mail.com.co[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	1040	395809	"2019-07-08 09:38:23.482"	"209.85.214.195"	"RECEIVED: MAIL FROM:<benjaminezeife12@gmail.com> SIZE=3300"
"SMTPD"	1040	395809	"2019-07-08 09:38:23.493"	"209.85.214.195"	"SENT: 250 OK"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.620"	"209.85.214.195"	"RECEIVED: RCPT TO:<username.@mail.com.co>"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.624"	"209.85.214.195"	"SENT: 550 Unknown user"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.750"	"209.85.214.195"	"RECEIVED: QUIT"
"SMTPD"	1212	395809	"2019-07-08 09:38:23.756"	"209.85.214.195"	"SENT: 221 goodbye"

The username belongs to a user of my company and is misspelled: it is "username" and not "username."
Why did the spammer still send it?

and I receive this message:

Start of message:
--------------------------------------------------
Benjamin <benjaminezeife12@gmail.com>
Good day friend,
from: undisclosed-recipients:

Code:

Dear friend,

My name is Barrister Benjamin Ezeife, a renowned lawyer based in Togo.
I am writing in connection with my deceased client, who
bears the same surname as you and left the sum of ten million five
hundred thousand United States dollars ($10.5 million) in a bank before
his death. I contacted you to request your
consent to present you to the
bank as the heir of my deceased client to allow the
transfer of this fund
to your account. I will enlighten you with more details and
clarifications when I receive a positive response from you.

Lawyer Benjamin Ezeife. (Esq)
Principal Lawyer of Dominion Associates
Chambers and Lawyers
Notary Public Lome-TOGO West Africa
BTD / SORT-CD-00247901
Contact phone. + 228 99793155
Email (benjaminezeife88@gmail.com)


Why does this email arrive to my account if the email has nothing to do with me?
The log posted did not result in the email posted.

This is what it looks like when the recipient is not valid ...

Code:

"SENT: 550 Unknown user"
"RECEIVED: QUIT"
"SENT: 221 goodbye"

This is what it looks like when the recipient is valid ...

Code:

"SENT: 250 OK"
"RECEIVED: DATA"
"SENT: 354 OK, send."
"SENT: 250 Queued (2.531 seconds)"
"RECEIVED: QUIT"
"SENT: 221 goodbye"

SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
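SorenR's point is that the two log shapes above tell you directly whether a message was ever accepted. The following is an added example, not hMailServer code and not from anyone in this thread: it parses hMailServer's tab-separated SMTPD log lines, groups them by session id, and reports per session the envelope sender, the recipients, which recipients drew a 550, whether AUTH succeeded and whether the mail was queued. The sample log is constructed with documentation IP addresses and placeholder mailboxes, following the two shapes quoted in the post.

```python
"""Added example: classify hMailServer SMTPD sessions from the log.

Illustration code only; the sample log is constructed."""
import csv
import io
from collections import defaultdict

# Constructed sample: session 395809 is rejected at RCPT TO with 550,
# session 395810 is accepted and queued.  Fields are tab-separated and
# quoted exactly as hMailServer writes them.
SAMPLE_LOG = "\n".join([
    '"TCPIP"\t1212\t"2019-07-08 09:38:23.226"\t"TCP - 192.0.2.10 connected to 192.168.1.254:25."',
    '"SMTPD"\t1212\t395809\t"2019-07-08 09:38:23.228"\t"192.0.2.10"\t"SENT: 220 mail.example.com.co"',
    '"SMTPD"\t1212\t395809\t"2019-07-08 09:38:23.357"\t"192.0.2.10"\t"RECEIVED: EHLO relay.external.test"',
    '"SMTPD"\t1212\t395809\t"2019-07-08 09:38:23.357"\t"192.0.2.10"\t"SENT: 250-mail.example.com.co[nl]250-SIZE 20480000[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"',
    '"SMTPD"\t1040\t395809\t"2019-07-08 09:38:23.482"\t"192.0.2.10"\t"RECEIVED: MAIL FROM:<sender@external.test> SIZE=3300"',
    '"SMTPD"\t1040\t395809\t"2019-07-08 09:38:23.493"\t"192.0.2.10"\t"SENT: 250 OK"',
    '"SMTPD"\t1212\t395809\t"2019-07-08 09:38:23.620"\t"192.0.2.10"\t"RECEIVED: RCPT TO:<username.@example.com.co>"',
    '"SMTPD"\t1212\t395809\t"2019-07-08 09:38:23.624"\t"192.0.2.10"\t"SENT: 550 Unknown user"',
    '"SMTPD"\t1212\t395809\t"2019-07-08 09:38:23.750"\t"192.0.2.10"\t"RECEIVED: QUIT"',
    '"SMTPD"\t1212\t395809\t"2019-07-08 09:38:23.756"\t"192.0.2.10"\t"SENT: 221 goodbye"',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:01.100"\t"192.0.2.11"\t"RECEIVED: MAIL FROM:<sender@external.test>"',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:01.101"\t"192.0.2.11"\t"SENT: 250 OK"',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:01.200"\t"192.0.2.11"\t"RECEIVED: RCPT TO:<username@example.com.co>"',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:01.201"\t"192.0.2.11"\t"SENT: 250 OK"',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:01.300"\t"192.0.2.11"\t"RECEIVED: DATA"',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:01.301"\t"192.0.2.11"\t"SENT: 354 OK, send."',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:03.800"\t"192.0.2.11"\t"SENT: 250 Queued (2.531 seconds)"',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:03.900"\t"192.0.2.11"\t"RECEIVED: QUIT"',
    '"SMTPD"\t1212\t395810\t"2019-07-08 09:40:03.901"\t"192.0.2.11"\t"SENT: 221 goodbye"',
])


def parse_smtpd_log(text):
    """Group SMTPD lines by session id -> [(client_ip, message), ...]."""
    sessions = defaultdict(list)
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 6 or row[0] != "SMTPD":
            continue  # TCPIP and other components have a different shape
        _comp, _pid, session, _ts, ip, message = row[:6]
        sessions[session].append((ip, message))
    return dict(sessions)


def session_outcome(lines):
    """Summarise one session: envelope sender, recipients, which recipients
    got a 550, whether AUTH succeeded (235) and whether the mail was queued."""
    out = {"mail_from": None, "rcpt_to": [], "rejected_rcpt": [],
           "authenticated": False, "queued": False}
    last_cmd = ""
    for _ip, msg in lines:
        if msg.startswith("RECEIVED: "):
            last_cmd = msg[len("RECEIVED: "):]
            upper = last_cmd.upper()
            if upper.startswith("MAIL FROM:"):
                # "MAIL FROM:<a@b> SIZE=3300" -> "a@b"
                out["mail_from"] = last_cmd.split(":", 1)[1].split()[0].strip("<>")
            elif upper.startswith("RCPT TO:"):
                out["rcpt_to"].append(last_cmd.split(":", 1)[1].strip().strip("<>"))
        elif msg.startswith("SENT: "):
            reply = msg[len("SENT: "):]
            if reply.startswith("550") and last_cmd.upper().startswith("RCPT TO:"):
                out["rejected_rcpt"].append(out["rcpt_to"][-1])
            elif reply.startswith("235"):
                out["authenticated"] = True
            elif reply.startswith("250 Queued"):
                out["queued"] = True
    return out


def summarize(text):
    """Return {session_id: 'queued' | 'rejected' | 'no delivery'} for a log."""
    result = {}
    for sid, lines in parse_smtpd_log(text).items():
        o = session_outcome(lines)
        result[sid] = ("queued" if o["queued"] else
                       "rejected" if o["rejected_rcpt"] else "no delivery")
    return result


if __name__ == "__main__":
    for sid, lines in parse_smtpd_log(SAMPLE_LOG).items():
        print(sid, session_outcome(lines))
```

A session that ends without "250 Queued" never delivered anything, so when a message does turn up in a mailbox the matching session is the one that shows DATA followed by 250 Queued; searching the log for that reply, rather than for the sender address, finds the real delivery.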

SorenR
Senior user
Posts: 3212
Joined: 2006-08-21 15:38
Location: Denmark

Re: SPAM - SCAM - PSHING - HMAIL SERVER !!!NEED HELP!

Post by SorenR » 2019-07-28 13:41

Pedja wrote:
2019-07-28 11:53
It seems you noticed the same issue I did.

The sender email is checked at SMTP level; after it passes, the mail itself can fake the sender. Therefore spammers use an external email address for SMTP and, as that is allowed, it passes the check; then they use the From: field in the email to fake a local email address. That is not checked, so the false sender goes through.

As I am told, that is perfectly fine, not considered a bug and will not be fixed.

So I created a VBScript that detects this situation and marks the email as faked. You may then use a mail rule to deal with such email, for example - delete it.

Check the discussion and the provided VBScript at https://www.hmailserver.com/forum/viewtopic.php?t=34085

SpamAssassin gets them every time.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
