Block SpamProtection IP's

Atreyu4055
New user
Posts: 4
Joined: 2015-07-31 16:06

Block SpamProtection IP's

Post by Atreyu4055 » 2017-02-21 14:44

I have a situation where hMailServer is used with a domain that was registered in the mid 1990's and over many years, has become a HUGE spam target. While I manage to mitigate most of the crap that comes in via due diligent locked-down configs and DNSBL/SpamAssassin setup, there is one particular scenario from a spammer which is a challenge.

I can receive 40 to 50 SMTP session attempts, sequentially and NOT concurrently, from the same IP address trying to send spam. In other words - I have spam coming in from the same IP, addressed to individual people on the domain, sent to one recipient at a time in the SMTP session. The spammer is NOT using CC or BCC, it is literally one recipient in the SMTP session... Naturally that spammer is not going to "hit" everyone on the domain, so almost daily, the hMailServer queue gets built up with "undeliverable" attempts from that spammer. The spam is part of a botnet, so no, I am not going to manually blacklist several dozen if not hundreds of IP addresses or add this to a firewall. Geo-IP blocking is out of the question as well.

I see no way to immediately block SMTP sessions from an IP address that try to send spam, AFTER that system has been tested positive for blacklisting or fails the SpamAssassin test. OR another way to look at it - if hMailServer receives XX amount of SMTP sessions from the SAME IP address within YY seconds/minutes of each other, ban that IP address.

This is a feature found in Icewarp, a commercial software product. That product has a robust "cache" of IP addresses of every single incoming SMTP session. If that IP address breaks the rules you define, for whatever the reason, they end up in that cache and can be banned for a period you define... even before an SMTP session takes place.

Atreyu

mattg
Moderator
Posts: 19894
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block SpamProtection IP's

Post by mattg » 2017-02-21 15:03

I think this could be done with some clever scripting...

This thread shows how to add detail to the database >> viewtopic.php?f=20&t=13890
You could either check frequently with a scheduled task driven script, or perhaps use SQL triggers, for new timed IP ranges to be created (like Autoban does). hMailServer deletes these automatically.

Can you script in VBS?
What sort of mail volume is on that server? I'm guessing enough to warrant using a database table rather than a flat file...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Atreyu4055
New user
Posts: 4
Joined: 2015-07-31 16:06

Re: Block SpamProtection IP's

Post by Atreyu4055 » 2017-02-21 17:03

Hi there, I have intermediate VB-scripting experience... I am no expert by any means. The mail server processes around 5 thousand messages per day. I understand the idea behind scripting/SQL but I'm not quite sure where or how to "hook" into whatever function that handles the "live" condition upon SpamProtection being activated.

On the Icewarp product I mentioned, there is one screen that controls this as per the condition I explained earlier... it would be very nice to have that same screen instead of having to resort to scripting.

Atreyu

mattg
Moderator
Posts: 19894
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block SpamProtection IP's

Post by mattg » 2017-02-22 01:25

Atreyu4055 wrote: it would be very nice to have that same screen instead of having to resort to scripting.

Whilst I understand that, and agree in some ways (just learning bash scripts for a Linux firewall ATM), hMailServer typically doesn't add 'fluff' that can be easily scripted, especially if only a few users would ever use it.

Look at the hMailServer COM API >> https://www.hmailserver.com/documentati ... om_objects
especially the securityrange and securityranges >> https://www.hmailserver.com/documentati ... rityranges & https://www.hmailserver.com/documentati ... urityrange

Here's an example that adds an autoban that will last a year. You just need to call it with the IP as a string passed.

Code:

Sub AutobanIP(IPAddress)
	Dim oApp
	Set oApp = CreateObject("hMailServer.Application")

' 		Give this script permission to access all
' 		hMailServer settings.
	Call oApp.Authenticate("Administrator", g_sAdminPassword)

	Dim oSecurityRange
	Set oSecurityRange = oApp.Settings.SecurityRanges.Add()
	With oSecurityRange
		.lowerip = ipaddress
		.upperip = ipaddress
		.priority = 20
		.allowdeliveryfromlocaltolocal = False
		.allowdeliveryfromlocaltoremote = False
		.allowdeliveryfromremotetolocal = False
		.allowdeliveryfromremotetoremote = False
		.allowimapconnections = False
		.allowsmtpconnections = False
		.allowpop3connections = False
		.expires = True
		.ExpiresTime = DateAdd("d", 365, Now())
		.name = "added from script"
		.save
	End With
End Sub

I'm looking forward to using this more in the expected new event (some already have in test builds) OnHELO


OH, and please detail a POLL question and answer for this thread so that we can vote for it...

SorenR
Senior user
Posts: 3155
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block SpamProtection IP's

Post by SorenR » 2017-02-22 17:11

Well Matt, my suggestion is a bit more advanced - and everything is off to begin with, no point in forcing it off.

Call AutoBan(oClient.IPAddress, "This text is listed under Names in IP Ranges", 1, "yyyy")

CPorts immediately disconnect the TCP/IP session, like "kill" does in Unix. I found that sometimes these buggers are hard to get rid of ;-)
Find it here -> http://www.nirsoft.net/utils/cports.html

Function LockFile is a simple session lock so that sessions do not check & update the same record simultaneously. I found that it may lead to execution errors.

Function Wait - There is a timer missing in VBScript ;-)
There are 3 different suggestions as not all will work with all OS versions and 32/64 bit... Microsoft in a nutShell... ha ha.. get it... Shell... Oh well - geek joke :oops:


Code:

   Sub AutoBan(sIPAddress, sReason, iDuration, sType)
'
'     sType can be one of the following;
'
'     "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
'
'     Cports can be obtained here -> http://www.nirsoft.net/utils/cports.html
'
      Dim oApp : Set oApp = CreateObject("hMailServer.Application")
      Call oApp.Authenticate(ADMIN, PASSWORD)
      With LockFile("c:\hmailserver\temp\autoban.lck")
         On Error Resume Next
         oApp.Settings.SecurityRanges.Refresh
         If (oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing) Then
            With oApp.Settings.SecurityRanges.Add
'              Use sIPAddress so the stored name matches the ItemByName check above
               .Name = "(" & sReason & ") " & sIPAddress
               .LowerIP = sIPAddress
               .UpperIP = sIPAddress
               .Priority = 20
               .Expires = True
               .ExpiresTime = DateAdd(sType, iDuration, Now())
               .Save
            End With
         End If
         oApp.Settings.SecurityRanges.Refresh
         On Error Goto 0
         .Close
      End With
      With CreateObject("WScript.Shell")
         .Run "CPorts /close * * " & sIPAddress & " *", 0, True
      End With
   End Sub

   Function LockFile(strPath)
      Const Append = 8
      Const Unicode = -1
      With CreateObject("Scripting.FileSystemObject")
         Dim oFile, i
         For i = 0 To 30
            On Error Resume Next
            Set oFile = .OpenTextFile(strPath, Append, True, Unicode)
            If (Not Err.Number = 70) Then
               Set LockFile = oFile
               On Error Goto 0
               Exit For
            End If
            On Error Goto 0
            Wait(1)
         Next
      End With
      Set oFile = Nothing
      If (Err.Number = 70) Then
         EventLog.Write("ERROR: EventHandlers.vbs")
         EventLog.Write("File " & strPath & " is locked and timeout was exceeded.")
         Err.Clear
      ElseIf (Err.Number <> 0) Then
         EventLog.Write("ERROR: EventHandlers.vbs : Function LockFile")
         EventLog.Write("Error       : " & Err.Number)
         EventLog.Write("Error (hex) : 0x" & Hex(Err.Number))
         EventLog.Write("Source      : " & Err.Source)
         EventLog.Write("Description : " & Err.Description)
         Err.Clear
      End If
   End Function

   Function Wait(sec)
      With CreateObject("WScript.Shell")
         .Run "timeout /T " & Int(sec), 0, True
'        .Run "sleep -m " & Int(sec * 1000), 0, True
'        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
      End With
   End Function

SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
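
The rule asked for in the first post (XX SMTP sessions from the same IP within YY seconds), evaluated the way a scheduled task could do it. This is an added example, not code from any poster or from hMailServer; the row layout, the function name and the thresholds are assumptions, and the sample rows are constructed. It only makes the ban decision; each returned IP and expiry would then be handed to a ban routine such as the AutoBan sub above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample rows (session time, remote IP); the layout is an assumption,
# standing in for whatever table or log the scheduled task reads.
SAMPLE_SESSIONS = [
    ("2017-02-21 13:10:00", "198.51.100.20"), ("2017-02-21 13:40:00", "198.51.100.20"),
    ("2017-02-21 14:00:00", "203.0.113.7"),   ("2017-02-21 14:00:05", "192.0.2.55"),
    ("2017-02-21 14:00:09", "192.0.2.55"),    ("2017-02-21 14:00:12", "203.0.113.7"),
    ("2017-02-21 14:00:25", "203.0.113.7"),   ("2017-02-21 14:00:30", "192.0.2.55"),
    ("2017-02-21 14:00:41", "203.0.113.7"),   ("2017-02-21 14:00:58", "203.0.113.7"),
    ("2017-02-21 14:01:10", "203.0.113.7"),   ("2017-02-21 14:10:00", "198.51.100.20"),
]


def find_ips_to_ban(sessions, max_sessions, window_seconds, ban_minutes,
                    already_banned=()):
    """Return {ip: ban_expiry} for every IP that reaches max_sessions sessions
    inside a sliding window of window_seconds (hypothetical helper)."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)           # ip -> session times still in the window
    bans = {}
    # Sort first so rows read out of order still give a correct window.
    for when, ip in sorted((datetime.strptime(ts, FMT), ip) for ts, ip in sessions):
        if ip in already_banned or ip in bans:
            continue                      # one ban per IP, no duplicate ranges
        times = recent[ip]
        times.append(when)
        # Drop sessions that have fallen out of the window ending at this one.
        while times and when - times[0] >= window:
            times.popleft()
        if len(times) >= max_sessions:
            bans[ip] = when + timedelta(minutes=ban_minutes)
    return bans


if __name__ == "__main__":
    # 5 sessions within 120 seconds earns a 60 minute ban.
    for ip, expiry in find_ips_to_ban(SAMPLE_SESSIONS, 5, 120, 60).items():
        print(f"ban {ip} until {expiry}")
```

Passing the IPs that already have a live range as `already_banned` keeps repeated runs of the task from creating duplicate entries.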

mattg
Moderator
Posts: 19894
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block SpamProtection IP's

Post by mattg » 2017-02-22 23:54

SorenR wrote: Well Matt, my suggestion is a bit more advanced

Of course!
You are much better at this stuff than I am.

SorenR
Senior user
Posts: 3155
Joined: 2006-08-21 15:38
Location: Denmark

Re: RE: Re: Block SpamProtection IP's

Post by SorenR » 2017-02-23 10:40

mattg wrote:
SorenR wrote: Well Matt, my suggestion is a bit more advanced
Of course!
You are much better at this stuff than I am.

Not better, different ! ;-)
SørenR.

