Improved Auto-Ban

Use this forum if you want to suggest a new feature to hMailServer. Before posting, please search the forum to confirm that it has not already been suggested.
EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Improved Auto-Ban

Post by EduardoFoltran » 2018-07-27 16:59

Hi!

I would like to suggest an implementation to improve the auto-ban security feature, but first I believe it would be useful to put this proposal in context.
I had some users with a severe problem of spam. Despite my best effort, I could not make a sensible impact on the amount of spam these particular users received every day. The reason for that was clear to me. I am in Brazil and my users are Brazilian people who send and receive messages in Portuguese. The same is true for the Brazilian spammers. All spam originating in Brazil stays in Brazil. For that reason, it never reaches the spamtraps of the major DNSBL services worldwide. The messages are schemes and advertisements targeted at Portuguese speakers. I looked for a DNSBL focused on Brazilian spam, but I found none. So I decided to create my own.
Since November 2017 I have been working on this DNSBL service. I established 7 levels of “spamness” ranging from “whitelisted” to “drop-it-now”. For a while, I used real accounts of my users, who volunteered for it, as spamtraps, implemented some algorithms to spot spammers and asked all others to mark as spam all undesired email they received. In less than a month the impact was huge. I was able to reduce spam by 60% and after 3 months I had a group of very happy users congratulating me. Now I am not using any real account as a spamtrap and I am setting up proper spamtraps over the internet.
Having all that experience with the DNSBL and the spamtraps, I started to look more closely at the IPs that fell into the auto-ban feature of HMS. Most times I look, there are some IPs banned. I started to check those IPs on my DNSBL and they always fell in the “drop-it-now” level. That means those IPs are spammers trying to kidnap some user account.

**The proposal**

With this background, I propose to implement some kind of auto-ban based on a DNSBL service. So, if a given IP is listed in a DNSBL, there is no need to wait for it to fail a login. It should be banned just for trying to log in.
I believe it could work like this:
1- The “bad-guy” IP connects to HMS and receives the 220 salute; meanwhile, HMS starts to check its reputation on a DNSBL.
2- The “bad-guy” goes on with the EHLO formalities.
3- If the “bad-guy” wants to deliver a message, going down the MAIL, RCPT, DATA path, treat it normally.
4- If the “bad-guy” asks for AUTH, close the connection and ban it.

I hope you find this suggestion useful.

Eduardo
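The four-step flow proposed above, written out as an added example (it is not code from the post, and hMailServer does not ship it). It builds the reversed-octet DNSBL query name, starts the reputation lookup at the 220 banner, lets MAIL/RCPT/DATA through untouched and bans only when a listed client asks for AUTH. The zone `dnsbl.example`, the listings table and the fake resolver are constructed for the example; one caveat the proposal does not mention is handled explicitly: a resolver failure (timeout, zone outage) is treated as "not listed" so a DNSBL outage cannot turn into a ban of every client.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A resolver maps a hostname to an IPv4 string and raises OSError (socket.gaierror)
# when the name does not exist, which is how a DNSBL says "not listed".
Resolver = Callable[[str], str]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 203.0.113.1 -> 1.113.0.203.<zone>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_listed(ip: str, zone: str, resolver: Resolver = socket.gethostbyname) -> Optional[str]:
    """Return the 127.0.0.x answer when the IP is listed, None when it is not.

    Lookup failures (NXDOMAIN, timeout, zone unreachable) all map to None: failing
    open is deliberate, because a DNSBL outage must not ban every connecting client.
    Answers outside 127.0.0.0/8 are ignored as well; a zone that has expired and been
    wildcarded returns public addresses, not listing codes.
    """
    try:
        answer = resolver(dnsbl_query_name(ip, zone))
    except OSError:
        return None
    if not answer.startswith("127."):
        return None
    return answer


def make_fake_resolver(listings: Dict[str, str]) -> Resolver:
    """Constructed offline stand-in for DNS: a dict of query name -> listing code."""
    def resolve(name: str) -> str:
        if name in listings:
            return listings[name]
        raise socket.gaierror(-2, "Name or service not known")
    return resolve


def run_session(ip: str, commands: List[str], zone: str,
                resolver: Resolver) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Simulate the proposal: lookup at the 220 banner, then decide per SMTP verb.

    Returns the listing code and a list of (verb, action). Delivery verbs are always
    accepted; AUTH from a listed IP yields "ban" and ends the session.
    """
    listed = dnsbl_listed(ip, zone, resolver)  # step 1: started alongside the 220 salute
    actions: List[Tuple[str, str]] = []
    for line in commands:
        verb = line.split()[0].upper()
        if verb == "AUTH" and listed is not None:  # step 4: listed client wants to log in
            actions.append((verb, "ban"))
            break
        actions.append((verb, "accept"))  # steps 2 and 3: EHLO, MAIL, RCPT, DATA as usual
    return listed, actions


# Constructed sample data: 203.0.113.1 (documentation range) is listed with code 127.0.0.2.
CONSTRUCTED_ZONE = "dnsbl.example"
CONSTRUCTED_LISTINGS = {"1.113.0.203.dnsbl.example": "127.0.0.2"}

if __name__ == "__main__":
    resolver = make_fake_resolver(CONSTRUCTED_LISTINGS)
    print(run_session("203.0.113.1", ["EHLO spam.example", "AUTH LOGIN"], CONSTRUCTED_ZONE, resolver))
    print(run_session("203.0.113.1", ["EHLO mx.example", "MAIL FROM:<a@example>", "RCPT TO:<b@example>", "DATA"],
                      CONSTRUCTED_ZONE, resolver))
    print(run_session("198.51.100.7", ["EHLO ok.example", "AUTH LOGIN"], CONSTRUCTED_ZONE, resolver))
```

In a real server the lookup would be issued asynchronously so the banner is not delayed; here it is synchronous only because the resolver is an in-memory dict.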

SorenR
Senior user
Posts: 3582
Joined: 2006-08-21 15:38
Location: Denmark

Re: Improved Auto-Ban

Post by SorenR » 2018-07-27 18:25

How's your vbs ??


   For i = 0 To 10
      If InStr(Message.HeaderValue("X-hMailServer-Reason-" & i), "RBL Rejection Message") Then 
         Call AutoBan(oClient.IPAddress, "DNSBL - " & Message.HeaderValue("X-hMailServer-Reason-" & i), 7, "d")
      End If
   Next
I made this "StartUp" event handler some time back that should make the above possible. It will require a modified hmailserver.exe due to the OnHELO procedure.
http://www.hmailserver.com/forum/viewto ... 20#p203420


Option Explicit

'******************************************************************************************************************************
'********** Settings                                                                                                 **********
'******************************************************************************************************************************

' COM authentication
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "########"

'******************************************************************************************************************************
'********** Functions                                                                                                **********
'******************************************************************************************************************************

Function Wait(sec)
   With CreateObject("WScript.Shell")
      .Run "timeout /T " & Int(sec), 0, True
      '        .Run "sleep -m " & Int(sec * 1000), 0, True
      '        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
   End With
End Function

Function LockFile(strPath)
   Const Append = 8
   Const Unicode = -1
   With CreateObject("Scripting.FileSystemObject")
      Dim oFile, i
      For i = 0 To 30
         On Error Resume Next
         Set oFile = .OpenTextFile(strPath, Append, True, Unicode)
         If Not (Err.Number = 70) Then
            Set LockFile = oFile
            On Error Goto 0
            Exit For
         End If
         On Error Goto 0
         Wait(1)
      Next
   End With
   If (Err.Number = 70) Then
      EventLog.Write( "ERROR: EventHandlers.vbs" )
      EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
      Err.Clear
   ElseIf (Err.Number <> 0) Then
      EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
      EventLog.Write( "Error       : " & Err.Number )
      EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
      EventLog.Write( "Source      : " & Err.Source )
      EventLog.Write( "Description : " & Err.Description )
      Err.Clear
   End If
End Function

Function Lookup(strRegEx, strMatch) : Lookup = False
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = False
      .MultiLine = True
      .IgnoreCase = True
      If .Test(strMatch) Then Lookup = True
   End With
End Function

Function oLookup(strRegEx, strMatch, bGlobal)
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = bGlobal
      .MultiLine = True
      .IgnoreCase = True
      Set oLookup = .Execute(strMatch)
   End With
End Function

'
' System Scripting Runtime COM object ("SScripting.IPNetwork")
' http://www.netal.com/ssr.htm
' Binary -> http://www.netal.com/software/ssr15.zip
'
' ALTERNATIVE: DNSBL      = sbl.spamhaus.org
'              ReturnCode = 127.0.0.3
'              Score      = 5
'
Function IsSnowShoe(strIP) : IsSnowShoe = False
   Dim a
   a = Split(strIP, ".")
   With CreateObject("SScripting.IPNetwork")
      strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".sbl.spamhaus.org")
   End With
   If (strIP = "127.0.0.3") Then IsSnowShoe = True
End Function

Function LongIntegerFromIP(p_strIP)
   Dim arrTemp, i, lngTemp
   arrTemp = Split(p_strIP, ".")
   For i = 0 To UBound(arrTemp)
      lngTemp = lngTemp + CLng(arrTemp(i)) * (256 ^ (3 - i))
   Next
   LongIntegerFromIP = lngTemp
End Function

Function isAutoBan(oMessage)
   Dim strRegEx, i, a, Match, Matches, m_strIP, m_strLowerIP, m_strUpperIP
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   strRegEx = "(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
   For i = 0 To oMessage.Headers.Count-1
      If oMessage.Headers(i).Name = "Received" Then
         If Lookup("by backup-mx.post.tele.dk", oMessage.Headers(i).Value) Then
            Set Matches = oLookup(strRegEx, oMessage.Headers(i).Value, False)
            If Matches.Count > 0 Then
               For Each Match In Matches
                  m_strIP = LongIntegerFromIP(Match.Value)
                  For a = 0 To oApp.Settings.SecurityRanges.Count-1
                     If (oApp.Settings.SecurityRanges.Item(a).Priority = 20) Then
                        m_strLowerIP = LongIntegerFromIP(oApp.Settings.SecurityRanges.Item(a).LowerIP)
                        m_strUpperIP = LongIntegerFromIP(oApp.Settings.SecurityRanges.Item(a).UpperIP)
                        If (m_strIP >= m_strLowerIP) And (m_strIP <= m_strUpperIP) Then
                           Result.Value = 2
                           Result.Message = "5.7.1 CODE08 The SMTP service on IP address (" & Match.Value & ") is not welcome here."
                           Exit Function
                        End If
                     End If
                  Next
               Next
               Exit Function
            End If
         End If
      End If
   Next
End Function

'******************************************************************************************************************************
'********** Subroutines                                                                                              **********
'******************************************************************************************************************************

Sub XEnvelope(oMessage)
   Dim i, strEnvelope1, strEnvelope2
   For i = 0 To oMessage.Recipients.Count-1
      If (i = 0) Then
         strEnvelope1 = oMessage.Recipients(i).Address
         strEnvelope2 = oMessage.Recipients(i).OriginalAddress
      Else
         strEnvelope1 = strEnvelope1 & ", " & oMessage.Recipients(i).Address
         strEnvelope2 = strEnvelope2 & ", " & oMessage.Recipients(i).OriginalAddress
      End If
   Next
   oMessage.HeaderValue("X-Envelope-To") = strEnvelope1
   oMessage.HeaderValue("X-Envelope-OriginalTo") = strEnvelope2
   oMessage.HeaderValue("X-Envelope-From") = oMessage.FromAddress
   oMessage.Save
End Sub

'
' sType can be one of the following;
' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
'
Sub AutoBan(sIPAddress, sReason, iDuration, sType)
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   With LockFile("c:\hmailserver\temp\autoban.lck")
      On Error Resume Next
      oApp.Settings.SecurityRanges.Refresh
      If (oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing) Then
         With oApp.Settings.SecurityRanges.Add
            .Name = "(" & sReason & ") " & sIPAddress
            .LowerIP = sIPAddress
            .UpperIP = sIPAddress
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd(sType, iDuration, Now())
            .Save
         End With
      End If
      oApp.Settings.SecurityRanges.Refresh
      On Error Goto 0
      .Close
   End With
End Sub

Sub SPAMList(oMessage, strMatch)
   Dim i
   If (oMessage.HeaderValue("X-hMailServer-Spam") = "YES") Then
      i = CInt(oMessage.HeaderValue("X-hMailServer-Reason-Score"))
   Else
      oMessage.HeaderValue("X-hMailServer-Spam") = "YES"
      i = 0
   End If
   oMessage.HeaderValue("X-hMailServer-Reason-0") = "SPAMlisted - (Score: 5)"
   oMessage.HeaderValue("X-hMailServer-Reason-Score") = 5 + i
   oMessage.HeaderValue("X-Blacklist-RegEx") = strMatch
   oMessage.Save
End Sub

Sub WhiteList(oMessage, strMatch)
   Dim i
   If (oMessage.HeaderValue("X-hMailServer-Spam") = "YES") Then
      ' oMessage.Headers.ItemByName("X-hMailServer-Spam").Delete
      oMessage.HeaderValue("X-Whitelist-RegEx") = strMatch
      oMessage.HeaderValue("X-hMailServer-Spam") = "NO"
      i = CInt(oMessage.HeaderValue("X-hMailServer-Reason-Score"))
      oMessage.HeaderValue("X-hMailServer-Reason-Score") = i * -1
      oMessage.Save
   End If
End Sub

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnClientConnect(oClient)

   '
   ' Exclude Backup-MX & local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "80.160.77.") Then Exit Sub
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub

   '
   ' Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Port = 25) Then Wait(20)

End Sub

Sub OnHELO(oClient)
   Dim strRegEx, Match, Matches

   '
   ' Exclude Backup-MX & local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "80.160.77.") Then Exit Sub
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub

   '
   ' Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Port = 25) Then Wait(20)

   '
   ' SnowShoe SPAM detection
   '
   If IsSnowShoe(oClient.IPAddress) Then
      Result.Value = 2
      Result.Message = "5.7.1 CODE01 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Call AutoBan(oClient.IPAddress, "SNOWSHOE - " & oClient.HELO, 7, "d")
      Exit Sub
   End If

   '
   ' Deny servers with specific HELO/EHLO greetings
   '
   strRegEx = "^(\[87\.51\.72\.165\])$|" &_
              "^(mydomain\.tld)$|" &_
              "^(mx\.mydomain\.tld)$|" &_
              "^(.*\.[a-z]{4,})$|" &_
              "(0\.0\.0\.0)|" &_
              "(127(?:\.[0-9]{1,3}){3})"
   Set Matches = oLookup(strRegEx, oClient.HELO, False)
   If Matches.Count > 0 Then
      For Each Match In Matches
         Result.Value = 2
         Result.Message = "5.7.1 CODE02 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means. {" & Match.Value & "}"
         Call AutoBan(oClient.IPAddress, "BLACKLIST - " & oClient.HELO, 7, "d")
         Exit Sub
      Next
   End If

   '
   ' Validate HELO/EHLO greeting
   '
   Const strFQDN = "^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+(?:[a-z]{2,})$)$"
   Const strIPv4 = "^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
   ' Stray ">" removed from the first dotted-quad alternative so that octets 250-255 match in IPv4-mapped addresses
   Const strIPv6 = "^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}(?:(?:(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$"
   Const myKnown = "^(LouisesPC)$|^(LouisesHuawei)$"
   strRegEx = strFQDN & "|" & strIPv4 & "|" & strIPv6 & "|" & myKnown
   If (Lookup(strRegEx, oClient.HELO) = False) Then
      Result.Value = 2
      Result.Message = "5.7.1 CODE03 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Call AutoBan(oClient.IPAddress, "Bad HELO - " & oClient.HELO, 7, "d")
      Exit Sub
   End If

End Sub

'  ********** SPAM test: DNSBlackLists, HeloHost, MXRecords, SPF

Sub OnSMTPData(oClient, oMessage)

   '
   ' Exclude Backup-MX & local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "80.160.77.") Then Exit Sub
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub

   '
   ' Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Port = 25) Then Wait(20)

End Sub

'  ********** SPAM test: SURBL, DKIM, SpamAssassin

Sub OnAcceptMessage(oClient, oMessage)
   Dim i, a, strRegEx, Match, Matches

   '
   ' Exclude authenticated users test
   '
   If (oClient.Username <> "") Then Exit Sub

   '
   ' Banned sender via Backup-MX ?
   '
   If (Left(oClient.IPAddress, 10) = "80.160.77.") Then Call isAutoBan(oMessage)

   '
   ' Reject "X-Envelope-From:"
   '
   strRegEx = "(\@dcs-dz\.com)$|" &_
              "(\@danmarkmail\.com)$|" &_
              "(\@epsp-telagh\.com)$|" &_
              "(\@vrshoesale\.com)$|" &_
              "(\.bid)$|(\.kim)$|(\.men)$|(\.top)$|(\.win)$|(\.xyz)$|(\.zip)$"
   Set Matches = oLookup(strRegEx, oMessage.FromAddress, False)
   If Matches.Count > 0 Then
      For Each Match In Matches
         Result.Value = 2
         Result.Message = "5.7.1 CODE04 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means. {" & Match.Value & "}"
         Exit Sub
      Next
   End If

   '
   ' Reject "From:"
   '
   strRegEx = "(Sweetme)|(Kira Johns)|(July Girl)|(Hot Mama)|(Little Miss)|" &_
              "(Baby Boobs)|(Booby Girl)|(Booby Booms)|(aylinhansen)|" &_
              "(\.bid)$|(\.kim)$|(\.men)$|(\.top)$|(\.win)$|(\.xyz)$|(\.zip)$|" &_
              "(\.bid\>)$|(\.kim\>)$|(\.men\>)$|(\.top\>)$|(\.win\>)$|(\.xyz\>)$|(\.zip\>)$"
   Set Matches = oLookup(strRegEx, oMessage.From, False)
   If Matches.Count > 0 Then
      For Each Match In Matches
         Result.Value = 2
         Result.Message = "5.7.1 CODE05 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means. {" & Match.Value & "}"
         Exit Sub
      Next
   End If

   '
   ' Reject "Subject:"
   '
   strRegEx = "^(yo|hi|sup|hello|greets|hey t?here)(!?)(.?)(8?-?\)?)?$"
   If (oMessage.HeaderValue("X-Blacklist-RegEx") = "") Then
      Set Matches = oLookup(strRegEx, oMessage.Subject, False)
      If Matches.Count > 0 Then
         For Each Match In Matches
            Result.Value = 2
            Result.Message = "5.7.1 CODE06 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means. {" & Match.Value & "}"
            Exit Sub
         Next
      End If
   End If

   '
   ' Reject "Body:"
   '
   strRegEx = "(\.xyz\/)|(thisemailwillchangeyourlife)|(Please sign the contract)"
   If Lookup(strRegEx, oMessage.Body) Or Lookup(strRegEx, oMessage.HTMLBody) Then
      Result.Value = 2
      Result.Message = "5.7.1 CODE07 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If

   '
   ' Additional SPAM processing
   '
   If oMessage.HeaderValue("X-hMailServer-Spam") <> "YES" Then

      '
      ' Blacklist IP Range
      '
      ' http://www.analyticsmarket.com/freetools/ipregex
      '
      ' 216.82.240.0 - 216.82.255.255 = MessageLabs Inc. (Symantec Inc.)
      ' ^216\.82\.(2(4[0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$

      ' strRegEx = "^216\.82\.(2(4[0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"
      ' Set Matches = oLookup(strRegEx, oClient.IPAddress, False)
      ' If Matches.Count > 0 Then
      '    For Each Match In Matches
      '       Call SPAMList(oMessage, "BlackList oClient.IPAddress: Value '" & Match.Value & "'")
      '    Next
      ' End If

      '
      ' Blacklist "X-Envelope-From:"
      '
      If oMessage.HeaderValue("X-hMailServer-Spam") <> "YES" Then

         strRegEx = "^(job\@.*)$|" &_
                    "^(.*\@.*\.[a-z]{4,})$"
         Set Matches = oLookup(strRegEx, oMessage.FromAddress, False)
         If Matches.Count > 0 Then
            For Each Match In Matches
               Call SPAMList(oMessage, "BlackList oMessage.FromAddress: Value '" & Match.Value & "'")
            Next
         End If

      End If

      '
      ' Blacklist "From:"
      '
      If oMessage.HeaderValue("X-hMailServer-Spam") <> "YES" Then

         strRegEx = "(\<.*\@.*\.[a-z]{4,}\>)"
         Set Matches = oLookup(strRegEx, oMessage.From, False)
         If Matches.Count > 0 Then
            For Each Match In Matches
               Call SPAMList(oMessage, "BlackList oMessage.From: Value '" & Match.Value & "'")
            Next
         End If

      End If

      '
      ' Blacklist "Subject:"
      '
      If oMessage.HeaderValue("X-hMailServer-Spam") <> "YES" Then

         strRegEx = "(Fakta Gavekort)|" &_
                    "(Vi inviterer dig til at tilslutte dig)|(Dette er ikke en reklame)|" &_
                    "(Blockchain-momentum)|" &_
                    "(du vil finde rigtig meget brugbar information herinde)|" &_
                    "(ringede til dig, men du tog den ikke)|" &_
                    "(Noget helt fantastisk er ved at ske)|" &_
                    "(iPhone (3G|4|5|6|SE|7|8|9|X)(C|S)?( Plus)?)"
         Set Matches = oLookup(strRegEx, oMessage.Subject, False)
         If Matches.Count > 0 Then
            For Each Match In Matches
               Call SPAMList(oMessage, "BlackList oMessage.Subject: Value '" & Match.Value & "'")
            Next
         End If

      End If

      '
      ' Blacklist Body
      '
      If oMessage.HeaderValue("X-hMailServer-Spam") <> "YES" Then

         strRegEx = "(Du har fået denne mail tilsendt angående et jobtilbud)|" &_
                    "(Vi har registreret, at du har et overskydende)|" &_
                    "(I øjeblikket tildeler vi alle nyopstartede brugere)|" &_
                    "(Din konto er i risiko for at blive suspenderet)|" &_
                    "(Vi leder efter en ny person)|" &_
                    "(Leo Vegas er)|(velkomstbonus til din)|" &_
                    "(beskytte dit kort mod svig)|(I have a proposal)|" &_
                    "(You are receiving this email because you opted in via our website)|" &_
                    "(iPhone (3G|4|5|6|SE|7|8|9|X)(C|S)?( Plus)?)"
         Set Matches = oLookup(strRegEx, oMessage.Body, False)
         If Matches.Count > 0 Then
            For Each Match In Matches
               Call SPAMList(oMessage, "BlackList oMessage.Body: Value '" & Match.Value & "'")
            Next
         Else
            Dim strHTMLBody : strHTMLBody = oMessage.HTMLBody

            ' <!-- ... -->   PHP: "<!--[^>]*-->"        JavaScript: "<!--[\s\S]*?-->"
            ' /*   ...  */   PHP: "(\/\*)[^>]*(\*\/)"   JavaScript: "(\/\*)[\s\S]*?(\*\/)"

            ' With CreateObject("VBScript.RegExp")
            '    .Pattern = "<!--[\\s\\S]*?(?:-->)?<!---+>?|<!(?![dD][oO][cC][tT][yY][pP][eE]|\\[CDATA\\])[^>]*>?|<[?][^>]*>?"
            '    .Global = True
            '    .MultiLine = True
            '    .IgnoreCase = True
            '    strHTMLBody = .Replace(strHTMLBody, "")
            ' End With

            ' My.WriteLog( Len(strHTMLBody) & " : oMessage.HTMLBody (FLT1) : " & strHTMLBody )

            With CreateObject("VBScript.RegExp")
               .Pattern = "(\/\*)[\s\S]*?(\*\/)"
               .Global = True
               .MultiLine = True
               .IgnoreCase = True
               strHTMLBody = .Replace(strHTMLBody, "")
            End With

            Set Matches = oLookup(strRegEx, strHTMLBody, False)
            If Matches.Count > 0 Then
               For Each Match In Matches
                  Call SPAMList(oMessage, "BlackList oMessage.HTMLBody: Value '" & Match.Value & "'")
               Next
            End If
         End If
      End If

   End If

   '
   ' Whitelist senders Eg. notification+m5kkb25r@facebookmail.com
   '
   If (oMessage.HeaderValue("X-hMailServer-Spam") = "YES") Then

      '
      ' Whitelist "X-Envelope-From:"
      '
      strRegEx = "^(notification\+)[a-z,0-9,_]{8}(\@facebookmail\.com)$|" &_
                 "^(security\@facebookmail\.com)$|" &_
                 "^(bounces\+3390280\-2e2e\-soren\=mydomain\.tld\@mail\.computerworld\.dk)$|" &_
                 "^(bounce-mc.us1_498933.[0-9]{7}-jane=mydomain.tld@mail[0-9]{1,3})|" &_
                 "^(transaction\@notice\.aliexpress\.com)$|" &_
                 "^(noreply\@compugroupmedical\.dk)$|" &_
                 "^(metin\@srv\.eatonline\.dk)$|" &_
                 "^(mobilprivat\@telia\.dk)$|" &_
                 "^(no-reply\@telia\.crm-ts\.com)$|" &_
                 "^(bounce\@gjensidige\.no)$|" &_
                 "^(info\@billigvvs\.dk)$|" &_
                 "(\@hk\.dk)$|" &_
                 "(\@cirkusrevyen\.dk)$|" &_
                 "(\@bounce\.kundemail\.power\.dk)$|" &_
                 "(\@(email|insideapple)\.apple\.com)$"
      Set Matches = oLookup(strRegEx, oMessage.FromAddress, False)
      If Matches.Count > 0 Then
         For Each Match In Matches
            Call WhiteList(oMessage, "WhiteList oMessage.FromAddress: Value '" & Match.Value & "'")
         Next
      End If

      '
      ' Whitelist "From:"
      '
      If (oMessage.HeaderValue("X-hMailServer-Spam") = "YES") Then

         strRegEx = "^(Goodreads <no-reply\@mail\.goodreads\.com>)$|" &_
                    "^(EasyPark <no-reply\@easypark\.net>)$|" &_
                    "(support\@patchingprotocol\.com)|" &_
                    "(account-update\@amazon\.com)|" &_
                    "(no_reply\@snapchat\.com)|" &_
                    "(no-reply\@myunidays\.com)|" &_
                    "(noreply\@sundhedsjobs\.dk)|" &_
                    "(\@bloderforeningen\.dk)|" &_
                    "(\@yousee\.dk)|" &_
                    "(\@id\.apple\.com)|" &_
                    "(\@seas-nve\.dk)"
         Set Matches = oLookup(strRegEx, oMessage.From, False)
         If Matches.Count > 0 Then
            For Each Match In Matches
               Call WhiteList(oMessage, "WhiteList oMessage.From: Value '" & Match.Value & "'")
            Next
         End If

      End If

   End If

   '
   ' Add X-Envelope... headers
   '
   Call XEnvelope(oMessage)

End Sub

'  ********** Saving EML to DATA

'  Sub OnDeliveryStart(oMessage)
'  End Sub

'  ********** Antivirus check, Global rules

'  Sub OnDeliverMessage(oMessage)
'  End Sub

'  ********** Local rules, Message delivered to recipient(s)

'  Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
'  End Sub

'  Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
'  End Sub

'  Sub OnBackupFailed(sReason)
'  End Sub

'  Sub OnBackupCompleted()
'  End Sub

'  Sub OnError(iSeverity, iCode, sSource, sDescription)
'  End Sub
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke
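The two pieces of the script above that the first snippet relies on are `AutoBan` (a single-address security range with an expiry, skipped if a range with the same name already exists) and `isAutoBan` (rejecting a message relayed by the backup MX when the client IP inside its `Received:` header falls in a banned range). The following is an added example, not part of SorenR's script and not hMailServer's API, that reproduces that logic in Python so the range arithmetic and expiry can be checked offline. The backup-MX marker `by backup-mx.example.net`, the header text and the dates are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Same pattern the script uses to pull the first dotted quad out of a Received: header.
IPV4_RE = re.compile(r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}")


def ip_to_int(ip: str) -> int:
    """Equivalent of LongIntegerFromIP: dotted quad -> integer (validated, no overflow)."""
    return int(ipaddress.IPv4Address(ip))


@dataclass
class BanRange:
    name: str
    lower: int
    upper: int
    expires: datetime


class BanList:
    """Stand-in for SecurityRanges with Priority = 20 (the script's auto-ban priority)."""

    def __init__(self) -> None:
        self.ranges: Dict[str, BanRange] = {}

    def auto_ban(self, ip: str, reason: str, duration: timedelta, now: datetime) -> bool:
        """Mirror Sub AutoBan: name is '(reason) ip'; a duplicate name is not added again."""
        name = f"({reason}) {ip}"
        if name in self.ranges:
            return False
        n = ip_to_int(ip)
        self.ranges[name] = BanRange(name, n, n, now + duration)  # DateAdd("d", 7, Now())
        return True

    def is_banned(self, ip: str, now: datetime) -> Optional[str]:
        """Return the matching range name when ip lies in an unexpired range, else None."""
        n = ip_to_int(ip)
        for r in self.ranges.values():
            if r.expires > now and r.lower <= n <= r.upper:
                return r.name
        return None


def ip_from_received(value: str, relay_marker: str) -> Optional[str]:
    """Mirror isAutoBan's header handling: trust only Received: headers stamped by our
    own backup MX (relay_marker) and take the first IPv4 address found in them."""
    if relay_marker.lower() not in value.lower():
        return None
    m = IPV4_RE.search(value)
    return m.group(0) if m else None


def check_relayed_message(received_headers: List[str], bans: BanList, now: datetime,
                          relay_marker: str) -> Tuple[int, str]:
    """Mirror Function isAutoBan: (2, '5.7.1 ...') to reject, (0, '') to accept.

    Only the first trusted Received: header is examined, as in the script.
    """
    for value in received_headers:
        ip = ip_from_received(value, relay_marker)
        if ip is None:
            continue
        if bans.is_banned(ip, now):
            return 2, f"5.7.1 CODE08 The SMTP service on IP address ({ip}) is not welcome here."
        return 0, ""
    return 0, ""


# Constructed sample: a header as the backup MX would stamp it (marker is not a real host).
CONSTRUCTED_MARKER = "by backup-mx.example.net"
CONSTRUCTED_RECEIVED = ("from spam.example (spam.example [203.0.113.1]) "
                        "by backup-mx.example.net with ESMTP; Fri, 27 Jul 2018 16:59:00 +0200")

if __name__ == "__main__":
    now = datetime(2018, 7, 27, 16, 59)
    bans = BanList()
    bans.auto_ban("203.0.113.1", "DNSBL - RBL Rejection Message", timedelta(days=7), now)
    print(check_relayed_message([CONSTRUCTED_RECEIVED], bans, now, CONSTRUCTED_MARKER))
    print(check_relayed_message([CONSTRUCTED_RECEIVED], bans, now + timedelta(days=8), CONSTRUCTED_MARKER))
```

The expiry is checked on read rather than purged on a timer, which is the simplest way to get the same effect as `.Expires = True` / `.ExpiresTime` without a background job.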

mattg
Moderator
Posts: 20845
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Improved Auto-Ban

Post by mattg » 2018-07-27 22:33

Good idea Eduardo

As SorenR says, using a build that includes OnHelo, much of this is possible.
http://www.hmailserver.com/forum/viewto ... 60#p201392 is a link to one such build

ALSO, in your hmailserver.ini you can stop AUTH for certain ports. Many of us block AUTH on port 25 using this.

In my case, using RvdH's build linked above, and SorenR's Autoban scripts, I autoban the following:
- Spam scores over 15 - get one high spam score, and BAM, no more messages for a few weeks
- RvdH's build also has an 'OnClientLogon', where I catch those trying to connect from another country on IMAP and POP3 ports - these aren't normally Autobanned by hMailServer as only SMTP is autobanned by hMailServer. I'm in Australia; international is pretty definitive here.
- I have some non-standard ports. Any use of these with a failed logon gets autobanned
- Using SorenR's scripts I check for known EHLO responses for spammers, and Autoban the IP. This includes those who respond to EHLO with my public IP address.
- I also automatically check my logs every few minutes for things like those who TRY to AUTH on port 25 and are rejected, they too get added to my Autoban list

My autoban list has been sitting consistently at around the 90 to 100 entries since before the world cup started, but a few times reached into the hundreds. I now keep stats of my autoban list at the end of every day.

And just checking my stats, I don't have any bans from foreign IP addresses for over a month. I'll have to check that my script is still working...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
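The last item in mattg's list, scanning the logs every few minutes for clients that try AUTH on port 25 and get rejected, is the kind of check that is easy to get wrong if a single "AUTH" string is matched without looking at the server's reply. The following is an added example (not mattg's script and not part of hMailServer) that reads SMTPD log lines in hMailServer's tab-separated style, pairs each `RECEIVED: AUTH` with the `SENT:` reply in the same session, and counts only rejections per client IP. The log lines are constructed for the example, and the assumption that a rejection on an AUTH-disabled port is reported with a 5xx reply (here `504`) is an assumption made for the example rather than something the thread states.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

# hMailServer-style SMTPD line: "SMTPD"<tab>thread<tab>session<tab>"timestamp"<tab>"ip"<tab>"message"
LINE_RE = re.compile(
    r'^"SMTPD"\t\d+\t(?P<session>\d+)\t"(?P<ts>[^"]+)"\t"(?P<ip>[^"]+)"\t"(?P<msg>.*)"$'
)


def parse_smtpd_lines(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per SMTPD line; non-matching lines (other log sources) are skipped."""
    for line in lines:
        m = LINE_RE.match(line.rstrip("\r\n"))
        if m:
            yield m.groupdict()


def find_auth_rejections(lines: Iterable[str], reject_codes: tuple = ("5",)) -> Dict[str, int]:
    """Count, per client IP, AUTH attempts answered by a rejecting reply code.

    The reply is matched by session id, so a client whose AUTH was accepted (334/235
    on a submission port) is never counted, only one whose AUTH drew a 5xx answer.
    """
    pending: Dict[str, str] = {}  # session id -> ip that just sent AUTH
    hits: Dict[str, int] = defaultdict(int)
    for rec in parse_smtpd_lines(lines):
        msg = rec["msg"]
        if msg.startswith("RECEIVED: AUTH"):
            pending[rec["session"]] = rec["ip"]
        elif rec["session"] in pending and msg.startswith("SENT: "):
            ip = pending.pop(rec["session"])
            code = msg[len("SENT: "):len("SENT: ") + 3]
            if code.startswith(reject_codes):
                hits[ip] += 1
    return dict(hits)


def candidates_to_ban(hits: Dict[str, int], threshold: int = 1) -> List[str]:
    """IPs whose rejected-AUTH count reached the threshold, sorted for stable output."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def _line(session: int, ip: str, msg: str, ts: str = "2018-07-27 16:59:01.000") -> str:
    return "\t".join(['"SMTPD"', "3300", str(session), f'"{ts}"', f'"{ip}"', f'"{msg}"'])


# Constructed sample log: 203.0.113.1 tries AUTH twice on the MX port and is refused;
# 198.51.100.7 just delivers mail; 192.0.2.9 authenticates successfully on a submission port.
CONSTRUCTED_LOG = [
    _line(1, "203.0.113.1", "RECEIVED: EHLO spam.example"),
    _line(1, "203.0.113.1", "RECEIVED: AUTH LOGIN"),
    _line(1, "203.0.113.1", "SENT: 504 Authentication not enabled."),
    _line(2, "198.51.100.7", "RECEIVED: EHLO mx.example"),
    _line(2, "198.51.100.7", "RECEIVED: MAIL FROM:<a@example>"),
    _line(2, "198.51.100.7", "SENT: 250 OK"),
    _line(3, "192.0.2.9", "RECEIVED: AUTH LOGIN"),
    _line(3, "192.0.2.9", "SENT: 334 VXNlcm5hbWU6"),
    _line(4, "203.0.113.1", "RECEIVED: AUTH LOGIN"),
    _line(4, "203.0.113.1", "SENT: 504 Authentication not enabled."),
    '"DEBUG"\t3300\t"2018-07-27 16:59:02.000"\t"unrelated line that must be ignored"',
]

if __name__ == "__main__":
    hits = find_auth_rejections(CONSTRUCTED_LOG)
    print(hits)                              # {'203.0.113.1': 2}
    print(candidates_to_ban(hits, threshold=2))
```

Run against a real `hmailserver_<date>.log` with `find_auth_rejections(open(path, encoding="utf-8"))`; the per-session pairing is what keeps legitimate submission-port logins out of the ban list.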

EduardoFoltran
Normal user
Posts: 39
Joined: 2016-08-12 15:04

Re: Improved Auto-Ban

Post by EduardoFoltran » 2018-07-30 19:49

Hi Mattg and SorenR

Thanks for the feedback! I blocked login on port 25 and it indeed had an impact on auto-ban.
I am studying SorenR’s script to see if I can do something without the OnHelo event. I am using Martin’s compilation and I am not planning to change it in the near future. I believe such an event should be in the main compilation as well. It opens some interesting possibilities.

I realize that there is a lot of stuff one can do with a list of banned IPs. For example, I figured out how ZeroBounce checks email addresses. They use several fake servers that pretend to send an email in order to check if the address exists or not. I am trying some addresses on their free test just to collect information. The domains they use always go to a website of a company of some kind that looks like a legitimate business, but digging deeper, one can see they are not real.
A list of IPs of such services should be permanently banned!

Thanks again!

Eduardo
