Dynamic Black/Whitelists in your script.

This section contains scripts that hMailServer has contributed with. hMailServer 5 is needed to use these.
SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 00:26

I have been using this feature a while now and it is brilliant. I used to modify my Black/Whitelists directly in my script and reload/restart every time. Not anymore.

Data is located in an XML file in the Events directory and I use Microsoft XML Notepad 2007 to edit the XML file across my SMB network.

Sample VBScript.

Code:

Option Explicit
'
'   COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "*********"
'
'   XMLDATA file is located in .\hMailServer\Events\
'
Private Const XMLDATA = "dynamic-lists.xml"

'******************************************************************************************************************************
'********** Functions                                                                                                **********
'******************************************************************************************************************************

Function Lookup(strRegEx, strMatch) : Lookup = False
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = False
      .MultiLine = True
      .IgnoreCase = True
      If .Test(strMatch) Then Lookup = True
   End With
End Function

Function oLookup(strRegEx, strMatch, bGlobal)
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = bGlobal
      .MultiLine = True
      .IgnoreCase = True
      Set oLookup = .Execute(strMatch)
   End With
End Function

Function HTMLClean(strHTML)
   '
   ' <!-- ... -->   PHP: "(<!--[^>]*-->)"      JavaScript: "(<!--[\s\S]*?-->)"
   ' /*   ...  */   PHP: "(\/\*)[^>]*(\*\/)"   JavaScript: "(\/\*)[\s\S]*?(\*\/)"
   ' <!--[\\s\\S]*?(?:-->)?<!---+>?|<!(?![dD][oO][cC][tT][yY][pP][eE]|\\[CDATA\\])[^>]*>?|<[?][^>]*>?
   '
   With CreateObject("VBScript.RegExp")
      .Pattern = "(<style[\s\S]*?style>)|(\/\*[\s\S]*?\*\/)|(<[\s\S]*?>)"
      .Global = True
      .MultiLine = True
      .IgnoreCase = True
      HTMLClean = .Replace(strHTML, "")
   End With
End Function

Function LoadXML(XMLFile)
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   Dim oXML : Set oXML = CreateObject("MSXML2.DOMDocument")
   oXML.async = False   ' load synchronously so parseError and the node tree are complete before they are read
   oXML.Load(oApp.Settings.Directories.EventDirectory & "\" & XMLFile)
   If oXML.parseError <> 0 Then
      EventLog.Write( "XML ERROR - errorCode - " & oXML.parseError.errorCode ) ' Returns a long integer error code
      EventLog.Write( "XML ERROR - reason    - " & oXML.parseError.reason )    ' Returns a string explaining the reason for the error
      EventLog.Write( "XML ERROR - line      - " & oXML.parseError.line )      ' Returns a long integer representing the line number for the error
      EventLog.Write( "XML ERROR - linePos   - " & oXML.parseError.linePos )   ' Returns a long integer representing the line position for the error
      EventLog.Write( "XML ERROR - srcText   - " & oXML.parseError.srcText )   ' Returns a string containing the line that caused the error
      EventLog.Write( "XML ERROR - url       - " & oXML.parseError.url )       ' Returns the url pointing the loaded document
      EventLog.Write( "XML ERROR - filePos   - " & oXML.parseError.filePos )   ' Returns a long integer file position of the error
   End If
   Set LoadXML = oXML
End Function

'   NOTE: an empty node makes this return "" and an empty RegEx matches everything; see the Feb. 12 security update later in this thread
Function LoadXMLNode(oXML, MyNode) : LoadXMLNode = ""
   Dim Match, Matches, strTXT
   Set Matches = oXML.selectNodes(MyNode)
   strTXT = ""
   For Each Match In Matches
      strTXT = strTXT & Match.text & "|"
   Next
   If (Trim(strTXT) <> "") Then
      LoadXMLNode = Left(strTXT,Len(strTXT)-1)
   Else
      EventLog.Write( "ERROR: Empty string from LoadXMLNode(oXML, " & MyNode & ")" )
   End If
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnSMTPData(oClient, oMessage)
   Dim oXML : Set oXML = LoadXML(XMLDATA)
   Dim strRegEx
   '
   '   Whitelist HELO
   '
   strRegEx = LoadXMLNode(oXML, "//Whitelist/HELO")
   If Lookup(strRegEx, oClient.HELO) Then
      Exit Sub
   End If
   '
   '   Reject HELO
   '
   strRegEx = LoadXMLNode(oXML, "//Reject/HELO")
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "5.3.0 CODE01 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
End Sub

Sub OnAcceptMessage(oClient, oMessage)
   Dim oXML : Set oXML = LoadXML(XMLDATA)
   Dim strRegEx, Match, Matches
   '
   '   Reject "Subject:"
   '
   strRegEx = LoadXMLNode(oXML, "//Reject/Subject")
   Set Matches = oLookup(strRegEx, oMessage.Subject, False)
   For Each Match In Matches
      Result.Value = 2
      Result.Message = "5.3.0 CODE02 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   Next
   '
   '   Blacklist "Body:"
   '
   strRegEx = LoadXMLNode(oXML, "//Blacklist/Bodytxt")
   Set Matches = oLookup(strRegEx, oMessage.Body, False)
   For Each Match In Matches
      Result.Value = 2
      Result.Message = "5.3.0 CODE03 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   Next
   Set Matches = oLookup(strRegEx, HTMLClean(oMessage.HTMLBody), False)
   For Each Match In Matches
      Result.Value = 2
      Result.Message = "5.3.0 CODE04 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   Next
End Sub
The layout of the XML file is how I use it. <Root> is the top level and should not be changed. <Reject>, <Blacklist> and <Whitelist> you can change any way you like, HOWEVER the XML syntax is case-sensitive, so if you create <ACME> with elements <Explosive>TNT</Explosive> and <explosive>Nitro</explosive>, a lookup on "//ACME/Explosive" will ONLY list TNT!

IF you edit the XMLDATA file with a text editor... well, there are some limitations you should be aware of. The text representations of the reserved characters are:

Code:

&lt;   <
&gt;   >
&amp;  &
&quot; "
&apos; '
Sample XMLDATA file

Code:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Root>
  <Reject>
    <HELO>(0\.0\.0\.0)</HELO>
    <HELO>(127(?:\.[0-9]{1,3}){3})</HELO>
    <HELO>^(masscan)$</HELO>
    <HELO>^(ylmf\-pc)$</HELO>
    <From>(Sweetme)|(Kira Johns)|(July Girl)|(Hot Mama)|(Little Miss)</From>
    <From>(Baby Boobs)|(Booby Girl)|(Booby Booms)</From>
    <Subject>^(yo|hi|sup|hello|greets|hey t?here)(!?)(.?)(8?-?\)?)?$</Subject>
  </Reject>
  <Blacklist>
    <X-Envelope-From>^(.*\@.*bitcoin.*)$</X-Envelope-From>
    <From>(Tim Kristiansen)</From>
    <Bodytxt>(I have a proposal)</Bodytxt>
    <Bodytxt>(You are receiving this email because you opted in via our website)</Bodytxt>
    <IPRange>^216\.82\.(2(4[0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$</IPRange>
  </Blacklist>
  <Whitelist>
    <X-Envelope-From>^(security\@facebookmail\.com)$</X-Envelope-From>
    <X-Envelope-From>^(noreply\@fitnessworld\.com)$</X-Envelope-From>
    <From>(account-update\@amazon\.com)</From>
    <From>(\@id\.apple\.com)</From>
    <HELO>^(VVS-WEB)[0-9]{2}(\.localdomain)$</HELO>
    <HELO>^(app)[0-9]{2}(-shippii-com)$</HELO>
    <HELO>^(LouisesMatebookX)$</HELO>
    <HELO>^(LAPTOP08MT84VB)$</HELO>
  </Whitelist>
  <Ransomeware>
    <Bodytxt>(https://dl.dropboxusercontent.com/s/)</Bodytxt>
    <Bodytxt>(https://www.dropbox.com/meta_dl/)</Bodytxt>
  </Ransomeware>
</Root>
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
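The list-file approach above, rewritten in Python as an added example (it is not code from the thread or from hMailServer): the XML is parsed once per event, every element under a node path is joined into one alternation exactly as LoadXMLNode does, and the checks run in the same order as OnSMTPData and OnAcceptMessage (whitelist before reject). The sample XML is a constructed subset of the posted dynamic-lists.xml; ElementTree path syntax (".//Reject/HELO") replaces the "//Reject/HELO" XPath used in the VBScript. An empty node yields None so the test is skipped, which is the failure mode the Feb. 12 update in this thread corrects.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout the thread uses (a subset of the posted dynamic-lists.xml)
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<Root>
  <Reject>
    <HELO>(0\.0\.0\.0)</HELO>
    <HELO>^(masscan)$</HELO>
    <HELO>^(ylmf\-pc)$</HELO>
    <Subject>^(yo|hi|sup|hello|greets|hey t?here)(!?)(.?)(8?-?\)?)?$</Subject>
  </Reject>
  <Blacklist>
    <Bodytxt>(I have a proposal)</Bodytxt>
  </Blacklist>
  <Whitelist>
    <HELO>^(LAPTOP08MT84VB)$</HELO>
  </Whitelist>
</Root>
"""


def load_lists(xml_text):
    """Parse the list file once per event, as LoadXML does; a parse error raises here
    instead of being written to the event log."""
    return ET.fromstring(xml_text.encode("utf-8"))


def load_node(root, path):
    """Equivalent of LoadXMLNode: join the text of every element under `path` with '|'.
    Returns None for an empty node so the caller skips the test; an empty pattern
    would otherwise match every input."""
    parts = [el.text.strip() for el in root.findall(path) if el.text and el.text.strip()]
    return "|".join(parts) if parts else None


def lookup(pattern, text):
    """Equivalent of Lookup(): case-insensitive, multiline search. No pattern, no match."""
    if pattern is None:
        return False
    return re.search(pattern, text, re.IGNORECASE | re.MULTILINE) is not None


def check_helo(root, helo):
    """OnSMTPData order: whitelist first, then reject."""
    if lookup(load_node(root, ".//Whitelist/HELO"), helo):
        return "whitelist"
    if lookup(load_node(root, ".//Reject/HELO"), helo):
        return "reject"
    return "pass"


def check_message(root, subject, body):
    """OnAcceptMessage order: reject on Subject, then blacklist on body text."""
    if lookup(load_node(root, ".//Reject/Subject"), subject):
        return "reject-subject"
    if lookup(load_node(root, ".//Blacklist/Bodytxt"), body):
        return "reject-body"
    return "accept"


if __name__ == "__main__":
    lists = load_lists(SAMPLE_XML)
    for helo in ("masscan", "LAPTOP08MT84VB", "mail.example.com"):
        print(helo, "->", check_helo(lists, helo))
```

To run it against the real file, read the XML from the hMailServer Events directory instead of SAMPLE_XML; the element names are case-sensitive in ElementTree just as the post warns they are in MSXML.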

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-10 01:47

Installed. I'm not sure how useful the rest will be, but the reject on helo will slay a lot of spammers.

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 14:54

palinka wrote:
2019-02-10 01:47
Installed. I'm not sure how useful the rest will be, but the reject on helo will slay a lot of spammers.
The code in OnSMTPData(oClient, oMessage) I have in OnHELO(oClient) but since OnHELO(oClient) is not in the official build, I placed the code there. The benefit of moving it to OnHELO(oClient) is AUTH is done AFTER OnHELO(oClient) and BEFORE OnSMTPData(oClient, oMessage) ... :wink:

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 15:26

This will filter out ANY non-RFC compliant HELO/EHLO greeting. There are a lot of SPAM BOTs and infected clients/servers that can be captured using this.
This is NOT a foolproof test and valid servers/clients MAY fail. That's why you MUST use a Whitelist BEFORE this test.

I find that Outlook 365 clients sometimes identify themselves with the machine name and not the FQDN. I believe this is a problem with the DHCP service. I have made entries in my Whitelist to compensate for this. I also skip this test for clients on my LAN.

Valid greetings are: FQDN, [192.168.0.1] and [IPv6:fe80::1]

Non-Valid greetings are: masscan, localhost, ylmf-pc, WIN-82VNUNPK9RO

Code:

   '
   '   Validate HELO/EHLO greeting (assumes Dim strRegEx in the enclosing Sub, as in OnSMTPData above)
   '
   Const strFQDN = "^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+(?:[a-z]{2,})$)$"
   Const strIPv4 = "^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
   '   Embedded dotted-quad inside the IPv6 literal uses a non-capturing group (?:25[0-5]|...); the original had a stray ">" there
   Const strIPv6 = "^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}(?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$"
   strRegEx = strFQDN & "|" & strIPv4 & "|" & strIPv6
   If (Lookup(strRegEx, oClient.HELO) = False) Then
      Result.Value = 2
      '   SMTPCode() is a helper from the author's own script and is not shown in this thread
      Result.Message = SMTPCode(Result.Value) & " CODE03 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
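The greeting test above as an added Python example (not the thread's code): the FQDN rule is ported from strFQDN (dot-separated labels of 1 to 63 characters that neither start nor end with a hyphen, ending in an alphabetic TLD; the asterisk the original tolerated inside labels is dropped), while the bracketed IPv4 and IPv6 literals are validated with the standard ipaddress module instead of strIPv4/strIPv6. The evaluation order is the one the post insists on: whitelist first, then skip LAN clients, then the syntax test. The whitelist patterns, the LAN networks and the client address are constructed assumptions.

```python
import ipaddress
import re

# Port of the thread's strFQDN idea: 1-254 chars, labels of 1-63 [a-z0-9-] that neither
# start nor end with a hyphen, at least one dot, alphabetic TLD of 2+ letters.
FQDN_RE = re.compile(
    r"^(?=.{1,254}$)(?:(?!-)[a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,}$",
    re.IGNORECASE,
)


def is_address_literal(helo):
    """[192.168.0.1] or [IPv6:fe80::1], validated with ipaddress rather than a regex."""
    if len(helo) < 3 or helo[0] != "[" or helo[-1] != "]":
        return False
    inner = helo[1:-1]
    try:
        if inner[:5].upper() == "IPV6:":
            ipaddress.IPv6Address(inner[5:])
        else:
            ipaddress.IPv4Address(inner)
    except ValueError:
        return False
    return True


def is_rfc_helo(helo):
    """RFC 5321 shape: an FQDN or a bracketed address literal."""
    return bool(FQDN_RE.match(helo)) or is_address_literal(helo)


def classify_helo(helo, client_ip="198.51.100.7", whitelist=(),
                  lan_networks=("192.168.0.0/16", "10.0.0.0/8")):
    """Whitelist first, then LAN clients are exempt, then the syntax test.
    client_ip and lan_networks defaults are constructed for the example."""
    for pattern in whitelist:
        if re.search(pattern, helo, re.IGNORECASE):
            return "whitelisted"
    addr = ipaddress.ip_address(client_ip)
    if any(addr in ipaddress.ip_network(net) for net in lan_networks):
        return "lan-skip"
    return "accept" if is_rfc_helo(helo) else "reject"


if __name__ == "__main__":
    for greeting in ("mail.example.com", "[192.168.0.1]", "[IPv6:fe80::1]",
                     "masscan", "localhost", "ylmf-pc", "WIN-82VNUNPK9RO"):
        print(greeting, "->", classify_helo(greeting))
```

As palinka notes further down the thread, a host name like 24-121-219-54.erkacmtk02.com.sta.suddenlink.net passes this test; it is a syntax check only, not a reputation check.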

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-10 17:13

I get a lot of these:

2019-02-10 01:02:22.199 RECEIVED: EHLO 24-121-219-54.erkacmtk02.com.sta.suddenlink.net

It's a valid FQDN, I suppose. But it's bot net crap from a dynamic IP. SA filters them fine, but it would be great to reject them altogether.

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 21:31

palinka wrote:
2019-02-10 17:13
I get a lot of these:

2019-02-10 01:02:22.199 RECEIVED: EHLO 24-121-219-54.erkacmtk02.com.sta.suddenlink.net

It's a valid fqdn, i suppose. But it's bot net crap from a dynamic ip. SA filters them fine, but it would be great to reject them altogether.
This appears to be the most I can cut it down and still not cripple suddenlink.net completely.
<Root>
  <Reject>
    <HELO>^(.*\.com\.sta\.suddenlink\.net)$</HELO>
  </Reject>
</Root>

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-10 21:53

Oh, sorry, no. I didn't mean they all come from suddenlink. They come from all over, every and any ISP but using the host name of the ISP's IP address. Some are static IPs as well ("STATIC" being part of the hostname).

Code:

2019-02-10 01:02:22.199	RECEIVED: EHLO 24-121-219-54.erkacmtk02.com.sta.suddenlink.net
2019-02-10 01:02:43.777	RECEIVED: MAIL FROM: <GeraldScott@suddenlink.net>

RECEIVED: EHLO 120.pool90-71-49.dynamic.orange.es
2019-02-10 01:55:41.518	RECEIVED: MAIL FROM: <JoshuaPatterson@orange.es>

RECEIVED: EHLO soetemanfc.nl
2019-02-10 02:02:13.921	RECEIVED: MAIL FROM: <MarkMoore@soetemanfc.nl>

RECEIVED: EHLO static-74-214-35-42.cpe.metrocast.net
2019-02-10 03:20:51.826	RECEIVED: MAIL FROM: <BrianMiller@metrocast.net>

RECEIVED: EHLO static-74-101-171-218.nycmny.fios.verizon.net
2019-02-10 03:47:20.016	RECEIVED: MAIL FROM: <RalphDavis@verizon.net>

RECEIVED: EHLO cityhotelsootmarsum.nl
2019-02-10 03:56:52.849	RECEIVED: MAIL FROM: <ScottMartinez@cityhotelsootmarsum.nl>

RECEIVED: EHLO 68-112-54-79.static.hlrg.nc.charter.com
2019-02-10 04:19:07.528	RECEIVED: MAIL FROM: <BillyCarter@charter.com>

RECEIVED: EHLO vandepoltours.nl
2019-02-10 04:39:20.121	RECEIVED: MAIL FROM: <GregoryRussell@vandepoltours.nl>

RECEIVED: EHLO nuvanwerknaarwerk.nl
2019-02-10 05:13:54.390	RECEIVED: MAIL FROM: <RoyWilson@nuvanwerknaarwerk.nl>

And so on and so forth. The pattern is in the from address: Capital first letter first name, capital first letter last name. Obviously they're spoofed addresses. Most are in the form of host name of the IP like "120.pool90-71-49.dynamic.orange.es".

Like I said, SA deals with them effectively because they are all or nearly all very high level malicious spam. Lots of viruses and "meet me" sex links. It would be great if they could be rejected. Not sure how that could be done. The only way I can think of is to check if the domain has a working mail server, but that could take a bunch of resources, I would imagine.

For example, I looked up static-74-214-35-42.cpe.metrocast.net on mxtoolbox.com. The IP does match the hostname, but when I do the SMTP dialogue test, it comes back with a timeout.

But then again, cityhotelsootmarsum.nl is/has a working mail server. They probably don't know they've been compromised.

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-10 23:23

This is for IPv4 only. I must admit I have not seen one of those in a VERY VERY long time...

Code:

   Dim a
   a = Split(oClient.IPAddress, ".")
   '   Reversed octets joined with dashes, e.g. 79.54.112.68 -> 68-112-54-79; compare mode 1 makes InStr case-insensitive
   If (InStr(1, oClient.HELO, a(3) & "-" & a(2) & "-" & a(1) & "-" & a(0), 1) > 0) Then
      Result.Value = 2
      Result.Message = "530 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
I presume this...

RECEIVED: EHLO 68-112-54-79.static.hlrg.nc.charter.com
2019-02-10 04:19:07.528 RECEIVED: MAIL FROM: <BillyCarter@charter.com>

came from 79.54.112.68 :wink:

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-11 00:36

Had a closer look at my raw SMTP logs ... oops ... I do get them, but they are denied as sender and recipient are the same and my domain requires authentication.

Hmm... I got 1 Friday, 2 Saturday and today at 5 PM it really took off...

I see some of them have the IP address the "right way"

"SMTPD" 2764 142 "2019-02-10 18:19:48.276" "89.64.17.153" "RECEIVED: EHLO 89-64-17-153.dynamic.chello.pl"

and some of them have the IP address the "reverse way"

"SMTPD" 2792 162 "2019-02-10 19:37:56.236" "178.150.135.53" "RECEIVED: EHLO 53.135.150.178.triolan.net"

I have just added this to my EventHandlers.vbs, let's see if it works...

Code:

   Dim a, strRegEx
   a = Split(oClient.IPAddress, ".")
   strRegEx = "(" & a(3) & "-" & a(2) & "-" & a(1) & "-" & a(0) & ")|(" & a(0) & "-" & a(1) & "-" & a(2) & "-" & a(3) & ")"
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "530 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-11 03:17

SorenR wrote:
2019-02-11 00:36

Code:

   Dim a, strRegEx
   a = Split(oClient.IPAddress, ".")
   strRegEx = "(" & a(3) & "-" & a(2) & "-" & a(1) & "-" & a(0) & ")|(" & a(0) & "-" & a(1) & "-" & a(2) & "-" & a(3) & ")"
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "530 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
This looks really good. Good idea to use the dashes.

Does this require the new unofficial version of hmailserver?

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-11 03:23

palinka wrote:
2019-02-11 03:17
SorenR wrote:
2019-02-11 00:36

Code:

   Dim a, strRegEx
   a = Split(oClient.IPAddress, ".")
   strRegEx = "(" & a(3) & "-" & a(2) & "-" & a(1) & "-" & a(0) & ")|(" & a(0) & "-" & a(1) & "-" & a(2) & "-" & a(3) & ")"
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "530 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
This looks really good. Good idea to use the dashes.

Does this require the new unofficial version of hmailserver?
You can add this to OnHELO or OnSMTPData, preferably after a HELO Whitelist, if you have one.

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-11 03:45

SorenR wrote:
2019-02-11 03:23
You can add this to OnHELO or OnSMTPData, preferably after a HELO Whitelist, if you have one.
👍

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-11 03:49

Code:

"SMTPD"	2052	3	"2019-02-11 01:27:19.137"	"191.19.107.164"	"SENT: 220 mx.acme.inc ESMTP"
"SMTPD"	2052	3	"2019-02-11 01:27:19.418"	"191.19.107.164"	"RECEIVED: EHLO 191-19-107-164.user.vivozap.com.br"
"SMTPD"	2052	3	"2019-02-11 01:27:19.528"	"191.19.107.164"	"SENT: 554 5.3.0 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
"SMTPD"	2052	3	"2019-02-11 01:27:19.793"	"191.19.107.164"	"RECEIVED: HELO 191-19-107-164.user.vivozap.com.br"
"SMTPD"	2052	3	"2019-02-11 01:27:19.825"	"191.19.107.164"	"SENT: 554 5.3.0 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-11 11:38

From this morning.

Code:

SMTPD  –  83  –  66.167.205.6 ?
2019-02-11 00:54:11.603	RECEIVED: EHLO h-66-167-205-6.snva.ca.dynamic.globalcapacity.com
2019-02-11 00:54:32.821	SENT: 554 530 CODE10 Your access to this mail system has been rejected due to the sending MTAs poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate 

SMTPD  –  114  –  199.36.111.220 ?
2019-02-11 01:49:10.329	SENT: 220 mydomain
2019-02-11 01:49:10.954	RECEIVED: EHLO 26-108-144-198.customer.rigidtech.net
2019-02-11 01:49:50.755	SENT: 250-mydomain
250-SIZE 20480000
250-STARTTLS
250 HELP
2019-02-11 01:49:51.075	RECEIVED: MAIL FROM: <JamesBoyd@rigidtech.net>
2019-02-11 01:49:51.341	SENT: 250 OK

SMTPD  –  173  –  97.96.158.36 ?
2019-02-11 03:19:00.883	SENT: 220 mydomain
2019-02-11 03:19:01.398	RECEIVED: EHLO 097-096-158-036.biz.spectrum.com
2019-02-11 03:19:22.686	SENT: 250-mydomain
250-SIZE 20480000
250-STARTTLS
250 HELP
2019-02-11 03:19:23.139	RECEIVED: MAIL FROM: <FrederickJordan@spectrum.com>
2019-02-11 03:19:23.280	SENT: 250 OK

One worked. One had a different IP than the domain name, the other inserted 0's into the domain to make the IP portion all 3 digits. Weird.

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-11 13:59

This should take care of:

1: 127-0-0-1
2: 127-000-000-001
3: 1-0-0-127
4: 001-000-000-127

Code:

   Dim a, b(3), i, strRegEx
   a = Split(oClient.IPAddress, ".")
   For i = 0 to 3
      b(i) = Right("00" & a(i),3)
   Next
   strRegEx = "(" & a(0) & "-" & a(1) & "-" & a(2) & "-" & a(3) & ")|" & _
              "(" & b(0) & "-" & b(1) & "-" & b(2) & "-" & b(3) & ")|" & _
              "(" & a(3) & "-" & a(2) & "-" & a(1) & "-" & a(0) & ")|" & _
              "(" & b(3) & "-" & b(2) & "-" & b(1) & "-" & b(0) & ")"
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "530 CODE10 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-12 11:51

Thanks!

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script. Feb. 12. SECURITY UPDATE

Post by SorenR » 2019-02-12 18:39

This is potentially an IMPORTANT update.

If a lookup in the XML file returns "", the RegEx Lookup/oLookup WILL MATCH EVERYTHING.

The change is altering

---> Function LoadXMLNode(oXML, MyNode) : LoadXMLNode = ""

to

---> Function LoadXMLNode(oXML, MyNode) : LoadXMLNode = "THIS CANNOT BE EMPTY"


I came across this today as I deleted all "From" elements from node "Blacklist" this morning, leaving no results for LoadXMLNode(oXML, "//Blacklist/From").

Code:

Function LoadXMLNode(oXML, MyNode) : LoadXMLNode = "THIS CANNOT BE EMPTY"
   Dim Match, Matches, strTXT
   Set Matches = oXML.selectNodes(MyNode)
   strTXT = ""
   For Each Match In Matches
      strTXT = strTXT & Match.text & "|"
   Next
   If (Trim(strTXT) <> "") Then
      LoadXMLNode = Left(strTXT,Len(strTXT)-1)
   Else
      EventLog.Write( "ERROR: Empty string from LoadXMLNode(oXML, " & MyNode & ")" )
   End If
End Function
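The failure mode described in this update, shown in Python as an added example (not the thread's code): the same join-with-'|' and case-insensitive search as LoadXMLNode and Lookup, with three policies for an empty node. The original "" rejects every greeting; the "THIS CANNOT BE EMPTY" placeholder from this post stops that, but it is still a regular expression and would match a greeting that happens to contain the phrase; "(?!)" (an empty negative lookahead, which JScript-style engines such as VBScript.RegExp also accept) can never match anything. The HELO values below are constructed.

```python
import re

SENTINEL = "THIS CANNOT BE EMPTY"   # the placeholder this post switched to
NEVER_MATCH = r"(?!)"               # empty negative lookahead: never succeeds on any input


def join_patterns(entries, empty=""):
    """Join list entries with '|' as LoadXMLNode does; `empty` is what an empty node yields."""
    return "|".join(entries) if entries else empty


def lookup(pattern, text):
    """Same semantics as the thread's Lookup(): case-insensitive, multiline, anywhere in the text."""
    return re.search(pattern, text, re.IGNORECASE | re.MULTILINE) is not None


def reject_helo(helo, reject_entries, empty=NEVER_MATCH):
    """The OnSMTPData reject test with a chosen empty-node policy."""
    return lookup(join_patterns(reject_entries, empty), helo)


if __name__ == "__main__":
    # constructed greetings; an empty reject list with the original policy rejects all of them
    for policy in ("", SENTINEL, NEVER_MATCH):
        print(repr(policy), reject_helo("mail.example.com", [], empty=policy))
```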

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-15 19:44

Sneaky buggers using dots now.

Code:

Received: from 33.net-3-2.embou.es (33.net-94.228.2.isbl.embou.net [94.228.2.33]) 

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-16 00:03

Deleted my last post... this fell into the trap: mail-oln040092254091.outbound.protection.outlook.com

spamhaus do have some bugs :mrgreen:
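The embedded-IP test from the "This should take care of" post, the dotted variant palinka reported, and the outlook.com trap above, combined in one added Python example (not code from the thread): the connecting address is rendered forward and reversed, raw and zero-padded, with dash or dot separators, and searched for in the greeting the way Lookup does. The optional 12-digit unseparated form shows why the author dropped it: it also matches legitimate Microsoft outbound hosts, so a whitelist has to run first. The sample greetings are taken from the logs in this thread; the address 40.92.254.91 is inferred from the digits of the outlook.com host name and is an assumption.

```python
import re

# Separator forms seen in the thread: dashes (191-19-107-164.user...) and dots (53.135.150.178.triolan.net)
SEPARATORS = {"-": "-", ".": r"\."}


def helo_ip_patterns(ip, include_unseparated=False):
    """Octets forward and reversed, raw and zero-padded to three digits, with either separator:
    127.0.0.1 -> 127-0-0-1, 127-000-000-001, 1-0-0-127, 001-000-000-127 and the dotted forms.
    include_unseparated adds the 12-digit padded run (040092254091)."""
    a = ip.split(".")
    if len(a) != 4 or not all(o.isdigit() and int(o) < 256 for o in a):
        raise ValueError("IPv4 dotted quad expected: %r" % ip)
    b = [o.zfill(3) for o in a]
    orders = [a, b, a[::-1], b[::-1]]
    pats = ["(" + sep.join(o) + ")" for sep in SEPARATORS.values() for o in orders]
    if include_unseparated:
        pats.append("(" + "".join(b) + ")")
    return "|".join(pats)


def helo_embeds_client_ip(helo, client_ip, include_unseparated=False):
    """True when the greeting contains the connecting address in any of the forms above
    (substring match, like the thread's Lookup/InStr checks)."""
    return re.search(helo_ip_patterns(client_ip, include_unseparated), helo, re.IGNORECASE) is not None


def helo_verdict(helo, client_ip, whitelist=()):
    """Whitelist first, as the thread advises, then the embedded-IP test."""
    if any(re.search(p, helo, re.IGNORECASE) for p in whitelist):
        return "whitelisted"
    return "reject" if helo_embeds_client_ip(helo, client_ip) else "pass"


if __name__ == "__main__":
    print(helo_verdict("191-19-107-164.user.vivozap.com.br", "191.19.107.164"))
    print(helo_verdict("mail-oln040092254091.outbound.protection.outlook.com", "40.92.254.91"))
```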

palinka
Senior user
Posts: 510
Joined: 2017-09-12 17:57

Re: Dynamic Black/Whitelists in your script.

Post by palinka » 2019-02-16 15:29

SorenR wrote:
2019-02-16 00:03
Deleted my last post... this fell into the trap: mail-oln040092254091.outbound.protection.outlook.com

spamhaus do have some bugs :mrgreen:
Aye. Good for me. I have too many projects lined up this weekend anyway. :D

SorenR
Senior user
Posts: 2776
Joined: 2006-08-21 15:38
Location: Denmark

Re: Dynamic Black/Whitelists in your script.

Post by SorenR » 2019-02-19 02:09

Been running this isLashBack() function over the weekend...
The listings are determined objectively and systematically. Only IPs that send email to specially-created, LashBack owned-and-monitored email addresses (unsubscribe probes) -- that are used only on suppression lists -- are blacklisted.
You know, these SPAM mails where the "unsubscribe" button doesn't really seem to function properly.

Code:

Function isLashBack(strIP) : isLashBack = False
   Dim a, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".ubl.unsubscore.com")
   End With
   If (InStr(1, strLookup, "127.0.0.2", 1) > 0) Then isLashBack = True
End Function

Function isSnowShoe(strIP) : isSnowShoe = False
   Dim a, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zen.spamhaus.org")
   End With
   If (InStr(1, strLookup, "127.0.0.3", 1) > 0) Then isSnowShoe = True
End Function

Sub OnClientConnect(oClient)
   '
   '   LashBack SPAM detection
   '
   If isLashBack(oClient.IPAddress) Then
      Result.Value = 1
      Exit Sub
   End If
   '
   '   SnowShoe SPAM detection
   '
   If isSnowShoe(oClient.IPAddress) Then
      Result.Value = 1
      Exit Sub
   End If
End Sub
Between this and the SnowShoe function, my server is having an easy life.

I have changed the SnowShoe function for the rare event that sbl.spamhaus.org would return 127.0.0.2 AND 127.0.0.3. We only need to check for 127.0.0.3.
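The two DNSBL checks above as an added Python example (not the thread's code, and not using the DNSLibrary COM object): the query name is the reversed octets plus the zone, the answer is interpreted by return code, and the OnClientConnect decision follows. The resolver is injected so the block runs offline against a constructed answer table; the CSS test is an exact code match rather than the InStr substring test, which also handles the SBL-plus-CSS case mentioned in the post. Spamhaus signals query problems with 127.255.255.x answers; those are treated as "not listed" rather than as a reason to disconnect.

```python
import ipaddress

# Constructed answers standing in for the DNS responses of the two zones the thread queries.
# Keys are reversed-octet query names; values the A records an RBL would return.
FAKE_DNS = {
    "1.2.0.192.zen.spamhaus.org": ["127.0.0.3"],               # constructed: CSS (snowshoe) listing
    "2.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4"],  # constructed: SBL + XBL, no CSS
    "3.2.0.192.zen.spamhaus.org": ["127.255.255.254"],         # constructed: Spamhaus error code
    "4.2.0.192.ubl.unsubscore.com": ["127.0.0.2"],             # constructed: LashBack UBL listing
}

# ZEN return codes: which Spamhaus sub-list produced the answer
ZEN_CODES = {
    "127.0.0.2": "SBL", "127.0.0.3": "CSS",
    "127.0.0.4": "XBL", "127.0.0.5": "XBL", "127.0.0.6": "XBL", "127.0.0.7": "XBL",
    "127.0.0.10": "PBL", "127.0.0.11": "PBL",
}


def fake_resolve(name):
    """Stand-in resolver: A records for `name`, [] when NXDOMAIN (not listed)."""
    return FAKE_DNS.get(name, [])


def dnsbl_name(ip, zone):
    """Reverse the octets and append the zone: 192.0.2.1 -> 1.2.0.192.zen.spamhaus.org.
    Raises ValueError for anything but IPv4 (the thread's check is IPv4-only)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def zen_listings(ip, resolve=fake_resolve):
    """Set of ZEN sub-lists the IP is on; {'ERROR'} when Spamhaus signals a query problem
    (127.255.255.x), which must not be treated as a listing."""
    codes = resolve(dnsbl_name(ip, "zen.spamhaus.org"))
    if any(c.startswith("127.255.255.") for c in codes):
        return {"ERROR"}
    return {ZEN_CODES.get(c, "UNKNOWN") for c in codes}


def is_snowshoe(ip, resolve=fake_resolve):
    """isSnowShoe: listed by CSS (127.0.0.3), whatever else ZEN also returns."""
    return "CSS" in zen_listings(ip, resolve)


def is_lashback(ip, resolve=fake_resolve):
    """isLashBack: UBL answers 127.0.0.2 for listed senders."""
    return "127.0.0.2" in resolve(dnsbl_name(ip, "ubl.unsubscore.com"))


def connect_verdict(ip, resolve=fake_resolve):
    """OnClientConnect logic: disconnect on either listing, otherwise let the session continue."""
    if is_lashback(ip, resolve) or is_snowshoe(ip, resolve):
        return "disconnect"
    return "accept"


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.9"):
        print(ip, zen_listings(ip), is_lashback(ip), "->", connect_verdict(ip))
```

For production use, pass a `resolve` function that performs a real A lookup and returns [] on NXDOMAIN; the zone operators' usage terms and the open-resolver restriction behind the 127.255.255.254 code apply to whichever resolver you point it at.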

mattg
Moderator
Posts: 19366
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Dynamic Black/Whitelists in your script.

Post by mattg » 2019-02-19 03:37

I've been using ubl.unsubscore.com as an RBL for a long time

I had it set to 1, but checking a few this morning, SpamAssassin normally rejects these, and no other RBL picks them up

Think I'll increase my score for this RBL
Thanks
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
