Anti-spam not working

Use this forum for discussions about SpamAssassin and anti-spam in general.
eric92
New user
Posts: 28
Joined: 2011-09-26 06:45

Anti-spam not working

Post by eric92 » 2017-03-08 18:21

Hi,

For the last few days the anti-spam feature does not seem to work. When I look under the Status tab, where it shows statistics like Processed messages etc., the value under Spam messages is 0 even though the spam settings are correct and anti-spam is enabled.

Any thoughts?

Thanks!

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-08 18:30

Run this viewtopic.php?f=20&t=30914

Follow the instructions and post the results please.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

eric92
New user
Posts: 28
Joined: 2011-09-26 06:45

Re: Anti-spam not working

Post by eric92 » 2017-03-09 10:04

Thanks!

Please find the results below:

[code]3/9/2017 2:09:51 AM Hmailserver: 5.6.3-B2249

IP: 127.0.0.1 - 127.0.0.1 Priority: 15 Name: My computer

Allow connections Other
SMTP: True Antispam : False
POP3: True Antivirus: False
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : False
POP3: True Antivirus: False
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : False
POP3: True Antivirus: False
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: False

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 6 Use SPF: True - 1 Use Spamassassin: False
Add X-HmailServer-Spam: True Check HELO host: True - 1
Add X-HmailServer-Reason: True Check MX records: True - 1
Add X-HmailServer-Subject: False Verify DKIM: True - 1

Spam delete threshold: 7 Maximum message size: 1024

GREYLISTING:
Greylisting: False

DNSBL ENTRIES:
b.barracudacentral.org Score: 7 Result: 127.0.0.*

SURBL ENTRIES:
multi.surbl.org Score: 5
-----------------------------------------------------------------------------------------------

WHITELISTING
No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS: No application configured.

Block Attachments: True
*.bat Batch processing file
*.cmd Command file for Windows NT
*.com Command
*.cpl Windows Control Panel extension
*.csh CSH script
*.exe Executable file
*.inf Setup file
*.lnk Windows link file
*.msi Windows Installer file
*.msp Windows Installer patch
*.reg Registration key
*.scf Windows Explorer command
*.scr Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : True
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: True
SslCipherList :

ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 26 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: False

Paths:- Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-03-09.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-03-09.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory C:\Users\Administrator\Desktop\backup is writable.

ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.46, Hmailserver Forum.

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-09 11:53

3 things:

1, Why does the report show 2x identical INTERNET ip ranges? You should only have 1.

2,
IP: 127.0.0.1 - 127.0.0.1
Antispam : False

IP: 0.0.0.0 - 255.255.255.255
Antispam : False

With antispam disabled, it isn't ever going to work.


(Unrelated, but for clarity):
3, When you were asked to run that script, it informed you THREE times to not apply formatting when posting the results:

The forum thread instructions:
You may be advised by forum helpers to run the script and copy/paste the resultant file contents in to a REPLY on your forum thread - no further formatting will be required

TO RUN
......When complete, paste the resultant report to your forum thread as a REPLY (no formatting necessary)
And on the results screen:
Copy/paste the contents (CTRL-A to select), or upload the file, to the forum as a 'REPLY' for further help.

NOTE: When posting to forum, please do NOT apply formatting.
And yet you still did (you applied [code] formatting, needing me to edit your post and remove it). Obviously I am missing something if people are ignoring/missing this instruction. Help me out: tell me why you did, or what it is I need to do to ensure people read this instruction (instead of missing or ignoring it).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

jordyro
New user
Posts: 23
Joined: 2007-01-11 11:26
Location: Romania

Re: Anti-spam not working

Post by jordyro » 2017-03-11 19:29

[code]3/11/2017 7:22:34 PM Hmailserver: 5.6.7-B2407

IP: 127.0.0.1 - 127.0.0.1 Priority: 20 Name: localhost

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - False


IP: 192.168.0.12 - 192.168.0.12 Priority: 7 Name: portalb

Allow connections Other
SMTP: True Antispam : True
POP3: False Antivirus: True
IMAP: False SSL/TLS: True

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - False


IP: 192.168.0.2 - 192.168.0.9 Priority: 5 Name: data-server

Allow connections Other
SMTP: True Antispam : True
POP3: False Antivirus: True
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - False


IP: 94.177.29.2 - 94.177.29.2 Priority: 3 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - True
External To External - False


IP: 192.168.0.7 - 192.168.0.7 Priority: 0 Name: portal

Allow connections Other
SMTP: True Antispam : True
POP3: False Antivirus: True
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - False


IP: 192.168.0.22 - 192.168.0.22 Priority: 0 Name: Ricoh

Allow connections Other
SMTP: True Antispam : True
POP3: False Antivirus: True
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - False


IP: 192.168.0.8 - 192.168.0.8 Priority: 0 Name: Xerox

Allow connections Other
SMTP: True Antispam : True
POP3: False Antivirus: True
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - False


IP: 192.168.0.8 - 192.168.0.8 Priority: 0 Name: Xerox

Allow connections Other
SMTP: True Antispam : True
POP3: False Antivirus: True
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - False

!! Warning: DEFAULT DOMAIN is SET !!
------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 3
Minutes Before Reset: 30
Minutes to Autoban: 36000

There is a total of 512 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: 127.0.0.1
Add X-HmailServer-Reason: True Check MX records: True - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: True - 5 Use SA score: True
Subject Text: "[SPAM]"
Spam delete threshold: 6 Maximum message size: 1024

GREYLISTING:
Greylisting: False

DNSBL ENTRIES:
zen.spamhaus.org Score: 3 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 3 Result: 127.0.0.2

SURBL ENTRIES:
multi.surbl.org Score: 3
-----------------------------------------------------------------------------------------------

WHITELISTING
0.0.0.0 to 255.255.255.255 *@unicas.ro
0.0.0.0 to 255.255.255.255 *majutex*
0.0.0.0 to 255.255.255.255 *paypal*
0.0.0.0 to 255.255.255.255
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete Attachments.

Max Message Size: 0
CLAM AV: False
CLAMWIN: True Executable: C:\Program Files (x86)\ClamWin\bin\clamscan.exe Path: C:\ProgramData\.clamwin\db
CUSTOMAV: False

Block Attachments: True
*.bat Batch processing file
*.cmd Command file for Windows NT
*.com Command
*.cpl Windows Control Panel extension
*.csh CSH script
*.exe Executable file
*.inf Setup file
*.lnk Windows link file
*.msi Windows Installer file
*.msp Windows Installer patch
*.reg Registration key
*.scf Windows Explorer command
*.scr Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : True
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: False
SslCipherList :

-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
0.0.0.0 / 465 / SMTP - StartTLS Optional
0.0.0.0 / 993 / IMAP - StartTLS Optional
0.0.0.0 / 995 / POP3 - StartTLS Optional
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:- Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-03-11.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-03-11.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - True
IMAP - True
TCPIP - True
DEBUG - True
AWSTATS - True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL

IPv6 support is available in operating system.

Backup directory D:\data is writable.

ERROR: Messages exists which are located outside of the data directory C:\Program Files (x86)\hMailServer\Data.
ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.46, Hmailserver Forum.

jordyro
New user
Posts: 23
Joined: 2007-01-11 11:26
Location: Romania

Re: Anti-spam not working

Post by jordyro » 2017-03-11 19:34

Same thing for me.
Any clues?
A test from hMail works like a charm.
Win2012R2
MSSQL 2014
Both hMail and SpamAssassin (with nssm) run under the Local System user.
I tried spamd x86 and x64. Same thing.
No error in hMailServer logs.
No error / nothing in spamd logs.
No clues in Event Viewer.

mattg
Moderator
Posts: 20123
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti-spam not working

Post by mattg » 2017-03-12 01:31

You have the IP range priority backwards.

Higher number is higher priority.

An IP range with priority of 30 gets used before an IP range with priority of 10.

Your internet IP range with priority 10 trumps all of the other IP ranges except the mycomputer range, which has priority of 20.
All of the rest are unused in your current system.

Change all of the priorities that are under 10 to numbers higher than 25 for them to have effect.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mattg
Moderator
Posts: 20123
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti-spam not working

Post by mattg » 2017-03-12 01:41

Also, because you have autoban enabled, autoban entries are created at priority 20.

You should change your MyComputer IP range to priority 21 so that it takes precedence over any autoban entries for that IP, 127.0.0.1 (this would be webmail or other server scripts).

AND why do you have a default domain set? Unless you have a really good reason, please disable that.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-12 02:38

There are also repeated and unnecessary ranges:


IP: 192.168.0.8 - 192.168.0.8 Priority: 0 Name: Xerox (and there are 2x of these!)
and
IP: 192.168.0.7 - 192.168.0.7 Priority: 0 Name: portal

are all covered by

IP: 192.168.0.2 - 192.168.0.9 Priority: 5 Name: data-server

and they are all without authentication required. So why the need to list them separately (they are never going to be autobanned)? And as Matt says, they need to be HIGHER priority than your internet range (so a priority number higher than 10).

I suggest this (note the priority changes):

IP: 94.177.29.2 - 94.177.29.2 Priority: 25 Name: My computer
IP: 192.168.0.12 - 192.168.0.12 Priority: 20 Name: portalb
IP: 192.168.0.2 - 192.168.0.9 Priority: 20 Name: data-server
IP: 192.168.0.22 - 192.168.0.22 Priority: 20 Name: Ricoh
IP: 127.0.0.1 - 127.0.0.1 Priority: 20 Name: localhost
IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
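The priority rule mattg describes above (the higher number wins, so every range with a lower priority than the 0.0.0.0 - 255.255.255.255 range is never consulted), the duplicate-range point, and the tie with autoban entries at priority 20, worked through as an added example. This is not code from the thread or from hMailServer itself. The range names, addresses and priorities are copied from the first report posted in this thread; the "suggested" layout is the list above with localhost at 21 as mattg recommended. Two things are my modelling assumptions: an autoban entry is represented as a single-address range that refuses SMTP, and two ranges that fully overlap at equal priority are reported as ambiguous.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPRange:
    name: str
    lower: str
    upper: str
    priority: int          # hMailServer: the HIGHER number wins when ranges overlap
    allow_smtp: bool = True


def _lo(r):
    return int(ipaddress.ip_address(r.lower))


def _hi(r):
    return int(ipaddress.ip_address(r.upper))


def contains(r, ip):
    return _lo(r) <= int(ipaddress.ip_address(ip)) <= _hi(r)


def select_range(ranges, ip):
    """Pick the range hMailServer applies to a connection from `ip`:
    among the ranges that contain the address, the highest priority number wins."""
    candidates = [r for r in ranges if contains(r, ip)]
    return max(candidates, key=lambda r: r.priority) if candidates else None


def shadowed(ranges):
    """Ranges that can never win, or whose outcome is ambiguous.
    Returns (name, shadowed_by, reason) triples."""
    findings = []
    for i, r in enumerate(ranges):
        for j, other in enumerate(ranges):
            if i == j:
                continue
            covers = _lo(other) <= _lo(r) and _hi(r) <= _hi(other)
            if covers and other.priority > r.priority:
                findings.append((r.name, other.name, "lower priority than a covering range"))
                break
            if covers and other.priority == r.priority and j < i:
                # full overlap at equal priority: duplicate entry or autoban tie (assumption: ambiguous)
                findings.append((r.name, other.name, "equal priority (ambiguous)"))
                break
    return findings


# Ranges as posted in the first report in this thread (names, addresses, priorities copied from it)
AS_POSTED = [
    IPRange("localhost", "127.0.0.1", "127.0.0.1", 20),
    IPRange("Internet", "0.0.0.0", "255.255.255.255", 10),
    IPRange("portalb", "192.168.0.12", "192.168.0.12", 7),
    IPRange("data-server", "192.168.0.2", "192.168.0.9", 5),
    IPRange("My computer", "94.177.29.2", "94.177.29.2", 3),
    IPRange("portal", "192.168.0.7", "192.168.0.7", 0),
    IPRange("Ricoh", "192.168.0.22", "192.168.0.22", 0),
    IPRange("Xerox", "192.168.0.8", "192.168.0.8", 0),
    IPRange("Xerox", "192.168.0.8", "192.168.0.8", 0),
]

# The layout suggested in the thread, with localhost bumped to 21 so it beats an autoban entry
SUGGESTED = [
    IPRange("My computer", "94.177.29.2", "94.177.29.2", 25),
    IPRange("localhost", "127.0.0.1", "127.0.0.1", 21),
    IPRange("portalb", "192.168.0.12", "192.168.0.12", 20),
    IPRange("data-server", "192.168.0.2", "192.168.0.9", 20),
    IPRange("Ricoh", "192.168.0.22", "192.168.0.22", 20),
    IPRange("Internet", "0.0.0.0", "255.255.255.255", 10),
]

AUTOBAN_PRIORITY = 20  # stated in the thread: autoban entries are created at priority 20


def with_autoban(ranges, banned_ip):
    """Model an autoban entry as a single-address range that refuses SMTP (modelling assumption)."""
    ban = IPRange(f"autoban {banned_ip}", banned_ip, banned_ip, AUTOBAN_PRIORITY, allow_smtp=False)
    return ranges + [ban]


if __name__ == "__main__":
    for ip in ("192.168.0.8", "94.177.29.2", "127.0.0.1"):
        print(ip, "-> as posted:", select_range(AS_POSTED, ip).name,
              "| suggested:", select_range(SUGGESTED, ip).name)
    for finding in shadowed(AS_POSTED):
        print("never used:", finding)
    for finding in shadowed(with_autoban(AS_POSTED, "127.0.0.1")):
        print("with an autoban on 127.0.0.1:", finding)
```

Run it and every range below priority 10 in the posted layout is reported as shadowed by "Internet"; in the suggested layout nothing is shadowed, and an autoban on 127.0.0.1 loses to localhost at 21 instead of tying with it at 20.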

jordyro
New user
Posts: 23
Joined: 2007-01-11 11:26
Location: Romania

Re: Anti-spam not working

Post by jordyro » 2017-03-12 09:16

Still not working,
either from localhost, my computer or internet IPs.
[code]3/12/2017 9:04:37 AM Hmailserver: 5.6.7-B2407

IP: 94.177.29.2 - 94.177.29.2 Priority: 21 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - True
External To External - False


IP: 127.0.0.1 - 127.0.0.1 Priority: 20 Name: localhost

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - False


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - False

!! Warning: DEFAULT DOMAIN is SET !!
------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 3
Minutes Before Reset: 30
Minutes to Autoban: 36000

There is a total of 542 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: 127.0.0.1
Add X-HmailServer-Reason: True Check MX records: True - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: True - 5 Use SA score: True
Subject Text: "[SPAM]"
Spam delete threshold: 6 Maximum message size: 1024

GREYLISTING:
Greylisting: False

DNSBL ENTRIES:
zen.spamhaus.org Score: 3 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 3 Result: 127.0.0.2

SURBL ENTRIES:
multi.surbl.org Score: 3
-----------------------------------------------------------------------------------------------

WHITELISTING
0.0.0.0 to 255.255.255.255 *@unicas.ro
0.0.0.0 to 255.255.255.255 *majutex*
0.0.0.0 to 255.255.255.255 *paypal*
0.0.0.0 to 255.255.255.255
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete Attachments.

Max Message Size: 0
CLAM AV: False
CLAMWIN: True Executable: C:\Program Files (x86)\ClamWin\bin\clamscan.exe Path: C:\ProgramData\.clamwin\db
CUSTOMAV: False

Block Attachments: True
*.bat Batch processing file
*.cmd Command file for Windows NT
*.com Command
*.cpl Windows Control Panel extension
*.csh CSH script
*.exe Executable file
*.inf Setup file
*.lnk Windows link file
*.msi Windows Installer file
*.msp Windows Installer patch
*.reg Registration key
*.scf Windows Explorer command
*.scr Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : True
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: False
SslCipherList :

-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
0.0.0.0 / 465 / SMTP - StartTLS Optional
0.0.0.0 / 993 / IMAP - StartTLS Optional
0.0.0.0 / 995 / POP3 - StartTLS Optional
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:- Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-03-12.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-03-12.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - True
IMAP - True
TCPIP - True
DEBUG - True
AWSTATS - True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL

IPv6 support is available in operating system.

Backup directory D:\data is writable.

ERROR: Messages exists which are located outside of the data directory C:\Program Files (x86)\hMailServer\Data.
ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.46, Hmailserver Forum.

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

Re: Anti-spam not working

Post by SorenR » 2017-03-12 10:23

Can you please remove all entries under whitelisting.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jordyro
New user
Posts: 23
Joined: 2007-01-11 11:26
Location: Romania

Re: Anti-spam not working

Post by jordyro » 2017-03-12 10:37

SorenR wrote:Can you please remove all entries under whitelisting.
Thanks!
I didn't notice the last rule in the whitelist. Someone else is guilty for that!
:mrgreen:
Thanks again!
Works.
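Why the whitelist mattered, as an added example that is not from the thread or from hMailServer itself. The four entries are copied from the WHITELISTING section of the report above. The matching logic assumes hMailServer's whitelist semantics as this thread uses them (an entry exempts a message from spam checks when the sender IP falls inside the range and the sender address matches the `*` wildcard pattern; the first matching entry wins), and it treats the blank pattern in the last entry as matching every sender, which is the only reading consistent with the outcome reported here. It also shows why the remaining brand-name wildcards are worth removing as SorenR asked: `*paypal*` across 0.0.0.0 - 255.255.255.255 exempts a look-alike phishing sender from every spam check.

```python
import fnmatch
import ipaddress

# Constructed from the WHITELISTING section of the report in this thread:
# (lower IP, upper IP, sender address pattern). The fourth entry has an empty pattern.
WHITELIST_AS_POSTED = [
    ("0.0.0.0", "255.255.255.255", "*@unicas.ro"),
    ("0.0.0.0", "255.255.255.255", "*majutex*"),
    ("0.0.0.0", "255.255.255.255", "*paypal*"),
    ("0.0.0.0", "255.255.255.255", ""),
]


def _ip_in_range(ip, lower, upper):
    n = int(ipaddress.ip_address(ip))
    return int(ipaddress.ip_address(lower)) <= n <= int(ipaddress.ip_address(upper))


def whitelist_match(whitelist, sender_ip, sender_addr):
    """Return the first entry that exempts (sender_ip, sender_addr) from spam checks, or None.
    Patterns use '*' wildcards; an empty pattern is modelled as matching every sender
    (assumption about hMailServer's behaviour, consistent with the thread's outcome)."""
    for lower, upper, pattern in whitelist:
        if not _ip_in_range(sender_ip, lower, upper):
            continue
        if pattern.strip() == "" or fnmatch.fnmatchcase(sender_addr.lower(), pattern.lower()):
            return (lower, upper, pattern)
    return None


def spam_checked(whitelist, sender_ip, sender_addr):
    """True when the message would still go through the spam tests."""
    return whitelist_match(whitelist, sender_ip, sender_addr) is None


def catch_all_entries(whitelist):
    """Indices of entries that exempt every sender on the Internet: the whole address
    space combined with a pattern that is empty or consists only of wildcards."""
    out = []
    for i, (lower, upper, pattern) in enumerate(whitelist):
        whole_space = (_ip_in_range("0.0.0.0", lower, upper)
                       and _ip_in_range("255.255.255.255", lower, upper))
        if whole_space and pattern.strip("* ") == "":
            out.append(i)
    return out


if __name__ == "__main__":
    # Constructed senders: 203.0.113.0/24 is documentation space, the addresses are invented.
    spammer = ("203.0.113.5", "anyone@bad.example")
    phisher = ("203.0.113.5", "security@paypal-login.example")
    print("blank entry present, spam checked?", spam_checked(WHITELIST_AS_POSTED, *spammer))
    print("blank entry removed, spam checked?", spam_checked(WHITELIST_AS_POSTED[:3], *spammer))
    print("look-alike PayPal sender exempted by:", whitelist_match(WHITELIST_AS_POSTED[:3], *phisher))
    print("catch-all entries at indices:", catch_all_entries(WHITELIST_AS_POSTED))
```

With the blank entry in place nothing is ever spam-checked, which matches the "Spam messages: 0" symptom; removing it restores the checks, and `catch_all_entries` is the audit you would run on the whitelist before chasing spamd.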

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-12 11:43

jordyro wrote:
SorenR wrote:Can you please remove all entries under whitelisting.
Thanks!
I didn't notice the last rule in the whitelist. Someone else is guilty for that!
:mrgreen:
Thanks again!
Works.
Can you check: you still have 2x ranges with identical settings showing on your report:
IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet
You should only have one. (I have no idea how you managed to input this.)

(And you still have a DEFAULT DOMAIN set - this is dangerous. You should remove it if possible.)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

jordyro
New user
Posts: 23
Joined: 2007-01-11 11:26
Location: Romania

Re: Anti-spam not working

Post by jordyro » 2017-03-12 13:43

Double checked.
For sure in hMailServer Administrator I have only one of those :)

IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet
Removed the default domain also.
If someone is interested:
ClamAV indeed works better than ClamWin.
Installed as a service via nssm just like SpamAssassin.
Takes about 500MB of RAM, but is fast, clearly much faster than ClamWin.

jim.bus
Senior user
Posts: 297
Joined: 2011-05-28 11:49
Location: US

Re: Anti-spam not working

Post by jim.bus » 2017-03-12 13:51

Jimimaseye,

While I agree a Default Domain is dangerous to have and should be removed, if it is so dangerous then why isn't the Default Domain setting capability removed from hMailServer as an option, so it can never be set? Is there a purpose which makes the risk of having a Default Domain set justified? I have never personally used the Default Domain option since I first started using hMailServer (the only email server implementation I have ever installed on my system), as I recognized it was not a good thing to use: it was a security risk to set a Default Domain.

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-12 15:22

The purpose of the default domain is to allow authentication and addressing by stating the USER part only, or addressing by user name only (in the absence of a domain it will assume the default domain). It is particularly useful when there are multiple domains hosted on the system and you might be a user (such as an admin) that has access and rights to send from/to a variety of those domains, or when you address/send to users that are on your local domain you can do away with typing '@localdomain' all the time (you can simply send to "Sue"). https://www.hmailserver.com/documentati ... e_advanced

The reason for it being a security risk is that when spambots attempt break-ins they often ONLY type the user part and a guessed password. If you have a defined default domain then that would mean there are only 2 parts to be guessing, and given the user parts are quite common (such as "admin", "postmaster", "sales" etc., and often exist) it means their only real obstacle in this case would be the password.

HOWEVER, if you do not have a default domain set then the bots would also need to know/guess the domain part to complete the full address too - and as you know domains can be a random choice of words and characters that make no sense. Look into your autobans and you will seldom see attempts with 'user@yourdomain.tld' as the full attempted login. In this case, the guessing of the password is the last thing the bot needs to get right - it needs to work out what the valid user (easy to guess) AND domain (not as easy to guess) is first. Double security.

Also, its inclusion changes the way HMS responds to incorrectly formatted addresses. For an example, read this: viewtopic.php?p=193959#p193959

The idea of using a default domain is also to help where some devices that need to authenticate (such as a scanner or fax machine) do not have the ability to quote the full email address notation.

So, unless there is a real need (where a connecting machine such as a scanner cannot specify a full email address when authenticating or addressing to a local user) it should be turned off.

Why isn't it removed as a feature? Well, for the reasons above (addressing to "sue", and legacy machines authenticating or addressing).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-12 15:42

jordyro wrote:Double checked.
For sure in hMailServer Administrator I have only one of those :)

IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet
Strange. If you stop/restart your service and run the report again, does it still show 2x of the same ranges? (I wonder if it is a quirk of caching after you removed some of the other ranges.)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

jordyro
New user
Posts: 23
Joined: 2007-01-11 11:26
Location: Romania

Re: Anti-spam not working

Post by jordyro » 2017-03-12 16:40

:cry:
Same thing after restarting the service, and after that the server.
But everything works just fine.
[code]3/12/2017 4:36:47 PM Hmailserver: 5.6.7-B2407

IP: 192.168.0.2 - 192.168.0.9 Priority: 31 Name: local_lan

Allow connections Other
SMTP: True Antispam : True
POP3: False Antivirus: True
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 94.177.29.2 - 94.177.29.2 Priority: 21 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - True
External To External - False


IP: 127.0.0.1 - 127.0.0.1 Priority: 20 Name: localhost

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - False


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - False
------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 3
Minutes Before Reset: 30
Minutes to Autoban: 36000

There is a total of 556 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: False - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: 127.0.0.1
Add X-HmailServer-Reason: True Check MX records: True - 5 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: False - 5 Use SA score: True
Subject Text: "[SPAM]"
Spam delete threshold: 8 Maximum message size: 1024

GREYLISTING:
Greylisting: False

DNSBL ENTRIES:
zen.spamhaus.org Score: 3 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 3 Result: 127.0.0.2

SURBL ENTRIES:
multi.surbl.org Score: 3
-----------------------------------------------------------------------------------------------

WHITELISTING
No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete email. Notify Sender: False, Notify Receiver: True

Max Message Size: 0
CLAM AV: True Hostname: localhost Port: 3310
CLAMWIN: False
CUSTOMAV: False

Block Attachments: True
*.bat Batch processing file
*.cmd Command file for Windows NT
*.com Command
*.cpl Windows Control Panel extension
*.csh CSH script
*.exe Executable file
*.inf Setup file
*.lnk Windows link file
*.msi Windows Installer file
*.msp Windows Installer patch
*.reg Registration key
*.scf Windows Explorer command
*.scr Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : True
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: False
SslCipherList :

-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
0.0.0.0 / 465 / SMTP - StartTLS Optional
0.0.0.0 / 993 / IMAP - StartTLS Optional
0.0.0.0 / 995 / POP3 - StartTLS Optional
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:- Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-03-12.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-03-12.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - .
SMTP - True
POP3 - True
IMAP - True
TCPIP - True
DEBUG - .
AWSTATS - .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL

IPv6 support is available in operating system.

Backup directory D:\data is writable.

ERROR: Messages exists which are located outside of the data directory C:\Program Files (x86)\hMailServer\Data.
ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.46, Hmailserver Forum.

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

Re: Anti-spam not working

Post by SorenR » 2017-03-12 16:52

Sorry guys... It's BS... I've had my domain as Default Domain for the past 10 years - also when I was hosting a few other domains for my wife's business... Never had a cracked password... I have more autobans on full "user@domain" than just "user".

Anyways... If managed correctly your server will give itself away in the HELO/EHLO greeting and from there it is a relatively simple task to work your way backwards to find MX records pointing to this domain. And Yeah... SPAMMERS do have these tools...

BUT... It's still not an excuse for a simple password. Regardless.

FYI: It is far more likely your password was used somewhere else and intercepted by some malware or sniffer :wink:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-12 19:02

SorenR wrote: Sorry guys... It's BS... I've had my domain as Default Domain for the past 10 years - also when I was hosting a few other domains for my wife's business... Never had a cracked password... I have more autobans on full "user@domain" than just "user".
I reckon you were unlucky then. They might have picked up the domain from it actually being on a potential spam target list.

This is my current autoban list (which is typical of what I see every day):
[attached screenshot: Untitled.png, the current autoban list]

You'll notice that the majority, nearly all, of them are attempts by USER only (no domain specified). There are only 3 attempts to log in with full domain addresses - and 2 of them are from an old domain (before we changed) and probably due to it being on a list the same as your wife's business was. There is one single attempt to crack in by full domain address with the correct domain ("training@mydomain..") which we don't actually have a matching address for anyway. I reckon my constant efforts in tracking down mail-list database suppliers and asking for global removal/suppression has paid off and minimised the risk of this domain ending up on the wrong type of list (unlike my old domain that was constantly receiving spam).

I firmly believe that the majority of the attempts come from sniffer bots in my case which are not clever or programmed enough to do the "ah, we have a connection to this ip address, let's do a reverse lookup, now apply the results, now retry the connection again" approach (far too much hassle for bots trying to dump their sh1te as quick as possible). However, somewhere in this forum, I did prove that simply having an entry in DNS with an 'A' record attracts these bots: I did a test where my server was invisible in as much as it didn't have an 'A' record pointing to this server and consequently it rarely received spam contact attempts (only sniffers applied). As soon as I changed the 'A' record to point to this server again the spam attempts then started again. And it's these sniffers that do not want the hassle of doing reverse lookups to resolve the domain name.

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

Re: Anti-spam not working

Post by SorenR » 2017-03-12 21:55

I would love to see the HELO/EHLO strings for all these attempts.

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-12 22:20

Here's a few:

[code]Session: 4711
"SMTPD" 580 4711 "2017-03-09 18:33:34.471" "91.183.46.186" "SENT: 220 Northcote SMTP"
"SMTPD" 4900 4711 "2017-03-09 18:33:34.580" "91.183.46.186" "RECEIVED: HELO Northcote"
"SMTPD" 4900 4711 "2017-03-09 18:33:34.580" "91.183.46.186" "SENT: 250 Hello."
"SMTPD" 4256 4711 "2017-03-09 18:33:34.689" "91.183.46.186" "RECEIVED: AUTH LOGIN"
"SMTPD" 4256 4711 "2017-03-09 18:33:34.689" "91.183.46.186" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4400 4711 "2017-03-09 18:33:34.798" "91.183.46.186" "RECEIVED: ZGF2aWQ=" [ david ]
"SMTPD" 4400 4711 "2017-03-09 18:33:34.798" "91.183.46.186" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4900 4711 "2017-03-09 18:33:34.907" "91.183.46.186" "RECEIVED: ***"
"SMTPD" 4900 4711 "2017-03-09 18:33:34.970" "91.183.46.186" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 3192
"SMTPD" 580 3192 "2017-03-09 11:24:29.004" "181.44.42.186" "SENT: 220 Northcote SMTP"
"SMTPD" 2188 3192 "2017-03-09 11:24:29.301" "181.44.42.186" "RECEIVED: HELO Northcote"
"SMTPD" 2188 3192 "2017-03-09 11:24:29.301" "181.44.42.186" "SENT: 250 Hello."
"SMTPD" 2484 3192 "2017-03-09 11:24:29.597" "181.44.42.186" "RECEIVED: AUTH LOGIN"
"SMTPD" 2484 3192 "2017-03-09 11:24:29.597" "181.44.42.186" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3344 3192 "2017-03-09 11:24:29.909" "181.44.42.186" "RECEIVED: b3BlcmF0b3I=" [ operator ]
"SMTPD" 3344 3192 "2017-03-09 11:24:29.909" "181.44.42.186" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2188 3192 "2017-03-09 11:24:30.205" "181.44.42.186" "RECEIVED: ***"
"SMTPD" 2188 3192 "2017-03-09 11:24:30.268" "181.44.42.186" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 2426
"SMTPD" 4024 2426 "2017-03-09 08:30:16.591" "23.254.204.173" "SENT: 220 Northcote SMTP"
"SMTPD" 3344 2426 "2017-03-09 08:30:16.731" "23.254.204.173" "RECEIVED: EHLO ylmf-pc"
"SMTPD" 3344 2426 "2017-03-09 08:30:16.747" "23.254.204.173" "SENT: 250-mydomain.co.uk[nl]250-SIZE 26214000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2188 2426 "2017-03-09 08:30:16.871" "23.254.204.173" "RECEIVED: AUTH LOGIN"
"SMTPD" 2188 2426 "2017-03-09 08:30:16.871" "23.254.204.173" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4596 2426 "2017-03-09 08:30:16.996" "23.254.204.173" "RECEIVED: c2FsZXNAZGVjcm9mbG9vci5jb20=" [ sales@olddomain.com ]
"SMTPD" 4596 2426 "2017-03-09 08:30:16.996" "23.254.204.173" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3344 2426 "2017-03-09 08:30:17.168" "23.254.204.173" "RECEIVED: ***"
"SMTPD" 3344 2426 "2017-03-09 08:30:17.246" "23.254.204.173" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 1376
"SMTPD" 580 1376 "2017-03-09 03:21:01.783" "200.41.170.131" "SENT: 220 Northcote SMTP"
"SMTPD" 4400 1376 "2017-03-09 03:21:02.111" "200.41.170.131" "RECEIVED: HELO Northcote"
"SMTPD" 4400 1376 "2017-03-09 03:21:02.111" "200.41.170.131" "SENT: 250 Hello."
"SMTPD" 580 1376 "2017-03-09 03:21:02.438" "200.41.170.131" "RECEIVED: AUTH LOGIN"
"SMTPD" 580 1376 "2017-03-09 03:21:02.438" "200.41.170.131" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4596 1376 "2017-03-09 03:21:02.766" "200.41.170.131" "RECEIVED: YW5kcmU=" [ andre ]
"SMTPD" 4596 1376 "2017-03-09 03:21:02.766" "200.41.170.131" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4400 1376 "2017-03-09 03:21:03.093" "200.41.170.131" "RECEIVED: ***"
"SMTPD" 4400 1376 "2017-03-09 03:21:03.156" "200.41.170.131" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 1254
"SMTPD" 580 1254 "2017-03-09 02:37:49.835" "111.93.62.210" "SENT: 220 Northcote SMTP"
"SMTPD" 2188 1254 "2017-03-09 02:37:50.054" "111.93.62.210" "RECEIVED: HELO Northcote"
"SMTPD" 2188 1254 "2017-03-09 02:37:50.054" "111.93.62.210" "SENT: 250 Hello."
"SMTPD" 4344 1254 "2017-03-09 02:37:50.272" "111.93.62.210" "RECEIVED: AUTH LOGIN"
"SMTPD" 4344 1254 "2017-03-09 02:37:50.272" "111.93.62.210" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 580 1254 "2017-03-09 02:37:50.491" "111.93.62.210" "RECEIVED: aGVjdG9y" [ hector ]
"SMTPD" 580 1254 "2017-03-09 02:37:50.491" "111.93.62.210" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 2188 1254 "2017-03-09 02:37:50.709" "111.93.62.210" "RECEIVED: ***"
"SMTPD" 2188 1254 "2017-03-09 02:37:50.756" "111.93.62.210" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 4582
"SMTPD" 736 4582 "2017-03-08 17:45:15.241" "104.168.141.210" "SENT: 220 Northcote SMTP"
"SMTPD" 4784 4582 "2017-03-08 17:45:15.413" "104.168.141.210" "RECEIVED: EHLO ylmf-pc"
"SMTPD" 4784 4582 "2017-03-08 17:45:15.413" "104.168.141.210" "SENT: 250-mydomain.co.uk[nl]250-SIZE 26214000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 4216 4582 "2017-03-08 17:45:15.569" "104.168.141.210" "RECEIVED: AUTH LOGIN"
"SMTPD" 4216 4582 "2017-03-08 17:45:15.569" "104.168.141.210" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4784 4582 "2017-03-08 17:45:15.740" "104.168.141.210" "RECEIVED: c2FsZXNAZGVjcm9mbG9vci5jb20=" [ sales@olddomain.com ]
"SMTPD" 4784 4582 "2017-03-08 17:45:15.740" "104.168.141.210" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3660 4582 "2017-03-08 17:45:15.912" "104.168.141.210" "RECEIVED: ***"
"SMTPD" 3660 4582 "2017-03-08 17:45:15.959" "104.168.141.210" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 4099
"SMTPD" 736 4099 "2017-03-08 16:18:08.482" "178.79.42.26" "SENT: 220 Northcote SMTP"
"SMTPD" 3296 4099 "2017-03-08 16:18:08.591" "178.79.42.26" "RECEIVED: HELO Northcote"
"SMTPD" 3296 4099 "2017-03-08 16:18:08.591" "178.79.42.26" "SENT: 250 Hello."
"SMTPD" 736 4099 "2017-03-08 16:18:08.700" "178.79.42.26" "RECEIVED: AUTH LOGIN"
"SMTPD" 736 4099 "2017-03-08 16:18:08.700" "178.79.42.26" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4140 4099 "2017-03-08 16:18:08.809" "178.79.42.26" "RECEIVED: c2NhbnM=" [ scans ]
"SMTPD" 4140 4099 "2017-03-08 16:18:08.809" "178.79.42.26" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3296 4099 "2017-03-08 16:18:08.934" "178.79.42.26" "RECEIVED: ***"
"SMTPD" 3296 4099 "2017-03-08 16:18:08.996" "178.79.42.26" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 3857
"SMTPD" 736 3857 "2017-03-08 15:06:38.704" "208.105.155.18" "SENT: 220 Northcote SMTP"
"SMTPD" 4736 3857 "2017-03-08 15:06:38.907" "208.105.155.18" "RECEIVED: HELO Northcote"
"SMTPD" 4736 3857 "2017-03-08 15:06:38.907" "208.105.155.18" "SENT: 250 Hello."
"SMTPD" 4504 3857 "2017-03-08 15:06:39.110" "208.105.155.18" "RECEIVED: AUTH LOGIN"
"SMTPD" 4504 3857 "2017-03-08 15:06:39.110" "208.105.155.18" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 736 3857 "2017-03-08 15:06:39.312" "208.105.155.18" "RECEIVED: ZGVtbw==" [ demo ]
"SMTPD" 736 3857 "2017-03-08 15:06:39.312" "208.105.155.18" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4736 3857 "2017-03-08 15:06:39.515" "208.105.155.18" "RECEIVED: ***"
"SMTPD" 4736 3857 "2017-03-08 15:06:39.562" "208.105.155.18" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 3617
"SMTPD" 736 3617 "2017-03-08 13:59:48.683" "201.190.192.149" "SENT: 220 Northcote SMTP"
"SMTPD" 4168 3617 "2017-03-08 13:59:49.088" "201.190.192.149" "RECEIVED: HELO Northcote"
"SMTPD" 4168 3617 "2017-03-08 13:59:49.088" "201.190.192.149" "SENT: 250 Hello."
"SMTPD" 2156 3617 "2017-03-08 13:59:49.432" "201.190.192.149" "RECEIVED: AUTH LOGIN"
"SMTPD" 2156 3617 "2017-03-08 13:59:49.432" "201.190.192.149" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4104 3617 "2017-03-08 13:59:49.744" "201.190.192.149" "RECEIVED: dGVzdDI=" [ test2 ]
"SMTPD" 4104 3617 "2017-03-08 13:59:49.744" "201.190.192.149" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4168 3617 "2017-03-08 13:59:50.071" "201.190.192.149" "RECEIVED: ***"
"SMTPD" 4168 3617 "2017-03-08 13:59:50.134" "201.190.192.149" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 3489
"SMTPD" 736 3489 "2017-03-08 13:25:37.357" "96.66.208.154" "SENT: 220 Northcote SMTP"
"SMTPD" 4104 3489 "2017-03-08 13:25:37.544" "96.66.208.154" "RECEIVED: HELO Northcote"
"SMTPD" 4104 3489 "2017-03-08 13:25:37.544" "96.66.208.154" "SENT: 250 Hello."
"SMTPD" 4092 3489 "2017-03-08 13:25:37.763" "96.66.208.154" "RECEIVED: AUTH LOGIN"
"SMTPD" 4092 3489 "2017-03-08 13:25:37.763" "96.66.208.154" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4784 3489 "2017-03-08 13:25:38.028" "96.66.208.154" "RECEIVED: Y29waWVy" [ copier ]
"SMTPD" 4784 3489 "2017-03-08 13:25:38.028" "96.66.208.154" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4104 3489 "2017-03-08 13:25:38.356" "96.66.208.154" "RECEIVED: ***"
"SMTPD" 4104 3489 "2017-03-08 13:25:38.402" "96.66.208.154" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 2339
"SMTPD" 736 2339 "2017-03-08 08:06:54.539" "113.161.80.16" "SENT: 220 Northcote SMTP"
"SMTPD" 736 2339 "2017-03-08 08:06:54.866" "113.161.80.16" "RECEIVED: HELO Northcote"
"SMTPD" 736 2339 "2017-03-08 08:06:54.866" "113.161.80.16" "SENT: 250 Hello."
"SMTPD" 2816 2339 "2017-03-08 08:06:55.194" "113.161.80.16" "RECEIVED: AUTH LOGIN"
"SMTPD" 2816 2339 "2017-03-08 08:06:55.194" "113.161.80.16" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 888 2339 "2017-03-08 08:06:55.522" "113.161.80.16" "RECEIVED: dGVzdA==" [ test ]
"SMTPD" 888 2339 "2017-03-08 08:06:55.522" "113.161.80.16" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4688 2339 "2017-03-08 08:06:55.849" "113.161.80.16" "RECEIVED: ***"
"SMTPD" 4688 2339 "2017-03-08 08:06:55.896" "113.161.80.16" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 1722
"SMTPD" 736 1722 "2017-03-08 04:53:26.992" "58.62.55.140" "SENT: 220 Northcote SMTP"
"SMTPD" 888 1722 "2017-03-08 04:53:27.320" "58.62.55.140" "RECEIVED: HELO Northcote"
"SMTPD" 888 1722 "2017-03-08 04:53:27.320" "58.62.55.140" "SENT: 250 Hello."
"SMTPD" 736 1722 "2017-03-08 04:53:27.648" "58.62.55.140" "RECEIVED: AUTH LOGIN"
"SMTPD" 736 1722 "2017-03-08 04:53:27.648" "58.62.55.140" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 888 1722 "2017-03-08 04:53:27.975" "58.62.55.140" "RECEIVED: dXNlcg==" [ user ]
"SMTPD" 888 1722 "2017-03-08 04:53:27.975" "58.62.55.140" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 736 1722 "2017-03-08 04:53:28.303" "58.62.55.140" "RECEIVED: ***"
"SMTPD" 736 1722 "2017-03-08 04:53:28.350" "58.62.55.140" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 1801
"SMTPD" 736 1801 "2017-03-08 05:14:49.721" "112.124.76.177" "SENT: 220 Northcote SMTP"
"SMTPD" 736 1801 "2017-03-08 05:14:50.048" "112.124.76.177" "RECEIVED: HELO Northcote"
"SMTPD" 736 1801 "2017-03-08 05:14:50.048" "112.124.76.177" "SENT: 250 Hello."
"SMTPD" 4508 1801 "2017-03-08 05:14:50.376" "112.124.76.177" "RECEIVED: AUTH LOGIN"
"SMTPD" 4508 1801 "2017-03-08 05:14:50.376" "112.124.76.177" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 736 1801 "2017-03-08 05:14:50.704" "112.124.76.177" "RECEIVED: dGVzdHVzZXI=" [ testuser ]
"SMTPD" 736 1801 "2017-03-08 05:14:50.704" "112.124.76.177" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3092 1801 "2017-03-08 05:14:51.031" "112.124.76.177" "RECEIVED: ***"
"SMTPD" 3092 1801 "2017-03-08 05:14:51.156" "112.124.76.177" "SENT: 535 Authentication failed. Too many invalid logon attempts."

Session: 1434
"SMTPD" 736 1434 "2017-03-08 03:19:14.543" "209.240.111.200" "SENT: 220 Northcote SMTP"
"SMTPD" 4092 1434 "2017-03-08 03:19:14.746" "209.240.111.200" "RECEIVED: HELO Northcote"
"SMTPD" 4092 1434 "2017-03-08 03:19:14.746" "209.240.111.200" "SENT: 250 Hello."
"SMTPD" 4140 1434 "2017-03-08 03:19:14.948" "209.240.111.200" "RECEIVED: AUTH LOGIN"
"SMTPD" 4140 1434 "2017-03-08 03:19:14.948" "209.240.111.200" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2456 1434 "2017-03-08 03:19:15.151" "209.240.111.200" "RECEIVED: YXVkaXQ=" [ audit ]
"SMTPD" 2456 1434 "2017-03-08 03:19:15.151" "209.240.111.200" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4092 1434 "2017-03-08 03:19:15.370" "209.240.111.200" "RECEIVED: ***"
"SMTPD" 4092 1434 "2017-03-08 03:19:15.432" "209.240.111.200" "SENT: 535 Authentication failed. Too many invalid logon attempts."[/code]


You can see most of them are from bots and are harvesting the HELO string from whatever my banner is (ie, they respond "HELO Northcote" because I sent "220 Northcote SMTP"). But there is the odd "EHLO ylmf-pc". (That is why I choose to deliberately defy the suggestion of using the FQDN in the banner. Otherwise they would have been one step nearer to guessing a login leaving only the password to have a stab at.)
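Detection over SMTPD log lines like the ones above, as an added example (not code from the thread or from hMailServer): it groups lines by session, decodes the AUTH LOGIN username, and flags sessions whose HELO merely parrots the name in the 220 banner. The sample lines, session numbers and RFC 5737 documentation IPs are constructed for the demo.

```python
"""Flag AUTH LOGIN attempts whose HELO echoes the server's own 220 banner."""
import base64
import binascii
import re

# Constructed sample in the hMailServer SMTPD log layout: two bot-style
# sessions (banner echo, then "ylmf-pc") and one normal delivery.
SAMPLE_LOG = """\
"SMTPD" 580 4711 "2017-03-09 18:33:34.471" "203.0.113.10" "SENT: 220 Northcote SMTP"
"SMTPD" 4900 4711 "2017-03-09 18:33:34.580" "203.0.113.10" "RECEIVED: HELO Northcote"
"SMTPD" 4900 4711 "2017-03-09 18:33:34.580" "203.0.113.10" "SENT: 250 Hello."
"SMTPD" 4256 4711 "2017-03-09 18:33:34.689" "203.0.113.10" "RECEIVED: AUTH LOGIN"
"SMTPD" 4256 4711 "2017-03-09 18:33:34.689" "203.0.113.10" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4400 4711 "2017-03-09 18:33:34.798" "203.0.113.10" "RECEIVED: ZGF2aWQ="
"SMTPD" 4400 4711 "2017-03-09 18:33:34.798" "203.0.113.10" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 4900 4711 "2017-03-09 18:33:34.907" "203.0.113.10" "RECEIVED: ***"
"SMTPD" 4900 4711 "2017-03-09 18:33:34.970" "203.0.113.10" "SENT: 535 Authentication failed. Too many invalid logon attempts."
"SMTPD" 4024 2426 "2017-03-09 08:30:16.591" "198.51.100.7" "SENT: 220 Northcote SMTP"
"SMTPD" 3344 2426 "2017-03-09 08:30:16.731" "198.51.100.7" "RECEIVED: EHLO ylmf-pc"
"SMTPD" 3344 2426 "2017-03-09 08:30:16.747" "198.51.100.7" "SENT: 250-mydomain.co.uk[nl]250-SIZE 26214000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2188 2426 "2017-03-09 08:30:16.871" "198.51.100.7" "RECEIVED: AUTH LOGIN"
"SMTPD" 2188 2426 "2017-03-09 08:30:16.871" "198.51.100.7" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 4596 2426 "2017-03-09 08:30:16.996" "198.51.100.7" "RECEIVED: c2FsZXNAZXhhbXBsZS5jb20="
"SMTPD" 4596 2426 "2017-03-09 08:30:16.996" "198.51.100.7" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3344 2426 "2017-03-09 08:30:17.168" "198.51.100.7" "RECEIVED: ***"
"SMTPD" 3344 2426 "2017-03-09 08:30:17.246" "198.51.100.7" "SENT: 535 Authentication failed. Too many invalid logon attempts."
"SMTPD" 736 5001 "2017-03-09 09:00:00.000" "192.0.2.25" "SENT: 220 Northcote SMTP"
"SMTPD" 736 5001 "2017-03-09 09:00:00.100" "192.0.2.25" "RECEIVED: EHLO mail.example.net"
"SMTPD" 736 5001 "2017-03-09 09:00:00.100" "192.0.2.25" "SENT: 250-mydomain.co.uk[nl]250-SIZE 26214000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 736 5001 "2017-03-09 09:00:00.200" "192.0.2.25" "RECEIVED: MAIL FROM:<bob@example.net>"
"""

# "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "<message>"
LINE_RE = re.compile(
    r'^"SMTPD"\s+(?P<thread>\d+)\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+'
    r'"(?P<ip>[^"]+)"\s+"(?P<msg>[^"]*)"'
)
USERNAME_PROMPT = "SENT: 334 VXNlcm5hbWU6"   # base64("Username:")


def decode_auth_token(token):
    """Decode one base64 AUTH LOGIN token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def analyse_sessions(log_text):
    """Return {session_id: record}; each record carries ip, banner, helo,
    auth_user, auth_failed and a list of detection reasons."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an SMTPD line we understand
        s = sessions.setdefault(m["session"], {
            "ip": m["ip"], "banner": None, "helo": None,
            "auth_user": None, "auth_failed": False, "expect_user": False,
        })
        msg = m["msg"]
        if msg.startswith("SENT: 220 "):
            words = msg[len("SENT: 220 "):].split()
            s["banner"] = words[0] if words else None   # announced name
        elif msg.startswith(("RECEIVED: HELO ", "RECEIVED: EHLO ")):
            s["helo"] = msg.split(" ", 2)[2]
        elif msg == USERNAME_PROMPT:
            s["expect_user"] = True   # next client line is the username
        elif s["expect_user"] and msg.startswith("RECEIVED: "):
            s["auth_user"] = decode_auth_token(msg[len("RECEIVED: "):])
            s["expect_user"] = False
        elif msg.startswith("SENT: 535 "):
            s["auth_failed"] = True
    for s in sessions.values():
        reasons = []
        if s["banner"] and s["helo"] and s["helo"].lower() == s["banner"].lower():
            reasons.append("helo-echoes-banner")   # client parroted our greeting
        if s["auth_user"] is not None and s["auth_failed"]:
            reasons.append("auth-failed")
        s["reasons"] = reasons
    return sessions


def failed_auth_by_ip(sessions):
    """Failed AUTH attempts per source IP, most active first."""
    counts = {}
    for s in sessions.values():
        if "auth-failed" in s["reasons"]:
            counts[s["ip"]] = counts.get(s["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    result = analyse_sessions(SAMPLE_LOG)
    for sid, s in result.items():
        print(sid, s["ip"], s["helo"], s["auth_user"], s["reasons"])
    print(failed_auth_by_ip(result))
```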

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

Re: Anti-spam not working

Post by SorenR » 2017-03-12 22:44

Have you tried the OnHELO modded version of hMailServer?

It can rid you of all these in a jiffy... That's actually why I originally made the OnHELO mod.

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-12 23:12

I haven't implemented it, no (I have no doubts about its intention and success though). The reasons I didn't are

a, my system is a low use system (by comparison to some).
b, the number of 'attacks' I get are usually in single numbers per day. It isn't exactly put under any pressure by such attacks.
c, When 'attacked' the existing method of autoban handles it adequately - as I have often advocated (when talking about the DisableAuthPort option) I think having numerous autoban ranges isn't a problem and it's only scary if you choose to look at them and don't like the colour red. As long as the system stops the attack I don't care really how it does it as long as it does. With my autoban threshold so low they only get one attempt to get it right at which they will still be stopped from connecting again anyway. AND
d, (You know we should really apply beta versions to a production server ;-) . But this isn't really a consideration for me given the other 3 reasons take precedence. )

Now, I know you could argue that giving them a one-chance opportunity to guess the authentication details is a higher risk than just stopping the connection in the first place based on the HELO string, and I agree. But that's when I then raise points (a) and (d) and accept the risk. If there was a more foolproof way of applying a block based on the HELO string that is more generic (other than compiling a list of known greetings such as YMLF-PC etc (which therefore isn't a generic pattern or algorithm) or rejecting them because they are not correctly formed (a generic method, yes, but genuine users or systems could make mistakes - as, indeed, I do not offer FQDN in my HELO greeting and for good reasons proven above) then I would consider it.

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

Re: Anti-spam not working

Post by SorenR » 2017-03-13 12:23

jimimaseye wrote: a, my system is a low use system (by comparison to some).
Ah... Small system... Like mine...
Take yesterday... 98 SMTP connection attempts resulting in 48 mails sent into first line defense. The turnout was 15 emails of which 5 were tagged as SPAM.
jimimaseye wrote: b, the number of 'attacks' I get are usually in single numbers per day. It isn't exactly put under any pressure by such attacks.
Nor is mine but occasionally the sh*t hits the fan and my daily SMTP log grows from 2-300 KB to 3.700 KB.
jimimaseye wrote: c, When 'attacked' the existing method of autoban handles it adequately - as I have often advocated (when talking about the DisableAuthPort option) I think having numerous autoban ranges isn't a problem and it's only scary if you choose to look at them and don't like the colour red. As long as the system stops the attack I don't care really how it does it as long as it does. With my autoban threshold so low they only get one attempt to get it right at which they will still be stopped from connecting again anyway. AND
I use AutoBan throughout my EventHandlers.vbs and range bans from 2 hours to 2 days depending on "attack type". For example I found that SnowShoe SPAM is recurring from the same IP address over 1-2 hours so I do a lookup and ban for 2 hours - then I don't have to worry about that anymore ;-)
Generally I only watch my server, the way it is now it is relatively secure (maybe too secure) so I only have to do stuff when my daughter whines about being locked out :oops:
jimimaseye wrote: d, (You know we should really apply beta versions to a production server ;-) . But this isn't really a consideration for me given the other 3 reasons take precedence. )

Now, I know you could argue that giving them a one-chance opportunity to guess the authentication details is a higher risk than just stopping the connection in the first place based on the HELO string, and I agree. But that's when I then raise points (a) and (d) and accept the risk. If there was a more foolproof way of applying a block based on the HELO string that is more generic (other than compiling a list of known greetings such as YMLF-PC etc (which therefore isn't a generic pattern or algorithm) or rejecting them because they are not correctly formed (a generic method, yes, but genuine users or systems could make mistakes - as, indeed, I do not offer FQDN in my HELO greeting and for good reasons proven above) then I would consider it.
I have no idea why Martin has not taken the OnHELO mod but hey, that's life.
Rvdh picked it up and moved forward with it and other mods so someone out there must like it. Anyways it's been running rock solid here for a year+ so in my mind it's past both alpha and beta...

Regarding your EHLO greeting... Sorry mate but my server will ban your server for 2 days for not being RFC compliant. :mrgreen:

[code]
      ' Accepted HELO/EHLO forms: a fully-qualified host name, a bracketed IPv4
      ' literal or a bracketed IPv6 literal. Anything else is rejected and banned.
      Const strFQDN = "^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+(?:[a-z]{2,})$)$"
      Const strIPv4 = "^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
      Const strIPv6 = "^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}(?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$"
      strRegEx = strFQDN & "|" & strIPv4 & "|" & strIPv6
      ' Lookup() and AutoBan() are helper routines defined elsewhere in EventHandlers.vbs
      If (Lookup(strRegEx, oClient.HELO) = False) Then
         '
         ' Validate HELO/EHLO greeting: reject the session and ban the IP for 2 days
         '
         Result.Value = 2
         Result.Message = "5.7.1 Your access to this mail system has been rejected due to the sending\n" & _
                          "      MTA's poor reputation. If you believe that this failure is in error,\n" & _
                          "      please contact the intended recipient via alternate means."
         Call AutoBan(oClient.IPAddress, oClient.HELO, 2, "d")
         Exit Sub
      End If
[/code]
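The acceptance rule SorenR's three regexes encode, as an added Python example (not his EventHandlers.vbs code, which is what hMailServer actually runs): a HELO/EHLO argument passes only as an FQDN or as a bracketed address literal, with the IPv4/IPv6 part checked by the ipaddress module rather than a regex, and a per-port policy of the kind he describes later in the thread. The port numbers (25 for MTA traffic, 465 for authenticated clients) and the 48-hour ban value are assumptions chosen to match his posts.

```python
"""Classify HELO/EHLO arguments: FQDN, bracketed address literal, or reject."""
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")
# The top-level label must be alphabetic, which rejects bare dotted quads.
TLD_RE = re.compile(r"[A-Za-z]{2,63}")
# Assumed port roles for the demo policy below.
MTA_PORT, SUBMISSION_PORT = 25, 465
BAN_HOURS = 48   # the 2-day AutoBan from the post


def is_fqdn(name):
    """Fully-qualified host name: two or more valid labels, alphabetic TLD."""
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:
        return False   # "Northcote", "ylmf-pc": unqualified names
    return (all(LABEL_RE.fullmatch(lbl) for lbl in labels)
            and TLD_RE.fullmatch(labels[-1]) is not None)


def is_address_literal(arg):
    """RFC 5321 address literal: [1.2.3.4] or [IPv6:...]; brackets are mandatory,
    so "123.123.123.123" on its own is not a literal."""
    if len(arg) < 3 or arg[0] != "[" or arg[-1] != "]":
        return False
    inner = arg[1:-1]
    try:
        if inner.startswith("IPv6:"):
            ipaddress.IPv6Address(inner[len("IPv6:"):])
        else:
            ipaddress.IPv4Address(inner)
    except ValueError:
        return False
    return True


def classify_helo(arg):
    """Return 'fqdn', 'literal' or 'reject' for one HELO/EHLO argument."""
    arg = arg.strip()
    if is_address_literal(arg):
        return "literal"
    if is_fqdn(arg):
        return "fqdn"
    return "reject"


def decide(helo_arg, port):
    """Per-port policy: port 25 takes FQDNs only, the submission port also
    takes literals (phones and similar clients need them).
    Returns (accept, kind, ban_hours)."""
    kind = classify_helo(helo_arg)
    if kind == "fqdn":
        return True, kind, 0
    if kind == "literal" and port == SUBMISSION_PORT:
        return True, kind, 0
    return False, kind, BAN_HOURS


if __name__ == "__main__":
    for sample in ("mail.example.net", "Northcote", "ylmf-pc",
                   "123.123.123.123", "[123.123.123.123]", "[IPv6:2001:db8::1]"):
        print(f"{sample!r:24} port25={decide(sample, MTA_PORT)} "
              f"port465={decide(sample, SUBMISSION_PORT)}")
```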

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-13 13:00

SorenR wrote:
jimimaseye wrote: b, the number of 'attacks' I get are usually in single numbers per day. It isn't exactly put under any pressure by such attacks.
Nor is mine but occasionally the sh*t hits the fan and my daily SMTP log grows from 2-300 KB to 3.700 KB.
The only time my log goes anywhere near above 300k is if I temporarily add extra logging (TCPIP, DEBUG etc)...except last Christmas when I sent out my 450 message Christmas greeting mailing that continually looped sending it out 5 times before I stopped it!
SorenR wrote: I have no idea why Martin has not taken the OnHELO mod but hey, that's life.
I think he is adding it to 5.7, isn't he. (I would have no hesitation in trusting your or RvdH's modded versions, I just choose it's not necessary to me).
SorenR wrote: Regarding your EHLO greeting... Sorry mate but my server will ban your server for 2 days for not being RFC compliant. :mrgreen:
Yeah, exactly. BUT:
1, yours is the only server I have come across that will do such a thing (I have never had a failed delivery due to this)

2, RFC says I "SHOULD" have an address (or literal), not that I MUST:

    4.1.1.1 Extended HELLO (EHLO) or HELLO (HELO)

    These commands are used to identify the SMTP client to the SMTP server. The argument field contains the fully-qualified domain name of the SMTP client if one is available. In situations in which the SMTP client system does not have a meaningful domain name (e.g., when its address is dynamically allocated and no reverse mapping record is available), the client SHOULD send an address literal

Definitions (at top of article):

    SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course

And yes, I have considered the implications and as stated in (1) I haven't come a cropper yet.

3, You might block me, but I have stopped spambots guessing my domain by mining it from my banner (as previously discussed, above). Extra security. I do have a PTR record which can be used and checked against the HELO and that obviously will fail (as it does now also because it doesn't point to the company domain I send under). But, again, I've never been rejected yet. I think it's akin to putting brighter brake light bulbs on your car to improve your braking efficiency.

Lots of Yin and very little Yang.

(P.S. I don't have a postmaster account either. Don't tell the police! :mrgreen: )

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

Re: Anti-spam not working

Post by SorenR » 2017-03-13 13:22

You missed this... :wink:

    3.6 Domains

    Only resolvable, fully-qualified, domain names (FQDNs) are permitted when domain names are used in SMTP. In other words, names that can be resolved to MX RRs or A RRs (as discussed in section 5) are permitted, as are CNAME RRs whose targets can be resolved, in turn, to MX or A RRs. Local nicknames or unqualified names MUST NOT be used. There are two exceptions to the rule requiring FQDNs:

    - The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal as described in section 4.1.1.1.

    - The reserved mailbox name "postmaster" may be used in a RCPT command without domain qualification (see section 4.1.1.3) and MUST be accepted if so used.

    1. MUST This word, or the terms "REQUIRED" or "SHALL", mean that the definition is an absolute requirement of the specification.

    2. MUST NOT This phrase, or the phrase "SHALL NOT", mean that the definition is an absolute prohibition of the specification.

https://www.ietf.org/rfc/rfc2821.txt

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-13 13:35

Yes I understand that. Effectively saying:

where mentioning a DOMAIN during SMTP communication then it must comply with section 5. (ie be valid, qualified and resolvable). But regarding the HELO string, it is allowed an exception as shown in 4.1.1.1. At which point I bring you back to 4.1.1.1 (as already discussed).

In all other parts of my mail system, where a DOMAIN is mentioned in SMTP communications, I always conform with a FQDN resolvable domain just as 3.6 says I must.

I know that these RFCs are not always the easiest to follow despite their attempts to clarify every ambiguity that may appear - sometimes too much clarification just muddies the water. Consequently it's sometimes difficult and open to interpretation on what is what.

(postmaster...postmaster......postmaster.....NURSE?!!)

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

Re: Anti-spam not working

Post by SorenR » 2017-03-13 15:38

jimimaseye wrote:Yes I understand that. Effectively saying:

where mentioning a DOMAIN during SMTP communication it must comply with section 5 (i.e. be valid, qualified and resolvable). But regarding the HELO string, it is allowed an exception as shown in 4.1.1.1. At which point I bring you back to 4.1.1.1 (as already discussed).

In all other parts of my mail system, where a DOMAIN is mentioned in SMTP communications, I always conform with a FQDN resolvable domain just as 3.6 says I must.

I know that these RFCs are not always the easiest to follow despite their attempts to clarify every ambiguity that may appear - sometimes too much clarification just muddies the water. Consequently it's sometimes difficult and open to interpretation what is what.

(postmaster...postmaster......postmaster.....NURSE?!!)
Well... Regardless... You should try it and see if your AutoBan list shrinks. Anyhow, I've got your gmail address :mrgreen:

Another modification I use is "slightly" NON-RFC... SMTP port 25 with authentication disabled and accept EHLO FQDN only.
My clients use port 465 with SSL and accept EHLO domain literals and EHLO FQDNs. iCrap devices and smartphones force me to allow domain literals from clients. :roll:

Domain literals mean "EHLO [123.123.123.123]" and the IP address MUST be in brackets.
I used to get tons of SPAM from the likes of "EHLO 123.123.123.123" and "EHLO 127.0.0.1" and this has dropped drastically since I began filtering.

Another probe/bot countermeasure is a 20 second pause on port 25... in Sub OnClientConnect(oClient)

   ' Pause the event script for sec seconds by running the Windows
   ' "timeout" command in a hidden window (window style 0) and waiting
   ' for it to return (bWaitOnReturn = True).
   Function Wait(sec)
      With CreateObject("WScript.Shell")
         .Run "timeout /T " & Int(sec), 0, True
         ' Alternatives: GNU/Cygwin sleep, or PowerShell Start-Sleep
'        .Run "sleep -m " & Int(sec * 1000), 0, True
'        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
      End With
   End Function

   ' hMailServer event: fires on every client connection. Only the
   ' unauthenticated port 25 sessions are delayed; bots often give up
   ' before the banner arrives, while real MTAs wait it out.
   Sub OnClientConnect(oClient)
      If (oClient.Port = 25) Then Wait(20)
   End Sub
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
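As an added example (not SorenR's code and not part of hMailServer), the EHLO checks described in the post above written as a small JavaScript classifier in ES3-style syntax, so it could also be carried over to a JScript event handler; how the EHLO argument is read from the server is not assumed here.

```javascript
// Classify an EHLO/HELO argument into the cases the post distinguishes:
//   "fqdn"    - dotted host name with at least two labels and a non-numeric TLD
//   "literal" - address literal: an IPv4 address in square brackets, e.g. [123.123.123.123]
//   "bare-ip" - IPv4 address without brackets (not RFC-compliant, common from bots)
//   "other"   - unqualified name, empty string, malformed literal, anything else
function classifyHelo(arg) {
  var s = (arg || "").replace(/^\s+|\s+$/g, "");
  var octet = "(?:25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)";
  var ipv4 = new RegExp("^" + octet + "(?:\\." + octet + "){3}$");
  if (/^\[.*\]$/.test(s)) {
    // Bracketed: only a syntactically valid IPv4 address counts as a literal
    return ipv4.test(s.slice(1, -1)) ? "literal" : "other";
  }
  if (ipv4.test(s)) return "bare-ip";
  // Hostname labels: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen
  var label = "[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?";
  var fqdn = new RegExp("^(?:" + label + "\\.)+" + label + "$");
  if (s.length > 253 || !fqdn.test(s)) return "other";
  // Reject an all-digit top-level label such as "1.2.3.4.5"
  var tld = s.split(".").pop();
  return /[A-Za-z]/.test(tld) ? "fqdn" : "other";
}

// Policy from the post: port 25 (unauthenticated MX traffic) accepts an FQDN only;
// port 465 (authenticated submission) also accepts address literals.
// Other ports are left to server defaults (an assumption for this example).
function heloAllowed(port, arg) {
  var kind = classifyHelo(arg);
  if (port === 25) return kind === "fqdn";
  if (port === 465) return kind === "fqdn" || kind === "literal";
  return true;
}

// Constructed sample EHLO arguments, as a mail admin might see them in the log
var samples = ["mail.example.com", "[123.123.123.123]", "123.123.123.123", "127.0.0.1", "localhost"];
for (var i = 0; i < samples.length; i++) {
  console.log(samples[i] + " -> " + classifyHelo(samples[i]) +
              ", port 25 allowed: " + heloAllowed(25, samples[i]));
}
```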

mattg
Moderator
Posts: 20123
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Anti-spam not working

Post by mattg » 2017-03-13 23:32

SorenR wrote:Another probe/bot countermeasure is a 20 second pause on port 25... in Sub OnClientConnect(oClient)
Ohhhh, I like that trick too.

You have some awesome tricks SorenR :D
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8125
Joined: 2011-09-08 17:48

Re: Anti-spam not working

Post by jimimaseye » 2017-03-14 11:45

mattg wrote:
SorenR wrote:Another probe/bot countermeasure is a 20 second pause on port 25... in Sub OnClientConnect(oClient)
Ohhhh, I like that trick too.

You have some awesome tricks SorenR :D
You could go for an even more heavy handed approach and apply them everywhere. http://www.tldp.org/HOWTO/Spam-Filterin ... elays.html

Always worth remembering this though as a warning:
Beware that while you are holding up an incoming SMTP delivery, you are also holding up a TCP socket on your server, as well as memory and other server resources. If your server is generally busy, imposing SMTP transaction delays will make you more vulnerable to Denial-of-Service attacks. A more "scalable" option may be to drop the connection once you have conclusive evidence that the sender is a ratware client.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 3184
Joined: 2006-08-21 15:38
Location: Denmark

Re: Anti-spam not working

Post by SorenR » 2017-03-14 12:33

jimimaseye wrote:
mattg wrote:
SorenR wrote:Another probe/bot countermeasure is a 20 second pause on port 25... in Sub OnClientConnect(oClient)
Ohhhh, I like that trick too.

You have some awesome tricks SorenR :D
You could go for an even more heavy handed approach and apply them everywhere. http://www.tldp.org/HOWTO/Spam-Filterin ... elays.html

Always worth remembering this though as a warning:
Beware that while you are holding up an incoming SMTP delivery, you are also holding up a TCP socket on your server, as well as memory and other server resources. If your server is generally busy, imposing SMTP transaction delays will make you more vulnerable to Denial-of-Service attacks. A more "scalable" option may be to drop the connection once you have conclusive evidence that the sender is a ratware client.
I tried it - no effect, except the one at "Sub OnClientConnect(oClient)". It would need some experimenting to see if the wait can be reduced without loss of functionality.

So far today 18% of the SMTP sessions on my server have been dropped by "the other side" due to the 20 second wait.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jim.bus
Senior user
Posts: 297
Joined: 2011-05-28 11:49
Location: US

Re: Anti-spam not working

Post by jim.bus » 2017-03-14 13:36

jimimaseye wrote:The purpose of the default domain is to allow authentication and addressing by stating the USER part only, or addressing by user name only (in the absence of a domain it will assume the default domain). It is particularly useful when there are multiple domains hosted on the system and you might be a user (such as an admin) that has access and rights to send from/to a variety of those domains, or when you address/send to users that are on your local domain you can do away with typing '@localdomain' all the time (you can simply send to "Sue"). https://www.hmailserver.com/documentati ... e_advanced).

The reason it is a security risk is that when spambots attempt break-ins they often ONLY type the user part and a guessed password. If you have a defined default domain then there are only 2 parts to be guessing, and given the user parts are quite common (such as "admin", "postmaster", "sales" etc and often exist) it means their only real obstacle in this case would be the password.

HOWEVER, if you do not have a default domain set then the bots would also need to be knowing/guessing the domain part to complete the full address too - and as you know domains can be a random choice of words and characters that make no sense. Look into your autobans and you will seldom see attempts with 'user@yourdomain.tld' as the full attempted login. In this case, the guessing of the password is the last thing the bot needs to get right - it needs to work out what the valid user (easy to guess) AND domain (not as easy to guess) are first. Double security.

Its inclusion also changes the way HMS responds to incorrectly formatted addresses. For an example, read this: viewtopic.php?p=193959#p193959

The idea of using a default domain is also to help where some devices that need to authenticate (such as a scanner or fax machine) do not have the ability to quote the full email address notation.

So, unless there is a real need (where a connecting machine such as a scanner cannot specify a full email address when authenticating or addressing to a local user) then it should be turned off.

Why isn't it removed as a feature? Well, for the reasons above. (Addressing to "sue" and legacy machines authenticating or addressing.)
jimimaseye,

Yes I understood the first part as to how the Default Domain worked eliminating the need to fully spell out the email address. I also understood the danger of using the Default Domain. You supplied the additional information I was asking for as to why you might want to take on the risk meaning your response regarding the use of scanners or fax machines as examples. Thanks very much for the additional information as to why you might want to absorb the risk of having a Default Domain. Having the Default Domain capability now makes sense.
