Block Spammed Email

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Block Spammed Email

Post by Jessy14 » 2017-10-03 21:46

Hi Experts, We receive a bunch of emails every day using our email address. Below is one of them, viewed from the email properties. Please advise! Thank you!

Return-Path: sales@xxx.com
Received: from [203.155.38.234] (Unknown [203.155.38.234])
by xxx.com with ESMTP
; Tue, 3 Oct 2017 09:24:44 -0500
MIME-Version: 1.0
Date: Tue, 03 Oct 2017 21:24:44 +0700
Message-ID: <dCAb2d1464489A4F49F676d93628D0c5b0b702d70959e301401@mail.gmail.com>
Subject: INVOICE
From: Gale Kingsley <sales@xxx.com>
To: data@xxx.com
Content-Type: multipart/mixed; boundary=18e1101567890fe77c7c9cf1d958
Envelope-To: <data@xxx.com>

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: Block Spammed Email

Post by jimimaseye » 2017-10-03 22:32

Spoofing is a common spam problem. Check your system is well protected - run this and post the results: viewtopic.php?f=20&t=30914
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Re: Block Spammed Email

Post by Jessy14 » 2017-10-03 23:34

Below is the running report. Please advise! Thank you!

[code]2017-10-03 Hmailserver: 5.5.2-B2129

DOMAINS

"Domain1.com" - axxxxxxxxx.net Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 0 Enabled: False
Max message size: 0 Plus addressing: False
Max size of accounts: 0
Greylisting: False

"Domain2.com" - kxxxxxx.com Enabled: True
|- "Alias1.com" - kxxxxxxx.com
|- "Alias2.com" - kxxxxxx.com
|- "Alias3.com" - kxxxx.com

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 0 Enabled: False
Max message size: 0 Plus addressing: False
Max size of accounts: 0
Greylisting: False

"Domain3.com" - lxxxxxxx.com Enabled: True

SIGNATURE LIMITS DKIM ADVANCED
Enabled: False Max size: 0 Enabled: False
Max message size: 0 Plus addressing: False
Max size of accounts: 0
Greylisting: False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 203.155.38.234 - 203.155.38.234 Priority: 20 Name: Argentina Ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 110.175.54.4 - 110.175.54.4 Priority: 20 Name: Australian Ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 114.217.78.63 - 114.217.78.63 Priority: 20 Name: Auto-ban: 15

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 117.247.232.48 - 117.247.232.48 Priority: 20 Name: Indian Ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 14.141.80.58 - 14.141.80.58 Priority: 20 Name: Indian Ban 2

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 103.18.122.231 - 103.18.122.231 Priority: 20 Name: Indian Ban 3

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 110.227.121.216 - 110.227.121.216 Priority: 20 Name: Indian Ban 5

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 182.72.195.155 - 182.72.195.155 Priority: 20 Name: Indian Ban 6

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 14.177.37.50 - 14.177.37.50 Priority: 20 Name: Inidan Ban 4

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 80.234.143.226 - 80.234.143.226 Priority: 20 Name: London-ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 128.199.62.244 - 128.199.62.244 Priority: 20 Name: Netherland Ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 51.39.117.1 - 51.39.117.1 Priority: 20 Name: SA Ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 123.231.125.30 - 123.231.125.30 Priority: 20 Name: Sri Lanka Ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 203.155.38.234 - 203.155.38.234 Priority: 20 Name: Thailand Ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 166.38.70.182 - 166.38.70.182 Priority: 20 Name: US Ban

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 173.0.51.8 - 173.0.51.8 Priority: 20 Name: US Ban-2

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 174.47.172.122 - 174.47.172.122 Priority: 20 Name: US Ban 3

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 155.195.72.182 - 155.195.72.182 Priority: 20 Name: US Bank 4

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 58.187.68.191 - 58.187.68.191 Priority: 20 Name: Vietmna Spam 1

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 171.232.39.60 - 171.232.39.60 Priority: 20 Name: Vietnam spam

Allow connections Other
SMTP: False Antispam : False
POP3: False Antivirus: False
IMAP: False SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - False
Local To External - False
External To Local - False
External To External - False


IP: 127.0.0.1 - 127.0.0.1 Priority: 15 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - True
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 5
Minutes Before Reset: 30 (0.50 hours, 0.02 days)
Minutes to Autoban: 60 (1.00 hours, 0.04 days)

There is a total of 1 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL DELIVERY RFC COMPLIANCE ADVANCED
No. Connections: 50 No Retries: 4 Mins: 30 Plain Text: False Bind:
Host: Domain2.com Empty sender: True Batch recipients: 100
Max Msg Size: 11000 Relay:- Incorrect endings: True Use STARTTLS: True
(none entered) Disc. on invalid: False Delivered-To hdr: False
Req Auth: False Loop limit: 5
Recipient hosts: 15
Con. Sec.: None
POP3
No. Connections: 50

IMAP
GENERAL PUBLIC FOLDERS ADVANCED
No. Connections: 50 Public folder name: #Public IMAP sort: True
IMAP Quota: True
IMAP Idle: True
IMAP ACL: True
Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 3 Hostname: localhost
Add X-HmailServer-Reason: True Check MX records: True - 3 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: False Use SA score: False - 5
Subject Text: "[SPAM-HMS]"
Spam delete threshold: 5 Maximum message size: 1024

GREYLISTING:
Greylisting: True Defer mins: 5 Days Unused: 2 Days Used: 32
Bypass SPF: False Bypass A/MX: False

Greylist WHITELIST ENTRIES:
IP Address: 69.41.173.84

Greylist DOMAINS enabled:
No entries

DNSBL ENTRIES:
zen.spamhaus.org Score: 7 Result: 127.0.0.*
bl.spamcop.net Score: 6 Result: 127.0.0.*
psbl.surriel.com Score: 6 Result: 127.0.0.*
virbl.dnsbl.bit.nl Score: 6 Result: 127.0.0.*
b.barracudacentral.org Score: 6 Result: 127.0.0.*

SURBL ENTRIES:
multi.surbl.org Score: 6
0spamurl.fusionzero.com Score: 6
ru.countries.nerd.dk Score: 6
-----------------------------------------------------------------------------------------------

WHITELISTING

-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete email. Notify Sender: False, Notify Receiver: False

Max Message Size: 1024
CLAM AV: True Hostname: localhost Port: 3310
CLAMWIN: False
CUSTOMAV: False

Block Attachments: True
*.bat Batch processing file
*.cmd Command file for Windows NT
*.com Command
*.cpl Windows Control Panel extension
*.csh CSH script
*.exe
*.inf Setup file
*.js
*.lnk Windows link file
*.msi Windows Installer file
*.msp Windows Installer patch
*.pid
*.pif
*.reg Registration key
*.rtf
*.scf Windows Explorer command
*.scr Windows Screen saver
“.PDF.EXE
-----------------------------------------------------------------------------------------------

SSL/TLS
SslCipherList :

-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:-
Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-10-03.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-10-03.log - !! ERRORS PRESENT !!
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - True
IMAP - .
TCPIP - .
DEBUG - True
AWSTATS - .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: PostgreSQL

IPv6 support is available in operating system.

Backup directory C:\Storage\Backups\hMailServer is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder: C:\Program Files (x86)\hMailServer\
Database folder:
Data folder: C:\Program Files (x86)\hMailServer\Data
Log folder: C:\Program Files (x86)\hMailServer\Logs
Temp folder: C:\Program Files (x86)\hMailServer\Temp
Event folder: C:\Program Files (x86)\hMailServer\Events

[Database]
Type= PostgreSQL
Username= postgres
PasswordEncryption=1
Port= 5432
Server= localhost
Internal= 0
-----------------------------------------------------------------------------------------------

Error 438. Out-dated version. Some fields or objects missing.

[/code]
Generated by HMSSettingsDiagnostics v1.74, Hmailserver Forum.

mattg
Moderator
Posts: 20134
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block Spammed Email

Post by mattg » 2017-10-03 23:49

These scripts will help >> viewtopic.php?p=68117#p68117
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: Block Spammed Email

Post by jimimaseye » 2017-10-04 00:00

From your results I see the following:

1, You have LOCAL TO LOCAL DELIVERIES allowed without authentication required for the INTERNET range. This allows spammers to send you spam through your system and will explain some of the spam you receive. You must ENABLE AUTHENTICATION for 'local to local deliveries'.

2, You are using the 'internet ranges' to act as the autoban feature when you already have autoban enabled. However you may be finding that your autoban is not effective due to the high settings you have against it. Advice:

a, Create AUTOBAN entries for all of those 'ban' IP RANGES you have and then remove them from your IP RANGEs. You only really need the INTERNET and MY COMPUTER ip ranges.
b, Then, change your AUTOBAN settings and lower the "Max invalid logon attempts:" from 5 to 1 (or 2 maximum)

By using the autoban feature (instead of the way you do with IP Ranges) you will stop the rogue spammers connecting to your machine in the first place (rather than give them a connection and rejection). Also you don't have the hassle of having to keep entering them yourself (given that most spam connections have a short lifespan).

With the above changes you will be tightening up your system and minimising the risk of receiving those spam messages.

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Re: Block Spammed Email

Post by Jessy14 » 2017-10-04 00:34

Thank you experts! Do you mean that all of the bans created under the IP range needs to be removed? Thank you!

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: Block Spammed Email

Post by jimimaseye » 2017-10-04 00:37

Yes.

Also you are running an old version and should update to the latest version that features many improvements and security updates.

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Re: Block Spammed Email

Post by Jessy14 » 2017-10-04 00:38

Version 5.5.2

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: Block Spammed Email

Post by jimimaseye » 2017-10-04 00:44

https://www.hmailserver.com/download


Remember: we are experts. :wink:

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Re: Block Spammed Email

Post by Jessy14 » 2017-10-04 00:47

You suggest: Create AUTOBAN entries for all of those 'ban' IP RANGES you have.
My question: Where to create the auto ban entries?

Thank you!

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: Block Spammed Email

Post by jimimaseye » 2017-10-04 08:55

Jessy14 wrote:You suggest: Create AUTOBAN entries for all of those 'ban' IP RANGES you have.
My question: Where to create the auto ban entries?

Thank you!

Sorry, let me clarify: by this I was suggesting that those IP RANGES that you have do not have an EXPIRY set against them, as you created them manually and made them permanent. (Maybe because you thought that the IP address was constant and long term.) I was suggesting that you expire them (delete them) or at least set an expiry date on them, as they are unlikely to be effective any more. It will not make much difference to your system except clean it up. The above suggested changes to your autoban settings and the scripts offered by Mattg will give you greater protection and autonomy.

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Re: Block Spammed Email

Post by Jessy14 » 2017-10-04 17:03

Thank you experts!

I am going to add the following scripts. Do I need to add my user name to this line? If oClient.Username <> "my user name" Then
Do I need to add the password and where? Appreciate!

[code]Sub OnAcceptMessage(oClient, oMessage)
    ' Only authenticated sessions carry a username. Unauthenticated sessions are
    ' left to the "Require authentication" IP-range setting discussed above.
    If oClient.Username <> "" Then
        Dim authemail, authemail_value, fromemail, fromemail_value
        authemail = Split(oClient.Username, "@")
        fromemail = Split(oMessage.FromAddress, "@")

        ' Guard: Split on a value without "@" returns a one-element array, and
        ' reading element 1 of it would fail with "subscript out of range".
        If UBound(authemail) >= 1 And UBound(fromemail) >= 1 Then
            authemail_value = authemail(1)
            fromemail_value = fromemail(1)

            ' Compare the domain parts case-insensitively; reject on mismatch.
            If LCase(authemail_value) <> LCase(fromemail_value) Then
                Result.Value = 2
                Result.Message = "You are only allowed to send from your domain"
            End If
        End If
    End If
End Sub[/code]

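An added example, not the forum's script and not hMailServer's own code: the same "authenticated user may only send from their own domain" check as a pure function in JavaScript (hMailServer also accepts JScript event handlers), extended to cover two cases the posted VBScript does not: a username or sender without "@" (where `Split(...)(1)` would fail) and domain aliases like the Alias1..3 entries listed under Domain2.com in the diagnostics report above. The ALIASES table, the domain names and the `OnAcceptMessage` wrapper are constructed assumptions.

```javascript
// Added example (not from the thread): domain-match check for authenticated
// senders, with alias handling and no crash on addresses lacking "@".

// Constructed alias table mirroring the shape of the posted report:
// alias domain (lower case) -> primary domain (lower case). Assumption.
var ALIASES = {
  "alias1.com": "domain2.com",
  "alias2.com": "domain2.com",
  "alias3.com": "domain2.com"
};

// Domain part of an address, lower-cased, or "" when there is no "@".
function domainOf(address) {
  var s = String(address || "");
  var at = s.lastIndexOf("@");
  return at < 0 ? "" : s.slice(at + 1).toLowerCase();
}

// Map an alias domain to its primary domain; unknown domains map to themselves.
function canonical(domain, aliases) {
  return Object.prototype.hasOwnProperty.call(aliases, domain) ? aliases[domain] : domain;
}

// Decide whether an authenticated session may use the given MAIL FROM.
// Returns {value, message} using the Result.Value codes of the posted script:
// 0 = deliver, 2 = reject with Result.Message.
function checkSenderDomain(username, fromAddress, aliases) {
  aliases = aliases || ALIASES;
  // Unauthenticated sessions are not this check's job: as jimimaseye notes,
  // the "Require authentication" IP-range setting has to stop those first.
  if (!username) { return { value: 0, message: "" }; }
  var authDomain = domainOf(username);
  var fromDomain = domainOf(fromAddress);
  // No domain on either side: treat as a mismatch instead of throwing.
  if (!authDomain || !fromDomain) {
    return { value: 2, message: "Sender address must include a domain" };
  }
  // Allow a Domain2.com account to send from one of its alias domains.
  if (canonical(authDomain, aliases) !== canonical(fromDomain, aliases)) {
    return { value: 2, message: "You are only allowed to send from your domain" };
  }
  return { value: 0, message: "" };
}

// Shape of an hMailServer JScript event handler (hypothetical wrapper; Result,
// oClient and oMessage are supplied by hMailServer at runtime, not here).
function OnAcceptMessage(oClient, oMessage) {
  var r = checkSenderDomain(oClient.Username, oMessage.FromAddress);
  if (r.value !== 0) {
    Result.Value = r.value;
    Result.Message = r.message;
  }
}
```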
jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: Block Spammed Email

Post by jimimaseye » 2017-10-04 17:25

Just add the script as displayed. No changes or password required.

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Re: Block Spammed Email

Post by Jessy14 » 2017-10-04 19:33

Thank you!

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: Block Spammed Email

Post by jimimaseye » 2017-10-04 19:47

Remember that script will only work if you make the amendments I explained above regarding enabling authentication.

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Re: Block Spammed Email

Post by Jessy14 » 2017-10-04 21:42

The scripts have been added. It looks like the junk emails were blocked.
But there are too many emails queued in the server which are not delivered. Now we cannot receive the emails any more. Please advise! Thank you!

mattg
Moderator
Posts: 20134
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block Spammed Email

Post by mattg » 2017-10-04 23:13

clear the queue (right click on the queue and 'clear')
ALL mail will be removed (including any genuine mail - this will all be lost)

You will then need to remove yourself from BlackLists

Good luck

Jessy14
Normal user
Posts: 43
Joined: 2014-02-02 20:28

Re: Block Spammed Email

Post by Jessy14 » 2017-10-05 16:34

After removing the scripts, it is fine now. BTW I didn't have anything on the blacklist. How to remove myself from the blacklist? Thank you!

mattg
Moderator
Posts: 20134
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block Spammed Email

Post by mattg » 2017-10-05 23:44

Check this list http://mxtoolbox.com/blacklists.aspx

Each Blacklist has their own removal process

cf.harper
New user
Posts: 1
Joined: 2017-11-07 17:15

Re: Block Spammed Email

Post by cf.harper » 2017-11-07 17:18

I need some spam for research purposes. So hopefully spammers will scan this email address cf.harper@yandex.com
