How to block this...

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Post by Rainer » 2008-02-25 13:33

Hello, today I see a lot of these lines in my log:

"SMTPD" 3608 34012 "2008-02-25 10:44:50.887" "221.5.17.252" "SENT: 220 Welcome to MilesTec AG"
"SMTPD" 3608 34012 "2008-02-25 10:44:51.528" "221.5.17.252" "RECEIVED: EHLO UATIM-49CCCC0DC"
"SMTPD" 3608 34012 "2008-02-25 10:44:51.528" "221.5.17.252" "SENT: 250-hmailserver[nl]250-SIZE[nl]250 AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:44:53.340" "221.5.17.252" "RECEIVED: AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:44:53.871" "221.5.17.252" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3608 34012 "2008-02-25 10:44:54.418" "221.5.17.252" "RECEIVED: aW5uYQ=="
"SMTPD" 3608 34012 "2008-02-25 10:44:54.418" "221.5.17.252" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3608 34012 "2008-02-25 10:44:55.090" "221.5.17.252" "RECEIVED: ***"
"SMTPD" 3608 34012 "2008-02-25 10:44:55.090" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:44:55.731" "221.5.17.252" "RECEIVED: AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:44:55.731" "221.5.17.252" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3608 34012 "2008-02-25 10:44:56.293" "221.5.17.252" "RECEIVED: aW5uYQ=="
"SMTPD" 3608 34012 "2008-02-25 10:44:56.293" "221.5.17.252" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3608 34012 "2008-02-25 10:44:56.903" "221.5.17.252" "RECEIVED: ***"
"SMTPD" 3608 34012 "2008-02-25 10:44:56.903" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:44:59.918" "221.5.17.252" "RECEIVED: AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:44:59.918" "221.5.17.252" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3608 34012 "2008-02-25 10:45:00.762" "221.5.17.252" "RECEIVED: aW5uYQ=="
"SMTPD" 3608 34012 "2008-02-25 10:45:00.762" "221.5.17.252" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3608 34012 "2008-02-25 10:45:01.512" "221.5.17.252" "RECEIVED: ***"
"SMTPD" 3608 34012 "2008-02-25 10:45:01.528" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:45:02.043" "221.5.17.252" "RECEIVED: AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:45:02.043" "221.5.17.252" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3608 34012 "2008-02-25 10:45:02.606" "221.5.17.252" "RECEIVED: aW5uYQ=="
"SMTPD" 3608 34012 "2008-02-25 10:45:02.606" "221.5.17.252" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3608 34012 "2008-02-25 10:45:03.356" "221.5.17.252" "RECEIVED: ***"
"SMTPD" 3608 34012 "2008-02-25 10:45:03.356" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:45:04.106" "221.5.17.252" "RECEIVED: AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:45:04.106" "221.5.17.252" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3608 34012 "2008-02-25 10:45:04.684" "221.5.17.252" "RECEIVED: aW5uYQ=="
"SMTPD" 3608 34012 "2008-02-25 10:45:04.684" "221.5.17.252" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3608 34012 "2008-02-25 10:45:05.231" "221.5.17.252" "RECEIVED: ***"
"SMTPD" 3608 34012 "2008-02-25 10:45:05.762" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:45:12.512" "221.5.17.252" "RECEIVED: AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:45:12.512" "221.5.17.252" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3608 34012 "2008-02-25 10:45:13.215" "221.5.17.252" "RECEIVED: aW5uYQ=="
"SMTPD" 3608 34012 "2008-02-25 10:45:13.215" "221.5.17.252" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3608 34012 "2008-02-25 10:45:13.996" "221.5.17.252" "RECEIVED: ***"
"SMTPD" 3608 34012 "2008-02-25 10:45:13.996" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:45:14.825" "221.5.17.252" "RECEIVED: AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:45:14.825" "221.5.17.252" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3608 34012 "2008-02-25 10:45:15.496" "221.5.17.252" "RECEIVED: aW5uYQ=="
"SMTPD" 3608 34012 "2008-02-25 10:45:15.496" "221.5.17.252" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3608 34012 "2008-02-25 10:45:16.184" "221.5.17.252" "RECEIVED: ***"
"SMTPD" 3608 34012 "2008-02-25 10:45:16.184" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."

221.5.17.252 is not an allowed IP; it's from China :evil: !
How to determine this brute-force attack?
Sorry, the POP3 log is deactivated!
Rainer Noa

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2008-02-25 13:52

Block the IP at your firewall for now.

I know there have been a few requests to add security into hMail to stop this from happening but as of yet there is none to my knowledge

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Post by Rainer » 2008-02-25 14:02

^DooM^ wrote:Block the IP at your firewall for now.

I know there have been a few requests to add security into hMail to stop this from happening but as of yet there is none to my knowledge
Hello and THX for answering!

My options for relaying are OK and there is no problem, but I think it makes sense to block an IP after n invalid login tries!

Kind regards :)
Rainer Noa

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2008-02-25 14:49

I agree :)

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Post by Rainer » 2008-02-25 15:01

^DooM^ wrote:Block the IP at your firewall for now.

I know there have been a few requests to add security into hMail to stop this from happening but as of yet there is none to my knowledge
Yes, you can add an IP range and then you must disallow all connections.
Rainer Noa

^DooM^
Site Admin
Posts: 13861
Joined: 2005-07-29 16:18
Location: UK

Post by ^DooM^ » 2008-02-25 16:19

Yes but that is the same as manually adding a block to your firewall and I also suggested that same fix in another post. You seemed to be asking about a proper automated solution which is entirely different. That user can swap his IP address 5000 times, will you add all 5000 ip ranges to hMail?

SorenR
Senior user
Posts: 4389
Joined: 2006-08-21 15:38
Location: Denmark

Post by SorenR » 2008-02-25 18:04

The idea is actually not bad if there is a retention period on the IP address. One or two weeks should be fine.

5 bad retries and SLAM you dead :-) At least for the next 2 weeks :lol:

phil54
Normal user
Posts: 195
Joined: 2007-11-26 13:13
Location: UK :-)

Post by phil54 » 2008-02-25 19:18

How is the ip in china generating the lines in the log?

SorenR
Senior user
Posts: 4389
Joined: 2006-08-21 15:38
Location: Denmark

Post by SorenR » 2008-02-25 19:27

Still on the drawing board :-)
I imagined that if I enable SMTP logging (which I already do), I can use this information to build a database and use the code snippet from OnClientConnect to build the functionality. I just don't know how scalable it will be...

Actually, ranking spam senders I get most spam from Turkey, Russia, China, Spain, Brazil, Colombia, Great Britain and South Korea (in that order). I have not included the spam that enters my site via my backup-mx...

That was my initial idea, 5 spam mails and they are blacklisted.. I have not checked who is trying to use me as relay.
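The log-driven approach described in this thread (Rainer's question of how to determine the brute-force attempts from the SMTPD log, and SorenR's proposal of counting failures per IP, blocking after 5 and keeping the block for two weeks) can be prototyped as a log parser. The following is an added example written for this page, not code from any of the forum participants or from hMailServer: it parses constructed lines in the SMTPD log layout shown in the first post, counts `535 Authentication failed` replies per client IP inside a sliding window, and produces a block list with an expiry. The threshold (5), window (10 minutes) and retention (14 days) are assumed parameters, and `192.0.2.10` is a made-up documentation-range address used to show that a single failure does not trigger a block.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the hMailServer SMTPD log layout shown in the thread:
#   "SMTPD" <pid> <session> "<timestamp>" "<client ip>" "<message>"
# 221.5.17.252 is the address from the thread; 192.0.2.10 is a made-up
# documentation-range address with a single failure, which must NOT be blocked.
SAMPLE_LOG = """\
"SMTPD" 3608 34012 "2008-02-25 10:44:50.887" "221.5.17.252" "SENT: 220 Welcome to MilesTec AG"
"SMTPD" 3608 34012 "2008-02-25 10:44:53.340" "221.5.17.252" "RECEIVED: AUTH LOGIN"
"SMTPD" 3608 34012 "2008-02-25 10:44:55.090" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:44:56.903" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34013 "2008-02-25 10:44:58.000" "192.0.2.10" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:45:01.528" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:45:03.356" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:45:05.762" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD" 3608 34012 "2008-02-25 10:45:13.996" "221.5.17.252" "SENT: 535 Authentication failed. Restarting authentication process."
"""

LINE_RE = re.compile(r'^"SMTPD"\s+\d+\s+\d+\s+"([^"]+)"\s+"([^"]+)"\s+"(.*)"$')
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_line(line):
    """Return (timestamp, client_ip, message) for one SMTPD line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, msg = m.groups()
    return datetime.strptime(ts, TS_FORMAT), ip, msg


def auth_failures(log_text):
    """Map client IP -> sorted list of times at which a 535 reply was sent."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if msg.startswith("SENT: 535"):
            failures[ip].append(ts)
    for ip in failures:
        failures[ip].sort()
    return failures


def build_blocklist(log_text, threshold=5, window=timedelta(minutes=10),
                    retention=timedelta(days=14)):
    """Return {ip: block_expiry}.

    An IP is blocked once it produces `threshold` failures inside any
    `window`; the block lasts `retention` from the failure that crossed
    the threshold (the "5 bad retries, 2 weeks" idea from the thread).
    """
    blocklist = {}
    for ip, times in auth_failures(log_text).items():
        recent = deque()  # failure times inside the current window
        for ts in times:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                blocklist[ip] = ts + retention
                break
    return blocklist


def is_blocked(blocklist, ip, now):
    """True while the retention period for `ip` has not yet expired."""
    expiry = blocklist.get(ip)
    return expiry is not None and now < expiry


if __name__ == "__main__":
    for ip, until in sorted(build_blocklist(SAMPLE_LOG).items()):
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
```

Run against the sample, the script reports a block for 221.5.17.252 expiring on 2008-03-10 (14 days after the fifth failure at 10:45:05 on 2008-02-25) and nothing for 192.0.2.10. Feeding the block list into a firewall rule or into an OnClientConnect check keyed on the client IP is the part this prototype leaves to the operator; the retention expiry is what keeps the list from growing without bound as the thread's "5000 IP ranges" objection warns.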

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Post by Rainer » 2008-02-26 08:42

Hello and THX for all answers.
I blocked the whole 221 range.
Only China, Taiwan and Japan are in there.
I do not really need these countries in my logs!

Greetings from Germany :)

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Post by Rainer » 2008-02-26 08:44

Hello SorenR, I'm interested in your solution!
Sounds good!

Kind regards :)
Rainer Noa

phil54
Normal user
Posts: 195
Joined: 2007-11-26 13:13
Location: UK :-)

Post by phil54 » 2008-02-26 11:37

I'm still confused, is someone attacking the server or using it to send mail?

Rainer
Normal user
Posts: 166
Joined: 2007-06-21 13:40
Location: Zweibrücken - Germany

Post by Rainer » 2008-02-26 11:56

Hello phil54, yes, someone from China is attacking the server. With good preferences the spammer will be blocked from relaying and sending email via my server.

But it does not look good to see this brute-force attacking in the log.

Kind Regards :)

phil54
Normal user
Posts: 195
Joined: 2007-11-26 13:13
Location: UK :-)

Post by phil54 » 2008-02-26 11:57

Bloody spammers!! Hope it goes well, Rainer, you'll have to let us know how it goes.

tocpcs
New user
Posts: 12
Joined: 2008-02-26 13:58

Post by tocpcs » 2008-02-26 14:45

I like this idea, I have a feature request for similar functionality.

I like the thinking of using the outside script to do it; however, I see a flaw in that: if the data was maintained inside hMail, it could be as simple as an array search of addresses (similar to PHP's in_array).

Many of the addresses I'd like to block probably don't have genuine servers running on them, and are just used to either attack or spam, something I'd like to block.

Vote for my feature request and hopefully we get somewhere with it being added to hMail!
