How Can I restrict spammer actions

Post by andrei.catanoiu » 2009-08-28 15:09

Hello,

Yesterday:

-I checked : Allow deliveries from External to external accounts
and
-Unchecked: Require Authentication for deliveries / To Remote Accounts

From Advanced / IPRanges/ Internet, because I want to test these options.

This morning I received 40.000 emails.

I reset hMail to the default settings and now I don't receive emails, but the spammer continues to send them (approx. 10 emails/second).

How can I restrict his actions?

I can't restrict this IP or put it in a blacklist because he has many IPs and DNS hosts?

Log File:

"SMTPD" 2868 2267 "2009-08-28 15:43:47.207" "201.68.73.44" "RECEIVED: RCPT TO: <lc_min@so-net.net.tw>"
"SMTPD" 2868 2267 "2009-08-28 15:43:47.207" "201.68.73.44" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:47.207" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2269 "2009-08-28 15:43:47.504" "117.201.97.247" "RECEIVED: RCPT TO: <protary@ms25.hinet.net>"
"SMTPD" 2868 2269 "2009-08-28 15:43:47.504" "117.201.97.247" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:47.504" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2266 "2009-08-28 15:43:47.691" "190.177.202.146" "RECEIVED: RCPT TO: <now9607@ms54.hinet.net>"
"SMTPD" 2868 2266 "2009-08-28 15:43:47.691" "190.177.202.146" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:47.691" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2270 "2009-08-28 15:43:47.784" "189.93.218.60" "RECEIVED: RCPT TO: <zgsn@sporton.com.tw>"
"SMTPD" 2868 2270 "2009-08-28 15:43:47.784" "189.93.218.60" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:47.784" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2268 "2009-08-28 15:43:47.862" "201.78.206.70" "RECEIVED: RCPT TO: <sunbath@ms17.hinet.net>"
"SMTPD" 2868 2268 "2009-08-28 15:43:47.862" "201.78.206.70" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:47.862" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2264 "2009-08-28 15:43:47.909" "91.124.22.86" "RECEIVED: RCPT TO: <p002852l@ms51.hinet.net>"
"SMTPD" 2868 2264 "2009-08-28 15:43:47.909" "91.124.22.86" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:47.909" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2267 "2009-08-28 15:43:48.081" "201.68.73.44" "RECEIVED: RCPT TO: <kb.michael@gmail.com>"
"SMTPD" 2868 2267 "2009-08-28 15:43:48.081" "201.68.73.44" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:48.081" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2269 "2009-08-28 15:43:48.346" "117.201.97.247" "RECEIVED: RCPT TO: <proximityfuze_@hotmail.com>"
"SMTPD" 2868 2269 "2009-08-28 15:43:48.346" "117.201.97.247" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:48.346" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2266 "2009-08-28 15:43:48.502" "190.177.202.146" "RECEIVED: RCPT TO: <nc002769@ms46.hinet.net>"
"SMTPD" 2868 2266 "2009-08-28 15:43:48.502" "190.177.202.146" "SENT: 530 SMTP authentication is required."

"SMTPD" 2868 2265 "2009-08-28 15:43:48.767" "89.190.229.46" "RECEIVED: MAIL FROM: <fangkang@cm1.hinet.net>"
"SMTPD" 2868 2265 "2009-08-28 15:43:48.767" "89.190.229.46" "SENT: 250 OK"
"SMTPD" 2868 2267 "2009-08-28 15:43:48.986" "201.68.73.44" "RECEIVED: RCPT TO: <ky.iwen@gmail.com>"
"SMTPD" 2868 2267 "2009-08-28 15:43:48.986" "201.68.73.44" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:48.986" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2269 "2009-08-28 15:43:49.173" "117.201.97.247" "RECEIVED: RCPT TO: <pupai@sinamail.com>"
"SMTPD" 2868 2269 "2009-08-28 15:43:49.173" "117.201.97.247" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:49.173" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2270 "2009-08-28 15:43:49.235" "189.93.218.60" "RECEIVED: RCPT TO: <zero.cool@ivnet.com.tw>"
"SMTPD" 2868 2270 "2009-08-28 15:43:49.235" "189.93.218.60" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:49.235" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2264 "2009-08-28 15:43:49.266" "91.124.22.86" "RECEIVED: RCPT TO: <ppt12909@ms41.hinet.net>"
"SMTPD" 2868 2264 "2009-08-28 15:43:49.266" "91.124.22.86" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:49.266" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2266 "2009-08-28 15:43:49.329" "190.177.202.146" "RECEIVED: RCPT TO: <niol@ms77.hinet.net>"
"SMTPD" 2868 2266 "2009-08-28 15:43:49.329" "190.177.202.146" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:49.329" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2223 "2009-08-28 15:43:49.500" "200.217.221.135" "RECEIVED: RCPT TO: <n048280699@yahoo.com.tw>"
"SMTPD" 2868 2223 "2009-08-28 15:43:49.500" "200.217.221.135" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:49.500" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2267 "2009-08-28 15:43:49.859" "201.68.73.44" "RECEIVED: RCPT TO: <ladys.elin@gmail.com>"
"SMTPD" 2868 2267 "2009-08-28 15:43:49.875" "201.68.73.44" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:49.875" "AWStats::LogDeliveryFailure"
"SMTPD" 416 2260 "2009-08-28 15:43:49.875" "123.180.150.155" "RECEIVED: RCPT TO: <joanny12@ms12.hinet.net>"
"SMTPD" 416 2260 "2009-08-28 15:43:49.875" "123.180.150.155" "SENT: 530 SMTP authentication is required."
"DEBUG" 416 "2009-08-28 15:43:49.875" "AWStats::LogDeliveryFailure"
"SMTPD" 416 2269 "2009-08-28 15:43:49.984" "117.201.97.247" "RECEIVED: RCPT TO: <pida09@ms37.hinet.net>"
"SMTPD" 416 2269 "2009-08-28 15:43:49.984" "117.201.97.247" "SENT: 530 SMTP authentication is required."

Post by mattg » 2009-08-28 15:22

andrei.catanoiu wrote:
> Yesterday:
>
> -I checked : Allow deliveries from External to external accounts
> and
> -Unchecked: Require Authentication for deliveries / To Remote Accounts

Well that was silly, wasn't it.

The log snippet that you show doesn't show any connections that are made, only rejections.
If you can't blacklist at firewall, you will just have to wait it out I expect. They will get sick of trying eventually. You could just block port 25 for a while (perhaps a few days at least) and see if they give up after that, but then you won't get any real mail either.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
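
The check described in the reply above (that the log shows only rejections) can be done mechanically. This is an added example, not part of the thread and not hMailServer code: it pairs each RCPT TO with the server's reply on the same session and lists any recipient outside the assumed `LOCAL_DOMAINS` that was accepted. The sample lines, `example.org` and the name `audit_relay` are constructed for illustration.

```python
import re
from collections import Counter

# Line layout as pasted in the thread: "SMTPD" thread session "time" "ip" "text"
LINE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"[^"]*"\s+"([^"]+)"\s+"(.*)"$')
RCPT = re.compile(r"RECEIVED: RCPT TO:\s*<([^>]*)>", re.I)
SENT = re.compile(r"SENT: (\d{3})")

LOCAL_DOMAINS = {"example.org"}  # assumption: the domains this server hosts

# Constructed sample (documentation IPs and example domains), not real traffic.
SAMPLE = """\
"SMTPD" 2868 2267 "2009-08-28 15:43:47.207" "192.0.2.44" "RECEIVED: RCPT TO: <u1@example.net>"
"SMTPD" 2868 2267 "2009-08-28 15:43:47.207" "192.0.2.44" "SENT: 530 SMTP authentication is required."
"DEBUG" 2868 "2009-08-28 15:43:47.207" "AWStats::LogDeliveryFailure"
"SMTPD" 2868 2265 "2009-08-28 15:43:47.767" "203.0.113.9" "RECEIVED: MAIL FROM: <x@example.com>"
"SMTPD" 2868 2265 "2009-08-28 15:43:47.767" "203.0.113.9" "SENT: 250 OK"
"SMTPD" 2868 2267 "2009-08-28 15:43:48.081" "192.0.2.44" "RECEIVED: RCPT TO: <u2@example.net>"
"SMTPD" 2868 2267 "2009-08-28 15:43:48.081" "192.0.2.44" "SENT: 530 SMTP authentication is required."
"SMTPD" 2868 2265 "2009-08-28 15:43:49.100" "203.0.113.9" "RECEIVED: RCPT TO: <u3@example.net>"
"SMTPD" 2868 2265 "2009-08-28 15:43:49.100" "203.0.113.9" "SENT: 250 OK"
"SMTPD" 416 2270 "2009-08-28 15:43:49.300" "198.51.100.7" "RECEIVED: RCPT TO: <postmaster@example.org>"
"SMTPD" 416 2270 "2009-08-28 15:43:49.300" "198.51.100.7" "SENT: 250 OK"
"""

def audit_relay(lines, local_domains=LOCAL_DOMAINS):
    """Pair each RCPT TO with the server's reply on the same session."""
    pending = {}          # session id -> recipient awaiting a reply
    rejected = Counter()  # client IP -> RCPT TO commands answered with 530
    relayed = []          # (client IP, recipient) accepted for a non-local domain
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                      # DEBUG lines, blanks, other log types
        session, ip, text = m.groups()
        rcpt = RCPT.match(text)
        if rcpt:
            pending[session] = rcpt.group(1)
        elif text.startswith("RECEIVED:"):
            pending.pop(session, None)    # some other command; drop stale state
        elif session in pending and SENT.match(text):
            code = SENT.match(text).group(1)
            to = pending.pop(session)
            domain = to.rpartition("@")[2].lower()
            if code == "530":
                rejected[ip] += 1
            elif code.startswith("2") and domain not in local_domains:
                relayed.append((ip, to))
    return rejected, relayed

if __name__ == "__main__":
    print(audit_relay(SAMPLE.splitlines()))
```

An empty `relayed` list over the period after the settings were restored is the confirmation that the server is only refusing; any entry there is a recipient the server agreed to relay.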

Post by andrei.catanoiu » 2009-08-28 15:36

Thanks for the answer.

I will try to block port 25 for a few days.

Post by andrei.catanoiu » 2009-08-28 15:49

By the way hmailserver_awstats.log is:



2009-08-28 16:44:35 _jy@gmail.com to068@xuite.net 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:36 _jy@gmail.com tt.jame@msa.hinet.net 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:37 -hsuan@umail.hinet.net twins0219@yahoo.com.tw 59.96.100.231 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:37 _jy@gmail.com taiwan.ma@msa.hinet.net 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:37 -hsuan@umail.hinet.net wangsc89@seed.net.tw 59.96.100.231 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:38 _jy@gmail.com tofu01@xuite.net 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:38 -hsuan@umail.hinet.net vetchris54@hotmail.com 59.96.100.231 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:39 na.leng@yahoo.com.tw ns_rene@so-net.net.tw 121.22.40.185 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:39 phil.candy@msa.hinet.net levid.lee66@msa.hinet.net 86.57.156.136 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:39 _jy@gmail.com ting6583@ms24.hinet.net 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:39 na.leng@yahoo.com.tw october.sai@gmail.com 121.22.40.185 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:40 _jy@gmail.com s87673@xuite.net 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:40 phil.candy@msa.hinet.net lcc4941@ms8.hinet.net 86.57.156.136 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:40 na.leng@yahoo.com.tw ninll@giga.net.tw 121.22.40.185 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:40 peimou@ms81.hinet.net yainickl@ms69.hinet.net 211.87.224.101 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:40 sa_arthur@xuite.net ppt12731@ms48.hinet.net 201.29.104.22 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:41 na.leng@yahoo.com.tw neil_taoyuan@so-net.net.tw 121.22.40.185 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:41 _jy@gmail.com team_3th@yahoo.com.tw 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:41 phil.candy@msa.hinet.net libertyj@ms32.hinet.net 86.57.156.136 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:41 na.leng@yahoo.com.tw ng_uni@so-net.net.tw 121.22.40.185 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:41 peimou@ms81.hinet.net yl8016@ms28.hinet.net 211.87.224.101 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:42 sa_arthur@xuite.net polonaise@ms23.hinet.net 201.29.104.22 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:42 _jy@gmail.com total-s66@umail.hinet.net 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:42 phil.candy@msa.hinet.net lchamber@ms18.hinet.net 86.57.156.136 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:42 na.leng@yahoo.com.tw momo.id@gmail.com 121.22.40.185 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:42 peimou@ms81.hinet.net xz097377@gogo.net.tw 211.87.224.101 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:43 na.leng@yahoo.com.tw neo_pin@so-net.net.tw 121.22.40.185 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:43 phil.candy@msa.hinet.net lin2115@ms51.hinet.net 86.57.156.136 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0
2009-08-28 16:44:43 _jy@gmail.com terry_may@xuite.net 190.177.202.146 127.0.0.1 SMTP ?virus=&rblgheuristicspam=0&ssl=0 530 0

Post by mattg » 2009-08-28 15:54

All of those have 530 as the second-last field on each line.
That is the rejection code I believe.

Nothing to stress about there.

Post by andrei.catanoiu » 2009-08-28 15:56

OK, thanks.

Post by roi » 2009-10-05 07:01

andrei.catanoiu ... so what happened? Did the spammer (he seems to have a botnet) give up and you could re-open port 25? This is a nightmare situation where one is forced to close port 25 in order to stop the spam storm, and I am curious just what I might have to do if it happens to me. Appreciate a feedback on this unfortunate story.
hMS: 5.2.1-B361 | DB: Internal MySQL from hMS 4.4 | OS: W2K3 1Gb VM

Post by Slug » 2009-10-05 11:16

Would the tar pitting option work in this instance?

I cannot remember if the tar pitting was on IP address only or IP and from/to address.

Michael
Missing Hmailserver ... Now running Debian servers

Post by roi » 2009-10-06 14:36

Tarpitting is designed to delay reuse of an smtp connection, but in this example, new smtp connections are made by the spammer so tarpitting would be irrelevant, I think. And to make it worse, the spammer uses different IP addresses.

But speaking of tarpitting, spammers have learned to reuse a connection even with tarpitting by resetting the conversation and starting another transaction without reconnecting. Tarpitting would work better if there was a way to force a disconnect if the connection has been reset a given number of times. But that is another story and may even be a feature request, but I understand Martin is concentrating on performance and bug fixes rather than new features for the moment.

I understand Martin now thinks tarpitting is not really an effective way to stop/delay spam, and I probably agree with him on that.

Post by Slug » 2009-10-06 14:50

roi wrote:
> Tarpitting is designed to delay reuse of an smtp connection, but in this example, new smtp connections are made by the spammer so tarpitting would be irrelevant, I think. And to make it worse, the spammer uses different IP addresses.

Thank you, but I am aware of this.

> But speaking of tarpitting, spammers have learned to reuse a connection even with tarpitting by resetting the conversation and starting another transaction without reconnecting. Tarpitting would work better if there was a way to force a disconnect if the connection has been reset a given number of times.

If, for e.g., the tar pitting in hMS was IP only (I have already said I cannot remember), then this may be of some use to the above poster, as shutting down port 25 "for a few days" is not an option with, I would guess, 99.9% of people here.

> but I understand Martin is concentrating on performance and bug fixes rather than new features for the moment.

Really, I must have missed that post :wink:

> I understand Martin now thinks tarpitting is not really an effective way to stop/delay spam, and I probably agree with him on that.

Again, I must have missed that post... do you have a link so I can refresh my memory :wink:

Michael

Post by sheffters » 2009-10-06 14:59

> Again, I must have missed that post... do you have a link so I can refresh my memory

It has been mentioned a few times by Martin and others that (paraphrasing) it's junk / pointless nowadays (link below to first one I came across).

http://hmailserver.com/forum/viewtopic. ... ive#p93506

Best solution would be to just sit it out imho ... hmail will refuse the connections, so turn up the connection limit for a few days and let them all bounce off ... if you're on a decent web connection then it's unlikely that it will be saturated for long.

S.

Post by Slug » 2009-10-06 15:03

My post was partly tongue in cheek, hence the smiles ...

I found roi's post so "matter of fact" I couldn't help myself.

Michael

Post by roi » 2009-10-06 15:19

Slug... didn't mean to appear "overconfident". As a total newbie to hMail, I spend a lot of my time reading other people's posts in the forum. I'm actually in a very sharp learning curve and will back off at the very first push by seniors like yourself. I have a lot to learn, and probably have all the time to do so. So I am in my humble place where I belong...

Post by Slug » 2009-10-06 15:23

roi, my post was not meant to get you to "back off"; this forum will only benefit from users who are happy to help others (like yourself).

Like I said I just couldn't help myself, no harm done.

Michael

Post by roi » 2009-10-06 16:10

> Best solution would be to just sit it out...

I guess I am being overly paranoid about spam storm... thanks for the input.

Post by ^DooM^ » 2009-10-06 16:20

I have never used tarpitting so don't really find it useful ;) Roi, we appreciate your posts on here and the time you take out of your day to help out. It's always better to have multiple points of view than just one. One word of advice though if you intend on sticking around: don't take us too seriously. Sarcasm is rife on this forum :P
If at first you don't succeed, bomb disposal probably isn't for you! ヅ

Post by roi » 2009-10-06 16:28

Thanks... DooM. I am learning the culture and probably can roll with the punches. That said, I think I can feel the warmth behind the sarcasm. This is the only forum that I am involved in and I'm glad of my first choice.