HMS sending Spam

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

HMS sending Spam

Post by MarHMS » 2017-03-02 15:19

I think someone is using my HMS as a relay to send spam.

See attachment below.

Can someone please explain, and advise how to stop it?
Attachments
Untitled42.jpg
Untitled32.jpg

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: HMS sending Spam

Post by jimimaseye » 2017-03-02 15:32

HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

Re: HMS sending Spam

Post by MarHMS » 2017-03-02 15:39

[code]3/2/2017 8:36:50 AM Hmailserver: 5.6.4-B2283

IP: 127.0.0.1 - 127.0.0.1 Priority: 15 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


IP: 192.168.0.1 - 192.168.0.255 Priority: 1 Name: LAN

Allow connections Other
SMTP: True Antispam : False
POP3: True Antivirus: False
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: False

There is a total of 2 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: 127.0.0.1
Add X-HmailServer-Reason: True Check MX records: True - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: False - 5 Use SA score: False - 5
Subject Text: "[Possible Spam]"
Spam delete threshold: 8 Maximum message size: 1024

GREYLISTING:
Greylisting: False

DNSBL ENTRIES:
zen.spamhaus.org Score: 5 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 3 Result: 127.0.0.2
hostkarma.junkemailfilter.com Score: 2 Result: 127.0.0.2|127.0.0.4
b.barracudacentral.org Score: 2 Result: 127.0.0.2|127.0.0.4

SURBL ENTRIES:
multi.surbl.org Score: 3
-----------------------------------------------------------------------------------------------

WHITELISTING
No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete email. Notify Sender: False, Notify Receiver: True

Max Message Size: 26214
CLAM AV: True Hostname: localhost Port: 3310
CLAMWIN: False
CUSTOMAV: False

Block Attachments: True
*.bat Batch processing file
*.cmd Command file for Windows NT
*.com Command
*.cpl Windows Control Panel extension
*.csh CSH script
*.exe Executable file
*.inf Setup file
*.js JavaScript files
*.lnk Windows link file
*.msi Windows Installer file
*.msp Windows Installer patch
*.pif Program information file
*.rar Winrar archives
*.reg Registration key
*.scf Windows Explorer command
*.scr Windows Screen saver
*.vbs VBScript
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : True
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: True
SslCipherList :

ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
0.0.0.0 / 465 / SMTP - None
0.0.0.0 / 587 / SMTP - None
192.168.0.7 / 25 / SMTP - None
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:- Current: E:\HMAIL\Logs\hmailserver_2017-03-02.log
Error: E:\HMAIL\Logs\ERROR_hmailserver_2017-03-02.log
Event: E:\HMAIL\Logs\hmailserver_events.log
Awstats: E:\HMAIL\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - True
IMAP - True
TCPIP - True
DEBUG - True
AWSTATS - True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory C:\Users\eviewer\Desktop\ is writable.

ERROR: Messages exists which are located outside of the data directory E:\HMAIL\Data.
ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.45, Hmailserver Forum.

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: HMS sending Spam

Post by jimimaseye » 2017-03-02 15:44

Did you read the link I gave you and follow its advice word for word? Everything you need to know is in there. (I personally am not going to repeat what has already been written).

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

Re: HMS sending Spam

Post by MarHMS » 2017-03-02 15:47

Will do that.

Honestly, I was reading another thread with a similar issue, so I got a bit confused and overlooked the link :(

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: HMS sending Spam

Post by jimimaseye » 2017-03-02 15:50

(Your "LAN" IP range has no point. Your priority for it is LOWER than the INTERNET range (which will then take precedence). And your TCPIP PORT entry "192.168.0.7 / 25 / SMTP - None" is pointless too. The "0.0.0.0" already covers it.)
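
To see why the "LAN" range as posted never applies, here is an added example (not code from the thread or from hMailServer) that resolves a client address against the three ranges in the settings dump. It assumes hMailServer's rule that, among the ranges containing an address, the one with the highest priority number wins; `effective_range`, `shadowed_ranges` and `reprioritize` are names chosen for this example.

```python
"""Resolve which hMailServer IP range governs a connecting client.

Assumption: when several ranges contain an address, hMailServer applies the one
with the highest priority number. The ranges are the ones in the settings dump.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address


@dataclass(frozen=True)
class IPRange:
    name: str
    first: str
    last: str
    priority: int
    auth_local_to_external: bool  # "Require Authentication from: Local To External"

    def contains(self, addr):
        return ip_address(self.first) <= ip_address(addr) <= ip_address(self.last)


# The three ranges exactly as they appear in the HMSSettingsDiagnostics output.
RANGES_AS_POSTED = [
    IPRange("My computer", "127.0.0.1", "127.0.0.1", 15, False),
    IPRange("Internet", "0.0.0.0", "255.255.255.255", 10, True),
    IPRange("LAN", "192.168.0.1", "192.168.0.255", 1, False),
]


def effective_range(addr, ranges):
    """The range that would apply to addr, or None if no range contains it."""
    matches = [r for r in ranges if r.contains(addr)]
    return max(matches, key=lambda r: r.priority) if matches else None


def shadowed_ranges(ranges):
    """Ranges that can never win: fully covered by another range with a higher priority."""
    return [
        r for r in ranges
        if any(o.priority > r.priority and o.contains(r.first) and o.contains(r.last)
               for o in ranges if o is not r)
    ]


def reprioritize(ranges, name, priority):
    """Copy of ranges with one range's priority changed (the 'change its priority' option)."""
    return [replace(r, priority=priority) if r.name == name else r for r in ranges]


if __name__ == "__main__":
    fixed = reprioritize(RANGES_AS_POSTED, "LAN", 20)
    for label, ranges in (("as posted", RANGES_AS_POSTED), ("LAN at priority 20", fixed)):
        r = effective_range("192.168.0.50", ranges)
        print(f"{label}: 192.168.0.50 -> {r.name}, auth for Local->External: {r.auth_local_to_external}")
        print(f"{label}: shadowed ranges = {[s.name for s in shadowed_ranges(ranges)]}")
```

As posted, a LAN client at 192.168.0.50 is matched by "Internet" and therefore needs to authenticate for Local to External; raising the LAN priority above 10 (or deleting the range) resolves the contradiction.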

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

Re: HMS sending Spam

Post by MarHMS » 2017-03-02 16:33

I see.
So should I delete LAN IP range, or change its priority?
Will make the changes. Thanks as usual! :)

I'm going through the document.
Mail server passed open relay tests, but there are definitely ongoing suspicious activities based on the queue.

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: HMS sending Spam

Post by jimimaseye » 2017-03-02 16:42

Look for the advice on checking the SMTPD entries to find the account that was used to authenticate.

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

Re: HMS sending Spam

Post by MarHMS » 2017-03-02 18:46

Okay, I'm getting somewhere, but I need your assistance, Jim.

I pasted 3 excerpts of the log below.
I see where authentications are failing with some random accounts, also with one being almost legit. I see where the suspicious email is sending, but not where it got authenticated.
Suspicious email: anthonytataesq@gmail.com

Code:

"SMTPD"	1848	1221126	"2017-03-02 00:17:44.532"	"46.105.123.22"	"RECEIVED: RSET"
"SMTPD"	1848	1221126	"2017-03-02 00:17:44.532"	"46.105.123.22"	"SENT: 250 OK"
"SMTPD"	1828	1221126	"2017-03-02 00:17:44.673"	"46.105.123.22"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1828	1221126	"2017-03-02 00:17:44.673"	"46.105.123.22"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1848	1221126	"2017-03-02 00:17:44.813"	"46.105.123.22"	"RECEIVED: cGx1Z2luc0BmaXJzdHVuaW9uamEuY29t"
"SMTPD"	1848	1221126	"2017-03-02 00:17:44.813"	"46.105.123.22"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1820	1221126	"2017-03-02 00:17:44.962"	"46.105.123.22"	"RECEIVED: ***"
"SMTPD"	1820	1221126	"2017-03-02 00:17:44.962"	"46.105.123.22"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1848	1221126	"2017-03-02 00:17:45.118"	"46.105.123.22"	"RECEIVED: RSET"
"SMTPD"	1848	1221126	"2017-03-02 00:17:45.118"	"46.105.123.22"	"SENT: Too many invalid commands. Bye!"
"DEBUG"	1812	"2017-03-02 00:17:45.118"	"Ending session 1221126"
"DEBUG"	1764	"2017-03-02 00:18:10.514"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1876	"2017-03-02 00:18:10.514"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1876	"2017-03-02 00:18:10.514"	"Delivering message..."
"APPLICATION"	1876	"2017-03-02 00:18:10.514"	"SMTPDeliverer - Message 1917088: Delivering message from anthonytataesq@gmail.com to memastal@gmail.ccom. File: E:\HMAIL\Data\{D24A655B-C52E-4A8E-B8E9-8CD11CF7070E}.eml"
"DEBUG"	1876	"2017-03-02 00:18:10.514"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1764	"2017-03-02 00:18:10.514"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1888	"2017-03-02 00:18:10.514"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1888	"2017-03-02 00:18:10.514"	"Delivering message..."
"APPLICATION"	1888	"2017-03-02 00:18:10.514"	"SMTPDeliverer - Message 1917100: Delivering message from anthonytataesq@gmail.com to _blacksoul666@univision.com. File: E:\HMAIL\Data\{0CFE7932-2791-42BB-B22D-8D8592D30FFD}.eml"
"DEBUG"	1888	"2017-03-02 00:18:10.514"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1764	"2017-03-02 00:18:10.514"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1884	"2017-03-02 00:18:10.514"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1884	"2017-03-02 00:18:10.514"	"Delivering message..."
"APPLICATION"	1884	"2017-03-02 00:18:10.514"	"SMTPDeliverer - Message 1914973: Delivering message from anthonytataesq@gmail.com to sidberrygmail@87.com. File: E:\HMAIL\Data\{93D6E2DE-15B8-4460-B92E-4D6B736AFBFD}.eml"
"DEBUG"	1884	"2017-03-02 00:18:10.514"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1888	"2017-03-02 00:18:10.514"	"Connecting to ClamAV stream port..."
"DEBUG"	1876	"2017-03-02 00:18:10.530"	"Connecting to ClamAV stream port..."
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"No virus detected: stream: OK"
"DEBUG"	1884	"2017-03-02 00:18:11.543"	"Connecting to ClamAV stream port..."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"No virus detected: stream: OK"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Applying rules"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Applying rule Global Spam Rule"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Applying rules"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Performing local delivery"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Applying rule Global Spam Rule"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Local delivery completed"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Applying rule whereareyounow.net Spam"
"TCPIP"	1888	"2017-03-02 00:18:11.543"	"DNS MX lookup: univision.com"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Performing local delivery"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Local delivery completed"
"TCPIP"	1876	"2017-03-02 00:18:11.543"	"DNS MX lookup: gmail.ccom"
"TCPIP"	1876	"2017-03-02 00:18:11.543"	"DNS - MX Result: 0 IP addresses were found."
"APPLICATION"	1876	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917088: No mail servers could be found for the address memastal@gmail.ccom."
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Summarizing delivery result"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Summarized delivery results"
"TCPIP"	1888	"2017-03-02 00:18:11.543"	"DNS - MX Result: 0 IP addresses were found."
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"SD::RescheduleDelivery_"
"APPLICATION"	1888	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917100: No mail servers could be found for the address _blacksoul666@univision.com."
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Retrieving retry options."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Summarizing delivery result"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Starting rescheduling."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Summarized delivery results"
"APPLICATION"	1876	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917088: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"SD::RescheduleDelivery_"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Retrieving retry options."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Starting rescheduling."
"APPLICATION"	1888	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917100: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Message rescheduled for later delivery."
"APPLICATION"	1876	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917088: Message delivery thread completed."
"DEBUG"	1888	"2017-03-02 00:18:11.574"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1888	"2017-03-02 00:18:11.574"	"Message rescheduled for later delivery."
"APPLICATION"	1888	"2017-03-02 00:18:11.574"	"SMTPDeliverer - Message 1917100: Message delivery thread completed."
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"No virus detected: stream: OK"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Applying rules"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Applying rule Global Spam Rule"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Performing local delivery"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Local delivery completed"
"TCPIP"	1884	"2017-03-02 00:18:12.558"	"DNS MX lookup: 87.com"
"TCPIP"	1884	"2017-03-02 00:18:12.838"	"DNS - MX Result: 1 IP addresses were found."
"DEBUG"	1884	"2017-03-02 00:18:12.838"	"Starting external delivery process. Server: 87.com (150.242.208.8), Port: 25, Security: 2, User name: "
"DEBUG"	1884	"2017-03-02 00:18:12.838"	"Creating session 1221149"
"TCPIP"	1884	"2017-03-02 00:18:12.838"	"Connecting to 150.242.208.8:25..."
"DEBUG"	1812	"2017-03-02 00:18:14.652"	"SMTPDeliverer - Message 1914973 - Connection failed: Host name: 150.242.208.8, message: The remote computer refused the network connection"
"DEBUG"	1812	"2017-03-02 00:18:14.652"	"Ending session 1221149"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"External delivery process completed"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Summarizing delivery result"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Summarized delivery results"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"SD::RescheduleDelivery_"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Retrieving retry options."
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Starting rescheduling."
"APPLICATION"	1884	"2017-03-02 00:18:14.652"	"SMTPDeliverer - Message 1914973: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Message rescheduled for later delivery."
"APPLICATION"	1884	"2017-03-02 00:18:14.652"	"SMTPDeliverer - Message 1914973: Message delivery thread completed."

Code:

"DEBUG"	1876	"2017-03-02 00:19:12.890"	"Starting external delivery process. Server: gmail-smtp-in.l.google.com (108.177.12.27), Port: 25, Security: 2, User name: "
"DEBUG"	1876	"2017-03-02 00:19:12.890"	"Creating session 1221155"
"TCPIP"	1876	"2017-03-02 00:19:12.890"	"Connecting to 108.177.12.27:25..."
"DEBUG"	1812	"2017-03-02 00:19:12.937"	"TCP connection started for session 1221155"
"SMTPC"	1812	1221155	"2017-03-02 00:19:12.984"	"108.177.12.27"	"RECEIVED: 220 mx.google.com ESMTP 75si2898249uau.245 - gsmtp"
"SMTPC"	1812	1221155	"2017-03-02 00:19:12.984"	"108.177.12.27"	"SENT: EHLO ***"
"SMTPC"	1812	1221155	"2017-03-02 00:19:13.047"	"108.177.12.27"	"RECEIVED: 250-mx.google.com at your service, [***][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC"	1812	1221155	"2017-03-02 00:19:13.047"	"108.177.12.27"	"SENT: STARTTLS"
"SMTPC"	1796	1221155	"2017-03-02 00:19:13.094"	"108.177.12.27"	"RECEIVED: 220 2.0.0 Ready to start TLS"
"DEBUG"	1796	"2017-03-02 00:19:13.094"	"Performing SSL/TLS handshake for session 1221155. Verify certificate: True, Expected remote host name: gmail-smtp-in.l.google.com"
"DEBUG"	1812	"2017-03-02 00:19:13.140"	"Certificate verification succeeded for session 1221155."
"DEBUG"	1796	"2017-03-02 00:19:13.140"	"SMTPDeliverer - Message 1915161 - Connection failed: Host name: 176.74.176.187, message: The remote computer refused the network connection"
"DEBUG"	1796	"2017-03-02 00:19:13.140"	"Ending session 1221154"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"External delivery process completed"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Summarizing delivery result"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Summarized delivery results"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"SD::RescheduleDelivery_"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Retrieving retry options."
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Starting rescheduling."
"APPLICATION"	1884	"2017-03-02 00:19:13.140"	"SMTPDeliverer - Message 1915161: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Message rescheduled for later delivery."
"APPLICATION"	1884	"2017-03-02 00:19:13.140"	"SMTPDeliverer - Message 1915161: Message delivery thread completed."
"TCPIP"	1796	"2017-03-02 00:19:13.187"	"TCPConnection - TLS/SSL handshake completed. Session Id: 1221155, Remote IP: 108.177.12.27, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"SMTPC"	1796	1221155	"2017-03-02 00:19:13.187"	"108.177.12.27"	"SENT: EHLO ***"
"SMTPC"	1848	1221155	"2017-03-02 00:19:13.234"	"108.177.12.27"	"RECEIVED: 250-mx.google.com at your service, [***][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC"	1848	1221155	"2017-03-02 00:19:13.234"	"108.177.12.27"	"SENT: MAIL FROM:<anthonytataesq@gmail.com>"
"SMTPC"	1812	1221155	"2017-03-02 00:19:13.281"	"108.177.12.27"	"RECEIVED: 250 2.1.0 OK 75si2898249uau.245 - gsmtp"
"SMTPC"	1812	1221155	"2017-03-02 00:19:13.297"	"108.177.12.27"	"SENT: RCPT TO:<tsharris23@gmail.com>"
"SMTPC"	1848	1221155	"2017-03-02 00:19:13.406"	"108.177.12.27"	"RECEIVED: 452-4.2.2 The email account that you tried to reach is over quota. Please direct[nl]452-4.2.2 the recipient to[nl]452 4.2.2  https://support.google.com/mail/?p=OverQuotaTemp 75si2898249uau.245 - gsmtp"
"SMTPC"	1848	1221155	"2017-03-02 00:19:13.406"	"108.177.12.27"	"SENT: QUIT"
"SMTPC"	1796	1221155	"2017-03-02 00:19:13.453"	"108.177.12.27"	"RECEIVED: 221 2.0.0 closing connection 75si2898249uau.245 - gsmtp"
"DEBUG"	1796	"2017-03-02 00:19:13.453"	"Ending session 1221155"
"DEBUG"	1876	"2017-03-02 00:19:13.453"	"External delivery process completed"

Code:

"DEBUG"	1848	"2017-03-02 00:36:57.288"	"Creating session 1221298"
"TCPIP"	1848	"2017-03-02 00:36:57.288"	"TCP - 91.200.12.164 connected to 192.168.0.7:25."
"DEBUG"	1848	"2017-03-02 00:36:57.288"	"TCP connection started for session 1221268"
"SMTPD"	1848	1221268	"2017-03-02 00:36:57.288"	"91.200.12.164"	"SENT: 220 *** Welcome to the FirstUnion SMTP Server ( Exim )"
"SMTPD"	1828	1221268	"2017-03-02 00:36:57.514"	"91.200.12.164"	"RECEIVED: EHLO User"
"SMTPD"	1828	1221268	"2017-03-02 00:36:57.514"	"91.200.12.164"	"SENT: 250-***[nl]250-SIZE 32000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	1836	1221268	"2017-03-02 00:36:57.739"	"91.200.12.164"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1836	1221268	"2017-03-02 00:36:57.739"	"91.200.12.164"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1828	1221268	"2017-03-02 00:36:57.974"	"91.200.12.164"	"RECEIVED: ZmF4"
"SMTPD"	1828	1221268	"2017-03-02 00:36:57.974"	"91.200.12.164"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1836	1221268	"2017-03-02 00:36:58.193"	"91.200.12.164"	"RECEIVED: ***"
"SMTPD"	1836	1221268	"2017-03-02 00:36:58.193"	"91.200.12.164"	"SENT: 535 Authentication failed. Restarting authentication process."
"DEBUG"	1848	"2017-03-02 00:36:58.420"	"The read operation failed. Bytes transferred: 0 Remote IP: 91.200.12.164, Session: 1221268, Code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG"	1848	"2017-03-02 00:36:58.420"	"Ending session 1221268"
"DEBUG"	1848	"2017-03-02 00:37:10.314"	"Creating session 1221299"
"TCPIP"	1848	"2017-03-02 00:37:10.314"	"TCP - 94.71.123.49 connected to 192.168.0.7:25."
"DEBUG"	1848	"2017-03-02 00:37:10.329"	"TCP connection started for session 1221298"
"SMTPD"	1848	1221298	"2017-03-02 00:37:10.329"	"94.71.123.49"	"SENT: 220 *** Welcome to the FirstUnion SMTP Server ( Exim )"
"SMTPD"	1836	1221298	"2017-03-02 00:37:12.894"	"94.71.123.49"	"RECEIVED: HELO *** Welcome to the FirstUnion"
"SMTPD"	1836	1221298	"2017-03-02 00:37:12.894"	"94.71.123.49"	"SENT: 250 Hello."
"SMTPD"	1848	1221298	"2017-03-02 00:37:13.168"	"94.71.123.49"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1848	1221298	"2017-03-02 00:37:13.168"	"94.71.123.49"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1828	1221298	"2017-03-02 00:37:13.477"	"94.71.123.49"	"RECEIVED: ZGFuYQ=="
"SMTPD"	1828	1221298	"2017-03-02 00:37:13.477"	"94.71.123.49"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1836	1221298	"2017-03-02 00:37:13.803"	"94.71.123.49"	"RECEIVED: ***"
"SMTPD"	1836	1221298	"2017-03-02 00:37:13.819"	"94.71.123.49"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1848	1221298	"2017-03-02 00:37:14.133"	"94.71.123.49"	"RECEIVED: QUIT"
"SMTPD"	1848	1221298	"2017-03-02 00:37:14.133"	"94.71.123.49"	"SENT: 221 goodbye"
"DEBUG"	1836	"2017-03-02 00:37:14.133"	"Ending session 1221298"
"DEBUG"	1972	"2017-03-02 00:37:22.978"	"No messages to index."
"IMAPD"	1836	799893	"2017-03-02 00:37:24.504"	"94.100.181.37"	"RECEIVED: DONE"
"IMAPD"	1836	799893	"2017-03-02 00:37:24.504"	"94.100.181.37"	"SENT: 44 OK IDLE terminated"
"IMAPD"	1828	799893	"2017-03-02 00:37:24.727"	"94.100.181.37"	"RECEIVED: 5 CLOSE"
"IMAPD"	1828	799893	"2017-03-02 00:37:24.727"	"94.100.181.37"	"SENT: 5 OK CLOSE completed"
"IMAPD"	1836	799893	"2017-03-02 00:37:24.938"	"94.100.181.37"	"RECEIVED: 1 STATUS INBOX (UIDNEXT MESSAGES UNSEEN UIDVALIDITY)"
"IMAPD"	1836	799893	"2017-03-02 00:37:24.938"	"94.100.181.37"	"SENT: * STATUS "INBOX" (MESSAGES 1559 UNSEEN 0 UIDNEXT 1682 UIDVALIDITY 1342022141)[nl]1 OK Status completed"
"IMAPD"	1828	799893	"2017-03-02 00:37:25.147"	"94.100.181.37"	"RECEIVED: 4 SELECT INBOX"
"IMAPD"	1828	799893	"2017-03-02 00:37:25.147"	"94.100.181.37"	"SENT: * 1559 EXISTS[nl]* 0 RECENT[nl]* FLAGS (\Deleted \Seen \Draft \Answered \Flagged)[nl]* OK [UIDVALIDITY 1342022141] current uidvalidity[nl]* OK [UIDNEXT 1682] next uid[nl]* OK [PERMANENTFLAGS (\Deleted \Seen \Draft \Answered \Flagged)] limited[nl]4 OK [READ-WRITE] SELECT completed"
"IMAPD"	1836	799893	"2017-03-02 00:37:25.350"	"94.100.181.37"	"RECEIVED: 44 IDLE"
"IMAPD"	1836	799893	"2017-03-02 00:37:25.350"	"94.100.181.37"	"SENT: + idling"
"DEBUG"	1764	"2017-03-02 00:37:31.314"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1892	"2017-03-02 00:37:31.314"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1892	"2017-03-02 00:37:31.314"	"Delivering message..."
"APPLICATION"	1892	"2017-03-02 00:37:31.314"	"SMTPDeliverer - Message 1920942: Delivering message from anthonytataesq@gmail.com to likaskala759@muchomail.com. File: E:\HMAIL\Data\{DE1C8BE3-BBFA-474F-87B8-7ECC71C2813F}.eml"
"DEBUG"	1892	"2017-03-02 00:37:31.314"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1764	"2017-03-02 00:37:31.314"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1884	"2017-03-02 00:37:31.314"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1884	"2017-03-02 00:37:31.314"	"Delivering message..."
"APPLICATION"	1884	"2017-03-02 00:37:31.314"	"SMTPDeliverer - Message 1916113: Delivering message from anthonytataesq@gmail.com to smacomber@twc.cpm. File: E:\HMAIL\Data\{D155F800-E022-43F8-8EA0-71F35094BCA4}.eml"
"DEBUG"	1884	"2017-03-02 00:37:31.314"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1892	"2017-03-02 00:37:31.314"	"Connecting to ClamAV stream port..."
"DEBUG"	1884	"2017-03-02 00:37:31.329"	"Connecting to ClamAV stream port..."
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"No virus detected: stream: OK"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"No virus detected: stream: OK"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Applying rules"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Applying rules"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Applying rule Global Spam Rule"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Applying rule Global Spam Rule"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Performing local delivery"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Performing local delivery"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Local delivery completed"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Local delivery completed"
"TCPIP"	1892	"2017-03-02 00:37:32.352"	"DNS MX lookup: muchomail.com"
"TCPIP"	1884	"2017-03-02 00:37:32.352"	"DNS MX lookup: twc.cpm"
"TCPIP"	1884	"2017-03-02 00:37:32.352"	"DNS - MX Result: 0 IP addresses were found."
"APPLICATION"	1884	"2017-03-02 00:37:32.352"	"SMTPDeliverer - Message 1916113: No mail servers could be found for the address smacomber@twc.cpm."
"TCPIP"	1892	"2017-03-02 00:37:32.352"	"DNS - MX Result: 1 IP addresses were found."
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Summarizing delivery result"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Starting external delivery process. Server: sitemail.everyone.net (216.200.145.235), Port: 25, Security: 2, User name: "
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Summarized delivery results"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Creating session 1221300"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"SD::RescheduleDelivery_"
"TCPIP"	1892	"2017-03-02 00:37:32.352"	"Connecting to 216.200.145.235:25..."
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Retrieving retry options."
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Starting rescheduling."
"APPLICATION"	1884	"2017-03-02 00:37:32.352"	"SMTPDeliverer - Message 1916113: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Message rescheduled for later delivery."
"APPLICATION"	1884	"2017-03-02 00:37:32.368"	"SMTPDeliverer - Message 1916113: Message delivery thread completed."
"DEBUG"	1828	"2017-03-02 00:37:32.477"	"TCP connection started for session 1221300"
"SMTPC"	1828	1221300	"2017-03-02 00:37:32.605"	"216.200.145.235"	"RECEIVED: 220 m0088636.mta.everyone.net ESMTP EON-INBOUND"
"SMTPC"	1828	1221300	"2017-03-02 00:37:32.605"	"216.200.145.235"	"SENT: EHLO ***"
"SMTPC"	1836	1221300	"2017-03-02 00:37:32.732"	"216.200.145.235"	"RECEIVED: 250-m0088636.mta.everyone.net[nl]250-PIPELINING[nl]250-SIZE 50000000[nl]250-AUTH PLAIN LOGIN[nl]250-AUTH=LOGIN[nl]250-STARTTLS[nl]250 8BITMIME"
"SMTPC"	1836	1221300	"2017-03-02 00:37:32.732"	"216.200.145.235"	"SENT: STARTTLS"
"SMTPC"	1828	1221300	"2017-03-02 00:37:33.846"	"216.200.145.235"	"RECEIVED: 220 Ready to start TLS"
"DEBUG"	1828	"2017-03-02 00:37:33.846"	"Performing SSL/TLS handshake for session 1221300. Verify certificate: True, Expected remote host name: sitemail.everyone.net"
"DEBUG"	1828	"2017-03-02 00:37:34.154"	"Certificate verification succeeded for session 1221300."
"TCPIP"	1836	"2017-03-02 00:37:34.559"	"TCPConnection - TLS/SSL handshake completed. Session Id: 1221300, Remote IP: 216.200.145.235, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.559"	"216.200.145.235"	"SENT: EHLO ***"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.691"	"216.200.145.235"	"RECEIVED: 250-m0088636.mta.everyone.net[nl]250-PIPELINING[nl]250-SIZE 50000000[nl]250-AUTH PLAIN LOGIN[nl]250-AUTH=LOGIN[nl]250 8BITMIME"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.691"	"216.200.145.235"	"SENT: MAIL FROM:<anthonytataesq@gmail.com>"
"SMTPC"	1820	1221300	"2017-03-02 00:37:34.800"	"216.200.145.235"	"RECEIVED: 250 Sender okay"
"SMTPC"	1820	1221300	"2017-03-02 00:37:34.800"	"216.200.145.235"	"SENT: RCPT TO:<likaskala759@muchomail.com>"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.941"	"216.200.145.235"	"RECEIVED: 450 Recipient Rejected: Domain pending confirmation"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.941"	"216.200.145.235"	"SENT: QUIT"
"SMTPC"	1848	1221300	"2017-03-02 00:37:35.066"	"216.200.145.235"	"RECEIVED: 221 Bye"
"DEBUG"	1848	"2017-03-02 00:37:35.066"	"Ending session 1221300"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"External delivery process completed"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Summarizing delivery result"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Summarized delivery results"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"SD::RescheduleDelivery_"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Retrieving retry options."
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Starting rescheduling."
"APPLICATION"	1892	"2017-03-02 00:37:35.066"	"SMTPDeliverer - Message 1920942: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Message rescheduled for later delivery."
"APPLICATION"	1892	"2017-03-02 00:37:35.066"	"SMTPDeliverer - Message 1920942: Message delivery thread completed."
Thanks

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

Re: HMS sending Spam

Post by MarHMS » 2017-03-02 19:18

I can't edit the post above.

Those excerpts are before the suspicious email got authenticated. Can you explain?

The excerpt below is from when it got authenticated:


"DEBUG"	1848	"2017-03-02 02:27:26.278"	"Creating session 1221903"
"TCPIP"	1848	"2017-03-02 02:27:26.278"	"TCP - 112.124.76.177 connected to 192.168.0.7:25."
"DEBUG"	1848	"2017-03-02 02:27:26.278"	"TCP connection started for session 1221881"
"SMTPD"	1848	1221881	"2017-03-02 02:27:26.278"	"112.124.76.177"	"SENT: 220 *** Welcome to the FirstUnion SMTP Server ( Exim )"
"SMTPD"	1832	1221881	"2017-03-02 02:27:26.702"	"112.124.76.177"	"RECEIVED: HELO *** Welcome to the FirstUnion"
"SMTPD"	1832	1221881	"2017-03-02 02:27:26.702"	"112.124.76.177"	"SENT: 250 Hello."
"SMTPD"	1848	1221881	"2017-03-02 02:27:27.138"	"112.124.76.177"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1848	1221881	"2017-03-02 02:27:27.138"	"112.124.76.177"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1832	1221881	"2017-03-02 02:27:28.563"	"112.124.76.177"	"RECEIVED: ZmVybmFuZG8="
"SMTPD"	1832	1221881	"2017-03-02 02:27:28.563"	"112.124.76.177"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1848	1221881	"2017-03-02 02:27:31.730"	"112.124.76.177"	"RECEIVED: ***"
"SMTPD"	1848	1221881	"2017-03-02 02:27:31.745"	"112.124.76.177"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1832	1221881	"2017-03-02 02:27:32.170"	"112.124.76.177"	"RECEIVED: QUIT"
"SMTPD"	1832	1221881	"2017-03-02 02:27:32.170"	"112.124.76.177"	"SENT: 221 goodbye"
"DEBUG"	1848	"2017-03-02 02:27:32.170"	"Ending session 1221881"
"DEBUG"	1848	"2017-03-02 02:27:36.234"	"Creating session 1221905"
"TCPIP"	1848	"2017-03-02 02:27:36.234"	"TCP - 35.164.135.168 connected to 192.168.0.7:25."
"DEBUG"	1848	"2017-03-02 02:27:36.234"	"TCP connection started for session 1221903"
"SMTPD"	1848	1221903	"2017-03-02 02:27:36.234"	"35.164.135.168"	"SENT: 220 *** Welcome to the FirstUnion SMTP Server ( Exim )"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.344"	"35.164.135.168"	"RECEIVED: EHLO WIN-HON4OMN1707"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.344"	"35.164.135.168"	"SENT: 250-***[nl]250-SIZE 32000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.449"	"35.164.135.168"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.449"	"35.164.135.168"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.569"	"35.164.135.168"	"RECEIVED: dm9pY2VtYWls"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.569"	"35.164.135.168"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.679"	"35.164.135.168"	"RECEIVED: ***"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.679"	"35.164.135.168"	"SENT: 235 authenticated."
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.830"	"35.164.135.168"	"RECEIVED: RSET"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.830"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.926"	"35.164.135.168"	"RECEIVED: MAIL FROM: <anthonytataesq@gmail.com>"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.942"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.051"	"35.164.135.168"	"RECEIVED: RCPT TO: <habana171@hotmail.com>"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.051"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1848	1221903	"2017-03-02 02:27:37.161"	"35.164.135.168"	"RECEIVED: DATA"
"SMTPD"	1848	1221903	"2017-03-02 02:27:37.161"	"35.164.135.168"	"SENT: 354 OK, send."
"DEBUG"	1844	"2017-03-02 02:27:37.491"	"Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:37.491"	"Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:37.491"	"Saving message: {1FD2EF55-05FC-4BE4-9EFD-41BF9307D190}.eml"
"DEBUG"	1620	"2017-03-02 02:27:37.491"	"Requesting SMTPDeliveryManager to start message delivery"
"SMTPD"	1620	1221903	"2017-03-02 02:27:37.491"	"35.164.135.168"	"SENT: 250 Queued (0.320 seconds)"
"DEBUG"	1764	"2017-03-02 02:27:37.506"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1904	"2017-03-02 02:27:37.506"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1904	"2017-03-02 02:27:37.506"	"Delivering message..."
"APPLICATION"	1904	"2017-03-02 02:27:37.506"	"SMTPDeliverer - Message 1923063: Delivering message from anthonytataesq@gmail.com to habana171@hotmail.com. File: E:\HMAIL\Data\{1FD2EF55-05FC-4BE4-9EFD-41BF9307D190}.eml"
"DEBUG"	1904	"2017-03-02 02:27:37.506"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1904	"2017-03-02 02:27:37.506"	"Connecting to ClamAV stream port..."
"SMTPD"	1848	1221903	"2017-03-02 02:27:37.616"	"35.164.135.168"	"RECEIVED: RSET"
"SMTPD"	1848	1221903	"2017-03-02 02:27:37.616"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.739"	"35.164.135.168"	"RECEIVED: MAIL FROM: <anthonytataesq@gmail.com>"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.739"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1844	1221903	"2017-03-02 02:27:37.844"	"35.164.135.168"	"RECEIVED: RCPT TO: <habana171@yahoo.com>"
"SMTPD"	1844	1221903	"2017-03-02 02:27:37.844"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.953"	"35.164.135.168"	"RECEIVED: DATA"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.969"	"35.164.135.168"	"SENT: 354 OK, send."
"DEBUG"	1824	"2017-03-02 02:27:38.188"	"Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:38.188"	"Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:38.188"	"Saving message: {F3878594-3259-4FCC-ACEA-33EA14DDC958}.eml"
"DEBUG"	1620	"2017-03-02 02:27:38.188"	"Requesting SMTPDeliveryManager to start message delivery"
"SMTPD"	1620	1221903	"2017-03-02 02:27:38.188"	"35.164.135.168"	"SENT: 250 Queued (0.224 seconds)"
"DEBUG"	1764	"2017-03-02 02:27:38.188"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1896	"2017-03-02 02:27:38.188"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1896	"2017-03-02 02:27:38.188"	"Delivering message..."
"APPLICATION"	1896	"2017-03-02 02:27:38.188"	"SMTPDeliverer - Message 1923064: Delivering message from anthonytataesq@gmail.com to habana171@yahoo.com. File: E:\HMAIL\Data\{F3878594-3259-4FCC-ACEA-33EA14DDC958}.eml"
"DEBUG"	1896	"2017-03-02 02:27:38.188"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1896	"2017-03-02 02:27:38.203"	"Connecting to ClamAV stream port..."
"SMTPD"	1848	1221903	"2017-03-02 02:27:38.321"	"35.164.135.168"	"RECEIVED: RSET"
"SMTPD"	1848	1221903	"2017-03-02 02:27:38.321"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1844	1221903	"2017-03-02 02:27:38.430"	"35.164.135.168"	"RECEIVED: MAIL FROM: <anthonytataesq@gmail.com>"
"SMTPD"	1844	1221903	"2017-03-02 02:27:38.430"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1824	1221903	"2017-03-02 02:27:38.541"	"35.164.135.168"	"RECEIVED: RCPT TO: <christinacragg63@gmail.com>"
"SMTPD"	1824	1221903	"2017-03-02 02:27:38.541"	"35.164.135.168"	"SENT: 250 OK"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"No virus detected: stream: OK"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Applying rules"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Applying rule Global Spam Rule"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Performing local delivery"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Local delivery completed"
"TCPIP"	1904	"2017-03-02 02:27:38.572"	"DNS MX lookup: hotmail.com"
"SMTPD"	1848	1221903	"2017-03-02 02:27:38.650"	"35.164.135.168"	"RECEIVED: DATA"
"SMTPD"	1848	1221903	"2017-03-02 02:27:38.650"	"35.164.135.168"	"SENT: 354 OK, send."
"TCPIP"	1904	"2017-03-02 02:27:38.682"	"DNS - MX Result: 72 IP addresses were found."
"DEBUG"	1904	"2017-03-02 02:27:38.682"	"Maximum number of MX host reached. Truncating MX server list."
"DEBUG"	1904	"2017-03-02 02:27:38.682"	"Starting external delivery process. Server: mx1.hotmail.com (65.55.92.184), Port: 25, Security: 2, User name: "
"DEBUG"	1904	"2017-03-02 02:27:38.682"	"Creating session 1221906"
"TCPIP"	1904	"2017-03-02 02:27:38.682"	"Connecting to 65.55.92.184:25..."
"DEBUG"	1844	"2017-03-02 02:27:38.760"	"TCP connection started for session 1221906"
"SMTPC"	1824	1221906	"2017-03-02 02:27:38.838"	"65.55.92.184"	"RECEIVED: 220 SNT004-MC4F2.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Wed, 1 Mar 2017 23:27:40 -0800 "
"SMTPC"	1824	1221906	"2017-03-02 02:27:38.838"	"65.55.92.184"	"SENT: EHLO ***"
"DEBUG"	1832	"2017-03-02 02:27:38.885"	"Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:38.885"	"Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:38.885"	"Saving message: {8E95FD57-FE34-46D7-A177-01306FEF73EF}.eml"
"DEBUG"	1620	"2017-03-02 02:27:38.885"	"Requesting SMTPDeliveryManager to start message delivery"
"SMTPD"	1620	1221903	"2017-03-02 02:27:38.885"	"35.164.135.168"	"SENT: 250 Queued (0.240 seconds)"
"DEBUG"	1764	"2017-03-02 02:27:38.885"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1908	"2017-03-02 02:27:38.885"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1908	"2017-03-02 02:27:38.885"	"Delivering message..."
"APPLICATION"	1908	"2017-03-02 02:27:38.885"	"SMTPDeliverer - Message 1923065: Delivering message from anthonytataesq@gmail.com to christinacragg63@gmail.com. File: E:\HMAIL\Data\{8E95FD57-FE34-46D7-A177-01306FEF73EF}.eml"
"DEBUG"	1908	"2017-03-02 02:27:38.885"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1908	"2017-03-02 02:27:38.885"	"Connecting to ClamAV stream port..."
"SMTPC"	1844	1221906	"2017-03-02 02:27:38.900"	"65.55.92.184"	"RECEIVED: 250-SNT004-MC4F2.hotmail.com (3.22.0.27) Hello [***][nl]250-SIZE 36909875[nl]250-PIPELINING[nl]250-8bitmime[nl]250-BINARYMIME[nl]250-CHUNKING[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250-AUTH=LOGIN[nl]250 OK"
"SMTPC"	1844	1221906	"2017-03-02 02:27:38.900"	"65.55.92.184"	"SENT: STARTTLS"
"SMTPC"	1832	1221906	"2017-03-02 02:27:38.987"	"65.55.92.184"	"RECEIVED: 220 SMTP server ready"
"DEBUG"	1832	"2017-03-02 02:27:38.987"	"Performing SSL/TLS handshake for session 1221906. Verify certificate: True, Expected remote host name: mx1.hotmail.com"
"SMTPD"	1844	1221903	"2017-03-02 02:27:39.002"	"35.164.135.168"	"RECEIVED: RSET"
"SMTPD"	1844	1221903	"2017-03-02 02:27:39.002"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1832	1221903	"2017-03-02 02:27:39.112"	"35.164.135.168"	"RECEIVED: MAIL FROM: <anthonytataesq@gmail.com>"
"SMTPD"	1832	1221903	"2017-03-02 02:27:39.127"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1844	1221903	"2017-03-02 02:27:39.237"	"35.164.135.168"	"RECEIVED: RCPT TO: <pfdrreynolds@bellsouth.net>"
"DEBUG"	1832	"2017-03-02 02:27:39.237"	"Certificate verification succeeded for session 1221906."
"SMTPD"	1844	1221903	"2017-03-02 02:27:39.237"	"35.164.135.168"	"SENT: 250 OK"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"No virus detected: stream: OK"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Applying rules"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Applying rule Global Spam Rule"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Performing local delivery"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Local delivery completed"
"TCPIP"	1896	"2017-03-02 02:27:39.268"	"DNS MX lookup: yahoo.com"
"TCPIP"	1848	"2017-03-02 02:27:39.330"	"TCPConnection - TLS/SSL handshake completed. Session Id: 1221906, Remote IP: 65.55.92.184, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384, Bits: 256"
"SMTPC"	1848	1221906	"2017-03-02 02:27:39.330"	"65.55.92.184"	"SENT: EHLO ***"
"SMTPD"	1832	1221903	"2017-03-02 02:27:39.346"	"35.164.135.168"	"RECEIVED: DATA"
"SMTPD"	1832	1221903	"2017-03-02 02:27:39.346"	"35.164.135.168"	"SENT: 354 OK, send."
"TCPIP"	1896	"2017-03-02 02:27:39.377"	"DNS - MX Result: 24 IP addresses were found."
"DEBUG"	1896	"2017-03-02 02:27:39.377"	"Maximum number of MX host reached. Truncating MX server list."
I changed the password for the compromised account. Thanks.

mattg
Moderator
Posts: 20133
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HMS sending Spam

Post by mattg » 2017-03-03 00:18

So the compromised account was 'voicemail'.
You have a default domain set - that alone should have triggered some failures in the open-relay tests.

Once they authenticated, they'd send a message, RSET, then send another (rinse, repeat).

Turn off your default domain.
Make all mail clients use authentication like 'username@example.com', not just 'username'.
Clear your queue; this may take a few attempts to achieve, and may take many minutes.

https://log.damnation.org.uk/
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
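
To see the pattern mattg describes in your own logs and identify which account is being abused, here is an added example (not from this thread or the hMailServer project): a Python script that parses hMailServer's tab-separated SMTPD log lines, decodes the base64 AUTH LOGIN username that follows the `334 VXNlcm5hbWU6` ("Username:") prompt, and flags authenticated sessions that logged in with a bare username (only possible with a default domain set), submit MAIL FROM addresses outside the server's own domains, or cycle through RSET / MAIL FROM / RCPT TO repeatedly. The sample log lines, IPs, session ids, addresses and the local domain `example.com` are constructed for the example; the password field is masked `***` exactly as hMailServer writes it.

```python
import base64
import binascii
import csv
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample lines, modelled on the tab-separated hMailServer SMTPD
# log format quoted in the thread. IPs, session ids and addresses are made up.
SAMPLE_LOG = """\
"SMTPD"\t1848\t1000001\t"2017-03-02 02:27:27.138"\t"203.0.113.10"\t"RECEIVED: AUTH LOGIN"
"SMTPD"\t1848\t1000001\t"2017-03-02 02:27:27.138"\t"203.0.113.10"\t"SENT: 334 VXNlcm5hbWU6"
"SMTPD"\t1832\t1000001\t"2017-03-02 02:27:28.563"\t"203.0.113.10"\t"RECEIVED: ZmVybmFuZG8="
"SMTPD"\t1832\t1000001\t"2017-03-02 02:27:28.563"\t"203.0.113.10"\t"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"\t1848\t1000001\t"2017-03-02 02:27:31.730"\t"203.0.113.10"\t"RECEIVED: ***"
"SMTPD"\t1848\t1000001\t"2017-03-02 02:27:31.745"\t"203.0.113.10"\t"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"\t1832\t1000002\t"2017-03-02 02:27:36.344"\t"198.51.100.7"\t"RECEIVED: EHLO WIN-EXAMPLE"
"SMTPD"\t1844\t1000002\t"2017-03-02 02:27:36.449"\t"198.51.100.7"\t"RECEIVED: AUTH LOGIN"
"SMTPD"\t1844\t1000002\t"2017-03-02 02:27:36.449"\t"198.51.100.7"\t"SENT: 334 VXNlcm5hbWU6"
"SMTPD"\t1832\t1000002\t"2017-03-02 02:27:36.569"\t"198.51.100.7"\t"RECEIVED: dm9pY2VtYWls"
"SMTPD"\t1832\t1000002\t"2017-03-02 02:27:36.569"\t"198.51.100.7"\t"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"\t1844\t1000002\t"2017-03-02 02:27:36.679"\t"198.51.100.7"\t"RECEIVED: ***"
"SMTPD"\t1844\t1000002\t"2017-03-02 02:27:36.679"\t"198.51.100.7"\t"SENT: 235 authenticated."
"SMTPD"\t1832\t1000002\t"2017-03-02 02:27:36.830"\t"198.51.100.7"\t"RECEIVED: RSET"
"SMTPD"\t1844\t1000002\t"2017-03-02 02:27:36.926"\t"198.51.100.7"\t"RECEIVED: MAIL FROM: <spoofed.sender@gmail.com>"
"SMTPD"\t1832\t1000002\t"2017-03-02 02:27:37.051"\t"198.51.100.7"\t"RECEIVED: RCPT TO: <victim1@hotmail.com>"
"SMTPD"\t1848\t1000002\t"2017-03-02 02:27:37.616"\t"198.51.100.7"\t"RECEIVED: RSET"
"SMTPD"\t1832\t1000002\t"2017-03-02 02:27:37.739"\t"198.51.100.7"\t"RECEIVED: MAIL FROM: <spoofed.sender@gmail.com>"
"SMTPD"\t1844\t1000002\t"2017-03-02 02:27:37.844"\t"198.51.100.7"\t"RECEIVED: RCPT TO: <victim2@yahoo.com>"
"SMTPD"\t1848\t1000002\t"2017-03-02 02:27:38.321"\t"198.51.100.7"\t"RECEIVED: RSET"
"SMTPD"\t1844\t1000002\t"2017-03-02 02:27:38.430"\t"198.51.100.7"\t"RECEIVED: MAIL FROM: <spoofed.sender@gmail.com>"
"SMTPD"\t1824\t1000002\t"2017-03-02 02:27:38.541"\t"198.51.100.7"\t"RECEIVED: RCPT TO: <victim3@gmail.com>"
"""

MAIL_FROM_RE = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)
RCPT_TO_RE = re.compile(r"RCPT TO:\s*<([^>]*)>", re.IGNORECASE)
USERNAME_PROMPT = "334 VXNlcm5hbWU6"  # base64("Username:"), sent by hMailServer for AUTH LOGIN


@dataclass
class Session:
    session_id: str
    remote_ip: str
    auth_user: Optional[str] = None   # decoded username from the last AUTH LOGIN attempt
    authenticated: bool = False       # saw a "235" reply
    auth_failures: int = 0            # count of "535" replies
    senders: List[str] = field(default_factory=list)     # MAIL FROM addresses
    recipients: List[str] = field(default_factory=list)  # RCPT TO addresses
    rsets: int = 0
    expect_username: bool = False     # next RECEIVED line is the base64 username


def decode_b64_token(token: str) -> Optional[str]:
    """Decode a base64 AUTH LOGIN token; None if it is not valid base64/UTF-8 (e.g. the masked '***')."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_smtpd_log(text: str) -> Dict[str, Session]:
    """Build one Session per inbound SMTPD session id from hMailServer log text."""
    sessions: Dict[str, Session] = {}
    for row in csv.reader(text.splitlines(), delimiter="\t", quotechar='"'):
        # DEBUG/TCPIP lines have 4 fields; SMTPC is the outbound side. Only SMTPD matters here.
        if len(row) != 6 or row[0] != "SMTPD":
            continue
        _, _, sid, _, ip, event = row
        s = sessions.setdefault(sid, Session(sid, ip))
        direction, _, payload = event.partition(": ")
        if direction == "SENT":
            if payload.startswith(USERNAME_PROMPT):
                s.expect_username = True
            elif payload.startswith("235"):
                s.authenticated = True
            elif payload.startswith("535"):
                s.auth_failures += 1
        elif direction == "RECEIVED":
            if s.expect_username:
                s.auth_user = decode_b64_token(payload)
                s.expect_username = False
            elif payload.upper() == "RSET":
                s.rsets += 1
            elif MAIL_FROM_RE.match(payload):
                s.senders.append(MAIL_FROM_RE.match(payload).group(1).lower())
            elif RCPT_TO_RE.match(payload):
                s.recipients.append(RCPT_TO_RE.match(payload).group(1).lower())
    return sessions


def flag_sessions(sessions: Dict[str, Session], local_domains: Set[str],
                  max_envelopes: int = 2) -> Dict[str, List[str]]:
    """Return {session_id: [reasons]} for authenticated sessions that look like relay abuse."""
    findings: Dict[str, List[str]] = {}
    for sid, s in sessions.items():
        if not s.authenticated:
            continue
        reasons = []
        if s.auth_user and "@" not in s.auth_user:
            reasons.append("bare-username-login")  # only accepted when a default domain is set
        foreign = {a.rsplit("@", 1)[-1] for a in s.senders if "@" in a} - set(local_domains)
        if foreign:
            reasons.append("foreign-sender-domain:" + ",".join(sorted(foreign)))
        if len(s.senders) > max_envelopes:
            reasons.append(f"bulk-envelopes:{len(s.senders)}")
        if reasons:
            findings[sid] = reasons
    return findings


if __name__ == "__main__":
    sessions = parse_smtpd_log(SAMPLE_LOG)
    for sid, reasons in flag_sessions(sessions, {"example.com"}).items():
        s = sessions[sid]
        print(f"session {sid} from {s.remote_ip}: account={s.auth_user!r} "
              f"envelopes={len(s.senders)} rsets={s.rsets} -> {', '.join(reasons)}")
```

Run it against a real `hmailserver_YYYY-MM-DD.log` by reading the file into `parse_smtpd_log` and passing your own domains to `flag_sessions`; the decoded `auth_user` tells you which account's password to reset, and the `bare-username-login` reason is the log-side symptom of the default-domain setting discussed in this thread.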

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

Re: HMS sending Spam

Post by MarHMS » 2017-03-03 04:44

The accounts are authenticated using username@example.com, not username. It's odd, though, how it got authenticated with just 'voicemail'.

Default domain?
I don't think I'm understanding.

mattg
Moderator
Posts: 20133
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HMS sending Spam

Post by mattg » 2017-03-03 05:54

Having a default domain set is the ONLY way that accounts can authenticate with just a username.

Admin GUI >> Advanced

You have a default domain set, please make that blank
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: HMS sending Spam

Post by jimimaseye » 2017-03-03 11:38

mattg wrote:having a default domain set is the ONLY way that accounts can authenticate with just a username

Admin GUI >> Advanced

You have a default domain set, please make that blank

I see another version of the 'settings' script coming with an additional field being included. (This is very important in identifying potential security risks - as proven here.)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

Re: HMS sending Spam

Post by MarHMS » 2017-03-03 19:37

mattg wrote:having a default domain set is the ONLY way that accounts can authenticate with just a username

Admin GUI >> Advanced

You have a default domain set, please make that blank

I cleared the default domain box.
Thanks a lot guys!

I also enabled Auto Ban. I use a webmail which resides on the same server as HMS. I read that in order to exclude it, I would have to create an IP Range for said webmail IP. Will the computer IP Range suffice, or do I have to add the public IP address?

jimimaseye
Moderator
Posts: 8131
Joined: 2011-09-08 17:48

Re: HMS sending Spam

Post by jimimaseye » 2017-03-03 19:57

You use whatever the IP ADDRESS is that is identified to HMS at the time of connection and the priority must be higher than 20.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

MarHMS
Normal user
Posts: 105
Joined: 2015-12-11 17:10

Re: HMS sending Spam

Post by MarHMS » 2017-03-04 01:18

jimimaseye wrote:You use whatever the IP ADDRESS is that is identified to HMS at the time of connection and the priority must be higher than 20.

Will do that.

Thanks
