
HMS sending Spam

Posted: 2017-03-02 15:19
by MarHMS
I think someone is using my HMS as a relay to send spam.

See attachment below.

Can someone please explain, and advise how to stop it?

Re: HMS sending Spam

Posted: 2017-03-02 15:32
by jimimaseye

Re: HMS sending Spam

Posted: 2017-03-02 15:39
by MarHMS
[code]
3/2/2017 8:36:50 AM Hmailserver: 5.6.4-B2283

IP: 127.0.0.1 - 127.0.0.1 Priority: 15 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 10 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - True External To External - True


IP: 192.168.0.1 - 192.168.0.255 Priority: 1 Name: LAN

Allow connections Other
SMTP: True Antispam : False
POP3: True Antivirus: False
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: False

There is a total of 2 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: True - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: 127.0.0.1
Add X-HmailServer-Reason: True Check MX records: True - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: False - 5 Use SA score: False - 5
Subject Text: "[Possible Spam]"
Spam delete threshold: 8 Maximum message size: 1024

GREYLISTING:
Greylisting: False

DNSBL ENTRIES:
zen.spamhaus.org Score: 5 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 3 Result: 127.0.0.2
hostkarma.junkemailfilter.com Score: 2 Result: 127.0.0.2|127.0.0.4
b.barracudacentral.org Score: 2 Result: 127.0.0.2|127.0.0.4

SURBL ENTRIES:
multi.surbl.org Score: 3
-----------------------------------------------------------------------------------------------

WHITELISTING
No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
When found - Delete email. Notify Sender: False, Notify Receiver: True

Max Message Size: 26214
CLAM AV: True Hostname: localhost Port: 3310
CLAMWIN: False
CUSTOMAV: False

Block Attachments: True
*.bat Batch processing file
*.cmd Command file for Windows NT
*.com Command
*.cpl Windows Control Panel extension
*.csh CSH script
*.exe Executable file
*.inf Setup file
*.js JavaScript files
*.lnk Windows link file
*.msi Windows Installer file
*.msp Windows Installer patch
*.pif Program information file
*.rar Winrar archives
*.reg Registration key
*.scf Windows Explorer command
*.scr Windows Screen saver
*.vbs VBScript
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : True
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: True
SslCipherList :

ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - None
0.0.0.0 / 465 / SMTP - None
0.0.0.0 / 587 / SMTP - None
192.168.0.7 / 25 / SMTP - None
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:- Current: E:\HMAIL\Logs\hmailserver_2017-03-02.log
Error: E:\HMAIL\Logs\ERROR_hmailserver_2017-03-02.log
Event: E:\HMAIL\Logs\hmailserver_events.log
Awstats: E:\HMAIL\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - True
IMAP - True
TCPIP - True
DEBUG - True
AWSTATS - True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory C:\Users\eviewer\Desktop\ is writable.

ERROR: Messages exists which are located outside of the data directory E:\HMAIL\Data.
ERROR: Full paths are stored in the database.

-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.45, Hmailserver Forum.

Re: HMS sending Spam

Posted: 2017-03-02 15:44
by jimimaseye
Did you read the link I gave you and follow its advice word for word? Everything you need to know is in there. (I personally am not going to repeat what has already been written).

Re: HMS sending Spam

Posted: 2017-03-02 15:47
by MarHMS
Will do that.

Honestly, I was reading another thread with a similar issue, so I got a bit confused and overlooked the link :(

Re: HMS sending Spam

Posted: 2017-03-02 15:50
by jimimaseye
(Your "LAN" IP range has no point. Your priority for it is LOWER than the INTERNET range (which will then take precedence). And your TCPIP PORT entry "192.168.0.7 / 25 / SMTP - None" is pointless too. The "0.0.0.0" already covers it.)

Re: HMS sending Spam

Posted: 2017-03-02 16:33
by MarHMS
I see.
So should I delete LAN IP range, or change its priority?
Will make the changes. Thanks as usual! :)

I'm going through the document.
The mail server passed open relay tests, but based on the queue there is definitely ongoing suspicious activity.

Re: HMS sending Spam

Posted: 2017-03-02 16:42
by jimimaseye
Look for the advice on checking the SMTPD entries to find the account that was used to authenticate.

Re: HMS sending Spam

Posted: 2017-03-02 18:46
by MarHMS
Okay, I'm getting somewhere, but I need your assistance Jim.

I pasted 3 excerpts of the log below.
I see where authentications are failing with some random accounts, one of them being almost legit. I see where the suspicious email is being sent, but not where it got authenticated.
The suspicious email address is anthonytataesq@gmail.com.

Code:

"SMTPD"	1848	1221126	"2017-03-02 00:17:44.532"	"46.105.123.22"	"RECEIVED: RSET"
"SMTPD"	1848	1221126	"2017-03-02 00:17:44.532"	"46.105.123.22"	"SENT: 250 OK"
"SMTPD"	1828	1221126	"2017-03-02 00:17:44.673"	"46.105.123.22"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1828	1221126	"2017-03-02 00:17:44.673"	"46.105.123.22"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1848	1221126	"2017-03-02 00:17:44.813"	"46.105.123.22"	"RECEIVED: cGx1Z2luc0BmaXJzdHVuaW9uamEuY29t"
"SMTPD"	1848	1221126	"2017-03-02 00:17:44.813"	"46.105.123.22"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1820	1221126	"2017-03-02 00:17:44.962"	"46.105.123.22"	"RECEIVED: ***"
"SMTPD"	1820	1221126	"2017-03-02 00:17:44.962"	"46.105.123.22"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1848	1221126	"2017-03-02 00:17:45.118"	"46.105.123.22"	"RECEIVED: RSET"
"SMTPD"	1848	1221126	"2017-03-02 00:17:45.118"	"46.105.123.22"	"SENT: Too many invalid commands. Bye!"
"DEBUG"	1812	"2017-03-02 00:17:45.118"	"Ending session 1221126"
"DEBUG"	1764	"2017-03-02 00:18:10.514"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1876	"2017-03-02 00:18:10.514"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1876	"2017-03-02 00:18:10.514"	"Delivering message..."
"APPLICATION"	1876	"2017-03-02 00:18:10.514"	"SMTPDeliverer - Message 1917088: Delivering message from anthonytataesq@gmail.com to memastal@gmail.ccom. File: E:\HMAIL\Data\{D24A655B-C52E-4A8E-B8E9-8CD11CF7070E}.eml"
"DEBUG"	1876	"2017-03-02 00:18:10.514"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1764	"2017-03-02 00:18:10.514"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1888	"2017-03-02 00:18:10.514"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1888	"2017-03-02 00:18:10.514"	"Delivering message..."
"APPLICATION"	1888	"2017-03-02 00:18:10.514"	"SMTPDeliverer - Message 1917100: Delivering message from anthonytataesq@gmail.com to _blacksoul666@univision.com. File: E:\HMAIL\Data\{0CFE7932-2791-42BB-B22D-8D8592D30FFD}.eml"
"DEBUG"	1888	"2017-03-02 00:18:10.514"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1764	"2017-03-02 00:18:10.514"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1884	"2017-03-02 00:18:10.514"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1884	"2017-03-02 00:18:10.514"	"Delivering message..."
"APPLICATION"	1884	"2017-03-02 00:18:10.514"	"SMTPDeliverer - Message 1914973: Delivering message from anthonytataesq@gmail.com to sidberrygmail@87.com. File: E:\HMAIL\Data\{93D6E2DE-15B8-4460-B92E-4D6B736AFBFD}.eml"
"DEBUG"	1884	"2017-03-02 00:18:10.514"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1888	"2017-03-02 00:18:10.514"	"Connecting to ClamAV stream port..."
"DEBUG"	1876	"2017-03-02 00:18:10.530"	"Connecting to ClamAV stream port..."
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"No virus detected: stream: OK"
"DEBUG"	1884	"2017-03-02 00:18:11.543"	"Connecting to ClamAV stream port..."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"No virus detected: stream: OK"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Applying rules"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Applying rule Global Spam Rule"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Applying rules"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Performing local delivery"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Applying rule Global Spam Rule"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Local delivery completed"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Applying rule whereareyounow.net Spam"
"TCPIP"	1888	"2017-03-02 00:18:11.543"	"DNS MX lookup: univision.com"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Performing local delivery"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Local delivery completed"
"TCPIP"	1876	"2017-03-02 00:18:11.543"	"DNS MX lookup: gmail.ccom"
"TCPIP"	1876	"2017-03-02 00:18:11.543"	"DNS - MX Result: 0 IP addresses were found."
"APPLICATION"	1876	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917088: No mail servers could be found for the address memastal@gmail.ccom."
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Summarizing delivery result"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Summarized delivery results"
"TCPIP"	1888	"2017-03-02 00:18:11.543"	"DNS - MX Result: 0 IP addresses were found."
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"SD::RescheduleDelivery_"
"APPLICATION"	1888	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917100: No mail servers could be found for the address _blacksoul666@univision.com."
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Retrieving retry options."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Summarizing delivery result"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Starting rescheduling."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Summarized delivery results"
"APPLICATION"	1876	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917088: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"SD::RescheduleDelivery_"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Retrieving retry options."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"Starting rescheduling."
"APPLICATION"	1888	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917100: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1888	"2017-03-02 00:18:11.543"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1876	"2017-03-02 00:18:11.543"	"Message rescheduled for later delivery."
"APPLICATION"	1876	"2017-03-02 00:18:11.543"	"SMTPDeliverer - Message 1917088: Message delivery thread completed."
"DEBUG"	1888	"2017-03-02 00:18:11.574"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1888	"2017-03-02 00:18:11.574"	"Message rescheduled for later delivery."
"APPLICATION"	1888	"2017-03-02 00:18:11.574"	"SMTPDeliverer - Message 1917100: Message delivery thread completed."
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"No virus detected: stream: OK"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Applying rules"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Applying rule Global Spam Rule"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Performing local delivery"
"DEBUG"	1884	"2017-03-02 00:18:12.558"	"Local delivery completed"
"TCPIP"	1884	"2017-03-02 00:18:12.558"	"DNS MX lookup: 87.com"
"TCPIP"	1884	"2017-03-02 00:18:12.838"	"DNS - MX Result: 1 IP addresses were found."
"DEBUG"	1884	"2017-03-02 00:18:12.838"	"Starting external delivery process. Server: 87.com (150.242.208.8), Port: 25, Security: 2, User name: "
"DEBUG"	1884	"2017-03-02 00:18:12.838"	"Creating session 1221149"
"TCPIP"	1884	"2017-03-02 00:18:12.838"	"Connecting to 150.242.208.8:25..."
"DEBUG"	1812	"2017-03-02 00:18:14.652"	"SMTPDeliverer - Message 1914973 - Connection failed: Host name: 150.242.208.8, message: The remote computer refused the network connection"
"DEBUG"	1812	"2017-03-02 00:18:14.652"	"Ending session 1221149"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"External delivery process completed"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Summarizing delivery result"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Summarized delivery results"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"SD::RescheduleDelivery_"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Retrieving retry options."
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Starting rescheduling."
"APPLICATION"	1884	"2017-03-02 00:18:14.652"	"SMTPDeliverer - Message 1914973: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:18:14.652"	"Message rescheduled for later delivery."
"APPLICATION"	1884	"2017-03-02 00:18:14.652"	"SMTPDeliverer - Message 1914973: Message delivery thread completed."

Code:

"DEBUG"	1876	"2017-03-02 00:19:12.890"	"Starting external delivery process. Server: gmail-smtp-in.l.google.com (108.177.12.27), Port: 25, Security: 2, User name: "
"DEBUG"	1876	"2017-03-02 00:19:12.890"	"Creating session 1221155"
"TCPIP"	1876	"2017-03-02 00:19:12.890"	"Connecting to 108.177.12.27:25..."
"DEBUG"	1812	"2017-03-02 00:19:12.937"	"TCP connection started for session 1221155"
"SMTPC"	1812	1221155	"2017-03-02 00:19:12.984"	"108.177.12.27"	"RECEIVED: 220 mx.google.com ESMTP 75si2898249uau.245 - gsmtp"
"SMTPC"	1812	1221155	"2017-03-02 00:19:12.984"	"108.177.12.27"	"SENT: EHLO ***"
"SMTPC"	1812	1221155	"2017-03-02 00:19:13.047"	"108.177.12.27"	"RECEIVED: 250-mx.google.com at your service, [***][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-STARTTLS[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC"	1812	1221155	"2017-03-02 00:19:13.047"	"108.177.12.27"	"SENT: STARTTLS"
"SMTPC"	1796	1221155	"2017-03-02 00:19:13.094"	"108.177.12.27"	"RECEIVED: 220 2.0.0 Ready to start TLS"
"DEBUG"	1796	"2017-03-02 00:19:13.094"	"Performing SSL/TLS handshake for session 1221155. Verify certificate: True, Expected remote host name: gmail-smtp-in.l.google.com"
"DEBUG"	1812	"2017-03-02 00:19:13.140"	"Certificate verification succeeded for session 1221155."
"DEBUG"	1796	"2017-03-02 00:19:13.140"	"SMTPDeliverer - Message 1915161 - Connection failed: Host name: 176.74.176.187, message: The remote computer refused the network connection"
"DEBUG"	1796	"2017-03-02 00:19:13.140"	"Ending session 1221154"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"External delivery process completed"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Summarizing delivery result"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Summarized delivery results"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"SD::RescheduleDelivery_"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Retrieving retry options."
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Starting rescheduling."
"APPLICATION"	1884	"2017-03-02 00:19:13.140"	"SMTPDeliverer - Message 1915161: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:19:13.140"	"Message rescheduled for later delivery."
"APPLICATION"	1884	"2017-03-02 00:19:13.140"	"SMTPDeliverer - Message 1915161: Message delivery thread completed."
"TCPIP"	1796	"2017-03-02 00:19:13.187"	"TCPConnection - TLS/SSL handshake completed. Session Id: 1221155, Remote IP: 108.177.12.27, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"SMTPC"	1796	1221155	"2017-03-02 00:19:13.187"	"108.177.12.27"	"SENT: EHLO ***"
"SMTPC"	1848	1221155	"2017-03-02 00:19:13.234"	"108.177.12.27"	"RECEIVED: 250-mx.google.com at your service, [***][nl]250-SIZE 157286400[nl]250-8BITMIME[nl]250-ENHANCEDSTATUSCODES[nl]250-PIPELINING[nl]250-CHUNKING[nl]250 SMTPUTF8"
"SMTPC"	1848	1221155	"2017-03-02 00:19:13.234"	"108.177.12.27"	"SENT: MAIL FROM:<anthonytataesq@gmail.com>"
"SMTPC"	1812	1221155	"2017-03-02 00:19:13.281"	"108.177.12.27"	"RECEIVED: 250 2.1.0 OK 75si2898249uau.245 - gsmtp"
"SMTPC"	1812	1221155	"2017-03-02 00:19:13.297"	"108.177.12.27"	"SENT: RCPT TO:<tsharris23@gmail.com>"
"SMTPC"	1848	1221155	"2017-03-02 00:19:13.406"	"108.177.12.27"	"RECEIVED: 452-4.2.2 The email account that you tried to reach is over quota. Please direct[nl]452-4.2.2 the recipient to[nl]452 4.2.2  https://support.google.com/mail/?p=OverQuotaTemp 75si2898249uau.245 - gsmtp"
"SMTPC"	1848	1221155	"2017-03-02 00:19:13.406"	"108.177.12.27"	"SENT: QUIT"
"SMTPC"	1796	1221155	"2017-03-02 00:19:13.453"	"108.177.12.27"	"RECEIVED: 221 2.0.0 closing connection 75si2898249uau.245 - gsmtp"
"DEBUG"	1796	"2017-03-02 00:19:13.453"	"Ending session 1221155"
"DEBUG"	1876	"2017-03-02 00:19:13.453"	"External delivery process completed"

Code:

"DEBUG"	1848	"2017-03-02 00:36:57.288"	"Creating session 1221298"
"TCPIP"	1848	"2017-03-02 00:36:57.288"	"TCP - 91.200.12.164 connected to 192.168.0.7:25."
"DEBUG"	1848	"2017-03-02 00:36:57.288"	"TCP connection started for session 1221268"
"SMTPD"	1848	1221268	"2017-03-02 00:36:57.288"	"91.200.12.164"	"SENT: 220 *** Welcome to the FirstUnion SMTP Server ( Exim )"
"SMTPD"	1828	1221268	"2017-03-02 00:36:57.514"	"91.200.12.164"	"RECEIVED: EHLO User"
"SMTPD"	1828	1221268	"2017-03-02 00:36:57.514"	"91.200.12.164"	"SENT: 250-***[nl]250-SIZE 32000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	1836	1221268	"2017-03-02 00:36:57.739"	"91.200.12.164"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1836	1221268	"2017-03-02 00:36:57.739"	"91.200.12.164"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1828	1221268	"2017-03-02 00:36:57.974"	"91.200.12.164"	"RECEIVED: ZmF4"
"SMTPD"	1828	1221268	"2017-03-02 00:36:57.974"	"91.200.12.164"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1836	1221268	"2017-03-02 00:36:58.193"	"91.200.12.164"	"RECEIVED: ***"
"SMTPD"	1836	1221268	"2017-03-02 00:36:58.193"	"91.200.12.164"	"SENT: 535 Authentication failed. Restarting authentication process."
"DEBUG"	1848	"2017-03-02 00:36:58.420"	"The read operation failed. Bytes transferred: 0 Remote IP: 91.200.12.164, Session: 1221268, Code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG"	1848	"2017-03-02 00:36:58.420"	"Ending session 1221268"
"DEBUG"	1848	"2017-03-02 00:37:10.314"	"Creating session 1221299"
"TCPIP"	1848	"2017-03-02 00:37:10.314"	"TCP - 94.71.123.49 connected to 192.168.0.7:25."
"DEBUG"	1848	"2017-03-02 00:37:10.329"	"TCP connection started for session 1221298"
"SMTPD"	1848	1221298	"2017-03-02 00:37:10.329"	"94.71.123.49"	"SENT: 220 *** Welcome to the FirstUnion SMTP Server ( Exim )"
"SMTPD"	1836	1221298	"2017-03-02 00:37:12.894"	"94.71.123.49"	"RECEIVED: HELO *** Welcome to the FirstUnion"
"SMTPD"	1836	1221298	"2017-03-02 00:37:12.894"	"94.71.123.49"	"SENT: 250 Hello."
"SMTPD"	1848	1221298	"2017-03-02 00:37:13.168"	"94.71.123.49"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1848	1221298	"2017-03-02 00:37:13.168"	"94.71.123.49"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1828	1221298	"2017-03-02 00:37:13.477"	"94.71.123.49"	"RECEIVED: ZGFuYQ=="
"SMTPD"	1828	1221298	"2017-03-02 00:37:13.477"	"94.71.123.49"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1836	1221298	"2017-03-02 00:37:13.803"	"94.71.123.49"	"RECEIVED: ***"
"SMTPD"	1836	1221298	"2017-03-02 00:37:13.819"	"94.71.123.49"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1848	1221298	"2017-03-02 00:37:14.133"	"94.71.123.49"	"RECEIVED: QUIT"
"SMTPD"	1848	1221298	"2017-03-02 00:37:14.133"	"94.71.123.49"	"SENT: 221 goodbye"
"DEBUG"	1836	"2017-03-02 00:37:14.133"	"Ending session 1221298"
"DEBUG"	1972	"2017-03-02 00:37:22.978"	"No messages to index."
"IMAPD"	1836	799893	"2017-03-02 00:37:24.504"	"94.100.181.37"	"RECEIVED: DONE"
"IMAPD"	1836	799893	"2017-03-02 00:37:24.504"	"94.100.181.37"	"SENT: 44 OK IDLE terminated"
"IMAPD"	1828	799893	"2017-03-02 00:37:24.727"	"94.100.181.37"	"RECEIVED: 5 CLOSE"
"IMAPD"	1828	799893	"2017-03-02 00:37:24.727"	"94.100.181.37"	"SENT: 5 OK CLOSE completed"
"IMAPD"	1836	799893	"2017-03-02 00:37:24.938"	"94.100.181.37"	"RECEIVED: 1 STATUS INBOX (UIDNEXT MESSAGES UNSEEN UIDVALIDITY)"
"IMAPD"	1836	799893	"2017-03-02 00:37:24.938"	"94.100.181.37"	"SENT: * STATUS "INBOX" (MESSAGES 1559 UNSEEN 0 UIDNEXT 1682 UIDVALIDITY 1342022141)[nl]1 OK Status completed"
"IMAPD"	1828	799893	"2017-03-02 00:37:25.147"	"94.100.181.37"	"RECEIVED: 4 SELECT INBOX"
"IMAPD"	1828	799893	"2017-03-02 00:37:25.147"	"94.100.181.37"	"SENT: * 1559 EXISTS[nl]* 0 RECENT[nl]* FLAGS (\Deleted \Seen \Draft \Answered \Flagged)[nl]* OK [UIDVALIDITY 1342022141] current uidvalidity[nl]* OK [UIDNEXT 1682] next uid[nl]* OK [PERMANENTFLAGS (\Deleted \Seen \Draft \Answered \Flagged)] limited[nl]4 OK [READ-WRITE] SELECT completed"
"IMAPD"	1836	799893	"2017-03-02 00:37:25.350"	"94.100.181.37"	"RECEIVED: 44 IDLE"
"IMAPD"	1836	799893	"2017-03-02 00:37:25.350"	"94.100.181.37"	"SENT: + idling"
"DEBUG"	1764	"2017-03-02 00:37:31.314"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1892	"2017-03-02 00:37:31.314"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1892	"2017-03-02 00:37:31.314"	"Delivering message..."
"APPLICATION"	1892	"2017-03-02 00:37:31.314"	"SMTPDeliverer - Message 1920942: Delivering message from anthonytataesq@gmail.com to likaskala759@muchomail.com. File: E:\HMAIL\Data\{DE1C8BE3-BBFA-474F-87B8-7ECC71C2813F}.eml"
"DEBUG"	1892	"2017-03-02 00:37:31.314"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1764	"2017-03-02 00:37:31.314"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1884	"2017-03-02 00:37:31.314"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1884	"2017-03-02 00:37:31.314"	"Delivering message..."
"APPLICATION"	1884	"2017-03-02 00:37:31.314"	"SMTPDeliverer - Message 1916113: Delivering message from anthonytataesq@gmail.com to smacomber@twc.cpm. File: E:\HMAIL\Data\{D155F800-E022-43F8-8EA0-71F35094BCA4}.eml"
"DEBUG"	1884	"2017-03-02 00:37:31.314"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1892	"2017-03-02 00:37:31.314"	"Connecting to ClamAV stream port..."
"DEBUG"	1884	"2017-03-02 00:37:31.329"	"Connecting to ClamAV stream port..."
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"No virus detected: stream: OK"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"No virus detected: stream: OK"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Applying rules"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Applying rules"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Applying rule Global Spam Rule"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Applying rule Global Spam Rule"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Performing local delivery"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Performing local delivery"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Local delivery completed"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Local delivery completed"
"TCPIP"	1892	"2017-03-02 00:37:32.352"	"DNS MX lookup: muchomail.com"
"TCPIP"	1884	"2017-03-02 00:37:32.352"	"DNS MX lookup: twc.cpm"
"TCPIP"	1884	"2017-03-02 00:37:32.352"	"DNS - MX Result: 0 IP addresses were found."
"APPLICATION"	1884	"2017-03-02 00:37:32.352"	"SMTPDeliverer - Message 1916113: No mail servers could be found for the address smacomber@twc.cpm."
"TCPIP"	1892	"2017-03-02 00:37:32.352"	"DNS - MX Result: 1 IP addresses were found."
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Summarizing delivery result"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Starting external delivery process. Server: sitemail.everyone.net (216.200.145.235), Port: 25, Security: 2, User name: "
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Summarized delivery results"
"DEBUG"	1892	"2017-03-02 00:37:32.352"	"Creating session 1221300"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"SD::RescheduleDelivery_"
"TCPIP"	1892	"2017-03-02 00:37:32.352"	"Connecting to 216.200.145.235:25..."
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Retrieving retry options."
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Starting rescheduling."
"APPLICATION"	1884	"2017-03-02 00:37:32.352"	"SMTPDeliverer - Message 1916113: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1884	"2017-03-02 00:37:32.352"	"Message rescheduled for later delivery."
"APPLICATION"	1884	"2017-03-02 00:37:32.368"	"SMTPDeliverer - Message 1916113: Message delivery thread completed."
"DEBUG"	1828	"2017-03-02 00:37:32.477"	"TCP connection started for session 1221300"
"SMTPC"	1828	1221300	"2017-03-02 00:37:32.605"	"216.200.145.235"	"RECEIVED: 220 m0088636.mta.everyone.net ESMTP EON-INBOUND"
"SMTPC"	1828	1221300	"2017-03-02 00:37:32.605"	"216.200.145.235"	"SENT: EHLO ***"
"SMTPC"	1836	1221300	"2017-03-02 00:37:32.732"	"216.200.145.235"	"RECEIVED: 250-m0088636.mta.everyone.net[nl]250-PIPELINING[nl]250-SIZE 50000000[nl]250-AUTH PLAIN LOGIN[nl]250-AUTH=LOGIN[nl]250-STARTTLS[nl]250 8BITMIME"
"SMTPC"	1836	1221300	"2017-03-02 00:37:32.732"	"216.200.145.235"	"SENT: STARTTLS"
"SMTPC"	1828	1221300	"2017-03-02 00:37:33.846"	"216.200.145.235"	"RECEIVED: 220 Ready to start TLS"
"DEBUG"	1828	"2017-03-02 00:37:33.846"	"Performing SSL/TLS handshake for session 1221300. Verify certificate: True, Expected remote host name: sitemail.everyone.net"
"DEBUG"	1828	"2017-03-02 00:37:34.154"	"Certificate verification succeeded for session 1221300."
"TCPIP"	1836	"2017-03-02 00:37:34.559"	"TCPConnection - TLS/SSL handshake completed. Session Id: 1221300, Remote IP: 216.200.145.235, Version: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256, Bits: 128"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.559"	"216.200.145.235"	"SENT: EHLO ***"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.691"	"216.200.145.235"	"RECEIVED: 250-m0088636.mta.everyone.net[nl]250-PIPELINING[nl]250-SIZE 50000000[nl]250-AUTH PLAIN LOGIN[nl]250-AUTH=LOGIN[nl]250 8BITMIME"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.691"	"216.200.145.235"	"SENT: MAIL FROM:<anthonytataesq@gmail.com>"
"SMTPC"	1820	1221300	"2017-03-02 00:37:34.800"	"216.200.145.235"	"RECEIVED: 250 Sender okay"
"SMTPC"	1820	1221300	"2017-03-02 00:37:34.800"	"216.200.145.235"	"SENT: RCPT TO:<likaskala759@muchomail.com>"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.941"	"216.200.145.235"	"RECEIVED: 450 Recipient Rejected: Domain pending confirmation"
"SMTPC"	1836	1221300	"2017-03-02 00:37:34.941"	"216.200.145.235"	"SENT: QUIT"
"SMTPC"	1848	1221300	"2017-03-02 00:37:35.066"	"216.200.145.235"	"RECEIVED: 221 Bye"
"DEBUG"	1848	"2017-03-02 00:37:35.066"	"Ending session 1221300"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"External delivery process completed"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Summarizing delivery result"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Summarized delivery results"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"SD::RescheduleDelivery_"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Retrieving retry options."
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Starting rescheduling."
"APPLICATION"	1892	"2017-03-02 00:37:35.066"	"SMTPDeliverer - Message 1920942: Message could not be delivered. Scheduling it for later delivery in 5 minutes."
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	1892	"2017-03-02 00:37:35.066"	"Message rescheduled for later delivery."
"APPLICATION"	1892	"2017-03-02 00:37:35.066"	"SMTPDeliverer - Message 1920942: Message delivery thread completed."
Thanks

Re: HMS sending Spam

Posted: 2017-03-02 19:18
by MarHMS
I can't edit the post above.

Those excerpts are before the suspicious email got authenticated. Can you explain?

The excerpt below is from when it got authenticated:

Code:

"DEBUG"	1848	"2017-03-02 02:27:26.278"	"Creating session 1221903"
"TCPIP"	1848	"2017-03-02 02:27:26.278"	"TCP - 112.124.76.177 connected to 192.168.0.7:25."
"DEBUG"	1848	"2017-03-02 02:27:26.278"	"TCP connection started for session 1221881"
"SMTPD"	1848	1221881	"2017-03-02 02:27:26.278"	"112.124.76.177"	"SENT: 220 *** Welcome to the FirstUnion SMTP Server ( Exim )"
"SMTPD"	1832	1221881	"2017-03-02 02:27:26.702"	"112.124.76.177"	"RECEIVED: HELO *** Welcome to the FirstUnion"
"SMTPD"	1832	1221881	"2017-03-02 02:27:26.702"	"112.124.76.177"	"SENT: 250 Hello."
"SMTPD"	1848	1221881	"2017-03-02 02:27:27.138"	"112.124.76.177"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1848	1221881	"2017-03-02 02:27:27.138"	"112.124.76.177"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1832	1221881	"2017-03-02 02:27:28.563"	"112.124.76.177"	"RECEIVED: ZmVybmFuZG8="
"SMTPD"	1832	1221881	"2017-03-02 02:27:28.563"	"112.124.76.177"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1848	1221881	"2017-03-02 02:27:31.730"	"112.124.76.177"	"RECEIVED: ***"
"SMTPD"	1848	1221881	"2017-03-02 02:27:31.745"	"112.124.76.177"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1832	1221881	"2017-03-02 02:27:32.170"	"112.124.76.177"	"RECEIVED: QUIT"
"SMTPD"	1832	1221881	"2017-03-02 02:27:32.170"	"112.124.76.177"	"SENT: 221 goodbye"
"DEBUG"	1848	"2017-03-02 02:27:32.170"	"Ending session 1221881"
"DEBUG"	1848	"2017-03-02 02:27:36.234"	"Creating session 1221905"
"TCPIP"	1848	"2017-03-02 02:27:36.234"	"TCP - 35.164.135.168 connected to 192.168.0.7:25."
"DEBUG"	1848	"2017-03-02 02:27:36.234"	"TCP connection started for session 1221903"
"SMTPD"	1848	1221903	"2017-03-02 02:27:36.234"	"35.164.135.168"	"SENT: 220 *** Welcome to the FirstUnion SMTP Server ( Exim )"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.344"	"35.164.135.168"	"RECEIVED: EHLO WIN-HON4OMN1707"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.344"	"35.164.135.168"	"SENT: 250-***[nl]250-SIZE 32000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.449"	"35.164.135.168"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.449"	"35.164.135.168"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.569"	"35.164.135.168"	"RECEIVED: dm9pY2VtYWls"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.569"	"35.164.135.168"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.679"	"35.164.135.168"	"RECEIVED: ***"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.679"	"35.164.135.168"	"SENT: 235 authenticated."
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.830"	"35.164.135.168"	"RECEIVED: RSET"
"SMTPD"	1832	1221903	"2017-03-02 02:27:36.830"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.926"	"35.164.135.168"	"RECEIVED: MAIL FROM: <anthonytataesq@gmail.com>"
"SMTPD"	1844	1221903	"2017-03-02 02:27:36.942"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.051"	"35.164.135.168"	"RECEIVED: RCPT TO: <habana171@hotmail.com>"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.051"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1848	1221903	"2017-03-02 02:27:37.161"	"35.164.135.168"	"RECEIVED: DATA"
"SMTPD"	1848	1221903	"2017-03-02 02:27:37.161"	"35.164.135.168"	"SENT: 354 OK, send."
"DEBUG"	1844	"2017-03-02 02:27:37.491"	"Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:37.491"	"Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:37.491"	"Saving message: {1FD2EF55-05FC-4BE4-9EFD-41BF9307D190}.eml"
"DEBUG"	1620	"2017-03-02 02:27:37.491"	"Requesting SMTPDeliveryManager to start message delivery"
"SMTPD"	1620	1221903	"2017-03-02 02:27:37.491"	"35.164.135.168"	"SENT: 250 Queued (0.320 seconds)"
"DEBUG"	1764	"2017-03-02 02:27:37.506"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1904	"2017-03-02 02:27:37.506"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1904	"2017-03-02 02:27:37.506"	"Delivering message..."
"APPLICATION"	1904	"2017-03-02 02:27:37.506"	"SMTPDeliverer - Message 1923063: Delivering message from anthonytataesq@gmail.com to habana171@hotmail.com. File: E:\HMAIL\Data\{1FD2EF55-05FC-4BE4-9EFD-41BF9307D190}.eml"
"DEBUG"	1904	"2017-03-02 02:27:37.506"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1904	"2017-03-02 02:27:37.506"	"Connecting to ClamAV stream port..."
"SMTPD"	1848	1221903	"2017-03-02 02:27:37.616"	"35.164.135.168"	"RECEIVED: RSET"
"SMTPD"	1848	1221903	"2017-03-02 02:27:37.616"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.739"	"35.164.135.168"	"RECEIVED: MAIL FROM: <anthonytataesq@gmail.com>"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.739"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1844	1221903	"2017-03-02 02:27:37.844"	"35.164.135.168"	"RECEIVED: RCPT TO: <habana171@yahoo.com>"
"SMTPD"	1844	1221903	"2017-03-02 02:27:37.844"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.953"	"35.164.135.168"	"RECEIVED: DATA"
"SMTPD"	1832	1221903	"2017-03-02 02:27:37.969"	"35.164.135.168"	"SENT: 354 OK, send."
"DEBUG"	1824	"2017-03-02 02:27:38.188"	"Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:38.188"	"Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:38.188"	"Saving message: {F3878594-3259-4FCC-ACEA-33EA14DDC958}.eml"
"DEBUG"	1620	"2017-03-02 02:27:38.188"	"Requesting SMTPDeliveryManager to start message delivery"
"SMTPD"	1620	1221903	"2017-03-02 02:27:38.188"	"35.164.135.168"	"SENT: 250 Queued (0.224 seconds)"
"DEBUG"	1764	"2017-03-02 02:27:38.188"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1896	"2017-03-02 02:27:38.188"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1896	"2017-03-02 02:27:38.188"	"Delivering message..."
"APPLICATION"	1896	"2017-03-02 02:27:38.188"	"SMTPDeliverer - Message 1923064: Delivering message from anthonytataesq@gmail.com to habana171@yahoo.com. File: E:\HMAIL\Data\{F3878594-3259-4FCC-ACEA-33EA14DDC958}.eml"
"DEBUG"	1896	"2017-03-02 02:27:38.188"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1896	"2017-03-02 02:27:38.203"	"Connecting to ClamAV stream port..."
"SMTPD"	1848	1221903	"2017-03-02 02:27:38.321"	"35.164.135.168"	"RECEIVED: RSET"
"SMTPD"	1848	1221903	"2017-03-02 02:27:38.321"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1844	1221903	"2017-03-02 02:27:38.430"	"35.164.135.168"	"RECEIVED: MAIL FROM: <anthonytataesq@gmail.com>"
"SMTPD"	1844	1221903	"2017-03-02 02:27:38.430"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1824	1221903	"2017-03-02 02:27:38.541"	"35.164.135.168"	"RECEIVED: RCPT TO: <christinacragg63@gmail.com>"
"SMTPD"	1824	1221903	"2017-03-02 02:27:38.541"	"35.164.135.168"	"SENT: 250 OK"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"No virus detected: stream: OK"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Applying rules"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Applying rule Global Spam Rule"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Performing local delivery"
"DEBUG"	1904	"2017-03-02 02:27:38.572"	"Local delivery completed"
"TCPIP"	1904	"2017-03-02 02:27:38.572"	"DNS MX lookup: hotmail.com"
"SMTPD"	1848	1221903	"2017-03-02 02:27:38.650"	"35.164.135.168"	"RECEIVED: DATA"
"SMTPD"	1848	1221903	"2017-03-02 02:27:38.650"	"35.164.135.168"	"SENT: 354 OK, send."
"TCPIP"	1904	"2017-03-02 02:27:38.682"	"DNS - MX Result: 72 IP addresses were found."
"DEBUG"	1904	"2017-03-02 02:27:38.682"	"Maximum number of MX host reached. Truncating MX server list."
"DEBUG"	1904	"2017-03-02 02:27:38.682"	"Starting external delivery process. Server: mx1.hotmail.com (65.55.92.184), Port: 25, Security: 2, User name: "
"DEBUG"	1904	"2017-03-02 02:27:38.682"	"Creating session 1221906"
"TCPIP"	1904	"2017-03-02 02:27:38.682"	"Connecting to 65.55.92.184:25..."
"DEBUG"	1844	"2017-03-02 02:27:38.760"	"TCP connection started for session 1221906"
"SMTPC"	1824	1221906	"2017-03-02 02:27:38.838"	"65.55.92.184"	"RECEIVED: 220 SNT004-MC4F2.hotmail.com Sending unsolicited commercial or bulk e-mail to Microsoft's computer network is prohibited. Other restrictions are found at http://privacy.microsoft.com/en-us/anti-spam.mspx. Wed, 1 Mar 2017 23:27:40 -0800 "
"SMTPC"	1824	1221906	"2017-03-02 02:27:38.838"	"65.55.92.184"	"SENT: EHLO ***"
"DEBUG"	1832	"2017-03-02 02:27:38.885"	"Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:38.885"	"Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG"	1620	"2017-03-02 02:27:38.885"	"Saving message: {8E95FD57-FE34-46D7-A177-01306FEF73EF}.eml"
"DEBUG"	1620	"2017-03-02 02:27:38.885"	"Requesting SMTPDeliveryManager to start message delivery"
"SMTPD"	1620	1221903	"2017-03-02 02:27:38.885"	"35.164.135.168"	"SENT: 250 Queued (0.240 seconds)"
"DEBUG"	1764	"2017-03-02 02:27:38.885"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	1908	"2017-03-02 02:27:38.885"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	1908	"2017-03-02 02:27:38.885"	"Delivering message..."
"APPLICATION"	1908	"2017-03-02 02:27:38.885"	"SMTPDeliverer - Message 1923065: Delivering message from anthonytataesq@gmail.com to christinacragg63@gmail.com. File: E:\HMAIL\Data\{8E95FD57-FE34-46D7-A177-01306FEF73EF}.eml"
"DEBUG"	1908	"2017-03-02 02:27:38.885"	"Connecting to ClamAV virus scanner..."
"DEBUG"	1908	"2017-03-02 02:27:38.885"	"Connecting to ClamAV stream port..."
"SMTPC"	1844	1221906	"2017-03-02 02:27:38.900"	"65.55.92.184"	"RECEIVED: 250-SNT004-MC4F2.hotmail.com (3.22.0.27) Hello [***][nl]250-SIZE 36909875[nl]250-PIPELINING[nl]250-8bitmime[nl]250-BINARYMIME[nl]250-CHUNKING[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250-AUTH=LOGIN[nl]250 OK"
"SMTPC"	1844	1221906	"2017-03-02 02:27:38.900"	"65.55.92.184"	"SENT: STARTTLS"
"SMTPC"	1832	1221906	"2017-03-02 02:27:38.987"	"65.55.92.184"	"RECEIVED: 220 SMTP server ready"
"DEBUG"	1832	"2017-03-02 02:27:38.987"	"Performing SSL/TLS handshake for session 1221906. Verify certificate: True, Expected remote host name: mx1.hotmail.com"
"SMTPD"	1844	1221903	"2017-03-02 02:27:39.002"	"35.164.135.168"	"RECEIVED: RSET"
"SMTPD"	1844	1221903	"2017-03-02 02:27:39.002"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1832	1221903	"2017-03-02 02:27:39.112"	"35.164.135.168"	"RECEIVED: MAIL FROM: <anthonytataesq@gmail.com>"
"SMTPD"	1832	1221903	"2017-03-02 02:27:39.127"	"35.164.135.168"	"SENT: 250 OK"
"SMTPD"	1844	1221903	"2017-03-02 02:27:39.237"	"35.164.135.168"	"RECEIVED: RCPT TO: <pfdrreynolds@bellsouth.net>"
"DEBUG"	1832	"2017-03-02 02:27:39.237"	"Certificate verification succeeded for session 1221906."
"SMTPD"	1844	1221903	"2017-03-02 02:27:39.237"	"35.164.135.168"	"SENT: 250 OK"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"No virus detected: stream: OK"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Applying rules"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Applying rule Global Spam Rule"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Applying rule whereareyounow.net Spam"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Performing local delivery"
"DEBUG"	1896	"2017-03-02 02:27:39.268"	"Local delivery completed"
"TCPIP"	1896	"2017-03-02 02:27:39.268"	"DNS MX lookup: yahoo.com"
"TCPIP"	1848	"2017-03-02 02:27:39.330"	"TCPConnection - TLS/SSL handshake completed. Session Id: 1221906, Remote IP: 65.55.92.184, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-SHA384, Bits: 256"
"SMTPC"	1848	1221906	"2017-03-02 02:27:39.330"	"65.55.92.184"	"SENT: EHLO ***"
"SMTPD"	1832	1221903	"2017-03-02 02:27:39.346"	"35.164.135.168"	"RECEIVED: DATA"
"SMTPD"	1832	1221903	"2017-03-02 02:27:39.346"	"35.164.135.168"	"SENT: 354 OK, send."
"TCPIP"	1896	"2017-03-02 02:27:39.377"	"DNS - MX Result: 24 IP addresses were found."
"DEBUG"	1896	"2017-03-02 02:27:39.377"	"Maximum number of MX host reached. Truncating MX server list."
I changed the password for the compromised account. Thanks.

Re: HMS sending Spam

Posted: 2017-03-03 00:18
by mattg
So the compromised account was 'voicemail'.
You have a default domain set - that alone should have triggered some failures in the open-relay tests.

Once they authenticated, they'd send a message, RSET, then send another (rinse, repeat).

Turn off your default domain.
Make all mail clients use authentication like 'username@example.com', not just 'username'.
Clear your queue; this may take a few attempts to achieve, and may take many minutes.

https://log.damnation.org.uk/
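To pick the pattern mattg describes out of an hMailServer SMTPD log (a 235 after AUTH LOGIN with a bare username, then RCPT TO, RSET, repeat within one session), here is an added Python audit script that is not from this thread or from hMailServer. The sample lines are constructed in the log layout shown above; the 203.0.113.5 address and session id 42 are made up, and the rcpt_threshold value is an arbitrary assumption.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in hMailServer's tab-separated SMTPD log layout (documentation IP,
# made-up session id 42); dm9pY2VtYWls is base64 for "voicemail", as in the thread's log.
SAMPLE_LOG = """\
"SMTPD"\t1848\t42\t"2017-03-02 02:27:36.449"\t"203.0.113.5"\t"SENT: 334 VXNlcm5hbWU6"
"SMTPD"\t1832\t42\t"2017-03-02 02:27:36.569"\t"203.0.113.5"\t"RECEIVED: dm9pY2VtYWls"
"SMTPD"\t1844\t42\t"2017-03-02 02:27:36.679"\t"203.0.113.5"\t"RECEIVED: ***"
"SMTPD"\t1844\t42\t"2017-03-02 02:27:36.679"\t"203.0.113.5"\t"SENT: 235 authenticated."
"SMTPD"\t1832\t42\t"2017-03-02 02:27:37.051"\t"203.0.113.5"\t"RECEIVED: RCPT TO: <b@example.net>"
"SMTPD"\t1848\t42\t"2017-03-02 02:27:37.616"\t"203.0.113.5"\t"RECEIVED: RSET"
"SMTPD"\t1844\t42\t"2017-03-02 02:27:37.844"\t"203.0.113.5"\t"RECEIVED: RCPT TO: <c@example.org>"
"SMTPD"\t1848\t42\t"2017-03-02 02:27:38.321"\t"203.0.113.5"\t"RECEIVED: RSET"
"SMTPD"\t1844\t42\t"2017-03-02 02:27:38.541"\t"203.0.113.5"\t"RECEIVED: RCPT TO: <d@example.org>"
"""
# fields: "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "SENT|RECEIVED: <text>"
SMTPD_RE = re.compile(r'^"SMTPD"\t\d+\t(\d+)\t"[^"]*"\t"([^"]*)"\t"(SENT|RECEIVED): (.*)"$')


def audit_sessions(log_text, rcpt_threshold=3):
    """Per session: client IP, decoded AUTH LOGIN user, 235 seen, post-auth RCPT/RSET counts, flags."""
    sessions = defaultdict(lambda: {"ip": None, "user": None, "auth": False, "rcpt": 0, "rset": 0})
    awaiting_user = set()  # sessions whose next RECEIVED line is the base64 username
    for m in filter(None, map(SMTPD_RE.match, log_text.splitlines())):
        sid, ip, direction, text = m.groups()
        s = sessions[sid]
        s["ip"] = ip
        if direction == "SENT":
            if text.startswith("334 VXNlcm5hbWU6"):  # base64 "Username:" challenge
                awaiting_user.add(sid)
            elif text.startswith("235 "):
                s["auth"] = True
        elif sid in awaiting_user:  # the password reply is masked as *** in the log, only this decodes
            awaiting_user.discard(sid)
            try:
                s["user"] = base64.b64decode(text, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError: not base64, leave user unknown
                s["user"] = None
        elif s["auth"] and text.upper().startswith("RCPT TO:"):
            s["rcpt"] += 1
        elif s["auth"] and text.upper() == "RSET":
            s["rset"] += 1
    for s in sessions.values():  # flag bare (domain-less) logins and send/RSET/repeat loops
        s["flags"] = []
        if s["auth"] and s["user"] and "@" not in s["user"]:
            s["flags"].append("bare username accepted (only possible with a default domain set)")
        if s["auth"] and s["rcpt"] >= rcpt_threshold:
            s["flags"].append(f"{s['rcpt']} recipients over {s['rset'] + 1} MAIL transactions")
    return dict(sessions)
```

Run it over the real hmailserver log with `audit_sessions(open(path).read())` and look at the sessions whose flags list is non-empty.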

Re: HMS sending Spam

Posted: 2017-03-03 04:44
by MarHMS
The accounts are authenticated using username@example.com, not username. It's odd though how it got authenticated with just 'voicemail'.

Default domain?
I don't think I'm understanding.

Re: HMS sending Spam

Posted: 2017-03-03 05:54
by mattg
Having a default domain set is the ONLY way that accounts can authenticate with just a username.

Admin GUI >> Advanced

You have a default domain set, please make that blank

Re: HMS sending Spam

Posted: 2017-03-03 11:38
by jimimaseye
mattg wrote: Having a default domain set is the ONLY way that accounts can authenticate with just a username

Admin GUI >> Advanced

You have a default domain set, please make that blank
I see another version of the 'settings' script coming with an additional field being included. (This is very important in identifying potential security risks - as proven here.)

Re: HMS sending Spam

Posted: 2017-03-03 19:37
by MarHMS
mattg wrote: Having a default domain set is the ONLY way that accounts can authenticate with just a username

Admin GUI >> Advanced

You have a default domain set, please make that blank
I cleared the default domain box.
Thanks a lot guys!

I also enabled Auto Ban. I use a webmail which resides on the same server as HMS. I read that in order to exclude it, I would have to create an IP Range for said webmail IP. Will the computer IP Range suffice, or do I have to add the public IP address?

Re: HMS sending Spam

Posted: 2017-03-03 19:57
by jimimaseye
You use whatever the IP ADDRESS is that is identified to HMS at the time of connection and the priority must be higher than 20.

Re: HMS sending Spam

Posted: 2017-03-04 01:18
by MarHMS
jimimaseye wrote: You use whatever the IP ADDRESS is that is identified to HMS at the time of connection and the priority must be higher than 20.
Will do that.

Thanks