Urgent help please, spammers using my server
Hi,
As the title suggests I need to stop spammers sending their crap through my hMS. Can't understand how they are getting to do it?
Here is my diagnostics:
[code]
01/04/2017 13:09:19 Hmailserver: 5.6.7-B2407
IP: 127.0.0.1 - 127.0.0.1 Priority: 30 Name: My computer
Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True !! ANTIVIRUS NOT CONFIGURED !!
IMAP: True SSL/TLS: False
Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - False
IP: 192.168.0.1 - 192.168.0.255 Priority: 25 Name: MyLAN
Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True !! ANTIVIRUS NOT CONFIGURED !!
IMAP: True SSL/TLS: False
Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True
IP: 0.0.0.0 - 255.255.255.255 Priority: 11 Name: Internet
Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True !! ANTIVIRUS NOT CONFIGURED !!
IMAP: True SSL/TLS: False
Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - False
------------------------------------------------------
AUTOBANNED Local Addresses:
No entries
-----------------------------------------------------------------------------------------------
AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 3
Minutes Before Reset: 30 (0.50 hours, 0.02 days)
Minutes to Autoban: 60 (1.00 hours, 0.04 days)
No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------
INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------
ANTISPAM
GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: False - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: 127.0.0.1
Add X-HmailServer-Reason: True Check MX records: False - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: False - 5 Use SA score: False - 5
Subject Text: "[SPAM]"
Spam delete threshold: 15 Maximum message size: 4096
GREYLISTING:
Greylisting: False
DNSBL ENTRIES:
zen.spamhaus.org Score: 4 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 3 Result: 127.0.0.2
cbl.abuseat.org Score: 2 Result: 127.0.0.2
b.barracudacentral.org Score: 2 Result: 127.0.0.2
SURBL ENTRIES:
multi.surbl.org Score: 3
-----------------------------------------------------------------------------------------------
WHITELISTING
No entries
-----------------------------------------------------------------------------------------------
ANTIVIRUS: No application configured.
Block Attachments: False
-----------------------------------------------------------------------------------------------
SSL/TLS
SSL 3.0 : False
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: False
SslCipherList :
ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------
TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - StartTLS Optional
0.0.0.0 / 465 / SMTP - SSL/TLS
-----------------------------------------------------------------------------------------------
LOGGING Logging Enabled: True
Paths:- Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-04-01.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-04-01.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - .
IMAP - True
TCPIP - True
DEBUG - .
AWSTATS - .
-----------------------------------------------------------------------------------------------
SYSTEM TESTS
Database type: MSSQL
IPv6 support is available in operating system.
Backup directory C:\Program Files (x86)\hMailServer\backup is writable.
Relative message paths are stored in the database for all messages.
-----------------------------------------------------------------------------------------------
[/code]
Generated by HMSSettingsDiagnostics v1.48, Hmailserver Forum.
Please help. Thanks.
Re: Urgent help please, spammers using my server
I have disabled External to External deliveries from my Local IP range.
Here is a sample of one of hundreds of messages I found in my delivery queue:
Code:
Received: from [127.0.0.1] (10.208.237.221.broad.dz.sc.dynamic.163data.com.cn [221.237.208.10])
by mail.hottroc.co.uk with ESMTPSA
(version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256)
; Sat, 1 Apr 2017 13:37:53 +0100
From: james@jctconsulting.com
To: leonisa.saliva@wanadoo.com
Cc: scholz@ferguson.com, qhi4u@yahoo.com, breecemom01@yahoo.com,
kennydhicks@yahoo.com, mbhughes@hotmail.com, jjpenaalfaro@yahoo.com
Subject: N(C(Cc1ccccc1)C)C?
Message-ID: <62807DC9.3FF1EE6DD437ECCD@jctconsulting.com>
X-Priority: 3
Importance: Normal
Date: Sat, 1 Apr 2017 15:37:49 +0300
Content-Type: multipart/alternative;
boundary="--InfrawareEmailBoundaryDepth1_4CCFF2E1--"
MIME-Version: 1.0
X-Mailer: Infraware POLARIS Mobile Mailer v2.5
This is a multi-part message in MIME format
----InfrawareEmailBoundaryDepth1_4CCFF2E1--
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
http://barryhutchison.com/M1O4kR
Is little evidence to judge the abuse!
A pilot Phase I clinical trial conducted? Within 3=C3=A2=E2=82=AC=E2=80=
=9C20 minutes of injection? Is little evidence to judge the abuse!
----InfrawareEmailBoundaryDepth1_4CCFF2E1--
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<a href=3D"http://barryhutchison.com/M1O4kR">Tramadol is a synthetic o=
pioid of!</a> <p>Is little evidence to judge the abuse!</p> <p>A pilot=
Phase I clinical trial conducted? Within 3=C3=A2=E2=82=AC=E2=80=9C20 =
minutes of injection? Is little evidence to judge the abuse!
----InfrawareEmailBoundaryDepth1_4CCFF2E1----
But I don't understand....if the system is getting this wrong and allowing external clients to present themselves as the local machine then surely the whole system is flawed and vulnerable?
Re: Urgent help please, spammers using my server
Not a direct instant help, but do yourself and us a favor and report this bastard to the network owner's antispam department.
$ whois 221.237.208.10
% Information related to '221.236.0.0 - 221.237.255.255'
inetnum: 221.236.0.0 - 221.237.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
e-mail: anti-spam@ns.chinanet.cn.net <---
Just write an email to the above email address, describe your situation and copy
and paste the following log entry into your email:
Attacking spam host:
(10.208.237.221.broad.dz.sc.dynamic.163data.com.cn [221.237.208.10])
Date: Sat, 1 Apr 2017 13:37 +0100
Next you should set up your hMailServer IP ranges correctly. You also can block regions,
networks and whole countries via GEO-IP block. I block China and Russia because I have no business with them but many attacks.
Re: Urgent help please, spammers using my server
Dravion wrote:
> Not a direct instant help, but do yourself and us a favor and report this bastard to the network owner's antispam department.
> $ whois 221.237.208.10
Thanks for the help and info, I will do that.
Dravion wrote:
> Next you should set up your hMailServer IP ranges correctly.
What haven't I got set correctly?
Dravion wrote:
> You also can block regions, networks and whole countries via GEO-IP block. I block China and Russia because I have no business with them but many attacks.
OK, didn't know that was possible, would the block relate purely to hMS and email? If so I will definitely do the same as I never directly email those countries.
How is this set? I cannot find GEO-IP block in hMS Administrator anywhere.
Re: Urgent help please, spammers using my server
No. It's not only email. Every connection attempt from a geoblocked IP range will be dropped.
GEO-Block is something you must do outside hMailServer on operating system level with a
firewall. On Linux there exists a built-in solution to filter IP blocks, but on Windows you need
third-party networking software which can do the same.
ps:
This howto and PowerShell script can do almost the same as the Linux built-in solution,
but you need a bit of PowerShell and firewall understanding:
https://cyber-defense.sans.org/blog/201 ... ork-ranges
Re: Urgent help please, spammers using my server
OK thanks, I'll have a look at that soon, thanks.
In the meantime, I was trying to send the email you suggested in your first reply, but since I disallowed the External to External deliveries hMS appears to be blocking me from sending my own email out from one of my domain "Names". It has sat in the delivery queue and retried 3 times so far. However this action (unticking Ext to Ext) has at least stopped the spammers and I have deleted all the spam messages that were in the queue and no new spam is being added....but I need my own mail to work.
So what is wrong with my config?
Thanks.
Re: Urgent help please, spammers using my server
Oh no, my mistake, my mail is still working as I sent a test, it's just the one to that abuse email address that is not going.
Re: Urgent help please, spammers using my server
Dravion wrote:
> No. It's not only email. Every connection attempt from a geoblocked IP range will be dropped.
OK so will that block incoming and outgoing connections? I occasionally buy things from sellers in China and look at Chinese websites etc, so don't want to block everything.
Dravion wrote:
> ...but on Windows you need third-party networking software which can do the same.
I am on Windows, would Windows Firewall do the trick, or would a firewall such as Comodo do it?
Dravion wrote:
> ps:
> This howto and PowerShell script can do almost the same as the Linux built-in solution,
> but you need a bit of PowerShell and firewall understanding:
> https://cyber-defense.sans.org/blog/201 ... ork-ranges
Will look at that soon, many thanks, just a bit snowed under atm.
Re: Urgent help please, spammers using my server
hottroc wrote:
> But I don't understand....if the system is getting this wrong and allowing external clients to present themselves as the local machine then surely the whole system is flawed and vulnerable?
hMailserver is as secure as your passwords if set correctly, and default settings are correct for 99%+ of users.
Can you show some logs of your hmailserver receiving mail if you think it is still allowing spam to be sent from it...
If you have mail in your queue that you don't want to deliver, then you can simply delete it
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
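The queued spam posted earlier in the thread was accepted `with ESMTPSA`, meaning an authenticated session, so the logs requested above are best read per session: who logged in, from which address, and how many outside recipients were accepted afterwards. The following is an added example, not code from the thread or from hMailServer; it replays SMTPD lines in the quoted-field layout hMailServer logs use. The trusted ranges mirror the "My computer" and "MyLAN" ranges from the diagnostics, while `LOCAL_DOMAINS`, the threshold and every sample line are constructed assumptions.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Inbound line layout assumed here:
# "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "<RECEIVED|SENT>: <text>"
LINE_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+(?P<sid>\d+)\s+"[^"]+"\s+"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"$')
RCPT_RE = re.compile(r"RCPT TO:\s*<[^>@]*@([^>]+)>", re.IGNORECASE)

# Assumptions: replace with your own trusted ranges and hosted domains.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "192.168.0.0/24")]
LOCAL_DOMAINS = {"example.org"}
RCPT_THRESHOLD = 5  # accepted external recipients per session before flagging


@dataclass
class Session:
    ip: str
    user: Optional[str] = None
    authenticated: bool = False
    external_rcpts: int = 0
    state: str = "idle"            # idle -> want_user -> want_pass -> idle
    pending: Optional[str] = None  # domain of the RCPT TO awaiting a reply


def decode_b64(token):
    """Decode an AUTH LOGIN token; None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def is_trusted(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)


def analyse(lines):
    sessions = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # SMTPC, APPLICATION and TCPIP lines are not inbound SMTP
        s = sessions.setdefault(m["sid"], Session(m["ip"]))
        direction, _, text = m["msg"].partition(": ")
        if direction == "RECEIVED":
            s.pending = None
            if s.state == "want_user":
                s.user, s.state = decode_b64(text), "want_pass"
            elif s.state == "want_pass":
                s.state = "idle"  # the password line is masked as *** in the log
            elif text.upper().startswith("AUTH LOGIN"):
                s.state = "want_user"
            else:
                rcpt = RCPT_RE.match(text)
                s.pending = rcpt.group(1).lower() if rcpt else None
        elif direction == "SENT":
            if text.startswith("235"):
                s.authenticated = True
            elif text.startswith("250") and s.pending and s.pending not in LOCAL_DOMAINS:
                s.external_rcpts += 1  # server accepted a recipient it must relay
            s.pending = None
    return sessions


def suspicious(sessions):
    """Authenticated sessions from untrusted IPs that relayed to many outsiders."""
    return {sid: s for sid, s in sessions.items() if s.authenticated
            and not is_trusted(s.ip) and s.external_rcpts >= RCPT_THRESHOLD}


def sample_log():
    """Constructed lines (documentation IPs and domains), not taken from the thread."""
    def session(sid, ip, user, rcpts, ok):
        b64 = base64.b64encode(user.encode()).decode()
        msgs = ["RECEIVED: EHLO [127.0.0.1]", "SENT: 250 HELP", "RECEIVED: AUTH LOGIN",
                "SENT: 334 VXNlcm5hbWU6", f"RECEIVED: {b64}", "SENT: 334 UGFzc3dvcmQ6",
                "RECEIVED: ***", "SENT: 235 authenticated." if ok else "SENT: 535 rejected",
                f"RECEIVED: MAIL FROM:<{user}>", "SENT: 250 OK"]
        for r in rcpts:
            reply = "250 OK" if ok or r.endswith("@example.org") else "530 denied"
            msgs += [f"RECEIVED: RCPT TO:<{r}>", f"SENT: {reply}"]
        msgs += ["RECEIVED: DATA", "SENT: 354 OK, send.", "SENT: 250 Queued (1.0 seconds)"]
        return [f'"SMTPD" 2000 {sid} "2017-04-02 09:00:00.000" "{ip}" "{m}"' for m in msgs]
    outsiders = [f"rcpt{i}@example.net" for i in range(6)]
    return (session("101", "203.0.113.50", "user@example.org", outsiders, True)
            + ['"SMTPC" 2000 900 "2017-04-02 09:00:01.000" "198.51.100.1" "SENT: HELO x"']
            + session("102", "192.168.0.20", "user@example.org", outsiders, True)
            + session("103", "198.51.100.7", "guess@example.org",
                      ["rcpt0@example.net", "info@example.org"], False))


if __name__ == "__main__":
    for sid, s in suspicious(analyse(sample_log())).items():
        print(f"session {sid}: {s.ip} as {s.user}, {s.external_rcpts} external recipients")
```

A session flagged this way logged in with a valid account password from outside the trusted ranges, so the decoded account name is the one whose password needs changing.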
Re: Urgent help please, spammers using my server
mattg wrote:
> hMailserver is as secure as your passwords if set correctly, and default settings are correct for 99%+ of users.
> Can you show some logs of your hmailserver receiving mail if you think it is still allowing spam to be sent from it...
I'll just post a sample, let me know if you need more...
Code:
"APPLICATION" 19520 "2017-04-02 09:01:36.480" "SMTPDeliverer - Message 15005: Message delivery thread completed."
"SMTPC" 20212 17462 "2017-04-02 09:01:36.543" "212.159.9.107" "RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC" 20212 17462 "2017-04-02 09:01:36.543" "212.159.9.107" "SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC" 20164 17462 "2017-04-02 09:01:36.574" "212.159.9.107" "RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC" 20164 17462 "2017-04-02 09:01:36.574" "212.159.9.107" "SENT: RCPT TO:<lapem@hotmail.com>"
"SMTPD" 20128 17442 "2017-04-02 09:01:37.466" "58.17.124.8" "RECEIVED: EHLO [127.0.0.1]"
"SMTPD" 20128 17442 "2017-04-02 09:01:37.466" "58.17.124.8" "SENT: 250-mail.hottroc.co.uk[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 20212 17442 "2017-04-02 09:01:38.763" "58.17.124.8" "RECEIVED: AUTH LOGIN"
"SMTPD" 20212 17442 "2017-04-02 09:01:38.763" "58.17.124.8" "SENT: 334 VXNlcm5hbWU6"
"SMTPC" 20164 17460 "2017-04-02 09:01:39.294" "212.159.8.107" "RECEIVED: 452 <artkathmarie@gmail.com> too many recipients in last hour"
"SMTPC" 20164 17460 "2017-04-02 09:01:39.294" "212.159.8.107" "SENT: RCPT TO:<artandmel2003@yahoo.ca>"
"TCPIP" 20072 "2017-04-02 09:01:39.294" "Connecting to 212.159.9.107:25..."
"SMTPD" 20164 17442 "2017-04-02 09:01:39.841" "58.17.124.8" "RECEIVED: amFtZXNAamN0Y29uc3VsdGluZy5jb20="
"SMTPD" 20164 17442 "2017-04-02 09:01:39.841" "58.17.124.8" "SENT: 334 UGFzc3dvcmQ6"
"SMTPC" 20164 17463 "2017-04-02 09:01:40.388" "212.159.9.107" "RECEIVED: 220 avasout01 smtp relay.plus.net"
"SMTPC" 20164 17463 "2017-04-02 09:01:40.388" "212.159.9.107" "SENT: HELO mail.hottroc.co.uk"
"SMTPC" 20164 17463 "2017-04-02 09:01:40.419" "212.159.9.107" "RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC" 20164 17463 "2017-04-02 09:01:40.419" "212.159.9.107" "SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC" 20212 17463 "2017-04-02 09:01:40.468" "212.159.9.107" "RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC" 20212 17463 "2017-04-02 09:01:40.468" "212.159.9.107" "SENT: RCPT TO:<artkathmarie@gmail.com>"
"SMTPC" 20164 17461 "2017-04-02 09:01:40.686" "212.159.9.107" "RECEIVED: 452 <sico143@yahoo.com> too many recipients in last hour"
"SMTPC" 20164 17461 "2017-04-02 09:01:40.686" "212.159.9.107" "SENT: RCPT TO:<enkov@scps.k12.fl.us>"
"APPLICATION" 20076 "2017-04-02 09:01:40.686" "SMTPDeliverer - Message 15006: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION" 20076 "2017-04-02 09:01:40.686" "SMTPDeliverer - Message 15006: Message delivery thread completed."
"SMTPC" 20212 17462 "2017-04-02 09:01:41.577" "212.159.9.107" "RECEIVED: 452 <lapem@hotmail.com> too many recipients in last hour"
"SMTPC" 20212 17462 "2017-04-02 09:01:41.577" "212.159.9.107" "SENT: RCPT TO:<oberrader@online.de>"
"APPLICATION" 20040 "2017-04-02 09:01:41.577" "SMTPDeliverer - Message 15007: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION" 20040 "2017-04-02 09:01:41.577" "SMTPDeliverer - Message 15007: Message delivery thread completed."
"SMTPD" 20128 17442 "2017-04-02 09:01:42.077" "58.17.124.8" "RECEIVED: ***"
"SMTPD" 20128 17442 "2017-04-02 09:01:42.093" "58.17.124.8" "SENT: 235 authenticated."
"SMTPD" 20164 17442 "2017-04-02 09:01:43.108" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20164 17442 "2017-04-02 09:01:43.108" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:45.078" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:45.078" "58.17.124.8" "SENT: 250 OK"
"SMTPC" 20128 17463 "2017-04-02 09:01:45.485" "212.159.9.107" "RECEIVED: 452 <artkathmarie@gmail.com> too many recipients in last hour"
"SMTPC" 20128 17463 "2017-04-02 09:01:45.485" "212.159.9.107" "SENT: RCPT TO:<artandmel2003@yahoo.ca>"
"APPLICATION" 20072 "2017-04-02 09:01:45.485" "SMTPDeliverer - Message 15008: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION" 20072 "2017-04-02 09:01:45.485" "SMTPDeliverer - Message 15008: Message delivery thread completed."
"SMTPD" 20212 17442 "2017-04-02 09:01:47.626" "58.17.124.8" "RECEIVED: RCPT TO:<evg@bis.midco.net>"
"SMTPD" 20212 17442 "2017-04-02 09:01:47.626" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:01:49.768" "58.17.124.8" "RECEIVED: RCPT TO:<charles_antle@yahoo.ca>"
"SMTPD" 20212 17442 "2017-04-02 09:01:49.783" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:50.721" "58.17.124.8" "RECEIVED: RCPT TO:<chapmanlouis32@gmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:50.721" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:51.613" "58.17.124.8" "RECEIVED: RCPT TO:<vik.seeborun@candi.ac.uk>"
"SMTPD" 20128 17442 "2017-04-02 09:01:51.613" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:52.753" "58.17.124.8" "RECEIVED: RCPT TO:<rhindss@aol.com>"
"SMTPD" 20128 17442 "2017-04-02 09:01:52.753" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:53.832" "58.17.124.8" "RECEIVED: RCPT TO:<hs@kvale.no>"
"SMTPD" 20128 17442 "2017-04-02 09:01:53.832" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:54.723" "58.17.124.8" "RECEIVED: RCPT TO:<faussie11@hotmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:54.738" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:56.739" "58.17.124.8" "RECEIVED: RCPT TO:<leeee2@juno.com>"
"SMTPD" 20128 17442 "2017-04-02 09:01:56.739" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:01:59.333" "58.17.124.8" "RECEIVED: RCPT TO:<legbaa@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:01:59.333" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:00.413" "58.17.124.8" "RECEIVED: RCPT TO:<anthony.cinquemano.jdq0@statefarm.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:00.413" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:01.460" "58.17.124.8" "RECEIVED: RCPT TO:<onoyes@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:01.460" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:02.413" "58.17.124.8" "RECEIVED: RCPT TO:<nelson@hotelonix.pt>"
"SMTPD" 20164 17442 "2017-04-02 09:02:02.413" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:03.428" "58.17.124.8" "RECEIVED: RCPT TO:<wildmandan64@yahoo.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:03.428" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:06.184" "58.17.124.8" "RECEIVED: RCPT TO:<cchristian007@videotron.ca>"
"SMTPD" 20212 17442 "2017-04-02 09:02:06.184" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:07.296" "58.17.124.8" "RECEIVED: RCPT TO:<william_bellman@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:07.296" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:09.579" "58.17.124.8" "RECEIVED: RCPT TO:<donmeckler@msn.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:09.594" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:10.422" "58.17.124.8" "RECEIVED: RCPT TO:<mauldin@resilientelectric.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:10.422" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:11.204" "58.17.124.8" "RECEIVED: RCPT TO:<adorf@zabra.de>"
"SMTPD" 20164 17442 "2017-04-02 09:02:11.204" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:12.688" "58.17.124.8" "RECEIVED: DATA"
"SMTPD" 20212 17442 "2017-04-02 09:02:12.688" "58.17.124.8" "SENT: 354 OK, send."
"SMTPD" 15780 17442 "2017-04-02 09:02:15.080" "58.17.124.8" "SENT: 250 Queued (2.360 seconds)"
"APPLICATION" 20072 "2017-04-02 09:02:15.080" "SMTPDeliverer - Message 15009: Delivering message from james@jctconsulting.com to evg@bis.midco.net, charles_antle@yahoo.ca, chapmanlouis32@gmail.com, vik.seeborun@candi.ac.uk, rhindss@aol.com, hs@kvale.no, faussie11@hotmail.com, leeee2@juno.com, legbaa@hotmail.com, anthony.cinquemano.jdq0@statefarm.com, onoyes@yahoo.com, nelson@hotelonix.pt, wildmandan64@yahoo.com, cchristian007@videotron.ca, william_bellman@hotmail.com, donmeckler@msn.com, mauldin@resilientelectric.com, adorf@zabra.de. File: C:\Program Files (x86)\hMailServer\Data\{FA6CC5D1-D97B-4950-813E-F29996733DB6}.eml"
"APPLICATION" 20072 "2017-04-02 09:02:15.127" "SMTPDeliverer - Message 15009: Relaying to host relay.plus.net."
"TCPIP" 20072 "2017-04-02 09:02:15.127" "Connecting to 212.159.8.107:25..."
"SMTPC" 20128 17464 "2017-04-02 09:02:16.205" "212.159.8.107" "RECEIVED: 220 avasout04 smtp relay.plus.net"
"SMTPC" 20128 17464 "2017-04-02 09:02:16.205" "212.159.8.107" "SENT: HELO mail.hottroc.co.uk"
"SMTPC" 20164 17464 "2017-04-02 09:02:16.236" "212.159.8.107" "RECEIVED: 250 avasout04 hello [195.166.157.113], pleased to meet you"
"SMTPC" 20164 17464 "2017-04-02 09:02:16.236" "212.159.8.107" "SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC" 20212 17464 "2017-04-02 09:02:16.283" "212.159.8.107" "RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC" 20212 17464 "2017-04-02 09:02:16.283" "212.159.8.107" "SENT: RCPT TO:<adorf@zabra.de>"
"SMTPD" 20212 17442 "2017-04-02 09:02:17.410" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20212 17442 "2017-04-02 09:02:17.410" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:18.786" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:18.786" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:19.817" "58.17.124.8" "RECEIVED: RCPT TO:<rnsm4@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:19.832" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:21.209" "58.17.124.8" "RECEIVED: RCPT TO:<firstmark@me.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:21.209" "58.17.124.8" "SENT: 250 OK"
"SMTPC" 20212 17464 "2017-04-02 09:02:21.303" "212.159.8.107" "RECEIVED: 452 <adorf@zabra.de> too many recipients in last hour"
"SMTPC" 20212 17464 "2017-04-02 09:02:21.303" "212.159.8.107" "SENT: RCPT TO:<cchristian007@videotron.ca>"
"TCPIP" 20072 "2017-04-02 09:02:21.303" "Connecting to 212.159.9.107:25..."
"SMTPD" 20128 17442 "2017-04-02 09:02:22.162" "58.17.124.8" "RECEIVED: RCPT TO:<munoz2287@windstream.net>"
"SMTPD" 20128 17442 "2017-04-02 09:02:22.162" "58.17.124.8" "SENT: 250 OK"
"SMTPC" 20164 17465 "2017-04-02 09:02:22.381" "212.159.9.107" "RECEIVED: 220 avasout01 smtp relay.plus.net"
"SMTPC" 20164 17465 "2017-04-02 09:02:22.381" "212.159.9.107" "SENT: HELO mail.hottroc.co.uk"
"SMTPC" 20128 17465 "2017-04-02 09:02:22.428" "212.159.9.107" "RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC" 20128 17465 "2017-04-02 09:02:22.428" "212.159.9.107" "SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC" 20164 17465 "2017-04-02 09:02:22.460" "212.159.9.107" "RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC" 20164 17465 "2017-04-02 09:02:22.460" "212.159.9.107" "SENT: RCPT TO:<adorf@zabra.de>"
"SMTPD" 20212 17442 "2017-04-02 09:02:23.179" "58.17.124.8" "RECEIVED: RCPT TO:<dubchak.alexandr@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:23.179" "58.17.124.8" "SENT: 250 OK"
"SMTPC" 20128 17465 "2017-04-02 09:02:27.480" "212.159.9.107" "RECEIVED: 452 <adorf@zabra.de> too many recipients in last hour"
"SMTPC" 20128 17465 "2017-04-02 09:02:27.480" "212.159.9.107" "SENT: RCPT TO:<cchristian007@videotron.ca>"
"APPLICATION" 20072 "2017-04-02 09:02:27.480" "SMTPDeliverer - Message 15009: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION" 20072 "2017-04-02 09:02:27.480" "SMTPDeliverer - Message 15009: Message delivery thread completed."
"SMTPD" 20164 17442 "2017-04-02 09:02:27.777" "58.17.124.8" "RECEIVED: RCPT TO:<themitchproject@gmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:27.777" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:32.107" "58.17.124.8" "RECEIVED: RCPT TO:<dennisc1@gci.net>"
"SMTPD" 20128 17442 "2017-04-02 09:02:32.107" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:36.704" "58.17.124.8" "RECEIVED: RCPT TO:<romalaguna@yahoo.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:36.720" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:38.283" "58.17.124.8" "RECEIVED: RCPT TO:<pockebackman@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:38.298" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:40.018" "58.17.124.8" "RECEIVED: RCPT TO:<bill_muck@yahoo.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:40.018" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:41.049" "58.17.124.8" "RECEIVED: DATA"
"SMTPD" 20128 17442 "2017-04-02 09:02:41.049" "58.17.124.8" "SENT: 354 OK, send."
"SMTPD" 15780 17442 "2017-04-02 09:02:42.598" "58.17.124.8" "SENT: 250 Queued (1.528 seconds)"
"APPLICATION" 20072 "2017-04-02 09:02:42.613" "SMTPDeliverer - Message 15010: Delivering message from james@jctconsulting.com to rnsm4@yahoo.com, firstmark@me.com, munoz2287@windstream.net, dubchak.alexandr@hotmail.com, themitchproject@gmail.com, dennisc1@gci.net, romalaguna@yahoo.com, pockebackman@hotmail.com, bill_muck@yahoo.com. File: C:\Program Files (x86)\hMailServer\Data\{245DC3D9-5D99-4AAF-BBEE-8CB8AA16BB3B}.eml"
"APPLICATION" 20072 "2017-04-02 09:02:42.645" "SMTPDeliverer - Message 15010: Relaying to host relay.plus.net."
"TCPIP" 20072 "2017-04-02 09:02:42.645" "Connecting to 212.159.8.107:25..."
"SMTPC" 20212 17466 "2017-04-02 09:02:43.692" "212.159.8.107" "RECEIVED: 220 avasout04 smtp relay.plus.net"
"SMTPC" 20212 17466 "2017-04-02 09:02:43.692" "212.159.8.107" "SENT: HELO mail.hottroc.co.uk"
"SMTPC" 20128 17466 "2017-04-02 09:02:43.739" "212.159.8.107" "RECEIVED: 250 avasout04 hello [195.166.157.113], pleased to meet you"
"SMTPC" 20128 17466 "2017-04-02 09:02:43.739" "212.159.8.107" "SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC" 20128 17466 "2017-04-02 09:02:43.770" "212.159.8.107" "RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC" 20128 17466 "2017-04-02 09:02:43.770" "212.159.8.107" "SENT: RCPT TO:<firstmark@me.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:46.442" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20212 17442 "2017-04-02 09:02:46.442" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:47.912" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:47.912" "58.17.124.8" "SENT: 250 OK"
"SMTPC" 20128 17466 "2017-04-02 09:02:48.787" "212.159.8.107" "RECEIVED: 452 <firstmark@me.com> too many recipients in last hour"
"SMTPC" 20128 17466 "2017-04-02 09:02:48.803" "212.159.8.107" "SENT: RCPT TO:<themitchproject@gmail.com>"
"TCPIP" 20072 "2017-04-02 09:02:48.803" "Connecting to 212.159.9.107:25..."
"SMTPD" 20164 17442 "2017-04-02 09:02:49.443" "58.17.124.8" "RECEIVED: RCPT TO:<hondamaniac600v@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:49.459" "58.17.124.8" "SENT: 250 OK"
"SMTPC" 20128 17467 "2017-04-02 09:02:49.882" "212.159.9.107" "RECEIVED: 220 avasout01 smtp relay.plus.net"
"SMTPC" 20128 17467 "2017-04-02 09:02:49.882" "212.159.9.107" "SENT: HELO mail.hottroc.co.uk"
"SMTPC" 20212 17467 "2017-04-02 09:02:49.929" "212.159.9.107" "RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC" 20212 17467 "2017-04-02 09:02:49.929" "212.159.9.107" "SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC" 20164 17467 "2017-04-02 09:02:49.961" "212.159.9.107" "RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC" 20164 17467 "2017-04-02 09:02:49.961" "212.159.9.107" "SENT: RCPT TO:<firstmark@me.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:51.477" "58.17.124.8" "RECEIVED: RCPT TO:<aronoff@checkbookengineering.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:51.492" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:52.852" "58.17.124.8" "RECEIVED: RCPT TO:<hoanghaivupham@yahoo.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:52.852" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:53.899" "58.17.124.8" "RECEIVED: RCPT TO:<beube@videotron.ca>"
"SMTPD" 20164 17442 "2017-04-02 09:02:53.899" "58.17.124.8" "SENT: 250 OK"
"SMTPC" 20128 17467 "2017-04-02 09:02:54.977" "212.159.9.107" "RECEIVED: 452 <firstmark@me.com> too many recipients in last hour"
"SMTPC" 20128 17467 "2017-04-02 09:02:54.977" "212.159.9.107" "SENT: RCPT TO:<themitchproject@gmail.com>"
"APPLICATION" 20072 "2017-04-02 09:02:54.977" "SMTPDeliverer - Message 15010: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION" 20072 "2017-04-02 09:02:54.993" "SMTPDeliverer - Message 15010: Message delivery thread completed."
Code: Select all
"SMTPD" 20164 17836 "2017-04-02 09:14:44.064" "61.54.110.110" "RECEIVED: RCPT TO:<kimandgreg@sbcglobal.net>"
"SMTPD" 20164 17836 "2017-04-02 09:14:44.064" "61.54.110.110" "SENT: 250 OK"
"SMTPD" 20164 17879 "2017-04-02 09:14:44.424" "220.177.50.195" "RECEIVED: RCPT TO:<mrfreddie@earthlink.net>"
"SMTPD" 20164 17879 "2017-04-02 09:14:44.424" "220.177.50.195" "SENT: 250 OK"
"SMTPD" 20172 17836 "2017-04-02 09:14:44.658" "61.54.110.110" "RECEIVED: RCPT TO:<casslarsen@cox.net>"
"SMTPD" 20172 17836 "2017-04-02 09:14:44.658" "61.54.110.110" "SENT: 250 OK"
"SMTPD" 20164 17879 "2017-04-02 09:14:45.128" "220.177.50.195" "RECEIVED: RCPT TO:<demetry189@hotmail.com>"
"SMTPD" 20164 17879 "2017-04-02 09:14:45.128" "220.177.50.195" "SENT: 250 OK"
"SMTPC" 20172 17913 "2017-04-02 09:14:45.300" "212.159.8.107" "RECEIVED: 452 <lrieke7030@gmail.com> too many recipients in last hour"
"SMTPC" 20172 17913 "2017-04-02 09:14:45.300" "212.159.8.107" "SENT: RCPT TO:<james.thompson2@verizon.net>"
"TCPIP" 20064 "2017-04-02 09:14:45.300" "Connecting to 212.159.9.107:25..."
"SMTPD" 20164 17836 "2017-04-02 09:14:45.331" "61.54.110.110" "RECEIVED: RCPT TO:<enkqp@dadd.ti.com>"
"SMTPD" 20164 17836 "2017-04-02 09:14:45.331" "61.54.110.110" "SENT: 250 OK"
"SMTPD" 20164 17836 "2017-04-02 09:14:45.987" "61.54.110.110" "RECEIVED: RCPT TO:<j_iliz@yahoo.com>"
"SMTPD" 20164 17836 "2017-04-02 09:14:45.987" "61.54.110.110" "SENT: 250 OK"
"SMTPD" 20172 17879 "2017-04-02 09:14:46.019" "220.177.50.195" "RECEIVED: RCPT TO:<osbert.wilde@gmail.com>"
"SMTPD" 20172 17879 "2017-04-02 09:14:46.019" "220.177.50.195" "SENT: 250 OK"
"SMTPC" 20172 17923 "2017-04-02 09:14:46.394" "212.159.9.107" "RECEIVED: 220 avasout01 smtp relay.plus.net"
"SMTPC" 20172 17923 "2017-04-02 09:14:46.394" "212.159.9.107" "SENT: HELO mail.hottroc.co.uk"
"SMTPC" 20164 17923 "2017-04-02 09:14:46.425" "212.159.9.107" "RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC" 20164 17923 "2017-04-02 09:14:46.425" "212.159.9.107" "SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC" 20164 17923 "2017-04-02 09:14:46.472" "212.159.9.107" "RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC" 20164 17923 "2017-04-02 09:14:46.472" "212.159.9.107" "SENT: RCPT TO:<lrieke7030@gmail.com>"
"SMTPC" 20128 17916 "2017-04-02 09:14:46.487" "212.159.9.107" "RECEIVED: 452 <riviera1975@live.it> too many recipients in last hour"
"SMTPC" 20164 17921 "2017-04-02 09:14:46.487" "212.159.9.107" "RECEIVED: 452 <bradkaminski@msn.com> too many recipients in last hour"
"SMTPC" 20204 17917 "2017-04-02 09:14:46.487" "212.159.9.107" "RECEIVED: 452 <louise@averyhouse.wanadoo.co.uk> too many recipients in last hour"
"SMTPC" 20172 17914 "2017-04-02 09:14:46.487" "212.159.9.107" "RECEIVED: 452 <schnekla_223@jfreed.com> too many recipients in last hour"
If you have mail in your queue that you don't want to deliver, then you can simply delete it
Thanks, yes, I've done that now, but still lots had gone out (I am getting the bouncebacks), so hoping I don't get blacklisted, and of course that it won't happen again.
Re: Urgent help please, spammers using my server
As shown in the log, the james@jctconsulting.com account is being used for sending.
You need to change that password!
Code: Select all
"SMTPD" 20128 17442 "2017-04-02 09:01:37.466" "58.17.124.8" "RECEIVED: EHLO [127.0.0.1]"
"SMTPD" 20128 17442 "2017-04-02 09:01:37.466" "58.17.124.8" "SENT: 250-mail.hottroc.co.uk[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 20212 17442 "2017-04-02 09:01:38.763" "58.17.124.8" "RECEIVED: AUTH LOGIN"
"SMTPD" 20212 17442 "2017-04-02 09:01:38.763" "58.17.124.8" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 20164 17442 "2017-04-02 09:01:39.841" "58.17.124.8" "RECEIVED: amFtZXNAamN0Y29uc3VsdGluZy5jb20=" [ james@jctconsulting.com ]
"SMTPD" 20164 17442 "2017-04-02 09:01:39.841" "58.17.124.8" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 20128 17442 "2017-04-02 09:01:42.077" "58.17.124.8" "RECEIVED: ***"
"SMTPD" 20128 17442 "2017-04-02 09:01:42.093" "58.17.124.8" "SENT: 235 authenticated."
"SMTPD" 20164 17442 "2017-04-02 09:01:43.108" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20164 17442 "2017-04-02 09:01:43.108" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:45.078" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:45.078" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:01:47.626" "58.17.124.8" "RECEIVED: RCPT TO:<evg@bis.midco.net>"
"SMTPD" 20212 17442 "2017-04-02 09:01:47.626" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:01:49.768" "58.17.124.8" "RECEIVED: RCPT TO:<charles_antle@yahoo.ca>"
"SMTPD" 20212 17442 "2017-04-02 09:01:49.783" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:50.721" "58.17.124.8" "RECEIVED: RCPT TO:<chapmanlouis32@gmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:50.721" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:51.613" "58.17.124.8" "RECEIVED: RCPT TO:<vik.seeborun@candi.ac.uk>"
"SMTPD" 20128 17442 "2017-04-02 09:01:51.613" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:52.753" "58.17.124.8" "RECEIVED: RCPT TO:<rhindss@aol.com>"
"SMTPD" 20128 17442 "2017-04-02 09:01:52.753" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:53.832" "58.17.124.8" "RECEIVED: RCPT TO:<hs@kvale.no>"
"SMTPD" 20128 17442 "2017-04-02 09:01:53.832" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:54.723" "58.17.124.8" "RECEIVED: RCPT TO:<faussie11@hotmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:54.738" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:56.739" "58.17.124.8" "RECEIVED: RCPT TO:<leeee2@juno.com>"
"SMTPD" 20128 17442 "2017-04-02 09:01:56.739" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:01:59.333" "58.17.124.8" "RECEIVED: RCPT TO:<legbaa@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:01:59.333" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:00.413" "58.17.124.8" "RECEIVED: RCPT TO:<anthony.cinquemano.jdq0@statefarm.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:00.413" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:01.460" "58.17.124.8" "RECEIVED: RCPT TO:<onoyes@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:01.460" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:02.413" "58.17.124.8" "RECEIVED: RCPT TO:<nelson@hotelonix.pt>"
"SMTPD" 20164 17442 "2017-04-02 09:02:02.413" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:03.428" "58.17.124.8" "RECEIVED: RCPT TO:<wildmandan64@yahoo.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:03.428" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:06.184" "58.17.124.8" "RECEIVED: RCPT TO:<cchristian007@videotron.ca>"
"SMTPD" 20212 17442 "2017-04-02 09:02:06.184" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:07.296" "58.17.124.8" "RECEIVED: RCPT TO:<william_bellman@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:07.296" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:09.579" "58.17.124.8" "RECEIVED: RCPT TO:<donmeckler@msn.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:09.594" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:10.422" "58.17.124.8" "RECEIVED: RCPT TO:<mauldin@resilientelectric.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:10.422" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:11.204" "58.17.124.8" "RECEIVED: RCPT TO:<adorf@zabra.de>"
"SMTPD" 20164 17442 "2017-04-02 09:02:11.204" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:12.688" "58.17.124.8" "RECEIVED: DATA"
"SMTPD" 20212 17442 "2017-04-02 09:02:12.688" "58.17.124.8" "SENT: 354 OK, send."
"SMTPD" 15780 17442 "2017-04-02 09:02:15.080" "58.17.124.8" "SENT: 250 Queued (2.360 seconds)"
"SMTPD" 20212 17442 "2017-04-02 09:02:17.410" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20212 17442 "2017-04-02 09:02:17.410" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:18.786" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:18.786" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:19.817" "58.17.124.8" "RECEIVED: RCPT TO:<rnsm4@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:19.832" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:21.209" "58.17.124.8" "RECEIVED: RCPT TO:<firstmark@me.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:21.209" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:22.162" "58.17.124.8" "RECEIVED: RCPT TO:<munoz2287@windstream.net>"
"SMTPD" 20128 17442 "2017-04-02 09:02:22.162" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:23.179" "58.17.124.8" "RECEIVED: RCPT TO:<dubchak.alexandr@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:23.179" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:27.777" "58.17.124.8" "RECEIVED: RCPT TO:<themitchproject@gmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:27.777" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:32.107" "58.17.124.8" "RECEIVED: RCPT TO:<dennisc1@gci.net>"
"SMTPD" 20128 17442 "2017-04-02 09:02:32.107" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:36.704" "58.17.124.8" "RECEIVED: RCPT TO:<romalaguna@yahoo.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:36.720" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:38.283" "58.17.124.8" "RECEIVED: RCPT TO:<pockebackman@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:38.298" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:40.018" "58.17.124.8" "RECEIVED: RCPT TO:<bill_muck@yahoo.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:40.018" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:41.049" "58.17.124.8" "RECEIVED: DATA"
"SMTPD" 20128 17442 "2017-04-02 09:02:41.049" "58.17.124.8" "SENT: 354 OK, send."
"SMTPD" 15780 17442 "2017-04-02 09:02:42.598" "58.17.124.8" "SENT: 250 Queued (1.528 seconds)"
"SMTPD" 20212 17442 "2017-04-02 09:02:46.442" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20212 17442 "2017-04-02 09:02:46.442" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:47.912" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:47.912" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:49.443" "58.17.124.8" "RECEIVED: RCPT TO:<hondamaniac600v@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:49.459" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:51.477" "58.17.124.8" "RECEIVED: RCPT TO:<aronoff@checkbookengineering.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:51.492" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:52.852" "58.17.124.8" "RECEIVED: RCPT TO:<hoanghaivupham@yahoo.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:52.852" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:53.899" "58.17.124.8" "RECEIVED: RCPT TO:<beube@videotron.ca>"
"SMTPD" 20164 17442 "2017-04-02 09:02:53.899" "58.17.124.8" "SENT: 250 OK"
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.
Re: Urgent help please, spammers using my server
OK, thanks.
How did this occur? So they actually are passing the SMTP Authentication? If so how would they do that? This has never happened before.
Re: Urgent help please, spammers using my server
by hottroc » 2017-04-02 16:58
OK, thanks.
How did this occur? So they actually are passing the SMTP Authentication? If so how would they do that? This has never happened before.
They figured out the password... for James's account...
(happened to me once... I had the same password for the hMailServer administrator as my user account... "they used me" and I added 1 letter to the user account's password and "they" didn't come in again... I still have the same password for the hMailServer administrator)
lets cheat darwin out of his legacy, find a cure for cancer...
Re: Urgent help please, spammers using my server
But my password is not one of those easy to guess ones. I doubt if it's guessable. How would they get your hMS Administrator password anyway?
Re: Urgent help please, spammers using my server
by hottroc » 2017-04-02 20:33
But my password is not one of those easy to guess ones. I doubt if it's guessable. How would they get your hMS Administrator password anyway?
Well, I just wrote what happened to me... sometimes that will get insight to others.. (and yes, I'm very curious as to how "they" could guess my user account's password, and in my case I happened to have the same password for hmailadministrator and my abused user account..)
I would say my password is not easily guessed either... but hey.. they "guessed" it somehow... I was a spammer for a short interval of time; fortunately for me my server wasn't up for the task so it dipped of the load of incoming trash and those warning signs made me able to stop it really early.... but that's ages ago... still have the same password for hmail administrator though..
Re: Urgent help please, spammers using my server
I recently had a complex randomly generated password 'guessed' for my daughter's account. More than 10 characters with a random mix of numbers, lowercase letters, uppercase letters, and special characters.
Did a virus / malware sweep of her PC, her phone, her laptop - nothing....
I always enforce SSL or TLS connections for authentication from the internet, and don't allow authentication on port 25
viewtopic.php?f=8&t=30990
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: Urgent help please, spammers using my server
I wish we had a script that could mine our logs and fish out spammers and have them auto-reported.
Dravion wrote: ↑2017-04-01 15:18
Not a direct instant help but do you and us a favor and report this Bastard to the Networkowners Antispam Department
$ whois 221.237.208.10
% Information related to '221.236.0.0 - 221.237.255.255'
inetnum: 221.236.0.0 - 221.237.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
e-mail: anti-spam@ns.chinanet.cn.net <---
Just write an email to the above email address, describe your Situation and copy
and paste the following log entry into your Email:
Attacking spam host:
(10.208.237.221.broad.dz.sc.dynamic.163data.com.cn [221.237.208.10])
Date: Sat, 1 Apr 2017 13:37 +0100
Next your should setup your hMailServer IP ranges correctly. You also can block regions,
networks and whole countries via GEO-IP block. I block China and Russia because i have no business with them but many attacks.
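The log reading done earlier in the thread (decode the AUTH LOGIN user name, look for 235, count accepted RCPT TO per session) and the log-mining script wished for above can be sketched as follows; this is an added example, not code from any poster or from hMailServer. The sample log is constructed in the thread's format with documentation addresses, and LOCAL_NETS, the threshold of 10 and all function names are assumptions.

```python
import base64
import ipaddress
import re

# Local ranges, from the "My computer" and "MyLAN" IP ranges in the thread's
# diagnostics (assumption: adjust to your own server).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/24")]
# "SMTPD" <thread> <session> "<timestamp>" "<remote ip>" "<message>"
LINE_RE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]*)"')


def b64_text(token):
    """Decode one AUTH LOGIN token; None if not base64 (e.g. the masked '***')."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def parse_sessions(lines):
    """Group SMTPD lines by session id; track AUTH LOGIN and accepted RCPT TO."""
    sessions = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # SMTPC, TCPIP, APPLICATION lines and anything malformed
        sid, ts, ip, msg = m.groups()
        s = sessions.setdefault(sid, {
            "session": sid, "ip": ip, "first_seen": ts, "user": None,
            "authenticated": False, "rcpts": 0, "queued": 0, "_last": None})
        direction, _, text = msg.partition(": ")
        if direction == "RECEIVED":
            if s["_last"] == "WANT_USER":      # answer to the "Username:" prompt
                s["user"], s["_last"] = b64_text(text.strip()), None
            elif text.upper().startswith("AUTH LOGIN"):
                inline = text.split()[2:]      # AUTH LOGIN <base64 user> is allowed
                if inline:
                    s["user"] = b64_text(inline[0])
                s["_last"] = "AUTH"
            elif text.upper().startswith("RCPT TO:"):
                s["_last"] = "RCPT"
            else:
                s["_last"] = None
        elif direction == "SENT":
            if (s["_last"] == "AUTH" and text.startswith("334 ")
                    and b64_text(text[4:].strip()) == "Username:"):
                s["_last"] = "WANT_USER"
                continue
            if text.startswith("235"):
                s["authenticated"] = True
            elif text.startswith("250 Queued"):
                s["queued"] += 1
            elif text.startswith("250") and s["_last"] == "RCPT":
                s["rcpts"] += 1                # count only accepted recipients
            s["_last"] = None
    return sessions


def is_local(ip):
    """True if ip falls in LOCAL_NETS; unparsable addresses count as remote."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)
    except ValueError:
        return False


def find_abuse(lines, rcpt_threshold=10):
    """Authenticated sessions from non-local IPs with many accepted recipients."""
    return [{k: v for k, v in s.items() if not k.startswith("_")}
            for s in parse_sessions(lines).values()
            if s["authenticated"] and not is_local(s["ip"])
            and s["rcpts"] >= rcpt_threshold]


def sample_log():
    """Constructed log in the thread's format; names and IPs are documentation values."""
    user = base64.b64encode(b"alice@example.com").decode()
    rcpts = [m for i in range(12)
             for m in (f"RECEIVED: RCPT TO:<r{i}@example.net>", "SENT: 250 OK")]
    rows = [("9001", "203.0.113.45", m) for m in [   # remote login, 12 recipients
        "RECEIVED: EHLO [127.0.0.1]",
        "SENT: 250-mail.example.com[nl]250-AUTH LOGIN[nl]250 HELP",
        "RECEIVED: AUTH LOGIN", "SENT: 334 VXNlcm5hbWU6", "RECEIVED: " + user,
        "SENT: 334 UGFzc3dvcmQ6", "RECEIVED: ***", "SENT: 235 authenticated.",
        "RECEIVED: MAIL FROM:<alice@example.com>", "SENT: 250 OK", *rcpts,
        "RECEIVED: DATA", "SENT: 354 OK, send.", "SENT: 250 Queued (1.5 seconds)"]]
    rows += [("9002", "192.168.0.20", m) for m in [  # LAN client, inline user name
        "RECEIVED: AUTH LOGIN " + user, "SENT: 334 UGFzc3dvcmQ6", "RECEIVED: ***",
        "SENT: 235 authenticated.", *rcpts]]
    rows += [("9003", "198.51.100.7", m) for m in [  # unauthenticated, refused
        "RECEIVED: RCPT TO:<x@example.org>", "SENT: 530 SMTP authentication is required."]]
    return [f'"SMTPD" 4242 {sid} "2017-04-02 09:{n // 60:02d}:{n % 60:02d}.000" "{ip}" "{msg}"'
            for n, (sid, ip, msg) in enumerate(rows)]


if __name__ == "__main__":
    for hit in find_abuse(sample_log()):
        print(hit)
```

To run it on a real log, pass the lines of the hMailServer log file to find_abuse() in place of sample_log().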
Re: Urgent help please, spammers using my server
Yes that would be great. Except it wouldn't help against cases where IP addresses are spoofed.
Re: Urgent help please, spammers using my server
Can IP addresses be spoofed in the hMailserver logs?
Re: Urgent help please, spammers using my server
No. "envelope" information cannot be spoofed, only mail information.
SørenR.
Woke is Marxism advancing through Maoist cultural revolution.
Re: Urgent help please, spammers using my server
You can, I can share a program I wrote if you wish to report to blocklist.de using their API; blocklist.de then sends the abuse mails to network owners (abuse@*)
charleso wrote: ↑2019-01-28 16:32
I wish we had a script that could mine our logs and fish out spammers and have them auto-reported.
Dravion wrote: ↑2017-04-01 15:18
Not a direct instant help but do you and us a favor and report this Bastard to the Networkowners Antispam Department
$ whois 221.237.208.10
% Information related to '221.236.0.0 - 221.237.255.255'
inetnum: 221.236.0.0 - 221.237.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN
e-mail: anti-spam@ns.chinanet.cn.net <---
Just write an email to the above email address, describe your Situation and copy
and paste the following log entry into your Email:
Attacking spam host:
(10.208.237.221.broad.dz.sc.dynamic.163data.com.cn [221.237.208.10])
Date: Sat, 1 Apr 2017 13:37 +0100
Next your should setup your hMailServer IP ranges correctly. You also can block regions,
networks and whole countries via GEO-IP block. I block China and Russia because i have no business with them but many attacks.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Urgent help please, spammers using my server
Yes I know
My question was me being cheeky.
Yes please
Re: Urgent help please, spammers using my server
How to use?
First you need to register an account on blocklist.de, https://www.blocklist.de/en/register.html to get your own API key
Download
fail2ban.zip (Requires Net 4.5)
Code: Select all
fail2ban Options:
-a, --apikey=VALUE Your blocklist.de account API key
-e, --email=VALUE Your blocklist.de account registered email or Id
-i, --ipaddress=VALUE Attacker IP address
-s, --service=VALUE Attacked service, eg: pop3, smtp, imap
-l, --logs=VALUE Attack logs
-v, --verbose increase debug message verbosity
-h, --help show this message and exit
Code: Select all
Function fail2ban(sIPAddress, sService, sLogs)
   Dim sApikey : sApikey = "Your blocklist.de account API key"
   Dim sServerId : sServerId = "Your blocklist.de account registered email or Id"
   ' Run fail2ban.exe hidden (0) and wait for it to finish (True)
   With CreateObject("WScript.Shell")
      .Run """C:\Program Files (x86)\hMailServer\Events\fail2ban.exe"" /a " & sApikey & " /e " & sServerId & " /i " & sIPAddress & " /s " & sService & " /l " & sLogs & "",0,True
   End With
End Function
Code: Select all
Sub OnHELO(oClient)
   Dim oRegEx
   Set oRegEx = CreateObject("VBScript.RegExp")
   oRegEx.IgnoreCase = True
   oRegEx.Global = False
   ' HELO/EHLO name commonly sent by infected bots
   oRegEx.Pattern = "^(ylmf\-pc)$"
   If oRegEx.Test(oClient.HELO) Then
      Call fail2ban(oClient.IPAddress, "badbot", Escape(Now() & VbTab & "Common bot infected EHLO/HELO hostname: " & oClient.HELO & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
   End If
   Set oRegEx = Nothing
End Sub
Code: Select all
Sub OnClientLogon(oClient)
   If Not oClient.Authenticated Then
      ' Map the listening port to the service name passed to fail2ban
      Dim service : service = Empty
      Select Case oClient.Port
         Case 25, 465, 587
            service = "smtp"
         Case 143, 993
            service = "imap"
         Case 110, 995
            service = "pop3"
      End Select
      Dim oRegEx
      Set oRegEx = CreateObject("VBScript.RegExp")
      oRegEx.IgnoreCase = True
      oRegEx.Global = False
      ' Honeypot: user names that do not exist on this server
      oRegEx.Pattern = "^(test|unix|sales|library|ldap|admin|administrator|news|printer|abuse)\@?"
      If oRegEx.Test(oClient.Username) Then
         Call fail2ban(oClient.IPAddress, service, Escape(Now() & VbTab & "Failed login for a non-existent email address/account (honeypot)" & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
         Exit Sub
      End If
      Set oRegEx = Nothing
   End If
End Sub
Re: Urgent help please, spammers using my server
Oooh... Had a go at it to include into my 'handler (and style) and F'ing remembered I still need to upgrade to get Sub OnClientLogon(oClient) ... Bummer...
So Sub OnClientLogon(oClient) is triggered regardless if the user authenticated or not?
Is "If Not oClient.Authenticated Then" the only indication of failed/skipped authentication?
Code: Select all
Option Explicit

Private Const APIKey = "Your blocklist.de account API key"
Private Const ServerID = "Your blocklist.de account registered email or Id"
Private Const Fail2Ban = "C:\hMailServer\Events\fail2ban.exe"

' Fail2Ban Options:
'   -a, --apikey=VALUE      Your blocklist.de account API key
'   -e, --email=VALUE       Your blocklist.de account registered email or Id
'   -i, --ipaddress=VALUE   Attacker IP address
'   -s, --service=VALUE     Attacked service, eg: pop3, smtp, imap
'   -l, --logs=VALUE        Attack logs
'   -v, --verbose           Increase debug message verbosity
'   -h, --help              Show this message and exit

Function Lookup(strRegEx, strMatch) : Lookup = False
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = False
      .MultiLine = True
      .IgnoreCase = True
      If .Test(strMatch) Then Lookup = True
   End With
End Function

Sub OnHELO(oClient)
   Dim strRegEx
   '
   ' "[123.123.123.123]" is your public address, BOT's sometimes use that
   ' "mydomain.tld" and "mx.mydomain.tld" are also used by BOT's
   ' "0.0.0.0" may be a BOT or a misconfiguration
   ' "127.0.0.1" ... questionable, local device, BOT or spammer.
   ' "ylmf\-pc"
   '
   strRegEx = "^(\[123\.123\.123\.123\])$|" &_
              "^(mydomain\.tld)$|" &_
              "^(mx\.mydomain\.tld)$|" &_
              "(0\.0\.0\.0)|" &_
              "(127(?:\.[0-9]{1,3}){3})|" &_
              "^(ylmf\-pc)$"
   If Lookup(strRegEx, oClient.HELO) Then
      With CreateObject("WScript.Shell")
         .Run Chr(34) & Fail2Ban & Chr(34) &_
            " /a " & APIKey &_
            " /e " & ServerID &_
            " /i " & oClient.IPAddress &_
            " /s " & "badbot" &_
            " /l " & Escape(Now() & vbTab & "Common BOT infected EHLO/HELO hostname: " & oClient.HELO & vbCrLf & Now() & vbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port) &_
            "",0,True
      End With
      Exit Sub
   End If
   '
   ' Validate HELO/EHLO greeting. FQDN, IPv4 and IPv6 according to RFC.
   '
   Const strFQDN = "^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+(?:[a-z]{2,})$)$"
   Const strIPv4 = "^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
   Const strIPv6 = "^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}(?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$"
   strRegEx = strFQDN & "|" & strIPv4 & "|" & strIPv6
   If (Lookup(strRegEx, oClient.HELO) = False) Then
      Result.Value = 2
      Result.Message = "5.3.0 CODE03 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
End Sub

Sub OnClientLogon(oClient)
   Dim strRegEx, strService
   If Not oClient.Authenticated Then
      ' Fixed-width lookup: each port occupies 5 characters in the second string
      ' and maps to the 5-character service name at the same offset in the first.
      strService = Trim(Mid("SMTP SMTPSSUBM IMAP IMAPSPOP3 POP3S", _
                        InStr("25   465  587  143  993  110  995  ", oClient.Port), 5))
      ' Honeypot: user names that do not exist on this server
      strRegEx = "^(test|unix|sales|library|ldap|admin|administrator|news|printer|abuse)\@?"
      If Lookup(strRegEx, oClient.Username) Then
         With CreateObject("WScript.Shell")
            .Run Chr(34) & Fail2Ban & Chr(34) &_
               " /a " & APIKey &_
               " /e " & ServerID &_
               " /i " & oClient.IPAddress &_
               " /s " & strService &_
               " /l " & Escape(Now() & vbTab & "Failed login for a non-existent email address/account (honeypot)" & vbCrLf & Now() & vbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port) &_
               "",0,True
         End With
         Exit Sub
      End If
   End If
End Sub
SørenR.
Re: Urgent help please, spammers using my server
- In the OnClientLogon(oClient) event, oClient.Username always holds the value passed when authenticating the user, in later events like OnSmtpData, OnAcceptMessage the oClient.Username is empty when authentication has failed (to be compatible with current behavior/scripts)
- OnSmtpData, OnAcceptMessage events can also make use of the value oClient.Authenticated (Boolean)
Code: Select all
Sub OnClientLogon(oClient)
   If oClient.Authenticated Then
      EventLog.Write("Successful login for " & oClient.Username & " from " & oClient.IpAddress & " on port " & oClient.Port & "")
   Else
      EventLog.Write("Failed login for " & oClient.Username & " from " & oClient.IpAddress & " on port " & oClient.Port & "")
   End If
End Sub
Re: Urgent help please, spammers using my server
For the ones who already downloaded fail2ban.zip, i pushed a new version (1.1.0.2) that fixes a NullReferenceException
Re: Urgent help please, spammers using my server
Hello @RvDH
RvdH wrote: ↑2019-01-30 18:11
How to use?
First you need to register a account on blocklist.de, https://www.blocklist.de/en/register.html to get your own API key
Download
fail2ban.zip (Requires Net 4.5)
Code: Select all
fail2ban Options:
-a, --apikey=VALUE Your blocklist.de account API key
-e, --email=VALUE Your blocklist.de account registered email or Id
-i, --ipaddress=VALUE Attacker IP address
-s, --service=VALUE Attacked service, eg: pop3, smtp, imap
-l, --logs=VALUE Attack logs
-v, --verbose increase debug message verbosity
-h, --help show this message and exit
Function calling fail2ban from EventHandlers.vbs
Code: Select all
Function fail2ban(sIPAddress, sService, sLogs)
   dim sApikey : sApikey = "Your blocklist.de account API key"
   dim sServerId : sServerId = "Your blocklist.de account registered email or Id"
   With CreateObject("WScript.Shell")
      .Run """C:\Program Files (x86)\hMailServer\Events\fail2ban.exe"" /a " & sApikey & " /e " & sServerId & " /i " & sIPAddress & " /s " & sService & " /l " & sLogs & "",0,True
   End With
End Function
Usage example:
Code: Select all
Sub OnHELO(oClient)
   Dim oRegEx
   Set oRegEx = CreateObject("VBScript.RegExp")
   oRegEx.IgnoreCase = True
   oRegEx.Global = False
   oRegEx.Pattern = "^(ylmf\-pc)$"
   If oRegEx.Test(oClient.HELO) Then
      Call fail2ban(oClient.IPAddress, "badbot", Escape(Now() & VbTab & "Common bot infected EHLO/HELO hostname: " & oClient.HELO & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
   End If
   Set oRegEx = Nothing
End Sub
Usage example for use with my experimental build on OnClientLogon() :
Code: Select all
Sub OnClientLogon(oClient)
   If Not oClient.Authenticated then
      dim service : service = Empty
      Select Case oClient.Port
         Case 25, 465, 587
            service = "smtp"
         case 143, 993
            service = "imap"
         case 110, 995
            service = "pop3"
      End Select
      Dim oRegEx
      Set oRegEx = CreateObject("VBScript.RegExp")
      oRegEx.IgnoreCase = True
      oRegEx.Global = False
      oRegEx.Pattern = "^(test|unix|sales|library|ldap|admin|administrator|news|printer|abuse)\@?"
      If oRegEx.Test(oClient.Username) Then
         Call fail2ban(oClient.IPAddress, service, Escape(Now() & VbTab & "Failed login for a non-existent email address/account (honeypot)" & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
         Exit Sub
      End If
      Set oRegEx = Nothing
   End If
End Sub
Note: Logfile entries require a minimum of 20 characters and must include minimal 1 line-break
Followed this guide and getting the error
Code: Select all
"ERROR" 11724 "2022-09-02 10:34:19.502" "Script Error: Source: Microsoft VBScript runtime error - Error: 800A01C2 - Description: Wrong number of arguments or invalid property assignment: 'Escape' - Line: 2359 Column: 3 - Code: (null)"
Code: Select all
Call fail2ban(oClient.IPAddress, "badbot", Escape(Now() & VbTab & "Common bot infected EHLO/HELO hostname: " & oClient.HELO & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
TIA
Re: Urgent help please, spammers using my server
Escape is a VBS native function, eg: https://ss64.com/vb/escape.html
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup
Re: Urgent help please, spammers using my server
OK understood
Then any pointer what may be wrong in my code?
Re: Urgent help please, spammers using my server
Nah not really, just tested your str in a vbs, works fine
Code: Select all
dim strHELO, strPort, strIPAddress
strHELO = "ylmf-pc"
strPort = 25
strIPAddress = "127.0.0.1"
MsgBox Escape(Now() & VbTab & "Common bot infected EHLO/HELO hostname: " & strHELO & VbCrLf & Now() & VbTab & "Connection from IP address: " & strIPAddress & " on port: " & strPort)
Re: Urgent help please, spammers using my server
@Rvdh
Got it working, I had a Function named Escape which was used for other work and which clashed with native VB Escape
One small issue
How to prevent duplicate reporting in a short time span.
Code: Select all
1149 "2022-09-09 14:24:42.855" "REPORT: /i 20.171.55.188 /s smtp /l 09-09-2022%2014%3A24%3A42%09Common%2. ........."
1088 "2022-09-09 14:24:42.871" "REPORT: /i 20.171.55.188 /s smtp /l 09-09-2022%2014%3A24%3A42%09Common%2. ........."
Re: Urgent help please, spammers using my server
I combine it with an added autoban entry, so there will never be successive reports.
gotspatel wrote: ↑2022-09-09 11:52
@Rvdh
Got it working, I had a Function named Escape which was used for other work and which clashed with native VB Escape
One small issue
How to prevent duplicate reporting in a short time span.
Code: Select all
1149 "2022-09-09 14:24:42.855" "REPORT: /i 20.171.55.188 /s smtp /l 09-09-2022%2014%3A24%3A42%09Common%2. ........."
1088 "2022-09-09 14:24:42.871" "REPORT: /i 20.171.55.188 /s smtp /l 09-09-2022%2014%3A24%3A42%09Common%2. ........."
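One way to implement the approach from the last reply (add a temporary ban entry first, report only when that entry is new), written as an added example that is not code from any poster in this thread. `BanOnce`, `ADMIN_PASSWORD`, `BAN_MINUTES` and `LOCK_DIR` are hypothetical names and placeholder values; the ban is stored as an expiring IP range through hMailServer's COM API, and the per-IP lock file covers sessions that arrive milliseconds apart, as in the two REPORT lines above.

```vbscript
' Added example, not from the thread. The constants are placeholders/assumptions.
Const ADMIN_PASSWORD = "CHANGE-ME"   ' hMailServer Administrator password (placeholder)
Const BAN_MINUTES    = 60            ' assumed length of the temporary ban
Const LOCK_DIR       = "C:\Program Files (x86)\hMailServer\Temp"   ' assumed writable folder

' Returns True only for the first session that bans sIPAddress.
' Returns False while a ban entry for that IP exists or is being created.
Function BanOnce(sIPAddress, sReason)
    Dim oFso, oLock, sLock, oApp, oRanges, oRange, sName
    BanOnce = False
    sName = "(" & sReason & ") " & sIPAddress
    sLock = LOCK_DIR & "\report_" & Replace(Replace(sIPAddress, ":", "_"), ".", "_") & ".lck"
    Set oFso = CreateObject("Scripting.FileSystemObject")

    On Error Resume Next
    ' Per-IP lock: a second writer is refused while the first holds the file open,
    ' so a parallel session from the same IP stops here instead of reporting again.
    Set oLock = oFso.OpenTextFile(sLock, 2, True)   ' 2 = ForWriting, create if missing
    If Err.Number <> 0 Then Exit Function

    Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate("Administrator", ADMIN_PASSWORD)
    Set oRanges = oApp.Settings.SecurityRanges
    If Err.Number = 0 Then
        Set oRange = oRanges.ItemByName(sName)
        If Err.Number <> 0 Then          ' lookup failed: no ban entry for this IP yet
            Err.Clear
            Set oRange = oRanges.Add
            oRange.Name = sName
            oRange.LowerIP = sIPAddress
            oRange.UpperIP = sIPAddress
            oRange.Priority = 20         ' assumption: higher than the "Internet" range
            oRange.Expires = True
            oRange.ExpiresTime = DateAdd("n", BAN_MINUTES, Now())
            oRange.Save
            BanOnce = (Err.Number = 0)   ' report only if the ban was actually stored
        End If
    End If
    oLock.Close
    oFso.DeleteFile sLock
End Function

' Use inside the event handlers from the thread, for example in OnHELO:
'   If BanOnce(oClient.IPAddress, "badbot") Then
'       Call fail2ban(oClient.IPAddress, "badbot", sLogs)   ' sLogs built as in the thread
'   End If
```

Until the range expires, later hits from the same address return False and produce no second report. Keep the priority below that of the LAN and local ranges so a misfire cannot lock out internal clients.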