Urgent help please, spammers using my server

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Urgent help please, spammers using my server

Post by hottroc » 2017-04-01 14:11

Hi,

As the title suggests, I need to stop spammers sending their crap through my hMS. I can't understand how they are getting to do it.

Here is my diagnostics:

[code]
01/04/2017 13:09:19 Hmailserver: 5.6.7-B2407

IP: 127.0.0.1 - 127.0.0.1 Priority: 30 Name: My computer

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True !! ANTIVIRUS NOT CONFIGURED !!
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - False


IP: 192.168.0.1 - 192.168.0.255 Priority: 25 Name: MyLAN

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True !! ANTIVIRUS NOT CONFIGURED !!
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - False
Local To External - True Local To External - False
External To Local - True External To Local - False
External To External - True External To External - True


IP: 0.0.0.0 - 255.255.255.255 Priority: 11 Name: Internet

Allow connections Other
SMTP: True Antispam : True
POP3: True Antivirus: True !! ANTIVIRUS NOT CONFIGURED !!
IMAP: True SSL/TLS: False

Allow Deliveries from Require Authentication from
Local To Local - True Local To Local - True
Local To External - True Local To External - True
External To Local - True External To Local - False
External To External - False


------------------------------------------------------
AUTOBANNED Local Addresses:
No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
Autoban Enabled: True Max invalid logon attempts: 3
Minutes Before Reset: 30 (0.50 hours, 0.02 days)
Minutes to Autoban: 60 (1.00 hours, 0.04 days)

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
No entries
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL SPAM TESTS Score SPAMASSASSIN
Spam Mark: 5 Use SPF: False - 3 Use Spamassassin: True
Add X-HmailServer-Spam: True Check HELO host: True - 2 Hostname: 127.0.0.1
Add X-HmailServer-Reason: True Check MX records: False - 2 Port: 783
Add X-HmailServer-Subject: True Verify DKIM: False - 5 Use SA score: False - 5
Subject Text: "[SPAM]"
Spam delete threshold: 15 Maximum message size: 4096

GREYLISTING:
Greylisting: False

DNSBL ENTRIES:
zen.spamhaus.org Score: 4 Result: 127.0.0.2-8|127.0.0.10-11
bl.spamcop.net Score: 3 Result: 127.0.0.2
cbl.abuseat.org Score: 2 Result: 127.0.0.2
b.barracudacentral.org Score: 2 Result: 127.0.0.2

SURBL ENTRIES:
multi.surbl.org Score: 3
-----------------------------------------------------------------------------------------------

WHITELISTING
No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS: No application configured.

Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL/TLS
SSL 3.0 : False
TLS 1.0 : True
TLS 1.1 : True
TLS 1.2 : True Verify Remote SSL/TLS Certs: False
SslCipherList :

ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256
kEDH+AESGCM - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA - ECDHE-ECDSA-AES256-SHA
DHE-RSA-AES128-SHA256 - DHE-RSA-AES128-SHA - DHE-DSS-AES128-SHA256
DHE-RSA-AES256-SHA256 - DHE-DSS-AES256-SHA - DHE-RSA-AES256-SHA
AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-RSA-RC4-SHA
ECDHE-ECDSA-RC4-SHA - AES128 - AES256
RC4-SHA - HIGH - !aNULL
!eNULL - !EXPORT - !DES
!3DES - !MD5 - !PSK;
-----------------------------------------------------------------------------------------------

TCPIP PORTS Connection Sec
0.0.0.0 / 25 / SMTP - None
0.0.0.0 / 110 / POP3 - None
0.0.0.0 / 143 / IMAP - StartTLS Optional
0.0.0.0 / 465 / SMTP - SSL/TLS
-----------------------------------------------------------------------------------------------

LOGGING Logging Enabled: True

Paths:- Current: C:\Program Files (x86)\hMailServer\Logs\hmailserver_2017-04-01.log
Error: C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2017-04-01.log
Event: C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log
Awstats: C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
APPLICATION - True
SMTP - True
POP3 - .
IMAP - True
TCPIP - True
DEBUG - .
AWSTATS - .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL

IPv6 support is available in operating system.

Backup directory C:\Program Files (x86)\hMailServer\backup is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

[/code]
Generated by HMSSettingsDiagnostics v1.48, Hmailserver Forum.

Please help. Thanks.

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2017-04-01 15:02

I have disabled External to External deliveries from my Local IP range.

Here is a sample of one of hundreds of messages I found in my delivery queue:


Received: from [127.0.0.1] (10.208.237.221.broad.dz.sc.dynamic.163data.com.cn [221.237.208.10])
	by mail.hottroc.co.uk with ESMTPSA
	(version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256)
	; Sat, 1 Apr 2017 13:37:53 +0100
From: james@jctconsulting.com
To: leonisa.saliva@wanadoo.com
Cc: scholz@ferguson.com, qhi4u@yahoo.com, breecemom01@yahoo.com,
 kennydhicks@yahoo.com, mbhughes@hotmail.com, jjpenaalfaro@yahoo.com
Subject: N(C(Cc1ccccc1)C)C?
Message-ID: <62807DC9.3FF1EE6DD437ECCD@jctconsulting.com>
X-Priority: 3
Importance: Normal
Date: Sat, 1 Apr 2017 15:37:49 +0300
Content-Type: multipart/alternative;
 boundary="--InfrawareEmailBoundaryDepth1_4CCFF2E1--"
MIME-Version: 1.0
X-Mailer: Infraware POLARIS Mobile Mailer v2.5

This is a multi-part message in MIME format

----InfrawareEmailBoundaryDepth1_4CCFF2E1--
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

http://barryhutchison.com/M1O4kR
Is little evidence to judge the abuse!
A pilot Phase I clinical trial conducted? Within 3=C3=A2=E2=82=AC=E2=80=
=9C20 minutes of injection? Is little evidence to judge the abuse!

----InfrawareEmailBoundaryDepth1_4CCFF2E1--
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<a href=3D"http://barryhutchison.com/M1O4kR">Tramadol is a synthetic o=
pioid of!</a> <p>Is little evidence to judge the abuse!</p> <p>A pilot=
 Phase I clinical trial conducted? Within 3=C3=A2=E2=82=AC=E2=80=9C20 =
minutes of injection? Is little evidence to judge the abuse!

----InfrawareEmailBoundaryDepth1_4CCFF2E1----


But I don't understand....if the system is getting this wrong and allowing external clients to present themselves as the local machine then surely the whole system is flawed and vulnerable?

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: Urgent help please, spammers using my server

Post by Dravion » 2017-04-01 15:18

Not direct instant help, but do yourself and us a favour and report this bastard to the network owner's anti-spam department

$ whois 221.237.208.10
% Information related to '221.236.0.0 - 221.237.255.255'

inetnum: 221.236.0.0 - 221.237.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN

e-mail: anti-spam@ns.chinanet.cn.net <---

Just write an email to the above email address, describe your situation and copy
and paste the following log entry into your email:

Attacking spam host:
(10.208.237.221.broad.dz.sc.dynamic.163data.com.cn [221.237.208.10])
Date: Sat, 1 Apr 2017 13:37 +0100


Next you should set up your hMailServer IP ranges correctly. You can also block regions,
networks and whole countries via GEO-IP blocking. I block China and Russia because I have no business with them but many attacks.

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2017-04-01 16:08

Dravion wrote:Not direct instant help, but do yourself and us a favour and report this bastard to the network owner's anti-spam department

$ whois 221.237.208.10
Thanks for the help and info, I will do that.
Dravion wrote:Next you should set up your hMailServer IP ranges correctly.
What haven't I got set correctly?
Dravion wrote:You can also block regions,
networks and whole countries via GEO-IP blocking. I block China and Russia because I have no business with them but many attacks.
OK, I didn't know that was possible. Would the block relate purely to hMS and email? If so I will definitely do the same, as I never directly email those countries.

How is this set? I cannot find GEO-IP block in hMS Administrator anywhere.

Dravion
Senior user
Posts: 2071
Joined: 2015-09-26 11:50
Location: Germany

Re: Urgent help please, spammers using my server

Post by Dravion » 2017-04-01 16:11

No. It's not only email. Every connection attempt from a geoblocked IP range will be dropped.

GEO-blocking is something you must do outside hMailServer, at operating system level with a
firewall. On Linux there is a built-in solution to filter IP blocks, but on Windows you need
third-party networking software which can do the same.

PS:
This how-to and PowerShell script can do almost the same as the Linux built-in solution,
but you need a bit of PowerShell and firewall understanding:

https://cyber-defense.sans.org/blog/201 ... ork-ranges

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2017-04-01 17:40

OK thanks, I'll have a look at that soon, thanks.

In the meantime, I was trying to send the email you suggested in your first reply, but since I disallowed the External to External deliveries hMS appears to be blocking me from sending my own email out from one of my domain "Names". It has sat in the delivery queue and retried 3 times so far. However this action (unticking Ext to Ext) has at least stopped the spammers and I have deleted all the spam messages that were in the queue and no new spam is being added....but I need my own mail to work.

So what is wrong with my config?

Thanks.

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2017-04-01 19:30

Oh no, my mistake, my mail is still working as I sent a test, it's just the one to that abuse email address that is not going.

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2017-04-01 19:35

Dravion wrote:No. It's not only email. Every connection attempt from a geoblocked IP range will be dropped....but on Windows you need
third-party networking software which can do the same.
OK, so will that block incoming and outgoing connections? I occasionally buy things from sellers in China and look at Chinese websites etc., so I don't want to block everything.

I am on Windows; would Windows Firewall do the trick, or would a firewall such as Comodo do it?
Dravion wrote:PS:
This how-to and PowerShell script can do almost the same as the Linux built-in solution,
but you need a bit of PowerShell and firewall understanding:
https://cyber-defense.sans.org/blog/201 ... ork-ranges
Will look at that soon, many thanks, just a bit snowed under atm.

mattg
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Urgent help please, spammers using my server

Post by mattg » 2017-04-02 00:54

hottroc wrote:But I don't understand....if the system is getting this wrong and allowing external clients to present themselves as the local machine then surely the whole system is flawed and vulnerable?
hMailServer is as secure as your passwords if set correctly, and default settings are correct for 99%+ of users.

Can you show some logs of your hmailserver receiving mail if you think it is still allowing spam to be sent from it...

If you have mail in your queue that you don't want to deliver, then you can simply delete it
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2017-04-02 13:53

mattg wrote:hMailserver is as secure as your passwords if set correctly, and default settings are correct for 99%+ of users.
Can you show some logs of your hmailserver receiving mail if you think it is still allowing spam to be sent from it...
I'll just post a sample, let me know if you need more...


"APPLICATION"	19520	"2017-04-02 09:01:36.480"	"SMTPDeliverer - Message 15005: Message delivery thread completed."
"SMTPC"	20212	17462	"2017-04-02 09:01:36.543"	"212.159.9.107"	"RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC"	20212	17462	"2017-04-02 09:01:36.543"	"212.159.9.107"	"SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC"	20164	17462	"2017-04-02 09:01:36.574"	"212.159.9.107"	"RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC"	20164	17462	"2017-04-02 09:01:36.574"	"212.159.9.107"	"SENT: RCPT TO:<lapem@hotmail.com>"
"SMTPD"	20128	17442	"2017-04-02 09:01:37.466"	"58.17.124.8"	"RECEIVED: EHLO [127.0.0.1]"
"SMTPD"	20128	17442	"2017-04-02 09:01:37.466"	"58.17.124.8"	"SENT: 250-mail.hottroc.co.uk[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	20212	17442	"2017-04-02 09:01:38.763"	"58.17.124.8"	"RECEIVED: AUTH LOGIN"
"SMTPD"	20212	17442	"2017-04-02 09:01:38.763"	"58.17.124.8"	"SENT: 334 VXNlcm5hbWU6"
"SMTPC"	20164	17460	"2017-04-02 09:01:39.294"	"212.159.8.107"	"RECEIVED: 452 <artkathmarie@gmail.com> too many recipients in last hour"
"SMTPC"	20164	17460	"2017-04-02 09:01:39.294"	"212.159.8.107"	"SENT: RCPT TO:<artandmel2003@yahoo.ca>"
"TCPIP"	20072	"2017-04-02 09:01:39.294"	"Connecting to 212.159.9.107:25..."
"SMTPD"	20164	17442	"2017-04-02 09:01:39.841"	"58.17.124.8"	"RECEIVED: amFtZXNAamN0Y29uc3VsdGluZy5jb20="
"SMTPD"	20164	17442	"2017-04-02 09:01:39.841"	"58.17.124.8"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPC"	20164	17463	"2017-04-02 09:01:40.388"	"212.159.9.107"	"RECEIVED: 220 avasout01 smtp relay.plus.net"
"SMTPC"	20164	17463	"2017-04-02 09:01:40.388"	"212.159.9.107"	"SENT: HELO mail.hottroc.co.uk"
"SMTPC"	20164	17463	"2017-04-02 09:01:40.419"	"212.159.9.107"	"RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC"	20164	17463	"2017-04-02 09:01:40.419"	"212.159.9.107"	"SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC"	20212	17463	"2017-04-02 09:01:40.468"	"212.159.9.107"	"RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC"	20212	17463	"2017-04-02 09:01:40.468"	"212.159.9.107"	"SENT: RCPT TO:<artkathmarie@gmail.com>"
"SMTPC"	20164	17461	"2017-04-02 09:01:40.686"	"212.159.9.107"	"RECEIVED: 452 <sico143@yahoo.com> too many recipients in last hour"
"SMTPC"	20164	17461	"2017-04-02 09:01:40.686"	"212.159.9.107"	"SENT: RCPT TO:<enkov@scps.k12.fl.us>"
"APPLICATION"	20076	"2017-04-02 09:01:40.686"	"SMTPDeliverer - Message 15006: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION"	20076	"2017-04-02 09:01:40.686"	"SMTPDeliverer - Message 15006: Message delivery thread completed."
"SMTPC"	20212	17462	"2017-04-02 09:01:41.577"	"212.159.9.107"	"RECEIVED: 452 <lapem@hotmail.com> too many recipients in last hour"
"SMTPC"	20212	17462	"2017-04-02 09:01:41.577"	"212.159.9.107"	"SENT: RCPT TO:<oberrader@online.de>"
"APPLICATION"	20040	"2017-04-02 09:01:41.577"	"SMTPDeliverer - Message 15007: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION"	20040	"2017-04-02 09:01:41.577"	"SMTPDeliverer - Message 15007: Message delivery thread completed."
"SMTPD"	20128	17442	"2017-04-02 09:01:42.077"	"58.17.124.8"	"RECEIVED: ***"
"SMTPD"	20128	17442	"2017-04-02 09:01:42.093"	"58.17.124.8"	"SENT: 235 authenticated."
"SMTPD"	20164	17442	"2017-04-02 09:01:43.108"	"58.17.124.8"	"RECEIVED: RSET"
"SMTPD"	20164	17442	"2017-04-02 09:01:43.108"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:01:45.078"	"58.17.124.8"	"RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD"	20164	17442	"2017-04-02 09:01:45.078"	"58.17.124.8"	"SENT: 250 OK"
"SMTPC"	20128	17463	"2017-04-02 09:01:45.485"	"212.159.9.107"	"RECEIVED: 452 <artkathmarie@gmail.com> too many recipients in last hour"
"SMTPC"	20128	17463	"2017-04-02 09:01:45.485"	"212.159.9.107"	"SENT: RCPT TO:<artandmel2003@yahoo.ca>"
"APPLICATION"	20072	"2017-04-02 09:01:45.485"	"SMTPDeliverer - Message 15008: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION"	20072	"2017-04-02 09:01:45.485"	"SMTPDeliverer - Message 15008: Message delivery thread completed."
"SMTPD"	20212	17442	"2017-04-02 09:01:47.626"	"58.17.124.8"	"RECEIVED: RCPT TO:<evg@bis.midco.net>"
"SMTPD"	20212	17442	"2017-04-02 09:01:47.626"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:01:49.768"	"58.17.124.8"	"RECEIVED: RCPT TO:<charles_antle@yahoo.ca>"
"SMTPD"	20212	17442	"2017-04-02 09:01:49.783"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:01:50.721"	"58.17.124.8"	"RECEIVED: RCPT TO:<chapmanlouis32@gmail.com>"
"SMTPD"	20164	17442	"2017-04-02 09:01:50.721"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:01:51.613"	"58.17.124.8"	"RECEIVED: RCPT TO:<vik.seeborun@candi.ac.uk>"
"SMTPD"	20128	17442	"2017-04-02 09:01:51.613"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:01:52.753"	"58.17.124.8"	"RECEIVED: RCPT TO:<rhindss@aol.com>"
"SMTPD"	20128	17442	"2017-04-02 09:01:52.753"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:01:53.832"	"58.17.124.8"	"RECEIVED: RCPT TO:<hs@kvale.no>"
"SMTPD"	20128	17442	"2017-04-02 09:01:53.832"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:01:54.723"	"58.17.124.8"	"RECEIVED: RCPT TO:<faussie11@hotmail.com>"
"SMTPD"	20164	17442	"2017-04-02 09:01:54.738"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:01:56.739"	"58.17.124.8"	"RECEIVED: RCPT TO:<leeee2@juno.com>"
"SMTPD"	20128	17442	"2017-04-02 09:01:56.739"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:01:59.333"	"58.17.124.8"	"RECEIVED: RCPT TO:<legbaa@hotmail.com>"
"SMTPD"	20212	17442	"2017-04-02 09:01:59.333"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:02:00.413"	"58.17.124.8"	"RECEIVED: RCPT TO:<anthony.cinquemano.jdq0@statefarm.com>"
"SMTPD"	20164	17442	"2017-04-02 09:02:00.413"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:02:01.460"	"58.17.124.8"	"RECEIVED: RCPT TO:<onoyes@yahoo.com>"
"SMTPD"	20164	17442	"2017-04-02 09:02:01.460"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:02:02.413"	"58.17.124.8"	"RECEIVED: RCPT TO:<nelson@hotelonix.pt>"
"SMTPD"	20164	17442	"2017-04-02 09:02:02.413"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:02:03.428"	"58.17.124.8"	"RECEIVED: RCPT TO:<wildmandan64@yahoo.com>"
"SMTPD"	20128	17442	"2017-04-02 09:02:03.428"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:02:06.184"	"58.17.124.8"	"RECEIVED: RCPT TO:<cchristian007@videotron.ca>"
"SMTPD"	20212	17442	"2017-04-02 09:02:06.184"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:02:07.296"	"58.17.124.8"	"RECEIVED: RCPT TO:<william_bellman@hotmail.com>"
"SMTPD"	20212	17442	"2017-04-02 09:02:07.296"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:02:09.579"	"58.17.124.8"	"RECEIVED: RCPT TO:<donmeckler@msn.com>"
"SMTPD"	20212	17442	"2017-04-02 09:02:09.594"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:02:10.422"	"58.17.124.8"	"RECEIVED: RCPT TO:<mauldin@resilientelectric.com>"
"SMTPD"	20128	17442	"2017-04-02 09:02:10.422"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:02:11.204"	"58.17.124.8"	"RECEIVED: RCPT TO:<adorf@zabra.de>"
"SMTPD"	20164	17442	"2017-04-02 09:02:11.204"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:02:12.688"	"58.17.124.8"	"RECEIVED: DATA"
"SMTPD"	20212	17442	"2017-04-02 09:02:12.688"	"58.17.124.8"	"SENT: 354 OK, send."
"SMTPD"	15780	17442	"2017-04-02 09:02:15.080"	"58.17.124.8"	"SENT: 250 Queued (2.360 seconds)"
"APPLICATION"	20072	"2017-04-02 09:02:15.080"	"SMTPDeliverer - Message 15009: Delivering message from james@jctconsulting.com to evg@bis.midco.net, charles_antle@yahoo.ca, chapmanlouis32@gmail.com, vik.seeborun@candi.ac.uk, rhindss@aol.com, hs@kvale.no, faussie11@hotmail.com, leeee2@juno.com, legbaa@hotmail.com, anthony.cinquemano.jdq0@statefarm.com, onoyes@yahoo.com, nelson@hotelonix.pt, wildmandan64@yahoo.com, cchristian007@videotron.ca, william_bellman@hotmail.com, donmeckler@msn.com, mauldin@resilientelectric.com, adorf@zabra.de. File: C:\Program Files (x86)\hMailServer\Data\{FA6CC5D1-D97B-4950-813E-F29996733DB6}.eml"
"APPLICATION"	20072	"2017-04-02 09:02:15.127"	"SMTPDeliverer - Message 15009: Relaying to host relay.plus.net."
"TCPIP"	20072	"2017-04-02 09:02:15.127"	"Connecting to 212.159.8.107:25..."
"SMTPC"	20128	17464	"2017-04-02 09:02:16.205"	"212.159.8.107"	"RECEIVED: 220 avasout04 smtp relay.plus.net"
"SMTPC"	20128	17464	"2017-04-02 09:02:16.205"	"212.159.8.107"	"SENT: HELO mail.hottroc.co.uk"
"SMTPC"	20164	17464	"2017-04-02 09:02:16.236"	"212.159.8.107"	"RECEIVED: 250 avasout04 hello [195.166.157.113], pleased to meet you"
"SMTPC"	20164	17464	"2017-04-02 09:02:16.236"	"212.159.8.107"	"SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC"	20212	17464	"2017-04-02 09:02:16.283"	"212.159.8.107"	"RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC"	20212	17464	"2017-04-02 09:02:16.283"	"212.159.8.107"	"SENT: RCPT TO:<adorf@zabra.de>"
"SMTPD"	20212	17442	"2017-04-02 09:02:17.410"	"58.17.124.8"	"RECEIVED: RSET"
"SMTPD"	20212	17442	"2017-04-02 09:02:17.410"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:02:18.786"	"58.17.124.8"	"RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD"	20128	17442	"2017-04-02 09:02:18.786"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:02:19.817"	"58.17.124.8"	"RECEIVED: RCPT TO:<rnsm4@yahoo.com>"
"SMTPD"	20164	17442	"2017-04-02 09:02:19.832"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:02:21.209"	"58.17.124.8"	"RECEIVED: RCPT TO:<firstmark@me.com>"
"SMTPD"	20128	17442	"2017-04-02 09:02:21.209"	"58.17.124.8"	"SENT: 250 OK"
"SMTPC"	20212	17464	"2017-04-02 09:02:21.303"	"212.159.8.107"	"RECEIVED: 452 <adorf@zabra.de> too many recipients in last hour"
"SMTPC"	20212	17464	"2017-04-02 09:02:21.303"	"212.159.8.107"	"SENT: RCPT TO:<cchristian007@videotron.ca>"
"TCPIP"	20072	"2017-04-02 09:02:21.303"	"Connecting to 212.159.9.107:25..."
"SMTPD"	20128	17442	"2017-04-02 09:02:22.162"	"58.17.124.8"	"RECEIVED: RCPT TO:<munoz2287@windstream.net>"
"SMTPD"	20128	17442	"2017-04-02 09:02:22.162"	"58.17.124.8"	"SENT: 250 OK"
"SMTPC"	20164	17465	"2017-04-02 09:02:22.381"	"212.159.9.107"	"RECEIVED: 220 avasout01 smtp relay.plus.net"
"SMTPC"	20164	17465	"2017-04-02 09:02:22.381"	"212.159.9.107"	"SENT: HELO mail.hottroc.co.uk"
"SMTPC"	20128	17465	"2017-04-02 09:02:22.428"	"212.159.9.107"	"RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC"	20128	17465	"2017-04-02 09:02:22.428"	"212.159.9.107"	"SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC"	20164	17465	"2017-04-02 09:02:22.460"	"212.159.9.107"	"RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC"	20164	17465	"2017-04-02 09:02:22.460"	"212.159.9.107"	"SENT: RCPT TO:<adorf@zabra.de>"
"SMTPD"	20212	17442	"2017-04-02 09:02:23.179"	"58.17.124.8"	"RECEIVED: RCPT TO:<dubchak.alexandr@hotmail.com>"
"SMTPD"	20212	17442	"2017-04-02 09:02:23.179"	"58.17.124.8"	"SENT: 250 OK"
"SMTPC"	20128	17465	"2017-04-02 09:02:27.480"	"212.159.9.107"	"RECEIVED: 452 <adorf@zabra.de> too many recipients in last hour"
"SMTPC"	20128	17465	"2017-04-02 09:02:27.480"	"212.159.9.107"	"SENT: RCPT TO:<cchristian007@videotron.ca>"
"APPLICATION"	20072	"2017-04-02 09:02:27.480"	"SMTPDeliverer - Message 15009: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION"	20072	"2017-04-02 09:02:27.480"	"SMTPDeliverer - Message 15009: Message delivery thread completed."
"SMTPD"	20164	17442	"2017-04-02 09:02:27.777"	"58.17.124.8"	"RECEIVED: RCPT TO:<themitchproject@gmail.com>"
"SMTPD"	20164	17442	"2017-04-02 09:02:27.777"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:02:32.107"	"58.17.124.8"	"RECEIVED: RCPT TO:<dennisc1@gci.net>"
"SMTPD"	20128	17442	"2017-04-02 09:02:32.107"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:02:36.704"	"58.17.124.8"	"RECEIVED: RCPT TO:<romalaguna@yahoo.com>"
"SMTPD"	20212	17442	"2017-04-02 09:02:36.720"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:02:38.283"	"58.17.124.8"	"RECEIVED: RCPT TO:<pockebackman@hotmail.com>"
"SMTPD"	20212	17442	"2017-04-02 09:02:38.298"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:02:40.018"	"58.17.124.8"	"RECEIVED: RCPT TO:<bill_muck@yahoo.com>"
"SMTPD"	20128	17442	"2017-04-02 09:02:40.018"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20128	17442	"2017-04-02 09:02:41.049"	"58.17.124.8"	"RECEIVED: DATA"
"SMTPD"	20128	17442	"2017-04-02 09:02:41.049"	"58.17.124.8"	"SENT: 354 OK, send."
"SMTPD"	15780	17442	"2017-04-02 09:02:42.598"	"58.17.124.8"	"SENT: 250 Queued (1.528 seconds)"
"APPLICATION"	20072	"2017-04-02 09:02:42.613"	"SMTPDeliverer - Message 15010: Delivering message from james@jctconsulting.com to rnsm4@yahoo.com, firstmark@me.com, munoz2287@windstream.net, dubchak.alexandr@hotmail.com, themitchproject@gmail.com, dennisc1@gci.net, romalaguna@yahoo.com, pockebackman@hotmail.com, bill_muck@yahoo.com. File: C:\Program Files (x86)\hMailServer\Data\{245DC3D9-5D99-4AAF-BBEE-8CB8AA16BB3B}.eml"
"APPLICATION"	20072	"2017-04-02 09:02:42.645"	"SMTPDeliverer - Message 15010: Relaying to host relay.plus.net."
"TCPIP"	20072	"2017-04-02 09:02:42.645"	"Connecting to 212.159.8.107:25..."
"SMTPC"	20212	17466	"2017-04-02 09:02:43.692"	"212.159.8.107"	"RECEIVED: 220 avasout04 smtp relay.plus.net"
"SMTPC"	20212	17466	"2017-04-02 09:02:43.692"	"212.159.8.107"	"SENT: HELO mail.hottroc.co.uk"
"SMTPC"	20128	17466	"2017-04-02 09:02:43.739"	"212.159.8.107"	"RECEIVED: 250 avasout04 hello [195.166.157.113], pleased to meet you"
"SMTPC"	20128	17466	"2017-04-02 09:02:43.739"	"212.159.8.107"	"SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC"	20128	17466	"2017-04-02 09:02:43.770"	"212.159.8.107"	"RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC"	20128	17466	"2017-04-02 09:02:43.770"	"212.159.8.107"	"SENT: RCPT TO:<firstmark@me.com>"
"SMTPD"	20212	17442	"2017-04-02 09:02:46.442"	"58.17.124.8"	"RECEIVED: RSET"
"SMTPD"	20212	17442	"2017-04-02 09:02:46.442"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:02:47.912"	"58.17.124.8"	"RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD"	20164	17442	"2017-04-02 09:02:47.912"	"58.17.124.8"	"SENT: 250 OK"
"SMTPC"	20128	17466	"2017-04-02 09:02:48.787"	"212.159.8.107"	"RECEIVED: 452 <firstmark@me.com> too many recipients in last hour"
"SMTPC"	20128	17466	"2017-04-02 09:02:48.803"	"212.159.8.107"	"SENT: RCPT TO:<themitchproject@gmail.com>"
"TCPIP"	20072	"2017-04-02 09:02:48.803"	"Connecting to 212.159.9.107:25..."
"SMTPD"	20164	17442	"2017-04-02 09:02:49.443"	"58.17.124.8"	"RECEIVED: RCPT TO:<hondamaniac600v@yahoo.com>"
"SMTPD"	20164	17442	"2017-04-02 09:02:49.459"	"58.17.124.8"	"SENT: 250 OK"
"SMTPC"	20128	17467	"2017-04-02 09:02:49.882"	"212.159.9.107"	"RECEIVED: 220 avasout01 smtp relay.plus.net"
"SMTPC"	20128	17467	"2017-04-02 09:02:49.882"	"212.159.9.107"	"SENT: HELO mail.hottroc.co.uk"
"SMTPC"	20212	17467	"2017-04-02 09:02:49.929"	"212.159.9.107"	"RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC"	20212	17467	"2017-04-02 09:02:49.929"	"212.159.9.107"	"SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC"	20164	17467	"2017-04-02 09:02:49.961"	"212.159.9.107"	"RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC"	20164	17467	"2017-04-02 09:02:49.961"	"212.159.9.107"	"SENT: RCPT TO:<firstmark@me.com>"
"SMTPD"	20164	17442	"2017-04-02 09:02:51.477"	"58.17.124.8"	"RECEIVED: RCPT TO:<aronoff@checkbookengineering.com>"
"SMTPD"	20164	17442	"2017-04-02 09:02:51.492"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20212	17442	"2017-04-02 09:02:52.852"	"58.17.124.8"	"RECEIVED: RCPT TO:<hoanghaivupham@yahoo.com>"
"SMTPD"	20212	17442	"2017-04-02 09:02:52.852"	"58.17.124.8"	"SENT: 250 OK"
"SMTPD"	20164	17442	"2017-04-02 09:02:53.899"	"58.17.124.8"	"RECEIVED: RCPT TO:<beube@videotron.ca>"
"SMTPD"	20164	17442	"2017-04-02 09:02:53.899"	"58.17.124.8"	"SENT: 250 OK"
"SMTPC"	20128	17467	"2017-04-02 09:02:54.977"	"212.159.9.107"	"RECEIVED: 452 <firstmark@me.com> too many recipients in last hour"
"SMTPC"	20128	17467	"2017-04-02 09:02:54.977"	"212.159.9.107"	"SENT: RCPT TO:<themitchproject@gmail.com>"
"APPLICATION"	20072	"2017-04-02 09:02:54.977"	"SMTPDeliverer - Message 15010: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"APPLICATION"	20072	"2017-04-02 09:02:54.993"	"SMTPDeliverer - Message 15010: Message delivery thread completed."


"SMTPD"	20164	17836	"2017-04-02 09:14:44.064"	"61.54.110.110"	"RECEIVED: RCPT TO:<kimandgreg@sbcglobal.net>"
"SMTPD"	20164	17836	"2017-04-02 09:14:44.064"	"61.54.110.110"	"SENT: 250 OK"
"SMTPD"	20164	17879	"2017-04-02 09:14:44.424"	"220.177.50.195"	"RECEIVED: RCPT TO:<mrfreddie@earthlink.net>"
"SMTPD"	20164	17879	"2017-04-02 09:14:44.424"	"220.177.50.195"	"SENT: 250 OK"
"SMTPD"	20172	17836	"2017-04-02 09:14:44.658"	"61.54.110.110"	"RECEIVED: RCPT TO:<casslarsen@cox.net>"
"SMTPD"	20172	17836	"2017-04-02 09:14:44.658"	"61.54.110.110"	"SENT: 250 OK"
"SMTPD"	20164	17879	"2017-04-02 09:14:45.128"	"220.177.50.195"	"RECEIVED: RCPT TO:<demetry189@hotmail.com>"
"SMTPD"	20164	17879	"2017-04-02 09:14:45.128"	"220.177.50.195"	"SENT: 250 OK"
"SMTPC"	20172	17913	"2017-04-02 09:14:45.300"	"212.159.8.107"	"RECEIVED: 452 <lrieke7030@gmail.com> too many recipients in last hour"
"SMTPC"	20172	17913	"2017-04-02 09:14:45.300"	"212.159.8.107"	"SENT: RCPT TO:<james.thompson2@verizon.net>"
"TCPIP"	20064	"2017-04-02 09:14:45.300"	"Connecting to 212.159.9.107:25..."
"SMTPD"	20164	17836	"2017-04-02 09:14:45.331"	"61.54.110.110"	"RECEIVED: RCPT TO:<enkqp@dadd.ti.com>"
"SMTPD"	20164	17836	"2017-04-02 09:14:45.331"	"61.54.110.110"	"SENT: 250 OK"
"SMTPD"	20164	17836	"2017-04-02 09:14:45.987"	"61.54.110.110"	"RECEIVED: RCPT TO:<j_iliz@yahoo.com>"
"SMTPD"	20164	17836	"2017-04-02 09:14:45.987"	"61.54.110.110"	"SENT: 250 OK"
"SMTPD"	20172	17879	"2017-04-02 09:14:46.019"	"220.177.50.195"	"RECEIVED: RCPT TO:<osbert.wilde@gmail.com>"
"SMTPD"	20172	17879	"2017-04-02 09:14:46.019"	"220.177.50.195"	"SENT: 250 OK"
"SMTPC"	20172	17923	"2017-04-02 09:14:46.394"	"212.159.9.107"	"RECEIVED: 220 avasout01 smtp relay.plus.net"
"SMTPC"	20172	17923	"2017-04-02 09:14:46.394"	"212.159.9.107"	"SENT: HELO mail.hottroc.co.uk"
"SMTPC"	20164	17923	"2017-04-02 09:14:46.425"	"212.159.9.107"	"RECEIVED: 250 avasout01 hello [195.166.157.113], pleased to meet you"
"SMTPC"	20164	17923	"2017-04-02 09:14:46.425"	"212.159.9.107"	"SENT: MAIL FROM:<james@jctconsulting.com>"
"SMTPC"	20164	17923	"2017-04-02 09:14:46.472"	"212.159.9.107"	"RECEIVED: 250 <james@jctconsulting.com> sender ok"
"SMTPC"	20164	17923	"2017-04-02 09:14:46.472"	"212.159.9.107"	"SENT: RCPT TO:<lrieke7030@gmail.com>"
"SMTPC"	20128	17916	"2017-04-02 09:14:46.487"	"212.159.9.107"	"RECEIVED: 452 <riviera1975@live.it> too many recipients in last hour"
"SMTPC"	20164	17921	"2017-04-02 09:14:46.487"	"212.159.9.107"	"RECEIVED: 452 <bradkaminski@msn.com> too many recipients in last hour"
"SMTPC"	20204	17917	"2017-04-02 09:14:46.487"	"212.159.9.107"	"RECEIVED: 452 <louise@averyhouse.wanadoo.co.uk> too many recipients in last hour"
"SMTPC"	20172	17914	"2017-04-02 09:14:46.487"	"212.159.9.107"	"RECEIVED: 452 <schnekla_223@jfreed.com> too many recipients in last hour"
If you have mail in your queue that you don't want to deliver, then you can simply delete it
Thanks, yes, I've done that now, but lots had still gone out (I am getting the bouncebacks), so I'm hoping I don't get blacklisted, and of course that it won't happen again.

tunis
Senior user
Posts: 351
Joined: 2015-01-05 20:22
Location: Sweden

Re: Urgent help please, spammers using my server

Post by tunis » 2017-04-02 14:13

As shown in the log, the james@jctconsulting.com account is being used for sending.
You need to change that password!

Code:
"SMTPD" 20128 17442 "2017-04-02 09:01:37.466" "58.17.124.8" "RECEIVED: EHLO [127.0.0.1]"
"SMTPD" 20128 17442 "2017-04-02 09:01:37.466" "58.17.124.8" "SENT: 250-mail.hottroc.co.uk[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 20212 17442 "2017-04-02 09:01:38.763" "58.17.124.8" "RECEIVED: AUTH LOGIN"
"SMTPD" 20212 17442 "2017-04-02 09:01:38.763" "58.17.124.8" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 20164 17442 "2017-04-02 09:01:39.841" "58.17.124.8" "RECEIVED: amFtZXNAamN0Y29uc3VsdGluZy5jb20=" [ james@jctconsulting.com ]
"SMTPD" 20164 17442 "2017-04-02 09:01:39.841" "58.17.124.8" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 20128 17442 "2017-04-02 09:01:42.077" "58.17.124.8" "RECEIVED: ***"
"SMTPD" 20128 17442 "2017-04-02 09:01:42.093" "58.17.124.8" "SENT: 235 authenticated."
"SMTPD" 20164 17442 "2017-04-02 09:01:43.108" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20164 17442 "2017-04-02 09:01:43.108" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:45.078" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:45.078" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:01:47.626" "58.17.124.8" "RECEIVED: RCPT TO:<evg@bis.midco.net>"
"SMTPD" 20212 17442 "2017-04-02 09:01:47.626" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:01:49.768" "58.17.124.8" "RECEIVED: RCPT TO:<charles_antle@yahoo.ca>"
"SMTPD" 20212 17442 "2017-04-02 09:01:49.783" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:50.721" "58.17.124.8" "RECEIVED: RCPT TO:<chapmanlouis32@gmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:50.721" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:51.613" "58.17.124.8" "RECEIVED: RCPT TO:<vik.seeborun@candi.ac.uk>"
"SMTPD" 20128 17442 "2017-04-02 09:01:51.613" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:52.753" "58.17.124.8" "RECEIVED: RCPT TO:<rhindss@aol.com>"
"SMTPD" 20128 17442 "2017-04-02 09:01:52.753" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:53.832" "58.17.124.8" "RECEIVED: RCPT TO:<hs@kvale.no>"
"SMTPD" 20128 17442 "2017-04-02 09:01:53.832" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:01:54.723" "58.17.124.8" "RECEIVED: RCPT TO:<faussie11@hotmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:01:54.738" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:01:56.739" "58.17.124.8" "RECEIVED: RCPT TO:<leeee2@juno.com>"
"SMTPD" 20128 17442 "2017-04-02 09:01:56.739" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:01:59.333" "58.17.124.8" "RECEIVED: RCPT TO:<legbaa@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:01:59.333" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:00.413" "58.17.124.8" "RECEIVED: RCPT TO:<anthony.cinquemano.jdq0@statefarm.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:00.413" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:01.460" "58.17.124.8" "RECEIVED: RCPT TO:<onoyes@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:01.460" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:02.413" "58.17.124.8" "RECEIVED: RCPT TO:<nelson@hotelonix.pt>"
"SMTPD" 20164 17442 "2017-04-02 09:02:02.413" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:03.428" "58.17.124.8" "RECEIVED: RCPT TO:<wildmandan64@yahoo.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:03.428" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:06.184" "58.17.124.8" "RECEIVED: RCPT TO:<cchristian007@videotron.ca>"
"SMTPD" 20212 17442 "2017-04-02 09:02:06.184" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:07.296" "58.17.124.8" "RECEIVED: RCPT TO:<william_bellman@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:07.296" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:09.579" "58.17.124.8" "RECEIVED: RCPT TO:<donmeckler@msn.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:09.594" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:10.422" "58.17.124.8" "RECEIVED: RCPT TO:<mauldin@resilientelectric.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:10.422" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:11.204" "58.17.124.8" "RECEIVED: RCPT TO:<adorf@zabra.de>"
"SMTPD" 20164 17442 "2017-04-02 09:02:11.204" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:12.688" "58.17.124.8" "RECEIVED: DATA"
"SMTPD" 20212 17442 "2017-04-02 09:02:12.688" "58.17.124.8" "SENT: 354 OK, send."
"SMTPD" 15780 17442 "2017-04-02 09:02:15.080" "58.17.124.8" "SENT: 250 Queued (2.360 seconds)"
"SMTPD" 20212 17442 "2017-04-02 09:02:17.410" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20212 17442 "2017-04-02 09:02:17.410" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:18.786" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:18.786" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:19.817" "58.17.124.8" "RECEIVED: RCPT TO:<rnsm4@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:19.832" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:21.209" "58.17.124.8" "RECEIVED: RCPT TO:<firstmark@me.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:21.209" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:22.162" "58.17.124.8" "RECEIVED: RCPT TO:<munoz2287@windstream.net>"
"SMTPD" 20128 17442 "2017-04-02 09:02:22.162" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:23.179" "58.17.124.8" "RECEIVED: RCPT TO:<dubchak.alexandr@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:23.179" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:27.777" "58.17.124.8" "RECEIVED: RCPT TO:<themitchproject@gmail.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:27.777" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:32.107" "58.17.124.8" "RECEIVED: RCPT TO:<dennisc1@gci.net>"
"SMTPD" 20128 17442 "2017-04-02 09:02:32.107" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:36.704" "58.17.124.8" "RECEIVED: RCPT TO:<romalaguna@yahoo.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:36.720" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:38.283" "58.17.124.8" "RECEIVED: RCPT TO:<pockebackman@hotmail.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:38.298" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:40.018" "58.17.124.8" "RECEIVED: RCPT TO:<bill_muck@yahoo.com>"
"SMTPD" 20128 17442 "2017-04-02 09:02:40.018" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20128 17442 "2017-04-02 09:02:41.049" "58.17.124.8" "RECEIVED: DATA"
"SMTPD" 20128 17442 "2017-04-02 09:02:41.049" "58.17.124.8" "SENT: 354 OK, send."
"SMTPD" 15780 17442 "2017-04-02 09:02:42.598" "58.17.124.8" "SENT: 250 Queued (1.528 seconds)"
"SMTPD" 20212 17442 "2017-04-02 09:02:46.442" "58.17.124.8" "RECEIVED: RSET"
"SMTPD" 20212 17442 "2017-04-02 09:02:46.442" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:47.912" "58.17.124.8" "RECEIVED: MAIL FROM:<james@jctconsulting.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:47.912" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:49.443" "58.17.124.8" "RECEIVED: RCPT TO:<hondamaniac600v@yahoo.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:49.459" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:51.477" "58.17.124.8" "RECEIVED: RCPT TO:<aronoff@checkbookengineering.com>"
"SMTPD" 20164 17442 "2017-04-02 09:02:51.492" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20212 17442 "2017-04-02 09:02:52.852" "58.17.124.8" "RECEIVED: RCPT TO:<hoanghaivupham@yahoo.com>"
"SMTPD" 20212 17442 "2017-04-02 09:02:52.852" "58.17.124.8" "SENT: 250 OK"
"SMTPD" 20164 17442 "2017-04-02 09:02:53.899" "58.17.124.8" "RECEIVED: RCPT TO:<beube@videotron.ca>"
"SMTPD" 20164 17442 "2017-04-02 09:02:53.899" "58.17.124.8" "SENT: 250 OK"
HMS 5.6.8 B2534.28 on Windows Server 2019 Core VM.
HMS 5.6.9 B2641.67 on Windows Server 2016 Core VM.
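The pattern tunis is pointing at (an AUTH LOGIN from an outside IP, then a long run of RCPT TO on the authenticated session) can be pulled out of the SMTPD log automatically. The script below is an added example in Python, not code from this thread or from hMailServer; it assumes the SMTPD column layout shown above, and its sample lines are constructed except for the base64 username, which is the one decoded in the log.

```python
# Added example (not from the thread or hMailServer): spot an abused authenticated account in
# hMailServer SMTPD log lines by replaying each session's AUTH LOGIN exchange and counting RCPT TO.
import base64
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# "SMTPD" <thread> <session> "<timestamp>" "<remote ip>" "<message>"  (tab-separated in the raw log)
LINE_RE = re.compile(r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"[^"]+"\s+"(?P<ip>[^"]+)"\s+"(?P<msg>[^"]*)"')
USERNAME_PROMPT = "334 " + base64.b64encode(b"Username:").decode()  # "334 VXNlcm5hbWU6"
PASSWORD_PROMPT = "334 " + base64.b64encode(b"Password:").decode()  # "334 UGFzc3dvcmQ6"

@dataclass
class Session:
    ip: str
    username: Optional[str] = None   # decoded AUTH LOGIN username
    authenticated: bool = False      # set on "235 authenticated."
    expect_username: bool = False    # next RECEIVED line is the base64 username
    rcpt_count: int = 0              # RCPT TO commands on this session
    queued: int = 0                  # messages accepted ("250 Queued")

@dataclass
class AccountActivity:
    ips: Set[str] = field(default_factory=set)
    recipients: int = 0
    messages: int = 0

def parse_sessions(lines: List[str]) -> Dict[str, Session]:
    """Group SMTPD lines by session id and replay the AUTH LOGIN state machine."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # SMTPC, TCPIP and APPLICATION lines are not inbound sessions
        sess = sessions.setdefault(m["session"], Session(ip=m["ip"]))
        msg = m["msg"]
        if msg.startswith("SENT: "):
            reply = msg[6:]
            if reply == USERNAME_PROMPT:
                sess.expect_username = True
            elif reply.startswith("235 "):
                sess.authenticated = True
            elif reply.startswith("250 Queued"):
                sess.queued += 1
        elif msg.startswith("RECEIVED: "):
            cmd = msg[10:]
            if sess.expect_username:
                sess.expect_username = False
                try:
                    sess.username = base64.b64decode(cmd, validate=True).decode("utf-8", "replace").lower()
                except ValueError:  # malformed base64 (binascii.Error is a ValueError)
                    sess.username = None
            elif cmd.upper().startswith("RCPT TO:"):
                sess.rcpt_count += 1
    return sessions

def flag_abused_accounts(lines: List[str], max_recipients: int = 20, max_ips: int = 1) -> Dict[str, List[str]]:
    """Return {account: reasons} where recipient volume or source-IP spread suggests credential abuse."""
    accounts: Dict[str, AccountActivity] = defaultdict(AccountActivity)
    for sess in parse_sessions(lines).values():
        if sess.authenticated and sess.username:   # unauthenticated inbound mail is not attributed
            acc = accounts[sess.username]
            acc.ips.add(sess.ip)
            acc.recipients += sess.rcpt_count
            acc.messages += sess.queued
    findings: Dict[str, List[str]] = {}
    for user, acc in accounts.items():
        reasons = []
        if acc.recipients > max_recipients:
            reasons.append(f"{acc.recipients} recipients in {acc.messages} messages")
        if len(acc.ips) > max_ips:
            reasons.append("authenticated from " + ", ".join(sorted(acc.ips)))
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample log (not real traffic); JAMES_B64 is the base64 username from the thread's log.
def smtpd_line(session: str, ip: str, msg: str) -> str:
    return f'"SMTPD"\t20164\t{session}\t"2017-04-02 09:01:45.078"\t"{ip}"\t"{msg}"'

def auth_login_lines(session: str, ip: str, b64user: str) -> List[str]:
    return [smtpd_line(session, ip, "RECEIVED: AUTH LOGIN"), smtpd_line(session, ip, "SENT: " + USERNAME_PROMPT),
            smtpd_line(session, ip, "RECEIVED: " + b64user), smtpd_line(session, ip, "SENT: " + PASSWORD_PROMPT),
            smtpd_line(session, ip, "RECEIVED: ***"), smtpd_line(session, ip, "SENT: 235 authenticated.")]

JAMES_B64 = "amFtZXNAamN0Y29uc3VsdGluZy5jb20="
ALICE_B64 = base64.b64encode(b"alice@hottroc.co.uk").decode()  # constructed legitimate LAN user
SAMPLE_LOG = (
    auth_login_lines("17442", "58.17.124.8", JAMES_B64)
    + [smtpd_line("17442", "58.17.124.8", f"RECEIVED: RCPT TO:<victim{i}@example.net>") for i in range(15)]
    + [smtpd_line("17442", "58.17.124.8", "SENT: 250 Queued (2.360 seconds)")]
    + auth_login_lines("17443", "203.0.113.7", JAMES_B64)  # same account, second source IP
    + [smtpd_line("17443", "203.0.113.7", f"RECEIVED: RCPT TO:<victim{i}@example.org>") for i in range(10)]
    + [smtpd_line("17443", "203.0.113.7", "SENT: 250 Queued (1.528 seconds)")]
    + auth_login_lines("17444", "192.168.0.10", ALICE_B64)
    + [smtpd_line("17444", "192.168.0.10", "RECEIVED: RCPT TO:<friend@example.com>"),
       smtpd_line("17444", "192.168.0.10", "SENT: 250 Queued (0.2 seconds)")]
)
```

Run it over the SMTPD log for the day of the incident and the abused account shows up with its recipient count and every source IP that logged in as it, which is also the list of addresses worth autobanning.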

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2017-04-02 16:58

OK, thanks.

How did this occur? So they actually are passing the SMTP Authentication? If so how would they do that? This has never happened before.

johang
Senior user
Posts: 1128
Joined: 2008-09-01 09:20

Re: Urgent help please, spammers using my server

Post by johang » 2017-04-02 18:12

hottroc wrote:
2017-04-02 16:58

OK, thanks.

How did this occur? So they actually are passing the SMTP Authentication? If so how would they do that? This has never happened before.

they figured out the password... for james's account...

(happened to me once... I had the same password for the hMailServer administrator as for my user account... "they used me" and I added 1 letter to the user account's password and "they" didn't come in again... I still have the same password for the hMailServer administrator)
lets cheat darwin out of his legacy, find a cure for cancer...

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2017-04-02 20:33

But my password is not one of those easy to guess ones. I doubt if it's guessable. How would they get your hMS Administrator password anyway?

johang
Senior user
Posts: 1128
Joined: 2008-09-01 09:20

Re: Urgent help please, spammers using my server

Post by johang » 2017-04-03 00:04

hottroc wrote:
2017-04-02 20:33

But my password is not one of those easy to guess ones. I doubt if it's guessable. How would they get your hMS Administrator password anyway?

well, I just wrote what happened to me... sometimes that will give insight to others.. (and yes, I'm very curious as to how "they" could guess my user account's password, and in my case I happened to have the same password for the hMail administrator and my abused user account..)

I would say my password is not easily guessed either... 8) but hey.. they "guessed" it somehow... I was a spammer for a short interval of time; fortunately for me my server wasn't up for the task, so it dipped under the load of incoming trash, and those warning signs made me able to stop it really early.... but that's ages ago... still have the same password for the hMail administrator though.. :D

mattg
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Urgent help please, spammers using my server

Post by mattg » 2017-04-03 00:53

I recently had a complex randomly generated password 'guessed' for my daughter's account. More than 10 characters with a random mix of numbers, lowercase letters, uppercase letters, and special characters.

Did a virus / malware sweep of her PC, her phone, her laptop - nothing....
I always enforce SSL or TLS connections for authentication from the internet, and don't allow authentication on port 25.

viewtopic.php?f=8&t=30990
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

charleso
Normal user
Posts: 32
Joined: 2016-09-22 15:45

Re: Urgent help please, spammers using my server

Post by charleso » 2019-01-28 16:32

Dravion wrote:
2017-04-01 15:18
Not direct instant help, but do yourself and us a favor and report this bastard to the network owner's anti-spam department

$ whois 221.237.208.10
% Information related to '221.236.0.0 - 221.237.255.255'

inetnum: 221.236.0.0 - 221.237.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN

e-mail: anti-spam@ns.chinanet.cn.net <---

Just write an email to the above email address, describe your situation and copy
and paste the following log entry into your email:

Attacking spam host:
(10.208.237.221.broad.dz.sc.dynamic.163data.com.cn [221.237.208.10])
Date: Sat, 1 Apr 2017 13:37 +0100

Next you should set up your hMailServer IP ranges correctly. You can also block regions,
networks and whole countries via GeoIP block. I block China and Russia because I have no business with them but many attacks from them.
I wish we had a script that could mine our logs and fish out spammers and have them auto-reported.

hottroc
Normal user
Posts: 181
Joined: 2017-03-05 14:46

Re: Urgent help please, spammers using my server

Post by hottroc » 2019-01-29 22:41

Yes that would be great. Except it wouldn't help against cases where IP addresses are spoofed.

mattg
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Urgent help please, spammers using my server

Post by mattg » 2019-01-29 22:47

Can IP addresses be spoofed in the hMailserver logs?

SorenR
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: Urgent help please, spammers using my server

Post by SorenR » 2019-01-29 23:05

mattg wrote:
2019-01-29 22:47
Can IP addresses be spoofed in the hMailserver logs?
No. "envelope" information cannot be spoofed, only mail information.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Urgent help please, spammers using my server

Post by RvdH » 2019-01-30 01:06

charleso wrote:
2019-01-28 16:32
Dravion wrote:
2017-04-01 15:18
Not direct instant help, but do yourself and us a favor and report this bastard to the network owner's anti-spam department

$ whois 221.237.208.10
% Information related to '221.236.0.0 - 221.237.255.255'

inetnum: 221.236.0.0 - 221.237.255.255
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: China Telecom
descr: A12,Xin-Jie-Kou-Wai Street
descr: Beijing 100088
country: CN

e-mail: anti-spam@ns.chinanet.cn.net <---

Just write an email to the above email address, describe your situation and copy
and paste the following log entry into your email:

Attacking spam host:
(10.208.237.221.broad.dz.sc.dynamic.163data.com.cn [221.237.208.10])
Date: Sat, 1 Apr 2017 13:37 +0100

Next you should set up your hMailServer IP ranges correctly. You can also block regions,
networks and whole countries via GeoIP block. I block China and Russia because I have no business with them but many attacks from them.
I wish we had a script that could mine our logs and fish out spammers and have them auto-reported.
You can; I can share a program I wrote if you wish to report to blocklist.de using their API. blocklist.de then sends the abuse mails to the network owners (abuse@*).
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

mattg
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Urgent help please, spammers using my server

Post by mattg » 2019-01-30 03:36

SorenR wrote:
2019-01-29 23:05
mattg wrote:
2019-01-29 22:47
Can IP addresses be spoofed in the hMailserver logs?
No. "envelope" information cannot be spoofed, only mail information.
Yes I know :mrgreen: :mrgreen:
My question was me being cheeky.
RvdH wrote:
2019-01-30 01:06
I can share a program I wrote if you wish to report to blocklist.de using their API
Yes please

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Urgent help please, spammers using my server

Post by RvdH » 2019-01-30 18:11

mattg wrote:
2019-01-30 03:36
RvdH wrote:
2019-01-30 01:06
I can share a program I wrote if you wish to report to blocklist.de using their API
Yes please
How to use?
First you need to register an account on blocklist.de, https://www.blocklist.de/en/register.html, to get your own API key.

Download
fail2ban.zip (Requires .NET 4.5)

Code:
fail2ban Options:
  -a, --apikey=VALUE         Your blocklist.de account API key
  -e, --email=VALUE          Your blocklist.de account registered email or Id
  -i, --ipaddress=VALUE      Attacker IP address
  -s, --service=VALUE        Attacked service, eg: pop3, smtp, imap
  -l, --logs=VALUE           Attack logs
  -v, --verbose              increase debug message verbosity
  -h, --help                 show this message and exit
Function calling fail2ban from EventHandlers.vbs:

Code:
Function fail2ban(sIPAddress, sService, sLogs)
  dim sApikey : sApikey = "Your blocklist.de account API key"
  dim sServerId : sServerId = "Your blocklist.de account registered email or Id"
  ' Runs fail2ban.exe hidden (window style 0) and waits for it to exit (True) before
  ' returning to hMailServer; sLogs must already be URL-encoded with Escape()
  With CreateObject("WScript.Shell")
     .Run """C:\Program Files (x86)\hMailServer\Events\fail2ban.exe"" /a " & sApikey & " /e " & sServerId & " /i " & sIPAddress & " /s " & sService & " /l " & sLogs & "",0,True
  End With
End Function
Usage example:

Code:
Sub OnHELO(oClient)

	Dim oRegEx
	Set oRegEx = CreateObject("VBScript.RegExp")
	oRegEx.IgnoreCase = True
	oRegEx.Global = False
	oRegEx.Pattern = "^(ylmf\-pc)$"
	If oRegEx.Test(oClient.HELO) Then 
		Call fail2ban(oClient.IPAddress, "badbot", Escape(Now() & VbTab & "Common bot infected EHLO/HELO hostname: " & oClient.HELO & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
	End If
	Set oRegEx = Nothing
	
End Sub
Usage example for use with my experimental build on OnClientLogon():

Code:
Sub OnClientLogon(oClient)
	If Not oClient.Authenticated then
		dim service : service = Empty
		Select Case oClient.Port
		Case 25, 465, 587
			service = "smtp"
		case 143, 993
			service = "imap"
		case 110, 995
			service = "pop3"
		End Select
		
		Dim oRegEx
		Set oRegEx = CreateObject("VBScript.RegExp")
		oRegEx.IgnoreCase = True
		oRegEx.Global = False
		oRegEx.Pattern = "^(test|unix|sales|library|ldap|admin|administrator|news|printer|abuse)\@?" 
		If oRegEx.Test(oClient.Username) Then
			Call fail2ban(oClient.IPAddress, service, Escape(Now() & VbTab & "Failed login for a non-existent email address/account (honeypot)" & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
			Exit Sub
		End If
		Set oRegEx = Nothing
	End If
End Sub
Note: Log file entries require a minimum of 20 characters and must include at least 1 line break.

SorenR
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: Urgent help please, spammers using my server

Post by SorenR » 2019-01-30 23:53

Oooh... Had a go at it to include into my 'handler (and style) and F'ing remembered I still need to upgrade to get Sub OnClientLogon(oClient)... Bummer...

So Sub OnClientLogon(oClient) is triggered regardless if the user authenticated or not?
Is "If Not oClient.Authenticated Then" the only indication of failed/skipped authentication?

Code:
Option Explicit

Private Const APIKey   = "Your blocklist.de account API key"
Private Const ServerID = "Your blocklist.de account registered email or Id"
Private Const Fail2Ban = "C:\hMailServer\Events\fail2ban.exe"

' Fail2Ban Options:
'  -a, --apikey=VALUE         Your blocklist.de account API key
'  -e, --email=VALUE          Your blocklist.de account registered email or Id
'  -i, --ipaddress=VALUE      Attacker IP address
'  -s, --service=VALUE        Attacked service, eg: pop3, smtp, imap
'  -l, --logs=VALUE           Attack logs
'  -v, --verbose              Increase debug message verbosity
'  -h, --help                 Show this message and exit

Function Lookup(strRegEx, strMatch) : Lookup = False
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = False
      .MultiLine = True
      .IgnoreCase = True
      If .Test(strMatch) Then Lookup = True
   End With
End Function

Sub OnHELO(oClient)
   Dim strRegEx
   '
   '   "[123.123.123.123]" is your public address, BOT's sometimes use that
   '   "mydomain.tld" and "mx.mydomain.tld" are also used by BOT's
   '   "0.0.0.0" may be a BOT or a misconfiguration
   '   "127.0.0.1" ... questionable, local device, BOT or spammer.
   '   "ylmf\-pc"
   '
   strRegEx = "^(\[123\.123\.123\.123\])$|" &_
              "^(mydomain\.tld)$|" &_
              "^(mx\.mydomain\.tld)$|" &_
              "(0\.0\.0\.0)|" &_
              "(127(?:\.[0-9]{1,3}){3})|" &_
              "^(ylmf\-pc)$"
   If Lookup(strRegEx, oClient.HELO) Then
      With CreateObject("WScript.Shell")
         .Run Chr(34) & Fail2Ban & Chr(34) &_
            " /a " & APIKey &_
            " /e " & ServerID &_
            " /i " & oClient.IPAddress &_
            " /s " & "badbot" &_
            " /l " & Escape(Now() & vbTab & "Common BOT infected EHLO/HELO hostname: " & oClient.HELO & vbCrLf & Now() & vbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port) &_
            "",0,True
      End With
      Exit Sub
   End If
   '
   '   Validate HELO/EHLO greeting. FQDN, IPv4 and IPv6 according to RFC.
   '
   Const strFQDN = "^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+(?:[a-z]{2,})$)$"
   Const strIPv4 = "^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
   Const strIPv6 = "^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}(?:(?:(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$"
   strRegEx = strFQDN & "|" & strIPv4 & "|" & strIPv6
   If (Lookup(strRegEx, oClient.HELO) = False) Then
      Result.Value = 2
      Result.Message = "5.3.0 CODE03 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
End Sub

Sub OnClientLogon(oClient)
   Dim strRegEx, strService
   If Not oClient.Authenticated Then
      strService = Trim(Mid("SMTP SMTPSSUBM IMAP IMAPSPOP3 POP3S", _
                      InStr("25   465  587  143  993  110  995  ", oClient.Port), 5))
      strRegEx = "^(test|unix|sales|library|ldap|admin|administrator|news|printer|abuse)\@?"
      If Lookup(strRegEx, oClient.Username) Then
         With CreateObject("WScript.Shell")
            .Run Chr(34) & Fail2Ban & Chr(34) &_
               " /a " & APIKey &_
               " /e " & ServerID &_
               " /i " & oClient.IPAddress &_
               " /s " & strService &_
               " /l " & Escape(Now() & vbTab & "Failed login for a non-existent email address/account (honeypot)" & vbCrLf & Now() & vbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port) &_
               "",0,True
         End With
         Exit Sub
      End If
   End If
End Sub

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Urgent help please, spammers using my server

Post by RvdH » 2019-01-31 09:43

  1. In the OnClientLogon(oClient) event, oClient.Username always holds the value passed when authenticating the user, in later events like OnSmtpData, OnAcceptMessage the oClient.Username is empty when authentication has failed (to be compatible with current behavior/scripts)
  2. OnSmtpData, OnAcceptMessage events can also make use of the value oClient.Authenticated (Boolean)

Code:
Sub OnClientLogon(oClient)
	If oClient.Authenticated then
		EventLog.Write("Successful login for " & oClient.Username & " from " & oClient.IpAddress & " on port " & oClient.Port & "")
	Else
		EventLog.Write("Failed login for " & oClient.Username & " from " & oClient.IpAddress & " on port " & oClient.Port & "")
	End if
End Sub

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Urgent help please, spammers using my server

Post by RvdH » 2019-02-02 03:15

For those who already downloaded fail2ban.zip, I pushed a new version (1.1.0.2) that fixes a NullReferenceException.

gotspatel
Senior user
Posts: 347
Joined: 2013-10-08 05:42
Location: INDIA

Re: Urgent help please, spammers using my server

Post by gotspatel » 2022-09-02 08:07

RvdH wrote:
2019-01-30 18:11
mattg wrote:
2019-01-30 03:36
RvdH wrote:
2019-01-30 01:06
I can share a program I wrote if you wish to report to blocklist.de using their API
Yes please
How to use?
First you need to register an account on blocklist.de, https://www.blocklist.de/en/register.html, to get your own API key.

Download
fail2ban.zip (Requires .NET 4.5)

Code:
fail2ban Options:
  -a, --apikey=VALUE         Your blocklist.de account API key
  -e, --email=VALUE          Your blocklist.de account registered email or Id
  -i, --ipaddress=VALUE      Attacker IP address
  -s, --service=VALUE        Attacked service, eg: pop3, smtp, imap
  -l, --logs=VALUE           Attack logs
  -v, --verbose              increase debug message verbosity
  -h, --help                 show this message and exit
Function calling fail2ban from EventHandlers.vbs:

Code:
Function fail2ban(sIPAddress, sService, sLogs)
  dim sApikey : sApikey = "Your blocklist.de account API key"
  dim sServerId : sServerId = "Your blocklist.de account registered email or Id"
  With CreateObject("WScript.Shell")
     .Run """C:\Program Files (x86)\hMailServer\Events\fail2ban.exe"" /a " & sApikey & " /e " & sServerId & " /i " & sIPAddress & " /s " & sService & " /l " & sLogs & "",0,True
  End With
End Function
Usage example:

Code:
Sub OnHELO(oClient)

	Dim oRegEx
	Set oRegEx = CreateObject("VBScript.RegExp")
	oRegEx.IgnoreCase = True
	oRegEx.Global = False
	oRegEx.Pattern = "^(ylmf\-pc)$"
	If oRegEx.Test(oClient.HELO) Then 
		Call fail2ban(oClient.IPAddress, "badbot", Escape(Now() & VbTab & "Common bot infected EHLO/HELO hostname: " & oClient.HELO & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
	End If
	Set oRegEx = Nothing
	
End Sub
Usage example for use with my experimental build on OnClientLogon():

Code:
Sub OnClientLogon(oClient)
	If Not oClient.Authenticated then
		dim service : service = Empty
		Select Case oClient.Port
		Case 25, 465, 587
			service = "smtp"
		case 143, 993
			service = "imap"
		case 110, 995
			service = "pop3"
		End Select
		Dim oRegEx
		Set oRegEx = CreateObject("VBScript.RegExp")
		oRegEx.IgnoreCase = True
		oRegEx.Global = False
		oRegEx.Pattern = "^(test|unix|sales|library|ldap|admin|administrator|news|printer|abuse)\@?" 
		If oRegEx.Test(oClient.Username) Then
			Call fail2ban(oClient.IPAddress, service, Escape(Now() & VbTab & "Failed login for a non-existent email address/account (honeypot)" & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
			Exit Sub
		End If
		Set oRegEx = Nothing
	End If
End Sub
Note: Log file entries require a minimum of 20 characters and must include at least 1 line break.
Hello @RvdH

Followed this guide and am getting the error:

Code:
"ERROR"	11724	"2022-09-02 10:34:19.502"	"Script Error: Source: Microsoft VBScript runtime error - Error: 800A01C2 - Description: Wrong number of arguments or invalid property assignment: 'Escape' - Line: 2359 Column: 3 - Code: (null)"
Line 2359 is:

Code:
Call fail2ban(oClient.IPAddress, "badbot", Escape(Now() & VbTab & "Common bot infected EHLO/HELO hostname: " & oClient.HELO & VbCrLf & Now() & VbTab & "Connection from IP address: " & oClient.IPAddress & " on port: " & oClient.Port))
Any help please. Do I need a separate Function for Escape? (Asking as I don't have it in my event handler.)

TIA

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Urgent help please, spammers using my server

Post by RvdH » 2022-09-02 08:47

Escape is a VBS native function, e.g.: https://ss64.com/vb/escape.html

gotspatel
Senior user
Posts: 347
Joined: 2013-10-08 05:42
Location: INDIA

Re: Urgent help please, spammers using my server

Post by gotspatel » 2022-09-02 08:53

RvdH wrote:
2022-09-02 08:47
Escape is a VBS native function, e.g.: https://ss64.com/vb/escape.html
OK understood

Then any pointer what may be wrong in my code?

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Urgent help please, spammers using my server

Post by RvdH » 2022-09-02 09:17

gotspatel wrote:
2022-09-02 08:53
RvdH wrote:
2022-09-02 08:47
Escape is a VBS native function, e.g.: https://ss64.com/vb/escape.html
OK understood

Then any pointer what may be wrong in my code?
Nah, not really; just tested your str in a VBS, works fine:

Code:
dim strHELO, strPort, strIPAddress
strHELO = "ylmf-pc"
strPort = 25
strIPAddress = "127.0.0.1"

MsgBox Escape(Now() & VbTab & "Common bot infected EHLO/HELO hostname: " & strHELO & VbCrLf & Now() & VbTab & "Connection from IP address: " & strIPAddress & " on port: " & strPort)


gotspatel
Senior user
Posts: 347
Joined: 2013-10-08 05:42
Location: INDIA

Re: Urgent help please, spammers using my server

Post by gotspatel » 2022-09-09 11:52

@Rvdh

Got it working, I had a Function named Escape which was used for other work and which clashed with the native VB Escape :oops:

One small issue:
How to prevent duplicate reporting in a short time span?

Code:
1149	"2022-09-09 14:24:42.855"	"REPORT: 	  /i 20.171.55.188 /s smtp /l 09-09-2022%2014%3A24%3A42%09Common%2. ........."
1088	"2022-09-09 14:24:42.871"	"REPORT: 	  /i 20.171.55.188 /s smtp /l 09-09-2022%2014%3A24%3A42%09Common%2. ........."
:roll:

RvdH
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: Urgent help please, spammers using my server

Post by RvdH » 2022-09-09 13:17

gotspatel wrote:
2022-09-09 11:52
@Rvdh

Got it working, I had a Function named Escape which was used for other work and which clashed with the native VB Escape :oops:

One small issue:
How to prevent duplicate reporting in a short time span?

Code:
1149	"2022-09-09 14:24:42.855"	"REPORT: 	  /i 20.171.55.188 /s smtp /l 09-09-2022%2014%3A24%3A42%09Common%2. ........."
1088	"2022-09-09 14:24:42.871"	"REPORT: 	  /i 20.171.55.188 /s smtp /l 09-09-2022%2014%3A24%3A42%09Common%2. ........."
:roll:
I combine it with an added autoban entry, so there will never be successive reports.