A way to auto-ban on "SENT: 550 Unknown user"

Post by bagu » 2018-08-12 16:04

Hello,

I use the latest hMailServer and I wonder if there is a way to auto-ban an IP for a configurable time on a "SENT: 550 Unknown user" message?
Thanks a lot for your help.
hMailServer 5.6.8 With SpamAssassin 3.4.2

Re: A way to auto-ban on "SENT: 550 Unknown user"

Post by jimimaseye » 2018-08-12 19:19

No. Autobans are for attempted break-ins or unauthorised access (not typos in email addresses).
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Re: A way to auto-ban on "SENT: 550 Unknown user"

Post by bagu » 2018-08-12 19:58

Even through a VBS script?
hMailServer 5.6.8 With SpamAssassin 3.4.2

Re: A way to auto-ban on "SENT: 550 Unknown user"

Post by Dravion » 2018-08-12 20:46

Maybe you can scan the hMailServer logfiles with an external program which simply adds the IP which caused the Unknown user message to a Windows Firewall blocklist.

Re: A way to auto-ban on "SENT: 550 Unknown user"

Post by mattg » 2018-08-12 23:45

I do something similar for checking 504 rejections in my logs. I have AUTH banned on port 25, and this looks for those IPs that attempt to AUTH on port 25.

I run this as a standalone VBS (it's actually an extract, so not tested as is).

Code:

Rem
Rem Checks logs and bans AUTH attempts on port 25
Rem

Option Explicit
Private const g_sAdminPassword = "Top_Secret_Password"

Dim oApp
Set oApp = CreateObject("hMailServer.Application")

' Give this script permission to access all
' hMailServer settings.
Call oApp.Authenticate("Administrator", g_sAdminPassword)

Dim sYear, iMonth, iDay, sMonth, sDay
Dim s, FSO, OBJfile, OBJfile1, OBJoutfile 
Dim FileIn, FileOut, Filebase
Dim a, b(5), c, d, i, j, e, f, g(5), t
Dim LastLogLine(15), NoIndexIssueFound, DateToUse

NoIndexIssueFound = true
'DateToUse = DateAdd("d",-1,Now())
DateToUse = Now()


sYear = Year(DateToUse)
iMonth = Month(DateToUse)
iDay = Day(DateToUse)

if  iMonth < 10 then
	sMonth = "0" + cstr(iMonth)
Else 'iMonth >= 10
	sMonth = cstr(iMonth)
End if

If iDay < 10 then
	sDay = "0" + cstr(iDay)
Else 'sDay >= 10
	sDay = cstr(iDay)
End if

Filebase = oapp.Settings.Directories.LogDirectory
FileOut = Filebase + "\504 Rejections" & "_" & sYear & "-" & sMonth & ".log"

Call CreateFiles(FileOut)
Set OBJoutfile = FSO.opentextfile(FileOut,8)

FileIn = filebase & "\hMailserver_" & cstr(sYear) & "-" & sMonth & "-" & sDay & ".log"
If fso.FileExists(Filein) Then
	set OBJfile = FSO.opentextfile(filein,1,0)
	While Not OBJfile.atendofstream
		s = OBJfile.ReadLine
		For i = 15 To 2 Step -1
			LastLogLine(i) = LastLogLine(i-1)
		Next
		LastLogLine(1) = s
		If InStr(s,"SENT: 504 Authentication not enabled.") > 0 Then
'			OBJoutfile.writeline s
				
			a = Split(s,Chr(9))
			i = 0

			For Each c In a
				b(i) = c
				i = i + 1
			Next 'c		
			set OBJfile1 = FSO.opentextfile(filein,1,0)
			While Not OBJfile1.atendofstream
				t = OBJfile1.ReadLine
				If InStr(t,b(2)) > 0 And InStr(t,"SMTPD") > 0 Then
					If InStr(t,"RECEIVED: HELO") > 0 Or InStr(t,"RECEIVED: EHLO") > 0 Then
						e = Split(t,Chr(9))
						j = 0
						For Each f In e
							g(j) = f
							j = j + 1
						Next 'f
'						OBJoutfile.WriteLine b(3) & Chr(9) & g(4) & Chr(9) & g(5) & Chr(9) & b(5)
						Call AutobanIP(Replace(g(4),Chr(34),""),7,"Port 25 AUTH - " & Replace(g(5),"RECEIVED: ",""))
						t = OBJfile1.ReadAll
					End If ' get HELO/EHLO	
				End If 'same messageID	
			Wend
			OBJfile1.Close ' release the second handle opened for this match
		End If
	Wend
	OBJfile.close
	set Objfile = Nothing
End If





Sub CreateFiles(Name)
	Set FSO = CreateObject("Scripting.FileSystemObject")
	If Not FSO.FileExists(Name) Then
		Dim txtFile
		Set txtFile = FSO.CreateTextFile(Name,true)
		txtFile.close
	End If
End Sub

Sub AutobanIP(IPAddress, NumberOfDays, ReasonForBan)
	'custom event
	'uses functions: 
	'uses globals: g_sAdminPassword

	Dim i
	For i = 0 To oApp.Settings.SecurityRanges.Count -1
		If IPAddress = oApp.Settings.SecurityRanges.Item(i).LowerIP Then Exit sub
	Next

	oApp.Settings.SecurityRanges.Refresh
	With oApp.Settings.SecurityRanges.Add()
		.lowerip = ipaddress
		.upperip = ipaddress
		.priority = 20
		.allowdeliveryfromlocaltolocal = False
		.allowdeliveryfromlocaltoremote = False
		.allowdeliveryfromremotetolocal = False
		.allowdeliveryfromremotetoremote = False
		.allowimapconnections = False
		.allowsmtpconnections = False
		.allowpop3connections = False
		.expires = True
		.ExpiresTime = DateAdd("d", NumberOfDays, Now())
		.name = ReasonForBan & " - banned for " & NumberOfDays & " days - " & ipaddress
		On Error Resume Next
		.save
		If (Err.Number = 0) Then
			OBJoutfile.WriteLine "Autoban IP range saved for IP Address " & IPAddress & " with Reason-" & reasonforban
		ElseIf (Err.Number <> 0) Then
			OBJoutfile.WriteLine"ERROR: EventHandlers.vbs : Function LockFile"
			OBJoutfile.WriteLine"Error       : " & Err.Number
			OBJoutfile.WriteLine"Source      : " & Err.Source
			OBJoutfile.WriteLine"Description : " & Err.Description
			Err.Clear
		End If
		On Error Goto 0
	End With
End Sub
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Re: A way to auto-ban on "SENT: 550 Unknown user"

Post by bagu » 2019-09-10 22:44

Works well for 504.

I have made a small change to search through hmailserver_SMTP-date.log instead of hmailserver_date.log.
I will try to adapt it for 550 unknown user because the Dravion utility just doesn't work on my system (sad, really sad for me).

Code:

Rem
Rem Checks logs and bans AUTH attempts from unknown user
Rem

Option Explicit
Private const g_sAdminPassword = "supersecretpassword"

Dim oApp
Set oApp = CreateObject("hMailServer.Application")

' Give this script permission to access all
' hMailServer settings.
Call oApp.Authenticate("Administrator", g_sAdminPassword)

Dim sYear, iMonth, iDay, sMonth, sDay
Dim s, FSO, OBJfile, OBJfile1, OBJoutfile 
Dim FileIn, FileOut, Filebase
Dim a, b(5), c, d, i, j, e, f, g(5), t
Dim LastLogLine(15), NoIndexIssueFound, DateToUse

NoIndexIssueFound = true
'DateToUse = DateAdd("d",-1,Now())
DateToUse = Now()


sYear = Year(DateToUse)
iMonth = Month(DateToUse)
iDay = Day(DateToUse)

if  iMonth < 10 then
	sMonth = "0" + cstr(iMonth)
Else 'iMonth >= 10
	sMonth = cstr(iMonth)
End if

If iDay < 10 then
	sDay = "0" + cstr(iDay)
Else 'sDay >= 10
	sDay = cstr(iDay)
End if

Filebase = oapp.Settings.Directories.LogDirectory
FileOut = Filebase + "\550 Rejections" & "_" & sYear & "-" & sMonth & ".log"

Call CreateFiles(FileOut)
Set OBJoutfile = FSO.opentextfile(FileOut,8)

FileIn = filebase & "\hMailserver_SMTP_" & cstr(sYear) & "-" & sMonth & "-" & sDay & ".log"
If fso.FileExists(Filein) Then
	set OBJfile = FSO.opentextfile(filein,1,0)
	While Not OBJfile.atendofstream
		s = OBJfile.ReadLine
		For i = 15 To 2 Step -1
			LastLogLine(i) = LastLogLine(i-1)
		Next
		LastLogLine(1) = s
		If InStr(s,"SENT: 550 Unknown user") > 0 Then
'			OBJoutfile.writeline s
				
			a = Split(s,Chr(9))
			i = 0

			For Each c In a
				b(i) = c
				i = i + 1
			Next 'c		
			set OBJfile1 = FSO.opentextfile(filein,1,0)
			While Not OBJfile1.atendofstream
				t = OBJfile1.ReadLine
				If InStr(t,b(2)) > 0 And InStr(t,"SMTPD") > 0 Then
					If InStr(t,"RECEIVED: HELO") > 0 Or InStr(t,"RECEIVED: EHLO") > 0 Then
						e = Split(t,Chr(9))
						j = 0
						For Each f In e
							g(j) = f
							j = j + 1
						Next 'f
'						OBJoutfile.WriteLine b(3) & Chr(9) & g(4) & Chr(9) & g(5) & Chr(9) & b(5)
						Call AutobanIP(Replace(g(4),Chr(34),""),7,"Unknown 550 AUTH - " & Replace(g(5),"RECEIVED: ",""))
						t = OBJfile1.ReadAll
					End If ' get HELO/EHLO	
				End If 'same messageID	
			Wend
			OBJfile1.Close ' release the second handle opened for this match
		End If
	Wend
	OBJfile.close
	set Objfile = Nothing
End If

Sub CreateFiles(Name)
	Set FSO = CreateObject("Scripting.FileSystemObject")
	If Not FSO.FileExists(Name) Then
		Dim txtFile
		Set txtFile = FSO.CreateTextFile(Name,true)
		txtFile.close
	End If
End Sub

Sub AutobanIP(IPAddress, NumberOfDays, ReasonForBan)
	'custom event
	'uses functions: 
	'uses globals: g_sAdminPassword

	Dim i
	For i = 0 To oApp.Settings.SecurityRanges.Count -1
		If IPAddress = oApp.Settings.SecurityRanges.Item(i).LowerIP Then Exit sub
	Next

	oApp.Settings.SecurityRanges.Refresh
	With oApp.Settings.SecurityRanges.Add()
		.lowerip = ipaddress
		.upperip = ipaddress
		.priority = 20
		.allowdeliveryfromlocaltolocal = False
		.allowdeliveryfromlocaltoremote = False
		.allowdeliveryfromremotetolocal = False
		.allowdeliveryfromremotetoremote = False
		.allowimapconnections = False
		.allowsmtpconnections = False
		.allowpop3connections = False
		.expires = True
		.ExpiresTime = DateAdd("d", NumberOfDays, Now())
		.name = ReasonForBan & " - banned for " & NumberOfDays & " days - " & ipaddress
		On Error Resume Next
		.save
		If (Err.Number = 0) Then
			OBJoutfile.WriteLine "Autoban IP range saved for IP Address " & IPAddress & " with Reason-" & reasonforban
		ElseIf (Err.Number <> 0) Then
			OBJoutfile.WriteLine"ERROR: EventHandlers.vbs : Function LockFile"
			OBJoutfile.WriteLine"Error       : " & Err.Number
			OBJoutfile.WriteLine"Source      : " & Err.Source
			OBJoutfile.WriteLine"Description : " & Err.Description
			Err.Clear
		End If
		On Error Goto 0
	End With
End Sub
hMailServer 5.6.8 With SpamAssassin 3.4.2
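
An added example, not part of the thread and not any poster's code: the scripts above ban on the first matching log line, so this sketch shows the selection step with a threshold, so that a single mistyped address does not trigger a ban. It assumes the tab-separated field order the scripts index into (type, thread, session, timestamp, remote IP, message); the function name, threshold, window, allowlist and sample lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

def _line(session, ts, ip, msg):
    # Constructed sample line: type, thread, session, timestamp, remote IP, message
    return f'"SMTPD"\t4024\t{session}\t"2019-09-10 {ts}"\t"{ip}"\t"{msg}"'

REJECT = "SENT: 550 Unknown user"
SAMPLE_LOG = "\n".join([
    _line(11, "22:40:01.100", "203.0.113.5", "RECEIVED: EHLO probe.example.test"),
    _line(11, "22:40:02.200", "203.0.113.5", REJECT),
    _line(11, "22:40:03.300", "203.0.113.5", REJECT),
    _line(12, "22:41:30.000", "203.0.113.5", REJECT),   # 3 in ~90 s: flagged
    _line(13, "09:15:00.000", "198.51.100.7", REJECT),  # single typo: ignored
    _line(14, "01:00:00.000", "192.0.2.9", REJECT),     # 3 hits, hours apart
    _line(15, "08:00:00.000", "192.0.2.9", REJECT),
    _line(16, "20:00:00.000", "192.0.2.9", REJECT),
    _line(17, "10:00:00.000", "127.0.0.1", REJECT),     # allowlisted
    _line(17, "10:00:01.000", "127.0.0.1", REJECT),
    _line(17, "10:00:02.000", "127.0.0.1", REJECT),
    '"SMTPD"\tgarbage',                                  # malformed line
])

def ips_to_ban(log_text, threshold=3, window=timedelta(minutes=10),
               allow=("127.0.0.0/8",)):
    """Return IPs with >= threshold 'Unknown user' rejections inside window."""
    allowed = [ip_network(n) for n in allow]
    hits = defaultdict(list)  # ip -> timestamps of 550 replies
    for line in log_text.splitlines():
        f = [p.strip('"') for p in line.split("\t")]
        if len(f) < 6 or f[0] != "SMTPD" or not f[5].startswith(REJECT):
            continue
        try:
            ip = ip_address(f[4])
            ts = datetime.strptime(f[3], "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            continue  # unparsable IP or timestamp: never ban on garbage
        if any(ip in net for net in allowed):
            continue  # own relays, monitoring hosts, localhost
        hits[str(ip)].append(ts)
    flagged = []
    for ip, times in hits.items():
        times.sort()
        # Sliding window over sorted hits: threshold hits within `window`
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(ip)
    return sorted(flagged)
```

The returned addresses would then be passed to a ban routine such as the `AutobanIP` sub in the scripts above.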