Server is being attacked

vectorrx7
New user
Posts: 20
Joined: 2006-11-27 01:22

Server is being attacked

Post by vectorrx7 » 2019-04-03 14:40

I see that there is a bot or something that is trying to use a specific email address to authenticate but is masking tons of IP addresses as its starting point. I am banning after 3 bad attempts but what happens is that I have 413 addresses in the ban list and some of these are Yahoo mail servers, outlook.com and other email servers. What is the best way to battle this?

jimimaseye
Moderator
Posts: 8006
Joined: 2011-09-08 17:48

Re: Server is being attacked

Post by jimimaseye » 2019-04-03 18:27

Lie back, take a glass of wine and celebrate that your server security is doing its job.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

vectorrx7
New user
Posts: 20
Joined: 2006-11-27 01:22

Re: Server is being attacked

Post by vectorrx7 » 2019-04-03 19:07

I would normally, but this server isn't running an SSL. I have tried to implement this many times but every time I do, the communication stops. I have purchased an SSL, added it to the server and tested the SSL online to see that it is functioning well. I then export the private key and add SSL to hMailServer. I then create 2 TCP/IP ports. One for SMTP at port 465 and one for POP3 at port 995. I am able to go to canyouseeme.org and validate that these ports are open. I then add the SSL/TLS to the port and I can no longer see the port using canyouseeme.org.

My fear is that eventually the passwords are going to be hacked if I am not running SSL.

jimimaseye
Moderator
Posts: 8006
Joined: 2011-09-08 17:48

Re: Server is being attacked

Post by jimimaseye » 2019-04-03 19:25

A thousand bots trying to log in to you is not a consequence of a man in the middle or sniffer attack - it's because you have been found to have port 25 open (likely) on the internet. We all have it. What you desire with SSL certificates will not do anything against these bots - they will still attempt to get in.

You will benefit from adding this: https://www.hmailserver.com/forum/viewt ... 42#p209542


As for certificates: although I don't denounce their use and importance, you will have to be pretty unlucky to get chosen to be sniffed out externally of your network amongst the millions of other connections going on to servers of the world.

So in the meantime just keep tight control on your network devices to ensure they don't get malware.

[Entered by mobile. Excuse my spelling.]

mattg
Moderator
Posts: 19880
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Server is being attacked

Post by mattg » 2019-04-04 02:39

vectorrx7 wrote:
2019-04-03 19:07
I would normally but this server isn't running an SSL.
And let me add that SSL will NOT stop these hacking attempts

It will not even slow them down.
Read this post for some scary bedtime reading >> viewtopic.php?f=7&t=33713&p=210546&hili ... 65#p210546
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Server is being attacked

Post by estradis » 2019-04-24 13:49

mattg wrote:
2019-04-04 02:39
vectorrx7 wrote:
2019-04-03 19:07
I would normally but this server isn't running an SSL.
And let me add that SSL will NOT stop these hacking attempts
I can definitely confirm that!

As part of our defense strategy, we reduced the number of allowed errors to 1, so each failed login starts our extended autoban procedure.

At first I was afraid to lock out our own users, but that didn't happen, because all of their passwords are stored in their MUAs. So it really only hit external IP addresses. In the meantime, the number of banned addresses has settled at almost 2300 and as a side effect, the number of delivery attempts of spam has been reduced as well. The number of intrusion attempts has now reached about 3-5 per week.

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: Server is being attacked

Post by insomniac2k2 » 2019-04-24 20:18

I get 2300 banned IP's a day on my servers ;)
estradis wrote:
2019-04-24 13:49
mattg wrote:
2019-04-04 02:39
vectorrx7 wrote:
2019-04-03 19:07
I would normally but this server isn't running an SSL.
And let me add that SSL will NOT stop these hacking attempts
I can definitely confirm that!

As part of our defense strategy, we reduced the number of allowed errors to 1, so each failed login starts our extended autoban procedure.

At first I was afraid to lock out our own users, but that didn't happen, because all of their passwords are stored in their MUAs. So it really only hit external IP addresses. In the meantime, the number of banned addresses has settled at almost 2300 and as a side effect, the number of delivery attempts of spam has been reduced as well. The number of intrusion attempts has now reached about 3-5 per week.

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Server is being attacked

Post by estradis » 2019-04-24 23:46

insomniac2k2 wrote:
2019-04-24 20:18
I get 2300 banned IP's a day on my servers ;)
Just as we had in the beginning either, but we had to realize relatively quickly that the negative effects were too great. That's why we've implemented an external audit process that takes corrective action. If certain criteria are met, banned addresses are released after 5 minutes. If other criteria apply, the ban time is increased to two months. Especially stubborn IP addresses are even forwarded to the firewall where they are globally blocked. This action has had the greatest effect! With each block, the user is informed and can unblock the address himself if he was the responsible party.

And of course the addresses won't be banned forever.

mattg
Moderator
Posts: 19880
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Server is being attacked

Post by mattg » 2019-04-25 01:30

Anyone else checking ports / protocols other than SMTP?

I get dozens of attempts per week on IMAP and POP3 ports, and some even on unusual custom ports that would only be visible following a port scan.

insomniac2k2
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: Server is being attacked

Post by insomniac2k2 » 2019-04-25 02:32

I'm curious what that looks like? The reason why I ask is because I have just completed a complete and working implementation of a central MySQL based banning and auto-whitelisting system that I call from Hmail. Being that it's in MySQL, I'm adding more and more fields which can be used for auto removal criteria with simple scheduled queries (which is what I am presently working on). By use of simple scripting, any IP could be added to a firewall automatically (undecided if I care enough yet). I implemented in this manner because I was accumulating near 80k Windows firewall bans on each box. Now they have 0 and all banned IPs are warned and discarded immediately.

I made a post in the forums about it, but I am presently cleaning up a large revamp that included auto whitelisting.

So essentially, you can ban anything like usual, but more importantly, you can whitelist anything and override a ban, based on any criteria you choose. Presently, I have my timings hard coded, but it's as simple as setting a variable and reading a config file.

My flow looks as such:

Code: Select all

Sub OnHELO(oClient)

    Dim oRegEx
    Dim ClientIp

    ' Ban clients that announce a known-bad HELO name.
    ' AutoBan() is not included in this post.
    Set oRegEx = CreateObject("VBScript.RegExp")
    oRegEx.IgnoreCase = True
    oRegEx.Global = False
    oRegEx.Pattern = "^(User)$|^(ylmf-pc)$|^(Welcome-PC)$|^(THP-PC)$|^(Administrator)$|^(localhost\.localdomain)$|^(127\.0\.0\.1)$"
    If oRegEx.Test(oClient.HELO) Then Call AutoBan(oClient.IPAddress, oClient.HELO, 2, "d")
    Set oRegEx = Nothing

    ' Check whether the incoming IP is already on the whitelist
    If IsWhitelist(oClient.IPAddress) Then
        EventLog.Write("Whitelist Verified: " & oClient.IPAddress & "")
        Exit Sub
    End If

    ' Check whether the incoming IP is already on the ban list
    If IsAlreadyBanned(oClient.IPAddress) Then
        ClientIp = oClient.IPAddress   ' Connecting remote IP address
        EventLog.Write("Previous Ban Check Positive: " & ClientIp & "")
        Result.Value = 2
        Result.Message = "5.7.1 CODE01 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
        Call Disconnect(ClientIp)
        Exit Sub
    End If

    ' SnowShoe SPAM detection
    If IsSnowShoe(oClient.IPAddress) Then
        Result.Value = 2
        Result.Message = "5.7.1 CODE01 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
        ClientIp = oClient.IPAddress   ' Connecting remote IP address
        ' Record the ban in SQL, then drop the connection
        EventLog.Write("Writing SQL BAN: " & ClientIp & "")
        Call SQLBan(ClientIp)
        EventLog.Write("Forcefully Disconnecting: " & ClientIp & "")
        Call Disconnect(ClientIp)
        Exit Sub
    Else
        EventLog.Write("Attempting to add to Whitelist: " & oClient.IPAddress & "")
        Add2WL(oClient.IPAddress)
    End If
End Sub

' True when sbl.spamhaus.org answers 127.0.0.3 for the reversed IP
Function IsSnowShoe(strIP)
    Dim a
    IsSnowShoe = False
    a = Split(strIP, ".")
    ' Only a dotted IPv4 address can be reversed this way
    If UBound(a) <> 3 Then Exit Function
    With CreateObject("SScripting.IPNetwork")
        strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".sbl.spamhaus.org")
    End With
    If (strIP = "127.0.0.3") Then IsSnowShoe = True
End Function

' dbban.exe exits with 0 when the IP is found in the ban table
Function IsAlreadyBanned(chkIP)
    Dim shellCommand, oShell, iReturn
    IsAlreadyBanned = False
    shellCommand = """C:\Program Files (x86)\hMailServer\Bin\dbban.exe"" -verify "
    Set oShell = CreateObject("Wscript.Shell")
    iReturn = oShell.Run(shellCommand & chkIP, 1, True)
    If (iReturn = 0) Then IsAlreadyBanned = True
End Function

Function SQLBan(banIP)
    Dim shellCommand, oShell, iReturn
    shellCommand = """C:\Program Files (x86)\hMailServer\Bin\dbban.exe"" -ban "
    Set oShell = CreateObject("Wscript.Shell")
    iReturn = oShell.Run(shellCommand & banIP, 0, True)
End Function

Function Disconnect(dcIP)
    Dim shellCommand, oShell, iReturn
    shellCommand = """C:\Program Files (x86)\hMailServer\Events\Disconnect.exe"""
    Set oShell = CreateObject("Wscript.Shell")
    iReturn = oShell.Run(shellCommand & " " & dcIP, 0, True)
    EventLog.Write("Forcefully Disconnecting due to previous BAN: " & dcIP & "")
End Function

' dbban.exe exits with 0 when the IP is found in the whitelist table
Function IsWhitelist(chkIP)
    Dim shellCommand, oShell, iReturn
    IsWhitelist = False
    shellCommand = """C:\Program Files (x86)\hMailServer\Bin\dbban.exe"" -verifywl "
    Set oShell = CreateObject("Wscript.Shell")
    iReturn = oShell.Run(shellCommand & chkIP, 1, True)
    If (iReturn = 0) Then IsWhitelist = True
End Function

Function Add2WL(addIP)
    Dim shellCommand, oShell, iReturn
    shellCommand = """C:\Program Files (x86)\hMailServer\Bin\dbban.exe"" -whitelist "
    Set oShell = CreateObject("Wscript.Shell")
    iReturn = oShell.Run(shellCommand & addIP, 0, True)
End Function

This yields results like this now:
[Image: ban-whitelist.png]
estradis wrote:
2019-04-24 23:46
insomniac2k2 wrote:
2019-04-24 20:18
I get 2300 banned IP's a day on my servers ;)
Just as we had in the beginning either, but we had to realize relatively quickly that the negative effects were too great. That's why we've implemented an external audit process that takes corrective action. If certain criteria are met, banned addresses are released after 5 minutes. If other criteria apply, the ban time is increased to two months. Especially stubborn IP addresses are even forwarded to the firewall where they are globally blocked. This action has had the greatest effect! With each block, the user is informed and can unblock the address himself if he was the responsible party.

And of course the addresses won't be banned forever.

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: Server is being attacked

Post by estradis » 2019-04-25 09:58

insomniac2k2 wrote:
2019-04-25 02:32
I'm curious what that looks like? The reason why I ask, is because I have just completed a complete and working implementation of a central MYSQL based banning and auto-whitelisting system that I call from Hmail.
Without a doubt, your idea is great and maybe we can adapt it in our company as well. I'll take a deeper look at it as soon as I have enough time to do so.

We are going a different way. The security implementation in hms is powerful enough to handle these addresses on its own. Therefore we just register the IP addresses in the DNS system after a decision in OnAcceptMessage was made. Once the IP was registered in DNS, it will be dropped out in OnSMTPData as soon as the event recognized that the recipient is not listed in the "never-refuse" list. Attackers will even be disconnected by hms itself by querying the dnsbl on its own. (We experienced the best performance this way.)

I attached two trace files, generated during OnAcceptMessage to show our way until a decision was made and how the eventhandler handles it.

Example 1 (Spam was recognized and rejected):

Code: Select all

[2019.03.02 18:44:30.757]: EventHandlers.vbs: DEBUG: sEventName="OnAcceptMessage"
[2019.03.02 18:44:30.757]: EventHandlers.vbs: DEBUG: oMessage.From="<john.doe@example.com>"
[2019.03.02 18:44:30.757]: EventHandlers.vbs: DEBUG: oMessage.FromAddress="johnk@imagemillinc.com"
[2019.03.02 18:44:30.773]: EventHandlers.vbs: DEBUG: oMessage.Filename="C:\Program Files\hMailServer\Data\{64034210-6D74-4717-BC51-7F7B4B22CA7D}.eml"
[2019.03.02 18:44:30.773]: EventHandlers.vbs: DEBUG: sMsgFileName="C%3A%5CProgram%20Files%5ChMailServer%5CData%5C{64034210-6D74-4717-BC51-7F7B4B22CA7D}.eml"
[2019.03.02 18:44:30.773]: EventHandlers.vbs: DEBUG: sAdressesInHeaders="john.doe@example.com;"
[2019.03.02 18:44:30.773]: EventHandlers.vbs: DEBUG: oRecipient.Address="jane.doe@example.com"
[2019.03.02 18:44:30.773]: EventHandlers.vbs: DEBUG: oRecipient.OriginalAddress="john.doe@example.com"
[2019.03.02 18:44:30.773]: EventHandlers.vbs: DEBUG: g_sBccList=""
[2019.03.02 18:44:30.773]: EventHandlers.vbs: DEBUG: oMessage.Subject="*****SPAM***** This account has been hacked! Change your password right now!"
[2019.03.02 18:44:30.773]: EventHandlers.vbs: DEBUG: sTraceTarget="74.94.69.177"
[2019.03.02 18:44:30.773]: EventHandlers.vbs: Query url "http://localhost/antispam/ExecuteEvent.php?en=OnAcceptMessage&ci=74.94.69.177&cp=25&cu=&ms=<john.doe@example.com>;johnk@imagemillinc.com&mr=jane.doe@example.com;1;john.doe@example.com&mf=C%3A%5CProgram%20Files%5ChMailServer%5CData%5C{64034210-6D74-4717-BC51-7F7B4B22CA7D}.eml&fu=&fs=&fn=&ru="
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Server returned status code "200"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Start processing server results ...
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Message contains NOT confidential or internal account informations
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Will advise mailserver to set header 'X-Deliverer-ClientPort' to '25'.
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: HeaderValue("X-Deliverer-ClientPort") is actually set to ""
[2019.03.02 18:44:32.062]: EventHandlers.vbs: HeaderValue("X-Deliverer-ClientPort") will be set to "25"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: HeaderValue("X-Deliverer-ClientPort") was set to "25"
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Will advise mailserver to set header 'X-Deliverer-Address' to '74.94.69.177'.
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: HeaderValue("X-Deliverer-Address") is actually set to ""
[2019.03.02 18:44:32.062]: EventHandlers.vbs: HeaderValue("X-Deliverer-Address") will be set to "74.94.69.177"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: HeaderValue("X-Deliverer-Address") was set to "74.94.69.177"
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Client IP 74.94.69.177 is NOT internal
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Will advise mailserver to set header 'X-Deliverer-CountryCode' to 'US'.
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: HeaderValue("X-Deliverer-CountryCode") is actually set to ""
[2019.03.02 18:44:32.062]: EventHandlers.vbs: HeaderValue("X-Deliverer-CountryCode") will be set to "US"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: HeaderValue("X-Deliverer-CountryCode") was set to "US"
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Client is NOT authenticated
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Client is NOT backup mx
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Client is NOT whitelisted
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Spamassassin test is NOT whitelisted
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Sender is NOT whitelisted
[2019.03.02 18:44:32.062]: ExecuteEvent.php : No recipients are listed to never be refused.
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Spamassassin test is dynamic
[2019.03.02 18:44:32.062]: ExecuteEvent.php : DEBUG: IsDnsResult('127.0.0.4', '127.0.0.10')
[2019.03.02 18:44:32.062]: ExecuteEvent.php : DEBUG: QueryDNSService::Query('177.69.94.74.ip.internal-dns.bl.', 'ANY')='0.0.0.0'
[2019.03.02 18:44:32.062]: ExecuteEvent.php : DEBUG: QueryDNSService::Query('177.69.94.74.dul.dnsbl.sorbs.net.', 'ANY')='NXDOMAIN'
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Client is NOT dynamic by IP
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Spamassassin test is spam source
[2019.03.02 18:44:32.062]: ExecuteEvent.php : DEBUG: IsDnsResult('127.0.0.[26]', '127.0.0.[6-9]')
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Client is NOT spam source by IP
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Message is spam
[2019.03.02 18:44:32.062]: ExecuteEvent.php : DEBUG: IsDnsResult('127.0.0.4', '127.0.0.10')
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Client is NOT dynamic by IP
[2019.03.02 18:44:32.062]: ExecuteEvent.php : DEBUG: IsDnsResult('127.0.0.[26]', '127.0.0.[6-9]')
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Client is NOT spam source by IP
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Will advise mailserver to reject message: Message is spam!
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Result.Value will be set to "2"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Result.Value was set to "2"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Result.Message will be set to "5.7.1 [0x80001654] Message refused by DeepHeader check. This email has been rejected. The email message was detected as spam."
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Result.Message was set to "5.7.1 [0x80001654] Message refused by DeepHeader check. This email has been rejected. The email message was detected as spam."
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Will advise mailserver to move mail to quarantine
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Need to save current changes berfore mail can be quarantined
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Changes in oMessage will be saved.
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Changes in oMessage were saved.
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: File name for email to quarantine is "{64034210-6D74-4717-BC51-7F7B4B22CA7D}.eml"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: Source path for email to quarantine is "C:\Program Files\hMailServer\Data\{64034210-6D74-4717-BC51-7F7B4B22CA7D}.eml"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: Destination path for email to quarantine is "C:\Program Files\AntiSpamEngine\Quarantine\20190302\\{64034210-6D74-4717-BC51-7F7B4B22CA7D}.eml"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: mail quarantined as "C:\Program Files\AntiSpamEngine\Quarantine\20190302\\{64034210-6D74-4717-BC51-7F7B4B22CA7D}.eml"
[2019.03.02 18:44:32.062]: ExecuteEvent.php : Will advise mailserver to write values to hMailservers event log!
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: g_oMessage.From="<john.doe@example.com>"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: g_oMessage.FromAddress="johnk@imagemillinc.com"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: DEBUG: sFromNormalized="<john.doe@example.com> <johnk@imagemillinc.com>"
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Will write to log 'OnAcceptMessage"	"74.94.69.177:25"	"Reject:{64034210-6D74-4717-BC51-7F7B4B22CA7D}.eml"	"Message is spam"	"554"	"5.7.1 [0x80001654] Message refused by DeepHeader check. This email has been rejected. The email message was detected as spam."	"Yes"	"20.9"	"5.0"	"<john.doe@example.com> <johnk@imagemillinc.com>"	"john.doe@example.com"	""	""	"jane.doe@example.com;john.doe@example.com"	"*****SPAM***** This account has been hacked! Change your password right now!"	"Yes, score=20.9 required=5.0 tests=Yes,score=20.9required=5.0tests=BITCOIN_EXTORT_01,DATE_IN_PAST_96_XX,FORGED_INTERNAL_SENDER,RCVD_IN_PSBL,RCVD_IN_RP_RNBL,RCVD_IN_SBL_CSS,RCVD_IN_SORBS_SPAM,RCVD_IN_SORBS_WEB,RDNS_DYNAMICautolearn=noautolearn_force=noversion=3.4.2 shortcircuit=Yes,score=20.9required=5.0tests=BITCOIN_EXTORT_01,DATE_IN_PAST_96_XX,FORGED_INTERNAL_SENDER,RCVD_IN_PSBL,RCVD_IN_RP_RNBL,RCVD_IN_SBL_CSS,RCVD_IN_SORBS_SPAM,RCVD_IN_SORBS_WEB,RDNS_DYNAMICautolearn=noautolearn_force=noversion=3.4.2 autolearn=noautolearn_force=no version=3.4.2'
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Log have been written
[2019.03.02 18:44:32.062]: EventHandlers.vbs: Changes in oMessage will be saved.
[2019.03.02 18:44:32.078]: EventHandlers.vbs: Changes in oMessage were saved.
Example 2 (Spam was recognized but delivered as the recipient is listed in "never-refuse" list):

Code: Select all

[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: sEventName="OnAcceptMessage"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: oMessage.From="<bill.doe@example.com>"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: oMessage.FromAddress="ranjana_yp@brlp.in"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: oMessage.Filename="C:\Program Files\hMailServer\Data\{7930A49C-0D7A-425E-874C-0EA362EDD9C7}.eml"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: sMsgFileName="C%3A%5CProgram%20Files%5ChMailServer%5CData%5C{7930A49C-0D7A-425E-874C-0EA362EDD9C7}.eml"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: sAdressesInHeaders="bill.doe@example.com;"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: oRecipient.Address="bill.doe@example.com"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: oRecipient.OriginalAddress="bill.doe@example.com"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: g_sBccList=""
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: oMessage.Subject="*****SPAM***** bill.doe"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: DEBUG: sTraceTarget="1.6.36.80"
[2019.02.28 03:27:48.779]: EventHandlers.vbs: Query url "http://localhost/antispam/ExecuteEvent.php?en=OnAcceptMessage&ci=1.6.36.80&cp=25&cu=&ms=<bill.doe@example.com>;ranjana_yp@brlp.in&mr=bill.doe@example.com;1;bill.doe@example.com&mf=C%3A%5CProgram%20Files%5ChMailServer%5CData%5C{7930A49C-0D7A-425E-874C-0EA362EDD9C7}.eml&fu=&fs=&fn=&ru="
[2019.02.28 03:27:50.557]: EventHandlers.vbs: Server returned status code "200"
[2019.02.28 03:27:50.557]: EventHandlers.vbs: Start processing server results ...
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Message contains NOT confidential or internal account informations
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Will advise mailserver to set header 'X-Deliverer-ClientPort' to '25'.
[2019.02.28 03:27:50.557]: EventHandlers.vbs: DEBUG: HeaderValue("X-Deliverer-ClientPort") is actually set to ""
[2019.02.28 03:27:50.557]: EventHandlers.vbs: HeaderValue("X-Deliverer-ClientPort") will be set to "25"
[2019.02.28 03:27:50.557]: EventHandlers.vbs: HeaderValue("X-Deliverer-ClientPort") was set to "25"
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Will advise mailserver to set header 'X-Deliverer-Address' to '1.6.36.80'.
[2019.02.28 03:27:50.557]: EventHandlers.vbs: DEBUG: HeaderValue("X-Deliverer-Address") is actually set to ""
[2019.02.28 03:27:50.557]: EventHandlers.vbs: HeaderValue("X-Deliverer-Address") will be set to "1.6.36.80"
[2019.02.28 03:27:50.557]: EventHandlers.vbs: HeaderValue("X-Deliverer-Address") was set to "1.6.36.80"
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Client IP 1.6.36.80 is NOT internal
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Will advise mailserver to set header 'X-Deliverer-CountryCode' to 'IN'.
[2019.02.28 03:27:50.557]: EventHandlers.vbs: DEBUG: HeaderValue("X-Deliverer-CountryCode") is actually set to ""
[2019.02.28 03:27:50.557]: EventHandlers.vbs: HeaderValue("X-Deliverer-CountryCode") will be set to "IN"
[2019.02.28 03:27:50.557]: EventHandlers.vbs: HeaderValue("X-Deliverer-CountryCode") was set to "IN"
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Client is NOT authenticated
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Client is NOT backup mx
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Client is NOT whitelisted
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Spamassassin test is NOT whitelisted
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Sender is NOT whitelisted
[2019.02.28 03:27:50.557]: ExecuteEvent.php : DEBUG: Found pattern bill.doe@example.com exaxtly in line bill.doe@example.com in FileList::FindPattern
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Recipient bill.doe@example.com is listed to never be refused.
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Will advise mailserver to continue!
[2019.02.28 03:27:50.557]: ExecuteEvent.php : Will advise mailserver to write values to hMailservers event log!
[2019.02.28 03:27:50.557]: EventHandlers.vbs: DEBUG: g_oMessage.From="<bill.doe@example.com>"
[2019.02.28 03:27:50.557]: EventHandlers.vbs: DEBUG: g_oMessage.FromAddress="ranjana_yp@brlp.in"
[2019.02.28 03:27:50.557]: EventHandlers.vbs: DEBUG: sFromNormalized="<bill.doe@example.com> <ranjana_yp@brlp.in>"
[2019.02.28 03:27:50.557]: EventHandlers.vbs: Will write to log 'OnAcceptMessage"	"1.6.36.80:25"	"Accept:"	"Recipient is in never-refuse list"	"250"	"Queued"	"Yes"	"20.6"	"5.0"	"<bill.doe@example.com> <ranjana_yp@brlp.in>"	"bill.doe@example.com"	""	""	"bill.doe@example.com;bill.doe@example.com"	"*****SPAM***** bill.doe"	"Yes, score=20.6 required=5.0 tests=Yes,score=20.6required=5.0tests=BITCOIN_EXTORT_01,BITCOIN_SPAM_02,BITCOIN_SPAM_03,BITCOIN_SPAM_07,FORGED_INTERNAL_SENDER,FORGED_MUA_MOZILLA,LOCALPART_IN_SUBJECT,RCVD_IN_PSBL,SEO_BODYautolearn=noautolearn_force=noversion=3.4.2 shortcircuit=Yes,score=20.6required=5.0tests=BITCOIN_EXTORT_01,BITCOIN_SPAM_02,BITCOIN_SPAM_03,BITCOIN_SPAM_07,FORGED_INTERNAL_SENDER,FORGED_MUA_MOZILLA,LOCALPART_IN_SUBJECT,RCVD_IN_PSBL,SEO_BODYautolearn=noautolearn_force=noversion=3.4.2 autolearn=noautolearn_force=no version=3.4.2'
[2019.02.28 03:27:50.557]: EventHandlers.vbs: Log have been written
[2019.02.28 03:27:50.557]: EventHandlers.vbs: Changes in oMessage will be saved.
[2019.02.28 03:27:50.557]: EventHandlers.vbs: Changes in oMessage were saved.
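The DNSBL checks that insomniac2k2's IsSnowShoe function and estradis's trace both rely on, as an added Python example (not code from either poster): it builds the reversed lookup name, extends it to IPv6, and applies the whitelist and never-refuse overrides before rejecting. The pairing of answer patterns with zones, the shell-style reading of patterns such as 127.0.0.[26], the function names and the 192.0.2.x sample answers are assumptions made for this example.

```python
import fnmatch
import ipaddress
import socket

# (zone, answer pattern) pairs. Zones and patterns are the ones visible in the
# thread; pairing each pattern with a zone is this example's reading of the trace.
SNOWSHOE_CHECKS = [("sbl.spamhaus.org", "127.0.0.3")]
DYNAMIC_CHECKS = [("ip.internal-dns.bl", "127.0.0.4"),
                  ("dul.dnsbl.sorbs.net", "127.0.0.10")]


def dnsbl_query_name(ip, zone):
    """Build the lookup name: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".")


def answer_matches(answer, pattern):
    """True if the answer is a 127.0.0.0/8 listing code that matches the pattern.

    Anything outside 127/8 (the '0.0.0.0' seen in the trace, or a public
    address from a wildcarding resolver) must not count as a listing.
    """
    return bool(answer) and answer.startswith("127.") and \
        fnmatch.fnmatchcase(answer, pattern)


def system_resolver(name):
    """Resolve an A record with the OS resolver; None means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def listed(ip, checks, resolve):
    """Return the first (zone, answer) that matches its pattern, else None."""
    for zone, pattern in checks:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer_matches(answer, pattern):
            return zone, answer
    return None


def decide(ip, recipients, resolve, whitelist=(), never_refuse=()):
    """Return (accept, reason): whitelist, then never-refuse, then DNSBL."""
    if ip in whitelist:
        return True, "whitelisted"
    if any(r.lower() in never_refuse for r in recipients):
        return True, "recipient is in never-refuse list"
    hit = listed(ip, SNOWSHOE_CHECKS + DYNAMIC_CHECKS, resolve)
    if hit:
        return False, "listed in %s (%s)" % hit
    return True, "not listed"


# Constructed answers for offline use; these are not real listings.
SAMPLE_ZONE_DATA = {
    "10.2.0.192.sbl.spamhaus.org": "127.0.0.3",
    "20.2.0.192.dul.dnsbl.sorbs.net": "127.0.0.10",
    "30.2.0.192.ip.internal-dns.bl": "0.0.0.0",
}


def sample_resolver(name):
    """Stand-in for a DNS lookup, backed by the constructed table above."""
    return SAMPLE_ZONE_DATA.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, decide(ip, ["jane.doe@example.com"], sample_resolver))
```

Pass `system_resolver` instead of `sample_resolver` to query live zones.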
