Blocking hackers gaining user names via "550 Unknown user"

superscan811
New user
Posts: 2
Joined: 2019-05-12 11:14

Blocking hackers gaining user names via "550 Unknown user"

Post by superscan811 » 2019-05-12 11:31

Is there a way to Auto Ban an IP from consecutive attempts to gain valid email addresses via the 550 error, similar to the login attempt Auto Ban?

Have been getting an excessive amount of attempts like this..

"SMTPD" 5108 3342 "2019-05-12 00:33:10.846" "185.222.211.30" "RECEIVED: RCPT TO:<ihk7o11olbvofcu@xxxxxx>"
"DEBUG" 5108 "2019-05-12 00:33:10.846" "AWStats::LogDeliveryFailure"
"SMTPD" 5108 3342 "2019-05-12 00:33:10.846" "185.222.211.30" "SENT: 550 Unknown user"


Cheers.

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Blocking hackers gaining user names via "550 Unknown user"

Post by SorenR » 2019-05-12 12:17

superscan811 wrote:
2019-05-12 11:31
Is there a way to Auto Ban an IP from consecutive attempts to gain valid email addresses via the 550 error, similar to the login attempt Auto Ban

Have been getting an excessive amount of attempts like this..

"SMTPD" 5108 3342 "2019-05-12 00:33:10.846" "185.222.211.30" "RECEIVED: RCPT TO:<ihk7o11olbvofcu@xxxxxx>"
"DEBUG" 5108 "2019-05-12 00:33:10.846" "AWStats::LogDeliveryFailure"
"SMTPD" 5108 3342 "2019-05-12 00:33:10.846" "185.222.211.30" "SENT: 550 Unknown user"


Cheers.

Create a Catch-All user ... Then every thinkable username exists on your server :mrgreen:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

superscan811
New user
Posts: 2
Joined: 2019-05-12 11:14

Re: Blocking hackers gaining user names via "550 Unknown user"

Post by superscan811 » 2019-05-12 13:03

I like that idea, only I have very limited bandwidth.
I manually firewall auto-banned IPs, just to help gain back a little speed, rather than allow them to continuously re-attempt to log in.

The majority of the time they end up being auto-banned, because as soon as they find a valid email, their script attempts to log in.

Just wanting to further reduce their impact.

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Blocking hackers gaining user names via "550 Unknown user"

Post by mattg » 2019-05-12 15:59

In SMTP >> RFC Compliance

What do you have for Maximum number of invalid commands?
I have mine set to 5
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: Blocking hackers gaining user names via "550 Unknown user"

Post by SorenR » 2019-05-12 18:02

You could try this...

1: You will delay anything they do.
2: BOTs and general SPAM are all about time; if you delay them they skip your server.
3: Any LEGIT SMTP server WILL ignore the 20 sec delay and proceed to deliver mail.
4: Disable AUTH on port 25, move your clients to port 587 TLS or 465 SSL by inserting [settings] DisableAuthList=25 into hmailserver.ini.


Option Explicit

Function Wait(sec)
   With CreateObject("WScript.Shell")
      .Run "timeout /T " & Int(sec), 0, True       ' Windows 7/2003/2008 or later
'     .Run "sleep -m " & Int(sec * 1000), 0, True  ' Windows 2003 Resource Kit
'     .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
   End With
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnClientConnect(oClient)
   '
   '   Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Port = 25) Then Wait(20)
End Sub

Sub OnHELO(oClient)
   '
   '   Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Port = 25) Then Wait(20)
End Sub

'*
'*  ********** SPAM test: DNSBlackLists, HeloHost, MXRecords, SPF
'*

Sub OnSMTPData(oClient, oMessage)
   '
   '   Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Username = "") Then Wait(20)
End Sub

'*
'*  ********** SPAM test: SURBL, DKIM, SpamAssassin
'*

Sub OnAcceptMessage(oClient, oMessage)
   '
   '   Filter out "impatient" servers. Alternative to GreyListing.
   '
   If (oClient.Username = "") Then Wait(20)
End Sub

'*
'*  ********** Saving EML to DATA
'*

'* Sub OnDeliveryStart(oMessage)
'* End Sub

'*
'*  ********** Antivirus check, Global rules
'*

'* Sub OnDeliverMessage(oMessage)
'* End Sub

'*
'*  ********** Local rules, Message delivered to recipient(s)
'*

'* Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
'* End Sub

'* Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
'* End Sub

'* Sub OnBackupFailed(sReason)
'* End Sub

'* Sub OnBackupCompleted()
'* End Sub

'* Sub OnError(iSeverity, iCode, sSource, sDescription)
'* End Sub

'******************************************************************************************************************************
'********** END                                                                                                      **********
'******************************************************************************************************************************
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
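
The check asked about at the top of this thread, counting "550 Unknown user" replies per client IP inside a time window, sketched in Python as an added example (not code from any poster or from hMailServer). The threshold, window, function names and sample log lines are assumptions; the line shape follows the log excerpt in the first post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Line shape quoted in the thread (fields separated by whitespace or tabs):
# "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "SENT: 550 Unknown user"
REJECT = re.compile(
    r'^"SMTPD"\s+\d+\s+\d+\s+"([^"]+)"\s+"([^"]+)"\s+"SENT: 550 Unknown user"')

def find_harvesters(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak rejections inside `window`} for IPs reaching `threshold`."""
    recent = defaultdict(deque)   # ip -> rejection timestamps still inside the window
    peak = defaultdict(int)       # ip -> highest count seen in any window
    for line in lines:
        m = REJECT.match(line.strip())
        if not m:
            continue              # DEBUG lines, RECEIVED lines, other replies
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        ip = m.group(2)
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:   # drop rejections older than the window
            hits.popleft()
        peak[ip] = max(peak[ip], len(hits))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed log: 192.0.2.10 probes six addresses, 198.51.100.7 mistypes one."""
    out = []
    for i in range(6):
        t = f"2019-05-12 00:33:{10 + i:02d}.846"
        out.append(f'"SMTPD"\t5108\t3342\t"{t}"\t"192.0.2.10"\t'
                   f'"RECEIVED: RCPT TO:<guess{i}@example.test>"')
        out.append(f'"DEBUG"\t5108\t"{t}"\t"AWStats::LogDeliveryFailure"')
        out.append(f'"SMTPD"\t5108\t3342\t"{t}"\t"192.0.2.10"\t"SENT: 550 Unknown user"')
    out.append('"SMTPD"\t5108\t3350\t"2019-05-12 00:40:00.000"\t"198.51.100.7"\t'
               '"SENT: 550 Unknown user"')
    return out

if __name__ == "__main__":
    for ip, count in find_harvesters(sample_log()).items():
        print(f"{ip}\t{count} unknown-user rejections within the window")
```

The returned addresses are candidates for the manual firewall blocks described earlier in the thread; a single rejection, such as a sender mistyping one address, stays below the threshold.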
