Stop intruder

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Stop intruder

Post by PeterChan » 2019-06-20 16:00

Hi,
It is bad to find out that other people have been making use of my domain to send out messages like

2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru lucas@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru beth@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru dean@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru victoria@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru alexandra@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0

Such user accounts never appeared in my AD. How do I stop this? I already created a proper SPF record on the domain (and Namecheap.com confirmed to me that the SPF record was working fine), but the intruder is still working on my domain!

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-20 16:02

They are all 550 rejections

No mail being sent there

(Do you have other logging options enabled other than AWStats? AWStats logs aren't really good for troubleshooting)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-21 03:50

Thanks. All 550 events are rejections, right?
"DEBUG" 3812 "2019-06-21 08:35:23.921" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.921" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "185.222.211.13" "RECEIVED: RCPT TO:<cheryl@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.937" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "RECEIVED: RCPT TO:<fernanda@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.952" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "RECEIVED: RCPT TO:<luis@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.968" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.968" "185.222.211.13" "RECEIVED: RCPT TO:<will@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "RECEIVED: RCPT TO:<carl@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.984" "AWStats::LogDeliveryFailure"
Do you mean to enable another log?

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-21 06:04

yes all 550 are rejections

SMTP + debug is OK to troubleshoot later

PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-21 06:12

Can you tell me the meaning of "RECEIVED: RCPT TO:<offers@a.co>" in the log below?
"DEBUG" 3772 "2019-06-21 11:42:57.870" "AWStats::LogDeliveryFailure"
"SMTPD" 3772 41 "2019-06-21 11:42:57.870" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 41 "2019-06-21 11:42:57.870" "185.222.211.13" "RECEIVED: RCPT TO:<offers@a.co>"

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-21 08:07

Sure

Your SMTP Daemon (incoming SMTP connection) @ time '2019-06-21 11:42:57.870' received an instruction from IP '185.222.211.13'

The instruction as received was 'RCPT TO:<offers@a.co>'

This is saying that we would like to send our email to 'offers@a.co'

Your server responds with SENT at the next line (next line down - not shown) that says '550 Unknown User'
This means your mail is rejected as we don't have a mailbox by that name to receive your message

PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-21 08:30

Thanks a lot!
It means IP 185.222.211.13 is repeatedly annoying my server, by giving "rubbish" commands, right?

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-21 11:03

yes

Autoban, with a maximum number of bad commands set, would block those

run this and post the results >> viewtopic.php?f=20&t=30914
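The two posts above (the RCPT TO / 550 exchange and the suggestion to let autoban act on a maximum number of bad commands) can be checked against the SMTPD log directly. The following is an added example, not code from the thread or from hMailServer: it parses SMTPD lines of the format shown above, counts the "550 Unknown user" replies the server sent per remote IP, and lists the IPs that exceeded a threshold inside a sliding time window. The sample log is constructed (the 185.222.211.13 lines mirror the thread; 192.0.2.10 is an invented, documentation-range sender that mistyped one recipient), and the threshold and window values are assumptions to tune for your own server; hMailServer's own autoban is configured in the administrator, this script only shows which IPs such a rule would catch.

```python
import re
from collections import defaultdict
from datetime import datetime

# hMailServer SMTPD line: "SMTPD" <pid> <session> "<timestamp>" "<remote ip>" "<message>"
SMTPD_RE = re.compile(
    r'^"SMTPD"\s+(?P<pid>\d+)\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+'
    r'"(?P<ip>[^"]+)"\s+"(?P<msg>[^"]*)"$'
)

# Constructed sample. The 185.222.211.13 lines mirror the ones posted in this thread;
# 192.0.2.10 (documentation range) is an invented legitimate sender that mistyped one
# recipient and then delivered correctly, so it must NOT be flagged.
SAMPLE_LOG = """\
"DEBUG" 3812 "2019-06-21 08:35:23.921" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.921" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "185.222.211.13" "RECEIVED: RCPT TO:<cheryl@a.co>"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "RECEIVED: RCPT TO:<fernanda@a.co>"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "RECEIVED: RCPT TO:<luis@a.co>"
"SMTPD" 3796 36 "2019-06-21 08:35:23.968" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.968" "185.222.211.13" "RECEIVED: RCPT TO:<will@a.co>"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3801 37 "2019-06-21 08:36:10.100" "192.0.2.10" "RECEIVED: RCPT TO:<sales@a.co>"
"SMTPD" 3801 37 "2019-06-21 08:36:10.104" "192.0.2.10" "SENT: 550 Unknown user"
"SMTPD" 3801 37 "2019-06-21 08:36:15.300" "192.0.2.10" "RECEIVED: RCPT TO:<info@a.co>"
"SMTPD" 3801 37 "2019-06-21 08:36:15.304" "192.0.2.10" "SENT: 250 OK"
"""


def parse_timestamp(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")


def unknown_user_rejections(log_text):
    """Return {remote_ip: [timestamps]} for every 550 reply the server SENT."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = SMTPD_RE.match(line.strip())
        if m and m["msg"].startswith("SENT: 550"):
            hits[m["ip"]].append(parse_timestamp(m["ts"]))
    return hits


def rejections_per_ip(log_text):
    return {ip: len(times) for ip, times in unknown_user_rejections(log_text).items()}


def max_in_window(times, window_seconds):
    """Largest number of events inside any window of window_seconds (two-pointer sweep)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def autoban_candidates(log_text, max_bad=3, window_seconds=60):
    """IPs that drew more than max_bad 'Unknown user' rejections within window_seconds.

    max_bad and window_seconds are assumed starting values, not hMailServer defaults.
    """
    return sorted(
        ip for ip, times in unknown_user_rejections(log_text).items()
        if max_in_window(times, window_seconds) > max_bad
    )


if __name__ == "__main__":
    for ip, n in rejections_per_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} rejection(s)")
    print("autoban candidates:", autoban_candidates(SAMPLE_LOG))
```

The window matters more than the raw count: one mistyped recipient from a real correspondent produces a single 550, while the harvesting run in the thread produces five inside a tenth of a second, so a low threshold over a short window separates the two without touching the legitimate sender.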

PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-21 11:17

Thanks a lot!
What is the purpose of the party who is ridiculously and repeatedly running jobs to do such "BAD" routines? Does it mean they're trying to steal any "potential" resources for doing their jobs?

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-22 01:13

That's just what SPAMmers do.

Not quite as bad as those who actively try to hack systems, or bring down systems by over abuse (DOS attacks and DDOS attacks), but yes certainly still a huge waste of resources.

I reckon that I spend far more time fighting spam and blocking attacks than anything else admin related on my servers. There are some sophisticated attackers out there, and most of those are just looking for a server that they can exploit to send out SPAM, or to steal email credentials so that they can scam users.

I'm sure that there are some who beat my attempts at blocking them.

PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-22 02:12

Mattg,
Thanks a lot!
How can their attempts at "checking/validating (or attempting to steal)" against the server be totally blocked? Did you ever succeed in doing this?

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-22 06:50

PeterChan wrote:
2019-06-22 02:12
Did you ever succeed in doing this?
no

I just keep fine tuning my systems
It is hard to allow genuine users through, but only block malicious users.

Some things that I do
- not allow PORT 25 AUTH at all
- Force all connections to ONLY use TLSv1.2 when the connection is secured
- Force all connections that AUTH to be secure
- drop and ban all IMAP and POP3 connections that don't originate in Australia (my server is in Australia)
- ban all high spam score IPs
- ban all IPs that 'look' like they are scamming / hacking / trying stuff

and more

palinka
Senior user
Posts: 882
Joined: 2017-09-12 17:57

Re: Stop intruder

Post by palinka » 2019-06-22 11:32

mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.

PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-22 13:32

Mattg,
Thanks a lot!
How to force all connections to ONLY use TLSv1.2 when the connection is secured?

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Stop intruder

Post by SorenR » 2019-06-22 13:54

palinka wrote:
2019-06-22 11:32
mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
SpamAssassin is like our children, you have to teach it what is good and what is bad. If you only teach it what is good you'll end up with a Bayesian database like our current generation of young people - completely unable to deal with "bad", who get offended by anyone and anything, convert civil disobedience to hashtags and shitstorms and who believe pretty much anything that is written on the Internet to be true.

PS. You being an American. Were you aware that statistically all "Great Presidents" in the USA started a war?
Perhaps you should listen to your wife and get out before you are drafted. :wink: Despite what you hear in the news, "Socialist" Europe is a pretty solid place to live. We all drive Audi, Mercedes and BMW and use Huawei phones as they are superior. :mrgreen:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

palinka
Senior user
Posts: 882
Joined: 2017-09-12 17:57

Re: Stop intruder

Post by palinka » 2019-06-22 14:23

SorenR wrote:
2019-06-22 13:54
Perhaps you should listen to your wife and get out before you are drafted. :wink:
1) I'm too old to be drafted
2) I already volunteered and served in the United States Marines
3) The next war won't be between countries, it will be within countries and the draft won't matter - you'll be drafted by survival
4) I always listen to my wife because she's really intelligent and perceptive (and beautiful - I'm a lucky guy to have that combination) :D
5) off topic
6) my firewall ban is coming along nicely. I have some pretty good changes i hope to push out today if i can find time between mountain biking with my son and relaxing in the pool. :mrgreen:
7) ^^ still off topic :lol:

palinka
Senior user
Posts: 882
Joined: 2017-09-12 17:57

Re: Stop intruder

Post by palinka » 2019-06-22 14:30

palinka wrote:
2019-06-22 11:32
mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
I just realized that could be interpreted as sarcastic when it's not meant to be. What I meant was I never considered banning IPs based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permanent/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Stop intruder

Post by SorenR » 2019-06-22 17:38

palinka wrote:
2019-06-22 14:30
palinka wrote:
2019-06-22 11:32
mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
I just realized that could be interpreted as sarcastic when it's not meant to be. What I meant was I never considered banning IPs based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permanent/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.
Can I just say on behalf of myself and my generation (60+) of Danish IT geeks and Motorheads (US version ;-) ), you made a short and to the point observation. What's to be offended about that?
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.

palinka
Senior user
Posts: 882
Joined: 2017-09-12 17:57

Re: Stop intruder

Post by palinka » 2019-06-22 17:53

SorenR wrote:
2019-06-22 17:38
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Ace of spades :mrgreen:

jimimaseye
Moderator
Posts: 8006
Joined: 2011-09-08 17:48

Re: Stop intruder

Post by jimimaseye » 2019-06-22 18:02

SorenR wrote:
2019-06-22 17:38
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Trippy!! 🕺👽🤯
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-23 00:18

palinka wrote:
2019-06-22 17:53
Ace of spades :mrgreen:
Yep, I'm going with the rock band too

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-23 02:31

palinka wrote:
2019-06-22 11:32
mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
In an effort to stop some backscatter, I accept all spam, without rejection.

If the spamscore is high, I ban the IP and delete the message
If the spamscore is medium (in the range where it might be SPAM or might be HAM from a poorly managed server), I send it to a spam@ account for review

I have seen SPAM score up to 199 on my system

PeterChan
Normal user
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-23 12:04

Good day Mattg,
How to ban one IP from "approaching" our server?

palinka
Senior user
Posts: 882
Joined: 2017-09-12 17:57

Re: Stop intruder

Post by palinka » 2019-06-23 12:44

PeterChan wrote:
2019-06-23 12:04
Good day Mattg,
How to ban one IP from "approaching" our server?
One method - Firewall Ban :mrgreen:

Warning - still in alpha stage. Pretty close to beta.

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-24 00:56

Or ban at the edge of your network with a firewall appliance or in your modem / router

PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-24 12:09

On below URL

http://hmailserver.com/forum/viewtopic.php?f=9&t=34082

it is done for a MySQL database. Does it mean we can rewrite it for MSSQL?

palinka
Senior user
Posts: 882
Joined: 2017-09-12 17:57

Re: Stop intruder

Post by palinka » 2019-06-24 12:31

PeterChan wrote:
2019-06-24 12:09
On below URL

http://hmailserver.com/forum/viewtopic.php?f=9&t=34082

it is done for a MySQL database. Does it mean we can rewrite it for MSSQL?
Yes. But I couldn't say how much work that would be. For the basic stuff - meaning the powershell script and EventHandlers.vbs - it would be pretty easy, but there are so many database calls in the webadmin that it could be a lot of work to untangle. Or maybe it works right out of the box. I literally have no idea. I only know that I can't and won't be doing it.

PeterChan
Normal user
Posts: 40
Joined: 2018-06-23 15:45

Re: Stop intruder

Post by PeterChan » 2019-06-27 03:46

Hi,
I want to know what this does, per the log details below.
"DEBUG" 3820 "2019-06-27 09:07:47.898" "Creating session 397"
"TCPIP" 3820 "2019-06-27 09:07:47.906" "TCP - 3.94.116.70 connected to 113.255.213.124:25."
"DEBUG" 3820 "2019-06-27 09:07:47.914" "TCP connection started for session 396"
"SMTPD" 3820 396 "2019-06-27 09:07:47.917" "3.94.116.70" "SENT: 220 WIN-APIUFD1NJEU ESMTP"
"SMTPD" 3784 396 "2019-06-27 09:07:48.212" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3784 396 "2019-06-27 09:07:48.215" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3800 396 "2019-06-27 09:07:48.478" "3.94.116.70" "RECEIVED: STARTTLS"
"SMTPD" 3800 396 "2019-06-27 09:07:48.482" "3.94.116.70" "SENT: 220 Ready to start TLS"
"DEBUG" 3784 "2019-06-27 09:07:48.487" "Performing SSL/TLS handshake for session 396. Verify certificate: False"
"TCPIP" 3820 "2019-06-27 09:07:49.030" "TCPConnection - TLS/SSL handshake completed. Session Id: 396, Remote IP: 3.94.116.70, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"SMTPD" 3820 396 "2019-06-27 09:07:49.371" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3820 396 "2019-06-27 09:07:49.375" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"DEBUG" 3784 "2019-06-27 09:07:59.629" "The read operation failed. Bytes transferred: 0 Remote IP: 3.94.116.70, Session: 396, Code: 335544539, Message: short read"
"DEBUG" 3784 "2019-06-27 09:07:59.634" "Ending session 396"

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-27 13:13

That looks to me like a system that checks your security, and doesn't send mail

The OTHER server seems to have dropped the connection
And the name of the other server makes me think it is scanning ssl certificates
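mattg's reading of that session (a scanner that negotiates TLS and then drops the connection rather than sending mail) can be reproduced from the log itself. The following is an added example, not code from the thread or from hMailServer: it groups the SMTPD, DEBUG and TCPIP lines by session number, records the commands the client sent, the negotiated TLS version and whether the remote side dropped the connection, and classifies the session. The session log embedded below is the one PeterChan posted above; the classification labels and the rule of thumb behind them (STARTTLS and no MAIL FROM before the remote side hangs up means a TLS probe, several RCPT TO all answered 550 means address probing) are my own assumptions.

```python
import re
from dataclasses import dataclass, field

# Generic hMailServer log line: "<KIND>" <pid> [<session>] "<timestamp>" ["<remote ip>"] "<message>"
LINE_RE = re.compile(
    r'^"(?P<kind>[A-Z]+)"\s+(?P<pid>\d+)\s+(?:(?P<session>\d+)\s+)?'
    r'"(?P<ts>[^"]+)"\s+(?:"(?P<ip>[^"]+)"\s+)?"(?P<msg>[^"]*)"$'
)
# DEBUG/TCPIP lines carry the session only inside the message text:
# "... for session 396", "Session Id: 396, ...", "Session: 396, ..."
SESSION_REF_RE = re.compile(r"[Ss]ession(?: Id)?:? (\d+)")

# Session log as posted in the thread above.
SESSION_LOG = """\
"DEBUG" 3820 "2019-06-27 09:07:47.898" "Creating session 397"
"TCPIP" 3820 "2019-06-27 09:07:47.906" "TCP - 3.94.116.70 connected to 113.255.213.124:25."
"DEBUG" 3820 "2019-06-27 09:07:47.914" "TCP connection started for session 396"
"SMTPD" 3820 396 "2019-06-27 09:07:47.917" "3.94.116.70" "SENT: 220 WIN-APIUFD1NJEU ESMTP"
"SMTPD" 3784 396 "2019-06-27 09:07:48.212" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3784 396 "2019-06-27 09:07:48.215" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3800 396 "2019-06-27 09:07:48.478" "3.94.116.70" "RECEIVED: STARTTLS"
"SMTPD" 3800 396 "2019-06-27 09:07:48.482" "3.94.116.70" "SENT: 220 Ready to start TLS"
"DEBUG" 3784 "2019-06-27 09:07:48.487" "Performing SSL/TLS handshake for session 396. Verify certificate: False"
"TCPIP" 3820 "2019-06-27 09:07:49.030" "TCPConnection - TLS/SSL handshake completed. Session Id: 396, Remote IP: 3.94.116.70, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"SMTPD" 3820 396 "2019-06-27 09:07:49.371" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3820 396 "2019-06-27 09:07:49.375" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"DEBUG" 3784 "2019-06-27 09:07:59.629" "The read operation failed. Bytes transferred: 0 Remote IP: 3.94.116.70, Session: 396, Code: 335544539, Message: short read"
"DEBUG" 3784 "2019-06-27 09:07:59.634" "Ending session 396"
"""


@dataclass
class Session:
    session_id: int
    remote_ip: str = ""
    received: list = field(default_factory=list)  # client commands, in order
    sent: list = field(default_factory=list)      # server replies, in order
    tls_version: str = ""
    remote_dropped: bool = False                  # remote closed without QUIT ("short read")


def parse_sessions(log_text):
    """Group log lines by session number into Session records."""
    sessions = {}
    get = lambda sid: sessions.setdefault(sid, Session(sid))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        msg = m["msg"]
        if m["kind"] == "SMTPD":
            s = get(int(m["session"]))
            s.remote_ip = m["ip"]
            if msg.startswith("RECEIVED: "):
                s.received.append(msg[len("RECEIVED: "):])
            elif msg.startswith("SENT: "):
                s.sent.append(msg[len("SENT: "):])
        else:
            ref = SESSION_REF_RE.search(msg)
            if not ref:
                continue
            s = get(int(ref.group(1)))
            tls = re.search(r"Version: (TLSv[\d.]+)", msg)
            if tls:
                s.tls_version = tls.group(1)
            if "short read" in msg:
                s.remote_dropped = True
    return sessions


def classify(s):
    """Assumed labels: tls_probe, address_probe, connect_only, mail_attempt."""
    verbs = [cmd.split(None, 1)[0].upper().rstrip(":") for cmd in s.received]
    rcpt_total = verbs.count("RCPT")
    rejected = sum(1 for reply in s.sent if reply.startswith("550"))
    if rcpt_total >= 3 and rejected >= rcpt_total:
        return "address_probe"
    if "MAIL" not in verbs:
        if "STARTTLS" in verbs and s.remote_dropped:
            return "tls_probe"
        return "connect_only"
    return "mail_attempt"


def report(log_text):
    """{session_id: (remote_ip, tls_version, label)} for sessions that saw a client."""
    return {
        sid: (s.remote_ip, s.tls_version, classify(s))
        for sid, s in parse_sessions(log_text).items()
        if s.remote_ip
    }


if __name__ == "__main__":
    for sid, (ip, tls, label) in report(SESSION_LOG).items():
        print(f"session {sid}: {ip} tls={tls or 'none'} -> {label}")
```

The same per-session view answers the earlier question about TLS versions: the TCPIP handshake line records what was actually negotiated (TLSv1.2 with an ECDHE-RSA-AES256-GCM-SHA384 cipher here), so after tightening the server's TLS settings you can confirm from the log that nothing below the intended version is being accepted.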

SorenR
Senior user
Posts: 3153
Joined: 2006-08-21 15:38
Location: Denmark

Re: Stop intruder

Post by SorenR » 2019-06-27 16:56

My thoughts too. I had a similar visit by shodan.io ... Interesting search engine :mrgreen:

https://www.shodan.io/search?query=hmailserver

mattg
Moderator
Posts: 19878
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Stop intruder

Post by mattg » 2019-06-28 05:14

WOW

We asked Martin to take the name hmailserver out of the SMTP greeting some 10 years back I reckon.
Anyone still showing that is on a really old version

Seems like a security risk to me, but seeing the number of recent results it's clear that hmailserver just keeps working

palinka
Senior user
Posts: 882
Joined: 2017-09-12 17:57

Re: Stop intruder

Post by palinka » 2019-06-28 12:09

Takes a lickin' and keeps on tickin'..

Sheesh... hmailserver is probably the most stable software written for windows EVER.
