Page 1 of 1
Stop intruder
Posted: 2019-06-20 16:00
by PeterChan
Hi,
It is currently bad to find out that other people were making use of my domain to send out messages like
2019-06-20 17:03:17
3n899f3lvn2en@artist-oil.ru lucas@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17
3n899f3lvn2en@artist-oil.ru beth@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17
3n899f3lvn2en@artist-oil.ru dean@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17
3n899f3lvn2en@artist-oil.ru victoria@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17
3n899f3lvn2en@artist-oil.ru alexandra@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
such User account were never appear within my AD. How to stop this? I did already create proper SPF record on the domain (and Namecheap.com did confirm to me that SPF record was working fine) but the intruder was still working on my domain!
Re: Stop intruder
Posted: 2019-06-20 16:02
by mattg
They are all 550 rejections
No mail being sent there
(Do you have other logging options enabled other than AWStats? AWStats logs aren't really good for troubleshooting)
Re: Stop intruder
Posted: 2019-06-21 03:50
by PeterChan
Thanks. All 550 events are rejections, right?
"DEBUG" 3812 "2019-06-21 08:35:23.921" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.921" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "185.222.211.13" "RECEIVED: RCPT TO:<
cheryl@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.937" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "RECEIVED: RCPT TO:<
fernanda@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.952" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "RECEIVED: RCPT TO:<
luis@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.968" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.968" "185.222.211.13" "RECEIVED: RCPT TO:<
will@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "RECEIVED: RCPT TO:<
carl@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.984" "AWStats::LogDeliveryFailure"
Do you mean to enable other log?
Re: Stop intruder
Posted: 2019-06-21 06:04
by mattg
yes all 550 are rejections
SMTP + debug is OK to troubleshoot later
Re: Stop intruder
Posted: 2019-06-21 06:12
by PeterChan
Can you tell me meaning of "RECEIVED: RCPT TO:<
offers@a.co>", to the below?
"DEBUG" 3772 "2019-06-21 11:42:57.870" "AWStats::LogDeliveryFailure"
"SMTPD" 3772 41 "2019-06-21 11:42:57.870" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 41 "2019-06-21 11:42:57.870" "185.222.211.13" "RECEIVED: RCPT TO:<
offers@a.co>"
Re: Stop intruder
Posted: 2019-06-21 08:07
by mattg
Sure
Your SMTP Daemon (incoming SMTP connection) @ time '2019-06-21 11:42:57.870' received a instruction from IP '185.222.211.13'
The instruction as received was 'RCPT TO:<
offers@a.co>'
This is saying that we would like to send our email to '
offers@a.co"
You server responds with SENT at the next line (next line down - not shown) that says '550 Unknown User'
This means your mail is rejected as we don't know have a mailbox by that name to receive your message
Re: Stop intruder
Posted: 2019-06-21 08:30
by PeterChan
Thanks a lot!
It means IP 185.222.211.13 is repeatedly annoying my server, by giving "rubbish" commands, right?
Re: Stop intruder
Posted: 2019-06-21 11:03
by mattg
yes
autoban, with a maximum number of bad commands being set would block those
run this and post the results >>
viewtopic.php?f=20&t=30914
Re: Stop intruder
Posted: 2019-06-21 11:17
by PeterChan
Thanks a lot!
What is the purpose of the relevant party, who ridiculously are repeatedly running jobs for doing such "BAD" routines? Does it mean they're trying to steal any "potential" resources for doing their jobs?
Re: Stop intruder
Posted: 2019-06-22 01:13
by mattg
That's just what SPAMmers do.
Not quite as bad as those who actively try to hack systems, or bring down systems by over abuse (DOS attacks and DDOS attacks), but yes certainly still a huge waste of resources.
I reckon that I spend far more time fighting spam and blocking attacks than anything else admin related on my servers. There are some sophisticated attackers out there, and most of those are just looking for a server that they can exploit to send out SPAM, or to steal email credentials so that they can scam users.
I'm sure that there are some who beat my attempts at blocking them.
Re: Stop intruder
Posted: 2019-06-22 02:12
by PeterChan
Mattg,
Thanks a lot!
How would it be easy to totally block their try from "checking/validating (or attempting to steal)" against the server? Did you ever succeed in doing this?
Re: Stop intruder
Posted: 2019-06-22 06:50
by mattg
PeterChan wrote: ↑2019-06-22 02:12
Did you ever succeed in doing this?
no
I just keep fine tuning my systems
It is hard to allow genuine users through, but only block malicious users.
Some things that I do
- not allow PORT 25 AUTH at all
- Force all connections to ONLY use only TLSv1.2 when the connection is secured
- Force all connections that AUTH to be secure
- drop and ban all IMAP and POP3 connections that don't originate in Australia (my server is in Australia)
- ban all high spam score IPs
- ban all IPs that 'look' like they are scamming / hacking / trying stuff
and more
Re: Stop intruder
Posted: 2019-06-22 11:32
by palinka
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
Re: Stop intruder
Posted: 2019-06-22 13:32
by PeterChan
Mattg,
Thanks a lot!
How to force all connections to ONLY use TLSv1.2 when the connection is secured?
Re: Stop intruder
Posted: 2019-06-22 13:54
by SorenR
palinka wrote: ↑2019-06-22 11:32
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
SpamAssassin is like our children, you have teach it what is good and what is bad. If you only teach it what is good you'll end up with a Bayesian database like our current generation pf young people - completely unable to deal with "bad", who gets offended by anyone and anything, converts civil disobediance to hashtags and shitstorms and who believe pretty much anything that is written on the Internet to be true.
PS. You being an American. Were you aware that statistically all "Great Presidents" in the USA started a war?
Perhaps you should listen to your wife and get out before you are drafted.
Despite what you hear in the news, "Socialist" Europe is a pretty solid place to live. We all drive Audi, Mercedes and BMW and use Huawei phones as they are superior.
Re: Stop intruder
Posted: 2019-06-22 14:23
by palinka
SorenR wrote: ↑2019-06-22 13:54
Perhaps you should listen to your wife and get out before you are drafted.
1) I'm too old to be drafted
2) I already volunteered and served in the United States Marines
3) The next war won't be between countries, it will be within countries and the draft won't matter - you'll be drafted by survival
4) I always listen to my wife because she's really intelligent and perceptive (and beautiful - I'm a lucky guy to have that combination)
5) off topic
6) my firewall ban is coming along nicely. I have some pretty good changes i hope to push out today if i can find time between mountain biking with my son and relaxing in the pool.
7) ^^ still off topic
Re: Stop intruder
Posted: 2019-06-22 14:30
by palinka
palinka wrote: ↑2019-06-22 11:32
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
I just realized that could be interpreted as sarcastic when it's not meant to be. What i meant was i never considered banning ips based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permenant/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.
Re: Stop intruder
Posted: 2019-06-22 17:38
by SorenR
palinka wrote: ↑2019-06-22 14:30
palinka wrote: ↑2019-06-22 11:32
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
I just realized that could be interpreted as sarcastic when it's not meant to be. What i meant was i never considered banning ips based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permenant/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.
Can I just say on behalf of myself and my generation (60+) of Danish IT geeks and Motorheads (US version
), you made a short and to the point observation. What's to be offended about that?
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Re: Stop intruder
Posted: 2019-06-22 17:53
by palinka
SorenR wrote: ↑2019-06-22 17:38
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Ace of spades
Re: Stop intruder
Posted: 2019-06-22 18:02
by jimimaseye
SorenR wrote: ↑2019-06-22 17:38
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Trippy!!
Re: Stop intruder
Posted: 2019-06-23 00:18
by mattg
palinka wrote: ↑2019-06-22 17:53
Ace of spades
Yep, I'm going with the rock band too
Re: Stop intruder
Posted: 2019-06-23 02:31
by mattg
palinka wrote: ↑2019-06-22 11:32
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
In an effort to stop some backscatter, I accept all spam, without rejection.
If the spamscore is high, I ban the IP and delete the message
If the spamscore is medium (in the range where it might be SPAM or might be HAM from a poorly managed server), I send it to a spam@ account for review
I have seen SPAM score up to 199 on my system
Re: Stop intruder
Posted: 2019-06-23 12:04
by PeterChan
Good day Mattg,
How to ban one IP from "approaching" our server?
Re: Stop intruder
Posted: 2019-06-23 12:44
by palinka
PeterChan wrote: ↑2019-06-23 12:04
Good day Mattg,
How to ban one IP from "approaching" our server?
One method -
Firewall Ban
Warning - still in alpha stage. Pretty close to beta.
Re: Stop intruder
Posted: 2019-06-24 00:56
by mattg
Or ban at the edge of your network with a firewall appliance or in your modem / router
Re: Stop intruder
Posted: 2019-06-24 12:09
by PeterChan
On below URL
http://hmailserver.com/forum/viewtopic.php?f=9&t=34082
it is done for MYSQL database. Does it mean we can re-write it for MSSQL, right?
Re: Stop intruder
Posted: 2019-06-24 12:31
by palinka
Yes. But i couldn't say how much work that would be. For the basic stuff - meaning the powershell script and EventHandlers.vbs - it would be pretty easy, but there are so many database calls in the webadmin that it could be a lot of work to untangle. Or maybe it works right out of the box. I literally have no idea. I only know that i can't and won't be doing it.
Re: Stop intruder
Posted: 2019-06-27 03:46
by PeterChan
Hi,
I want to know what it does do, per below log details?
"DEBUG" 3820 "2019-06-27 09:07:47.898" "Creating session 397"
"TCPIP" 3820 "2019-06-27 09:07:47.906" "TCP - 3.94.116.70 connected to 113.255.213.124:25."
"DEBUG" 3820 "2019-06-27 09:07:47.914" "TCP connection started for session 396"
"SMTPD" 3820 396 "2019-06-27 09:07:47.917" "3.94.116.70" "SENT: 220 WIN-APIUFD1NJEU ESMTP"
"SMTPD" 3784 396 "2019-06-27 09:07:48.212" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3784 396 "2019-06-27 09:07:48.215" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3800 396 "2019-06-27 09:07:48.478" "3.94.116.70" "RECEIVED: STARTTLS"
"SMTPD" 3800 396 "2019-06-27 09:07:48.482" "3.94.116.70" "SENT: 220 Ready to start TLS"
"DEBUG" 3784 "2019-06-27 09:07:48.487" "Performing SSL/TLS handshake for session 396. Verify certificate: False"
"TCPIP" 3820 "2019-06-27 09:07:49.030" "TCPConnection - TLS/SSL handshake completed. Session Id: 396, Remote IP: 3.94.116.70, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"SMTPD" 3820 396 "2019-06-27 09:07:49.371" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3820 396 "2019-06-27 09:07:49.375" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"DEBUG" 3784 "2019-06-27 09:07:59.629" "The read operation failed. Bytes transferred: 0 Remote IP: 3.94.116.70, Session: 396, Code: 335544539, Message: short read"
"DEBUG" 3784 "2019-06-27 09:07:59.634" "Ending session 396"
Re: Stop intruder
Posted: 2019-06-27 13:13
by mattg
That looks to me like a system that checks your Security, and not sends mail
The OTHER server seems to have dropped the connection
And the name of the other server makes me think it is scanning ssl certificates
Re: Stop intruder
Posted: 2019-06-27 16:56
by SorenR
My thoughts too. I had a similar visit by shodan.io ... Interesting search engine
https://www.shodan.io/search?query=hmailserver
Re: Stop intruder
Posted: 2019-06-28 05:14
by mattg
WOW
We asked Martin to take the name hmailserver out of the SMTP greeting some 10 years back I reckon.
Anyone still showing that is on a really old version
Seems like a security risk to me, but seeing the number of recent results it's clear that hmailserver just keeps working
Re: Stop intruder
Posted: 2019-06-28 12:09
by palinka
Takes a lickin' and keeps on tickin'..
Sheesh... hmailserver is probably the most stable software written for windows EVER.
