Page 1 of 2
Stop intruder
Posted: 2019-06-20 16:00
by PeterChan
Hi,
It is currently bad to find out that other people were making use of my domain to send out messages like
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru lucas@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru beth@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru dean@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru victoria@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru alexandra@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
Such user accounts never appear within my AD. How to stop this? I did already create a proper SPF record on the domain (and Namecheap.com did confirm to me that the SPF record was working fine) but the intruder was still working on my domain!
Re: Stop intruder
Posted: 2019-06-20 16:02
by mattg
They are all 550 rejections
No mail being sent there
(Do you have other logging options enabled other than AWStats? AWStats logs aren't really good for troubleshooting)
Re: Stop intruder
Posted: 2019-06-21 03:50
by PeterChan
Thanks. All 550 events are rejections, right?
"DEBUG" 3812 "2019-06-21 08:35:23.921" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.921" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "185.222.211.13" "RECEIVED: RCPT TO:<cheryl@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.937" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "RECEIVED: RCPT TO:<fernanda@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.952" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "RECEIVED: RCPT TO:<luis@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.968" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.968" "185.222.211.13" "RECEIVED: RCPT TO:<will@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "RECEIVED: RCPT TO:<carl@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.984" "AWStats::LogDeliveryFailure"
Do you mean to enable other log?
Re: Stop intruder
Posted: 2019-06-21 06:04
by mattg
yes all 550 are rejections
SMTP + debug is OK to troubleshoot later
Re: Stop intruder
Posted: 2019-06-21 06:12
by PeterChan
Can you tell me the meaning of "RECEIVED: RCPT TO:<offers@a.co>" in the below?
"DEBUG" 3772 "2019-06-21 11:42:57.870" "AWStats::LogDeliveryFailure"
"SMTPD" 3772 41 "2019-06-21 11:42:57.870" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 41 "2019-06-21 11:42:57.870" "185.222.211.13" "RECEIVED: RCPT TO:<offers@a.co>"
Re: Stop intruder
Posted: 2019-06-21 08:07
by mattg
Sure
Your SMTP Daemon (incoming SMTP connection) @ time '2019-06-21 11:42:57.870' received an instruction from IP '185.222.211.13'
The instruction as received was 'RCPT TO:<offers@a.co>'
This is saying that we would like to send our email to 'offers@a.co'
Your server responds with SENT at the next line (next line down - not shown) that says '550 Unknown User'
This means your mail is rejected as we don't have a mailbox by that name to receive your message
Re: Stop intruder
Posted: 2019-06-21 08:30
by PeterChan
Thanks a lot!
It means IP 185.222.211.13 is repeatedly annoying my server, by giving "rubbish" commands, right?
Re: Stop intruder
Posted: 2019-06-21 11:03
by mattg
yes
autoban, with a maximum number of bad commands being set would block those
run this and post the results >>
viewtopic.php?f=20&t=30914
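The pattern mattg walks through above (a RCPT TO from the remote IP, answered by the server with a 550, repeated for one made-up recipient after another) is straightforward to count straight from the SMTPD log. The following is an added example, not code from this thread or from hMailServer: a small Python parser over constructed log lines in the same layout PeterChan posted. It pairs each RCPT TO with the server's reply on the same session id and tallies 5xx rejections per remote IP, which is the same "maximum number of bad commands" idea behind the AutoBan setting mattg mentions. The IP addresses and recipients in the sample are constructed; the threshold value is an assumption.

```python
import re
from collections import Counter

# hMailServer SMTPD log line layout, as seen in the thread:
# "SMTPD" <pid> <session> "<timestamp>" "<remote ip>" "<SENT|RECEIVED>: <text>"
SMTPD_RE = re.compile(
    r'^"SMTPD"\s+(?P<pid>\d+)\s+(?P<session>\d+)\s+'
    r'"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+"(?P<dir>SENT|RECEIVED): (?P<text>.*)"$'
)

# Constructed sample log (same shape as the thread's excerpt, not real log data).
# 203.0.113.x / 198.51.100.x are documentation ranges, used here as placeholders.
SAMPLE_LOG = """\
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "203.0.113.13" "RECEIVED: RCPT TO:<cheryl@a.co>"
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "203.0.113.13" "SENT: 550 Unknown user"
"DEBUG" 3796 "2019-06-21 08:35:23.937" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "203.0.113.13" "RECEIVED: RCPT TO:<fernanda@a.co>"
"SMTPD" 3812 36 "2019-06-21 08:35:23.937" "203.0.113.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.952" "203.0.113.13" "RECEIVED: RCPT TO:<luis@a.co>"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "203.0.113.13" "SENT: 550 Unknown user"
"SMTPD" 3812 37 "2019-06-21 08:36:01.100" "198.51.100.7" "RECEIVED: RCPT TO:<info@a.co>"
"SMTPD" 3812 37 "2019-06-21 08:36:01.101" "198.51.100.7" "SENT: 250 OK"
"SMTPD" 3812 37 "2019-06-21 08:36:02.400" "198.51.100.7" "RECEIVED: RCPT TO:<nobody@a.co>"
"SMTPD" 3812 37 "2019-06-21 08:36:02.401" "198.51.100.7" "SENT: 550 Unknown user"
"""


def parse_smtpd(lines):
    """Yield (session, ip, direction, text) for SMTPD lines; DEBUG/TCPIP lines are skipped."""
    for line in lines:
        m = SMTPD_RE.match(line.strip())
        if m:
            yield m["session"], m["ip"], m["dir"], m["text"]


def count_rejections(lines):
    """Count RCPT TO commands answered with a 5xx reply, per remote IP.

    The reply is matched on the session id, not on the worker pid, because
    hMailServer hands one session to different worker threads (the pids in the
    thread's log differ from line to line while the session stays 36).
    Only replies to a RCPT TO are counted; a 5xx to MAIL FROM or DATA is a
    different signal and is ignored here.
    """
    pending = {}           # session -> ip of the last RCPT TO awaiting a reply
    attempted = Counter()  # ip -> RCPT TO commands seen
    rejected = Counter()   # ip -> RCPT TO commands answered 5xx
    for session, ip, direction, text in parse_smtpd(lines):
        if direction == "RECEIVED" and text.upper().startswith("RCPT TO:"):
            attempted[ip] += 1
            pending[session] = ip
        elif direction == "SENT" and session in pending:
            if text.startswith("5"):
                rejected[pending.pop(session)] += 1
            elif text.startswith("2"):
                pending.pop(session)
    return attempted, rejected


def suspicious_ips(lines, max_rejections=3):
    """IPs with at least max_rejections rejected recipients: {ip: (rejected, attempted)}.
    max_rejections mirrors the AutoBan idea of a maximum number of bad commands (assumed value)."""
    attempted, rejected = count_rejections(lines)
    return {ip: (rejected[ip], attempted[ip])
            for ip in rejected if rejected[ip] >= max_rejections}


if __name__ == "__main__":
    for ip, (bad, total) in suspicious_ips(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {bad} of {total} RCPT TO rejected")
```

Run over a real SMTPD log, the 550-per-IP ratio separates a directory-harvest run (every recipient rejected) from a legitimate sender that mistyped one address, which is the false-positive case palinka raises later in the thread.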
Re: Stop intruder
Posted: 2019-06-21 11:17
by PeterChan
Thanks a lot!
What is the purpose of the relevant party, who are ridiculously running such "BAD" routines over and over? Does it mean they're trying to steal any "potential" resources for doing their jobs?
Re: Stop intruder
Posted: 2019-06-22 01:13
by mattg
That's just what SPAMmers do.
Not quite as bad as those who actively try to hack systems, or bring down systems by over abuse (DOS attacks and DDOS attacks), but yes certainly still a huge waste of resources.
I reckon that I spend far more time fighting spam and blocking attacks than anything else admin related on my servers. There are some sophisticated attackers out there, and most of those are just looking for a server that they can exploit to send out SPAM, or to steal email credentials so that they can scam users.
I'm sure that there are some who beat my attempts at blocking them.
Re: Stop intruder
Posted: 2019-06-22 02:12
by PeterChan
Mattg,
Thanks a lot!
How would it be easy to totally block their try from "checking/validating (or attempting to steal)" against the server? Did you ever succeed in doing this?
Re: Stop intruder
Posted: 2019-06-22 06:50
by mattg
PeterChan wrote: ↑2019-06-22 02:12
Did you ever succeed in doing this?
no
I just keep fine tuning my systems
It is hard to allow genuine users through, but only block malicious users.
Some things that I do
- not allow PORT 25 AUTH at all
- Force all connections to ONLY use only TLSv1.2 when the connection is secured
- Force all connections that AUTH to be secure
- drop and ban all IMAP and POP3 connections that don't originate in Australia (my server is in Australia)
- ban all high spam score IPs
- ban all IPs that 'look' like they are scamming / hacking / trying stuff
and more
Re: Stop intruder
Posted: 2019-06-22 11:32
by palinka
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
Re: Stop intruder
Posted: 2019-06-22 13:32
by PeterChan
Mattg,
Thanks a lot!
How to force all connections to ONLY use TLSv1.2 when the connection is secured?
Re: Stop intruder
Posted: 2019-06-22 13:54
by SorenR
palinka wrote: ↑2019-06-22 11:32
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
SpamAssassin is like our children, you have to teach it what is good and what is bad. If you only teach it what is good you'll end up with a Bayesian database like our current generation of young people - completely unable to deal with "bad", who gets offended by anyone and anything, converts civil disobedience to hashtags and shitstorms and who believe pretty much anything that is written on the Internet to be true.
PS. You being an American. Were you aware that statistically all "Great Presidents" in the USA started a war?
Perhaps you should listen to your wife and get out before you are drafted.

Despite what you hear in the news, "Socialist" Europe is a pretty solid place to live. We all drive Audi, Mercedes and BMW and use Huawei phones as they are superior.

Re: Stop intruder
Posted: 2019-06-22 14:23
by palinka
SorenR wrote: ↑2019-06-22 13:54
Perhaps you should listen to your wife and get out before you are drafted.
1) I'm too old to be drafted
2) I already volunteered and served in the United States Marines
3) The next war won't be between countries, it will be within countries and the draft won't matter - you'll be drafted by survival
4) I always listen to my wife because she's really intelligent and perceptive (and beautiful - I'm a lucky guy to have that combination)
5) off topic
6) my firewall ban is coming along nicely. I have some pretty good changes i hope to push out today if i can find time between mountain biking with my son and relaxing in the pool.
7) ^^ still off topic

Re: Stop intruder
Posted: 2019-06-22 14:30
by palinka
palinka wrote: ↑2019-06-22 11:32
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
I just realized that could be interpreted as sarcastic when it's not meant to be. What I meant was I never considered banning IPs based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permanent/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.
Re: Stop intruder
Posted: 2019-06-22 17:38
by SorenR
palinka wrote: ↑2019-06-22 14:30
palinka wrote: ↑2019-06-22 11:32
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
I just realized that could be interpreted as sarcastic when it's not meant to be. What I meant was I never considered banning IPs based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permanent/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.
Can I just say on behalf of myself and my generation (60+) of Danish IT geeks and Motorheads (US version), you made a short and to the point observation. What's to be offended about that?
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Re: Stop intruder
Posted: 2019-06-22 17:53
by palinka
SorenR wrote: ↑2019-06-22 17:38
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Ace of spades

Re: Stop intruder
Posted: 2019-06-22 18:02
by jimimaseye
SorenR wrote: ↑2019-06-22 17:38
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
Trippy!!
Re: Stop intruder
Posted: 2019-06-23 00:18
by mattg
palinka wrote: ↑2019-06-22 17:53
Ace of spades

Yep, I'm going with the rock band too
Re: Stop intruder
Posted: 2019-06-23 02:31
by mattg
palinka wrote: ↑2019-06-22 11:32
mattg wrote: ↑2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
In an effort to stop some backscatter, I accept all spam, without rejection.
If the spamscore is high, I ban the IP and delete the message
If the spamscore is medium (in the range where it might be SPAM or might be HAM from a poorly managed server), I send it to a spam@ account for review
I have seen SPAM score up to 199 on my system
Re: Stop intruder
Posted: 2019-06-23 12:04
by PeterChan
Good day Mattg,
How to ban one IP from "approaching" our server?
Re: Stop intruder
Posted: 2019-06-23 12:44
by palinka
PeterChan wrote: ↑2019-06-23 12:04
Good day Mattg,
How to ban one IP from "approaching" our server?
One method -
Firewall Ban
Warning - still in alpha stage. Pretty close to beta.
Re: Stop intruder
Posted: 2019-06-24 00:56
by mattg
Or ban at the edge of your network with a firewall appliance or in your modem / router
Re: Stop intruder
Posted: 2019-06-24 12:09
by PeterChan
On below URL
http://hmailserver.com/forum/viewtopic.php?f=9&t=34082
it is done for a MySQL database. Does it mean we can rewrite it for MSSQL, right?
Re: Stop intruder
Posted: 2019-06-24 12:31
by palinka
Yes. But I couldn't say how much work that would be. For the basic stuff - meaning the powershell script and EventHandlers.vbs - it would be pretty easy, but there are so many database calls in the webadmin that it could be a lot of work to untangle. Or maybe it works right out of the box. I literally have no idea. I only know that I can't and won't be doing it.
Re: Stop intruder
Posted: 2019-06-27 03:46
by PeterChan
Hi,
I want to know what it does do, per below log details?
"DEBUG" 3820 "2019-06-27 09:07:47.898" "Creating session 397"
"TCPIP" 3820 "2019-06-27 09:07:47.906" "TCP - 3.94.116.70 connected to 113.255.213.124:25."
"DEBUG" 3820 "2019-06-27 09:07:47.914" "TCP connection started for session 396"
"SMTPD" 3820 396 "2019-06-27 09:07:47.917" "3.94.116.70" "SENT: 220 WIN-APIUFD1NJEU ESMTP"
"SMTPD" 3784 396 "2019-06-27 09:07:48.212" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3784 396 "2019-06-27 09:07:48.215" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3800 396 "2019-06-27 09:07:48.478" "3.94.116.70" "RECEIVED: STARTTLS"
"SMTPD" 3800 396 "2019-06-27 09:07:48.482" "3.94.116.70" "SENT: 220 Ready to start TLS"
"DEBUG" 3784 "2019-06-27 09:07:48.487" "Performing SSL/TLS handshake for session 396. Verify certificate: False"
"TCPIP" 3820 "2019-06-27 09:07:49.030" "TCPConnection - TLS/SSL handshake completed. Session Id: 396, Remote IP: 3.94.116.70, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"SMTPD" 3820 396 "2019-06-27 09:07:49.371" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3820 396 "2019-06-27 09:07:49.375" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"DEBUG" 3784 "2019-06-27 09:07:59.629" "The read operation failed. Bytes transferred: 0 Remote IP: 3.94.116.70, Session: 396, Code: 335544539, Message: short read"
"DEBUG" 3784 "2019-06-27 09:07:59.634" "Ending session 396"
Re: Stop intruder
Posted: 2019-06-27 13:13
by mattg
That looks to me like a system that checks your security, and does not send mail
The OTHER server seems to have dropped the connection
And the name of the other server makes me think it is scanning ssl certificates
Re: Stop intruder
Posted: 2019-06-27 16:56
by SorenR
My thoughts too. I had a similar visit by shodan.io ... Interesting search engine
https://www.shodan.io/search?query=hmailserver
Re: Stop intruder
Posted: 2019-06-28 05:14
by mattg
WOW
We asked Martin to take the name hmailserver out of the SMTP greeting some 10 years back I reckon.
Anyone still showing that is on a really old version
Seems like a security risk to me, but seeing the number of recent results it's clear that hmailserver just keeps working
Re: Stop intruder
Posted: 2019-06-28 12:09
by palinka
Takes a lickin' and keeps on tickin'..
Sheesh... hmailserver is probably the most stable software written for windows EVER.
Re: Stop intruder
Posted: 2019-10-03 14:19
by SorenR
Well... This is one way to stop the intruder...

The Russian IL-20M (COOT-A) "just cruising around"
The Danish F-16 is, besides being a member of the strategic air defense, also a member of the national air defense show group. Thus it is showing its true colours.
Picture is dated October 1st 2019 and is from the outer limits of the Danish airspace. The F-16 is pretty but dangerous - the stingers are live and the message is clear; "Go home or go down in flames!"
Re: Stop intruder
Posted: 2019-10-03 14:24
by palinka
SorenR wrote: ↑2019-10-03 14:19
The F-16 is pretty but dangerous - the stingers are live and the message is clear; "Go home or ...."
We'll board you and pillage you! Hey, we're Vikings after all!

Re: Stop intruder
Posted: 2019-10-04 13:49
by jim.bus
I've been seeing the types of attacks PeterChan is getting to.
The first set of Log Entries where the IP Address was just sending RCPT TO commands, I figured the IP Address was just trying to see if it could get a hit on an Email ID being found on your Server. Once that Email ID came back as a successful hit then the IP Address could try guessing the Password then Log On to that Email Account. I was told by one of the regulars here that it probably was a bot and would probably stop. It did after some days finally stop. It kept sending these connections about every minute.
The scanner.sslsonar.org set of Log Entries I saw in my Logs a couple of days ago, too.
Not too long ago, I saw a website that apparently periodically does Port Scans. The Port Scanner was MASSCAN. I just banned the IP Address permanently.
Re: Stop intruder
Posted: 2019-10-04 13:58
by jim.bus
palinka wrote: ↑2019-06-22 14:23
SorenR wrote: ↑2019-06-22 13:54
Perhaps you should listen to your wife and get out before you are drafted.
1) I'm too old to be drafted
2) I already volunteered and served in the United States Marines
3) The next war won't be between countries, it will be within countries and the draft won't matter - you'll be drafted by survival
4) I always listen to my wife because she's really intelligent and perceptive (and beautiful - I'm a lucky guy to have that combination)
5) off topic
6) my firewall ban is coming along nicely. I have some pretty good changes i hope to push out today if i can find time between mountain biking with my son and relaxing in the pool.
7) ^^ still off topic
Hey, I kinda thought you must be located somewhere near my Time Zone as your Time Stamps on your Forum Postings were all somewhat near my own Local Time. So my guess was right you were US.
When I found junkemailfilter.com for MX Backup Email Service, I was a bit surprised they were located about a 30-45 minute drive from me, not to mention ASUS US Corporate Office is located in the same vicinity too. When I needed to have warranty work done on my ASUS Router, instead of sending it to the support center in I believe it was Jefferson Indiana, I had heard one of the Support people refer to the Engineer at ASUS by his first name. So I called up their office here, asked for him by his first name and told them he worked with the Routers, and they put me right through to him and he said they readily accepted the stuff from us Locals there, so I took it there and got faster service with fewer hassles.
By the way I'm always telling people that hMailServer is my best application as it never crashes and I've been using it for around 8 years.
Re: Stop intruder
Posted: 2019-10-04 14:05
by palinka
Oh it crashes. You just have to find a way to force it.

Re: Stop intruder
Posted: 2019-10-04 14:19
by jim.bus
palinka wrote: ↑2019-10-04 14:05
Oh it crashes. You just have to find a way to force it.
I know a way to make it fail but I don't think it crashes. You can make it not work by Restoring your Backed up settings and not restarting hMailServer first, but I don't think it crashes. I figure you can make it crash, but I never do anything sophisticated enough that would make it crash, which I figure I would probably have to do some Custom Scripts to make it crash, and the only thing I have done is to modify the Backup Script to put my Password into it, so not much chance of crashing hMailServer.
Re: Stop intruder
Posted: 2019-10-04 14:22
by SorenR
jim.bus wrote: ↑2019-10-04 13:49
I've been seeing the types of attacks PeterChan is getting to.
The first set of Log Entries where the IP Address was just sending RCPT TO commands, I figured the IP Address was just trying to see if it could get a hit on an Email ID being found on your Server. Once that Email ID came back as a successful hit then the IP Address could try guessing the Password then Log On to that Email Account. I was told by one of the regulars here that it probably was a bot and would probably stop. It did after some days finally stop. It kept sending these connections about every minute.
The scanner.sslsonar.org set of Log Entries I saw in my Logs a couple of days ago, too.
Not too long ago, I saw a website that apparently periodically does Port Scans. The Port Scanner was MASSCAN. I just banned the IP Address permanently.
Somewhere buried in these forums you can find my IDS script code ... 3 connects without actually sending mail will put the IP address on my blocklist - No mercy
1- IPaddress is registered in database during OnClientConnect (SMTP ports only). Counter is incremented if exists.
2- IPAddress is unregistered in database during OnAcceptMessage.
3- External "handler" scan database every minute for high counters and add IPaddress to blocklist.
Does not affect performance of hMailServer, will only use CPU cycles.
Re: Stop intruder
Posted: 2019-10-04 15:14
by palinka
SorenR wrote: ↑2019-10-04 14:22
3 connects without actually sending mail will put the IP address on my blocklist - No mercy
...
Does not affect performance of hMailServer, will only use CPU cycles.
You allow 2 unencumbered? I would call that extremely merciful. Your ancestors would never have allowed 2 attempts. In fact, after the first, they would have found the offending server, burned the entire village down and stolen their cattle. You are a peaceful man.
Also, I agree that loading up autoban entries has no effect on performance - except for one thing: viewing IP ranges takes several seconds to load with a few thousand entries. Worse on phpadmin since they're presented in a single list without paging.
Come to think of it, merging your IDS into my firewall ban sounds like a really good idea. I will do that this weekend.
Re: Stop intruder
Posted: 2019-10-04 17:24
by SorenR
palinka wrote: ↑2019-10-04 15:14
SorenR wrote: ↑2019-10-04 14:22
3 connects without actually sending mail will put the IP address on my blocklist - No mercy
...
Does not affect performance of hMailServer, will only use CPU cycles.
You allow 2 unencumbered? I would call that extremely merciful. Your ancestors would never have allowed 2 attempts. In fact, after the first, they would have found the offending server, burned the entire village down and stolen their cattle. You are a peaceful man.
Also, I agree that loading up autoban entries has no effect on performance - except for one thing: viewing IP ranges takes several seconds to load with a few thousand entries. Worse on phpadmin since they're presented in a single list without paging.
Come to think of it, merging your IDS into my firewall ban sounds like a really good idea. I will do that this weekend.
When things go wild here I have maybe 150 entries in my autoban list, more than that and you deffo need to sweet talk your firewall.
I also use the 20 sec delay during SMTP conversations. I sometimes see connections break, but that's due to senders' misconfiguration and having a short temper.
2nd time (for some reason) it usually works OR they go direct for my Backup-MX ...
Anyways, here's something to get you going. I presume you don't need the handler.vbs if you already have something that reads the database...
Eventhandlers.vbs
Code:
'******************************************************************************************************************************
'********** hMailServer IDS Client Code (MySQL) **********
'******************************************************************************************************************************
'
' Global Constants
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "VeRySeCrEtPaSsWoRd"
Private Const idsTable = "hm_ids"
Private Const idsHits = 2
Private Const idsMinutes = 180
'
' hm_ids CREATE TABLE hm_ids (
'   idsid int(11) NOT NULL AUTO_INCREMENT,
'   timestamp datetime DEFAULT NULL,
'   ipaddress varchar(192) NOT NULL,
'   port int(11) DEFAULT NULL,
'   hits int(11) DEFAULT NULL,
'   PRIMARY KEY (idsid),
'   UNIQUE KEY idsid (idsid),
'   UNIQUE KEY ipaddress (ipaddress)
' ) ENGINE=InnoDB DEFAULT CHARSET=latin1
'
' Insert the IP, or bump its counter if the UNIQUE KEY on ipaddress already exists
Function idsAddIP(sIPAddress, iPort)
    Dim strSQL, oDB : Set oDB = GetDatabaseObject
    strSQL = "INSERT INTO " & idsTable & " (timestamp,ipaddress,port,hits) VALUES (NOW(),'" & sIPAddress & "'," & iPort & ",1) ON DUPLICATE KEY UPDATE hits=(hits+1),timestamp=NOW();"
    Call oDB.ExecuteSQL(strSQL)
    Set oDB = Nothing
End Function

' Remove the IP from the IDS table (called once a message was actually accepted)
Function idsDelIP(sIPAddress)
    Dim strSQL, oDB : Set oDB = GetDatabaseObject
    strSQL = "DELETE FROM " & idsTable & " WHERE ipaddress = '" & sIPAddress & "';"
    Call oDB.ExecuteSQL(strSQL)
    Set oDB = Nothing
End Function

' Authenticate against the hMailServer COM API and hand back its Database object
Function GetDatabaseObject()
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    Set GetDatabaseObject = oApp.Database
    Set oApp = Nothing
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers **********
'******************************************************************************************************************************
Sub OnClientConnect(oClient)
    '
    ' Check all SMTP traffic
    '
    If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
End Sub

Sub OnAcceptMessage(oClient, oMessage)
    '
    ' Cleanup IDS registry
    '
    Call idsDelIP(oClient.IPAddress)
End Sub
Handler.vbs
Code:
Option Explicit
'******************************************************************************************************************************
'********** Settings **********
'******************************************************************************************************************************
'
' COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "MySeCrEtPaSsWoRd"
'
' Misc. settings
'
Private Const TEMPDIR = "C:\hMailServer\Temp"
'
' MySQL
'
Private Const DBNAME = "hmailserver"
Private Const DBUID = "script"
Private Const DBPW = "NotTellingYou!"
Private Const idsTable = "hm_ids"
Private Const idsHits = 3
Private Const idsMinutes = 180
Dim idsDBDrv : idsDBDrv = "DRIVER={MySQL ODBC 5.3 Unicode Driver};Database="&DBNAME&";Uid="&DBUID&";Pwd="&DBPW&";FOUND_ROWS=1;"
'
' DRIVER={MySQL ODBC 5.3 Unicode Driver};Server=localhost;Port=3306;Database=%idsdb%;Uid=%idsuid%;Pwd=%idspwd%;Option=3;
'
' hm_ids CREATE TABLE hm_ids (
'   idsid int(11) NOT NULL AUTO_INCREMENT,
'   timestamp datetime DEFAULT NULL,
'   ipaddress varchar(192) NOT NULL,
'   port int(11) DEFAULT NULL,
'   hits int(11) DEFAULT NULL,
'   PRIMARY KEY (idsid),
'   UNIQUE KEY idsid (idsid),
'   UNIQUE KEY ipaddress (ipaddress)
' ) ENGINE=InnoDB DEFAULT CHARSET=latin1
'
'******************************************************************************************************************************
'********** Functions **********
'******************************************************************************************************************************
' Sleep for sec seconds (WScript.Sleep is not available inside hMailServer, so PowerShell is used)
Function Wait(sec)
    With CreateObject("WScript.Shell")
        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
    End With
End Function

' Open strPath for append, retrying for up to 30 s while another process holds it (Err 70 = permission denied)
Function LockFile(strPath)
    Const Append = 8
    Const Unicode = -1
    Dim i
    On Error Resume Next
    With CreateObject("Scripting.FileSystemObject")
        For i = 0 To 30
            Err.Clear
            Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
            If (Not Err.Number = 70) Then Exit For
            Wait(1)
        Next
    End With
    If (Err.Number = 70) Then
        EventLog.Write( "ERROR: Handler.vbs" )
        EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
        Err.Clear
    ElseIf (Err.Number <> 0) Then
        EventLog.Write( "ERROR: Handler.vbs : Function LockFile" )
        EventLog.Write( "Error : " & Err.Number )
        EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
        EventLog.Write( "Source : " & Err.Source )
        EventLog.Write( "Description : " & Err.Description )
        Err.Clear
    End If
    On Error Goto 0
End Function

' Add an expiring IP range to hMailServer's security ranges; returns True only when a new ban was created
Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
    '
    ' sType can be one of the following;
    ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    With LockFile(TEMPDIR & "\autoban.lck")
        On Error Resume Next
        ' ItemByName raises Err 9 (subscript out of range) when no range of that name exists yet
        Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
        If Err.Number = 9 Then
            With oApp.Settings.SecurityRanges.Add
                .Name = "(" & sReason & ") " & sIPAddress
                .LowerIP = sIPAddress
                .UpperIP = sIPAddress
                .Priority = 20
                .Expires = True
                .ExpiresTime = DateAdd(sType, iDuration, Now())
                .Save
            End With
            AutoBan = True
        End If
        On Error Goto 0
        .Close
    End With
    Set oApp = Nothing
End Function

'******************************************************************************************************************************
'********** CODE **********
'******************************************************************************************************************************
Dim oApp : Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate(ADMIN, PASSWORD)
Dim EventLog : Set EventLog = CreateObject("hMailServer.EventLog")
Dim oRecord, oConn : Set oConn = CreateObject("ADODB.Connection")
oConn.Open idsDBDrv
If oConn.State <> 1 Then
    EventLog.Write( "Handler - ERROR: Could not connect to database" )
    WScript.Quit 1
End If
' Every IP over the hit threshold with activity inside the last idsMinutes gets banned and dropped from the table
Set oRecord = oConn.Execute("SELECT * FROM " & idsTable & " WHERE hits > " & idsHits & " AND DATE_SUB(NOW(), INTERVAL " & idsMinutes & " MINUTE) < timestamp;")
Do Until oRecord.EOF
    If AutoBan(oRecord("ipaddress"), "IDS", 7, "d") Then _
        oConn.Execute "DELETE FROM " & idsTable & " WHERE ipaddress = '" & oRecord("ipaddress") & "';"
    oRecord.MoveNext
Loop
' Purge stale entries that never reached the threshold
oConn.Execute "DELETE FROM " & idsTable & " WHERE DATE_ADD(timestamp, INTERVAL 12 HOUR) < NOW();"
oConn.Close
Set oRecord = Nothing
Set oConn = Nothing
Set EventLog = Nothing
Set oApp = Nothing
'******************************************************************************************************************************
'********** END **********
'******************************************************************************************************************************
Re: Stop intruder
Posted: 2019-10-04 17:55
by palinka
Cool. Yea, I have a powershell script in the firewall ban for autoexpiry, among other things.
Also, I have to do something with this: ON DUPLICATE KEY UPDATE hits=(hits+1) because I necessarily use a unique ID. Possibly, I could just add your columns to my table or create a new table just for counting IDS hits. Or query the count. I'll figure it out. But it's definitely a useful addition.
Re: Stop intruder
Posted: 2019-10-04 21:37
by SorenR
palinka wrote: ↑2019-10-04 17:55
Cool. Yea, I have a powershell script in the firewall ban for autoexpiry, among other things.
Also, I have to do something with this: ON DUPLICATE KEY UPDATE hits=(hits+1) because I necessarily use a unique ID. Possibly, I could just add your columns to my table or create a new table just for counting IDS hits. Or query the count. I'll figure it out. But it's definitely a useful addition.
ipaddress is UNIQUE KEY so therefore:
INSERT ipaddress bla bla ON DUPLICATE KEY UPDATE hits=(hits+1)
is similar to:
If found(ipaddress) then
    hits = hits + 1
else
    create record(ipaddress)
    hits = 1
end if
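SorenR's IDS design (register the IP in OnClientConnect on SMTP ports only, unregister it in OnAcceptMessage, and let a handler sweep the table for high counters), the Eventhandlers.vbs/Handler.vbs pair posted above, and the ON DUPLICATE KEY UPDATE explanation just given can all be exercised in one small model. What follows is an added example, not SorenR's code and not part of hMailServer: Python with an in-memory SQLite table shaped like hm_ids, where SQLite's ON CONFLICT ... DO UPDATE stands in for MySQL's ON DUPLICATE KEY UPDATE, and the caller passes timestamps in place of NOW() so the run is deterministic. IDS_HITS and IDS_MINUTES play the role of the handler's idsHits and idsMinutes; the IP addresses and the scenario are constructed.

```python
import sqlite3
from datetime import datetime, timedelta

IDS_HITS = 3          # role of idsHits in Handler.vbs: ban when hits > IDS_HITS
IDS_MINUTES = 180     # role of idsMinutes: only rows touched within this window count
SMTP_PORTS = {25, 587, 465}


def open_ids_db():
    """In-memory table shaped like hm_ids. The UNIQUE constraint on ipaddress is what
    makes the insert-or-increment below work, exactly as in the MySQL version."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE hm_ids (
            idsid     INTEGER PRIMARY KEY AUTOINCREMENT,
            timestamp TEXT,
            ipaddress TEXT NOT NULL UNIQUE,
            port      INTEGER,
            hits      INTEGER
        )""")
    return conn


def on_client_connect(conn, ip, port, now):
    """OnClientConnect: SMTP ports only. New IP -> row with hits=1; known IP -> hits+1.
    SQLite spelling of MySQL's ON DUPLICATE KEY UPDATE hits=(hits+1), timestamp=NOW()."""
    if port not in SMTP_PORTS:
        return
    conn.execute(
        "INSERT INTO hm_ids (timestamp, ipaddress, port, hits) VALUES (?, ?, ?, 1) "
        "ON CONFLICT(ipaddress) DO UPDATE SET hits = hits + 1, timestamp = excluded.timestamp",
        (now.isoformat(" "), ip, port))


def on_accept_message(conn, ip):
    """OnAcceptMessage: a genuinely delivered message clears the IP's counter."""
    conn.execute("DELETE FROM hm_ids WHERE ipaddress = ?", (ip,))


def sweep(conn, now):
    """Handler.vbs equivalent, run periodically: return the IPs to ban (hits over the
    threshold and recent activity), drop them from the table, purge rows older than 12 h."""
    cutoff = (now - timedelta(minutes=IDS_MINUTES)).isoformat(" ")
    rows = conn.execute(
        "SELECT ipaddress FROM hm_ids WHERE hits > ? AND timestamp > ?",
        (IDS_HITS, cutoff)).fetchall()
    banned = [r[0] for r in rows]
    for ip in banned:
        conn.execute("DELETE FROM hm_ids WHERE ipaddress = ?", (ip,))
    stale = (now - timedelta(hours=12)).isoformat(" ")
    conn.execute("DELETE FROM hm_ids WHERE timestamp < ?", (stale,))
    return banned


def hits_for(conn, ip):
    """Current counter for an IP, 0 when it has no row."""
    row = conn.execute("SELECT hits FROM hm_ids WHERE ipaddress = ?", (ip,)).fetchone()
    return row[0] if row else 0


def upsert_demo(n):
    """Connect n times from one constructed IP on port 25 and return the stored counter."""
    conn = open_ids_db()
    t0 = datetime(2019, 10, 4, 17, 24)
    for i in range(n):
        on_client_connect(conn, "192.0.2.1", 25, t0 + timedelta(seconds=i))
    return hits_for(conn, "192.0.2.1")


def simulate():
    """Constructed scenario: a scanner connects four times without ever delivering;
    a legitimate sender connects, delivers, and connects again (plus one POP3 connect)."""
    conn = open_ids_db()
    t0 = datetime(2019, 10, 4, 17, 24)
    scanner, sender = "203.0.113.9", "198.51.100.7"   # documentation ranges, constructed
    for i in range(4):
        on_client_connect(conn, scanner, 25, t0 + timedelta(minutes=i))
    on_client_connect(conn, sender, 25, t0)
    on_accept_message(conn, sender)                   # delivery resets the sender's counter
    on_client_connect(conn, sender, 587, t0 + timedelta(minutes=5))
    on_client_connect(conn, sender, 110, t0 + timedelta(minutes=6))   # POP3: not tracked
    banned = sweep(conn, t0 + timedelta(minutes=10))
    return banned, hits_for(conn, sender), hits_for(conn, scanner)


if __name__ == "__main__":
    print(simulate())   # (['203.0.113.9'], 1, 0)
```

Note that the handler's condition is hits > idsHits, so with idsHits = 3 the fourth unproductive connect triggers the ban, and that a single accepted message wipes the counter; a sender that delivers after two failed connects starts from zero. If, as palinka plans, the table keeps one row per event instead of one per IP, the upsert is replaced by a plain INSERT and the sweep becomes SELECT ipaddress FROM ... GROUP BY ipaddress HAVING COUNT(*) > idsHits, with the same window on timestamp.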
Re: Stop intruder
Posted: 2019-10-04 21:52
by palinka
SorenR wrote: ↑2019-10-04 21:37
ipaddress is UNIQUE KEY so therefore:
INSERT ipaddress bla bla ON DUPLICATE KEY UPDATE hits=(hits+1)
Exactly. But my firewall ban requires unique key on ID to allow for duplicate IP addresses (for a few reasons). So I'll probably just prepend the column names with ids_ in order to just follow the same structure. Then, on count(ids_ipaddress) > 3, ban to firewall instead of autoban.
Re: Stop intruder
Posted: 2019-10-04 22:18
by SorenR
palinka wrote: ↑2019-10-04 21:52
SorenR wrote: ↑2019-10-04 21:37
ipaddress is UNIQUE KEY so therefore:
INSERT ipaddress bla bla ON DUPLICATE KEY UPDATE hits=(hits+1)
Exactly. But my firewall ban requires unique key on ID to allow for duplicate IP addresses (for a few reasons). So I'll probably just prepend the column names with ids_ in order to just follow the same structure. Then, on count(ids_ipaddress) > 3, ban to firewall instead of autoban.
You can have more than one unique key on the same table... Why would you have duplicate IPaddresses?
Re: Stop intruder
Posted: 2019-10-04 22:23
by palinka
SorenR wrote: ↑2019-10-04 22:18
You can have more than one unique key on the same table... Why would you have duplicate IPaddresses?
Because I want to see/count IPs that have been added/removed from the firewall. For example, it's possible to be listed, removed, listed again, rebanned, and permanently marked safe from future rebans. Certainly this is useful for false positives. If I get a FP, I want to know why.
Re: Stop intruder
Posted: 2019-10-04 22:41
by SorenR
Spammers/hackers do not stay on the same IP address for too long, so over time you'll be "playing" with mailing lists.
History data is only useful for legitimate services

Re: Stop intruder
Posted: 2019-10-05 03:04
by palinka
SorenR wrote: ↑2019-10-04 22:41
Spammers/hackers do not stay on the same IP address for too long, so over time you'll be "playing" with mailing lists.
Actually it's been working out pretty well. I parse the firewall log to see who comes back and how many times. About half of them come back. Some just a few times, some hundreds of times. The end result, of course, is not an end of spam, but a steady decrease in the number of spammers making connections. Once in a while I see a small spike as more bots come online. Here you can see what the firewall is actually blocking. It's not a small amount for my tiny mail service.
Re: Stop intruder
Posted: 2019-10-05 12:52
by palinka
Here's one that is maybe more explanatory. Total number of firewall drops per day on SMTP ports. The trend line shows 3,189 per day as of now. It's a bit skewed by one "spammer" that turned out to be ethersoft in Japan pinging me 100k times over the course of a couple days because I had a DDNS setup with their OpenVPN software that I abandoned. You can see the days that was happening in the large spikes. But the rest are bona fide spammers. A spammer blocked is a spammer without a chance to spam and my logs are pretty quiet thanks in large part to this.
Re: Stop intruder
Posted: 2019-10-05 16:54
by palinka
SorenR wrote: ↑2019-10-04 17:24
Anyways, here's something to get you going. I presume you don't need the handler.vbs if you already have something that reads the database...
Done. A couple of minor changes, but nothing to write home about. I want to run it a few days before committing to github.
One question - what is the column "port" for? It records "0" into the db.
Code:
If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
I left it there, but I don't see what use there is for it.
Re: Stop intruder
Posted: 2019-10-05 18:05
by SorenR
palinka wrote: ↑2019-10-05 16:54
SorenR wrote: ↑2019-10-04 17:24
Anyways, here's something to get you going. I presume you don't need the handler.vbs if you already have something that reads the database...
Done. A couple of minor changes, but nothing to write home about. I want to run it a few days before committing to github.
One question - what is the column "port" for? It records "0" into the db.
Code:
If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
I left it there, but I don't see what use there is for it.
I used it for GEO blocking on select ports but eventually removed the code from Handler.vbs - never got around to remove the column from DB.

Re: Stop intruder
Posted: 2019-10-06 01:24
by palinka
SorenR wrote: ↑2019-10-05 18:05
I used it for GEO blocking on select ports but eventually removed the code from Handler.vbs - never got around to remove the column from DB.
OK, cool. I got rid of it and ID as well. No real need for it when you have:
Code:
ON DUPLICATE KEY UPDATE hits=(hits+1)
Re: Stop intruder
Posted: 2019-10-07 12:58
by palinka
You can check it out on my firewall ban demo:
http://hmsfirewallbandemo.ddns.net/IDS.php 
Re: Stop intruder
Posted: 2019-10-07 13:18
by SorenR
Did you keep the 180-minute window?
Working with AutoBan, sometimes aggressive settings will kill your server performance, which is why I only look at a 180-minute window. No point in banning someone that will send a probe every 2 days.

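The two pieces discussed in this thread, SorenR's one-row-per-IP upsert (INSERT ... ON DUPLICATE KEY UPDATE hits=hits+1) and the "ban when count > 3, but only inside a 180-minute window" policy, combined into one runnable sketch. This is an added example, not SorenR's Handler.vbs or palinka's firewall-ban code; it uses SQLite's equivalent upsert syntax (ON CONFLICT ... DO UPDATE, SQLite 3.24 or newer) instead of MySQL, stores timestamps as epoch seconds, and the IPs and hit times are constructed.

```python
import sqlite3

WINDOW_SECONDS = 180 * 60   # SorenR's 180-minute window
BAN_THRESHOLD = 3           # palinka hands the IP to the firewall once hits > 3

def open_ids_db():
    """One row per IP; the PRIMARY KEY is what makes the upsert work."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE ids (
        ipaddress  TEXT PRIMARY KEY,
        hits       INTEGER NOT NULL,
        first_seen INTEGER NOT NULL,
        last_seen  INTEGER NOT NULL)""")
    return db

def ids_add_ip(db, ip, ts):
    """SQLite spelling of INSERT ... ON DUPLICATE KEY UPDATE hits=(hits+1).
    A hit arriving more than WINDOW_SECONDS after first_seen restarts the
    count at 1, so a probe every two days never accumulates into a ban."""
    db.execute("""
        INSERT INTO ids (ipaddress, hits, first_seen, last_seen) VALUES (?, 1, ?, ?)
        ON CONFLICT(ipaddress) DO UPDATE SET
            hits       = CASE WHEN excluded.last_seen - first_seen > ? THEN 1
                              ELSE hits + 1 END,
            first_seen = CASE WHEN excluded.last_seen - first_seen > ? THEN excluded.last_seen
                              ELSE first_seen END,
            last_seen  = excluded.last_seen""",
        (ip, ts, ts, WINDOW_SECONDS, WINDOW_SECONDS))
    db.commit()

def hits(db, ip):
    row = db.execute("SELECT hits FROM ids WHERE ipaddress = ?", (ip,)).fetchone()
    return row[0] if row else 0

def to_firewall(db):
    """IPs over the threshold: these are the ones that go to the firewall ban."""
    rows = db.execute("SELECT ipaddress FROM ids WHERE hits > ? ORDER BY ipaddress",
                      (BAN_THRESHOLD,))
    return [r[0] for r in rows]

def run_demo():
    db = open_ids_db()
    t0 = 1_570_449_600  # constructed epoch start (2019-10-07)
    # Constructed events: 198.51.100.7 hammers the server four times in four
    # minutes; 192.0.2.10 sends a single probe every two days.
    events = [(t0 + 60 * i, "198.51.100.7") for i in range(4)]
    events += [(t0 + 2 * 86400 * i, "192.0.2.10") for i in range(5)]
    for ts, ip in sorted(events):
        ids_add_ip(db, ip, ts)
    return db
```

Running `run_demo()` leaves 198.51.100.7 at 4 hits (so it is returned by `to_firewall`) while 192.0.2.10 never gets past 1, which is the behaviour SorenR's window is meant to produce.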
Re: Stop intruder
Posted: 2019-10-07 13:39
by palinka
SorenR wrote: ↑2019-10-07 13:18
Did you keep the 180-minute window?
Working with AutoBan, sometimes aggressive settings will kill your server performance, which is why I only look at a 180-minute window. No point in banning someone that will send a probe every 2 days.
Nah, they're banned for life. Unless I see that it is a false positive. There's no need to autoban - these guys go straight to the firewall (>3 hits).
FPs are pretty rare and usually have a good reason. I noticed that starting a few days ago, fakebook brought new mail servers online and the HELO contained the entire IP. WTF? Don't they know that's begging to get tripped up in dynamic IP filters? And that's what happened, so I had to release them from the firewall and prevent them from getting listed again. Bad fakebook! Bad!
Anyway, I think the majority of IDS hits come from password guessers. There's no point in letting them back in. EXILED TO THE BARREN WASTELANDS OF THE INTERNET NEVER TO BE HEARD FROM AGAIN!
I've had some debate here about how wise it might be to permanently firewall ban spammers. The truth is that 99.99% are bots living on infected corporate workstations and those IPs will never ever become legitimate mail servers. Legit mail servers will never be firewall banned - except rare FPs - even if they occasionally send spam.
And by the way, there is 0 performance hit for having 10k (so far) firewall rules.
It's all good, baby!

Re: Stop intruder
Posted: 2019-10-08 01:36
by mattg
palinka wrote: ↑2019-10-07 13:39
Anyway, I think the majority of IDS hits come from password guessers. There's no point in letting them back in. EXILED TO THE BARREN WASTELANDS OF THE INTERNET NEVER TO BE HEARD FROM AGAIN!
Except they are usually connecting from dynamic IPs, which may later end up being used by a genuine sender.
Re: Stop intruder
Posted: 2019-10-08 01:56
by palinka
mattg wrote: ↑2019-10-08 01:36
palinka wrote: ↑2019-10-07 13:39
Anyway, I think the majority of IDS hits come from password guessers. There's no point in letting them back in. EXILED TO THE BARREN WASTELANDS OF THE INTERNET NEVER TO BE HEARD FROM AGAIN!
Except they are usually connecting from dynamic IPs, which may later end up being used by a genuine sender.
Good point, but none of my filters go that deep. I'm only checking servers, so if an IP ends up in the doghouse, and later they clean the bot infection, there's still a 99.99% chance they're not going to be a mail server and therefore not be affected by my firewall ban. They'll be relaying mail through a mail server, not sending directly to me.
And I don't believe they're connecting from dynamic IPs. That virtually ended when ISPs started blocking port 25 outgoing. I believe (could be wrong - wouldn't be the first time) that most bots are on corporate networks that have not blocked port 25. There seem to be plenty of non-maintaining maintainers out there.
Re: Stop intruder
Posted: 2019-10-08 02:00
by mattg
Or perhaps using TOR
Re: Stop intruder
Posted: 2019-10-08 02:38
by palinka
mattg wrote: ↑2019-10-08 02:00
Or perhaps using TOR
Maybe, but still, how many mail servers also act as Tor exit nodes?
Anyway, the vast majority of connections I drop are geo IP based, so I wouldn't accept them no matter what the circumstances are. Even if they were bona fide legit mail servers.
Re: Stop intruder
Posted: 2019-10-08 03:09
by jim.bus
How come I keep hearing how ISPs block outgoing port 25? I've been on two major ISPs in the 8 or more years I've been using hMailServer and neither one of them blocked port 25 for me, though one kept documenting that they may do it, but I never ran into it. Granted, I now use a static IP address from my ISP, but that has been only for about a year now.
Is this maybe a bit isolated to Europe and Australia, etc? I'm just curious.