Apparent SPAMMER Attack By Assumed Distribution List

jim.bus
Senior user
Posts: 301
Joined: 2011-05-28 11:49
Location: US

Apparent SPAMMER Attack By Assumed Distribution List

Post by jim.bus » 2019-07-18 21:09

I just noticed an apparent attack by a spammer today when going through my logs.

An IP Address sent email to apparently one of my legitimate email ids (this email id seemed to have been stolen from someone's address book whom I communicate with a long time ago). My SPAM tests only caught a HELO server error returning a SPAM Error of only 2 and passed my SPAM Tests on SPAM Test Scoring. My Greylisting seem to respond as I saw a reply was sent back to 'Please try again later' but then the same IP Address proceeded to send several, several other email ids. My legitimate email id of course was found but all the other email ids failed on Unknown User. It was obviously an attempt to guess a legitimate email id on my Domain. Ultimately the Remote Server finally terminated the connection.

In the logs I saw nothing which would have told me a distribution list was being used but from all the RCPT TO commands in the log, it would appear some kind of Distribution List or equivalent was used. The first email id which was my legitimate email id was the email id which seemed to be detected by Greylisting and all the subsequent email ids were apparently not Greylisted in that none of those had the 'Please try again later' response.

If my assumption that this was a Distribution List is correct, then is my understanding of hMailServer Antispam safeguards correct that there is no antispam feature which would protect against this, because none of the other email ids appeared to trigger any hMailServer spam checking other than to respond with Unknown User?

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Apparent SPAMMER Attack By Assumed Distribution List

Post by RvdH » 2019-07-18 21:25

Correct,
If a user doesn't exist it responds with a permanent failure, Unknown User.
If a user does exist it returns a temporary failure if the sender IP is greylisted, Please try again later; once the greylist period expires the mail will or will not be delivered after it is spam filtered.

This is the first time you see this kind of behavior? Man...lucky you, our company servers get hammered with nonsense like this :wink:

Distribution list, spammers just trying random mailboxes, who knows? What is the problem with that? What should be protected?

I'm a bit clueless what you want/expect...
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
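To make the behaviour RvdH describes concrete, here is an added example (not hMailServer's code) that models a greylisting SMTP server answering each RCPT TO in one session. The greylist is keyed on the (sender IP, MAIL FROM, RCPT TO) triplet; the class and function names, the 300-second period and the addresses are assumptions made for the illustration. It shows the two points raised in the thread: an unknown mailbox gets a permanent 550 whatever the greylist state, and a 451 on one recipient does not end the session, so the server keeps answering further RCPT TO commands until the client quits.

```python
# Added example, not hMailServer code: a minimal model of per-recipient
# greylisting. GREYLIST_PERIOD_SECONDS and all names are assumptions.
from dataclasses import dataclass, field

GREYLIST_PERIOD_SECONDS = 300  # assumed value for the illustration


@dataclass
class GreylistingServer:
    local_users: set
    # triplet (client_ip, mail_from, rcpt_to) -> time the triplet was first seen
    greylist: dict = field(default_factory=dict)
    whitelist_ips: set = field(default_factory=set)

    def rcpt_to(self, client_ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        """Return the SMTP reply for a single RCPT TO command."""
        # An unknown mailbox is a permanent failure regardless of greylisting.
        if rcpt_to.lower() not in self.local_users:
            return "550 Unknown user"
        # Whitelisted senders bypass greylisting entirely.
        if client_ip in self.whitelist_ips:
            return "250 OK"
        triplet = (client_ip, mail_from.lower(), rcpt_to.lower())
        first_seen = self.greylist.get(triplet)
        if first_seen is None:
            # First delivery attempt for this triplet: record it and defer.
            self.greylist[triplet] = now
            return "451 Please try again later"
        if now - first_seen < GREYLIST_PERIOD_SECONDS:
            # Retried too early: still deferred.
            return "451 Please try again later"
        # Retried after the period: a legitimate MTA behaves this way.
        return "250 OK"


def run_session(server, client_ip, mail_from, recipients, now):
    """Drive one SMTP session. A 451 or 550 on one recipient does not close the
    connection; the server answers every RCPT TO and the client decides when to quit."""
    return [server.rcpt_to(client_ip, mail_from, rcpt, now) for rcpt in recipients]


def demo():
    """One valid mailbox plus three guessed ones, sent twice from the same IP."""
    server = GreylistingServer(local_users={"jim@example.test"})
    recipients = ["jim@example.test", "info@example.test",
                  "sales@example.test", "admin@example.test"]
    first = run_session(server, "203.0.113.5", "someone@sender.test", recipients, now=0)
    # A retry after the greylist period gets the valid recipient accepted;
    # the guessed ones are still permanently rejected.
    retry = run_session(server, "203.0.113.5", "someone@sender.test", recipients, now=600)
    return first, retry


if __name__ == "__main__":
    for reply_list in demo():
        print(reply_list)
```

Because the greylist key includes the recipient, each newly guessed but valid address would itself be deferred on first sight; the invalid ones never reach the greylist at all, which is why they show up in the log only as Unknown User.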

jim.bus
Senior user
Posts: 301
Joined: 2011-05-28 11:49
Location: US

Re: Apparent SPAMMER Attack By Assumed Distribution List

Post by jim.bus » 2019-07-19 08:51

RvdH wrote:
2019-07-18 21:25
Correct,
If a user doesn't exist it responds with a permanent failure, Unknown User.
If a user does exist it returns a temporary failure if the sender IP is greylisted, Please try again later; once the greylist period expires the mail will or will not be delivered after it is spam filtered.

This is the first time you see this kind of behavior? Man...lucky you, our company servers get hammered with nonsense like this :wink:

Distribution list, spammers just trying random mailboxes, who knows? What is the problem with that? What should be protected?

I'm a bit clueless what you want/expect...
I'm not sure if you understood the circumstances. First, I am making some assumptions since I didn't see any actual explicit indication in the log for this connection and how the Email Message was actually sent. It appeared that there may have been one email message with either a Distribution List of email ids with only the one legitimate Email ID followed by the 'guessing' Email IDs, or it could have been an email message sent to the legitimate Email ID followed by a Copy To or Blind Copy To set of Email IDs or Distribution list. People sending to a Blind Copy To Distribution list will frequently include one Email ID in the To Field Entry so they can Blind Copy a Distribution List (at least in Outlook).

The legitimate Email ID of course is recognized by hMailServer but the rest of the Email IDs which were sent were all incorrect guesses but they all came in the one email connection to hMailServer. All of the incorrect guesses Email IDs were rejected as Unknown User whereas the legitimate Email ID was recognized but hMailServer responded with 'Please try again later' for each of the guessed Email IDs which were not valid until the sending (Remote) email server gave up and terminated the connection. Presumably the sender of the Email Message was Greylisted in this situation because the sender wasn't Whitelisted.

So to summarize for the one email message connection to hMailServer, it appeared there was one legitimate Email ID followed by many 'guessed' Email IDs. The legitimate Email Id received the response 'Please try again later' whereas the 'guessed' invalid Email IDs only got the 'Unknown User' response.

I am not necessarily wanting anything but to understand the correct behavior of hMailServer in this situation. I looked at the logs and the Help Documentation again and strictly speaking it would appear this might be correct behavior but it was a little unclear to me. It looks like correct behavior in that the Greylisting Triplet does include the Recipient Email Id and the legitimate Email Id did indeed appear to behave that way. What was a little unclear to me was that all the Unknown User Email IDs apparently came in on the same Email Message and Session Connection as they all were rejected on the same Connection Session ID (Session 1 in one of the cases in my log). So based on what I see in the log and the Greylisting Help Documentation it appears there must be multiple Delivery attempts from the same IP Address on the same Session ID and the invalid Email ID will get the 'Unknown User' rejection. I sort of thought when I first saw this log behavior that I would have expected the Session Connection would have been terminated at the point the 'Please try again later' message was generated.

RvdH
Senior user
Posts: 798
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Apparent SPAMMER Attack By Assumed Distribution List

Post by RvdH » 2019-07-19 09:12

jim.bus wrote:
2019-07-19 08:51
So based on what I see in the log and the Greylisting Help Documentation it appears there must be multiple Delivery attempts from the same IP Address on the same Session ID and the invalid Email ID will get the 'Unknown User' rejection. I sort of thought when I first saw this log behavior that I would have expected the Session Connection would have been terminated at the point the 'Please try again later' message was generated.
That is how it should work, but like you suggested this spammer probably had many To's in the message.
There is not a single method that spammers use: one spammer tries to send their crap to a single address and another uses many CC's and/or BCC's, as apparently is the case here.

I would say, don't worry too much, the spam hasn't come through :mrgreen:
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

SorenR
Senior user
Posts: 3190
Joined: 2006-08-21 15:38
Location: Denmark

Re: Apparent SPAMMER Attack By Assumed Distribution List

Post by SorenR » 2019-07-19 13:35

jim.bus wrote:
2019-07-19 08:51
I'm not sure if you understood the circumstances. First, I am making some assumptions since I didn't see any actual explicit indication in the log for this connection and how the Email Message was actually sent. It appeared that there may have been one email message with either a Distribution List of email ids with only the one legitimate Email ID followed by the 'guessing' Email IDs, or it could have been an email message sent to the legitimate Email ID followed by a Copy To or Blind Copy To set of Email IDs or Distribution list. People sending to a Blind Copy To Distribution list will frequently include one Email ID in the To Field Entry so they can Blind Copy a Distribution List (at least in Outlook).
Just a note... Headers such as To, From, Cc and Bcc (not really ;-) ) are unknown to hMailServer until OnAcceptMessage / SURBL, DKIM, SpamAssassin tests and they need not match real-world sender and recipient.

Greylisting is done based on oMessage.FromAddress and oMessage.Recipients(i).Address, only one of these will be included as email header later and that is "Return-Path:" AKA "X-Envelope-From:".
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jim.bus
Senior user
Posts: 301
Joined: 2011-05-28 11:49
Location: US

Re: Apparent SPAMMER Attack By Assumed Distribution List

Post by jim.bus » 2019-07-20 03:30

RvdH wrote:
2019-07-19 09:12
jim.bus wrote:
2019-07-19 08:51
So based on what I see in the log and the Greylisting Help Documentation it appears there must be multiple Delivery attempts from the same IP Address on the same Session ID and the invalid Email ID will get the 'Unknown User' rejection. I sort of thought when I first saw this log behavior that I would have expected the Session Connection would have been terminated at the point the 'Please try again later' message was generated.
That is how it should work, but like you suggested this spammer probably had many To's in the message.
There is not a single method that spammers use: one spammer tries to send their crap to a single address and another uses many CC's and/or BCC's, as apparently is the case here.

I would say, don't worry too much, the spam hasn't come through :mrgreen:
It has occurred to me this would explain why I haven't seen any new Autoban IP Addresses for several months now. Spammers attempting to deliver email messages to many CC or BCC items, as long as they have one valid Email ID, can by virtue of delivering 'guessed' Email IDs to the Domain of the valid Email ID circumvent the Greylisting functionality (I would think they wouldn't even need the one valid Email ID), because with Delivery of Email sent to Guessed Email IDs, the SPAMMER doesn't need to attempt to logon and therefore avoids being Autobanned due to exceeding the allowed number of failed Logon attempts. The SPAMMER knows which Email IDs did succeed to be delivered to the Email Domain the SPAMMER is trying to hack into. Once he has obtained the successful delivery attempt of the SPAMMER's email message, the SPAMMER can then attempt to guess the password of the Email ID he now knows is a good email ID. This wouldn't eliminate all Greylisting functionality but it would limit the amount of Autobans hMailServer would generate.
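The thread observes that recipient guessing produces only Unknown User replies and no failed logons, so it is not the kind of activity Autoban counts. An operator who wants to see it anyway can count rejected RCPT TO commands per session in the SMTP log. The following is an added example, not an hMailServer feature: it parses constructed log lines and flags sessions that collected many "550 Unknown user" replies. The tab-separated layout used for the sample lines (component, thread id, session id, timestamp, remote IP, text) is an assumption made for the example, not a verified hMailServer log format, and the IP addresses and addresses are constructed.

```python
# Added example, not hMailServer code: spot recipient enumeration in an SMTP log
# by counting "550 Unknown user" replies per (remote IP, session id).
# SAMPLE_LOG is constructed for this example and its layout is an assumption.
from collections import defaultdict
import re

SAMPLE_LOG = """\
"SMTPD"\t3012\t1\t"2019-07-18 20:41:02.113"\t"203.0.113.77"\t"RECEIVED: MAIL FROM:<bulk@sender.test>"
"SMTPD"\t3012\t1\t"2019-07-18 20:41:02.201"\t"203.0.113.77"\t"SENT: 451 Please try again later"
"SMTPD"\t3012\t1\t"2019-07-18 20:41:02.260"\t"203.0.113.77"\t"SENT: 550 Unknown user"
"SMTPD"\t3012\t1\t"2019-07-18 20:41:02.321"\t"203.0.113.77"\t"SENT: 550 Unknown user"
"SMTPD"\t3012\t1\t"2019-07-18 20:41:02.380"\t"203.0.113.77"\t"SENT: 550 Unknown user"
"SMTPD"\t3012\t1\t"2019-07-18 20:41:02.440"\t"203.0.113.77"\t"SENT: 550 Unknown user"
"SMTPD"\t3012\t1\t"2019-07-18 20:41:02.502"\t"203.0.113.77"\t"SENT: 550 Unknown user"
"SMTPD"\t3015\t2\t"2019-07-18 20:45:10.010"\t"198.51.100.20"\t"SENT: 550 Unknown user"
"SMTPD"\t3015\t2\t"2019-07-18 20:45:11.015"\t"198.51.100.20"\t"SENT: 250 OK"
"""

# One record per line: quoted component, thread id, session id, quoted timestamp,
# quoted remote IP, quoted free text.
LINE_RE = re.compile(
    r'^"(?P<component>[^"]*)"\t(?P<thread>\d+)\t(?P<session>\d+)\t'
    r'"(?P<timestamp>[^"]*)"\t(?P<ip>"[^"]*")\t"(?P<text>.*)"$'
)

UNKNOWN_USER_RE = re.compile(r"\bSENT: 550 .*Unknown user", re.IGNORECASE)


def parse_log(text):
    """Turn the raw log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ip"] = rec["ip"].strip('"')
            records.append(rec)
    return records


def count_unknown_user(records):
    """Count Unknown User rejections per (remote IP, session id)."""
    counts = defaultdict(int)
    for rec in records:
        if UNKNOWN_USER_RE.search(rec["text"]):
            counts[(rec["ip"], rec["session"])] += 1
    return dict(counts)


def find_enumeration(text, threshold=3):
    """Return [(ip, session, count)] for sessions at or above the threshold,
    highest count first. The threshold is a tuning knob, not a fixed rule."""
    counts = count_unknown_user(parse_log(text))
    hits = [(ip, session, n) for (ip, session), n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


if __name__ == "__main__":
    for ip, session, n in find_enumeration(SAMPLE_LOG):
        print(f"session {session} from {ip}: {n} unknown recipients")
```

A single Unknown User in a session is ordinary (a typo, a departed employee), so the threshold matters more than the parsing; a session with one valid recipient and many rejected ones, all within a second or two, is the pattern described in this thread and is worth feeding into whatever blocking mechanism the site already uses.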
