Spam Assistance

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues is already described in detail there.
MarHMS
Normal user
Posts: 116
Joined: 2015-12-11 17:10

Spam Assistance

Post by MarHMS » 2019-10-21 17:50

I'm requesting a review of my HMS configuration, please.

We've been receiving quite a lot of bounce back spam emails. The emails usually originate from 4 of our email addresses. We've changed the passwords numerous times, but the issue remains.

SPF, DKIM and DMARC have all been configured for all domains.

I've recently changed the Minutes Before Reset to 1.

We have quite a few distribution emails which are being used for sending spam, so all email addresses associated with them are receiving bounce backs.

Code:

2019-10-21   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - emxxxxxxxx.com                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: e:\email security\Domain1.com\dkim\Domain1.com.key
                                                Selector:    hashed

   "Domain2.com" - fixxxxxxxxxx.com               Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: e:\email security\Domain2.com\dkim\Domain2.com.key
                                                Selector:    hashed

   "Domain3.com" - fuxxxxxx.com                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: e:\email security\Domain3.com\dkim\Domain3.com.key
                                                Selector:    hashed

   "Domain4.com" - obxx.otxxxxxx.com              Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: e:\email security\Domain4.com\dkim\Domain4.com.key
                                                Selector:    hashed

   "Domain5.com" - otxxxxxx.com                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: e:\email security\Domain5.com\dkim\Domain5.com.key
                                                Selector:    hashed

   "Domain6.com" - pixxxxxxx.com                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: True    
                   Max message size:        0   Header:   Relaxed  Plus addressing: False
                   Max size of accounts:    0   Body:     Relaxed
                                                Algorithm: SHA256  Greylisting:     False
                                                Private key: e:\email security\Domain6.com\dkim\Domain6.com.key
                                                Selector:    hashed
-----------------------------------------------------------------------------------------------

RULES
  1, Global Spam Rule 1           Criteria:  Use AND
     Custom: X-Spam-Level              Contains        *******
                                  -----Actions-----
             Move To Folder                            Trash
 ---------------------------------------------------------------------
  2, Global Spam Rule 2           Criteria:  Use AND
     Custom: X-Spam-Level              Contains        ***
                                  -----Actions-----
             Move To Folder                            Spam
 ---------------------------------------------------------------------
  3, Spam                         Criteria:  Use OR
             From                      Contains        goaster.com
             From                      Contains        paramount.net.pk
             From                      Contains        whereareyounow.net
             From                      Contains        tollgroup.com
             From                      Contains        ntks.ru
                                  -----Actions-----
             Delete
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 192.168.0.1 - 192.168.0.254     Priority: 25     Name: Branch00-HeadOffice

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.1.1.1 - 10.1.1.254     Priority: 25     Name: Branch01-New Kingston

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Branch01-New Kingston-HFC

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.1.2.1 - 10.1.2.254     Priority: 25     Name: Branch02-Kingston Mall

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Branch02-Kingston Mall-HFC

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.3.0.1 - 10.3.0.254     Priority: 25     Name: Branch03-Falmouth

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.1.4.1 - 10.1.4.254     Priority: 25     Name: Branch04-Mandeville

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Branch04-Mandeville-HFC

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.1.5.1 - 10.1.5.254     Priority: 25     Name: Branch05-Montego Bay

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Branch05-Montego Bay-HFC

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.6.0.1 - 10.6.0.254     Priority: 25     Name: Branch06-Portland

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.7.0.1 - 10.7.0.254     Priority: 25     Name: Branch07-Savanna-la-Mar

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.1.8.1 - 10.1.8.254     Priority: 25     Name: Branch08-May Pen

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Branch08-May Pen-HFC

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.1.9.1 - 10.1.9.254     Priority: 25     Name: Branch09-Spanish Town

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Branch09-Spanish Town-DigicelPlay

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.1.10.1 - 10.1.10.254     Priority: 25     Name: Branch10-Ocho Rios

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Branch10-Ocho Rios-HFC

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.11.0.1 - 10.11.0.254     Priority: 25     Name: Branch11-Linstead

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 10.1.13.1 - 10.1.13.254     Priority: 25     Name: Branch12-Westminster

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Branch12-Westminster-HFC

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: x.x.x.x - x.x.x.x     Priority: 25     Name: Webmail-FUF

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:  False                              Antivirus:   True
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


------------------------------------------------------
AUTOBANNED Local Addresses:
    192.168.0.1          Expires : 10/23/2019 9:41:34 AM
    ...
    192.168.0.112        Expires : 10/22/2019 9:32:25 AM
    192.168.0.5          Expires : 10/22/2019 11:12:01 AM
    192.168.0.5          Expires : 10/22/2019 1:43:10 PM
    192.168.0.1          Expires : 10/21/2019 10:52:55 PM
    192.168.0.1          Expires : 10/21/2019 10:59:43 PM
    192.168.0.1          Expires : 10/21/2019 11:02:52 PM
    192.168.0.1          Expires : 10/21/2019 11:05:12 PM
    192.168.0.1          Expires : 10/21/2019 11:07:46 PM
    192.168.0.1          Expires : 10/22/2019 9:04:27 AM
    192.168.0.1          Expires : 10/21/2019 10:23:26 AM
    192.168.0.1          Expires : 10/21/2019 10:06:00 AM
    192.168.0.1          Expires : 10/23/2019 8:42:07 AM

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      3
                              Minutes Before Reset:            1  (0.02 hours, 0.00 days)
                              Minutes to Autoban:         527520  (8,792.00 hours, 366.33 days)

There is a total of 2615 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries: 30 Mins:  5   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:    10
Max Msg Size: 26500  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:  50  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
 !! Service Not Enabled !!

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:       False        Use SA score: False -   5
              Subject Text: "[Possible Spam]"
  Spam delete threshold: 8         Maximum message size: 26500

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
     hostkarma.junkemailfilter.com      Score: 2     Result: 127.0.0.2|127.0.0.4
            b.barracudacentral.org      Score: 2     Result: 127.0.0.2
           bl.spameatingmonkey.net      Score: 2     Result: 127.0.0.2-3
                   cbl.abuseat.org      Score: 2     Result: 127.0.0.2

SURBL ENTRIES:
                   multi.surbl.org      Score: 3

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS

GENERAL:
  When found - Delete email. Notify Sender: False,  Notify Receiver: True

  Max Message Size: 26500
     CLAM AV:   True       Hostname: localhost    Port: 3310
     CLAMWIN:   False
     CUSTOMAV:  False

  Block Attachments: True
               *.7z              
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.docm            Macro enabled Office
               *.dotm            Macro enabled Office
               *.exe             Executable file
               *.inf             Setup file
               *.js              JavaScript files
               *.lnk             Windows link file
               *.msg             .msg message files -  G Roach
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.pif             Program information file
               *.rar             Winrar archives
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
               *.vbs             VBScript
               *.zip             
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   mail.Domain2.com
       Certificate: C:\wamp\bin\apache\apache2.4.9\conf\SSL\8e8268e1f460c9c4.crt
       Private key: C:\wamp\bin\apache\apache2.4.9\conf\SSL\mail.Domain2.com.key
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Optional   Cert: mail.Domain2.com
               0.0.0.0         / 143   / IMAP   -   None                
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: mail.Domain2.com
               0.0.0.0         / 587   / SMTP   -   StartTLS Required   Cert: mail.Domain2.com
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: mail.Domain2.com
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  E:\HMAIL\Logs\hmailserver_2019-10-21.log
    Error:    E:\HMAIL\Logs\ERROR_hmailserver_2019-10-21.log
    Event:    E:\HMAIL\Logs\hmailserver_events.log - Not present
    Awstats:  E:\HMAIL\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -      .
                        IMAP        -      .
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL

IPv6 support is available in operating system.

Backup directory E:\Backup is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: 
Data folder:     E:\HMAIL\Data
Log folder:      E:\HMAIL\Logs
Temp folder:     E:\HMAIL\Temp
Event folder:    E:\HMAIL\Events

[Database]
Type=              MSSQL
Username=          hmsdb
PasswordEncryption=1
Port=              0
Server=            localhost\SQLEXPRESS
Internal=          0
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.92, Hmailserver Forum.

mattg
Moderator
Posts: 20640
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam Assistance

Post by mattg » 2019-10-22 00:47

MarHMS wrote:
2019-10-21 17:50
We have quite a few distribution emails which are being used for sending spam, so all email addresses associated with them are receiving bounce backs.
How do you know that these are used to SEND spam?

Or is it just that that is where the NDRs (Non Delivery Reports) are going, causing everyone in the distribution list to get a copy?

diagnostics look fine to me
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

MarHMS
Normal user
Posts: 116
Joined: 2015-12-11 17:10

Re: Spam Assistance

Post by MarHMS » 2019-10-22 03:02

mattg wrote:
2019-10-22 00:47
MarHMS wrote:
2019-10-21 17:50
We have quite a few distribution emails which are being used for sending spam, so all email addresses associated with them are receiving bounce backs.
How do you know that these are used to SEND spam?

Or is it just that that is where the NDRs (Non Delivery Reports) are going, causing everyone in the distribution list to get a copy?

diagnostics look fine to me
That's where the non-delivery reports go. All email addresses associated with the distribution email get a copy of the email sent.

Here's a copy of the header of one of the most recent emails. It had a .doc attachment. This wasn't a non-delivery email; the email was sent to the distribution email.


Return-Path: jemima@chaswood.com.my
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on FUF-SVHMAIL.FUF.LOCAL
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Report:  * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% *      [score: 0.0000] *  0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL *      was blocked.  See *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for *      more information. *      [46.165.232.175 listed in list.dnswl.org] *
Received: from mx12-out5.antispamcloud.com (mx12-out5.antispamcloud.com [46.165.232.175]) by mail.ourdomain.com with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) ; Mon, 21 Oct 2019 11:17:52 -0500
Received: from mail-01.chaswood.com.my ([103.10.159.86]) by mx147.antispamcloud.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <jemima@chaswood.com.my>) id 1iMaN7-0006UM-U4 for fufgroup@ourdomain.com; Mon, 21 Oct 2019 18:17:43 +0200
Received: from [105.247.25.67] by mail-01.chaswood.com.my with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <jemima@chaswood.com.my>) id 1iMaJw-0005y0-V1 for fufgroup@ourdomain.com; Tue, 22 Oct 2019 00:14:31 +0800
Date: Mon, 21 Oct 2019 18:14:25 +0200
From: "ourdomain" <jemima@chaswood.com.my>
To: <fufgroup@ourdomain.com>
Subject: 
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_Part_1176_848417114.8244986193679149960"
Message-ID: <GENERATED-WASMISSING-1iMaJw-0005y0-V1@mail-01.chaswood.com.my>
X-ACL-Warn: Adding Message-ID header because it is missing!
X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
X-Originating-IP: 103.10.159.86
X-Spampanel-Domain: chaswood.com.my
X-Spampanel-Username: smtp
Authentication-Results: antispamcloud.com; auth=pass (login) smtp.auth=smtp@chaswood.com.my
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.65)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0QRKNbAP+Q7R/EWH3Kru/cipSDasLI4SayDByyq9LIhVbV6cQIaEN6ch 7fRLkD3Xy0TNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDUz2ony76gScX5gbV8D2qqJTU UoBNe6TLGNEScVPKM47VtNOx8rqjotGC77m0KBZW871Cr0Nwq//LoppHTKluuTg9YkzbMy6DOYhG 3MUcvhptcM8xBzkj6dGN5lzpebw7fwpogNgi0CKEkerRSmMZayXAqEAQZXCFCwvZK9SRAKXxEGJs X0M0hOKpM/2F9L3NzEpNqCZDfEzJVnTtQRFbPHoFNewXFxLOGkUcq5UN3xK7LyU0NLRBZaQAOGXu CUJH09uuFKZbba1bXIHGBFPxuQzcLiPibp7eiMkmZ+TDXbkvTRxdebmKLQZvPPRB7w6pA1aO0ASg ODHLSquIn2D3FxUS9itywBHw11Tnbe8A27rGJ7hFVksSjB21NM5DTNxBcXqUwaiTYU5RrSlJK7QV oO09NmV3aEMTLP/4jhOBZYYgr/U0flMcy2Vi/IcBgY4aCN1vmHLh3z+T5GW+QPsBOahnaR+eDmt1 fCO+lThL5cAflz3RF6rme7dDFDjKzVAdiEinhNpARcnVaJ28Eth6e4IIbFZO3pHH5mnItVE/fW9r Rr8C0SDdFZIkl3kxpMkmLLibKuP31K2n4MFn6dxvzAE9FrvLEUPXJbB4TOB4dAFErSs0X3oyoTc8 j/o7qulx0MUdYWPstPbh3RR5QNrF/aylvaB9WMKFyzX4syKy+HuoStoc2ReGEGomN0LH+kJXcBqo OkBuXNpVaixwVvG6y4W+axx2DzNv8BNlsyaVn+Wm4w4EPwDtOn/zADts2T/Cz1caQoi44Wcfj1z/ J5tTtwZdUvs2plefllfRUKaDLI3boTg++3VDf4fp6H7dQmAS3jR5NeVaJQBh0uawl0Cg8gkFJY4U lg4VofOxwUi4TVKOKogdFzFUBtke4lHzswE2sXE60PQytTuUfwPvUJjiNHqu6Lib85KNkeZKNHu6 /LkxL7hrJSk60SF3F6RYOYr2
X-Report-Abuse-To: spam@quarantine10.antispamcloud.com
Here are 2 copies of the non-delivery emails. After confirming the email that was being utilized to send the spam, I changed the password and the sending stopped.
1st COPY - Non Delivery - header


Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on FUF-SVHMAIL.FUF.LOCAL
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00,HTML_MESSAGE, LOTS_OF_MONEY,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Report:  *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. *       See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block *      for more information. *      [URIs: ourdomain.com] * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% *      [score: 0.0000] *  0.0 HTML_MESSAGE BODY: HTML included in message *  0.0 LOTS_OF_MONEY Huge... sums of money *
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-bgr052100135076.outbound.protection.outlook.com [52.100.135.76]) by mail.ourdomain.com with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256) ; Mon, 21 Oct 2019 11:15:19 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=c8iJEs4dlv1Vvcx+EBlJUF1RWTqrdKL2ma/lnczlQ2bCSDxYu31aq3rAxituFnHTP/nnv3OxIXsIPJ3eL+VMbTp7OLhCoIUxJGhpjddL6vzQCy/780I0h50PeS9gF5ijRvWFfWKOJv3V0/XHBjnwQo3EjMrraSGjfEzJ6zXD4YXp3YVHmAdYZL2NuwfZ0hUInmNoEgtNa9EWkk18Yhmin9hm54oilnjJRm96acH9ZG/KmRp7U8SH9JxRh8350kewsHgeJm01IFgZYzAV7o5ir6Tydkyryt4KYsTw6WS9sWGs3t9g2GJNshsYY6dv1FnhEUym8UMGOEdsp7dJHD4wrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6vQWBX3MMQFuuijXsYxe8RNJmfHAfJdMgYDx2hzhMfY=; b=ZFEcnl+15xmaZFog65duhlUCib1c1U9dP/b8MDJo4Nvdjmto5KnimaCkcRrSwT0X7h4IuEorSexYcsr194VtR8aXtmkpa9523QzdTHYhUuXKmsAJKhYixGE1tK7ajBQdNVgs87YC6KORxtoar+k8tOaVoF1H6dC9Z1zIHwNdV+Nxlm4EyVZTrhZlk4xNyk9jdIaRpLH/W1lYOHEFzC0LEdpaYANkwk4cXMJVppDls32r94Y3BbkvBK/fdPuUospJ7cGdF7eO9FeRJs+0i8YyIfis2M2rN0Oin5EElpQlYkrsGnaebSpabXfuUq4739xv9P+ERl0sxq6KsFmY1DYM3g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass; dmarc=pass action=none header.from=sdusd.onmicrosoft.com; dkim=pass header.d=sdusd.onmicrosoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=SDUSD.onmicrosoft.com; s=selector2-SDUSD-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6vQWBX3MMQFuuijXsYxe8RNJmfHAfJdMgYDx2hzhMfY=; b=mvuf6gTxPvttb5WxKtEBWGQv6uPFf/ngVH3eNopDg1PvicWYmzW6AQ3NxzDtxL66Y6wYvUosut/yYTjIpL/SQJQzYc+lqseGXUIvo/jMBCUZocYf/Mw1BDxMrQq+IkOD6b+wLYyHir/CPxY5PT3D92wQmcZ7+rvf3byGtffo1JA=
MIME-Version: 1.0
From: <postmaster@SDUSD.onmicrosoft.com>
To: <loansapproval@ourdomain.com>
Date: Mon, 21 Oct 2019 16:15:16 +0000
Content-Type: multipart/report; report-type=delivery-status; boundary="79fa56f1-0648-4144-9433-d097ebd86bbe"
X-MS-Exchange-Message-Is-Ndr: 
Content-Language: en-US
Message-ID:  <94320c7c-c9c1-41e6-b68b-affa516ce261@MWHPR03MB3343.namprd03.prod.outlook.com>
In-Reply-To: <4FE75E85-33B8-44FE-9E72-C236D65013E6@mail.ourdomain.com>
References: <4FE75E85-33B8-44FE-9E72-C236D65013E6@mail.ourdomain.com>
Subject: Undeliverable: RE: Lease-Leaseback Announcement
Auto-Submitted: auto-replied
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: MWHPR03MB3343:
X-MS-Exchange-PUrlCount: 5
X-Microsoft-Antispam-PRVS:  <MWHPR03MB3343049510AC573698F99167B8690@MWHPR03MB3343.namprd03.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:8273;
X-Forefront-PRVS: 0197AFBD92
X-Forefront-Antispam-Report:  SFV:NSPM;SFS:(10009020)(50650200002)(366004)(346002)(376002)(396003)(136003)(39850400004)(199004)(189003)(1930700014)(2351001)(71190400001)(81166006)(1706002)(81156014)(5320300001)(10126004)(78352004)(8676002)(66576008)(76176011)(606006)(11286001)(498600001)(66946007)(66574012)(78496005)(86902001)(590304002)(14444005)(74316002)(6306002)(64872007)(30864003)(733005)(31696002)(486006)(6916009)(236005)(2906002)(42882007)(1476002)(6346003)(5660300002)(476003)(786003)(42186006)(446003)(316002)(16586007)(53546011)(52230400001)(9686003)(2876002)(11346002)(82146005)(579004)(299355004);DIR:OUT;SFP:1501;SCL:1;SRVR:MWHPR03MB3343;H:;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:0;MX:0;
Received-SPF: None (protection.outlook.com:  does not designate permitted sender hosts)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=<>; 
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info:  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
X-OriginatorOrg: SDUSD.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Oct 2019 16:15:16.0236 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Network-Message-Id:  62f4f8c7-0ef8-461c-5f64-08d75641dc03
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR03MB3343
2nd COPY - Non Delivery - header


Return-Path: 
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on FUF-SVHMAIL.FUF.LOCAL
X-Spam-Level: 
X-Spam-Status: No, score=-1.9 required=3.0 tests=BAYES_00, RCVD_IN_DNSWL_BLOCKED,SPF_HELO_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0
X-Spam-Report:  *  0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. *       See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block *      for more information. *      [URIs: ourdomain.com] *  0.0 RCVD_IN_DNSWL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to DNSWL *      was blocked.  See *      http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for *      more information. *      [202.164.42.142 listed in list.dnswl.org] * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record * -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% *      [score: 0.0000] *
Received: from mail.dukeindia.com (dukeindia.com [202.164.42.142]) by mail.ourdomain.com with ESMTPS (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) ; Mon, 21 Oct 2019 14:04:56 -0500
Received: by mail.dukeindia.com (Postfix) id 8B9F7140CC2; Tue, 22 Oct 2019 00:43:39 +0530 (IST)
Date: Tue, 22 Oct 2019 00:43:39 +0530 (IST)
From: MAILER-DAEMON@localhost (Mail Delivery System)
Subject: Delayed Mail (still being retried)
To: loansapproval@ourdomain.com
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="249AE140D30.1571685219/mail.dukeindia.com"
Content-Transfer-Encoding: 7bit
Message-Id: <20191021191339.8B9F7140CC2@mail.dukeindia.com>
3rd COPY - Non Delivery - header


Return-Path: 
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Return-Path: <>
Message-ID: <2B609870-BF98-4386-9C74-CAE361A1D94C@mail.ourdomain.com>
Date: Mon, 21 Oct 2019 19:48:19 -0500
From: mailer-daemon@mail.ourdomain.com
To: accountsreceivables@ourdomain.com
Subject: Message undeliverable: 
Content-Transfer-Encoding: quoted-printable
X-hMailServer-LoopCount: 1
3rd COPY - Non Delivery - body


Your message did not reach some or all of the intended recipients.

Sent: Tue, 22 Oct 2019 05:48:11 +0500
Subject:

The following recipient(s) could not be reached:

brandon@timbertrading.com.au
Error Type: SMTP
Remote server (64.233.185.27) issued an error.
hMailServer sent: RCPT TO:<brandon@timbertrading.com.au>
Remote server replied: 550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1  https://support.google.com/mail/?p=NoSuchUser v1si5848946ybo.295 - gsmtp

hMailServer

mattg
Moderator
Posts: 20640
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam Assistance

Post by mattg » 2019-10-22 07:43

Is the .doc attachment being sent to that list a problem?



To catch the NDRs you can use a global rule

From contains 'mailer-daemon'
AND
To contains 'list@example.com'
Action
Forward to admin@example.com
Delete mail


You are confident that the problem was the compromised account that you changed the password to?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

MarHMS
Normal user
Posts: 116
Joined: 2015-12-11 17:10

Re: Spam Assistance

Post by MarHMS » 2019-10-22 12:27

mattg wrote:
2019-10-22 07:43
Is the .doc attachment being sent to that list a problem?
The anti-virus detects it as a trojan. I viewed it online, and it contains what looks like an image stating that MS Word couldn't start the last time and needs to start in safe mode.
mattg wrote:
2019-10-22 07:43
To catch the NDRs you can use a global rule

From contains 'mailer-daemon'
AND
To contains 'list@example.com'
Action
Forward to admin@example.com
Delete mail
I like this idea. However, how will we treat the NDRs being sent to compromised emails?
mattg wrote:
2019-10-22 07:43
You are confident that the problem was the compromised account that you changed the password to?
I confirmed in the Delivery Queue that there are 100s of emails being sent from the compromised account. Upon changing the password, all that activity ended. Then hours/few days later, the account begins to send emails again. We only know that the account is sending emails due to the NDRs. We could use a global rule for this, but it would also affect genuine NDRs.

There's a pfSense firewall in front of the server; am I going to have to isolate all the IPs and manually block them?

Can you please confirm that my auto-ban settings were properly configured?

mattg
Moderator
Posts: 20640
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam Assistance

Post by mattg » 2019-10-22 12:51

Is your PFsense on 192.168.0.1?

If so, you have a config error there somewhere, as that IP is 'autobanned' a lot.
Your higher IP range correctly takes precedence over the autoban IP range, but a LAN device triggering Autoban typically means that you have a bad password stored, or have a Trojan on that machine...

How much mail does this server normally handle per day?

I catch all NDRs and send a copy to my administrator account, without stopping the original NDR by removing the TO line of the rule

You can catch and delete NDRs to the compromised account with the same rule, just a different TO address

You would need a global rule for each recipient address.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
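MarHMS only learned of the compromised account from the NDRs and the delivery queue, and mattg points at a LAN address that is repeatedly auto-banned; the SMTP log, which the diagnostics above show is enabled, answers both questions. The following is an added example, not code from the thread or from hMailServer. It is Python standard library only; SAMPLE_LOG is constructed for the example, and its layout (tab-separated, quoted fields: session type, process id, session id, timestamp, remote IP, message) approximates hMailServer's default SMTP log and is an assumption to check against the files in E:\HMAIL\Logs. TRUSTED_NET (192.168.0.0/24) is likewise an assumption.

```python
"""Find a compromised submitting account in hMailServer SMTP logs.

Added example, not from the thread or from hMailServer. SAMPLE_LOG is constructed;
its layout (tab-separated, quoted fields: session type, process id, session id,
timestamp, remote IP, message) approximates hMailServer's default SMTP log and is
an assumption to check against the files in E:\\HMAIL\\Logs.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

TRUSTED_NET = ipaddress.ip_network("192.168.0.0/24")  # assumption: the LAN behind pfSense

SAMPLE_LOG = (
    # a normal user on the LAN: one authenticated session, one recipient
    '"SMTPD"\t3804\t11\t"2019-10-21 11:14:50.101"\t"192.168.0.50"\t"RECEIVED: AUTH LOGIN"\n'
    '"SMTPD"\t3804\t11\t"2019-10-21 11:14:50.220"\t"192.168.0.50"\t"SENT: 235 authenticated."\n'
    '"SMTPD"\t3804\t11\t"2019-10-21 11:14:50.301"\t"192.168.0.50"\t"RECEIVED: MAIL FROM:<alice@ourdomain.com>"\n'
    '"SMTPD"\t3804\t11\t"2019-10-21 11:14:50.402"\t"192.168.0.50"\t"RECEIVED: RCPT TO:<bob@example.net>"\n'
    # one account authenticating from two unrelated Internet addresses, several recipients each
    '"SMTPD"\t3804\t12\t"2019-10-21 11:15:01.010"\t"203.0.113.10"\t"RECEIVED: AUTH LOGIN"\n'
    '"SMTPD"\t3804\t12\t"2019-10-21 11:15:01.120"\t"203.0.113.10"\t"SENT: 235 authenticated."\n'
    '"SMTPD"\t3804\t12\t"2019-10-21 11:15:01.230"\t"203.0.113.10"\t"RECEIVED: MAIL FROM:<loansapproval@ourdomain.com>"\n'
    '"SMTPD"\t3804\t12\t"2019-10-21 11:15:01.340"\t"203.0.113.10"\t"RECEIVED: RCPT TO:<r1@example.net>"\n'
    '"SMTPD"\t3804\t12\t"2019-10-21 11:15:01.450"\t"203.0.113.10"\t"RECEIVED: RCPT TO:<r2@example.org>"\n'
    '"SMTPD"\t3804\t12\t"2019-10-21 11:15:01.560"\t"203.0.113.10"\t"RECEIVED: RCPT TO:<r3@example.com>"\n'
    '"SMTPD"\t3804\t13\t"2019-10-21 11:15:30.010"\t"198.51.100.7"\t"RECEIVED: AUTH LOGIN"\n'
    '"SMTPD"\t3804\t13\t"2019-10-21 11:15:30.120"\t"198.51.100.7"\t"SENT: 235 authenticated."\n'
    '"SMTPD"\t3804\t13\t"2019-10-21 11:15:30.230"\t"198.51.100.7"\t"RECEIVED: MAIL FROM:<loansapproval@ourdomain.com>"\n'
    '"SMTPD"\t3804\t13\t"2019-10-21 11:15:30.340"\t"198.51.100.7"\t"RECEIVED: RCPT TO:<r4@example.net>"\n'
    '"SMTPD"\t3804\t13\t"2019-10-21 11:15:30.450"\t"198.51.100.7"\t"RECEIVED: RCPT TO:<r5@example.org>"\n'
    '"SMTPD"\t3804\t13\t"2019-10-21 11:15:30.560"\t"198.51.100.7"\t"RECEIVED: RCPT TO:<r6@example.com>"\n'
    # a LAN host with a stale stored password: repeated 535s, the usual cause of a LAN auto-ban
    '"SMTPD"\t3804\t14\t"2019-10-21 11:16:00.000"\t"192.168.0.1"\t"SENT: 535 Authentication failed. Restarting authentication process."\n'
    '"SMTPD"\t3804\t15\t"2019-10-21 11:16:05.000"\t"192.168.0.1"\t"SENT: 535 Authentication failed. Restarting authentication process."\n'
)


@dataclass
class Session:
    ip: str
    authed: bool = False
    sender: str = ""
    rcpts: int = 0


def parse_sessions(text: str):
    """Group SMTPD lines by (process id, session id); count 535 replies per remote IP."""
    sessions, failures = {}, defaultdict(int)
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 6 or row[0] != "SMTPD":
            continue
        _, pid, sid, _ts, ip, msg = row[:6]
        s = sessions.setdefault((pid, sid), Session(ip))
        if msg.startswith("SENT: 235"):
            s.authed = True
        elif msg.startswith("SENT: 535"):
            failures[ip] += 1
        elif msg.startswith("RECEIVED: MAIL FROM:"):
            s.sender = msg.split("<", 1)[1].split(">", 1)[0].lower()
        elif msg.startswith("RECEIVED: RCPT TO:"):
            s.rcpts += 1
    return list(sessions.values()), dict(failures)


def suspicious_senders(sessions, max_external_ips=1, max_rcpts=5):
    """Authenticated senders that submit from more than max_external_ips addresses
    outside TRUSTED_NET, or to more than max_rcpts recipients in the log window.
    The returned IP lists are what you would feed to a pfSense block alias."""
    per_sender = defaultdict(lambda: {"ips": set(), "rcpts": 0})
    for s in sessions:
        if not (s.authed and s.sender):
            continue
        agg = per_sender[s.sender]
        agg["rcpts"] += s.rcpts
        if ipaddress.ip_address(s.ip) not in TRUSTED_NET:
            agg["ips"].add(s.ip)
    return {snd: sorted(a["ips"]) for snd, a in per_sender.items()
            if len(a["ips"]) > max_external_ips or a["rcpts"] > max_rcpts}


def report(text: str):
    sessions, failures = parse_sessions(text)
    return suspicious_senders(sessions), failures


if __name__ == "__main__":
    flagged, failed = report(SAMPLE_LOG)
    for sender, ips in flagged.items():
        print(f"possible compromise: {sender} submitted from {', '.join(ips)}")
    for ip, n in failed.items():
        print(f"{n} failed logins from {ip}")
```

Run it against a day's hmailserver_YYYY-MM-DD.log instead of SAMPLE_LOG and the flagged sender is the account to re-secure (on this server that means the Active Directory password, since most accounts are AD-linked), while the failure counts tell you which LAN host is tripping Auto-ban. The thresholds are deliberately low for a ~100-message-a-day server; raise them for a busier one.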

MarHMS
Normal user
Posts: 116
Joined: 2015-12-11 17:10

Re: Spam Assistance

Post by MarHMS » 2019-10-22 14:54

mattg wrote:
2019-10-22 12:51
Is your PFsense on 192.168.0.1?

If so, you have a config error there somewhere, as that IP is 'autobanned' a lot.
Your higher IP range correctly takes precedence over the autoban IP range, but a LAN device triggering Autoban typically means that you have a bad password stored, or have a Trojan on that machine...
This could be users utilizing MS Outlook. At least 90% of all accounts on hMS are linked to their respective Active Directory accounts, so when passwords expire bad logins are recorded.
mattg wrote:
2019-10-22 12:51
How much mail does this server normally handle per day?
At least 100 emails per day
mattg wrote:
2019-10-22 12:51
I catch all NDRs and send a copy to my administrator account, without stopping the original NDR by removing the TO line of the rule

You can catch and delete NDRs to the compromised account with the same rule, just a different TO address

You would need a global rule each recipient address
So I'll start with catching all NDRs sent to all hosted domains.

This should be good right?

From contains 'mailer-daemon'
Action
Forward to admin@example.com
Delete mail

MarHMS
Normal user
Posts: 116
Joined: 2015-12-11 17:10

Re: Spam Assistance

Post by MarHMS » 2019-10-22 15:15

MarHMS wrote:
2019-10-22 03:02
mattg wrote:
2019-10-22 00:47
How do you know that these are used to SEND spam?

Or is it just that that is where the NDRs (Non Delivery Reports) are going, causing everyone in the distribution list to get a copy?

diagnostics look fine to me
That's where the non-delivery reports go. All email addresses associated with the distribution email get a copy of the email sent.

Here's a copy of the header of one of the most recent emails. It had a .doc attachment. This wasn't a non-delivery email; the email was sent to the distribution email.

[spam header quoted in full in the 2019-10-22 03:02 post above]
How would this be handled, though?

How about another global rule?

From contains 'ourdomain'
AND
Body contains 'Report'
AND
Subject equals

Action
Forward to admin@example.com
Delete mail

Problem is, it might catch genuine emails. The spam email's From in the header above is "ourdomain" <jemima@chaswood.com.my>; how can I handle that?

mattg
Moderator
Posts: 20640
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam Assistance

Post by mattg » 2019-10-22 23:28

Rules use the SMTP envelope FROM and TO, not the message headers.

You would need to check logs in HMailserver to see what is used.

I don't delete any NDRs (I like my users to see them when they get an address wrong), but I do like to get a copy...
My rule (I think) catches both inbound and outbound daemon messages
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
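The NDR rule mattg describes earlier in the thread and the display-name question MarHMS raises in the post above both come down to reading the headers that were quoted. The following is an added example, not code from the thread or from hMailServer, Python standard library only. It classifies each quoted message as a bounce (and whether the bounced original went through this server, which is the signal of a compromised local account rather than someone forging the domain elsewhere), flags a From display name that claims a hosted domain while the address is external, and pulls the earliest Received hop for blocking. The Return-Path header is what hMailServer recorded from the envelope MAIL FROM, so the example checks it first; real bounces carry the null sender. OUR_DOMAINS and the trimmed header samples are assumptions.

```python
"""Tell backscatter NDRs from direct spam, and spot display-name spoofing.

Added example, not from the thread or from hMailServer: standard library only.
The three header samples are trimmed copies of the headers quoted in the posts
above (long X-* headers dropped); OUR_DOMAINS is an assumption.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

OUR_DOMAINS = {"ourdomain.com"}      # assumption: the domains hosted on this hMailServer
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster"}

# Direct spam to a distribution list: display name says "ourdomain", the address does not.
SPAM = """\
Return-Path: jemima@chaswood.com.my
Received: from mx12-out5.antispamcloud.com (mx12-out5.antispamcloud.com [46.165.232.175]) by mail.ourdomain.com with ESMTPS ; Mon, 21 Oct 2019 11:17:52 -0500
Received: from [105.247.25.67] by mail-01.chaswood.com.my with esmtpsa (envelope-from <jemima@chaswood.com.my>) for fufgroup@ourdomain.com; Tue, 22 Oct 2019 00:14:31 +0800
From: "ourdomain" <jemima@chaswood.com.my>
To: <fufgroup@ourdomain.com>
Subject:
Content-Type: multipart/mixed; boundary="----=_Part_1176"
"""

# Remote NDR whose In-Reply-To points at a Message-ID minted by our own server.
NDR_REMOTE = """\
Return-Path:
From: <postmaster@SDUSD.onmicrosoft.com>
To: <loansapproval@ourdomain.com>
Content-Type: multipart/report; report-type=delivery-status; boundary="79fa56f1"
In-Reply-To: <4FE75E85-33B8-44FE-9E72-C236D65013E6@mail.ourdomain.com>
Subject: Undeliverable: RE: Lease-Leaseback Announcement
Auto-Submitted: auto-replied
"""

# NDR generated by hMailServer itself after the remote 550.
NDR_LOCAL = """\
Return-Path: <>
Content-Type: text/plain; charset="utf-8"
From: mailer-daemon@mail.ourdomain.com
To: accountsreceivables@ourdomain.com
Subject: Message undeliverable:
X-hMailServer-LoopCount: 1
"""


def parse(raw: str):
    """Headers only; the default compat32 policy keeps every value a plain string."""
    return HeaderParser().parsestr(raw, headersonly=True)


def _ours(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in OUR_DOMAINS)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def envelope_sender(msg) -> str:
    """Return-Path is what hMailServer wrote from MAIL FROM; bounces use the null sender."""
    return parseaddr(msg.get("Return-Path", ""))[1].lower()


def is_bounce(msg) -> bool:
    """RFC 3464 delivery-status report, or a mailer-daemon/postmaster with a null sender."""
    if (msg.get_content_type() == "multipart/report"
            and (msg.get_param("report-type") or "").lower() == "delivery-status"):
        return True
    local = parseaddr(msg.get("From", ""))[1].split("@", 1)[0].lower()
    return local in BOUNCE_LOCALPARTS and envelope_sender(msg) == ""


def originated_locally(msg) -> bool:
    """For a bounce: did the bounced original go through our server? True when our
    own MTA produced the NDR, or a remote NDR quotes a Message-ID under our domain."""
    if _ours(_domain(parseaddr(msg.get("From", ""))[1])):
        return True
    ids = re.findall(r"<([^>]+)>", msg.get("In-Reply-To", "") + " " + msg.get("References", ""))
    return any(_ours(_domain(mid)) for mid in ids)


def display_name_spoof(msg) -> bool:
    """Display name names one of our domains but the address is external. A rule on
    the sender address alone will not see this; the display name must be inspected."""
    name, addr = parseaddr(msg.get("From", ""))
    if _ours(_domain(addr)):
        return False
    labels = OUR_DOMAINS | {d.split(".")[0] for d in OUR_DOMAINS}
    return any(lbl in name.lower() for lbl in labels)


def submitting_ip(msg) -> str:
    """Earliest Received hop: the client that handed the mail to the first MTA."""
    hops = msg.get_all("Received") or []
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hops[-1]) if hops else None
    return m.group(1) if m else ""


def classify(raw: str) -> str:
    msg = parse(raw)
    if is_bounce(msg):
        return "bounce-of-local-message" if originated_locally(msg) else "bounce"
    if display_name_spoof(msg):
        return "display-name-spoof"
    return "other"


if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("ndr_remote", NDR_REMOTE), ("ndr_local", NDR_LOCAL)):
        print(f"{label:10} {classify(raw):24} first hop {submitting_ip(parse(raw)) or '-'}")
```

A "bounce-of-local-message" result is the one worth alerting on: it means the bounced original really was submitted through this hMailServer, so an account password (not just a forged From) is in play. The antispamcloud message, by contrast, is not a bounce at all and its envelope sender is a third party's authenticated account; the 105.247.25.67 first hop is the only address on your side worth blocking, and only until the next one appears.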

MarHMS
Normal user
Posts: 116
Joined: 2015-12-11 17:10

Re: Spam Assistance

Post by MarHMS » 2019-10-24 07:24

MarHMS wrote:
2019-10-22 15:15
MarHMS wrote:
2019-10-22 03:02
mattg wrote:
2019-10-22 00:47
How do you know that these are used to SEND spam?

Or is it just that that is where the NDRs (Non Delivery Reports) are going, causing everyone in the distribution list to get a copy?

diagnostics look fine to me
That's where the non-delivery reports go. All email addresses associated with the distribution email get a copy of the email sent.

Here's a copy of the header of one of the most recent emails. It had a .doc attachment. This wasn't a non-delivery email; the email was sent to the distribution email.

[spam header quoted in full in the 2019-10-22 03:02 post above]
How would this be handled, though?
How will I handle these emails? They are spam emails being sent to individual email addresses and distribution addresses. These aren't NDRs. They have .doc attachments.

mattg
Moderator
Posts: 20640
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam Assistance

Post by mattg » 2019-10-24 09:28

So your users are receiving SPAM, not NDRs??

We find the SaneSecurity database catches a lot of this type of SPAM
https://www.hmailserver.com/forum/viewt ... 58#p180258

I run Clam + SaneSecurity checks via my SpamAssassin rules.
You could do that or just use ClamAV + SaneSecurity Definitions as an AV solution
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

MarHMS
Normal user
Posts: 116
Joined: 2015-12-11 17:10

Re: Spam Assistance

Post by MarHMS » 2019-10-27 04:59

mattg wrote:
2019-10-24 09:28
So your users are receiving SPAM, not NDRs??

We find the SaneSecurity database catches a lot of this type of SPAM
https://www.hmailserver.com/forum/viewt ... 58#p180258

I run Clam + SaneSecurity checks via my SpamAssassin rules.
You could do that or just use ClamAV + SaneSecurity Definitions as an AV solution
I actually have all of these already set up.

Latest sigupdate


Started: Sat 10/26/2019-21:00:00.35 
Downloading files from mirror...  
opening tcp connection to rsync.sanesecurity.net port 873
sending daemon args: --server --sender -vvtpze.LsfxC --timeout=120 . "sanesecurity/*"  (6 args)
delta-transmission enabled
.f          MiscreantPunch-Info.txt
.f          MiscreantPunch099-INFO-Low.ldb
.f          MiscreantPunch099-INFO-Low.ldb.md5
.f          MiscreantPunch099-INFO-Low.ldb.sha256
.f          MiscreantPunch099-INFO-Low.ldb.sig
.f          MiscreantPunch099-Low.ldb
.f          MiscreantPunch099-Low.ldb.md5
.f          MiscreantPunch099-Low.ldb.sha256
.f          MiscreantPunch099-Low.ldb.sig
.f          Sanesecurity_BlackEnergy.yara
.f          Sanesecurity_BlackEnergy.yara.md5
.f          Sanesecurity_BlackEnergy.yara.sha256
.f          Sanesecurity_BlackEnergy.yara.sig
.f          Sanesecurity_sigtest.yara
.f          Sanesecurity_sigtest.yara.md5
.f          Sanesecurity_sigtest.yara.sha256
.f          Sanesecurity_sigtest.yara.sig
.f          Sanesecurity_spam.yara
.f          Sanesecurity_spam.yara.md5
.f          Sanesecurity_spam.yara.sha256
.f          Sanesecurity_spam.yara.sig
.f          TIMESTAMP
.f          TIMESTAMP.sig
.f          badmacro.ndb
.f          badmacro.ndb.md5
.f          badmacro.ndb.sha256
.f          badmacro.ndb.sig
.f          blurl.ndb
.f          blurl.ndb.md5
.f          blurl.ndb.sha256
.f          blurl.ndb.sig
.f          bofhland_cracked_URL.ndb
.f          bofhland_cracked_URL.ndb.md5
.f          bofhland_cracked_URL.ndb.sha256
.f          bofhland_cracked_URL.ndb.sig
.f          bofhland_malware_URL.ndb
.f          bofhland_malware_URL.ndb.md5
.f          bofhland_malware_URL.ndb.sha256
.f          bofhland_malware_URL.ndb.sig
.f          bofhland_malware_attach.hdb
.f          bofhland_malware_attach.hdb.md5
.f          bofhland_malware_attach.hdb.sha256
.f          bofhland_malware_attach.hdb.sig
.f          bofhland_phishing_URL.ndb
.f          bofhland_phishing_URL.ndb.md5
.f          bofhland_phishing_URL.ndb.sha256
.f          bofhland_phishing_URL.ndb.sig
.f          crdfam.clamav.hdb
.f          crdfam.clamav.hdb.md5
.f          crdfam.clamav.hdb.sha256
.f          crdfam.clamav.hdb.sig
.f          doppelstern-phishtank.ndb
.f          doppelstern-phishtank.ndb.md5
.f          doppelstern-phishtank.ndb.sha256
.f          doppelstern-phishtank.ndb.sig
.f          doppelstern.hdb
.f          doppelstern.hdb.md5
.f          doppelstern.hdb.sha256
.f          doppelstern.hdb.sig
.f          doppelstern.ndb
.f          doppelstern.ndb.md5
.f          doppelstern.ndb.sha256
.f          doppelstern.ndb.sig
.f          foxhole_all.cdb
.f          foxhole_all.cdb.md5
.f          foxhole_all.cdb.sha256
.f          foxhole_all.cdb.sig
.f          foxhole_all.ndb
.f          foxhole_all.ndb.md5
.f          foxhole_all.ndb.sha256
.f          foxhole_all.ndb.sig
.f          foxhole_filename.cdb
.f          foxhole_filename.cdb.md5
.f          foxhole_filename.cdb.sha256
.f          foxhole_filename.cdb.sig
.f          foxhole_generic.cdb
.f          foxhole_generic.cdb.md5
.f          foxhole_generic.cdb.sha256
.f          foxhole_generic.cdb.sig
.f          foxhole_js.cdb
.f          foxhole_js.cdb.md5
.f          foxhole_js.cdb.sha256
.f          foxhole_js.cdb.sig
.f          foxhole_js.ndb
.f          foxhole_js.ndb.md5
.f          foxhole_js.ndb.sha256
.f          foxhole_js.ndb.sig
.f          foxhole_mail.cdb
.f          foxhole_mail.cdb.md5
.f          foxhole_mail.cdb.sha256
.f          foxhole_mail.cdb.sig
.f          grab_winnow.err
.f          hackingteam.hsb
.f          hackingteam.hsb.md5
.f          hackingteam.hsb.sha256
.f          hackingteam.hsb.sig
.f          junk.ndb
.f          junk.ndb.md5
.f          junk.ndb.sha256
.f          junk.ndb.sig
.f          jurlbl.ndb
.f          jurlbl.ndb.md5
.f          jurlbl.ndb.sha256
.f          jurlbl.ndb.sig
.f          jurlbla.ndb
.f          jurlbla.ndb.md5
.f          jurlbla.ndb.sha256
.f          jurlbla.ndb.sig
.f          lott.ndb
.f          lott.ndb.md5
.f          lott.ndb.sha256
.f          lott.ndb.sig
.f          malware.expert.fp
.f          malware.expert.fp.md5
.f          malware.expert.fp.sha256
.f          malware.expert.fp.sig
.f          malware.expert.hdb
.f          malware.expert.hdb.md5
.f          malware.expert.hdb.sha256
.f          malware.expert.hdb.sig
.f          malware.expert.ldb
.f          malware.expert.ldb.md5
.f          malware.expert.ldb.sha256
.f          malware.expert.ldb.sig
.f          malware.expert.ndb
.f          malware.expert.ndb.md5
.f          malware.expert.ndb.sha256
.f          malware.expert.ndb.sig
.f          malwarehash.hsb
.f          malwarehash.hsb.md5
.f          malwarehash.hsb.sha256
.f          malwarehash.hsb.sig
.f          phish.ndb
.f          phish.ndb.md5
.f          phish.ndb.sha256
.f          phish.ndb.sig
.f          phishtank.ndb
.f          phishtank.ndb.md5
.f          phishtank.ndb.sha256
.f          phishtank.ndb.sig
.f          porcupine.hsb
.f          porcupine.hsb.md5
.f          porcupine.hsb.sha256
.f          porcupine.hsb.sig
.f          porcupine.ndb
.f          porcupine.ndb.md5
.f          porcupine.ndb.sha256
.f          porcupine.ndb.sig
.f          readme.txt
.f          rogue.hdb
.f          rogue.hdb.md5
.f          rogue.hdb.sha256
.f          rogue.hdb.sig
.f          sanesecurity.ftm
.f          sanesecurity.ftm.md5
.f          sanesecurity.ftm.sha256
.f          sanesecurity.ftm.sig
.f          scam.ndb
.f          scam.ndb.md5
.f          scam.ndb.sha256
.f          scam.ndb.sig
.f          scamnailer.ndb
.f          scamnailer.ndb.md5
.f          scamnailer.ndb.sha256
.f          scamnailer.ndb.sig
.f          shelter.ldb
.f          shelter.ldb.md5
.f          shelter.ldb.sha256
.f          shelter.ldb.sig
.f          sigs_updated.txt
.f          sigwhitelist.ign2
.f          sigwhitelist.ign2.md5
.f          sigwhitelist.ign2.sha256
.f          sigwhitelist.ign2.sig
.f          spam.ldb
.f          spam.ldb.md5
.f          spam.ldb.sha256
.f          spam.ldb.sig
.f          spamattach.hdb
.f          spamattach.hdb.md5
.f          spamattach.hdb.sha256
.f          spamattach.hdb.sig
.f          spamimg.hdb
.f          spamimg.hdb.md5
.f          spamimg.hdb.sha256
.f          spamimg.hdb.sig
.f          spear.ndb
.f          spear.ndb.md5
.f          spear.ndb.sha256
.f          spear.ndb.sig
.f          spearl.ndb
.f          spearl.ndb.md5
.f          spearl.ndb.sha256
.f          spearl.ndb.sig
.f          winnow.attachments.hdb
.f          winnow.attachments.hdb.md5
.f          winnow.attachments.hdb.sha256
.f          winnow.attachments.hdb.sig
.f          winnow.complex.patterns.ldb
.f          winnow.complex.patterns.ldb.md5
.f          winnow.complex.patterns.ldb.sha256
.f          winnow.complex.patterns.ldb.sig
.f          winnow_bad_cw.hdb
.f          winnow_bad_cw.hdb.md5
.f          winnow_bad_cw.hdb.sha256
.f          winnow_bad_cw.hdb.sig
.f          winnow_extended_malware.hdb
.f          winnow_extended_malware.hdb.md5
.f          winnow_extended_malware.hdb.sha256
.f          winnow_extended_malware.hdb.sig
.f          winnow_extended_malware_links.ndb
.f          winnow_extended_malware_links.ndb.md5
.f          winnow_extended_malware_links.ndb.sha256
.f          winnow_extended_malware_links.ndb.sig
.f          winnow_malware.hdb
.f          winnow_malware.hdb.md5
.f          winnow_malware.hdb.sha256
.f          winnow_malware.hdb.sig
.f          winnow_malware_links.ndb
.f          winnow_malware_links.ndb.md5
.f          winnow_malware_links.ndb.sha256
.f          winnow_malware_links.ndb.sig
.f          winnow_phish_complete.ndb
.f          winnow_phish_complete.ndb.md5
.f          winnow_phish_complete.ndb.sha256
.f          winnow_phish_complete.ndb.sig
.f          winnow_phish_complete_url.ndb
.f          winnow_phish_complete_url.ndb.md5
.f          winnow_phish_complete_url.ndb.sha256
.f          winnow_phish_complete_url.ndb.sig
.f          winnow_spam_complete.ndb
.f          winnow_spam_complete.ndb.md5
.f          winnow_spam_complete.ndb.sha256
.f          winnow_spam_complete.ndb.sig

sent 722 bytes  received 7,624 bytes  5,564.00 bytes/sec
total size is 27,196,795  speedup is 3,258.66
Copying changed databases into ClamAV/ClamWin [C:\ProgramData\.clamwin\db] database directory... 
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
Finished: Sat 10/26/2019-21:00:02.01 
Last time it downloaded an update

Code:

Started: Thu 10/24/2019-23:00:03.06 
Downloading files from mirror...  
opening tcp connection to rsync.sanesecurity.net port 873
sending daemon args: --server --sender -vvtpze.LsfxC --timeout=120 . "sanesecurity/*"  (6 args)
delta-transmission enabled
>f..t...... MiscreantPunch-Info.txt
>f..t...... MiscreantPunch099-INFO-Low.ldb
>f..t...... MiscreantPunch099-INFO-Low.ldb.md5
>f..t...... MiscreantPunch099-INFO-Low.ldb.sha256
>f..t...... MiscreantPunch099-INFO-Low.ldb.sig
>f..t...... MiscreantPunch099-Low.ldb
>f..t...... MiscreantPunch099-Low.ldb.md5
>f..t...... MiscreantPunch099-Low.ldb.sha256
>f..t...... MiscreantPunch099-Low.ldb.sig
.f          Sanesecurity_BlackEnergy.yara
.f          Sanesecurity_BlackEnergy.yara.md5
.f          Sanesecurity_BlackEnergy.yara.sha256
.f          Sanesecurity_BlackEnergy.yara.sig
.f          Sanesecurity_sigtest.yara
.f          Sanesecurity_sigtest.yara.md5
.f          Sanesecurity_sigtest.yara.sha256
.f          Sanesecurity_sigtest.yara.sig
.f          Sanesecurity_spam.yara
.f          Sanesecurity_spam.yara.md5
.f          Sanesecurity_spam.yara.sha256
.f          Sanesecurity_spam.yara.sig
>f..t...... TIMESTAMP
>f..t...... TIMESTAMP.sig
.f          badmacro.ndb
.f          badmacro.ndb.md5
.f          badmacro.ndb.sha256
.f          badmacro.ndb.sig
>f..t...... blurl.ndb
>f..t...... blurl.ndb.md5
>f..t...... blurl.ndb.sha256
>f..t...... blurl.ndb.sig
>f..t...... bofhland_cracked_URL.ndb
.f          bofhland_cracked_URL.ndb.md5
.f          bofhland_cracked_URL.ndb.sha256
.f          bofhland_cracked_URL.ndb.sig
>f..t...... bofhland_malware_URL.ndb
.f          bofhland_malware_URL.ndb.md5
.f          bofhland_malware_URL.ndb.sha256
.f          bofhland_malware_URL.ndb.sig
>f..t...... bofhland_malware_attach.hdb
.f          bofhland_malware_attach.hdb.md5
.f          bofhland_malware_attach.hdb.sha256
.f          bofhland_malware_attach.hdb.sig
>f..t...... bofhland_phishing_URL.ndb
.f          bofhland_phishing_URL.ndb.md5
.f          bofhland_phishing_URL.ndb.sha256
.f          bofhland_phishing_URL.ndb.sig
.f          crdfam.clamav.hdb
.f          crdfam.clamav.hdb.md5
.f          crdfam.clamav.hdb.sha256
.f          crdfam.clamav.hdb.sig
.f          doppelstern-phishtank.ndb
.f          doppelstern-phishtank.ndb.md5
.f          doppelstern-phishtank.ndb.sha256
.f          doppelstern-phishtank.ndb.sig
.f          doppelstern.hdb
.f          doppelstern.hdb.md5
.f          doppelstern.hdb.sha256
.f          doppelstern.hdb.sig
.f          doppelstern.ndb
.f          doppelstern.ndb.md5
.f          doppelstern.ndb.sha256
.f          doppelstern.ndb.sig
.f          foxhole_all.cdb
.f          foxhole_all.cdb.md5
.f          foxhole_all.cdb.sha256
.f          foxhole_all.cdb.sig
.f          foxhole_all.ndb
.f          foxhole_all.ndb.md5
.f          foxhole_all.ndb.sha256
.f          foxhole_all.ndb.sig
.f          foxhole_filename.cdb
.f          foxhole_filename.cdb.md5
.f          foxhole_filename.cdb.sha256
.f          foxhole_filename.cdb.sig
.f          foxhole_generic.cdb
.f          foxhole_generic.cdb.md5
.f          foxhole_generic.cdb.sha256
.f          foxhole_generic.cdb.sig
.f          foxhole_js.cdb
.f          foxhole_js.cdb.md5
.f          foxhole_js.cdb.sha256
.f          foxhole_js.cdb.sig
.f          foxhole_js.ndb
.f          foxhole_js.ndb.md5
.f          foxhole_js.ndb.sha256
.f          foxhole_js.ndb.sig
.f          foxhole_mail.cdb
.f          foxhole_mail.cdb.md5
.f          foxhole_mail.cdb.sha256
.f          foxhole_mail.cdb.sig
.f          grab_winnow.err
.f          hackingteam.hsb
.f          hackingteam.hsb.md5
.f          hackingteam.hsb.sha256
.f          hackingteam.hsb.sig
.f          junk.ndb
.f          junk.ndb.md5
.f          junk.ndb.sha256
.f          junk.ndb.sig
.f          jurlbl.ndb
.f          jurlbl.ndb.md5
.f          jurlbl.ndb.sha256
.f          jurlbl.ndb.sig
>f..t...... jurlbla.ndb
>f..t...... jurlbla.ndb.md5
>f..t...... jurlbla.ndb.sha256
>f..t...... jurlbla.ndb.sig
.f          lott.ndb
.f          lott.ndb.md5
.f          lott.ndb.sha256
.f          lott.ndb.sig
>f..t...... malware.expert.fp
>f..t...... malware.expert.fp.md5
>f..t...... malware.expert.fp.sha256
>f..t...... malware.expert.fp.sig
>f..t...... malware.expert.hdb
>f..t...... malware.expert.hdb.md5
>f..t...... malware.expert.hdb.sha256
>f..t...... malware.expert.hdb.sig
>f..t...... malware.expert.ldb
>f..t...... malware.expert.ldb.md5
>f..t...... malware.expert.ldb.sha256
>f..t...... malware.expert.ldb.sig
>f..t...... malware.expert.ndb
>f..t...... malware.expert.ndb.md5
>f..t...... malware.expert.ndb.sha256
>f..t...... malware.expert.ndb.sig
.f          malwarehash.hsb
.f          malwarehash.hsb.md5
.f          malwarehash.hsb.sha256
.f          malwarehash.hsb.sig
.f          phish.ndb
.f          phish.ndb.md5
.f          phish.ndb.sha256
.f          phish.ndb.sig
>f..t...... phishtank.ndb
.f          phishtank.ndb.md5
.f          phishtank.ndb.sha256
.f          phishtank.ndb.sig
>f.st...... porcupine.hsb
>f..t...... porcupine.hsb.md5
>f..t...... porcupine.hsb.sha256
>f..t...... porcupine.hsb.sig
>f..t...... porcupine.ndb
.f          porcupine.ndb.md5
.f          porcupine.ndb.sha256
.f          porcupine.ndb.sig
.f          readme.txt
.f          rogue.hdb
.f          rogue.hdb.md5
.f          rogue.hdb.sha256
.f          rogue.hdb.sig
.f          sanesecurity.ftm
.f          sanesecurity.ftm.md5
.f          sanesecurity.ftm.sha256
.f          sanesecurity.ftm.sig
.f          scam.ndb
.f          scam.ndb.md5
.f          scam.ndb.sha256
.f          scam.ndb.sig
.f          scamnailer.ndb
.f          scamnailer.ndb.md5
.f          scamnailer.ndb.sha256
.f          scamnailer.ndb.sig
.f          shelter.ldb
.f          shelter.ldb.md5
.f          shelter.ldb.sha256
.f          shelter.ldb.sig
>f.st...... sigs_updated.txt
.f          sigwhitelist.ign2
.f          sigwhitelist.ign2.md5
.f          sigwhitelist.ign2.sha256
.f          sigwhitelist.ign2.sig
.f          spam.ldb
.f          spam.ldb.md5
.f          spam.ldb.sha256
.f          spam.ldb.sig
.f          spamattach.hdb
.f          spamattach.hdb.md5
.f          spamattach.hdb.sha256
.f          spamattach.hdb.sig
.f          spamimg.hdb
.f          spamimg.hdb.md5
.f          spamimg.hdb.sha256
.f          spamimg.hdb.sig
>f..t...... spear.ndb
.f          spear.ndb.md5
.f          spear.ndb.sha256
.f          spear.ndb.sig
.f          spearl.ndb
.f          spearl.ndb.md5
.f          spearl.ndb.sha256
.f          spearl.ndb.sig
.f          winnow.attachments.hdb
.f          winnow.attachments.hdb.md5
.f          winnow.attachments.hdb.sha256
.f          winnow.attachments.hdb.sig
.f          winnow.complex.patterns.ldb
.f          winnow.complex.patterns.ldb.md5
.f          winnow.complex.patterns.ldb.sha256
.f          winnow.complex.patterns.ldb.sig
.f          winnow_bad_cw.hdb
.f          winnow_bad_cw.hdb.md5
.f          winnow_bad_cw.hdb.sha256
.f          winnow_bad_cw.hdb.sig
.f          winnow_extended_malware.hdb
.f          winnow_extended_malware.hdb.md5
.f          winnow_extended_malware.hdb.sha256
.f          winnow_extended_malware.hdb.sig
.f          winnow_extended_malware_links.ndb
.f          winnow_extended_malware_links.ndb.md5
.f          winnow_extended_malware_links.ndb.sha256
.f          winnow_extended_malware_links.ndb.sig
.f          winnow_malware.hdb
.f          winnow_malware.hdb.md5
.f          winnow_malware.hdb.sha256
.f          winnow_malware.hdb.sig
.f          winnow_malware_links.ndb
.f          winnow_malware_links.ndb.md5
.f          winnow_malware_links.ndb.sha256
.f          winnow_malware_links.ndb.sig
.f          winnow_phish_complete.ndb
.f          winnow_phish_complete.ndb.md5
.f          winnow_phish_complete.ndb.sha256
.f          winnow_phish_complete.ndb.sig
.f          winnow_phish_complete_url.ndb
.f          winnow_phish_complete_url.ndb.md5
.f          winnow_phish_complete_url.ndb.sha256
.f          winnow_phish_complete_url.ndb.sig
.f          winnow_spam_complete.ndb
.f          winnow_spam_complete.ndb.md5
.f          winnow_spam_complete.ndb.sha256
.f          winnow_spam_complete.ndb.sig

sent 31,732 bytes  received 10,486 bytes  7,676.00 bytes/sec
total size is 27,171,434  speedup is 643.60
Copying changed databases into ClamAV/ClamWin [C:\ProgramData\.clamwin\db] database directory... 
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
E:\ClamWin\Sigupdate\dbtemp\blurl.ndb -> C:\ProgramData\.clamwin\db\blurl.ndb
1 File(s) copied
0 File(s) copied
0 File(s) copied
0 File(s) copied
Finished: Thu 10/24/2019-23:00:12.43 
