Spambot pumping out emails blocking my server's IP

reflex84
Normal user
Posts: 124
Joined: 2015-01-18 11:49

Spambot pumping out emails blocking my server's IP

Post by reflex84 » 2020-04-27 14:24

Hi,

This started on the 23rd April, when I was informed by a client who wasn't receiving her own test emails, which prompted me to check whether her emails were still waiting in the delivery queue. Lo and behold, I saw hundreds of spam emails piling up in the delivery queue from "order@unileverprocurement.nl".

I stopped / paused HM for 5 minutes and restarted HM again, which seemed to stop any more spam from being sent.
I removed all the spam emails from the delivery queue and kept an eye on live logging.

No more of that spam until it started pumping out emails again today, the 27th April, also from order@unileverprocurement.nl.

order@unileverprocurement.nl is NOT a domain I have.
So it seems this is spam being sent from external to external.
It's definitely using my server's IP to send emails, because I am blacklisted on a couple of servers when checking through MXToolBox.com.

I am under the assumption that one of my clients has a virus or malware on their PC BUT I have no idea how to find out which client it is considering the FROM email is always order@unileverprocurement.nl ??

Here is a log snippet:

"DEBUG"	6132	"2020-04-27 06:52:02.764"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	6132	"2020-04-27 06:52:02.764"	"Delivering message..."
"APPLICATION"	6132	"2020-04-27 06:52:02.764"	"SMTPDeliverer - Message 2970337: Delivering message from order@unileverprocurement.nl to chrisp@bwssal.com, chrisp@proautonya.com, chrisp@rochester.rr.com, chrispak24@freewhole.com, chrispalmer@aelawyers.com, chrisparton@mindspring.com, chrispattersoninc@yahoo.com, chrispells@home.com, chrispetrarca@yahoo.com, chrispj@webtv.net, chrisposey@attbi.com, chrispsi@bellsouth.net, chrisreplogle1489@hotmail.com, chrisrhood@aol.com, chrisrichardloanfirm@gmail.com, chrisrichardloanfirm@hotmail.com, chrisrobinloan002@gmail.com, chrisroth@bellsouth.net, chrisroth@hancockinsurance.com, chriss1c@comcast.net. File: C:\Program Files (x86)\hMailServer\Data\{1557916D-F282-4528-A9F1-413010AD47BD}.eml"
"DEBUG"	6132	"2020-04-27 06:52:02.764"	"Applying rules"
"DEBUG"	6132	"2020-04-27 06:52:02.764"	"Performing local delivery"
"DEBUG"	6132	"2020-04-27 06:52:02.764"	"Local delivery completed"
"TCPIP"	6132	"2020-04-27 06:52:02.764"	"DNS MX lookup: home.com"
"SMTPD"	4544	299833	"2020-04-27 06:52:02.795"	"197.185.109.83"	"RECEIVED: mail FROM:<order@unileverprocurement.nl> size=252366"
"SMTPD"	4544	299833	"2020-04-27 06:52:02.795"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	4544	299833	"2020-04-27 06:52:02.826"	"197.185.109.83"	"RECEIVED: rcpt TO:<chriss@northeast-tool.com>"
"SMTPD"	4544	299833	"2020-04-27 06:52:02.826"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	2012	299833	"2020-04-27 06:52:02.857"	"197.185.109.83"	"RECEIVED: rcpt TO:<chriss@redwavenet.com>"
"SMTPD"	2012	299833	"2020-04-27 06:52:02.857"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	4544	299833	"2020-04-27 06:52:02.904"	"197.185.109.83"	"RECEIVED: rcpt TO:<chriss@spectralogic.com>"
"SMTPD"	4544	299833	"2020-04-27 06:52:02.904"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	2012	299833	"2020-04-27 06:52:02.936"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissac@microsoft.com>"
"SMTPD"	2012	299833	"2020-04-27 06:52:02.936"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	4544	299833	"2020-04-27 06:52:02.967"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissackiw@gmail.com>"
"SMTPD"	4544	299833	"2020-04-27 06:52:02.967"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.014"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrisserubi@hotmail.com>"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.014"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	4544	299833	"2020-04-27 06:52:03.061"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrisservice@ycnx.net>"
"SMTPD"	4544	299833	"2020-04-27 06:52:03.061"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.092"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissietuller@yahoo.com>"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.107"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.139"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissmith@tooldoctor.net>"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.139"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	4544	299833	"2020-04-27 06:52:03.170"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissmsm@hotmail.com>"
"SMTPD"	4544	299833	"2020-04-27 06:52:03.170"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.201"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissolarin@yahoo.com>"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.201"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	4544	299833	"2020-04-27 06:52:03.248"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissstuff@msn.com>"
"SMTPD"	4544	299833	"2020-04-27 06:52:03.248"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.295"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissy528@juno.com>"
"SMTPD"	2012	299833	"2020-04-27 06:52:03.295"	"197.185.109.83"	"SENT: 250 OK"
"SMTPD"	4544	299833	"2020-04-27 06:52:03.326"	"197.185.109.83"	"RECEIVED: rcpt TO:<chrissy81_379@hotmail.com>"
"SMTPD"	4544	299833	"2020-04-27 06:52:03.326"	"197.185.109.83"	"SENT: 250 OK"
"TCPIP"	6132	"2020-04-27 06:52:03.342"	"DNS - MX Result: 6 IP addresses were found."
"DEBUG"	6132	"2020-04-27 06:52:03.342"	"Starting external delivery process. Server: home.com (198.58.118.167), Port: 25, Security: 2, User name: "
"DEBUG"	6132	"2020-04-27 06:52:03.342"	"Creating session 299837"
"TCPIP"	6132	"2020-04-27 06:52:03.342"	"Connecting to 198.58.118.167:25..."

FYI: I do not know this IP:
197.185.109.83


Diagnostic Tool:

2020-04-27   Hmailserver: 5.6-B2145

DOMAINS

   "Domain1.com" - acxxxxxxxxxxx.co.za            Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - acxxxxxxxxxxxxxxxxxxxxx.co.za  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain3.com" - avxxxxxxxxxxxxx.co.za          Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain4.com" - buxxxxxxxxxxxxxxx.co.za        Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain5.com" - coxxxxxxxxxxxxxxxx.co.za       Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain6.com" - coxxxxxxxxxxx.co.za            Enabled: False

   "Domain7.com" - elxxxxxxxxxxxxxxxxxx.co.za     Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain8.com" - frxxxxxxxxxxxxxx.co.za         Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain9.com" - khxxxxxx.com                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain10.com" - kuxxxxxxxxx.com               Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain11.com" - kwxxxxxx.com                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain12.com" - maxxxxxxxxxxxxx.orx.za        Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain13.com" - maxxxxxxxxxxx.com             Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain14.com" - mdxxx.co.za                   Enabled: False

   "Domain15.com" - mixxxxxxxxxxx.co.za           Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain16.com" - mixxxxxx.co.za                Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain17.com" - mjxxxxxxxx.co.za              Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain18.com" - sexxxxxxxxxxxxxxxxxxx.co.za   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain19.com" - stxxxxx.co.za                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain20.com" - tdxxxxx.com                   Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain21.com" - thxxxxxxxxxxxxxxx.com         Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain22.com" - thxxxxxxxxxxxxxx.co.za        Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain23.com" - toxxxxx.co.za                 Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain24.com" - trxxxxxxxxxxxxxx.co.za        Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain25.com" - umxxxxxxxxxxxxxxxxxx.co.za    Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain26.com" - umxxxxxxxxxxxxx.co.za         Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain27.com" - vixxxxxxxxx.co.za             Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain28.com" - whxxxxxxx.co.za               Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External - False


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      2
                              Minutes Before Reset:         1500  (25,00 hours, 1,04 days)
                              Minutes to Autoban:          10140  (169,00 hours, 7,04 days)

There is a total of 243 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 60   Plain Text:        False  Bind: 
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 26480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:  False  Delivered-To hdr: False
                                                                         Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject:  True    Verify DKIM:       False        Use SA score: False -   5
              Subject Text: "[SPAM]"
  Spam delete threshold: 8         Maximum message size: 2048

DNSBL ENTRIES:
                  zen.spamhaus.org      Score: 5     Result: 127.0.0.2-8|127.0.0.10-11
                    bl.spamcop.net      Score: 3     Result: 127.0.0.2
     hostkarma.junkemailfilter.com      Score: 2     Result: 127.0.0.2|127.0.0.4
            b.barracudacentral.org      Score: 2     Result: 127.0.0.2|127.0.0.4
                   cbl.abuseat.org      Score: 2     Result: 127.0.0.2
           bl.spameatingmonkey.net      Score: 2     Result: 127.0.0.2-3

SURBL ENTRIES:
                   multi.surbl.org      Score: 3

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               127.0.0.1       / 25    / SMTP   -   None
               197.189.238.154 / 25    / SMTP   -   None
               197.189.238.154 / 110   / POP3   -   None
               197.189.238.154 / 143   / IMAP   -   None
               197.189.238.154 / 587   / SMTP   -   None
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2020-04-27.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2020-04-27.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

ERROR: Backup directory has not been specified.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.84, Hmailserver Forum.

Any way I can stop this from occurring again?
Can I find out which DOMAIN this bot is using to spam perhaps?

Much appreciated!

SorenR
Senior user
Posts: 3826
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spambot pumping out emails blocking my server's IP

Post by SorenR » 2020-04-27 14:41

AutoBan the IP address! NOW!

Check YOUR SMTP log for something like this: (I used the IP address you listed)


"SMTPD"	492	175	"2020-04-01 08:47:38.848"	"197.185.109.83"	"RECEIVED: AUTH LOGIN"
"SMTPD"	492	175	"2020-04-01 08:47:38.848"	"197.185.109.83"	"SENT: 334 VXNlcXXXbWU6"
"SMTPD"	596	175	"2020-04-01 08:47:38.910"	"197.185.109.83"	"RECEIVED: bGXXXXNl"
"SMTPD"	596	175	"2020-04-01 08:47:38.910"	"197.185.109.83"	"SENT: 334 UGFXXXdvcmQ6"
"SMTPD"	4076	175	"2020-04-01 08:47:38.973"	"197.185.109.83"	"RECEIVED: ***"
"SMTPD"	4076	175	"2020-04-01 08:47:38.989"	"197.185.109.83"	"SENT: 235 authenticated."
Paste it into this webpage https://log.damnation.org.uk/ and press [Analyze]

You should see the email address of whoever is sending this..
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke
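As an added example (not code from the thread or from hMailServer), the following Python script does offline what the log analyzer step above does: it parses SMTPD lines in the tab-separated layout quoted above, follows each session's AUTH LOGIN exchange to decode the authenticated account name, and flags authenticated sessions whose MAIL FROM is not that account or that address many recipients. It assumes the six-field SMTPD line layout shown in this thread; the sample log, the account name, the owner's IP and all recipient addresses are constructed.

```python
import base64
import binascii
import csv
import io
import re

# Envelope commands as hMailServer logs them (the client's own casing, hence re.I).
MAIL_FROM_RE = re.compile(r"mail from:\s*<([^>]*)>", re.I)
RCPT_TO_RE = re.compile(r"rcpt to:\s*<([^>]*)>", re.I)


def _b64_text(blob):
    """Decode one base64 token of an AUTH LOGIN exchange; None if it is not valid base64
    (hMailServer masks the password line as ***, which must not break parsing)."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def parse_sessions(log_text):
    """Rebuild per-session state from the SMTPD lines of an hMailServer log.
    An SMTPD line is tab separated: "SMTPD", thread id, session id, timestamp, client IP,
    message. State is keyed by session id because the thread id changes within one
    session (the thread's own log alternates 4544 and 2012)."""
    sessions = {}
    expecting = {}  # session id -> "user" or "pass" while an AUTH LOGIN is in progress
    for row in csv.reader(io.StringIO(log_text), delimiter="\t", quotechar='"'):
        if len(row) != 6 or row[0] != "SMTPD":
            continue  # APPLICATION/DEBUG/TCPIP lines have a different field layout
        _, _tid, sid, _ts, ip, msg = row
        s = sessions.setdefault(sid, {"ip": ip, "auth_user": None, "authenticated": False,
                                      "mail_from": None, "rcpt_count": 0})
        if msg.startswith("SENT: "):
            if msg[6:9] == "235":
                s["authenticated"] = True
            elif msg[6:9] == "535":  # bad credentials: abandon the AUTH state machine
                expecting.pop(sid, None)
            continue
        if not msg.startswith("RECEIVED: "):
            continue
        payload = msg[len("RECEIVED: "):]
        if payload.upper() == "AUTH LOGIN":
            expecting[sid] = "user"
        elif expecting.get(sid) == "user":  # answer to "334 VXNlcm5hbWU6" (Username:)
            s["auth_user"] = _b64_text(payload)
            expecting[sid] = "pass"
        elif expecting.get(sid) == "pass":  # answer to "334 UGFzc3dvcmQ6", logged as ***
            expecting.pop(sid)
        elif (m := MAIL_FROM_RE.match(payload)):
            s["mail_from"] = m.group(1)
        elif RCPT_TO_RE.match(payload):
            s["rcpt_count"] += 1
    return sessions


def find_abuse(sessions, rcpt_threshold=10):
    """Return (session id, ip, account, reasons) for authenticated sessions whose envelope
    sender is not the account that logged in, or that fan out to many recipients."""
    findings = []
    for sid, s in sessions.items():
        if not s["authenticated"]:
            continue
        reasons = []
        if s["mail_from"] and s["auth_user"] and s["mail_from"].lower() != s["auth_user"].lower():
            reasons.append(f"MAIL FROM {s['mail_from']} differs from account {s['auth_user']}")
        if s["rcpt_count"] >= rcpt_threshold:
            reasons.append(f"{s['rcpt_count']} recipients in one session")
        if reasons:
            findings.append((sid, s["ip"], s["auth_user"], reasons))
    return findings


def _smtpd(tid, sid, ts, ip, msg):
    """Format one line the way hMailServer writes SMTPD entries (sample builder)."""
    return f'"SMTPD"\t{tid}\t{sid}\t"{ts}"\t"{ip}"\t"{msg}"'


# Constructed sample log. Session 175 mirrors the AUTH LOGIN exchange quoted in the thread;
# the account name, session 176, the owner's IP and all recipients are invented.
_USER_B64 = base64.b64encode(b"client@example.com").decode()
_BOT, _OWNER = "197.185.109.83", "203.0.113.7"
SAMPLE_LOG = "\n".join(
    ['"DEBUG"\t6132\t"2020-04-01 08:47:38.848"\t"Delivering message..."']
    + [_smtpd(492, 175, "2020-04-01 08:47:38.848", _BOT, "RECEIVED: AUTH LOGIN"),
       _smtpd(492, 175, "2020-04-01 08:47:38.848", _BOT, "SENT: 334 VXNlcm5hbWU6"),
       _smtpd(596, 175, "2020-04-01 08:47:38.910", _BOT, f"RECEIVED: {_USER_B64}"),
       _smtpd(596, 175, "2020-04-01 08:47:38.910", _BOT, "SENT: 334 UGFzc3dvcmQ6"),
       _smtpd(4076, 175, "2020-04-01 08:47:38.973", _BOT, "RECEIVED: ***"),
       _smtpd(4076, 175, "2020-04-01 08:47:38.989", _BOT, "SENT: 235 authenticated."),
       _smtpd(4076, 175, "2020-04-01 08:47:39.020", _BOT,
              "RECEIVED: mail FROM:<order@unileverprocurement.nl> size=252366")]
    + [_smtpd(4076, 175, "2020-04-01 08:47:39.051", _BOT, f"RECEIVED: rcpt TO:<user{i}@example.net>")
       for i in range(12)]
    # The account's real owner, sending as themselves to a single recipient.
    + [_smtpd(700, 176, "2020-04-01 09:00:00.000", _OWNER, "RECEIVED: AUTH LOGIN"),
       _smtpd(700, 176, "2020-04-01 09:00:00.000", _OWNER, f"RECEIVED: {_USER_B64}"),
       _smtpd(700, 176, "2020-04-01 09:00:00.100", _OWNER, "RECEIVED: ***"),
       _smtpd(700, 176, "2020-04-01 09:00:00.100", _OWNER, "SENT: 235 authenticated."),
       _smtpd(700, 176, "2020-04-01 09:00:00.200", _OWNER, "RECEIVED: MAIL FROM:<client@example.com>"),
       _smtpd(700, 176, "2020-04-01 09:00:00.300", _OWNER, "RECEIVED: RCPT TO:<friend@example.org>")]
)
```

Run `find_abuse(parse_sessions(open(path).read()))` over a real hmailserver_YYYY-MM-DD.log to get the compromised account, the client IP to autoban and the reasons in one pass; the recipient threshold is a tuning knob, not a property of the log format.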

reflex84
Normal user
Posts: 124
Joined: 2015-01-18 11:49

Re: Spambot pumping out emails blocking my server's IP

Post by reflex84 » 2020-04-27 15:13

Hi,

Thank you for your prompt response!

I have added the IP to autoban (see image attached). As you can see, I put no email address after NAME: Auto-ban:
AutoBan.JPG
You should see the email address of whoever is sending this..
YES!!! This worked! I can see whose account has been targeted!

Should I disable my client's email account on HM and contact him via whatsapp to notify that he may have a virus / malware? Assuming that his PC / device has been compromised by a virus / malware?

RvdH
Senior user
Posts: 1137
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Spambot pumping out emails blocking my server's IP

Post by RvdH » 2020-04-27 16:03

Simply change the account's password, and they will contact you 😉

If you disable the account you won't be able to receive mail for that account either, so that's not desirable; it might result in missed mails.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

RvdH
Senior user
Posts: 1137
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Spambot pumping out emails blocking my server's IP

Post by RvdH » 2020-04-27 16:21

Was the spammer using the authenticated account's (From) e-mail address?
If not, you might try one of those scripts to limit the spammer's ability to use an account other than the authenticated account/domain.

reflex84
Normal user
Posts: 124
Joined: 2015-01-18 11:49

Re: Spambot pumping out emails blocking my server's IP

Post by reflex84 » 2020-04-27 18:40

If you disable the account you won't be able to receive mail for that account too, so that's not desirable, might result in missing mails
Yes this is true ... I did instead change the password on HM and on my client's PC - so that's done.
Was the spammer using the authenticated account's (From) e-mail address? If not, you might try one of those scripts to limit the spammer's ability to use an account other than the authenticated account/domain.
It looks like the spambot was using my client's authenticated account's (From) e-mail address (I found this out by using the Log Analyzer) but under a different alias of order@unileverprocurement.nl ?? But I'm just guessing now...
Either way ... I have added that script to my EventHandlers.vbs file - thanks!

FYI: I asked my client to do a full PC scan for viruses / malware using SuperAntiSpyware and ADWcleaner and it shows his computer is pretty clean apart from the common adware that's usually detected... so I cannot be sure how my client's account was compromised.

SorenR
Senior user
Posts: 3826
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spambot pumping out emails blocking my server's IP

Post by SorenR » 2020-04-27 20:00

Perhaps someone cracked the password??

Sender is using an IP Address belonging to: "rain-197-185-109-83.rain.network"

address: Block D
address: The Main Straight Office Park
address: 392 Main Road
address: Bryanston
address: Johannesburg
address: 2191

Domain:
https://www.whois.com/whois/rain.network

It seems like you are somewhere in

City: Philadelphia
StateProv: PA
PostalCode: 19106
Country: US

8)
SørenR.


reflex84
Normal user
Posts: 124
Joined: 2015-01-18 11:49

Re: Spambot pumping out emails blocking my server's IP

Post by reflex84 » 2020-04-27 20:09

Ya, maybe I set an easy password for this particular client and it was cracked.
I generally create almost impossible passwords to guess.

Sender is using an IP Address belonging to: "rain-197-185-109-83.rain.network"

address: Block D
address: The Main Straight Office Park
address: 392 Main Road
address: Bryanston
address: Johannesburg
address: 2191

Domain:
https://www.whois.com/whois/rain.network

It seems like you are somewhere in

City: Philadelphia
StateProv: PA
PostalCode: 19106
Country: US
Where did you get the US / Philadelphia address from? Because I / my server am also located in South Africa...

Might have to pay my spammer a visit ... oh wait, we're still in lockdown ffs

SorenR
Senior user
Posts: 3826
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spambot pumping out emails blocking my server's IP

Post by SorenR » 2020-04-27 21:04

reflex84 wrote:
2020-04-27 20:09

Where did you get the US / Philadelphia address from? Because I / my server is also located in South Africa...

Might have to pay my spammer a visit ... oh wait, we're still in lockdown ffs
Ah.. it may be a recipient of the SPAM..


C:\WINDOWS\system32>nslookup 198.58.118.167
Server:  bigbrother.xxxxx.xxx
Address:  192.168.0.50

Name:    li647-167.members.linode.com
Address:  198.58.118.167
Hilton hotel - Cape Town ... Do they still have a sign saying "You are required to check in your guns at the reception desk" coming up from the parking garage ??

Last time I was there I stayed at Villa Via Hotel in a suite facing the waterfront... Fantastic food :mrgreen:
Last edited by SorenR on 2020-04-27 21:10, edited 1 time in total.
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

reflex84
Normal user
Posts: 124
Joined: 2015-01-18 11:49

Re: Spambot pumping out emails blocking my server's IP

Post by reflex84 » 2020-04-27 21:10

Oh right, thanks for clarifying.
Well, SORBS has finally removed my IP from their blacklist and I have sent them an email linking to this thread so they can see my legitimacy. I'm just waiting for the automated TRUNCATE to remove my IP... grrrrr - I need to send off important emails FROM my actual address

reflex84
Normal user
Posts: 124
Joined: 2015-01-18 11:49

Re: Spambot pumping out emails blocking my server's IP

Post by reflex84 » 2020-04-28 15:52

Hilton hotel - Cape Town ... Do they still have a sign saying "You are required to check in your guns at the reception desk" coming up from the parking garage ?? Last time I was there I stayed at Villa Via Hotel in a suite facing the waterfront... Fantastic food
Haha - is this for real??
Wouldn't be surprised if the hotel was anywhere near the cape flats, lol

You definitely went to one of South Africa's best holiday destinations though. The entire Western and Eastern Cape (Route 62 & Garden Route) is a must see for foreigners and locals. I'm itching to explore these areas myself and I'm from Durban.

SorenR
Senior user
Posts: 3826
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spambot pumping out emails blocking my server's IP

Post by SorenR » 2020-04-28 16:23

reflex84 wrote:
2020-04-28 15:52
Hilton hotel - Cape Town ... Do they still have a sign saying "You are required to check in your guns at the reception desk" coming up from the parking garage ?? Last time I was there I stayed at Villa Via Hotel in a suite facing the waterfront... Fantastic food
Haha - is this for real??
Wouldn't be surprised if the hotel was anywhere near the cape flats, lol

You definitely went to one of South Africa's best holiday destinations though. The entire Western and Eastern Cape (Route 62 & Garden Route) is a must see for foreigners and locals. I'm itching to explore these areas myself and I'm from Durban.
Well, to be honest it was back in 1999 and it was work... UUNet needed a new billing system and we needed to talk to Telkom SA, Citech, SITA, AST, Debris and about 10 other telcos. We went to JoBurg (or was it Pretoria) on the caged-in motorway, that was an eye-opener :shock: but we also had time to cruise the south-east tip for some seafood places :mrgreen:

One of our guys in SA apparently had done time for shooting a couple of burglars during a home invasion. Police claimed he shot them outside and dragged the bodies inside after... Weird rules you have about "equal force".

The Cisco systems specialist I traveled with was carrying and when we got on the plane they gave him a lock box for his gun to carry on and it was unlocked when we arrived...

That was ... eh ... a somewhat different experience.

But then again so was Indonesia, Mexico and Brazil :mrgreen:
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke
