New kinda spammers?

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.
RvdH
Senior user
Posts: 795
Joined: 2008-06-27 14:42
Location: Netherlands

New kinda spammers?

Post by RvdH » 2019-06-08 13:28

I noticed one of my servers is being hit with spam mails where the HELO and From-address differ by only one character, for example:

HELO/EHLO: eisentraut.zachariaszels.com
MAIL FROM: eisentraut@zachariaszels.com

To catch these early I did this:

Code:

' OnSMTPData fires at the DATA command, when HELO/EHLO, MAIL FROM and the client IP are all known.
Sub OnSMTPData(oClient, oMessage)

	If (oMessage.FromAddress <> "") Then
		' Strip '.' and '@' from both values and compare case-insensitively (vbTextCompare = 1):
		' eisentraut.zachariaszels.com and eisentraut@zachariaszels.com both collapse to
		' eisentrautzachariaszelscom.
		If StrComp(ereg_replace(oClient.HELO, "[\@\.]", "", True), ereg_replace(oMessage.FromAddress, "[\@\.]", "", True), 1) = 0 Then
			EventLog.Write("OnSMTPData: HELO " & oClient.HELO & " FROM " & oMessage.FromAddress & " (" & oClient.IPAddress & "). 554 Rejected")
			Result.Message = "5.7.1 Your access to this mail system has been rejected due to " & _
							"the sending MTA's poor reputation. If you believe that this failure is " & _
							"in error, please contact the intended recipient via alternate means."
			' Result.Value = 2 tells hMailServer to reject the message with a 554 reply carrying Result.Message.
			Result.Value = 2
			' AutoBan is a helper from the poster's own event-handler script; it is not shown in this thread.
			Call AutoBan(oClient.IPAddress, oMessage.FromAddress, 1, "d")
			Exit Sub
		End If
	End If

End Sub

' Function replaces every match of strPattern in strOriginalString with strReplacement.
' varIgnoreCase must be TRUE (match is case insensitive) or FALSE (match is case sensitive).
' from http://www.addedbytes.com/asp/vbscript-regular-expressions/
Function ereg_replace(strOriginalString, strPattern, strReplacement, varIgnoreCase)
	Dim objRegExp : Set objRegExp = New RegExp
	With objRegExp
		.Pattern = strPattern
		.IgnoreCase = varIgnoreCase
		.Global = True
	End With
	ereg_replace = objRegExp.Replace(strOriginalString, strReplacement)
	Set objRegExp = Nothing
End Function


What it basically does is strip all dots (.) and at-signs (@) and then compare whether the two strings are identical; in this case the strings to be compared are both 'eisentrautzachariaszelscom', which results in a 554 rejection (and auto-ban):

"SMTPD" 6132 187452 "2019-06-08 13:13:11.886" "64.44.61.130" "SENT: 220 mail.domain.com ESMTP"
"SMTPD" 7692 187452 "2019-06-08 13:13:11.980" "64.44.61.130" "RECEIVED: EHLO eisentraut.zachariaszels.com"
"SMTPD" 7692 187452 "2019-06-08 13:13:12.027" "64.44.61.130" "SENT: 250-mail.domain.com[nl]250-SIZE 51200000[nl]250-STARTTLS[nl]250 HELP"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.120" "64.44.61.130" "RECEIVED: STARTTLS"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.120" "64.44.61.130" "SENT: 220 Ready to start TLS"
"SMTPD" 7692 187452 "2019-06-08 13:13:12.466" "64.44.61.130" "RECEIVED: EHLO eisentraut.zachariaszels.com"
"SMTPD" 7692 187452 "2019-06-08 13:13:12.497" "64.44.61.130" "SENT: 250-mail.domain.com[nl]250-SIZE 51200000[nl]250 HELP"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.606" "64.44.61.130" "RECEIVED: MAIL FROM:<eisentraut@zachariaszels.com>"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.606" "64.44.61.130" "SENT: 250 OK"
"SMTPD" 6544 187452 "2019-06-08 13:13:12.715" "64.44.61.130" "RECEIVED: RCPT TO:<info@******.nl>"
"SMTPD" 6544 187452 "2019-06-08 13:13:12.715" "64.44.61.130" "SENT: 250 OK"
"SMTPD" 6132 187452 "2019-06-08 13:13:12.825" "64.44.61.130" "RECEIVED: DATA"
"SMTPD" 6132 187452 "2019-06-08 13:13:12.887" "64.44.61.130" "SENT: 554 5.7.1 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

palinka
Senior user
Posts: 950
Joined: 2017-09-12 17:57

Re: New kinda spammers?

Post by palinka » 2019-06-08 14:53

I haven't seen that yet, but if it's going around I'm sure I'll see it sooner or later, so I implemented your script already. :D

RvdH
Senior user
Posts: 795
Joined: 2008-06-27 14:42
Location: Netherlands

Re: New kinda spammers?

Post by RvdH » 2019-06-08 16:20

I've got a single one auto-banned that shouldn't have been banned, using mail.something.com as HELO/EHLO with From-address mail@something.com.

You can get around this by adjusting it like this:

Code:

Sub OnSMTPData(oClient, oMessage)

	' HELOs that start with "mail." (e.g. mail.something.com with sender mail@something.com)
	' are a legitimate pattern, so the comparison is skipped for them.
	Dim oRegEx, bMailHost
	Set oRegEx = CreateObject("VBScript.RegExp")
	oRegEx.IgnoreCase = True
	oRegEx.Global = False
	oRegEx.Pattern = "^(mail\.).+$"
	bMailHost = oRegEx.Test(oClient.HELO)
	Set oRegEx = Nothing

	If (oMessage.FromAddress <> "") And Not bMailHost Then
		' ereg_replace is the helper function from the first post.
		If StrComp(ereg_replace(oClient.HELO, "[\@\.]", "", True), ereg_replace(oMessage.FromAddress, "[\@\.]", "", True), 1) = 0 Then
			EventLog.Write("OnSMTPData: HELO " & oClient.HELO & " FROM " & oMessage.FromAddress & " (" & oClient.IPAddress & "). 554 Rejected")
			Result.Message = "5.7.1 Your access to this mail system has been rejected due to " & _
							"the sending MTA's poor reputation. If you believe that this failure is " & _
							"in error, please contact the intended recipient via alternate means."
			' Result.Value = 2 rejects the message with a 554 reply carrying Result.Message.
			Result.Value = 2
			' AutoBan is a helper from the poster's own event-handler script; it is not shown in this thread.
			Call AutoBan(oClient.IPAddress, oMessage.FromAddress, 1, "d")
			Exit Sub
		End If
	End If

End Sub
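The heuristic from the two posts above (collapse HELO and MAIL FROM by dropping '.' and '@', compare case-insensitively, and exempt HELOs whose first label is "mail"), as an added example that is not part of the thread and not hMailServer code: a Python script that runs the same check offline over SMTPD log lines in the layout shown in the first post, pairing each session's last EHLO (it is re-sent after STARTTLS) with its MAIL FROM. The sample log is constructed after the excerpt in the thread; the sessions from 192.0.2.0/24 and 198.51.100.0/24 (documentation ranges), the `info@example.nl` recipient and the `exempt_labels` parameter are assumptions for the example.

```python
import re

# One hMailServer SMTPD log line: "SMTPD" <thread> <session> "<timestamp>" "<ip>" "<message>"
LOG_RE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"[^"]*"\s+"([^"]*)"\s+"(.*)"$')
HELO_RE = re.compile(r'^RECEIVED: (?:HELO|EHLO)\s+(\S+)', re.IGNORECASE)
FROM_RE = re.compile(r'^RECEIVED: MAIL FROM:\s*<([^>]*)>', re.IGNORECASE)

# HELO first labels exempted from the check; the thread's false positive was
# mail.something.com with sender mail@something.com.
EXEMPT_LABELS = frozenset({"mail"})


def collapse(value):
    """Drop '.' and '@' and lower-case: the same normalisation the VBScript applies."""
    return re.sub(r"[.@]", "", value).lower()


def helo_matches_sender(helo, mail_from, exempt_labels=EXEMPT_LABELS):
    """True when HELO and MAIL FROM are identical after collapse(), unless the HELO's
    first label is exempt. A missing or empty sender (bounces) never matches."""
    if not helo or not mail_from:
        return False
    if helo.split(".", 1)[0].lower() in exempt_labels:
        return False
    return collapse(helo) == collapse(mail_from)


def scan_log(lines, exempt_labels=EXEMPT_LABELS):
    """Group lines by session id, remember the last HELO/EHLO and the MAIL FROM, and
    return (session, ip, helo, mail_from) for every session the heuristic flags."""
    sessions = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        session, ip, msg = m.groups()
        state = sessions.setdefault(session, {"ip": ip, "helo": None, "from": None})
        h = HELO_RE.match(msg)
        if h:
            state["helo"] = h.group(1)
            continue
        f = FROM_RE.match(msg)
        if f:
            state["from"] = f.group(1)
    return [
        (sid, s["ip"], s["helo"], s["from"])
        for sid, s in sessions.items()
        if helo_matches_sender(s["helo"], s["from"], exempt_labels)
    ]


# Constructed sample: session 187452 is modelled on the thread's log excerpt; the two
# sessions from documentation IP ranges are legitimate traffic that must not be flagged.
SAMPLE_LOG = '''
"SMTPD" 7692 187452 "2019-06-08 13:13:11.980" "64.44.61.130" "RECEIVED: EHLO eisentraut.zachariaszels.com"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.120" "64.44.61.130" "RECEIVED: STARTTLS"
"SMTPD" 7692 187452 "2019-06-08 13:13:12.466" "64.44.61.130" "RECEIVED: EHLO eisentraut.zachariaszels.com"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.606" "64.44.61.130" "RECEIVED: MAIL FROM:<eisentraut@zachariaszels.com>"
"SMTPD" 6544 187452 "2019-06-08 13:13:12.715" "64.44.61.130" "RECEIVED: RCPT TO:<info@example.nl>"
"SMTPD" 7001 187453 "2019-06-08 13:20:01.000" "192.0.2.10" "RECEIVED: EHLO mail.something.com"
"SMTPD" 7001 187453 "2019-06-08 13:20:01.100" "192.0.2.10" "RECEIVED: MAIL FROM:<mail@something.com>"
"SMTPD" 7002 187454 "2019-06-08 13:21:05.000" "198.51.100.7" "RECEIVED: EHLO mx1.example.net"
"SMTPD" 7002 187454 "2019-06-08 13:21:05.100" "198.51.100.7" "RECEIVED: MAIL FROM:<alice@example.net>"
'''.strip().splitlines()


if __name__ == "__main__":
    for session, ip, helo, mail_from in scan_log(SAMPLE_LOG):
        print(f"session {session} from {ip}: HELO {helo} / MAIL FROM {mail_from} -> 554")
```

Running it flags only session 187452. Passing `exempt_labels=frozenset()` reproduces the first post's behaviour, where mail.something.com / mail@something.com is also flagged; extend the set with any other hostname labels that legitimately double as mailbox names on the domains you receive from before turning the check into an auto-ban.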

palinka
Senior user
Posts: 950
Joined: 2017-09-12 17:57

Re: New kinda spammers?

Post by palinka » 2019-06-09 00:03

I imagine that's a pretty rare case. :mrgreen:

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: New kinda spammers?

Post by SorenR » 2019-06-09 01:01

palinka wrote (2019-06-09 00:03):
I imagine that's a pretty rare case. :mrgreen:

I reject all mails where oMessage.FromAddress is "^(return\@.*)$". Not had a false positive in over 1 year... :mrgreen:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
