Spam attacks? Do you think you are hard done to?


Re: Spam attacks? Do you think you are hard done to?

Post by jimimaseye » 2017-03-16 14:26

The 20 second delay is proving very effective. No further autobans added (my log files are clear of rogue attempts since implementing it) and the autoban list is just reducing (I assume it will be down to zero after 1 week).


(The 3-line probing is continuing with a vengeance though:)
[code]"SMTPD" 4264 827 "2017-03-16 00:02:34.187" "82.200.170.116" "SENT: 221 goodbye"
"SMTPD" 4264 827 "2017-03-16 00:02:34.187" "82.200.170.116" "RECEIVED: QUIT"
"SMTPD" 4264 827 "2017-03-16 00:02:34.171" "82.200.170.116" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 836 "2017-03-16 00:05:27.129" "67.52.138.42" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 836 "2017-03-16 00:05:27.129" "67.52.138.42" "RECEIVED: QUIT"
"SMTPD" 3996 836 "2017-03-16 00:05:27.129" "67.52.138.42" "SENT: 221 goodbye"
"SMTPD" 4264 847 "2017-03-16 00:10:47.163" "79.70.254.117" "SENT: 220 Ourmail SMTP"
"SMTPD" 3696 847 "2017-03-16 00:10:47.163" "79.70.254.117" "RECEIVED: QUIT"
"SMTPD" 3696 847 "2017-03-16 00:10:47.163" "79.70.254.117" "SENT: 221 goodbye"
"SMTPD" 4264 867 "2017-03-16 00:16:20.208" "80.152.209.142" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 867 "2017-03-16 00:16:20.224" "80.152.209.142" "RECEIVED: QUIT"
"SMTPD" 4264 867 "2017-03-16 00:16:20.224" "80.152.209.142" "SENT: 221 goodbye"
"SMTPD" 4264 880 "2017-03-16 00:19:04.133" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 880 "2017-03-16 00:19:04.133" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 4264 880 "2017-03-16 00:19:04.133" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 4264 893 "2017-03-16 00:21:58.167" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 3760 893 "2017-03-16 00:21:58.167" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 3760 893 "2017-03-16 00:21:58.167" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 4264 899 "2017-03-16 00:24:40.142" "109.226.61.122" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 899 "2017-03-16 00:24:40.142" "109.226.61.122" "RECEIVED: QUIT"
"SMTPD" 4264 899 "2017-03-16 00:24:40.142" "109.226.61.122" "SENT: 221 goodbye"
"SMTPD" 4264 918 "2017-03-16 00:27:43.146" "197.245.94.133" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 919 "2017-03-16 00:30:19.115" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 3696 919 "2017-03-16 00:30:19.115" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 3696 919 "2017-03-16 00:30:19.115" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 4264 929 "2017-03-16 00:33:05.193" "82.200.170.116" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 929 "2017-03-16 00:33:05.193" "82.200.170.116" "RECEIVED: QUIT"
"SMTPD" 4264 929 "2017-03-16 00:33:05.193" "82.200.170.116" "SENT: 221 goodbye"
"SMTPD" 4264 938 "2017-03-16 00:35:53.206" "197.14.14.150" "SENT: 220 Ourmail SMTP"
"SMTPD" 2944 938 "2017-03-16 00:35:53.206" "197.14.14.150" "RECEIVED: QUIT"
"SMTPD" 2944 938 "2017-03-16 00:35:53.206" "197.14.14.150" "SENT: 221 goodbye"
"SMTPD" 4264 946 "2017-03-16 00:38:32.123" "68.191.218.91" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 946 "2017-03-16 00:38:32.123" "68.191.218.91" "RECEIVED: QUIT"
"SMTPD" 4264 946 "2017-03-16 00:38:32.123" "68.191.218.91" "SENT: 221 goodbye"
"SMTPD" 3376 956 "2017-03-16 00:44:10.207" "80.152.209.142" "SENT: 220 Ourmail SMTP"
"SMTPD" 3752 956 "2017-03-16 00:44:10.207" "80.152.209.142" "RECEIVED: QUIT"
"SMTPD" 3752 956 "2017-03-16 00:44:10.207" "80.152.209.142" "SENT: 221 goodbye"
"SMTPD" 3376 974 "2017-03-16 00:46:57.143" "113.161.80.16" "SENT: 220 Ourmail SMTP"
"SMTPD" 3376 974 "2017-03-16 00:46:57.143" "113.161.80.16" "RECEIVED: QUIT"
"SMTPD" 3376 974 "2017-03-16 00:46:57.143" "113.161.80.16" "SENT: 221 goodbye"
"SMTPD" 3376 993 "2017-03-16 00:49:43.158" "58.62.55.140" "SENT: 220 Ourmail SMTP"
"SMTPD" 3376 993 "2017-03-16 00:49:43.158" "58.62.55.140" "RECEIVED: QUIT"
"SMTPD" 3376 993 "2017-03-16 00:49:43.158" "58.62.55.140" "SENT: 221 goodbye"
"SMTPD" 3376 1025 "2017-03-16 01:03:36.151" "2.137.100.108" "SENT: 220 Ourmail SMTP"
"SMTPD" 3376 1025 "2017-03-16 01:03:36.151" "2.137.100.108" "RECEIVED: QUIT"
"SMTPD" 3376 1025 "2017-03-16 01:03:36.151" "2.137.100.108" "SENT: 221 goodbye"
"SMTPD" 3376 1035 "2017-03-16 01:06:21.200" "97.101.54.96" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 1035 "2017-03-16 01:06:21.200" "97.101.54.96" "RECEIVED: QUIT"
"SMTPD" 3996 1035 "2017-03-16 01:06:21.200" "97.101.54.96" "SENT: 221 goodbye"
"SMTPD" 3376 1042 "2017-03-16 01:09:00.148" "96.57.19.234" "SENT: 220 Ourmail SMTP"
"SMTPD" 3376 1042 "2017-03-16 01:09:00.148" "96.57.19.234" "RECEIVED: QUIT"
"SMTPD" 3376 1042 "2017-03-16 01:09:00.148" "96.57.19.234" "SENT: 221 goodbye"
"SMTPD" 3376 1065 "2017-03-16 01:14:28.186" "201.190.192.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 2564 1065 "2017-03-16 01:14:28.186" "201.190.192.24" "RECEIVED: QUIT"
"SMTPD" 2564 1065 "2017-03-16 01:14:28.186" "201.190.192.24" "SENT: 221 goodbye"
"SMTPD" 3376 1070 "2017-03-16 01:17:05.138" "82.200.170.116" "SENT: 220 Ourmail SMTP"
"SMTPD" 3376 1070 "2017-03-16 01:17:05.138" "82.200.170.116" "RECEIVED: QUIT"
"SMTPD" 3376 1070 "2017-03-16 01:17:05.138" "82.200.170.116" "SENT: 221 goodbye"
"SMTPD" 3376 1081 "2017-03-16 01:19:45.147" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 1081 "2017-03-16 01:19:45.147" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 4264 1081 "2017-03-16 01:19:45.147" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 3376 1094 "2017-03-16 01:22:35.203" "78.131.87.207" "SENT: 220 Ourmail SMTP"
"SMTPD" 3696 1094 "2017-03-16 01:22:35.203" "78.131.87.207" "RECEIVED: QUIT"
"SMTPD" 3696 1094 "2017-03-16 01:22:35.203" "78.131.87.207" "SENT: 221 goodbye"
"SMTPD" 3376 1131 "2017-03-16 01:33:35.115" "79.70.254.117" "SENT: 220 Ourmail SMTP"
"SMTPD" 3376 1131 "2017-03-16 01:33:35.115" "79.70.254.117" "RECEIVED: QUIT"
"SMTPD" 3376 1131 "2017-03-16 01:33:35.115" "79.70.254.117" "SENT: 221 goodbye"
"SMTPD" 3376 1132 "2017-03-16 01:39:00.142" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 2944 1132 "2017-03-16 01:39:00.142" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 2944 1132 "2017-03-16 01:39:00.142" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 3376 1150 "2017-03-16 01:41:54.207" "117.56.161.248" "SENT: 220 Ourmail SMTP"
"SMTPD" 2984 1150 "2017-03-16 01:41:54.207" "117.56.161.248" "RECEIVED: QUIT"
"SMTPD" 2984 1150 "2017-03-16 01:41:54.207" "117.56.161.248" "SENT: 221 goodbye"
"SMTPD" 3376 1158 "2017-03-16 01:42:22.194" "59.60.28.232" "SENT: 220 Ourmail SMTP"
"SMTPD" 3376 1162 "2017-03-16 01:44:27.213" "197.14.14.150" "SENT: 220 Ourmail SMTP"
"SMTPD" 2944 1162 "2017-03-16 01:44:27.213" "197.14.14.150" "RECEIVED: QUIT"
"SMTPD" 2944 1162 "2017-03-16 01:44:27.213" "197.14.14.150" "SENT: 221 goodbye"
"SMTPD" 2564 1177 "2017-03-16 01:50:00.118" "184.68.15.58" "SENT: 220 Ourmail SMTP"
"SMTPD" 2564 1186 "2017-03-16 01:55:27.157" "97.101.54.96" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 1186 "2017-03-16 01:55:27.157" "97.101.54.96" "RECEIVED: QUIT"
"SMTPD" 3996 1186 "2017-03-16 01:55:27.157" "97.101.54.96" "SENT: 221 goodbye"
"SMTPD" 3340 1202 "2017-03-16 01:58:12.127" "58.62.55.140" "SENT: 220 Ourmail SMTP"
"SMTPD" 4556 1202 "2017-03-16 01:58:12.127" "58.62.55.140" "RECEIVED: QUIT"
"SMTPD" 4556 1202 "2017-03-16 01:58:12.127" "58.62.55.140" "SENT: 221 goodbye"
"SMTPD" 3340 1213 "2017-03-16 02:01:06.102" "58.19.180.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1213 "2017-03-16 02:01:06.103" "58.19.180.138" "RECEIVED: QUIT"
"SMTPD" 3340 1213 "2017-03-16 02:01:06.103" "58.19.180.138" "SENT: 221 goodbye"
"SMTPD" 3340 1221 "2017-03-16 02:03:58.210" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 1221 "2017-03-16 02:03:58.210" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 2120 1221 "2017-03-16 02:03:58.210" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 3340 1237 "2017-03-16 02:06:49.124" "97.101.54.96" "SENT: 220 Ourmail SMTP"
"SMTPD" 3696 1237 "2017-03-16 02:06:49.124" "97.101.54.96" "RECEIVED: QUIT"
"SMTPD" 3696 1237 "2017-03-16 02:06:49.124" "97.101.54.96" "SENT: 221 goodbye"
"SMTPD" 3340 1238 "2017-03-16 02:09:35.218" "117.56.161.248" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1238 "2017-03-16 02:09:35.218" "117.56.161.248" "RECEIVED: QUIT"
"SMTPD" 3340 1238 "2017-03-16 02:09:35.218" "117.56.161.248" "SENT: 221 goodbye"
"SMTPD" 3340 1248 "2017-03-16 02:12:24.213" "82.200.170.116" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1248 "2017-03-16 02:12:24.213" "82.200.170.116" "RECEIVED: QUIT"
"SMTPD" 3340 1248 "2017-03-16 02:12:24.213" "82.200.170.116" "SENT: 221 goodbye"
"SMTPD" 3340 1272 "2017-03-16 02:18:02.109" "109.226.61.122" "SENT: 220 Ourmail SMTP"
"SMTPD" 3760 1272 "2017-03-16 02:18:02.109" "109.226.61.122" "RECEIVED: QUIT"
"SMTPD" 3760 1272 "2017-03-16 02:18:02.109" "109.226.61.122" "SENT: 221 goodbye"
"SMTPD" 3340 1276 "2017-03-16 02:23:49.179" "97.101.54.96" "SENT: 220 Ourmail SMTP"
"SMTPD" 356 1276 "2017-03-16 02:23:49.179" "97.101.54.96" "RECEIVED: QUIT"
"SMTPD" 356 1276 "2017-03-16 02:23:49.179" "97.101.54.96" "SENT: 221 goodbye"
"SMTPD" 3340 1291 "2017-03-16 02:26:34.149" "79.70.254.117" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1291 "2017-03-16 02:26:34.149" "79.70.254.117" "RECEIVED: QUIT"
"SMTPD" 3340 1291 "2017-03-16 02:26:34.149" "79.70.254.117" "SENT: 221 goodbye"
"SMTPD" 3340 1307 "2017-03-16 02:29:34.158" "183.136.237.112" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 1307 "2017-03-16 02:29:34.158" "183.136.237.112" "RECEIVED: QUIT"
"SMTPD" 3996 1307 "2017-03-16 02:29:34.158" "183.136.237.112" "SENT: 221 goodbye"
"SMTPD" 3340 1309 "2017-03-16 02:32:18.145" "113.161.80.16" "SENT: 220 Ourmail SMTP"
"SMTPD" 2984 1309 "2017-03-16 02:32:18.145" "113.161.80.16" "RECEIVED: QUIT"
"SMTPD" 2984 1309 "2017-03-16 02:32:18.145" "113.161.80.16" "SENT: 221 goodbye"
"SMTPD" 3340 1321 "2017-03-16 02:34:57.172" "190.115.163.186" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 1321 "2017-03-16 02:34:57.172" "190.115.163.186" "RECEIVED: QUIT"
"SMTPD" 4264 1321 "2017-03-16 02:34:57.172" "190.115.163.186" "SENT: 221 goodbye"
"SMTPD" 3340 1327 "2017-03-16 02:37:57.213" "201.190.192.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 3696 1327 "2017-03-16 02:37:57.213" "201.190.192.24" "RECEIVED: QUIT"
"SMTPD" 3696 1327 "2017-03-16 02:37:57.213" "201.190.192.24" "SENT: 221 goodbye"
"SMTPD" 3340 1344 "2017-03-16 02:40:42.214" "197.14.14.150" "SENT: 220 Ourmail SMTP"
"SMTPD" 2944 1344 "2017-03-16 02:40:42.214" "197.14.14.150" "RECEIVED: QUIT"
"SMTPD" 2944 1344 "2017-03-16 02:40:42.214" "197.14.14.150" "SENT: 221 goodbye"
"SMTPD" 3340 1357 "2017-03-16 02:46:26.164" "61.181.245.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 1357 "2017-03-16 02:46:26.164" "61.181.245.24" "RECEIVED: QUIT"
"SMTPD" 3996 1357 "2017-03-16 02:46:26.164" "61.181.245.24" "SENT: 221 goodbye"
"SMTPD" 3340 1370 "2017-03-16 02:49:12.210" "58.62.55.140" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1370 "2017-03-16 02:49:12.210" "58.62.55.140" "RECEIVED: QUIT"
"SMTPD" 3340 1370 "2017-03-16 02:49:12.210" "58.62.55.140" "SENT: 221 goodbye"
"SMTPD" 3340 1382 "2017-03-16 02:51:55.184" "74.92.105.233" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 1382 "2017-03-16 02:51:55.184" "74.92.105.233" "RECEIVED: QUIT"
"SMTPD" 2120 1382 "2017-03-16 02:51:55.184" "74.92.105.233" "SENT: 221 goodbye"
"SMTPD" 3340 1385 "2017-03-16 02:54:59.139" "58.185.138.18" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1385 "2017-03-16 02:54:59.139" "58.185.138.18" "RECEIVED: QUIT"
"SMTPD" 3340 1385 "2017-03-16 02:54:59.139" "58.185.138.18" "SENT: 221 goodbye"
"SMTPD" 3340 1395 "2017-03-16 02:57:36.185" "190.115.163.186" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1395 "2017-03-16 02:57:36.185" "190.115.163.186" "RECEIVED: QUIT"
"SMTPD" 3340 1395 "2017-03-16 02:57:36.185" "190.115.163.186" "SENT: 221 goodbye"
"SMTPD" 3340 1404 "2017-03-16 03:00:25.189" "89.216.104.92" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1404 "2017-03-16 03:00:25.190" "89.216.104.92" "RECEIVED: QUIT"
"SMTPD" 3340 1404 "2017-03-16 03:00:25.190" "89.216.104.92" "SENT: 221 goodbye"
"SMTPD" 3340 1419 "2017-03-16 03:05:59.175" "82.200.170.116" "SENT: 220 Ourmail SMTP"
"SMTPD" 360 1419 "2017-03-16 03:05:59.175" "82.200.170.116" "RECEIVED: QUIT"
"SMTPD" 360 1419 "2017-03-16 03:05:59.175" "82.200.170.116" "SENT: 221 goodbye"
"SMTPD" 3340 1430 "2017-03-16 03:11:39.146" "112.124.76.177" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1430 "2017-03-16 03:11:39.146" "112.124.76.177" "RECEIVED: QUIT"
"SMTPD" 3340 1430 "2017-03-16 03:11:39.146" "112.124.76.177" "SENT: 221 goodbye"
"SMTPD" 3340 1487 "2017-03-16 03:25:40.190" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 1487 "2017-03-16 03:25:40.190" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 2120 1487 "2017-03-16 03:25:40.190" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 3340 1496 "2017-03-16 03:28:28.126" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 3696 1496 "2017-03-16 03:28:28.126" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 3696 1496 "2017-03-16 03:28:28.126" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 3340 1518 "2017-03-16 03:34:18.159" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 1518 "2017-03-16 03:34:18.159" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 2120 1518 "2017-03-16 03:34:18.159" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 3340 1522 "2017-03-16 03:37:04.112" "115.70.20.115" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1522 "2017-03-16 03:37:04.112" "115.70.20.115" "RECEIVED: QUIT"
"SMTPD" 3340 1522 "2017-03-16 03:37:04.112" "115.70.20.115" "SENT: 221 goodbye"
"SMTPD" 3340 1533 "2017-03-16 03:39:50.128" "115.70.20.115" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1533 "2017-03-16 03:39:50.128" "115.70.20.115" "RECEIVED: QUIT"
"SMTPD" 3340 1533 "2017-03-16 03:39:50.128" "115.70.20.115" "SENT: 221 goodbye"
"SMTPD" 3340 1540 "2017-03-16 03:42:46.190" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1540 "2017-03-16 03:42:46.190" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 3340 1540 "2017-03-16 03:42:46.190" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 3340 1556 "2017-03-16 03:45:37.150" "117.56.161.248" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1556 "2017-03-16 03:45:37.150" "117.56.161.248" "RECEIVED: QUIT"
"SMTPD" 3340 1556 "2017-03-16 03:45:37.150" "117.56.161.248" "SENT: 221 goodbye"
"SMTPD" 3340 1559 "2017-03-16 03:48:44.195" "61.181.245.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1559 "2017-03-16 03:48:44.195" "61.181.245.24" "RECEIVED: QUIT"
"SMTPD" 3340 1559 "2017-03-16 03:48:44.195" "61.181.245.24" "SENT: 221 goodbye"
"SMTPD" 3340 1568 "2017-03-16 03:51:30.132" "96.57.19.234" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1568 "2017-03-16 03:51:30.132" "96.57.19.234" "RECEIVED: QUIT"
"SMTPD" 3340 1568 "2017-03-16 03:51:30.132" "96.57.19.234" "SENT: 221 goodbye"
"SMTPD" 3340 1580 "2017-03-16 03:54:53.198" "183.136.237.112" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 1580 "2017-03-16 03:54:53.198" "183.136.237.112" "RECEIVED: QUIT"
"SMTPD" 4264 1580 "2017-03-16 03:54:53.198" "183.136.237.112" "SENT: 221 goodbye"
"SMTPD" 3340 1594 "2017-03-16 03:57:18.153" "111.93.62.210" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1594 "2017-03-16 03:57:18.153" "111.93.62.210" "RECEIVED: QUIT"
"SMTPD" 3340 1594 "2017-03-16 03:57:18.153" "111.93.62.210" "SENT: 221 goodbye"
"SMTPD" 3340 1600 "2017-03-16 04:00:06.143" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 3752 1600 "2017-03-16 04:00:06.144" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 3752 1600 "2017-03-16 04:00:06.144" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 3340 1608 "2017-03-16 04:03:07.172" "178.59.97.44" "SENT: 220 Ourmail SMTP"
"SMTPD" 4444 1608 "2017-03-16 04:03:07.172" "178.59.97.44" "RECEIVED: QUIT"
"SMTPD" 4444 1608 "2017-03-16 04:03:07.172" "178.59.97.44" "SENT: 221 goodbye"
"SMTPD" 3340 1618 "2017-03-16 04:05:58.148" "113.161.80.16" "SENT: 220 Ourmail SMTP"
"SMTPD" 4444 1618 "2017-03-16 04:05:58.148" "113.161.80.16" "RECEIVED: QUIT"
"SMTPD" 4444 1618 "2017-03-16 04:05:58.148" "113.161.80.16" "SENT: 221 goodbye"
"SMTPD" 3340 1627 "2017-03-16 04:09:03.211" "58.185.138.18" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1627 "2017-03-16 04:09:03.211" "58.185.138.18" "RECEIVED: QUIT"
"SMTPD" 3340 1627 "2017-03-16 04:09:03.211" "58.185.138.18" "SENT: 221 goodbye"
"SMTPD" 3340 1633 "2017-03-16 04:11:43.158" "222.255.167.137" "SENT: 220 Ourmail SMTP"
"SMTPD" 4700 1633 "2017-03-16 04:11:43.158" "222.255.167.137" "RECEIVED: QUIT"
"SMTPD" 4700 1633 "2017-03-16 04:11:43.158" "222.255.167.137" "SENT: 221 goodbye"
"SMTPD" 3340 1642 "2017-03-16 04:14:54.212" "59.60.28.232" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1664 "2017-03-16 04:17:35.204" "58.185.138.18" "SENT: 220 Ourmail SMTP"
"SMTPD" 2984 1664 "2017-03-16 04:17:35.204" "58.185.138.18" "RECEIVED: QUIT"
"SMTPD" 2984 1664 "2017-03-16 04:17:35.204" "58.185.138.18" "SENT: 221 goodbye"
"SMTPD" 3340 1665 "2017-03-16 04:20:29.145" "222.255.167.137" "SENT: 220 Ourmail SMTP"
"SMTPD" 4556 1665 "2017-03-16 04:20:29.145" "222.255.167.137" "RECEIVED: QUIT"
"SMTPD" 4556 1665 "2017-03-16 04:20:29.145" "222.255.167.137" "SENT: 221 goodbye"
"SMTPD" 3340 1673 "2017-03-16 04:23:15.130" "112.124.76.177" "SENT: 220 Ourmail SMTP"
"SMTPD" 2944 1673 "2017-03-16 04:23:15.130" "112.124.76.177" "RECEIVED: QUIT"
"SMTPD" 2944 1673 "2017-03-16 04:23:15.130" "112.124.76.177" "SENT: 221 goodbye"
"SMTPD" 3340 1684 "2017-03-16 04:26:11.145" "117.56.161.248" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 1684 "2017-03-16 04:26:11.145" "117.56.161.248" "RECEIVED: QUIT"
"SMTPD" 2120 1684 "2017-03-16 04:26:11.145" "117.56.161.248" "SENT: 221 goodbye"
"SMTPD" 3340 1703 "2017-03-16 04:28:59.188" "109.226.61.122" "SENT: 220 Ourmail SMTP"
"SMTPD" 360 1703 "2017-03-16 04:28:59.188" "109.226.61.122" "RECEIVED: QUIT"
"SMTPD" 360 1703 "2017-03-16 04:28:59.188" "109.226.61.122" "SENT: 221 goodbye"
"SMTPD" 3340 1704 "2017-03-16 04:32:09.165" "58.62.55.140" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1704 "2017-03-16 04:32:09.165" "58.62.55.140" "RECEIVED: QUIT"
"SMTPD" 3340 1704 "2017-03-16 04:32:09.165" "58.62.55.140" "SENT: 221 goodbye"
"SMTPD" 3340 1721 "2017-03-16 04:37:43.115" "82.200.170.116" "SENT: 220 Ourmail SMTP"
"SMTPD" 3752 1721 "2017-03-16 04:37:43.115" "82.200.170.116" "RECEIVED: QUIT"
"SMTPD" 3752 1721 "2017-03-16 04:37:43.115" "82.200.170.116" "SENT: 221 goodbye"
"SMTPD" 3340 1739 "2017-03-16 04:40:37.180" "197.14.14.150" "SENT: 220 Ourmail SMTP"
"SMTPD" 2564 1739 "2017-03-16 04:40:37.180" "197.14.14.150" "RECEIVED: QUIT"
"SMTPD" 2564 1739 "2017-03-16 04:40:37.180" "197.14.14.150" "SENT: 221 goodbye"
"SMTPD" 3340 1742 "2017-03-16 04:43:35.145" "115.70.20.115" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1742 "2017-03-16 04:43:35.145" "115.70.20.115" "RECEIVED: QUIT"
"SMTPD" 3340 1742 "2017-03-16 04:43:35.145" "115.70.20.115" "SENT: 221 goodbye"
"SMTPD" 3340 1751 "2017-03-16 04:46:38.196" "117.56.161.248" "SENT: 220 Ourmail SMTP"
"SMTPD" 4556 1751 "2017-03-16 04:46:38.196" "117.56.161.248" "RECEIVED: QUIT"
"SMTPD" 4556 1751 "2017-03-16 04:46:38.196" "117.56.161.248" "SENT: 221 goodbye"
"SMTPD" 3340 1760 "2017-03-16 04:49:28.143" "58.19.180.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2944 1760 "2017-03-16 04:49:28.143" "58.19.180.138" "RECEIVED: QUIT"
"SMTPD" 2944 1760 "2017-03-16 04:49:28.143" "58.19.180.138" "SENT: 221 goodbye"
"SMTPD" 3340 1776 "2017-03-16 04:52:27.200" "109.226.61.122" "SENT: 220 Ourmail SMTP"
"SMTPD" 3340 1776 "2017-03-16 04:52:27.200" "109.226.61.122" "RECEIVED: QUIT"
"SMTPD" 3340 1776 "2017-03-16 04:52:27.200" "109.226.61.122" "SENT: 221 goodbye"
"SMTPD" 3340 1792 "2017-03-16 04:58:07.202" "80.152.209.142" "SENT: 220 Ourmail SMTP"
"SMTPD" 4568 1792 "2017-03-16 04:58:07.202" "80.152.209.142" "RECEIVED: QUIT"
"SMTPD" 4568 1792 "2017-03-16 04:58:07.202" "80.152.209.142" "SENT: 221 goodbye"
"SMTPD" 3340 1798 "2017-03-16 05:01:04.112" "222.255.167.137" "SENT: 220 Ourmail SMTP"
"SMTPD" 2564 1798 "2017-03-16 05:01:04.112" "222.255.167.137" "RECEIVED: QUIT"
"SMTPD" 2564 1798 "2017-03-16 05:01:04.113" "222.255.167.137" "SENT: 221 goodbye"
"SMTPD" 2984 1806 "2017-03-16 05:04:10.165" "58.185.138.18" "SENT: 220 Ourmail SMTP"
"SMTPD" 4700 1806 "2017-03-16 05:04:10.165" "58.185.138.18" "RECEIVED: QUIT"
"SMTPD" 4700 1806 "2017-03-16 05:04:10.165" "58.185.138.18" "SENT: 221 goodbye"
"SMTPD" 2984 1819 "2017-03-16 05:07:06.118" "222.255.167.137" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 1819 "2017-03-16 05:07:06.118" "222.255.167.137" "RECEIVED: QUIT"
"SMTPD" 1992 1819 "2017-03-16 05:07:06.118" "222.255.167.137" "SENT: 221 goodbye"
"SMTPD" 2984 1828 "2017-03-16 05:10:13.177" "200.41.170.131" "SENT: 220 Ourmail SMTP"
"SMTPD" 2984 1828 "2017-03-16 05:10:13.177" "200.41.170.131" "RECEIVED: QUIT"
"SMTPD" 2984 1828 "2017-03-16 05:10:13.177" "200.41.170.131" "SENT: 221 goodbye"
"SMTPD" 2984 1843 "2017-03-16 05:13:24.154" "111.93.62.210" "SENT: 220 Ourmail SMTP"
"SMTPD" 2984 1843 "2017-03-16 05:13:24.154" "111.93.62.210" "RECEIVED: QUIT"
"SMTPD" 2984 1843 "2017-03-16 05:13:24.154" "111.93.62.210" "SENT: 221 goodbye"
"SMTPD" 2984 1848 "2017-03-16 05:16:19.124" "74.92.63.173" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 1848 "2017-03-16 05:16:19.124" "74.92.63.173" "RECEIVED: QUIT"
"SMTPD" 2120 1848 "2017-03-16 05:16:19.124" "74.92.63.173" "SENT: 221 goodbye"
"SMTPD" 2984 1862 "2017-03-16 05:19:28.149" "178.59.97.44" "SENT: 220 Ourmail SMTP"
"SMTPD" 2984 1862 "2017-03-16 05:19:28.149" "178.59.97.44" "RECEIVED: QUIT"
"SMTPD" 2984 1862 "2017-03-16 05:19:28.149" "178.59.97.44" "SENT: 221 goodbye"
"SMTPD" 2984 1874 "2017-03-16 05:22:41.153" "67.52.138.42" "SENT: 220 Ourmail SMTP"
"SMTPD" 3628 1874 "2017-03-16 05:22:41.153" "67.52.138.42" "RECEIVED: QUIT"
"SMTPD" 3628 1874 "2017-03-16 05:22:41.153" "67.52.138.42" "SENT: 221 goodbye"
"SMTPD" 3996 1882 "2017-03-16 05:25:34.126" "58.185.138.18" "SENT: 220 Ourmail SMTP"
"SMTPD" 4568 1882 "2017-03-16 05:25:34.126" "58.185.138.18" "RECEIVED: QUIT"
"SMTPD" 4568 1882 "2017-03-16 05:25:34.126" "58.185.138.18" "SENT: 221 goodbye"
"SMTPD" 3996 1891 "2017-03-16 05:31:48.199" "183.136.237.112" "SENT: 220 Ourmail SMTP"
"SMTPD" 4444 1891 "2017-03-16 05:31:48.199" "183.136.237.112" "RECEIVED: QUIT"
"SMTPD" 4444 1891 "2017-03-16 05:31:48.199" "183.136.237.112" "SENT: 221 goodbye"
"SMTPD" 3996 1916 "2017-03-16 05:34:51.172" "190.115.163.186" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 1916 "2017-03-16 05:34:51.172" "190.115.163.186" "RECEIVED: QUIT"
"SMTPD" 3996 1916 "2017-03-16 05:34:51.172" "190.115.163.186" "SENT: 221 goodbye"
"SMTPD" 3996 1920 "2017-03-16 05:38:01.180" "201.190.192.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 360 1920 "2017-03-16 05:38:01.180" "201.190.192.24" "RECEIVED: QUIT"
"SMTPD" 360 1920 "2017-03-16 05:38:01.180" "201.190.192.24" "SENT: 221 goodbye"
"SMTPD" 3996 1927 "2017-03-16 05:41:07.211" "80.152.209.142" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 1927 "2017-03-16 05:41:07.211" "80.152.209.142" "RECEIVED: QUIT"
"SMTPD" 3996 1927 "2017-03-16 05:41:07.211" "80.152.209.142" "SENT: 221 goodbye"
"SMTPD" 3996 1951 "2017-03-16 05:47:13.172" "58.19.180.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 1951 "2017-03-16 05:47:13.172" "58.19.180.138" "RECEIVED: QUIT"
"SMTPD" 3996 1951 "2017-03-16 05:47:13.172" "58.19.180.138" "SENT: 221 goodbye"
"SMTPD" 3996 1959 "2017-03-16 05:50:17.127" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 4792 1959 "2017-03-16 05:50:17.127" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 4792 1959 "2017-03-16 05:50:17.127" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 3996 1970 "2017-03-16 05:53:39.163" "61.181.245.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 1970 "2017-03-16 05:53:39.163" "61.181.245.24" "RECEIVED: QUIT"
"SMTPD" 3996 1970 "2017-03-16 05:53:39.163" "61.181.245.24" "SENT: 221 goodbye"
"SMTPD" 3996 1991 "2017-03-16 05:57:06.113" "82.151.83.127" "SENT: 220 Ourmail SMTP"
"SMTPD" 3696 1991 "2017-03-16 05:57:06.113" "82.151.83.127" "RECEIVED: QUIT"
"SMTPD" 3696 1991 "2017-03-16 05:57:06.113" "82.151.83.127" "SENT: 221 goodbye"
"SMTPD" 3996 1995 "2017-03-16 06:00:02.175" "197.14.14.150" "SENT: 220 Ourmail SMTP"
"SMTPD" 3760 1995 "2017-03-16 06:00:02.175" "197.14.14.150" "RECEIVED: QUIT"
"SMTPD" 3760 1995 "2017-03-16 06:00:02.175" "197.14.14.150" "SENT: 221 goodbye"
"SMTPD" 3996 2014 "2017-03-16 06:06:23.172" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 4792 2014 "2017-03-16 06:06:23.172" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 4792 2014 "2017-03-16 06:06:23.172" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 1992 2024 "2017-03-16 06:09:39.218" "89.216.104.92" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2024 "2017-03-16 06:09:39.218" "89.216.104.92" "RECEIVED: QUIT"
"SMTPD" 1992 2024 "2017-03-16 06:09:39.218" "89.216.104.92" "SENT: 221 goodbye"
"SMTPD" 1992 2037 "2017-03-16 06:12:52.128" "74.92.63.173" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2037 "2017-03-16 06:12:52.128" "74.92.63.173" "RECEIVED: QUIT"
"SMTPD" 1992 2037 "2017-03-16 06:12:52.128" "74.92.63.173" "SENT: 221 goodbye"
"SMTPD" 1992 2043 "2017-03-16 06:16:14.164" "117.56.161.248" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2043 "2017-03-16 06:16:14.164" "117.56.161.248" "RECEIVED: QUIT"
"SMTPD" 1992 2043 "2017-03-16 06:16:14.164" "117.56.161.248" "SENT: 221 goodbye"
"SMTPD" 1992 2061 "2017-03-16 06:19:29.180" "67.52.138.42" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2061 "2017-03-16 06:19:29.180" "67.52.138.42" "RECEIVED: QUIT"
"SMTPD" 1992 2061 "2017-03-16 06:19:29.180" "67.52.138.42" "SENT: 221 goodbye"
"SMTPD" 1992 2068 "2017-03-16 06:22:40.155" "221.132.28.29" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 2068 "2017-03-16 06:22:40.155" "221.132.28.29" "RECEIVED: QUIT"
"SMTPD" 4264 2068 "2017-03-16 06:22:40.155" "221.132.28.29" "SENT: 221 goodbye"
"SMTPD" 1992 2081 "2017-03-16 06:25:52.192" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 2081 "2017-03-16 06:25:52.192" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 4264 2081 "2017-03-16 06:25:52.192" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 1992 2097 "2017-03-16 06:29:14.196" "89.216.104.92" "SENT: 220 Ourmail SMTP"
"SMTPD" 3760 2097 "2017-03-16 06:29:14.196" "89.216.104.92" "RECEIVED: QUIT"
"SMTPD" 3760 2097 "2017-03-16 06:29:14.196" "89.216.104.92" "SENT: 221 goodbye"
"SMTPD" 1992 2101 "2017-03-16 06:32:33.112" "111.56.57.110" "SENT: 220 Ourmail SMTP"
"SMTPD" 3628 2101 "2017-03-16 06:32:33.112" "111.56.57.110" "RECEIVED: QUIT"
"SMTPD" 3628 2101 "2017-03-16 06:32:33.112" "111.56.57.110" "SENT: 221 goodbye"
"SMTPD" 1992 2132 "2017-03-16 06:39:21.147" "210.239.210.80" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 2132 "2017-03-16 06:39:21.147" "210.239.210.80" "RECEIVED: QUIT"
"SMTPD" 3996 2132 "2017-03-16 06:39:21.147" "210.239.210.80" "SENT: 221 goodbye"
"SMTPD" 1992 2137 "2017-03-16 06:42:38.128" "113.161.80.16" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2137 "2017-03-16 06:42:38.128" "113.161.80.16" "RECEIVED: QUIT"
"SMTPD" 1992 2137 "2017-03-16 06:42:38.128" "113.161.80.16" "SENT: 221 goodbye"
"SMTPD" 1992 2143 "2017-03-16 06:46:04.204" "200.41.170.131" "SENT: 220 Ourmail SMTP"
"SMTPD" 4444 2143 "2017-03-16 06:46:04.204" "200.41.170.131" "RECEIVED: QUIT"
"SMTPD" 4444 2143 "2017-03-16 06:46:04.204" "200.41.170.131" "SENT: 221 goodbye"
"SMTPD" 1992 2155 "2017-03-16 06:49:27.114" "201.190.192.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2155 "2017-03-16 06:49:27.114" "201.190.192.24" "RECEIVED: QUIT"
"SMTPD" 1992 2155 "2017-03-16 06:49:27.114" "201.190.192.24" "SENT: 221 goodbye"
"SMTPD" 1992 2171 "2017-03-16 06:52:49.197" "184.68.15.58" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2171 "2017-03-16 06:52:49.197" "184.68.15.58" "RECEIVED: QUIT"
"SMTPD" 2120 2171 "2017-03-16 06:52:49.197" "184.68.15.58" "SENT: 221 goodbye"
"SMTPD" 1992 2179 "2017-03-16 06:55:49.191" "59.60.28.232" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2187 "2017-03-16 06:59:16.188" "200.41.170.131" "SENT: 220 Ourmail SMTP"
"SMTPD" 4556 2187 "2017-03-16 06:59:16.188" "200.41.170.131" "RECEIVED: QUIT"
"SMTPD" 4556 2187 "2017-03-16 06:59:16.188" "200.41.170.131" "SENT: 221 goodbye"
"SMTPD" 1992 2206 "2017-03-16 07:02:27.113" "197.14.14.150" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2206 "2017-03-16 07:02:27.113" "197.14.14.150" "RECEIVED: QUIT"
"SMTPD" 1992 2206 "2017-03-16 07:02:27.113" "197.14.14.150" "SENT: 221 goodbye"
"SMTPD" 1992 2212 "2017-03-16 07:05:34.204" "74.92.105.233" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2212 "2017-03-16 07:05:34.204" "74.92.105.233" "RECEIVED: QUIT"
"SMTPD" 1992 2212 "2017-03-16 07:05:34.204" "74.92.105.233" "SENT: 221 goodbye"
"SMTPD" 1992 2230 "2017-03-16 07:08:51.216" "58.185.138.18" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2230 "2017-03-16 07:08:51.216" "58.185.138.18" "RECEIVED: QUIT"
"SMTPD" 1992 2230 "2017-03-16 07:08:51.216" "58.185.138.18" "SENT: 221 goodbye"
"SMTPD" 1992 2257 "2017-03-16 07:15:20.156" "163.13.134.152" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2257 "2017-03-16 07:15:20.156" "163.13.134.152" "RECEIVED: QUIT"
"SMTPD" 1992 2257 "2017-03-16 07:15:20.156" "163.13.134.152" "SENT: 221 goodbye"
"SMTPD" 1992 2266 "2017-03-16 07:18:24.205" "200.41.170.131" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2266 "2017-03-16 07:18:24.205" "200.41.170.131" "RECEIVED: QUIT"
"SMTPD" 1992 2266 "2017-03-16 07:18:24.205" "200.41.170.131" "SENT: 221 goodbye"
"SMTPD" 1992 2282 "2017-03-16 07:21:36.148" "117.56.161.248" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2282 "2017-03-16 07:21:36.148" "117.56.161.248" "RECEIVED: QUIT"
"SMTPD" 1992 2282 "2017-03-16 07:21:36.148" "117.56.161.248" "SENT: 221 goodbye"
"SMTPD" 1992 2293 "2017-03-16 07:24:50.134" "80.152.209.142" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2293 "2017-03-16 07:24:50.134" "80.152.209.142" "RECEIVED: QUIT"
"SMTPD" 1992 2293 "2017-03-16 07:24:50.134" "80.152.209.142" "SENT: 221 goodbye"
"SMTPD" 1992 2310 "2017-03-16 07:31:17.140" "201.190.192.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2310 "2017-03-16 07:31:17.140" "201.190.192.24" "RECEIVED: QUIT"
"SMTPD" 1992 2310 "2017-03-16 07:31:17.140" "201.190.192.24" "SENT: 221 goodbye"
"SMTPD" 1992 2329 "2017-03-16 07:34:32.109" "97.101.54.96" "SENT: 220 Ourmail SMTP"
"SMTPD" 1860 2329 "2017-03-16 07:34:32.109" "97.101.54.96" "RECEIVED: QUIT"
"SMTPD" 1860 2329 "2017-03-16 07:34:32.109" "97.101.54.96" "SENT: 221 goodbye"
"SMTPD" 1992 2331 "2017-03-16 07:37:43.178" "222.255.167.137" "SENT: 220 Ourmail SMTP"
"SMTPD" 360 2331 "2017-03-16 07:37:43.178" "222.255.167.137" "RECEIVED: QUIT"
"SMTPD" 360 2331 "2017-03-16 07:37:43.178" "222.255.167.137" "SENT: 221 goodbye"
"SMTPD" 1992 2341 "2017-03-16 07:40:54.154" "197.14.14.150" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2341 "2017-03-16 07:40:54.154" "197.14.14.150" "RECEIVED: QUIT"
"SMTPD" 1992 2341 "2017-03-16 07:40:54.154" "197.14.14.150" "SENT: 221 goodbye"
"SMTPD" 1992 2349 "2017-03-16 07:44:17.126" "183.136.237.112" "SENT: 220 Ourmail SMTP"
"SMTPD" 1860 2349 "2017-03-16 07:44:17.126" "183.136.237.112" "RECEIVED: QUIT"
"SMTPD" 1860 2349 "2017-03-16 07:44:17.126" "183.136.237.112" "SENT: 221 goodbye"
"SMTPD" 2120 2364 "2017-03-16 07:50:35.178" "111.93.62.210" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 2364 "2017-03-16 07:50:35.178" "111.93.62.210" "RECEIVED: QUIT"
"SMTPD" 4264 2364 "2017-03-16 07:50:35.178" "111.93.62.210" "SENT: 221 goodbye"
"SMTPD" 2120 2387 "2017-03-16 07:53:48.181" "184.68.15.58" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2387 "2017-03-16 07:53:48.181" "184.68.15.58" "RECEIVED: QUIT"
"SMTPD" 2120 2387 "2017-03-16 07:53:48.181" "184.68.15.58" "SENT: 221 goodbye"
"SMTPD" 2120 2406 "2017-03-16 07:57:07.144" "97.101.54.96" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2406 "2017-03-16 07:57:07.144" "97.101.54.96" "RECEIVED: QUIT"
"SMTPD" 2120 2406 "2017-03-16 07:57:07.144" "97.101.54.96" "SENT: 221 goodbye"
"SMTPD" 2120 2410 "2017-03-16 08:00:18.112" "115.70.20.115" "SENT: 220 Ourmail SMTP"
"SMTPD" 2944 2410 "2017-03-16 08:00:18.112" "115.70.20.115" "RECEIVED: QUIT"
"SMTPD" 2944 2410 "2017-03-16 08:00:18.113" "115.70.20.115" "SENT: 221 goodbye"
"SMTPD" 2120 2423 "2017-03-16 08:03:26.186" "190.115.163.186" "SENT: 220 Ourmail SMTP"
"SMTPD" 1992 2423 "2017-03-16 08:03:26.186" "190.115.163.186" "RECEIVED: QUIT"
"SMTPD" 1992 2423 "2017-03-16 08:03:26.186" "190.115.163.186" "SENT: 221 goodbye"
"SMTPD" 2120 2443 "2017-03-16 08:06:41.218" "190.115.163.186" "SENT: 220 Ourmail SMTP"
"SMTPD" 4556 2443 "2017-03-16 08:06:41.218" "190.115.163.186" "RECEIVED: QUIT"
"SMTPD" 4556 2443 "2017-03-16 08:06:41.218" "190.115.163.186" "SENT: 221 goodbye"
"SMTPD" 2120 2444 "2017-03-16 08:09:58.137" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2444 "2017-03-16 08:09:58.137" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 2120 2444 "2017-03-16 08:09:58.137" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 2120 2481 "2017-03-16 08:19:43.200" "111.93.62.210" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2481 "2017-03-16 08:19:43.200" "111.93.62.210" "RECEIVED: QUIT"
"SMTPD" 2120 2481 "2017-03-16 08:19:43.200" "111.93.62.210" "SENT: 221 goodbye"
"SMTPD" 2120 2493 "2017-03-16 08:22:54.176" "96.57.19.234" "SENT: 220 Ourmail SMTP"
"SMTPD" 2984 2493 "2017-03-16 08:22:54.176" "96.57.19.234" "RECEIVED: QUIT"
"SMTPD" 2984 2493 "2017-03-16 08:22:54.176" "96.57.19.234" "SENT: 221 goodbye"
"SMTPD" 2120 2502 "2017-03-16 08:26:07.148" "111.56.57.110" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2502 "2017-03-16 08:26:07.148" "111.56.57.110" "RECEIVED: QUIT"
"SMTPD" 2120 2502 "2017-03-16 08:26:07.148" "111.56.57.110" "SENT: 221 goodbye"
"SMTPD" 2120 2522 "2017-03-16 08:29:15.160" "78.131.87.207" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2522 "2017-03-16 08:29:15.160" "78.131.87.207" "RECEIVED: QUIT"
"SMTPD" 2120 2522 "2017-03-16 08:29:15.160" "78.131.87.207" "SENT: 221 goodbye"
"SMTPD" 2120 2525 "2017-03-16 08:32:38.179" "115.70.20.115" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2525 "2017-03-16 08:32:38.179" "115.70.20.115" "RECEIVED: QUIT"
"SMTPD" 2120 2525 "2017-03-16 08:32:38.179" "115.70.20.115" "SENT: 221 goodbye"
"SMTPD" 2120 2536 "2017-03-16 08:35:55.207" "222.255.167.137" "SENT: 220 Ourmail SMTP"
"SMTPD" 4604 2536 "2017-03-16 08:35:55.207" "222.255.167.137" "RECEIVED: QUIT"
"SMTPD" 4604 2536 "2017-03-16 08:35:55.207" "222.255.167.137" "SENT: 221 goodbye"
"SMTPD" 2120 2544 "2017-03-16 08:39:15.121" "201.190.192.24" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 2544 "2017-03-16 08:39:15.121" "201.190.192.24" "RECEIVED: QUIT"
"SMTPD" 2120 2544 "2017-03-16 08:39:15.121" "201.190.192.24" "SENT: 221 goodbye"
"SMTPD" 1860 2560 "2017-03-16 08:42:25.162" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 3628 2560 "2017-03-16 08:42:25.162" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 3628 2560 "2017-03-16 08:42:25.162" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 1860 2571 "2017-03-16 08:45:39.195" "74.92.105.233" "SENT: 220 Ourmail SMTP"
"SMTPD" 3628 2571 "2017-03-16 08:45:39.195" "74.92.105.233" "RECEIVED: QUIT"
"SMTPD" 3628 2571 "2017-03-16 08:45:39.195" "74.92.105.233" "SENT: 221 goodbye"
"SMTPD" 1860 2581 "2017-03-16 08:49:00.154" "97.101.54.96" "SENT: 220 Ourmail SMTP"
"SMTPD" 3376 2581 "2017-03-16 08:49:00.154" "97.101.54.96" "RECEIVED: QUIT"
"SMTPD" 3376 2581 "2017-03-16 08:49:00.154" "97.101.54.96" "SENT: 221 goodbye"
"SMTPD" 1860 2594 "2017-03-16 08:52:12.113" "79.70.254.117" "SENT: 220 Ourmail SMTP"
"SMTPD" 1860 2594 "2017-03-16 08:52:12.113" "79.70.254.117" "RECEIVED: QUIT"
"SMTPD" 1860 2594 "2017-03-16 08:52:12.113" "79.70.254.117" "SENT: 221 goodbye"
"SMTPD" 1860 2601 "2017-03-16 08:55:25.163" "217.111.170.217" "SENT: 220 Ourmail SMTP"
"SMTPD" 1860 2601 "2017-03-16 08:55:25.163" "217.111.170.217" "RECEIVED: QUIT"
"SMTPD" 1860 2601 "2017-03-16 08:55:25.163" "217.111.170.217" "SENT: 221 goodbye"
"SMTPD" 1860 2608 "2017-03-16 08:58:34.126" "221.132.28.29" "SENT: 220 Ourmail SMTP"
"SMTPD" 1860 2608 "2017-03-16 08:58:34.126" "221.132.28.29" "RECEIVED: QUIT"
"SMTPD" 1860 2608 "2017-03-16 08:58:34.126" "221.132.28.29" "SENT: 221 goodbye"
"SMTPD" 1860 2625 "2017-03-16 09:02:01.114" "113.161.80.16" "SENT: 220 Ourmail SMTP"
"SMTPD" 1860 2625 "2017-03-16 09:02:01.114" "113.161.80.16" "RECEIVED: QUIT"
"SMTPD" 1860 2625 "2017-03-16 09:02:01.115" "113.161.80.16" "SENT: 221 goodbye"[/code]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 19460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Post by mattg » 2017-03-16 17:29

Yep, I've implemented the 20 second delay on port 25 too.

Most bots just drop the connection as soon as they notice that there is any delay. I saw one hold for 16 seconds before dropping but that is the exception not the rule. Most drop almost instantly when the delay starts.
I'm thinking of scanning my logs automatically for these and adding the IP address to my AutoBAN (or better, directly to my firewall appliance block list).
Great idea, thanks SorenR :mrgreen:
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
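
The automatic log scan proposed in the post above could look like this; it is an added example, not code from the thread or from hMailServer. It generalises the 3-line pattern to any session that ends in QUIT without ever issuing mail commands, and clears an address's count once it sends mail. Assumptions: the sample lines are constructed (documentation IP ranges), the function names and the 90-minute window are choices made for this example, and only the field layout is taken from the log excerpts in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Layout as in the excerpts posted in this thread:
# "SMTPD" <thread id> <session id> "<timestamp>" "<client IP>" "<SENT:/RECEIVED: text>"
LINE_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+'
    r'"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"\s*$'
)
HARMLESS_VERBS = {"HELO", "EHLO", "QUIT"}

# Constructed sample, not taken from anyone's server. Session 102 is logged
# out of order and thread ids change inside session 101, as in the real excerpts.
SAMPLE_LOG = '''\
"TCPIP" 2120 "2017-03-16 08:00:00.100" "TCP - 192.0.2.10 connected to 203.0.113.1:25."
"SMTPD" 2120 101 "2017-03-16 08:00:00.112" "192.0.2.10" "SENT: 220 Ourmail SMTP"
"SMTPD" 2944 101 "2017-03-16 08:00:00.112" "192.0.2.10" "RECEIVED: QUIT"
"SMTPD" 2944 101 "2017-03-16 08:00:00.113" "192.0.2.10" "SENT: 221 goodbye"
"SMTPD" 2120 201 "2017-03-16 08:01:00.150" "198.51.100.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 201 "2017-03-16 08:01:00.150" "198.51.100.7" "RECEIVED: QUIT"
"SMTPD" 2120 201 "2017-03-16 08:01:00.150" "198.51.100.7" "SENT: 221 goodbye"
"SMTPD" 2120 102 "2017-03-16 08:03:10.186" "192.0.2.10" "SENT: 221 goodbye"
"SMTPD" 2120 102 "2017-03-16 08:03:10.186" "192.0.2.10" "RECEIVED: QUIT"
"SMTPD" 2120 102 "2017-03-16 08:03:10.170" "192.0.2.10" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 202 "2017-03-16 08:04:00.150" "198.51.100.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 202 "2017-03-16 08:04:00.150" "198.51.100.7" "RECEIVED: QUIT"
"SMTPD" 2120 202 "2017-03-16 08:04:00.150" "198.51.100.7" "SENT: 221 goodbye"
"SMTPD" 2120 103 "2017-03-16 08:06:20.201" "192.0.2.10" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 103 "2017-03-16 08:06:20.201" "192.0.2.10" "RECEIVED: QUIT"
"SMTPD" 2120 103 "2017-03-16 08:06:20.201" "192.0.2.10" "SENT: 221 goodbye"
"SMTPD" 2120 203 "2017-03-16 08:07:00.150" "198.51.100.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 203 "2017-03-16 08:07:00.210" "198.51.100.7" "RECEIVED: EHLO mail.example.net"
"SMTPD" 2120 203 "2017-03-16 08:07:00.290" "198.51.100.7" "RECEIVED: QUIT"
"SMTPD" 2120 203 "2017-03-16 08:07:00.290" "198.51.100.7" "SENT: 221 goodbye"
"SMTPD" 2120 104 "2017-03-16 08:09:30.144" "192.0.2.10" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 104 "2017-03-16 08:09:30.144" "192.0.2.10" "RECEIVED: QUIT"
"SMTPD" 2120 104 "2017-03-16 08:09:30.144" "192.0.2.10" "SENT: 221 goodbye"
"SMTPD" 2120 204 "2017-03-16 08:10:00.150" "198.51.100.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 204 "2017-03-16 08:10:00.210" "198.51.100.7" "RECEIVED: EHLO mail.example.net"
"SMTPD" 2120 204 "2017-03-16 08:10:00.300" "198.51.100.7" "RECEIVED: MAIL FROM:<a@example.net>"
"SMTPD" 2120 204 "2017-03-16 08:10:00.400" "198.51.100.7" "RECEIVED: RCPT TO:<b@example.org>"
"SMTPD" 2120 204 "2017-03-16 08:10:00.500" "198.51.100.7" "RECEIVED: DATA"
"SMTPD" 2120 204 "2017-03-16 08:10:01.900" "198.51.100.7" "RECEIVED: QUIT"
"SMTPD" 2120 205 "2017-03-16 08:13:00.150" "198.51.100.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 2120 205 "2017-03-16 08:13:00.150" "198.51.100.7" "RECEIVED: QUIT"
"SMTPD" 2120 205 "2017-03-16 08:13:00.150" "198.51.100.7" "SENT: 221 goodbye"
'''


def parse_sessions(log_text):
    """Group SMTPD lines by (session id, client IP); return sessions oldest first."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other log types and blank lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        s = sessions.setdefault((m["session"], m["ip"]),
                                {"ip": m["ip"], "start": ts, "verbs": set()})
        s["start"] = min(s["start"], ts)  # lines are not always in time order
        if m["msg"].startswith("RECEIVED: "):
            words = m["msg"][len("RECEIVED: "):].split()
            if words:
                s["verbs"].add(words[0].upper())
    return sorted(sessions.values(), key=lambda s: s["start"])


def find_probers(log_text, hit_count=3, window=timedelta(minutes=90)):
    """Return {ip: time of the probe that exceeded hit_count inside the window}."""
    recent = defaultdict(list)  # ip -> start times of its recent probe sessions
    flagged = {}
    for s in parse_sessions(log_text):
        ip = s["ip"]
        if "DATA" in s["verbs"]:
            recent[ip].clear()  # the client sent mail, so forget earlier probes
        elif "QUIT" in s["verbs"] and s["verbs"] <= HARMLESS_VERBS:
            hits = [t for t in recent[ip] if s["start"] - t <= window]
            hits.append(s["start"])
            recent[ip] = hits
            if len(hits) > hit_count and ip not in flagged:
                flagged[ip] = s["start"]
    return flagged


if __name__ == "__main__":
    for ip, when in find_probers(SAMPLE_LOG).items():
        print(f"{ip} exceeded the probe limit at {when}")
```

The returned addresses are candidates for an AutoBan entry or a firewall block list; raising `hit_count` trades slower banning for fewer false positives on busy legitimate senders.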

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Post by SorenR » 2017-03-17 00:22

[quote="jimimaseye"](The 3-line probing is continuing in vengeance though:)[/quote]
VERY early alpha test of IDS detection. Currently it uses a Jet 4.0 database but I presume it could be changed to MSSQL or MySQL if needed.

Notice I have commented out the 20 second wait for now as I'm assessing execution times. Oh and my editor is 130 char width :wink:

Parameters: Look for the big arrow :mrgreen:
Database: Autocreated if missing 8)
HitCount = number of "hits" accepted before AutoBan

[code]Option Explicit

' ******************************************************************************************************************************
' ********** Settings **********
' ******************************************************************************************************************************

' COM authentication
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "Secret" ' <=========<<<<<

' ******************************************************************************************************************************
' ********** Functions **********
' ******************************************************************************************************************************

Function Wait(sec)
   With CreateObject("WScript.Shell")
      .Run "timeout /T " & Int(sec), 0, True
'     .Run "sleep -m " & Int(sec * 1000), 0, True
'     .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
   End With
End Function

Function LockFile(strPath)
   Const Append = 8
   Const Unicode = -1
   Dim oFile, i, iErr, sErrSource, sErrDescription
   With CreateObject("Scripting.FileSystemObject")
      For i = 0 To 30
         On Error Resume Next
         Set oFile = .OpenTextFile(strPath, Append, True, Unicode)
         ' Keep the error details: On Error Goto 0 resets the Err object
         iErr = Err.Number
         sErrSource = Err.Source
         sErrDescription = Err.Description
         On Error Goto 0
         If (Not iErr = 70) Then
            If (iErr = 0) Then Set LockFile = oFile
            Exit For
         End If
         Wait(1)
      Next
   End With
   Set oFile = Nothing
   If (iErr = 70) Then
      EventLog.Write("ERROR: EventHandlers.vbs")
      EventLog.Write("File " & strPath & " is locked and timeout was exceeded.")
   ElseIf (iErr <> 0) Then
      EventLog.Write("ERROR: EventHandlers.vbs : Function LockFile")
      EventLog.Write("Error : " & iErr)
      EventLog.Write("Error (hex) : 0x" & Hex(iErr))
      EventLog.Write("Source : " & sErrSource)
      EventLog.Write("Description : " & sErrDescription)
   End If
End Function

' ******************************************************************************************************************************
' ********** Subroutines **********
' ******************************************************************************************************************************

Sub AutoBan(sIPAddress, sReason, iDuration, sType)

   ' sType can be one of the following;
   '
   ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second

   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   With LockFile("c:\hmailserver\temp\autoban.lck") ' <=========<<<<<
      On Error Resume Next
      oApp.Settings.SecurityRanges.Refresh
      If (oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing) Then
         With oApp.Settings.SecurityRanges.Add
            .Name = "(" & sReason & ") " & sIPAddress
            .LowerIP = sIPAddress
            .UpperIP = sIPAddress
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd(sType, iDuration, Now())
            .Save
         End With
      End If
      On Error Goto 0
      .Close
   End With
End Sub

' ******************************************************************************************************************************
' ********** hMailServer IDS Code **********
' ******************************************************************************************************************************

Function IDSCreate(Datafile)
   Dim oCat, oConn
   Set oCat = CreateObject("ADOX.Catalog")
   oCat.Create "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & DataFile
   Set oConn = CreateObject("ADODB.Connection")
   oConn.Open "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & DataFile
   oConn.Execute "CREATE TABLE ids(ID COUNTER,IPAddress TEXT(255),HitCount INTEGER)"
End Function

Function IDSCheck(IPAddress)
   Const FilePath = "C:\hMailServer\Temp\ids.mdb" ' <=========<<<<<
   Const OpenStatic = 3
   Const LockOptimistic = 3
   Const HitCount = 3 ' <=========<<<<<

   Dim oConn, oRecord, strSQL, IsEOF
   Set oConn = CreateObject("ADODB.Connection")
   Set oRecord = CreateObject("ADODB.Recordset")

   ' Check if JET 4.0 DB exists
   On Error Resume Next
   oConn.Open "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & FilePath
   If Err.Number <> 0 Then
      IDSCreate(FilePath)
   End If
   On Error Goto 0

   ' Check if connecting IPAddress is known
   strSQL = "SELECT * FROM ids WHERE IPAddress = '" & IPAddress & "'"
   oRecord.Open strSQL, oConn, OpenStatic, LockOptimistic
   IsEOF = oRecord.EOF
   oRecord.Close
   If IsEOF = 0 Then

      ' IPAddress is known - bump counter
      strSQL = "UPDATE ids SET HitCount = (HitCount + 1) WHERE IPAddress = '" & IPAddress & "'"
      oRecord.Open strSQL, oConn, OpenStatic, LockOptimistic
   Else

      ' IPAddress is NEW!
      strSQL = "INSERT INTO ids (IPAddress, HitCount) VALUES ('" & IPAddress & "'," & 1 & ")"
      oRecord.Open strSQL, oConn, OpenStatic, LockOptimistic
   End If
   IDSCheck = False

   ' Should we flag to kill connection and remove record?
   strSQL = "SELECT * FROM ids WHERE HitCount > " & HitCount & " AND IPAddress = '" & IPAddress & "'"
   oRecord.Open strSQL, oConn, OpenStatic, LockOptimistic
   IsEOF = oRecord.EOF
   oRecord.Close
   If IsEOF = 0 Then
      IDSCheck = True
      IDSDelete(IPAddress)
   End If
End Function

Function IDSDelete(IPAddress)
   Const FilePath = "C:\hMailServer\Temp\ids.mdb" ' <=========<<<<<
   Const OpenStatic = 3
   Const LockOptimistic = 3
   Dim oConn, oRecord, strSQL, IsEOF
   Set oConn = CreateObject("ADODB.Connection")
   Set oRecord = CreateObject("ADODB.Recordset")
   oConn.Open "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & FilePath
   strSQL = "DELETE * FROM ids WHERE IPAddress = '" & IPAddress & "'"
   oRecord.Open strSQL, oConn, OpenStatic, LockOptimistic
End Function

' ******************************************************************************************************************************
' ********** hMailServer Triggers **********
' ******************************************************************************************************************************

Sub OnClientConnect(oClient)
   If (oClient.Port = 25) Then
'     Wait(20)
      EventLog.Write("IDS Check IPAddress: " & oClient.IPAddress)
      If IDSCheck(oClient.IPAddress) Then
         EventLog.Write("IDS AutoBan IPAddress: " & oClient.IPAddress)
         Call AutoBan(oClient.IPAddress, "IDS", 2, "d")
      End If
   End If
End Sub

' Sub OnHELO(oClient)
' End Sub

' ********** SPAM test: DNSBlackLists, HeloHost, MXRecords, SPF

Sub OnSMTPData(oClient, oMessage)
   If (oClient.Port = 25) Then
      EventLog.Write("IDS Delete IPAddress: " & oClient.IPAddress)
      IDSDelete(oClient.IPAddress)
   End If
End Sub

' ********** SPAM test: SURBL, DKIM, SpamAssassin

' Sub OnAcceptMessage(oClient, oMessage)
' End Sub

' ********** Saving EML to DATA

' Sub OnDeliveryStart(oMessage)
' End Sub

' ********** Antivirus check, Global rules

' Sub OnDeliverMessage(oMessage)
' End Sub

' ********** Local rules, Message delivered to recipient(s)

' Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
' End Sub

' Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
' End Sub

' Sub OnBackupFailed(sReason)
' End Sub

' Sub OnBackupCompleted()
' End Sub

' Sub OnError(iSeverity, iCode, sSource, sDescription)
' End Sub

' ******************************************************************************************************************************
' ********** hMailServer Rules **********
' ******************************************************************************************************************************
[/code]
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

Post by mattg » 2017-03-17 01:52

Does that assume that all incoming connections on port 25 are suspect connections?
What if you had one IP address that sent lots of legitimate mail to you in a short space of time?

Post by SorenR » 2017-03-17 02:33

[quote="mattg"]Does that assume that all incoming connections on port 25 are suspect connections?
What if you had one IP address that sent lots of legitimate mail to you in a short space of time?[/quote]
Well, the flow is as follows:

-> OnClientConnect -> Register IP Address/Update counter | If count > 3 = AutoBan for 2 days.
-> OnSMTPData -> Remove IP Address from register.

It is perfectly possible that a burst of mails from the same server may trigger an AutoBan, but that means that the script must register 4 connections BEFORE any SMTP data is sent. On my (slowish) server that is a timespan of MAX 2 seconds with 5 delivery threads.

Again, it's ALPHA code and I'll be adding in a timestamp for simple housekeeping later on - just in case ... The code should be "selfcleaning".

Minor update

[code]Function IDSCreate(Datafile)
   Dim oCat, oConn
   Set oCat = CreateObject("ADOX.Catalog")
   oCat.Create "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & DataFile
   Set oConn = CreateObject("ADODB.Connection")
   oConn.Open "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & DataFile
   oConn.Execute "CREATE TABLE ids(ID COUNTER,IPAddress TEXT(255),HitCount INTEGER)"
   oConn.Close
End Function

Function IDSCheck(IPAddress)
   Const FilePath = "C:\hMailServer\Temp\ids.mdb"       ' <==============
   Const OpenStatic = 3
   Const LockOptimistic = 3
   Const HitCount = 3                                   ' <==============

   Dim oConn, oRecord, strSQL, IsEOF
   Set oConn = CreateObject("ADODB.Connection")
   Set oRecord = CreateObject("ADODB.Recordset")

   ' Check if JET 4.0 DB exists
   On Error Resume Next
   oConn.Open "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & FilePath
   If Err.Number <> 0 Then
      IDSCreate(FilePath)
      oConn.Open "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & FilePath
   End If
   On Error Goto 0

   ' Check if connecting IPAddress is known
   strSQL = "SELECT * FROM ids WHERE IPAddress = '" & IPAddress & "'"
   oRecord.Open strSQL, oConn, OpenStatic, LockOptimistic
   IsEOF = oRecord.EOF
   oRecord.Close
   If IsEOF = 0 Then

      ' IPAddress is known - bump counter
      oConn.Execute "UPDATE ids SET HitCount = (HitCount + 1) WHERE IPAddress = '" & IPAddress & "'"
   Else

      ' IPAddress is NEW!
      oConn.Execute "INSERT INTO ids (IPAddress, HitCount) VALUES ('" & IPAddress & "'," & 1 & ")"
   End If
   IDSCheck = False

   ' Should we flag to kill connection and remove record?
   strSQL = "SELECT * FROM ids WHERE HitCount > " & HitCount & " AND IPAddress = '" & IPAddress & "'"
   oRecord.Open strSQL, oConn, OpenStatic, LockOptimistic
   IsEOF = oRecord.EOF
   oRecord.Close
   If IsEOF = 0 Then
      IDSCheck = True
      IDSDelete(IPAddress)
   End If
   oConn.Close
End Function

Function IDSDelete(IPAddress)
   Const FilePath = "C:\hMailServer\Temp\ids.mdb"       ' <==============
   Const OpenStatic = 3
   Const LockOptimistic = 3
   Dim oConn, oRecord, strSQL, IsEOF
   Set oConn = CreateObject("ADODB.Connection")
   oConn.Open "Provider = Microsoft.Jet.OLEDB.4.0; Data Source = " & FilePath
   oConn.Execute "DELETE * FROM ids WHERE IPAddress = '" & IPAddress & "'"
   oConn.Close
End Function
[/code]

Post by mattg » 2017-03-17 04:17

[quote="SorenR"]...that means that the script must register 4 connections BEFORE any SMTP data is sent. On my (slowish) server that is a timespan of MAX 2 seconds with 5 delivery threads.[/quote]
That's certainly reasonable I'd reckon

You could certainly increase the number of hits from 3 to say 10 if this was a suspected issue...

(I had missed the OnSMTPData bit)

Post by SorenR » 2017-03-17 19:46

[quote="jimimaseye"](The 3-line probing is continuing in vengeance though:)[/quote]
Thought you'd like to see this ...
[code]"SMTPD" 4072 415 "2017-03-17 17:04:39.211" "213.169.153.237" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4072 415 "2017-03-17 17:04:39.289" "213.169.153.237" "RECEIVED: EHLO buntine.mediadier.eu"
"SMTPD" 4072 415 "2017-03-17 17:04:39.289" "213.169.153.237" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4072 415 "2017-03-17 17:04:39.351" "213.169.153.237" "RECEIVED: QUIT"
"SMTPD" 4072 415 "2017-03-17 17:04:39.351" "213.169.153.237" "SENT: 221 goodbye"
"SMTPD" 4072 416 "2017-03-17 17:04:59.148" "213.169.153.237" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4072 416 "2017-03-17 17:04:59.227" "213.169.153.237" "RECEIVED: EHLO buntine.mediadier.eu"
"SMTPD" 4072 416 "2017-03-17 17:04:59.227" "213.169.153.237" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4072 416 "2017-03-17 17:04:59.305" "213.169.153.237" "RECEIVED: QUIT"
"SMTPD" 4072 416 "2017-03-17 17:04:59.305" "213.169.153.237" "SENT: 221 goodbye"
"SMTPD" 4072 417 "2017-03-17 17:05:43.164" "213.169.153.238" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4072 417 "2017-03-17 17:05:43.227" "213.169.153.238" "RECEIVED: EHLO extruct.mediadier.eu"
"SMTPD" 4072 417 "2017-03-17 17:05:43.227" "213.169.153.238" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4072 417 "2017-03-17 17:05:43.305" "213.169.153.238" "RECEIVED: QUIT"
"SMTPD" 4072 417 "2017-03-17 17:05:43.305" "213.169.153.238" "SENT: 221 goodbye"
"SMTPD" 4072 418 "2017-03-17 17:06:07.118" "213.169.153.238" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4072 418 "2017-03-17 17:06:07.196" "213.169.153.238" "RECEIVED: EHLO extruct.mediadier.eu"
"SMTPD" 4072 418 "2017-03-17 17:06:07.196" "213.169.153.238" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4072 418 "2017-03-17 17:06:07.258" "213.169.153.238" "RECEIVED: QUIT"
"SMTPD" 4072 418 "2017-03-17 17:06:07.258" "213.169.153.238" "SENT: 221 goodbye"
"SMTPD" 3976 419 "2017-03-17 17:06:07.149" "213.169.152.86" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 3976 419 "2017-03-17 17:06:07.211" "213.169.152.86" "RECEIVED: EHLO caffetannic.jackpotcity-danmark.com"
"SMTPD" 3976 419 "2017-03-17 17:06:07.227" "213.169.152.86" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 3976 419 "2017-03-17 17:06:07.289" "213.169.152.86" "RECEIVED: QUIT"
"SMTPD" 3976 419 "2017-03-17 17:06:07.289" "213.169.152.86" "SENT: 221 goodbye"
"SMTPD" 3976 420 "2017-03-17 17:06:27.165" "213.169.152.86" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 3976 420 "2017-03-17 17:06:27.243" "213.169.152.86" "RECEIVED: EHLO caffetannic.jackpotcity-danmark.com"
"SMTPD" 3976 420 "2017-03-17 17:06:27.258" "213.169.152.86" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 3976 420 "2017-03-17 17:06:27.336" "213.169.152.86" "RECEIVED: QUIT"
"SMTPD" 3976 420 "2017-03-17 17:06:27.336" "213.169.152.86" "SENT: 221 goodbye"
"SMTPD" 3976 421 "2017-03-17 17:14:15.246" "213.169.153.235" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 3976 421 "2017-03-17 17:14:15.308" "213.169.153.235" "RECEIVED: EHLO garrya.mediadier.eu"
"SMTPD" 3976 421 "2017-03-17 17:14:15.308" "213.169.153.235" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 3976 421 "2017-03-17 17:14:15.371" "213.169.153.235" "RECEIVED: QUIT"
"SMTPD" 3976 421 "2017-03-17 17:14:15.371" "213.169.153.235" "SENT: 221 goodbye"
"SMTPD" 3976 422 "2017-03-17 17:14:35.168" "213.169.153.235" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 3976 422 "2017-03-17 17:14:35.246" "213.169.153.235" "RECEIVED: EHLO garrya.mediadier.eu"
"SMTPD" 3976 422 "2017-03-17 17:14:35.246" "213.169.153.235" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 3976 422 "2017-03-17 17:14:35.324" "213.169.153.235" "RECEIVED: QUIT"
"SMTPD" 3976 422 "2017-03-17 17:14:35.324" "213.169.153.235" "SENT: 221 goodbye"
"SMTPD" 3976 423 "2017-03-17 17:15:19.231" "213.169.153.237" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 3976 423 "2017-03-17 17:15:19.293" "213.169.153.237" "RECEIVED: EHLO buntine.mediadier.eu"
"SMTPD" 3976 423 "2017-03-17 17:15:19.293" "213.169.153.237" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 3976 423 "2017-03-17 17:15:19.371" "213.169.153.237" "RECEIVED: QUIT"
"SMTPD" 3976 423 "2017-03-17 17:15:19.371" "213.169.153.237" "SENT: 221 goodbye"

"SMTPD" 3976 424 "2017-03-17 17:15:39.262" "213.169.153.237" "SENT: 220 mx.acme.inc ESMTP" <=====<<<<< BANNED !

"SMTPD" 3976 425 "2017-03-17 17:16:47.122" "213.169.153.238" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 3976 425 "2017-03-17 17:16:47.200" "213.169.153.238" "RECEIVED: EHLO extruct.mediadier.eu"
"SMTPD" 3976 425 "2017-03-17 17:16:47.200" "213.169.153.238" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 3976 425 "2017-03-17 17:16:47.278" "213.169.153.238" "RECEIVED: QUIT"
"SMTPD" 3976 425 "2017-03-17 17:16:47.278" "213.169.153.238" "SENT: 221 goodbye"
"SMTPD" 3412 426 "2017-03-17 17:16:47.153" "213.169.152.86" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 3412 426 "2017-03-17 17:16:47.215" "213.169.152.86" "RECEIVED: EHLO caffetannic.jackpotcity-danmark.com"
"SMTPD" 3412 426 "2017-03-17 17:16:47.215" "213.169.152.86" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 3412 426 "2017-03-17 17:16:47.294" "213.169.152.86" "RECEIVED: QUIT"
"SMTPD" 3412 426 "2017-03-17 17:16:47.294" "213.169.152.86" "SENT: 221 goodbye"

"SMTPD" 4084 427 "2017-03-17 17:17:07.216" "213.169.152.86" "SENT: 220 mx.acme.inc ESMTP" <=====<<<<< BANNED !

"SMTPD" 3412 428 "2017-03-17 17:17:07.247" "213.169.153.238" "SENT: 220 mx.acme.inc ESMTP" <=====<<<<< BANNED !

"SMTPD" 4084 445 "2017-03-17 17:24:55.140" "213.169.153.235" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4084 445 "2017-03-17 17:24:55.219" "213.169.153.235" "RECEIVED: EHLO garrya.mediadier.eu"
"SMTPD" 4084 445 "2017-03-17 17:24:55.219" "213.169.153.235" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4084 445 "2017-03-17 17:24:55.297" "213.169.153.235" "RECEIVED: QUIT"
"SMTPD" 4084 445 "2017-03-17 17:24:55.297" "213.169.153.235" "SENT: 221 goodbye"

"SMTPD" 4084 449 "2017-03-17 17:25:15.203" "213.169.153.235" "SENT: 220 mx.acme.inc ESMTP" <=====<<<<< BANNED !
[/code]

Post by jimimaseye » 2017-03-17 20:01

Demonstrating the effectiveness of your IDS system, right?

Presumably even though banned they still connect and you send a "SENT: 220 mx.acme.inc ESMTP" to them before halting the comms?

Post by SorenR » 2017-03-17 20:20

[quote="jimimaseye"]Demonstrating the effectiveness of your IDS system, right?

Presumably even though banned they still connect and you send a "SENT: 220 mx.acme.inc ESMTP" to them before halting the comms?[/quote]
The single line (with the arrow) was the one that triggered the ban...

This is my IP Range list with the banned entries.
Attachments
IDS-Ban.jpg

Post by jimimaseye » 2017-03-17 20:25

Looks good. If you can 'generalise' the script (tailor it for all types of databases) then we could make a comprehensive HOW TO guide and add it to the virtual "Additional recommended AntiSpam Features by Scripting" chapter in the forum (along with the 20 second delay, the autowhitelisting, and the GEO-LOCATION blocking).

Post by SorenR » 2017-03-17 21:31

[quote="jimimaseye"]Looks good. If you can 'generalise' the script (tailor it for all types of databases) then we could make a comprehensive HOW TO guide and add it to the virtual "Additional recommended AntiSpam Features by Scripting" chapter in the forum (along with the 20 second delay, the autowhitelisting, and the GEO-LOCATION blocking).[/quote]
This version is using Jet 4.0 (Access DB), the final version will be using SQLite - I think... For simplicity.

Anyways... I'll let it run for a few days to see if anything crops up.

Post by jimimaseye » 2017-03-17 21:34

[quote="SorenR"]This version is using Jet 4.0 (Access DB), the final version will be using SQLite - I think... For simplicity.

Anyways... I'll let it run for a few days to see if anything crops up.[/quote]
Why not try to just incorporate it in to the existing hmailserver database in use (creating an extra table)? This script from martin: viewtopic.php?f=20&t=13890 does exactly that (perhaps you can get pointers from that script).

Post by SorenR » 2017-03-17 22:33

[quote="jimimaseye"][quote="SorenR"]This version is using Jet 4.0 (Access DB), the final version will be using SQLite - I think... For simplicity.

Anyways... I'll let it run for a few days to see if anything crops up.[/quote]
Why not try to just incorporate it in to the existing hmailserver database in use (creating an extra table)? This script from martin: viewtopic.php?f=20&t=13890 does exactly that (perhaps you can get pointers from that script).[/quote]
I know the script. The object ExecuteSQLWithReturn can only return the uniqueID of the record so it's useless for this purpose.

The idea is to use something lightweight and if it breaks it does not damage the existing database.

Post by SorenR » 2017-03-17 23:00

I know Sqlite2X is more than 10 years old but I like the simplicity...

http://dimzon541.narod.ru/sqlitex/

[code]dim sql,i, r
set sql=CreateObject("SqLite2X.SqLiteConnection")
sql.ConnectToDb("c:\testdb.db")

'for i=0 to 10000
'   sql.ExecSqlStatement("insert into x(a,b) values(" & i & ",'ax" & i & "')" )
'next

'sql.ExecSqlStatement("create table x(a,b)")
'sql.ExecSqlStatement("select * from x" )

set r = sql.ExecSqlQuery("select a,b, 'a;c' as sss, datetime('now') from x where a=111" )

'msgbox typeName(r)

msgbox r.GetCSV(false)
[/code]

Post by jimimaseye » 2017-03-17 23:06

I thought there was an execute statement in the database object that simply applies the desired sql command. (I'm out right now so can't look at the object or test).

Post by SorenR » 2017-03-17 23:17

[quote="jimimaseye"]I thought there was an execute statement in the database object that simply applies the desired sql command. (I'm out right now so can't look at the object or test).[/quote]
There is... The showstopper is that it cannot extract a value from a query, only the ID (index pointer) of the row in the table.

Post by jimimaseye » 2017-03-17 23:20

Ah. Bummer.

Post by SorenR » 2017-03-25 00:42

[quote="jimimaseye"]Ah. Bummer.[/quote]
Are you still being hammered by rogue servers ??

I have the SQLite version ready. I must say ... SQLite is brilliant ! :mrgreen:

- 3 connection attempts within (maximum) 90 minutes without actually sending an email and the 4th attempt will result in banning.
- A registration is only valid for 30 minutes unless updated by a new connection.
- If a connection results in an email delivery, the registration is deleted.
- Registrations older than 1 hour are deleted automatically whenever there is something to delete.
- If the SQLite database is missing the script will create a new one.

The SQLite database has 'ipaddress' with a UNIQUE constraint, and by using 'INSERT OR IGNORE INTO ids' followed by an 'UPDATE ids WHERE' statement the script caters for multiple concurrent connections from the same source.


[code]Option Explicit

' ******************************************************************************************************************************
' ********** Settings **********
' ******************************************************************************************************************************

' SQLite3 driver and tools to be installed:
'
' sqliteodbc.exe or sqliteodbc_w64.exe from http://www.ch-werner.de/sqliteodbc/
' sqlitestudio-3.1.1.zip from https://sqlitestudio.pl/index.rvt?act=download
'

' COM authentication
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "Secret" ' <=========<<<<<

' ******************************************************************************************************************************
' ********** General Functions **********
' ******************************************************************************************************************************

Function Wait(sec)
   With CreateObject("WScript.Shell")
      .Run "timeout /T " & Int(sec), 0, True
'     .Run "sleep -m " & Int(sec * 1000), 0, True
'     .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
   End With
End Function

Function LockFile(strPath)
   Const Append = 8
   Const Unicode = -1
   With CreateObject("Scripting.FileSystemObject")
      Dim oFile, i
      For i = 0 To 30
         On Error Resume Next
         Set oFile = .OpenTextFile(strPath, Append, True, Unicode)
         If (Not Err.Number = 70) Then
            Set LockFile = oFile
            On Error Goto 0
            Exit For
         End If
         On Error Goto 0
         Wait(1)
      Next
   End With
   Set oFile = Nothing
   If (Err.Number = 70) Then
      EventLog.Write("ERROR: EventHandlers.vbs")
      EventLog.Write("File " & strPath & " is locked and timeout was exceeded.")
      Err.Clear
   ElseIf (Err.Number <> 0) Then
      EventLog.Write("ERROR: EventHandlers.vbs : Function LockFile")
      EventLog.Write("Error : " & Err.Number)
      EventLog.Write("Error (hex) : 0x" & Hex(Err.Number))
      EventLog.Write("Source : " & Err.Source)
      EventLog.Write("Description : " & Err.Description)
      Err.Clear
   End If
End Function

' ******************************************************************************************************************************
' ********** Subroutines **********
' ******************************************************************************************************************************

' FUNCTION: Add IPAddresses to Ban list.
' PARAMETERS: sIPAddress = IPAddress of server to ban.
' sReason = Reason for banning server - will show in hMailServer GUI (IP Ranges).
' iDuration = Duration of ban as specified by sType.
' sType = "yyyy" Year | "m" Month | "d" Day | "h" Hour | "n" Minute | "s" Second
'
' e.g. Ban spammer for 6 months for sending false marriage proposals.
' --> AutoBan(123.456.789, "Sending marriage proposals", 6, "m") <--

Sub AutoBan(sIPAddress, sReason, iDuration, sType)
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   ' FileSystemObject does not expand %tmp% by itself, so expand it before opening the lock file.
   With LockFile(CreateObject("WScript.Shell").ExpandEnvironmentStrings("%tmp%\autoban.lck"))
      On Error Resume Next
      oApp.Settings.SecurityRanges.Refresh
      If (oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing) Then
         With oApp.Settings.SecurityRanges.Add
            ' The name must match the ItemByName lookup above, hence sIPAddress.
            .Name = "(" & sReason & ") " & sIPAddress
            .LowerIP = sIPAddress
            .UpperIP = sIPAddress
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd(sType, iDuration, Now())
            .Save
         End With
      End If
      On Error Goto 0
      .Close
   End With
End Sub

' ******************************************************************************************************************************
' ********** hMailServer IDS Code **********
' ******************************************************************************************************************************

' FUNCTION: Monitor SMTP connections in order to identify and ban resource hogs.
' CONSTANTS: sDBFile  = Path-to and filename-of SQLite Database.
'            iHits    = Number of occurrences before banning the IPAddress.
'            tMinutes = Minutes since last update of record before discarding record.
'            iVerbose = 0 - silent, 1 - verbose, 2 - debug

Const sDBFile = "C:\hMailServer\Temp\ids.db3" ' <=========<<<<<
Const iHits = 3 ' <=========<<<<<
Const tMinutes = 30 ' <=========<<<<<
Const iVerbose = 1 ' <=========<<<<<

Function IDSCreateDB(sDB)
   Dim oConn
   If iVerbose > 0 Then EventLog.Write("IDS :: Create database " & sDB)
   Set oConn = CreateObject("ADODB.Connection")
   oConn.Open "DRIVER={SQLite3 ODBC Driver};Database="& sDB & ";LongNames=0;Timeout=1000;NoTXN=0;SyncPragma=NORMAL;StepAPI=0;"
   If iVerbose > 0 Then EventLog.Write("IDS :: Create table 'ids'")
   oConn.Execute "CREATE TABLE ids (" &_
                 "id INTEGER PRIMARY KEY AUTOINCREMENT," &_
                 "timestamp DATETIME," &_
                 "ipaddress VARCHAR (192) UNIQUE," &_
                 "hits INTEGER" &_
                 ");"
End Function

Function IDSDelete(sIPAddress)
   Dim oConn, oRecord
   Set oConn = CreateObject("ADODB.Connection")
   oConn.Open "DRIVER={SQLite3 ODBC Driver};Database="& sDBFile & ";LongNames=0;Timeout=1000;NoTXN=0;SyncPragma=NORMAL;StepAPI=0;"
   If iVerbose > 0 Then EventLog.Write("IDS :: " & sIPAddress & " :: Delete Record")
   oConn.Execute "DELETE FROM ids WHERE ipaddress = '" & sIPAddress & "';"
   oConn.Execute "DELETE FROM ids WHERE timestamp < DATETIME('NOW','-1 HOUR','LOCALTIME');"
End Function

Function IDSCheck(sIPAddress)
   Dim oConn, oRecord
   Set oConn = CreateObject("ADODB.Connection")
   oConn.Open "DRIVER={SQLite3 ODBC Driver};Database="& sDBFile & ";LongNames=0;Timeout=1000;NoTXN=0;SyncPragma=NORMAL;StepAPI=0;"
   IDSCheck = False
   If iVerbose > 0 Then EventLog.Write("IDS :: " & sIPAddress & " :: Check IPAddress")
   On Error Resume Next
   Set oRecord = oConn.Execute("SELECT * FROM ids WHERE ipaddress='" & sIPAddress & "';")
   If (Err.Number = 0) Then
      If iVerbose > 1 Then EventLog.Write("IDS :: " & sIPAddress & " :: DEBUG :: 'SELECT * ...' Err.Number " & Err.Number)
      If iVerbose > 1 Then EventLog.Write("IDS :: " & sIPAddress & " :: DEBUG :: 'SELECT * ...' oRecord.EOF " & oRecord.EOF)
      If Not oRecord.EOF Then
         On Error Goto 0
         If iVerbose > 1 Then EventLog.Write("IDS :: " & sIPAddress & " :: DEBUG :: Timestamp " & oRecord("timestamp"))
         If iVerbose > 1 Then EventLog.Write("IDS :: " & sIPAddress & " :: DEBUG :: Hits " & oRecord("hits"))
         If (oRecord("hits") > iHits) Then
            IDSDelete(sIPAddress)
            IDSCheck = True
         Else
            If (DateDiff("n", oRecord("timestamp"), Now()) > tMinutes) Then
               ' IPAddress is known - but too old
               If iVerbose > 0 Then EventLog.Write("IDS :: " & sIPAddress & " :: Old Record, Reset")
               oConn.Execute "UPDATE ids SET hits=1,timestamp=DATETIME('NOW','LOCALTIME') WHERE IPAddress='" & sIPAddress & "';"
            Else
               ' IPAddress is known - bump counter
               If iVerbose > 0 Then EventLog.Write("IDS :: " & sIPAddress & " :: Increment Hits")
               oConn.Execute "UPDATE ids SET hits=(hits+1),timestamp=DATETIME('NOW','LOCALTIME') WHERE IPAddress='" & sIPAddress & "';"
            End If
         End If
         oRecord.Close
      Else
         On Error Goto 0
         ' IPAddress is NEW!
         If iVerbose > 0 Then EventLog.Write("IDS :: " & sIPAddress & " :: New Record")
         ' FYI: Small trick to bypass error from UNIQUE constraint on IPAddress. Needed to compensate for multiple concurrent connects.
         oConn.Execute "INSERT OR IGNORE INTO ids (timestamp,ipaddress,hits) VALUES (DATETIME('NOW','LOCALTIME'),'" & sIPAddress & "'," & 0 & ");"
         oConn.Execute "UPDATE ids SET hits=(hits+1),timestamp=DATETIME('NOW','LOCALTIME') WHERE IPAddress='" & sIPAddress & "';"
      End If
      On Error Goto 0
   Else
      On Error Goto 0
      ' OOPS No database !
      IDSCreateDB(sDBFile)
   End If
   oConn.Close
End Function

' ******************************************************************************************************************************
' ********** hMailServer Triggers **********
' ******************************************************************************************************************************

Sub OnClientConnect(oClient)
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   If (oClient.Port = 25) Then
      Wait(20)
      EventLog.Write("IDS Check IPAddress: " & oClient.IPAddress)
      If IDSCheck(oClient.IPAddress) Then
         ' The constant is iVerbose; "Verbose" is undefined under Option Explicit.
         If iVerbose > 0 Then EventLog.Write("IDS :: " & oClient.IPAddress & " :: AutoBan Server")
         Call AutoBan(oClient.IPAddress, "IDS", 2, "d")
      End If
   End If
End Sub

' Sub OnHELO(oClient)
' End Sub

' ********** SPAM test: DNSBlackLists, HeloHost, MXRecords, SPF

Sub OnSMTPData(oClient, oMessage)
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   If (oClient.Port = 25) Then
      IDSDelete(oClient.IPAddress)
   End If
End Sub

' ********** SPAM test: SURBL, DKIM, SpamAssassin

' Sub OnAcceptMessage(oClient, oMessage)
' End Sub

' ********** Saving EML to DATA

' Sub OnDeliveryStart(oMessage)
' End Sub

' ********** Antivirus check, Global rules

' Sub OnDeliverMessage(oMessage)
' End Sub

' ********** Local rules, Message delivered to recipient(s)

' Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
' End Sub

' Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
' End Sub

' Sub OnBackupFailed(sReason)
' End Sub

' Sub OnBackupCompleted()
' End Sub

' Sub OnError(iSeverity, iCode, sSource, sDescription)
' End Sub

' ******************************************************************************************************************************
' ********** hMailServer Rules **********
' ******************************************************************************************************************************
[/code]

Disclaimer

All of the scripts, languages, programs, links and content in this post are for self help only. They are not intended to diagnose or cure any problem you might have. What you do to your computer(s), server(s), and VMs is not my fault. I merely am here to show you what I have done in the past and what has worked for me. Everything in this post is for academic purposes only and is not intended to make your life easier. If, by some chance, you ruin something while doing anything in my post, it’s 100% your fault for doing it in the first place and I cannot and will not be held responsible for any trouble you might have.

Any names, places, addresses, or anything else listed in any type of file in this post or any of my posts on this site in general are 100% coincidental and they mean absolutely no offense. Also, this post and all of its opinions and information are not endorsed by anybody and they do not reflect the opinion of my employer.

I am 100% an independent writer / blogger / instructor. I don’t represent anyone or anything except myself and the products that I recommend in here are awesome because I think they are awesome and that’s about it. If you don’t think they are awesome, it’s not my fault. Most of the stuff I recommend is free, and if it’s not free it probably has some type of trial available (which if it does, I suggest you try it first).

Just because I am a proponent of Open Source / GNU software doesn’t mean that I deny non-free software. If you are one of those “Open Source Only or Die” people, I am sorry, but my feeling is that to deny non-free software is like denying that rated R movies exist to a 16 year old.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
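The counting rules listed in the post above (ban on the 4th attempt, 30-minute validity, deletion on delivery, 1-hour purge, and 'INSERT OR IGNORE' followed by 'UPDATE'), replayed over connection lines from this thread, as an added Python example that is not part of the original post or SorenR's script. The function names are assumptions, the 192.0.2.10 lines are constructed, a `RECEIVED: DATA` line stands in for the OnSMTPData trigger, and the queries are parameterized instead of concatenated.

```python
import re
import sqlite3
from datetime import datetime, timedelta

HITS = 3            # attempts tolerated; the next one is banned (iHits in the post)
VALID_MINUTES = 30  # a registration lapses unless refreshed (tMinutes in the post)
PURGE_MINUTES = 60  # registrations older than this are purged
FMT = "%Y-%m-%d %H:%M:%S"  # fixed-width text, so string order equals time order

# Field layout taken from the log lines quoted in this thread.
LINE = re.compile(r'^"SMTPD"\s+\d+\s+\d+\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]*)"$')

# The 62.172.145.50 lines are copied from the thread; the 192.0.2.10 lines are constructed.
SAMPLE_LOG = """\
"SMTPD" 3332 759 "2017-03-24 00:00:33.168" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 760 "2017-03-24 00:05:00.000" "192.0.2.10" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 760 "2017-03-24 00:05:01.000" "192.0.2.10" "RECEIVED: DATA"
"SMTPD" 3332 788 "2017-03-24 00:09:55.112" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 816 "2017-03-24 00:19:19.146" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 843 "2017-03-24 00:28:43.165" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 875 "2017-03-24 00:38:08.183" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"""


def open_db(path=":memory:"):
    """Open the registration store, creating the table when it is missing."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS ids ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, timestamp TEXT, "
        "ipaddress TEXT UNIQUE, hits INTEGER)"
    )
    return conn


def forget(conn, ip, now):
    """Drop the registration for ip and purge registrations older than 1 hour."""
    cutoff = (now - timedelta(minutes=PURGE_MINUTES)).strftime(FMT)
    with conn:
        conn.execute("DELETE FROM ids WHERE ipaddress = ?", (ip,))
        conn.execute("DELETE FROM ids WHERE timestamp < ?", (cutoff,))


def on_connect(conn, ip, now):
    """Register one connection from ip; return True when it should be banned."""
    stamp = now.strftime(FMT)
    lapsed = (now - timedelta(minutes=VALID_MINUTES)).strftime(FMT)
    with conn:
        # The UNIQUE constraint makes a duplicate insert a no-op, so two
        # concurrent connections from one source cannot create two rows.
        conn.execute(
            "INSERT OR IGNORE INTO ids (timestamp, ipaddress, hits) VALUES (?, ?, 0)",
            (stamp, ip),
        )
        # One UPDATE either restarts a lapsed registration or bumps the counter;
        # the CASE sees the row's previous timestamp.
        conn.execute(
            "UPDATE ids SET hits = CASE WHEN timestamp < ? THEN 1 ELSE hits + 1 END, "
            "timestamp = ? WHERE ipaddress = ?",
            (lapsed, stamp, ip),
        )
    hits = conn.execute(
        "SELECT hits FROM ids WHERE ipaddress = ?", (ip,)
    ).fetchone()[0]
    if hits > HITS:
        forget(conn, ip, now)
        return True
    return False


def replay(conn, log_text):
    """Feed SMTPD log lines through the rules; return [(timestamp, ip)] bans."""
    bans = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        ip, text = m.group(2), m.group(3)
        if text.startswith("SENT: 220 "):      # greeting banner = new connection
            if on_connect(conn, ip, when):
                bans.append((when.strftime(FMT), ip))
        elif text == "RECEIVED: DATA":         # sender went on to deliver mail
            forget(conn, ip, when)
    return bans


if __name__ == "__main__":
    for when, ip in replay(open_db(), SAMPLE_LOG):
        print(f"{when}  ban {ip}")
```

After the ban the registration is deleted, so the 00:38:08 connection starts a fresh count; in the script the IP range added by AutoBan is what keeps that connection out.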

jimimaseye
Moderator
Posts: 7766
Joined: 2011-09-08 17:48

Re: Spam attacks? Do you think you are hard done to?

Post by jimimaseye » 2017-03-25 00:49

SorenR wrote: Are you still being hammered by rogue servers ??
You mean like this:
"SMTPD" 3332 759 "2017-03-24 00:00:33.168" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 788 "2017-03-24 00:09:55.112" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 816 "2017-03-24 00:19:19.146" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 843 "2017-03-24 00:28:43.165" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 875 "2017-03-24 00:38:08.183" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 903 "2017-03-24 00:47:30.143" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 928 "2017-03-24 00:56:56.205" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 959 "2017-03-24 01:06:25.124" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 982 "2017-03-24 01:15:52.216" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1024 "2017-03-24 01:25:17.187" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1044 "2017-03-24 01:34:45.215" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1072 "2017-03-24 01:44:15.147" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1101 "2017-03-24 01:53:41.209" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1134 "2017-03-24 01:55:54.153" "59.60.28.232" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1139 "2017-03-24 02:03:09.186" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1163 "2017-03-24 02:12:36.200" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1185 "2017-03-24 02:22:04.182" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1218 "2017-03-24 02:31:30.166" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1246 "2017-03-24 02:41:00.160" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1276 "2017-03-24 02:50:36.191" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1318 "2017-03-24 03:00:04.141" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1335 "2017-03-24 03:09:32.120" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1364 "2017-03-24 03:19:00.195" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1394 "2017-03-24 03:28:28.208" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1421 "2017-03-24 03:37:52.133" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1450 "2017-03-24 03:47:19.132" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1477 "2017-03-24 03:56:44.134" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1504 "2017-03-24 04:06:13.143" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1535 "2017-03-24 04:15:40.157" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1564 "2017-03-24 04:25:07.218" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1607 "2017-03-24 04:34:35.199" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1623 "2017-03-24 04:35:03.139" "59.60.28.232" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1627 "2017-03-24 04:44:05.209" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1656 "2017-03-24 04:53:33.159" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1685 "2017-03-24 05:03:00.181" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1710 "2017-03-24 05:12:26.166" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1741 "2017-03-24 05:21:54.147" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 4944 1789 "2017-03-24 05:28:02.199" "177.11.51.69" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1770 "2017-03-24 05:28:02.199" "177.11.51.69" "SENT: 220 Ourmail SMTP"
"SMTPD" 3088 1770 "2017-03-24 05:28:02.433" "177.11.51.69" "RECEIVED: EHLO mail.mydomain.net"
"SMTPD" 3088 1770 "2017-03-24 05:28:02.433" "177.11.51.69" "SENT: 250-mydomain.net[nl]250-SIZE 26214000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2244 1789 "2017-03-24 05:28:02.448" "177.11.51.69" "RECEIVED: EHLO mail.mydomain.net"
"SMTPD" 2244 1789 "2017-03-24 05:28:02.448" "177.11.51.69" "SENT: 250-mydomain.net[nl]250-SIZE 26214000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 4664 1770 "2017-03-24 05:28:02.667" "177.11.51.69" "RECEIVED: RSET"
"SMTPD" 4664 1770 "2017-03-24 05:28:02.667" "177.11.51.69" "SENT: 250 OK"
"SMTPD" 3332 1789 "2017-03-24 05:28:02.698" "177.11.51.69" "RECEIVED: RSET"
"SMTPD" 3332 1789 "2017-03-24 05:28:02.698" "177.11.51.69" "SENT: 250 OK"
"SMTPD" 2244 1770 "2017-03-24 05:28:02.916" "177.11.51.69" "RECEIVED: MAIL FROM:<oiklzopid@mydomain.net>"
"SMTPD" 4944 1789 "2017-03-24 05:28:02.947" "177.11.51.69" "RECEIVED: MAIL FROM:<hhaewoxv@gmail.net>"
"SMTPD" 4944 1789 "2017-03-24 05:28:07.596" "177.11.51.69" "SENT: 550 Rejected by cbl.abuseat.org"
"APPLICATION" 4944 "2017-03-24 05:28:07.596" "hMailServer SpamProtection rejected RCPT (Sender: hhaewoxv@gmail.net, IP:177.11.51.69, Reason: Rejected by cbl.abuseat.org)"
"SMTPD" 2244 1770 "2017-03-24 05:28:07.596" "177.11.51.69" "SENT: 550 Rejected by cbl.abuseat.org"
"APPLICATION" 2244 "2017-03-24 05:28:07.596" "hMailServer SpamProtection rejected RCPT (Sender: oiklzopid@mydomain.net, IP:177.11.51.69, Reason: Rejected by cbl.abuseat.org)"
"SMTPD" 4824 1770 "2017-03-24 05:28:07.830" "177.11.51.69" "RECEIVED: RCPT TO:<star.pop3@yahoo.net.br>"
"SMTPD" 4824 1770 "2017-03-24 05:28:07.830" "177.11.51.69" "SENT: 503 must have sender first."
"SMTPD" 4664 1789 "2017-03-24 05:28:07.846" "177.11.51.69" "RECEIVED: RCPT TO:<star.pop3@yahoo.net.br>"
"SMTPD" 4664 1789 "2017-03-24 05:28:07.846" "177.11.51.69" "SENT: 503 must have sender first."
"SMTPD" 2244 1770 "2017-03-24 05:28:08.064" "177.11.51.69" "RECEIVED: MAIL FROM:<oiklzopid@mydomain.net>"
"SMTPD" 2244 1770 "2017-03-24 05:28:08.080" "177.11.51.69" "SENT: 550 Rejected by cbl.abuseat.org"
"APPLICATION" 2244 "2017-03-24 05:28:08.080" "hMailServer SpamProtection rejected RCPT (Sender: oiklzopid@mydomain.net, IP:177.11.51.69, Reason: Rejected by cbl.abuseat.org)"
"SMTPD" 3332 1789 "2017-03-24 05:28:08.095" "177.11.51.69" "RECEIVED: MAIL FROM:<hhaewoxv@gmail.net>"
"SMTPD" 3332 1789 "2017-03-24 05:28:08.095" "177.11.51.69" "SENT: 550 Rejected by hostkarma"
"APPLICATION" 3332 "2017-03-24 05:28:08.095" "hMailServer SpamProtection rejected RCPT (Sender: hhaewoxv@gmail.net, IP:177.11.51.69, Reason: Rejected by hostkarma)"
"SMTPD" 4944 1770 "2017-03-24 05:28:08.329" "177.11.51.69" "RECEIVED: RCPT TO:<star.pop3@hotmail.net>"
"SMTPD" 4944 1770 "2017-03-24 05:28:08.329" "177.11.51.69" "SENT: 503 must have sender first."
"SMTPD" 4664 1789 "2017-03-24 05:28:08.345" "177.11.51.69" "RECEIVED: RCPT TO:<star.pop3@hotmail.net>"
"SMTPD" 4664 1789 "2017-03-24 05:28:08.345" "177.11.51.69" "SENT: 503 must have sender first."
"SMTPD" 4824 1770 "2017-03-24 05:28:08.563" "177.11.51.69" "RECEIVED: MAIL FROM:<oiklzopid@mydomain.net>"
"SMTPD" 4824 1770 "2017-03-24 05:28:08.563" "177.11.51.69" "SENT: 550 Rejected by cbl.abuseat.org"
"APPLICATION" 4824 "2017-03-24 05:28:08.563" "hMailServer SpamProtection rejected RCPT (Sender: oiklzopid@mydomain.net, IP:177.11.51.69, Reason: Rejected by cbl.abuseat.org)"
"SMTPD" 2244 1789 "2017-03-24 05:28:08.595" "177.11.51.69" "RECEIVED: MAIL FROM:<hhaewoxv@gmail.net>"
"SMTPD" 2244 1789 "2017-03-24 05:28:08.595" "177.11.51.69" "SENT: 550 Rejected by hostkarma"
"APPLICATION" 2244 "2017-03-24 05:28:08.595" "hMailServer SpamProtection rejected RCPT (Sender: hhaewoxv@gmail.net, IP:177.11.51.69, Reason: Rejected by hostkarma)"
"SMTPD" 3332 1770 "2017-03-24 05:28:08.797" "177.11.51.69" "RECEIVED: RCPT TO:<magic.teste2@bol.net.br>"
"SMTPD" 3332 1770 "2017-03-24 05:28:08.797" "177.11.51.69" "SENT: 503 must have sender first."
"SMTPD" 4824 1789 "2017-03-24 05:28:08.844" "177.11.51.69" "RECEIVED: RCPT TO:<magic.teste2@bol.net.br>"
"SMTPD" 4824 1789 "2017-03-24 05:28:08.844" "177.11.51.69" "SENT: 503 must have sender first."
"SMTPD" 2244 1791 "2017-03-24 05:28:41.152" "177.11.51.69" "SENT: 220 Ourmail SMTP"
"SMTPD" 4944 1790 "2017-03-24 05:28:41.152" "177.11.51.69" "SENT: 220 Ourmail SMTP"
"SMTPD" 2244 1792 "2017-03-24 05:31:22.207" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 2244 1802 "2017-03-24 05:40:51.124" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 2244 1831 "2017-03-24 05:50:18.138" "62.172.145.50" "SENT: 220 Ourmail SMTP"
.
.
.
That'll be yes then. (Only they're not even attempting to respond with HELO now).

mattg
Moderator
Posts: 19460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam attacks? Do you think you are hard done to?

Post by mattg » 2017-03-25 01:04

SorenR wrote:Disclaimer

All of the scripts, languages, programs, links and content in this post are for self help only. They are not intended to diagnose or cure any problem you might have. What you do to your computer(s), server(s), and VMs is not my fault. I merely am here to show you what I have done in the past and what has worked for me. Everything in this post is for academic purposes only and is not intended to make your life easier. If, by some chance, you ruin something while doing anything in my post, it’s 100% your fault for doing it in the first place and I cannot and will not be held responsible for any trouble you might have.

Any names, places, addresses, or anything else listed in any type of file in this post or any of my posts on this site in general are 100% coincidental and they mean absolutely no offense. Also, this post and all of its opinions and information are not endorsed by anybody and they do not reflect the opinion of my employer.

I am 100% an independent writer / blogger / instructor. I don’t represent anyone or anything except myself and the products that I recommend in here are awesome because I think they are awesome and that’s about it. If you don’t think they are awesome, it’s not my fault. Most of the stuff I recommend is free, and if it’s not free it probably has some type of trial available (which if it does, I suggest you try it first).

Just because I am a proponent of Open Source / GNU software doesn’t mean that I deny non-free software. If you are one of those “Open Source Only or Die” people, I am sorry, but my feeling is that to deny non-free software is like denying that rated R movies exist to a 16 year old.
Effing Awesome mate. :mrgreen: :mrgreen: :mrgreen:
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-03-25 01:06

jimimaseye wrote:
SorenR wrote: Are you still being hammered by rogue servers ??
You mean like this:
"SMTPD" 3332 759 "2017-03-24 00:00:33.168" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 788 "2017-03-24 00:09:55.112" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 816 "2017-03-24 00:19:19.146" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 843 "2017-03-24 00:28:43.165" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 875 "2017-03-24 00:38:08.183" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 903 "2017-03-24 00:47:30.143" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 928 "2017-03-24 00:56:56.205" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 959 "2017-03-24 01:06:25.124" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 982 "2017-03-24 01:15:52.216" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1024 "2017-03-24 01:25:17.187" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1044 "2017-03-24 01:34:45.215" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1072 "2017-03-24 01:44:15.147" "62.172.145.50" "SENT: 220 Ourmail SMTP"
"SMTPD" 3332 1101 "2017-03-24 01:53:41.209" "62.172.145.50" "SENT: 220 Ourmail SMTP"
.
.
.
That'll be yes then. (Only they're not even attempting to respond with HELO now).
Ah yes... The HELO disappeared with the 20 second wait... :oops:

Have a look at the script, it should kill the rest of them.

I took the script offline last night and cleared my ban list... This is with the 20 second delay in place - some of them are just that more persistent.

[code]"SMTPD" 1192 1 "2017-03-24 00:01:08.368" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 1 "2017-03-24 00:01:08.431" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 1192 1 "2017-03-24 00:01:08.431" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 1 "2017-03-24 00:01:08.493" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 1192 1 "2017-03-24 00:01:08.493" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 1192 2 "2017-03-24 00:01:28.118" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 2916 2 "2017-03-24 00:01:28.196" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 2916 2 "2017-03-24 00:01:28.196" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 2916 2 "2017-03-24 00:01:28.259" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 2916 2 "2017-03-24 00:01:28.259" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 1192 3 "2017-03-24 00:07:34.199" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 3 "2017-03-24 00:07:34.261" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 1192 3 "2017-03-24 00:07:34.261" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 3 "2017-03-24 00:07:34.324" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 1192 3 "2017-03-24 00:07:34.324" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 1192 4 "2017-03-24 00:07:54.199" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 4 "2017-03-24 00:07:54.261" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 1192 4 "2017-03-24 00:07:54.277" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 4 "2017-03-24 00:07:54.324" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 1192 4 "2017-03-24 00:07:54.324" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 1192 5 "2017-03-24 00:08:44.215" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 5 "2017-03-24 00:08:44.277" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 1192 5 "2017-03-24 00:08:44.277" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 5 "2017-03-24 00:08:44.340" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 1192 5 "2017-03-24 00:08:44.340" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 1192 6 "2017-03-24 00:09:04.184" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 6 "2017-03-24 00:09:04.262" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 1192 6 "2017-03-24 00:09:04.262" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 6 "2017-03-24 00:09:04.324" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 1192 6 "2017-03-24 00:09:04.324" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 1192 7 "2017-03-24 00:11:48.216" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 7 "2017-03-24 00:11:48.263" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 1192 7 "2017-03-24 00:11:48.279" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 7 "2017-03-24 00:11:48.325" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 1192 7 "2017-03-24 00:11:48.325" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 1192 8 "2017-03-24 00:12:08.122" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 8 "2017-03-24 00:12:08.185" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 1192 8 "2017-03-24 00:12:08.201" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 8 "2017-03-24 00:12:08.263" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 1192 8 "2017-03-24 00:12:08.263" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 1192 9 "2017-03-24 00:18:14.125" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 9 "2017-03-24 00:18:14.218" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 1192 9 "2017-03-24 00:18:14.234" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 9 "2017-03-24 00:18:14.312" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 1192 9 "2017-03-24 00:18:14.312" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 1192 10 "2017-03-24 00:18:34.172" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 10 "2017-03-24 00:18:34.234" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 1192 10 "2017-03-24 00:18:34.250" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 10 "2017-03-24 00:18:34.312" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 1192 10 "2017-03-24 00:18:34.312" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 1192 11 "2017-03-24 00:19:25.156" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 11 "2017-03-24 00:19:25.219" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 1192 11 "2017-03-24 00:19:25.219" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 11 "2017-03-24 00:19:25.281" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 1192 11 "2017-03-24 00:19:25.281" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 1192 12 "2017-03-24 00:19:45.172" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 12 "2017-03-24 00:19:45.266" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 1192 12 "2017-03-24 00:19:45.282" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 12 "2017-03-24 00:19:45.375" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 1192 12 "2017-03-24 00:19:45.375" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 1192 13 "2017-03-24 00:22:28.173" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 13 "2017-03-24 00:22:28.236" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 1192 13 "2017-03-24 00:22:28.251" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 13 "2017-03-24 00:22:28.298" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 1192 13 "2017-03-24 00:22:28.298" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 1192 14 "2017-03-24 00:22:52.127" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 1192 14 "2017-03-24 00:22:52.189" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 1192 14 "2017-03-24 00:22:52.189" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 1192 14 "2017-03-24 00:22:52.252" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 1192 14 "2017-03-24 00:22:52.252" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 17 "2017-03-24 00:28:54.113" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 17 "2017-03-24 00:28:54.176" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 4076 17 "2017-03-24 00:28:54.191" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 17 "2017-03-24 00:28:54.238" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 4076 17 "2017-03-24 00:28:54.238" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 4076 18 "2017-03-24 00:29:14.129" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 18 "2017-03-24 00:29:14.191" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 4076 18 "2017-03-24 00:29:14.207" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 18 "2017-03-24 00:29:14.270" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 4076 18 "2017-03-24 00:29:14.270" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 4076 19 "2017-03-24 00:30:05.176" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 19 "2017-03-24 00:30:05.239" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 19 "2017-03-24 00:30:05.254" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 19 "2017-03-24 00:30:05.317" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 19 "2017-03-24 00:30:05.317" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 4076 20 "2017-03-24 00:30:25.114" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 20 "2017-03-24 00:30:25.176" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 20 "2017-03-24 00:30:25.176" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 20 "2017-03-24 00:30:25.239" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 20 "2017-03-24 00:30:25.239" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 4076 21 "2017-03-24 00:33:12.209" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 21 "2017-03-24 00:33:12.271" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 21 "2017-03-24 00:33:12.271" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 21 "2017-03-24 00:33:12.334" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 21 "2017-03-24 00:33:12.334" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 22 "2017-03-24 00:33:32.131" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 22 "2017-03-24 00:33:32.177" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 22 "2017-03-24 00:33:32.193" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 22 "2017-03-24 00:33:32.240" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 22 "2017-03-24 00:33:32.256" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 23 "2017-03-24 00:39:34.180" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 23 "2017-03-24 00:39:34.242" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 4076 23 "2017-03-24 00:39:34.242" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 23 "2017-03-24 00:39:34.305" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 4076 23 "2017-03-24 00:39:34.305" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 4076 24 "2017-03-24 00:39:54.133" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 25 "2017-03-24 00:40:45.212" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 25 "2017-03-24 00:40:45.274" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 25 "2017-03-24 00:40:45.274" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 25 "2017-03-24 00:40:45.337" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 25 "2017-03-24 00:40:45.337" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 4076 26 "2017-03-24 00:41:05.196" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 27 "2017-03-24 00:43:52.197" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 27 "2017-03-24 00:43:52.260" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 27 "2017-03-24 00:43:52.275" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 27 "2017-03-24 00:43:52.338" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 27 "2017-03-24 00:43:52.338" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 28 "2017-03-24 00:44:12.150" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 28 "2017-03-24 00:44:12.213" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 28 "2017-03-24 00:44:12.213" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 28 "2017-03-24 00:44:12.291" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 28 "2017-03-24 00:44:12.291" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 64 "2017-03-24 00:54:32.170" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 348 64 "2017-03-24 00:54:32.248" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 348 64 "2017-03-24 00:54:32.248" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 348 64 "2017-03-24 00:54:32.311" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 348 64 "2017-03-24 00:54:32.311" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 65 "2017-03-24 00:54:52.186" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 65 "2017-03-24 00:54:52.233" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 65 "2017-03-24 00:54:52.248" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 65 "2017-03-24 00:54:52.295" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 65 "2017-03-24 00:54:52.295" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 66 "2017-03-24 01:01:25.188" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 66 "2017-03-24 01:01:25.251" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 66 "2017-03-24 01:01:25.313" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 66 "2017-03-24 01:01:25.376" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 66 "2017-03-24 01:01:25.376" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 4076 67 "2017-03-24 01:01:45.126" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 67 "2017-03-24 01:01:45.173" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 67 "2017-03-24 01:01:45.188" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 67 "2017-03-24 01:01:45.235" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 67 "2017-03-24 01:01:45.235" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 4076 68 "2017-03-24 01:05:12.205" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 68 "2017-03-24 01:05:12.252" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 68 "2017-03-24 01:05:12.268" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 68 "2017-03-24 01:05:12.315" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 68 "2017-03-24 01:05:12.315" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 69 "2017-03-24 01:05:32.127" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 69 "2017-03-24 01:05:32.190" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 69 "2017-03-24 01:05:32.205" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 69 "2017-03-24 01:05:32.268" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 69 "2017-03-24 01:05:32.268" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 70 "2017-03-24 01:10:14.145" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 70 "2017-03-24 01:10:14.207" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 4076 70 "2017-03-24 01:10:14.332" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 70 "2017-03-24 01:10:14.395" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 4076 70 "2017-03-24 01:10:14.395" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 4076 71 "2017-03-24 01:10:34.176" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 71 "2017-03-24 01:10:34.254" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 4076 71 "2017-03-24 01:10:34.254" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 71 "2017-03-24 01:10:34.317" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 4076 71 "2017-03-24 01:10:34.317" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 4076 72 "2017-03-24 01:12:05.192" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 72 "2017-03-24 01:12:05.270" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 72 "2017-03-24 01:12:05.270" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 72 "2017-03-24 01:12:05.333" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 72 "2017-03-24 01:12:05.333" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 4076 73 "2017-03-24 01:12:25.146" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 73 "2017-03-24 01:12:25.224" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 73 "2017-03-24 01:12:25.224" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 73 "2017-03-24 01:12:25.286" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 73 "2017-03-24 01:12:25.286" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 4076 74 "2017-03-24 01:15:52.178" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 74 "2017-03-24 01:15:52.241" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 74 "2017-03-24 01:15:52.287" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 74 "2017-03-24 01:15:52.350" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 74 "2017-03-24 01:15:52.350" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 75 "2017-03-24 01:16:12.131" "213.169.154.164" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 75 "2017-03-24 01:16:12.194" "213.169.154.164" "RECEIVED: EHLO intermittencies.servalead.eu"
"SMTPD" 4076 75 "2017-03-24 01:16:12.209" "213.169.154.164" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 75 "2017-03-24 01:16:12.256" "213.169.154.164" "RECEIVED: QUIT"
"SMTPD" 4076 75 "2017-03-24 01:16:12.256" "213.169.154.164" "SENT: 221 goodbye"
"SMTPD" 4076 76 "2017-03-24 01:20:55.149" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 76 "2017-03-24 01:20:55.227" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 4076 76 "2017-03-24 01:20:55.243" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 76 "2017-03-24 01:20:55.289" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 4076 76 "2017-03-24 01:20:55.289" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 4076 77 "2017-03-24 01:21:15.196" "213.169.154.162" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 77 "2017-03-24 01:21:15.258" "213.169.154.162" "RECEIVED: EHLO libs.outlinelead.eu"
"SMTPD" 4076 77 "2017-03-24 01:21:15.274" "213.169.154.162" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 77 "2017-03-24 01:21:15.336" "213.169.154.162" "RECEIVED: QUIT"
"SMTPD" 4076 77 "2017-03-24 01:21:15.336" "213.169.154.162" "SENT: 221 goodbye"
"SMTPD" 4076 78 "2017-03-24 01:22:46.134" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 78 "2017-03-24 01:22:46.196" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 78 "2017-03-24 01:22:46.446" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 78 "2017-03-24 01:22:46.525" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 78 "2017-03-24 01:22:46.525" "213.169.154.166" "SENT: 221 goodbye"
"SMTPD" 4076 79 "2017-03-24 01:23:06.118" "213.169.154.166" "SENT: 220 mx.acme.inc ESMTP"
"SMTPD" 4076 79 "2017-03-24 01:23:06.181" "213.169.154.166" "RECEIVED: EHLO macabreness.servalead.eu"
"SMTPD" 4076 79 "2017-03-24 01:23:06.181" "213.169.154.166" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"SMTPD" 4076 79 "2017-03-24 01:23:06.243" "213.169.154.166" "RECEIVED: QUIT"
"SMTPD" 4076 79 "2017-03-24 01:23:06.243" "213.169.154.166" "SENT: 221 goodbye"
[/code]
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
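The connect/EHLO/QUIT probing and the single-address connection bursts seen in the logs posted in this thread can be counted mechanically. The following is an added example, not part of any post and not hMailServer code; the sample lines are constructed with documentation addresses, and the category names, the 60-second window and the threshold of 5 are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Field layout as it appears in the logs quoted in this thread:
# "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "<SENT|RECEIVED>: <text>"
LINE_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+'
    r'"(?P<ip>[^"]+)"\s+"(?P<dir>SENT|RECEIVED): (?P<text>.*)"\s*$'
)
GREETING_ONLY = {"EHLO", "HELO", "QUIT", "NOOP", "RSET"}


def parse_sessions(lines):
    """Group SMTPD lines by (client IP, session id); other line types are skipped."""
    sessions = defaultdict(lambda: {"start": None, "client": []})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # e.g. "APPLICATION" lines, which use a different layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        s = sessions[(m["ip"], m["session"])]
        # Lines of one session are not always logged in order, so keep the minimum.
        if s["start"] is None or ts < s["start"]:
            s["start"] = ts
        if m["dir"] == "RECEIVED":
            s["client"].append(m["text"])
    return sessions


def classify(client_lines):
    """Label a session by what the client sent (labels are this example's own)."""
    verbs = {text.split(" ", 1)[0].upper() for text in client_lines if text}
    if not verbs:
        return "silent"      # banner sent, client never spoke
    if "MAIL" in verbs:
        return "mail"        # reached a mail transaction
    if "AUTH" in verbs:
        return "auth-only"   # login attempt, no mail transaction
    if verbs <= GREETING_ONLY:
        return "probe"       # greeted and left
    return "other"


def summarize(lines, window=timedelta(seconds=60), flood_threshold=5):
    """Per client IP: session kinds, and the peak count of no-mail sessions per window."""
    per_ip = defaultdict(lambda: {"kinds": Counter(), "starts": []})
    for (ip, _sid), s in parse_sessions(lines).items():
        kind = classify(s["client"])
        per_ip[ip]["kinds"][kind] += 1
        if kind != "mail":
            per_ip[ip]["starts"].append(s["start"])
    report = {}
    for ip, d in per_ip.items():
        starts, peak, lo = sorted(d["starts"]), 0, 0
        for hi, t in enumerate(starts):      # sliding window over session start times
            while t - starts[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        report[ip] = {"kinds": dict(d["kinds"]), "peak_no_mail": peak,
                      "flood": peak >= flood_threshold}
    return report


# Constructed sample (not real traffic): two probes 20 s apart, one burst, one delivery.
SAMPLE = '''\
"SMTPD" 4076 17 "2017-03-24 00:28:54.114" "192.0.2.10" "SENT: 220 mx.example.test ESMTP"
"SMTPD" 4076 17 "2017-03-24 00:28:54.176" "192.0.2.10" "RECEIVED: EHLO probe.example.test"
"SMTPD" 4076 17 "2017-03-24 00:28:54.191" "192.0.2.10" "SENT: 250-mx.example.test[nl]250 SIZE"
"SMTPD" 4076 17 "2017-03-24 00:28:54.238" "192.0.2.10" "RECEIVED: QUIT"
"SMTPD" 4076 17 "2017-03-24 00:28:54.238" "192.0.2.10" "SENT: 221 goodbye"
"SMTPD" 4076 18 "2017-03-24 00:29:14.129" "192.0.2.10" "SENT: 220 mx.example.test ESMTP"
"SMTPD" 4076 18 "2017-03-24 00:29:14.191" "192.0.2.10" "RECEIVED: EHLO probe.example.test"
"SMTPD" 4076 18 "2017-03-24 00:29:14.270" "192.0.2.10" "RECEIVED: QUIT"
"SMTPD" 3784 40 "2017-03-24 00:31:16.198" "198.51.100.7" "SENT: 220 mx.example.test ESMTP"
"SMTPD" 3784 40 "2017-03-24 00:31:16.198" "198.51.100.7" "RECEIVED: AUTH LOGIN"
"SMTPD" 3784 40 "2017-03-24 00:31:16.198" "198.51.100.7" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 2712 40 "2017-03-24 00:31:17.210" "198.51.100.7" "RECEIVED: dXNlcg=="
"APPLICATION" 2712 "2017-03-24 00:31:18.155" "DALConnection - Reconnecting to the database"
"SMTPD" 3056 60 "2017-03-24 00:40:00.100" "203.0.113.5" "RECEIVED: EHLO mail.example.test"
"SMTPD" 3056 60 "2017-03-24 00:40:00.200" "203.0.113.5" "RECEIVED: MAIL FROM:<a@example.test>"
'''
# Six banner-only sessions from one address within the same second (constructed).
SAMPLE += "".join(
    f'"SMTPD" 39{n} {41 + n} "2017-03-24 00:31:16.2{n}0" "198.51.100.7" '
    f'"SENT: 220 mx.example.test ESMTP"\n' for n in range(6))

if __name__ == "__main__":
    for ip, row in sorted(summarize(SAMPLE.splitlines()).items()):
        print(ip, row)
```

Sessions are keyed by client IP plus session id because one session's lines are written by different worker threads and can appear interleaved with other sessions.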

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-03-25 01:13

IPRanges.jpg
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

jimimaseye
Moderator
Posts: 7766
Joined: 2011-09-08 17:48

Re: Spam attacks? Do you think you are hard done to?

Post by jimimaseye » 2017-04-16 14:34

One particular bot in China got a little bit overexcited this morning:

[code]"SMTPD" 3056 6918 "2017-04-16 11:54:48.121" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 6918 "2017-04-16 11:54:49.103" "116.228.12.138" "RECEIVED: EHLO KOOLLOOK-HOST"
"SMTPD" 2712 6918 "2017-04-16 11:54:49.103" "116.228.12.138" "SENT: 250-mydomain.net[nl]250-SIZE 26214000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3056 6918 "2017-04-16 11:54:50.336" "116.228.12.138" "RECEIVED: QUIT"
"SMTPD" 3056 6918 "2017-04-16 11:54:50.336" "116.228.12.138" "SENT: 221 goodbye"
"SMTPD" 3268 7067 "2017-04-16 11:55:36.122" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7068 "2017-04-16 11:55:56.121" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7066 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7067 "2017-04-16 11:55:56.137" "116.228.12.138" "RECEIVED: EHLO KOOLLOOK-HOST"
"SMTPD" 3996 7067 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 250-mydomain.net[nl]250-SIZE 26214000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 1956 7064 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7063 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7062 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7061 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7060 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7058 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7057 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7056 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7065 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7055 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7052 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7051 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7050 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7054 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7053 "2017-04-16 11:55:56.137" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7048 "2017-04-16 11:55:56.152" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7049 "2017-04-16 11:55:56.152" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7044 "2017-04-16 11:55:56.152" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7046 "2017-04-16 11:55:56.152" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7043 "2017-04-16 11:55:56.152" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7047 "2017-04-16 11:55:56.152" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7045 "2017-04-16 11:55:56.152" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7042 "2017-04-16 11:55:56.152" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7073 "2017-04-16 11:56:16.198" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7075 "2017-04-16 11:56:16.198" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7067 "2017-04-16 11:56:16.198" "116.228.12.138" "RECEIVED: AUTH LOGIN"
"SMTPD" 3784 7067 "2017-04-16 11:56:16.198" "116.228.12.138" "SENT: 334 VXNlcm5hbWU6"
"SMTPD" 3800 7081 "2017-04-16 11:57:17.210" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7092 "2017-04-16 11:57:17.210" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7067 "2017-04-16 11:57:17.210" "116.228.12.138" "RECEIVED: YWNjb3VudA=="
"SMTPD" 2712 7067 "2017-04-16 11:57:17.210" "116.228.12.138" "SENT: 334 UGFzc3dvcmQ6"
"SMTPD" 3792 7089 "2017-04-16 11:57:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7088 "2017-04-16 11:57:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7090 "2017-04-16 11:57:37.178" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7105 "2017-04-16 11:57:57.115" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7104 "2017-04-16 11:57:57.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7100 "2017-04-16 11:57:57.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7106 "2017-04-16 11:57:57.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7107 "2017-04-16 11:57:57.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7094 "2017-04-16 11:57:57.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7112 "2017-04-16 11:58:17.192" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7113 "2017-04-16 11:58:17.192" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7114 "2017-04-16 11:58:37.207" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7115 "2017-04-16 11:58:37.207" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7117 "2017-04-16 11:58:57.113" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7116 "2017-04-16 11:59:17.112" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7118 "2017-04-16 11:59:17.112" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7119 "2017-04-16 11:59:37.127" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7120 "2017-04-16 11:59:37.127" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7108 "2017-04-16 11:59:57.141" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7083 "2017-04-16 11:59:57.141" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7087 "2017-04-16 11:59:57.141" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7121 "2017-04-16 11:59:57.141" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7111 "2017-04-16 11:59:57.141" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7109 "2017-04-16 11:59:57.141" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7099 "2017-04-16 11:59:57.141" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7122 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7091 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7110 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7086 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7079 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7082 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7078 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7070 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7072 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7076 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7069 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7093 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7085 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7084 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7077 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7071 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7074 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7080 "2017-04-16 11:59:57.157" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"APPLICATION" 2712 "2017-04-16 11:59:58.155" "DALConnection - Reconnecting to the database"
"SMTPD" 3416 7142 "2017-04-16 12:00:38.195" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7140 "2017-04-16 12:00:38.198" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7143 "2017-04-16 12:00:38.200" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7147 "2017-04-16 12:00:58.153" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7131 "2017-04-16 12:02:17.185" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7136 "2017-04-16 12:02:17.185" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7137 "2017-04-16 12:02:17.185" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7129 "2017-04-16 12:02:37.215" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7148 "2017-04-16 12:02:37.215" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7138 "2017-04-16 12:02:37.215" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7126 "2017-04-16 12:02:37.215" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7128 "2017-04-16 12:02:37.215" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7124 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7127 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7152 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7153 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7154 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7151 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7150 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7149 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7145 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7144 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7146 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7134 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7139 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7141 "2017-04-16 12:02:37.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7125 "2017-04-16 12:02:37.246" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7135 "2017-04-16 12:02:37.246" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7133 "2017-04-16 12:02:37.246" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7132 "2017-04-16 12:02:37.246" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7130 "2017-04-16 12:02:37.246" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7123 "2017-04-16 12:02:37.246" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7171 "2017-04-16 12:02:57.215" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7164 "2017-04-16 12:03:57.181" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7168 "2017-04-16 12:03:57.181" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7160 "2017-04-16 12:03:57.181" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7184 "2017-04-16 12:04:37.117" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7173 "2017-04-16 12:04:37.117" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7165 "2017-04-16 12:04:37.117" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7176 "2017-04-16 12:04:37.117" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7187 "2017-04-16 12:05:57.192" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7186 "2017-04-16 12:05:57.192" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7188 "2017-04-16 12:05:57.192" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7182 "2017-04-16 12:05:57.192" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7189 "2017-04-16 12:06:57.736" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7193 "2017-04-16 12:06:57.736" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7194 "2017-04-16 12:06:57.736" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7198 "2017-04-16 12:07:17.158" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7155 "2017-04-16 12:07:37.188" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7170 "2017-04-16 12:07:37.188" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7167 "2017-04-16 12:07:37.188" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7157 "2017-04-16 12:07:37.188" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7156 "2017-04-16 12:07:37.188" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7185 "2017-04-16 12:07:37.188" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7163 "2017-04-16 12:07:37.188" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7196 "2017-04-16 12:07:37.188" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7197 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7169 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7180 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7199 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7178 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7158 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7195 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7177 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7161 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7166 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7159 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7179 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7172 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7174 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7175 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7181 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7162 "2017-04-16 12:07:37.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7204 "2017-04-16 12:08:17.218" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7200 "2017-04-16 12:08:17.218" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7202 "2017-04-16 12:08:17.218" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7221 "2017-04-16 12:08:17.218" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7205 "2017-04-16 12:08:17.218" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7219 "2017-04-16 12:08:17.218" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7217 "2017-04-16 12:08:17.233" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7220 "2017-04-16 12:08:17.233" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7209 "2017-04-16 12:08:17.233" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7213 "2017-04-16 12:08:17.233" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7203 "2017-04-16 12:08:17.233" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7227 "2017-04-16 12:08:37.155" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7218 "2017-04-16 12:09:37.199" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7210 "2017-04-16 12:09:37.199" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7208 "2017-04-16 12:09:37.230" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7222 "2017-04-16 12:09:37.230" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7215 "2017-04-16 12:09:37.230" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7214 "2017-04-16 12:09:37.230" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7212 "2017-04-16 12:09:37.230" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7244 "2017-04-16 12:10:17.213" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7239 "2017-04-16 12:10:17.213" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7238 "2017-04-16 12:11:17.211" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7241 "2017-04-16 12:11:37.210" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7240 "2017-04-16 12:11:37.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7242 "2017-04-16 12:11:37.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7237 "2017-04-16 12:11:37.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7233 "2017-04-16 12:11:37.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7235 "2017-04-16 12:11:37.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7243 "2017-04-16 12:11:37.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7234 "2017-04-16 12:11:37.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7257 "2017-04-16 12:11:57.163" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7247 "2017-04-16 12:12:17.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7258 "2017-04-16 12:12:17.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7254 "2017-04-16 12:12:17.178" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7248 "2017-04-16 12:12:17.178" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7256 "2017-04-16 12:12:17.178" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7255 "2017-04-16 12:12:17.178" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7263 "2017-04-16 12:12:37.208" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7264 "2017-04-16 12:12:37.208" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7260 "2017-04-16 12:12:37.208" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7265 "2017-04-16 12:12:57.129" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7267 "2017-04-16 12:12:57.129" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7266 "2017-04-16 12:12:57.129" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7268 "2017-04-16 12:13:17.160" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7270 "2017-04-16 12:13:17.160" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7269 "2017-04-16 12:13:17.160" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7271 "2017-04-16 12:13:37.174" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7273 "2017-04-16 12:13:37.174" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7272 "2017-04-16 12:13:37.174" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7276 "2017-04-16 12:13:57.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7274 "2017-04-16 12:14:17.111" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7277 "2017-04-16 12:14:17.111" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7275 "2017-04-16 12:14:17.111" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7280 "2017-04-16 12:14:37.125" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7278 "2017-04-16 12:14:57.125" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7281 "2017-04-16 12:14:57.125" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7279 "2017-04-16 12:14:57.125" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7282 "2017-04-16 12:15:17.155" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7284 "2017-04-16 12:15:17.155" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7283 "2017-04-16 12:15:17.155" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7285 "2017-04-16 12:15:37.185" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7287 "2017-04-16 12:15:37.185" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7286 "2017-04-16 12:15:37.185" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7259 "2017-04-16 12:15:57.200" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7251 "2017-04-16 12:15:57.200" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7225 "2017-04-16 12:15:57.200" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7245 "2017-04-16 12:15:57.200" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7229 "2017-04-16 12:15:57.200" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7288 "2017-04-16 12:15:57.200" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7253 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7250 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7236 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7232 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7290 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7252 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7207 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7201 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7223 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7289 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7206 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7262 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7261 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7231 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7228 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7211 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7216 "2017-04-16 12:15:57.247" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7230 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7224 "2017-04-16 12:15:57.231" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7314 "2017-04-16 12:16:57.760" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7308 "2017-04-16 12:16:57.760" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7309 "2017-04-16 12:16:57.775" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7313 "2017-04-16 12:17:57.165" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7301 "2017-04-16 12:17:57.165" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7315 "2017-04-16 12:17:57.165" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7316 "2017-04-16 12:18:17.211" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7320 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7319 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7307 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7322 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7321 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7318 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7303 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7299 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7312 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7311 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7306 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7310 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7305 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7302 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7300 "2017-04-16 12:18:17.226" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7326 "2017-04-16 12:18:57.178" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7338 "2017-04-16 12:18:57.178" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7335 "2017-04-16 12:18:57.178" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7333 "2017-04-16 12:18:57.209" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7332 "2017-04-16 12:18:57.209" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7339 "2017-04-16 12:18:57.209" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7329 "2017-04-16 12:18:57.209" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7331 "2017-04-16 12:18:57.209" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7341 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7336 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7330 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7327 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7298 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7294 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7295 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7293 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7292 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7291 "2017-04-16 12:19:17.130" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7340 "2017-04-16 12:19:17.146" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7297 "2017-04-16 12:19:17.146" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7334 "2017-04-16 12:19:17.146" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7337 "2017-04-16 12:19:17.146" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7347 "2017-04-16 12:19:17.161" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7328 "2017-04-16 12:19:17.161" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7323 "2017-04-16 12:19:17.161" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7296 "2017-04-16 12:19:17.161" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7304 "2017-04-16 12:19:17.161" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7351 "2017-04-16 12:19:57.191" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7345 "2017-04-16 12:20:37.190" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7342 "2017-04-16 12:20:37.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7343 "2017-04-16 12:20:37.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7357 "2017-04-16 12:21:17.204" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7346 "2017-04-16 12:21:37.109" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7359 "2017-04-16 12:21:37.125" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7344 "2017-04-16 12:21:37.125" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7368 "2017-04-16 12:21:57.155" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7370 "2017-04-16 12:22:17.217" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7376 "2017-04-16 12:22:17.217" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7379 "2017-04-16 12:22:37.154" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7380 "2017-04-16 12:22:57.169" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7373 "2017-04-16 12:22:57.169" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7369 "2017-04-16 12:23:17.199" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7382 "2017-04-16 12:23:17.199" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7381 "2017-04-16 12:23:17.199" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7378 "2017-04-16 12:23:17.199" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7375 "2017-04-16 12:23:17.215" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7371 "2017-04-16 12:23:17.215" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7387 "2017-04-16 12:23:37.136" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7372 "2017-04-16 12:23:57.135" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7358 "2017-04-16 12:23:57.135" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7377 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7356 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7352 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7355 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7360 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7367 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7383 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7349 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7354 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7390 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7366 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7353 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7363 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7388 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7348 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7386 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7364 "2017-04-16 12:23:57.151" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7362 "2017-04-16 12:23:57.166" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7361 "2017-04-16 12:23:57.166" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7350 "2017-04-16 12:23:57.166" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7391 "2017-04-16 12:23:57.166" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7389 "2017-04-16 12:23:57.166" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7365 "2017-04-16 12:23:57.166" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7404 "2017-04-16 12:25:17.116" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7399 "2017-04-16 12:25:17.116" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7409 "2017-04-16 12:25:57.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7407 "2017-04-16 12:25:57.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7405 "2017-04-16 12:25:57.162" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7398 "2017-04-16 12:25:57.177" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7414 "2017-04-16 12:26:17.208" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7423 "2017-04-16 12:26:37.160" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7424 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7416 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7410 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7400 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7392 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7393 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7397 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7395 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3940 7394 "2017-04-16 12:26:57.175" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7401 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2480 7422 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7415 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3056 7425 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3796 7413 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7417 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3920 7421 "2017-04-16 12:26:57.253" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3116 7403 "2017-04-16 12:26:57.253" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3792 7402 "2017-04-16 12:26:57.253" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7396 "2017-04-16 12:26:57.253" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7412 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3184 7411 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3892 7420 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3924 7419 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7408 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3944 7406 "2017-04-16 12:26:57.206" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 1956 7436 "2017-04-16 12:27:17.112" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3804 7435 "2017-04-16 12:27:17.112" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3964 7431 "2017-04-16 12:27:17.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3268 7428 "2017-04-16 12:27:17.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7432 "2017-04-16 12:27:17.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3984 7429 "2017-04-16 12:27:17.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3788 7427 "2017-04-16 12:27:17.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3416 7434 "2017-04-16 12:27:17.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 3780 7433 "2017-04-16 12:27:17.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"
"SMTPD" 2712 7430 "2017-04-16 12:27:17.205" "116.228.12.138" "SENT: 220 Ourmail SMTP"[/code]


It tied up resources (sockets?) for 30 minutes preventing a successful External Download (set for every 1 minute) for one of the accounts. (I received a monitor email that checks for delays between successful External Downloads).
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by SorenR » 2017-04-16 23:45

jimimaseye wrote: One particular bot in China got a little bit over excited this morning:

It tied up resources (sockets?) for 30 minutes preventing a successful External Download (set for every 1 minute) for one of the accounts. (I received a monitor email that checks for delays between successful External Downloads).
My IDS code would have killed it on the fourth connect :mrgreen:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

Post by jimimaseye » 2017-04-17 10:11

SorenR wrote: My IDS code would have killed it on the fourth connect :mrgreen:
Indeed. But here is my problem......

The autoban feature of hMailServer simply stops hMailServer responding to connections by simply refusing to answer to the incoming connection (and therefore nothing shows in the logs). What it doesn't stop is the incoming socket connection up to the server (where HMS sits). Therefore, in the light of a mini-flood which stops other things from working (which my last example above shows) simply being on the ban list wouldn't stop it from freezing my server as it did (it simply stops the connection attempts showing in the log).

This is observed by monitoring the server's TCP connections at the time (such as netstat or use TCPView for easier viewing). You will see that even though the incoming connections are on the autobanned list (and HMS is not responding to them) they are still there hammering the system until the initiating server gives up/times out.

The Autoban feature is useful to stop genuine mail servers from sending in mails (as in: HMS: "Hello unwanted mailserver. I don't like the mail that you may be sending so therefore I am telling you to go away - I simply don't want to communicate with you", CLI: "ok, if that's the way you want it I will not try to continue this conversation and will drop connections") and as such, being a behaving mail server (albeit unwanted), it saves resources. But in the case of such attacks (above) where it isn't a genuine 'let's play by the rules' mail server it still causes problems and effectively all we get from autobanning it is a nice clean log file.

Now here's the perverseness: at least with a log file that shows all these attempts I was able to correlate my server problems for that 30 minutes to this mini-flood of connections. If I had the IDS system in place (and the autoban was in place) I wouldn't have those log entries and I wouldn't have known that my server and network was under attack for that 30 minutes and therefore would have been left scratching my head as to why my downloads were not working any more (or network things were going generally slow). Possibly.

Post by mattg » 2017-04-17 11:26

I routinely log 'debug' and that includes lines like

"DEBUG" 5868 "2017-04-17 16:14:19.920" "Client connection from 27.152.181.217 was not accepted. Blocked either by IP range or by connection limit."

You could also custom log fairly easily....

Better solution is to use the hMailServer logs to find suitable IP addresses to block at firewall. I'm still working on the right firewall for me. I have found 'smoothwall community edition' to nearly meet my needs except that the Linux kernel is fairly old and I need to bake my own using the latest kernel to use the HyperV NIC drivers properly (which I haven't done yet). IPFire uses the latest kernel and drivers work great, but as a firewall it isn't as good as Smoothwall in my view. I've looked at and set up dozens of firewall systems trying to get them to work the way I want. There is a lot of sub-standard software out there.

As a test I have uploaded a list of IPs to 'drop' on both my Smoothwall and IPFire firewalls. Smoothwall works OK, it just logs 1 GB per day of errors from the system about the NIC drivers. I've found I need to reboot IPFire after updating drop IP addresses (or to start / stop timed rules) which is a complete PITA. Also IPFire doesn't do hairpinning and all LAN addresses show as the firewall IP in hMailServer logs.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
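
mattg's suggestion of using the hMailServer logs to find addresses to block at the firewall can be scripted. The Python below is an added example, not code from any poster in this thread or from hMailServer; it assumes the SMTPD and DEBUG line layouts quoted in the thread, and the 60-second window, the threshold of four, and every sample log line (documentation addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layouts quoted in this thread (documentation IPs).
SAMPLE_LOG = '''
"SMTPD" 3804 7288 "2017-04-16 12:15:57.200" "203.0.113.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 3800 7253 "2017-04-16 12:15:57.231" "203.0.113.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 3784 7250 "2017-04-16 12:15:57.231" "203.0.113.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 3992 7236 "2017-04-16 12:15:57.247" "203.0.113.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7232 "2017-04-16 12:15:57.231" "203.0.113.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 3060 7314 "2017-04-16 12:17:57.760" "203.0.113.7" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 827 "2017-04-16 12:16:34.171" "198.51.100.20" "SENT: 220 Ourmail SMTP"
"SMTPD" 4264 827 "2017-04-16 12:16:34.187" "198.51.100.20" "RECEIVED: QUIT"
"SMTPD" 4264 827 "2017-04-16 12:16:34.187" "198.51.100.20" "SENT: 221 goodbye"
"SMTPD" 3996 7400 "2017-04-16 12:18:01.100" "192.0.2.10" "SENT: 220 Ourmail SMTP"
"SMTPD" 3996 7400 "2017-04-16 12:18:01.300" "192.0.2.10" "RECEIVED: EHLO mail.example.org"
"DEBUG" 5868 "2017-04-16 12:20:01.100" "Client connection from 203.0.113.99 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG" 5868 "2017-04-16 12:20:01.120" "Client connection from 203.0.113.99 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG" 5868 "2017-04-16 12:20:21.100" "Client connection from 203.0.113.99 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG" 5868 "2017-04-16 12:20:41.100" "Client connection from 203.0.113.99 was not accepted. Blocked either by IP range or by connection limit."
'''

# "SMTPD" <thread> <session> "<timestamp>" "<ip>" "<message>"
SMTPD_RE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"([^"]+)"\s+"([^"]+)"\s+"(.*)"\s*$')
# "DEBUG" <thread> "<timestamp>" "Client connection from <ip> was not accepted. ..."
DEBUG_RE = re.compile(
    r'^"DEBUG"\s+\d+\s+"[^"]+"\s+"Client connection from (\S+) was not accepted\.')
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_log(lines):
    """Return (sessions, rejected): per-session facts and per-IP refusal counts."""
    sessions = {}                    # (ip, session id) -> start time, client activity
    rejected = defaultdict(int)      # ip -> connections refused before SMTP began
    for line in lines:
        line = line.strip()
        m = SMTPD_RE.match(line)
        if m:
            sid, ts, ip, msg = m.groups()
            when = datetime.strptime(ts, TS_FORMAT)
            s = sessions.setdefault((ip, sid), {"start": when, "client_spoke": False})
            s["start"] = min(s["start"], when)   # log lines are not strictly ordered
            if msg.startswith("RECEIVED:"):
                s["client_spoke"] = True
            continue
        m = DEBUG_RE.match(line)
        if m:
            rejected[m.group(1)] += 1
    return sessions, rejected


def peak_in_window(times, window):
    """Largest number of timestamps falling inside any span of length `window`."""
    times = sorted(times)
    best = left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_flooders(lines, window_seconds=60, threshold=4):
    """List IPs whose session burst or refused-connection count reaches threshold."""
    sessions, rejected = parse_log(lines)
    starts, silent = defaultdict(list), defaultdict(int)
    for (ip, _sid), s in sessions.items():
        starts[ip].append(s["start"])
        if not s["client_spoke"]:    # banner sent, client never issued a command
            silent[ip] += 1
    window = timedelta(seconds=window_seconds)
    report = []
    for ip in set(starts) | set(rejected):
        peak = peak_in_window(starts.get(ip, []), window)
        if peak >= threshold or rejected.get(ip, 0) >= threshold:
            report.append({"ip": ip, "sessions": len(starts.get(ip, [])),
                           "peak": peak, "silent": silent.get(ip, 0),
                           "rejected": rejected.get(ip, 0)})
    return sorted(report, key=lambda r: (-r["peak"], -r["rejected"], r["ip"]))


if __name__ == "__main__":
    for row in find_flooders(SAMPLE_LOG.splitlines()):
        print(row)
```

The `rejected` column only fills in when debug logging is enabled, since that is where the "was not accepted" lines appear.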

Post by SorenR » 2017-04-17 11:51

jimimaseye wrote:
SorenR wrote: My IDS code would have killed it on the fourth connect :mrgreen:
Indeed. But here is my problem......

The autoban feature of hMailServer simply stops hMailServer responding to connections by simply refusing to answer to the incoming connection (and therefore nothing shows in the logs). What it doesn't stop is the incoming socket connection up to the server (where HMS sits). Therefore, in the light of a mini-flood which stops other things from working (which my last example above shows) simply being on the ban list wouldn't stop it from freezing my server as it did (it simply stops the connection attempts showing in the log).

This is observed by monitoring the server's TCP connections at the time (such as netstat or use TCPView for easier viewing). You will see that even though the incoming connections are on the autobanned list (and HMS is not responding to them) they are still there hammering the system until the initiating server gives up/times out.

The Autoban feature is useful to stop genuine mail servers from sending in mails (as in: HMS: "Hello unwanted mailserver. I don't like the mail that you may be sending so therefore I am telling you to go away - I simply don't want to communicate with you", CLI: "ok, if that's the way you want it I will not try to continue this conversation and will drop connections") and as such, being a behaving mail server (albeit unwanted), it saves resources. But in the case of such attacks (above) where it isn't a genuine 'let's play by the rules' mail server it still causes problems and effectively all we get from autobanning it is a nice clean log file.

Now here's the perverseness: at least with a log file that shows all these attempts I was able to correlate my server problems for that 30 minutes to this mini-flood of connections. If I had the IDS system in place (and the autoban was in place) I wouldn't have those log entries and I wouldn't have known that my server and network was under attack for that 30 minutes and therefore would have been left scratching my head as to why my downloads were not working any more (or network things were going generally slow). Possibly.
What you are seeing is a SYN flood that works like a Slowloris attack. I have not found a better name for it for SMTP but the primary objective is to open, and hold open, as many TCP connections as possible. AutoBan instructs hMailServer to IGNORE anything coming from the IP Address thus NO TCP connections are held open.

If I can find a tool that can generate similar traffic (easily) I can probably do a wiretap to show it.

Post by SorenR » 2017-04-17 11:56

mattg wrote: I routinely log 'debug' and that includes lines like

"DEBUG" 5868 "2017-04-17 16:14:19.920" "Client connection from 27.152.181.217 was not accepted. Blocked either by IP range or by connection limit."

You could also custom log fairly easily....
The only thing that can withstand DDOS attacks is a cloud...

Have you ever argued with the wife and then her sisters and her mother come to her rescue ?? QED ;-)

Post by jimimaseye » 2017-04-17 12:39

SorenR wrote: What you are seeing is a SYN flood that works like a Slowloris attack. I have not found a better name for it for SMTP but the primary objective is to open, and hold open, as many TCP connections as possible. AutoBan instructs hMailServer to IGNORE anything coming from the IP Address thus NO TCP connections are held open.

If I can find a tool that can generate similar traffic (easily) I can probably do a wiretap to show it.
I just did a basic test and it seems it does work the way you suggest.

1, I did 2 separate "telnet 25" sessions from my laptop to the server whilst monitoring the TCPView connections - indeed it shows the 2 connections open (whilst the sessions sit at the 220 welcome banner).

2, I then added the laptop to the ban list (as your IDS script would have done after 3 attempts).

3, I then attempted a 3rd telnet 25 session.

And yes, whilst the first 2 sessions remain at the 220 Welcome banner (and remain connected on port 25), the 3rd connection simply gets rejected and returned back to the initial prompt.

HOWEVER, what does happen is each of those failed connections still remains as a connection with a "TIME_WAIT" status.

[code]
Process           PID  Prot  LocalAddress  LocalPort  RemoteAddress  RemotePort  Status
[System Process]  0    TCP   mailserver    smtp       40.40.40.18    52284       TIME_WAIT
[/code]

These still occupy memory and sockets until they time out (after 2 minutes I think as per TCP definition) but there is nothing we can do about that as it is the mechanism of TCP. I guess this is mildly better than having a flood of connected sessions on port 25 hogging the ports indefinitely in that it is only going to be for 2 minutes and that HMS itself will no longer be having anything to do with them (saving resources). Presumably being standard TCP mechanism the same happens when a firewall blocks the connection too but at least that leaves the server (and LAN side) free and available and any held bottlenecks on the WAN side.
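
The socket states jimimaseye watched in TCPView during this test can also be tallied from `netstat -ano -p TCP` output. The Python below is an added example, not code from the thread; the sample netstat text is constructed (documentation addresses) and the one-session limit in `holders` is an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed output in the Windows `netstat -ano -p TCP` layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       1480
  TCP    192.0.2.5:25           203.0.113.18:52280     ESTABLISHED     1480
  TCP    192.0.2.5:25           203.0.113.18:52281     ESTABLISHED     1480
  TCP    192.0.2.5:25           203.0.113.18:52284     TIME_WAIT       0
  TCP    192.0.2.5:25           198.51.100.9:40112     TIME_WAIT       0
  TCP    192.0.2.5:443          198.51.100.9:40200     ESTABLISHED     2210
  TCP    [2001:db8::5]:25       [2001:db8::99]:61000   ESTABLISHED     1480
"""

# Proto, local addr:port, foreign addr:port, state. IPv6 addresses are bracketed,
# so the port is whatever follows the last colon.
ROW_RE = re.compile(r'^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+([A-Z_0-9]+)')


def smtp_socket_states(netstat_text, port=25):
    """Map each remote address to a Counter of TCP states on the local port."""
    per_remote = defaultdict(Counter)
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                       # headers, blank lines, UDP rows
        _local, lport, remote, _rport, state = m.groups()
        if int(lport) != port or state == "LISTENING":
            continue                       # other services and the listener itself
        per_remote[remote.strip("[]")][state] += 1
    return per_remote


def holders(per_remote, max_established=1):
    """Remote addresses holding more simultaneous ESTABLISHED sessions than allowed."""
    return sorted(ip for ip, states in per_remote.items()
                  if states["ESTABLISHED"] > max_established)


if __name__ == "__main__":
    table = smtp_socket_states(SAMPLE_NETSTAT)
    for ip, states in sorted(table.items()):
        print(ip, dict(states))
    print("holding sessions open:", holders(table))
```

In the sample, 203.0.113.18 mirrors the test above: two sessions parked at the banner show as ESTABLISHED, and the refused third attempt is left in TIME_WAIT.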

Post by Dravion » 2017-04-17 12:54

What about performance?

I think this doesn't scale well and exhausts the memory and CPU very quickly because there is much COM late binding and ADO stuff going on.
64-Bit builds of hMailserver

hMailServer-5.6.+ (HCD) https://github.com/hMailServer-ComDevs/hmailserver
hMailServer-5.6.+ (LTS) https://github.com/Dravion/hMailServer/releases

Post by SorenR » 2017-04-17 13:07

jimimaseye wrote:
SorenR wrote: What you are seeing is a SYN flood that works like a Slowloris attack. I have not found a better name for it for SMTP but the primary objective is to open, and hold open, as many TCP connections as possible. AutoBan instructs hMailServer to IGNORE anything coming from the IP Address thus NO TCP connections are held open.

If I can find a tool that can generate similar traffic (easily) I can probably do a wiretap to show it.
I just did a basic test and it seems it does work the way you suggest.

1, I did 2 separate "telnet 25" sessions from my laptop to the server whilst monitoring the TCPView connections - indeed it shows the 2 connections open (whilst the sessions sit at the 220 welcome banner).

2, I then added the laptop to the ban list (as your IDS script would have done after 3 attempts).

3, I then attempted a 3rd telnet 25 session.

And yes, whilst the first 2 sessions remain at the 220 Welcome banner (and remain connected on port 25), the 3rd connection simply gets rejected and returned back to the initial prompt.

HOWEVER, what does happen is each of those failed connections still remains as a connection with a "TIME_WAIT" status.

[code]
Process           PID  Prot  LocalAddress  LocalPort  RemoteAddress  RemotePort  Status
[System Process]  0    TCP   mailserver    smtp       40.40.40.18    52284       TIME_WAIT
[/code]

These still occupy memory and sockets until they time out (after 2 minutes I think as per TCP definition) but there is nothing we can do about that as it is the mechanism of TCP. I guess this is mildly better than having a flood of connected sessions on port 25 hogging the ports indefinitely in that it is only going to be for 2 minutes and that HMS itself will no longer be having anything to do with them (saving resources). Presumably being standard TCP mechanism the same happens when a firewall blocks the connection too but at least that leaves the server (and LAN side) free and available and any held bottlenecks on the WAN side.
https://social.technet.microsoft.com/Fo ... inserverGP

Post by SorenR » 2017-04-17 16:26

Hmm....

[code]
+----------------------------+----------------+-------------------+---------------+
|                            |  Windows 2003  |  Windows 2008 R2  |  RedHat 5     |
+----------------------------+----------------+-------------------+---------------+
|  TIME WAIT (seconds)       |  240           |  240              |  60           |
+----------------------------+----------------+-------------------+---------------+
|  RANGE OF EPHEMERAL PORTS  |  1024-5000     |  49152-65535      |  32768-61000  |
+----------------------------+----------------+-------------------+---------------+
[/code]
I just realized that I have

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\StrictTimeWaitSeqCheck = 1
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay = 30

on my server... No idea when I set those :roll:
The server was installed on 15.12.2007 ... so it's been running for a while ... :mrgreen:

Post by jim.bus » 2017-04-18 03:02

jimimaseye wrote:
SorenR wrote: My IDS code would have killed it on the fourth connect :mrgreen:
Indeed. But here is my problem......

The autoban feature of hMailServer simply stops hMailServer responding to connections by simply refusing to answer to the incoming connection (and therefore nothing shows in the logs). What it doesn't stop is the incoming socket connection up to the server (where HMS sits). Therefore, in the light of a mini-flood which stops other things from working (which my last example above shows) simply being on the ban list wouldn't stop it from freezing my server as it did (it simply stops the connection attempts showing in the log).

This is observed by monitoring the server's TCP connections at the time (such as netstat or use TCPView for easier viewing). You will see that even though the incoming connections are on the autobanned list (and HMS is not responding to them) they are still there hammering the system until the initiating server gives up/times out.

The Autoban feature is useful to stop genuine mail servers from sending in mails (as in: HMS: "Hello unwanted mailserver. I don't like the mail that you may be sending so therefore I am telling you to go away - I simply don't want to communicate with you", CLI: "ok, if that's the way you want it I will not try to continue this conversation and will drop connections") and as such, being a behaving mail server (albeit unwanted), it saves resources. But in the case of such attacks (above) where it isn't a genuine 'let's play by the rules' mail server it still causes problems and effectively all we get from autobanning it is a nice clean log file.

Now here's the perverseness: at least with a log file that shows all these attempts I was able to correlate my server problems for that 30 minutes to this mini-flood of connections. If I had the IDS system in place (and the autoban was in place) I wouldn't have those log entries and I wouldn't have known that my server and network was under attack for that 30 minutes and therefore would have been left scratching my head as to why my downloads were not working any more (or network things were going generally slow). Possibly.
My logs do show when an Autoban IP Address attempts to connect to hMailServer (see the log entry I get below). I believe in your statement above you indicate hMailServer wouldn't show this in the hMailServer logs (see quoted statement in Blue).

"Client connection from 89.248.171.234 was not accepted. Blocked either by IP range or by connection limit."

This IP Address was in my Autoban list and showed in my hMailServer Log.

Post by mattg » 2017-04-18 03:57

mattg wrote: I routinely log 'debug' and that includes lines like

"DEBUG" 5868 "2017-04-17 16:14:19.920" "Client connection from 27.152.181.217 was not accepted. Blocked either by IP range or by connection limit."
I believe that jimimaseye doesn't log 'debug' routinely

Post by jimimaseye » 2017-04-18 07:53

mattg wrote:
mattg wrote: I routinely log 'debug' and that includes lines like

"DEBUG" 5868 "2017-04-17 16:14:19.920" "Client connection from 27.152.181.217 was not accepted. Blocked either by IP range or by connection limit."
I believe that jimimaseye doesn't log 'debug' routinely
Exactly. Only SMTP and application is logged as I believe in a normal functioning system that is all that is necessary for day to day operations. (For me). 'Debug' has a clue in its title - I am not trying to de-bug anything as I don't have a problem. (So why should I log it).

Post by mattg » 2017-04-18 08:33

To each their own

I log everything except IMAP, as I personally find IMAP logging way too verbose for me
All of my POP3 accounts don't keep messages on the server, so my POP3 logging is minimal.

I compress all logs frequently (automatically), and they compress to a fraction of their original size. Most months are less than 20 MB
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by jimimaseye » 2017-04-18 09:41

I also find 'baretail' (that you recommended) extremely useful, especially its highlighting feature - very good for making errors and other entries stand out.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829


Post by jimimaseye » 2017-04-18 10:58

Baretail example (as I use it):

[Image: Untitled.png]

Cyan, pale green and grey for usual Application, SMTPC and SMTPD entries, and harsh highlighting for all things important such as virus stripping, login failing and banning, and antispam failing.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829


Post by mattg » 2017-04-18 11:12

Yep...
I have a batch script that opens baretail each day with today's hMailServer log files (even my custom ones) and my SpamAssassin logs, ClamAV logs and Freshclam and... I think I have over 100 highlight lines (28 Kb in saved file)

I shut down the baretail at 23:59:59 each night and open a new one at 0:00:00, and so it is always on (my far left hand) screen at all times. I struggle without my three screens and could honestly use six screens I reckon.

I also like the log file viewer in the remodelled web admin tool in this thread >> viewtopic.php?f=10&t=30713
It also shows a live auto-updating queue which is awesome. For the log viewer to work properly, you need to log everything though...
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by mattg » 2017-04-28 02:14

Getting quite a few POP3 and IMAP login attempts

They don't seem to get autobanned.
I require StartTLS for POP3 and IMAP on standard ports (110 and 143), and so that drops a few.

I might have to work on a log file parser to add new entries to my Autoban list, but that has a delay effect.
I could use OnClientConnect, but I'm not sure what to test for, perhaps GeoIP restrictions for POP3 or IMAP connections...perhaps even IP ranges according to GeoIP detailed ranges

I am Autobanning with a script when the HELO is my public IP (or 'ylmf-pc') after a 20 second wait for SMTP connections, and have an autoban list that is currently well over 200 entries long

Thoughts?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by mattg » 2017-04-28 02:22

Here's one now

Code: Select all

"TCPIP"	7316	"2017-04-28 10:17:07.532"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:07.532"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:07.578"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:07.578"	"TCP connection started for session 1830"
"POP3D"	7316	1830	"2017-04-28 10:17:07.578"	"115.127.82.34"	"SENT: +OK POP3"
"DEBUG"	7316	"2017-04-28 10:17:07.938"	"Creating session 1837"
"TCPIP"	7316	"2017-04-28 10:17:07.938"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:07.938"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:08.000"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:08.000"	"TCP connection started for session 1836"
"POP3D"	7316	1836	"2017-04-28 10:17:08.000"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	7316	1836	"2017-04-28 10:17:08.410"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	7316	1836	"2017-04-28 10:17:08.410"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	9344	1836	"2017-04-28 10:17:08.832"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	9344	1836	"2017-04-28 10:17:08.832"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	7416	"2017-04-28 10:17:08.832"	"Ending session 1836"
"DEBUG"	7316	"2017-04-28 10:17:09.240"	"Creating session 1838"
"TCPIP"	7316	"2017-04-28 10:17:09.240"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:09.240"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:09.303"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:09.303"	"TCP connection started for session 1837"
"POP3D"	7316	1837	"2017-04-28 10:17:09.303"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	7416	1837	"2017-04-28 10:17:09.711"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	7416	1837	"2017-04-28 10:17:09.711"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	7316	1837	"2017-04-28 10:17:10.117"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	7316	1837	"2017-04-28 10:17:10.117"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	7416	"2017-04-28 10:17:10.117"	"Ending session 1837"
"DEBUG"	7416	"2017-04-28 10:17:10.258"	"Creating session 1839"
"DEBUG"	7316	"2017-04-28 10:17:10.523"	"Creating session 1840"
"TCPIP"	7316	"2017-04-28 10:17:10.523"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:10.523"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:10.570"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:10.570"	"TCP connection started for session 1838"
"POP3D"	7316	1838	"2017-04-28 10:17:10.570"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	9344	1838	"2017-04-28 10:17:10.980"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	9344	1838	"2017-04-28 10:17:10.980"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	7316	1838	"2017-04-28 10:17:11.386"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	7316	1838	"2017-04-28 10:17:11.386"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	5424	"2017-04-28 10:17:11.386"	"Ending session 1838"
"DEBUG"	7316	"2017-04-28 10:17:11.808"	"Creating session 1841"
"TCPIP"	7316	"2017-04-28 10:17:11.808"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:11.808"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:11.855"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:11.855"	"TCP connection started for session 1840"
"POP3D"	7316	1840	"2017-04-28 10:17:11.855"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	5424	1840	"2017-04-28 10:17:12.276"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	5424	1840	"2017-04-28 10:17:12.276"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	7316	1840	"2017-04-28 10:17:12.683"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	7316	1840	"2017-04-28 10:17:12.683"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	5424	"2017-04-28 10:17:12.683"	"Ending session 1840"
"DEBUG"	7316	"2017-04-28 10:17:13.105"	"Creating session 1842"
"TCPIP"	7316	"2017-04-28 10:17:13.105"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:13.105"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:13.151"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:13.151"	"TCP connection started for session 1841"
"POP3D"	7316	1841	"2017-04-28 10:17:13.151"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	5424	1841	"2017-04-28 10:17:13.573"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	5424	1841	"2017-04-28 10:17:13.573"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	7316	1841	"2017-04-28 10:17:13.995"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	7316	1841	"2017-04-28 10:17:13.995"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	5424	"2017-04-28 10:17:13.995"	"Ending session 1841"
"DEBUG"	7316	"2017-04-28 10:17:14.401"	"Creating session 1843"
"TCPIP"	7316	"2017-04-28 10:17:14.401"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:14.417"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:14.448"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:14.448"	"TCP connection started for session 1842"
"POP3D"	7316	1842	"2017-04-28 10:17:14.448"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	5424	1842	"2017-04-28 10:17:14.870"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	5424	1842	"2017-04-28 10:17:14.870"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	7316	1842	"2017-04-28 10:17:15.276"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	7316	1842	"2017-04-28 10:17:15.276"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	5424	"2017-04-28 10:17:15.276"	"Ending session 1842"
"DEBUG"	7316	"2017-04-28 10:17:15.700"	"Creating session 1844"
"TCPIP"	7316	"2017-04-28 10:17:15.700"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:15.700"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:15.731"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:15.747"	"TCP connection started for session 1843"
"POP3D"	7316	1843	"2017-04-28 10:17:15.747"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	5424	1843	"2017-04-28 10:17:16.147"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	5424	1843	"2017-04-28 10:17:16.147"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	9344	1843	"2017-04-28 10:17:16.568"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	9344	1843	"2017-04-28 10:17:16.568"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	9344	"2017-04-28 10:17:16.568"	"Ending session 1843"
"DEBUG"	7316	"2017-04-28 10:17:16.975"	"Creating session 1845"
"TCPIP"	7316	"2017-04-28 10:17:16.975"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:16.975"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:17.022"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:17.022"	"TCP connection started for session 1844"
"POP3D"	7316	1844	"2017-04-28 10:17:17.022"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	7316	1844	"2017-04-28 10:17:17.443"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	7316	1844	"2017-04-28 10:17:17.443"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	9344	1844	"2017-04-28 10:17:17.851"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	9344	1844	"2017-04-28 10:17:17.851"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	7316	"2017-04-28 10:17:17.851"	"Ending session 1844"
"DEBUG"	7316	"2017-04-28 10:17:18.257"	"Creating session 1846"
"TCPIP"	7316	"2017-04-28 10:17:18.257"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:18.257"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:18.304"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:18.304"	"TCP connection started for session 1845"
"POP3D"	7316	1845	"2017-04-28 10:17:18.304"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	7316	1845	"2017-04-28 10:17:18.711"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	7316	1845	"2017-04-28 10:17:18.711"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	9344	1845	"2017-04-28 10:17:19.132"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	9344	1845	"2017-04-28 10:17:19.132"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	7316	"2017-04-28 10:17:19.132"	"Ending session 1845"
"DEBUG"	7316	"2017-04-28 10:17:19.539"	"Creating session 1847"
"TCPIP"	7316	"2017-04-28 10:17:19.539"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:19.539"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:19.586"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:19.586"	"TCP connection started for session 1846"
"POP3D"	7316	1846	"2017-04-28 10:17:19.586"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	5424	1846	"2017-04-28 10:17:19.994"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	5424	1846	"2017-04-28 10:17:19.994"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	7316	1846	"2017-04-28 10:17:20.400"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	7316	1846	"2017-04-28 10:17:20.400"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	5424	"2017-04-28 10:17:20.400"	"Ending session 1846"
"DEBUG"	7316	"2017-04-28 10:17:20.806"	"Creating session 1848"
"TCPIP"	7316	"2017-04-28 10:17:20.806"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:20.806"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:20.853"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:20.869"	"TCP connection started for session 1847"
"POP3D"	7316	1847	"2017-04-28 10:17:20.869"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	5424	1847	"2017-04-28 10:17:21.275"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	5424	1847	"2017-04-28 10:17:21.275"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	7316	1847	"2017-04-28 10:17:21.681"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	7316	1847	"2017-04-28 10:17:21.681"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	5424	"2017-04-28 10:17:21.681"	"Ending session 1847"
"DEBUG"	7316	"2017-04-28 10:17:22.087"	"Creating session 1849"
"TCPIP"	7316	"2017-04-28 10:17:22.087"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:22.087"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:22.134"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:22.134"	"TCP connection started for session 1848"
"POP3D"	7316	1848	"2017-04-28 10:17:22.134"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	7316	1848	"2017-04-28 10:17:22.540"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	7316	1848	"2017-04-28 10:17:22.540"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	5424	1848	"2017-04-28 10:17:22.947"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	5424	1848	"2017-04-28 10:17:22.947"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	7316	"2017-04-28 10:17:22.947"	"Ending session 1848"
"DEBUG"	7316	"2017-04-28 10:17:23.369"	"Creating session 1850"
"TCPIP"	7316	"2017-04-28 10:17:23.369"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:23.369"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:23.415"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:23.415"	"TCP connection started for session 1849"
"POP3D"	7316	1849	"2017-04-28 10:17:23.415"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	9344	1849	"2017-04-28 10:17:23.822"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	9344	1849	"2017-04-28 10:17:23.822"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	5424	1849	"2017-04-28 10:17:24.244"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	5424	1849	"2017-04-28 10:17:24.244"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	9344	"2017-04-28 10:17:24.244"	"Ending session 1849"
"DEBUG"	7316	"2017-04-28 10:17:24.665"	"Creating session 1851"
"TCPIP"	7316	"2017-04-28 10:17:24.665"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:24.665"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:24.712"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:24.712"	"TCP connection started for session 1850"
"POP3D"	7316	1850	"2017-04-28 10:17:24.712"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	9344	1850	"2017-04-28 10:17:25.134"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	9344	1850	"2017-04-28 10:17:25.134"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	9344	1850	"2017-04-28 10:17:25.556"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	9344	1850	"2017-04-28 10:17:25.556"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	7316	"2017-04-28 10:17:25.556"	"Ending session 1850"
"DEBUG"	7316	"2017-04-28 10:17:25.962"	"Creating session 1852"
"TCPIP"	7316	"2017-04-28 10:17:25.962"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:25.962"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:26.009"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:26.009"	"TCP connection started for session 1851"
"POP3D"	7316	1851	"2017-04-28 10:17:26.009"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	9344	1851	"2017-04-28 10:17:26.415"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	9344	1851	"2017-04-28 10:17:26.415"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	5424	1851	"2017-04-28 10:17:26.822"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	5424	1851	"2017-04-28 10:17:26.822"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	9344	"2017-04-28 10:17:26.822"	"Ending session 1851"
"DEBUG"	7316	"2017-04-28 10:17:27.228"	"Creating session 1853"
"TCPIP"	7316	"2017-04-28 10:17:27.228"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:27.228"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:27.275"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:27.275"	"TCP connection started for session 1852"
"POP3D"	7316	1852	"2017-04-28 10:17:27.275"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	9344	1852	"2017-04-28 10:17:27.697"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	9344	1852	"2017-04-28 10:17:27.697"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	5424	1852	"2017-04-28 10:17:28.103"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	5424	1852	"2017-04-28 10:17:28.103"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	7316	"2017-04-28 10:17:28.103"	"Ending session 1852"
"DEBUG"	7316	"2017-04-28 10:17:28.103"	"The read operation failed. Bytes transferred: 0 Remote IP: 115.127.82.34, Session: 1830, Code: 10054, Message: An existing connection was forcibly closed by the remote host"
"DEBUG"	7316	"2017-04-28 10:17:28.103"	"Ending session 1830"
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
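
A sketch of the log file parser mattg mentions, as an added example that is not part of the original posts: it reads lines in the POP3D layout shown above and flags an address once several of its sessions send USER before STLS inside a short window. The threshold of 4, the 60 second window, the function names and the sample lines (constructed, using documentation addresses) are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of a protocol line in the excerpt above:
#   "TAG" <thread> <session> "<timestamp>" "<remote ip>" "<message>"
# DEBUG and TCPIP lines have no session or IP column and are skipped.
LINE_RE = re.compile(
    r'^"(?P<tag>[A-Z0-9]+)"\s+\d+\s+(?P<session>\d+)\s+'
    r'"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"\s*$'
)
TS_FORMAT = "%Y-%m-%d %H:%M:%S.%f"


def parse_line(line):
    """Return a dict for a protocol line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], TS_FORMAT)
    except ValueError:
        return None
    return {"tag": m["tag"], "session": m["session"], "ts": ts,
            "ip": m["ip"], "msg": m["msg"]}


def find_ban_candidates(lines, services=("POP3D",), threshold=4, window_seconds=60):
    """Map each offending IP to the time it reached `threshold` rejected sessions.

    A session counts once, when USER is answered with "-ERR STLS is required".
    The thread id changes within a session, so sessions are keyed on session id.
    """
    window = timedelta(seconds=window_seconds)
    pending_user = set()            # (tag, session) that sent USER in clear text
    rejected = defaultdict(deque)   # ip -> times of rejected sessions in the window
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["tag"] not in services:
            continue
        key = (ev["tag"], ev["session"])
        msg = ev["msg"]
        if msg.upper().startswith("RECEIVED: USER"):
            pending_user.add(key)
        elif msg.startswith("RECEIVED: QUIT"):
            pending_user.discard(key)
        elif msg.startswith("SENT: -ERR STLS is required") and key in pending_user:
            pending_user.discard(key)
            times = rejected[ev["ip"]]
            times.append(ev["ts"])
            while times and ev["ts"] - times[0] > window:
                times.popleft()
            if len(times) >= threshold and ev["ip"] not in flagged:
                flagged[ev["ip"]] = ev["ts"]
    return flagged


def constructed_sample():
    """Constructed lines in the layout of the excerpt (RFC 5737 addresses)."""
    def row(session, ts, ip, msg):
        stamp = ts.strftime(TS_FORMAT)[:-3]          # milliseconds, as in the log
        return f'"POP3D"\t7316\t{session}\t"{stamp}"\t"{ip}"\t"{msg}"'

    def session(number, start, ip):
        ms = lambda n: start + timedelta(milliseconds=n)
        return [row(number, ms(0), ip, "SENT: +OK POP3"),
                row(number, ms(400), ip, "RECEIVED: USER info"),
                row(number, ms(400), ip, "SENT: -ERR STLS is required."),
                row(number, ms(800), ip, "RECEIVED: QUIT")]

    t0 = datetime(2017, 4, 28, 10, 0, 0)
    lines = ['"DEBUG"\t7316\t"2017-04-28 10:00:00.000"\t"Executing event OnClientConnect"']
    for i in range(5):               # five rapid attempts from one address
        lines += session(100 + i, t0 + timedelta(milliseconds=1300 * i), "203.0.113.7")
    # a single rejected USER from a misconfigured client stays under the threshold
    lines += session(200, t0 + timedelta(seconds=2), "198.51.100.20")
    return lines


if __name__ == "__main__":
    for ip, when in find_ban_candidates(constructed_sample()).items():
        print(f"{ip} reached the threshold at {when}")
```
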


Post by SorenR » 2017-04-28 17:54

mattg wrote:Here's one now

Code: Select all

"TCPIP"	7316	"2017-04-28 10:17:07.532"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:07.532"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:07.578"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:07.578"	"TCP connection started for session 1830"
"POP3D"	7316	1830	"2017-04-28 10:17:07.578"	"115.127.82.34"	"SENT: +OK POP3"
"DEBUG"	7316	"2017-04-28 10:17:07.938"	"Creating session 1837"
"TCPIP"	7316	"2017-04-28 10:17:07.938"	"TCP - 115.127.82.34 connected to 192.168.0.220:110."
"DEBUG"	7316	"2017-04-28 10:17:07.938"	"Executing event OnClientConnect"
"DEBUG"	7316	"2017-04-28 10:17:08.000"	"Event completed"
"DEBUG"	7316	"2017-04-28 10:17:08.000"	"TCP connection started for session 1836"
"POP3D"	7316	1836	"2017-04-28 10:17:08.000"	"115.127.82.34"	"SENT: +OK POP3"
"POP3D"	7316	1836	"2017-04-28 10:17:08.410"	"115.127.82.34"	"RECEIVED: USER info"
"POP3D"	7316	1836	"2017-04-28 10:17:08.410"	"115.127.82.34"	"SENT: -ERR STLS is required."
"POP3D"	9344	1836	"2017-04-28 10:17:08.832"	"115.127.82.34"	"RECEIVED: QUIT"
"POP3D"	9344	1836	"2017-04-28 10:17:08.832"	"115.127.82.34"	"SENT: +OK POP3 server saying goodbye..."
"DEBUG"	7416	"2017-04-28 10:17:08.832"	"Ending session 1836"
My IDS code could possibly do it, but not alone...

What it does: the IDS code is triggered by OnClientConnect, where date/time/count/IP is stored in a SQLite DB. OnSMTPData will delete the record from the DB. If the record remains in the database, it will increment count up to 4 and then issue the AutoBan. If the last record of the IP is older than 30 minutes, count is reset to 1.
There can be no records in the DB older than 12 hours.

Problem here is there is no trigger to "confirm" a valid connection and if you compare SMTP, POP3 and IMAP connection frequency then IMAP is really taking off ...

It may be possible to set up a promiscuous mode packet sniffer using PowerShell and that way trigger a vbs script to call AutoBan ... Maybe ... :wink:
I don't know PowerShell that well.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
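
The counting rules described in the post above, modelled with Python's sqlite3 as an added example; this is not SorenR's IDS code, which the thread does not show. Banning when the count reaches 4 is one reading of the description, and the table, function names and replayed events are constructed; the last client in the replay is a POP3 poller, which never produces a confirming event and so hits the problem named in the post.

```python
import sqlite3
from datetime import datetime, timedelta

BAN_AT = 4                             # unconfirmed connections before a ban
RESET_AFTER = timedelta(minutes=30)    # quiet period that restarts the count
MAX_AGE = timedelta(hours=12)          # nothing older than this stays stored


class ConnectionTracker:
    def __init__(self, path=":memory:"):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS ids ("
            "ip TEXT PRIMARY KEY, hits INTEGER NOT NULL, last_seen TEXT NOT NULL)"
        )

    def on_client_connect(self, ip, now):
        """Count a connection; return True when the address should be banned."""
        stamp = now.isoformat(timespec="seconds")
        cutoff = (now - MAX_AGE).isoformat(timespec="seconds")
        with self.db:                  # one transaction per event
            self.db.execute("DELETE FROM ids WHERE last_seen < ?", (cutoff,))
            row = self.db.execute(
                "SELECT hits, last_seen FROM ids WHERE ip = ?", (ip,)
            ).fetchone()
            if row is None or now - datetime.fromisoformat(row[1]) > RESET_AFTER:
                hits = 1               # first sighting, or the address went quiet
            else:
                hits = min(row[0] + 1, BAN_AT)
            self.db.execute(
                "INSERT OR REPLACE INTO ids (ip, hits, last_seen) VALUES (?, ?, ?)",
                (ip, hits, stamp),
            )
        return hits >= BAN_AT

    def on_smtp_data(self, ip):
        """A message was handed over: the connection was a real delivery."""
        with self.db:
            self.db.execute("DELETE FROM ids WHERE ip = ?", (ip,))

    def tracked(self):
        return dict(self.db.execute("SELECT ip, hits FROM ids"))


def replay(events, tracker=None):
    """Feed (time, kind, ip) events to a tracker; return IPs in ban order."""
    if tracker is None:
        tracker = ConnectionTracker()
    banned = []
    for when, kind, ip in events:
        if kind == "connect":
            if tracker.on_client_connect(ip, when) and ip not in banned:
                banned.append(ip)
        elif kind == "data":
            tracker.on_smtp_data(ip)
    return banned


def constructed_events():
    """Constructed traffic (RFC 5737 addresses), sorted by time."""
    t0 = datetime(2017, 4, 28, 10, 0, 0)

    def at(minutes, seconds=0):
        return t0 + timedelta(minutes=minutes, seconds=seconds)

    events = []
    # prober: connects and quits, never reaches DATA
    events += [(at(n), "connect", "203.0.113.7") for n in (0, 1, 2, 3)]
    # real MTA: every connection ends in a delivery
    for n in (0, 10, 20, 30, 40, 50):
        events += [(at(n), "connect", "198.51.100.20"), (at(n, 5), "data", "198.51.100.20")]
    # slow scanner: 31 minute gaps reset the count each time
    events += [(at(n), "connect", "192.0.2.9") for n in (0, 31, 62, 93, 124)]
    # legitimate POP3 client polling every 5 minutes: no DATA event exists for POP3
    events += [(at(n), "connect", "198.51.100.77") for n in (0, 5, 10, 15)]
    return sorted(events)


if __name__ == "__main__":
    print(replay(constructed_events()))
```
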


Post by mattg » 2017-04-29 05:16

So I've had a play...
I'll have to amend it if any of my users travel internationally and check their mail.

Code: Select all

Private const g_sAdminPassword = "TopSecretPassword"                                     'CHANGE ME

Sub OnClientConnect(oClient)
	' Wait() is not defined in this post; it has to exist elsewhere in EventHandlers.vbs
	Dim a
	If oClient.Port = 25 Then
		Wait(20)
	Else 'oClient.port In (143,110,465,587,993,995)
		If Left(oClient.IPAddress, 10) <> "192.168.0." Then                                 'MY LAN IP range - change as needed
			a = RunCommandWithOutput("%comspec% /c nslookup -timeout=5 " & ReverseIP(oClient.IPAddress) & ".zz.countries.nerd.dk", 1, 0, "", 0, 1)
			' Keep everything from the first "127." onwards and strip the line breaks
			a = Right(a, Len(a) - InStr(a, "127.") + 1)
			a = Replace(a, Chr(010), "")
			a = Replace(a, Chr(013), "")
			a = Replace(a, vbCrLf, "")
			a = Replace(a, vbCr, "")
			a = Replace(a, vbLf, "")
			' Any other result, including a failed or timed-out lookup, is treated as overseas
			If a <> "127.0.0.36" Then                                 ' THIS IS AUSTRALIA change appropriately for your locale see >> http://countries.nerd.dk/isolist.txt
				EventLog.Write oClient.IPAddress & " - Is from Overseas, was banned"
				Call AutobanIP(oClient.IPAddress, 2)
				Wait(10)
				Result.Value = 1
			End If
		End If
	End If
End Sub

Function ReverseIP(Address)
	Dim a, x
	a = Split(Address,".")
	ReverseIP= a(3) & "." & a(2) & "." & a(1) & "." & a(0) 
End Function


Function RunCommandWithOutput (Command, Wait, Show, OutToFile, DeleteOutput, NoQuotes)
	'Run Command similar to the command prompt, for Wait use 1 or 0. Output returned and
	'stored in a file.
	'Command = The command line instruction you wish to run.
	'Wait = 1/0; 1 will wait for the command to finish before continuing.
	'Show = 1/0; 1 will show for the command window.
	'OutToFile = The file you wish to have the output recorded to.
	'DeleteOutput = 1/0; 1 deletes the output file. Output is still returned to variable.
	'NoQuotes = 1/0; 1 will skip wrapping the command with quotes, some commands wont work
	'                if you wrap them in quotes.
	'----------------------------------------------------------------------------------------
	Dim objFile, objShell, FSO, tMyOutput, tCommand, tOutToFile, twait, tshow
	
	dim oApp
	Set oApp = CreateObject("hMailServer.Application")
	' Give this script permission to access all
	' hMailServer settings.
	Call oApp.Authenticate("Administrator", g_sAdminPassword)              

	Set objShell = CreateObject("Wscript.Shell")
	Set FSO = CreateObject("Scripting.FileSystemObject")
	'VARIABLES
	If Len("" & OutToFile) = 0 Then
		OutToFile = oApp.Settings.Directories.TempDirectory & "\temp_" & Abs(CLng("&h" & Mid(CreateObject("Scriptlet.TypeLib").Guid, 28, 8) )) & ".txt"
		DeleteOutput = 1
	End If
	tCommand = Command
	If Left(Command,1)<>"""" And NoQuotes <> 1 Then tCommand = """" & tCommand & """"
	tOutToFile = OutToFile
	If Left(OutToFile,1)<>"""" Then tOutToFile = """" & OutToFile & """"
	If Wait = 1 Then tWait = True
	If Wait <> 1 Then tWait = False
	If Show = 1 Then tShow = 1
	If Show <> 1 Then tShow = 0
	'RUN PROGRAM
	objShell.Run tCommand & ">" & tOutToFile, tShow, tWait
	'READ OUTPUT FOR RETURN
	Set objFile = FSO.OpenTextFile(OutToFile, 1)
	If Not objFile.AtEndOfStream Then
		tMyOutput = objFile.ReadAll
	End If
	objFile.Close
	Set objFile = Nothing
	'DELETE FILE AND FINISH FUNCTION
	If DeleteOutput = 1 Then
		Set objFile = FSO.GetFile(OutToFile)
		objFile.Delete
		Set objFile = Nothing
	End If
	RunCommandWithOutput = tMyOutput
	If Err.Number <> 0 Then RunCommandWithOutput = "<0>"
	Err.Clear
	On Error Goto 0
	Set objFile = Nothing
	Set objShell = Nothing
End Function

Sub AutobanIP(IPAddress, NumberOfDays)
	Dim oApp
	Set oApp = CreateObject("hMailServer.Application")

' 		Give this script permission to access all
' 		hMailServer settings.
	Call oApp.Authenticate("Administrator", g_sAdminPassword)

	Dim oSecurityRange, i, ToAdd
	ToAdd = True
	For i = 0 To oApp.Settings.SecurityRanges.Count -1
		If IPAddress = oApp.Settings.SecurityRanges.Item(i).LowerIP Then ToAdd = False
	Next
	If ToAdd  = True Then
		Set oSecurityRange = oApp.Settings.SecurityRanges.Add()
		With oSecurityRange
			.lowerip = ipaddress
			.upperip = ipaddress
			.priority = 20
			.allowdeliveryfromlocaltolocal = False
			.allowdeliveryfromlocaltoremote = False
			.allowdeliveryfromremotetolocal = False
			.allowdeliveryfromremotetoremote = False
			.allowimapconnections = False
			.allowsmtpconnections = False
			.allowpop3connections = False
			.expires = True
			.ExpiresTime = DateAdd("d", NumberOfDays, Now())
			.name = "script " & IPAddress & " - banned for " & NumberOfDays & " days"
			.save
		End With
	End If
End Sub
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by SorenR » 2017-04-29 14:06

Mattg ... You'll still have a problem with banning concurrent connections ... Had the same problem myself so I did a compare to my scripting - and changed yours slightly :mrgreen:

There are a few external programs you need to get and install ...

Never leave home without it:
- System Scripting Runtime COM object ("SScripting.IPNetwork")
- http://www.netal.com/ssr.htm
- http://www.netal.com/software/ssr15.zip

CPorts will force disconnect a TCPIP connection. I have seen persistent connections ignoring hMailServer.
- http://www.nirsoft.net/utils/cports.html

Also... I found that when adding a new SecurityRange, all fields are blank.

Code: Select all

Option Explicit

   ' COM authentication
   Private Const ADMIN = "Administrator"
   Private Const PASSWORD = "Contraseña muy secreta"

   Sub OnClientConnect(oClient)
      If (oClient.Port = 25) Then
         Wait(20)
      Else                                                           ' oClient.port In (143,110,465,587,993,995) 
         If (Left(oClient.IPAddress, 10) = "192.168.0.") Then        ' MY LAN IP range - change as needed

            ' ZZZZzzz zzz zzzZZ ZZZ

         Else
            If NerdLookup(oClient.IPAddress) <> "36" Then            ' THIS IS AUSTRALIA change appropriately for your locale see >> http://countries.nerd.dk/isolist.txt
               EventLog.Write oclient.ipaddress & " - Is from Overseas, was banned"
               Call AutoBan(oClient.IPAddress, "Banned by NerdLookup", 2, "d")
               Result.value = 1
            End If
         End If
      End If   
   End Sub

   '
   ' System Scripting Runtime COM object ("SScripting.IPNetwork")
   ' http://www.netal.com/ssr.htm
   ' Binary -> http://www.netal.com/software/ssr15.zip
   '
   Function NerdLookup(strIP)
      Dim a
      a = Split(strIP, ".")
      With CreateObject("SScripting.IPNetwork")
         strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
      End With
      a = Split(strIP, ".")
      NerdLookup = CStr(a(2)*256 + a(3))                             ' ISO 3166 code
   End Function

   Function Wait(sec)
      With CreateObject("WScript.Shell")
         .Run "timeout /T " & Int(sec), 0, True
'        .Run "sleep -m " & Int(sec * 1000), 0, True
'        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
      End With
   End Function

   Function LockFile(strPath)
      Const Append = 8
      Const Unicode = -1
      Dim oFile, i, lErr, sErrSource, sErrDescription
      With CreateObject("Scripting.FileSystemObject")
         For i = 0 To 30
            On Error Resume Next
            Set oFile = .OpenTextFile(strPath, Append, True, Unicode)
            ' Keep the error details: On Error Goto 0 below resets Err
            lErr = Err.Number
            sErrSource = Err.Source
            sErrDescription = Err.Description
            On Error Goto 0
            If (lErr = 0) Then Set LockFile = oFile
            If (lErr <> 70) Then Exit For                            ' 70 = permission denied, file is still locked
            Wait(1)
         Next
      End With
      Set oFile = Nothing
      If (lErr = 70) Then
         EventLog.Write("ERROR: EventHandlers.vbs")
         EventLog.Write("File " & strPath & " is locked and timeout was exceeded.")
      ElseIf (lErr <> 0) Then
         EventLog.Write("ERROR: EventHandlers.vbs : Function LockFile")
         EventLog.Write("Error       : " & lErr)
         EventLog.Write("Error (hex) : 0x" & Hex(lErr))
         EventLog.Write("Source      : " & sErrSource)
         EventLog.Write("Description : " & sErrDescription)
      End If
   End Function

   '
   ' sType can be one of the following;
   ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
   '
   ' CPorts -> http://www.nirsoft.net/utils/cports.html
   '
   Sub AutoBan(sIPAddress, sReason, iDuration, sType)
      Dim oApp : Set oApp = CreateObject("hMailServer.Application")
      Call oApp.Authenticate(ADMIN, PASSWORD)
      With LockFile("c:\hmailserver\temp\autoban.lck")
         On Error Resume Next
         oApp.Settings.SecurityRanges.Refresh
         If (oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing) Then
            With oApp.Settings.SecurityRanges.Add
               .Name = "(" & sReason & ") " & sIPAddress
               .LowerIP = sIPAddress
               .UpperIP = sIPAddress
               .Priority = 20
               .Expires = True
               .ExpiresTime = DateAdd(sType, iDuration, Now())
               .Save
            End With
         End If
         On Error Goto 0
         .Close
      End With
      With CreateObject("WScript.Shell")
         .Run "CPorts /close * * " & sIPAddress & " *", 0, True
      End With
   End Sub
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.


Post by SorenR » 2017-04-29 23:45

Just thinking out loud :mrgreen:

Code: Select all

   Sub OnClientConnect(oClient)
      Dim strRegEx, strISO3166

      '
      ' Only test SMTP traffic
      ' (pattern is anchored so that e.g. port 1025 does not match 25)
      '
      strRegEx = "^(25|587|465)$"
      If Lookup(strRegEx, oClient.Port) Then
         If (oClient.Port = 25) Then 
            Wait(20)
         Else

            '
            ' Test for ISO 3166
            ' https://www.iso.org/obp/ui/#search/code/
            '
            ' 208 = Denmark, 999 = Unknown
            ' (anchored so that a shorter code cannot match inside a longer one)
            '
            strISO3166 = NerdLookup(oClient.IPAddress)
            strRegEx = "^(208|999)$"
            If Not Lookup(strRegEx, strISO3166) Then
               Eventlog.Write("Connection denied " & oClient.IPAddress)
               Result.Value = 1
               Exit Sub
            End If
         End If
      End If
   End Sub

   Function Wait(sec)
      With CreateObject("WScript.Shell")
         .Run "timeout /T " & Int(sec), 0, True
'        .Run "sleep -m " & Int(sec * 1000), 0, True
'        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
      End With
   End Function

   Function Lookup(strRegEx, strMatch)
      With CreateObject("VBScript.RegExp")
         .Global = False
         .Pattern = strRegEx
         .IgnoreCase = True
         If .Test(strMatch) Then
            Lookup = True
         Else
            Lookup = False
         End If
      End With
   End Function

   '
   ' System Scripting Runtime COM object ("SScripting.IPNetwork")
   ' http://www.netal.com/ssr.htm
   ' Binary -> http://www.netal.com/software/ssr15.zip
   '
   ' http://countries.nerd.dk/isolist.txt
   '
   Function NerdLookup(strIP)
      Dim a
      a = Split(strIP, ".")
      With CreateObject("SScripting.IPNetwork")
         strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
      End With
      If strIP = "" Then
         NerdLookup = "999" ' Oops, could not find anything or private IP Address.
      Else
         a = Split(strIP, ".")
         NerdLookup = CStr(a(2)*256 + a(3))
      End If
   End Function
SørenR.

mattg
Moderator
Posts: 19460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam attacks? Do you think you are hard done to?

Post by mattg » 2017-04-30 02:03

SorenR wrote:Mattg ... You'll still have a problem with banning concurrent connections ...
I thought that I'd fixed that with the GUID in the file name - making it unique

Code: Select all

OutToFile = oApp.Settings.Directories.TempDirectory & "\temp_" & Abs(CLng("&h" & Mid(CreateObject("Scriptlet.TypeLib").Guid, 28, 8) )) & ".txt"
Also, I deliberately didn't just get the last stanza of the Nerd.dk response as some of the responses don't have a 0 second from the end

I'm going to have a good look at the ssr though, that's what I was looking for I think. Thanks
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-04-30 11:03

The problem with banning concurrent connections is that in most cases the hMailServer COM object will throw an exception and break script processing. You'll end up with a lot of errorlog files and spammers escape banning. The worst I have seen was 3 mails from same source within 1 microsecond going on every 10 minutes for almost 2 hours.
SørenR.

RvdH
Senior user
Posts: 634
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Spam attacks? Do you think you are hard done to?

Post by RvdH » 2017-05-14 09:29

Inspired by SorenR's usage of System Scripting Runtime COM object ("SScripting.IPNetwork") I created a function to hold/ban connections made from compromised systems using the all.bl.blocklist.de DNSBL, http://www.blocklist.de/en/rbldns.html

Code: Select all

Function IsAuthHacker(strIP)
	Dim a : a = Split(strIP, ".")
	With CreateObject("SScripting.IPNetwork")
		strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".all.bl.blocklist.de")
	End With
	
	REM http://www.blocklist.de/en/rbldns.html
	Dim strRegEx : strRegEx = "^(127\.0\.0\.)(7|9|10|13|16|18|19)$"
	If Lookup(strRegEx, strIP) Then
		IsAuthHacker = True
	Else
		IsAuthHacker = False
	End if
End Function

Function Lookup(strRegEx, strMatch)
	With CreateObject("VBScript.RegExp")
		.Global = False
		.Pattern = strRegEx
		.IgnoreCase = True
		If .Test(strMatch) Then
			Lookup = True
		Else
			Lookup = False
		End If
	End With
End Function

Code: Select all

Sub OnClientConnect(oClient)

	
	If IsAuthHacker(oClient.IPAddress) Then
'
' Auth hacker detection
'
		Result.Value = 1
		Call AutoBan(oClient.IPAddress, "all.bl.blocklist.de (" & oClient.Port & ")", 2, "h")
		Exit Sub
	End If	
End Sub
It looks pretty effective :wink:
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup
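
The lookups posted above (zz.countries.nerd.dk and all.bl.blocklist.de) index a(3) straight after Split(strIP, "."); as an added example that is not part of any post in this thread, here is the same query and decode with the input validated first. The function names are hypothetical, DNSLookup is assumed to return "" when there is no answer (as NerdLookup above expects), and the addresses are constructed samples.

```vbscript
' Added example (hypothetical function names); not code from the thread.
Option Explicit
' True only for a decimal octet 0..255. IsNumeric is avoided because it
' also accepts forms such as "1e2".
Function IsOctet(s)
   Dim i
   IsOctet = False
   If Len(s) < 1 Or Len(s) > 3 Then Exit Function
   For i = 1 To Len(s)
      If InStr("0123456789", Mid(s, i, 1)) = 0 Then Exit Function
   Next
   IsOctet = (CLng(s) <= 255)
End Function

' Build the reversed-octet query name, or "" when strIP is not an IPv4 dotted
' quad (an IPv6 address would raise "Subscript out of range" at a(3)).
Function DnsblQueryName(strIP, strZone)
   Dim a, i
   DnsblQueryName = ""
   a = Split(strIP, ".")
   If UBound(a) <> 3 Then Exit Function
   For i = 0 To 3
      If Not IsOctet(a(i)) Then Exit Function
   Next
   DnsblQueryName = a(3) & "." & a(2) & "." & a(1) & "." & a(0) & "." & strZone
End Function

' Look the name up (assumes "" means no answer); errors count as no answer.
Function DnsblAnswer(strIP, strZone)
   Dim q
   DnsblAnswer = ""
   q = DnsblQueryName(strIP, strZone)
   If q = "" Then Exit Function
   On Error Resume Next
   DnsblAnswer = CreateObject("SScripting.IPNetwork").DNSLookup(q)
   If Err.Number <> 0 Then DnsblAnswer = ""
   On Error Goto 0
End Function

' Decode a zz.countries.nerd.dk answer 127.0.x.y into x*256 + y,
' or "999" (unknown) when the answer is empty or not in that form.
Function NerdCountry(strAnswer)
   Dim a
   NerdCountry = "999"
   a = Split(strAnswer, ".")
   If UBound(a) <> 3 Then Exit Function
   If a(0) <> "127" Or a(1) <> "0" Then Exit Function
   If Not IsOctet(a(2)) Or Not IsOctet(a(3)) Then Exit Function
   NerdCountry = CStr(CLng(a(2)) * 256 + CLng(a(3)))
End Function

' Offline check with constructed values (run with cscript; no DNS needed).
WScript.Echo DnsblQueryName("192.0.2.10", "all.bl.blocklist.de") & " [" & DnsblQueryName("2001:db8::1", "all.bl.blocklist.de") & "]"
WScript.Echo NerdCountry("127.0.0.208") & " " & NerdCountry("127.0.3.72") & " " & NerdCountry("")
```

A failed or empty lookup decodes to 999, which the 208/999 test in SorenR's OnClientConnect lets through, so a DNS outage fails open rather than locking users out.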

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-05-15 12:31

Hmm...

From 23:30 last night until 12:00 today I have 114 registered connections to my server (OnClientConnect) and of these, 9 tagged as 127.0.0.9 (mail) ...

Comparable in the same timespan my SnowShoe SPAM check found 28 connection attempts ...

26 emails in total of which 5 are tagged as SPAM by SpamAssassin.

2 IP addresses have been banned by AutoBan, one for having an unwanted HELO string ( :twisted: ) and one by my IDS system.

The Internet is abnormally quiet today :mrgreen: Wonder why ?? *cough* *cough* :mrgreen:

Code: Select all

   '
   ' System Scripting Runtime COM object ("SScripting.IPNetwork")
   ' http://www.netal.com/ssr.htm
   ' Binary -> http://www.netal.com/software/ssr15.zip
   '
   Function IsSnowShoe(strIP)
      Dim a
      a = Split(strIP, ".")
      With CreateObject("SScripting.IPNetwork")
         strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".sbl.spamhaus.org")
      End With
      If (strIP = "127.0.0.3") Then
         IsSnowShoe = True
      Else
         IsSnowShoe = False
      End If
   End Function

Code: Select all

      '
      ' SnowShoe SPAM detection
      '
      If IsSnowShoe(oClient.IPAddress) Then
         Result.Value = 2
         Result.Message = "5.7.1 CODE01 Your access to this mail system has been rejected due to "  &_
                          "the sending MTA's poor reputation. If you believe that this failure is " &_
                          "in error, please contact the intended recipient via alternate means."
         Exit Sub
      End If
https://www.spamhaus.org/news/article/641?article=641
SørenR.

RvdH
Senior user
Posts: 634
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Spam attacks? Do you think you are hard done to?

Post by RvdH » 2017-05-15 13:40

You have that one in OnSMTPData?

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-05-15 14:07

RvdH wrote:You have that one in OnSMTPData?
No, OnAcceptMessage(oClient, oMessage)...

Only my IDS code uses OnClientConnect and OnSMTPData, everything else I do is placed in either OnHELO or OnAcceptMessage.

Besides "manually" SPAMListing some emails, I have 7 other checks that cut further communication by forcing a Result.Value = 2 and for some of them even banning the IP address.
SørenR.

mattg
Moderator
Posts: 19460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam attacks? Do you think you are hard done to?

Post by mattg » 2017-06-04 01:09

For about five weeks, I've not changed my settings

I am autobanning POP3 and IMAP attempts from countries other than Australia (my country)
I am autobanning SMTP connections where they use either my public IP address or 'ylmf-pc' as the EHLO

My list of autobanned IP addresses has been sitting steady at about 200 for all of that time - today it is 35.
I suspect that the spammers have changed what they are doing again...

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-06-04 01:48

I have some weird thing from Vietnam now on year 2... Simply banning everything HELO/EHLO ending on ".vn" fixes that problem. Been steady so far.
My IDS system is going haywire, 12 hosts vs. 2-3 hosts. Also right now I have a few banned where HELO/EHLO is "User" or "Localhost".
SørenR.

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-06-05 13:32

Now I understand what you mean....

Since 21:00 on June 2. my server has processed 2 (TWO :shock: ) SPAM mails, one tagged by SpamAssassin and one tagged by my own ruleset -> body or subject containing "iphone %number%".

Last night I introduced what you are using - any port != 25, outside Denmark is killed and banned... WOW... I never knew that I had that many users using IMAP outside Denmark :mrgreen:

I will be fine-tuning the procedure for the next couple of days...

I get the problem with users abroad but I have webmail - and anyways, since US and to some extent also UK are starting to claim your userid's and passwords of your devices when entering their countries it's unsafe to BYOD ...

I hear from security services that IF you are going on holiday in the US, you should buy a new phone stripped of EVERYTHING as customs (and NSA/CIA/FBI/...) will go through it - once inside you can restore a backup from your preferred cloudservice :mrgreen: 8)

Oh and if you refuse to provide passwords you will be sat on a plane home :roll:

I'm more concerned about business trips... What to do ? Chromebook and Citrix over Internet ?

http://www.businessinsider.com/can-us-b ... &IR=T&IR=T
SørenR.

mattg
Moderator
Posts: 19460
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Spam attacks? Do you think you are hard done to?

Post by mattg » 2017-06-05 13:46

mattg wrote:My list of autobanned IP addresses has been sitting steady at about 200 for all of that time - today it is 35.
24 hours later and it is down to 18, most of the rest set to expire in next 24 hours, they were 14 day bans.

Looks like only one added today... attempted IMAP connection from the University Of Michigan College Of Engineering :roll:

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-06-05 16:39

https://securelist.com/78221/spam-and-p ... n-q1-2017/

https://www.spamcop.net/spamgraph.shtml?spammonth

https://www.spamhaus.org/statistics/spammers/

Bummer, 7 of the TOP 10 WORST SPAMMERS are AMERICAN !

They should keep it to themselves ... as Trump proclaims; "America First !" ...
SørenR.

jim.bus
Normal user
Posts: 142
Joined: 2011-05-28 11:49
Location: US

Re: Spam attacks? Do you think you are hard done to?

Post by jim.bus » 2017-06-06 09:28

SorenR,

What I am reading about the Cell Phone issues travelling into the US where I live is that they are trying to do the same thing with searching your cell phone even for US Citizens. This should be a US Constitution 4th Amendment violation and 5th Amendment violation but as I understand it, US Customs Border Patrol believes it has authority to search and detain just about anyone, US Citizen or not, but get this it appears it is US Customs Border Patrol which determines it has this right. It hasn't actually to my knowledge been tested yet in court or at least not definitively.

If it proves to be something courts will allow, as it stands now, my understanding is US Customs Border Patrol maintains it has authority within 100 air miles of a Port Of Entry. 70% of US Residents live within 100 air miles of a Port Of Entry. Ports of Entries include airports for instance. This means as per reports I've read that US Customs Border Patrol maintains it has the right to search without Warrant anyone within the 100 air miles of their jurisdiction whether or not you've actually left the US and returned. Again my understanding according to reports I've read indicate they maintain they can do this as part of investigating any illegals which, for instance, you (a US Citizen) may be harboring.

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-06-06 13:07

jim.bus wrote:SorenR,

What I am reading about the Cell Phone issues travelling into the US where I live is that they are trying to do the same thing with searching your cell phone even for US Citizens. This should be a US Constitution 4th Amendment violation and 5th Amendment violation but as I understand it, US Customs Border Patrol believes it has authority to search and detain just about anyone, US Citizen or not, but get this it appears it is US Customs Border Patrol which determines it has this right. It hasn't actually to my knowledge been tested yet in court or at least not definitively.

If it proves to be something courts will allow, as it stands now, my understanding is US Customs Border Patrol maintains it has authority within 100 air miles of a Port Of Entry. 70% of US Residents live within 100 air miles of a Port Of Entry. Ports of Entries include airports for instance. This means as per reports I've read that US Customs Border Patrol maintains it has the right to search without Warrant anyone within the 100 air miles of their jurisdiction whether or not you've actually left the US and returned. Again my understanding according to reports I've read indicate they maintain they can do this as part of investigating any illegals which, for instance, you (a US Citizen) may be harboring.
My "rant" against US immigration/NSA/Customs was meant as a reminder that you can do a lot with webservices, you don't need to BYOD and risk having Customs go ape over the nude pics of your wife and her younger sister on your phone ;-)
SørenR.

jim.bus
Normal user
Posts: 142
Joined: 2011-05-28 11:49
Location: US

Re: Spam attacks? Do you think you are hard done to?

Post by jim.bus » 2017-06-06 22:16

SorenR,
My "rant" against US immigration/NSA/Customs was meant as a reminder that you can do a lot with webservices, you don't need to BYOD and risk having Customs go ape over the nude pics of your wife and her younger sister on your phone ;-)
Point taken but I equally was ranting/venting my views on the US Customs and Border Patrol which I feel is overstepping its bounds as do some of our legislators from accounts I've read. Plus I thought others might find it interesting to know about the information I found out on the subject as well.

SorenR
Senior user
Posts: 2835
Joined: 2006-08-21 15:38
Location: Denmark

Re: Spam attacks? Do you think you are hard done to?

Post by SorenR » 2017-06-07 00:27

jim.bus wrote:Point taken but I equally was ranting/venting my views on the US Customs and Border Patrol which I feel is overstepping its bounds as do some of our legislators from accounts I've read. Plus I thought others might find it interesting to know about the information I found out on the subject as well.
I experienced the wrath of US customs back in 2006, my destination was Carlsbad CA. from Copenhagen, Denmark. Well I got there OK but without my suitcase - it magically arrived the next day - in a magnum size clear plastic bag. Had to go buy a new Samsonite as Customs broke it open 'cause it was LOCKED - idiots. My f'ing favorite suitcase that had followed me on almost 2 million miles from Helsinki to Buenos Aires and from Boston to Sydney. 42 countries in 12 months. :evil:
SørenR.
