IMAP "attack" by a very slow bot-net

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.
SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-06 00:14

In the wake of the reduced SPAM activities, I have seen a rising number of AutoBans on my users.

While investigating, I implemented a simple lock. I'm in Denmark, my family is in Denmark, my Server is in Denmark. ERGO... I only allow Danish IP address access.

Well, with modifications. Port 25 SMTP I have set in hmailserver.ini to NOT allow login, so this is safe for everyone to use... PLUS I should be able to receive emails from the rest of the world :wink:

While trolling the 'net for similar observations I came across this one. Different OS and different server but SIMILAR problem!

https://steve.tty.org.uk/2017/05/08/a-v ... w-bot-net/

My initial observations:
1- The same IP address connects every 20-ish minutes
2- Try 1: IMAP login <user>@<domain>
3- Try 2: IMAP login <user>
4- IPAddress may try different users from "session to session"
5- Different IPAddresses from all over the globe may try the same <user>
6- Since it is a low frequency connection, it is difficult for AutoBan to catch the problem, so they can try forever ... :shock:


There are two Quick-Fixes to the problem.

1: hMailAdmin: Enable Auto-Ban.
Max invalid logon: 1 (maybe 2 if you are a kind person)
Minutes before reset: 1440
Minutes to auto-ban: 10080

This will slowly start to fill up your Auto-Ban list ... :roll:

2: My own Quick-Fix "bolt on the door"

Code:

   Sub OnClientConnect(oClient)
      '
      ' Exclude local LAN from test
      '
      If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub

      '
      ' Only allow login from DK (208)
      ' Lookup appropriate code here -> https://www.iso.org/obp/ui/
      '
      ' 999 is the "lookup failed" sentinel from NerdLookup, so an address that
      ' does not resolve is let through (fail-open); drop it from the pattern to
      ' fail closed. The pattern is anchored so "208" cannot match inside another code.
      '
      Dim strRegEx : strRegEx = "^(999|208)$"
      If (oClient.Port <> 25) Then
         If Not Lookup(strRegEx, NerdLookup(oClient.IPAddress)) Then
            Result.Value = 1   ' 1 = disconnect the client
            Exit Sub
         End If
      End If
   End Sub

   '
   ' System Scripting Runtime COM object ("SScripting.IPNetwork")
   ' http://www.netal.com/ssr.htm
   ' Binary -> http://www.netal.com/software/ssr15.zip
   '
   ' http://countries.nerd.dk/isolist.txt
   '
   ' The zone is queried DNSBL-style (octets reversed) and answers 127.0.x.y,
   ' where x*256+y is the ISO 3166 numeric country code. Note that a reply can
   ' carry more than one A record and that 127.0.255.1 (65281) means "eu";
   ' this function only sees whatever DNSLookup hands back.
   '
   Function NerdLookup(strIP)
      Dim a
      a = Split(strIP, ".")
      If (UBound(a) <> 3) Then
         NerdLookup = "999"   ' not a dotted IPv4 address (e.g. an IPv6 client)
         Exit Function
      End If
      With CreateObject("SScripting.IPNetwork")
         strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
      End With
      If strIP = "" Then
         NerdLookup = "999"
      Else
         a = Split(strIP, ".")
         NerdLookup = CStr(a(2)*256 + a(3))
      End If
   End Function

   Function Lookup(strRegEx, strMatch)
      With CreateObject("VBScript.RegExp")
         .Global = False
         .Pattern = strRegEx
         .IgnoreCase = True
         Lookup = .Test(strMatch)
      End With
   End Function
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
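
The pattern listed in the post (same source every 20-ish minutes, two tries, many sources per mailbox) is what defeats per-IP counting with a short reset window. The detector below is an added example, not code from the thread or from hMailServer: it runs over constructed failed-login lines in a simplified "date time ip user" layout (not hMailServer's real log format; the addresses are taken from the event log later in the thread, the mailbox names are made up) and shows both the per-source count with a 30-minute versus a 1440-minute window, and a per-target count that a per-IP ban list cannot provide.

```python
"""Low-and-slow IMAP login-failure detector (added example, not from the thread)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per failed IMAP LOGIN, "date time ip user".
# Try 1 uses user@domain, try 2 the bare user, as described in the post.
FAILED_LOGINS = """\
2017-06-05 23:24:58 91.195.103.44 alice@example.dk
2017-06-05 23:25:02 91.195.103.44 alice
2017-06-05 23:52:40 58.242.102.155 alice@example.dk
2017-06-06 00:06:38 221.3.189.234 alice@example.dk
2017-06-06 01:04:42 218.22.135.190 bob@example.dk
2017-06-06 19:30:00 91.195.103.44 bob@example.dk
2017-06-07 10:00:00 5.188.11.11 carol@example.dk
"""


def at(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse(text):
    """Return [(timestamp, ip, mailbox)]; 'user@domain' and 'user' are folded
    onto the same mailbox name so both tries count against one target."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, ip, user = line.split()
        records.append((at(f"{date} {time}"), ip, user.split("@", 1)[0].lower()))
    return records


def in_window(records, now, minutes):
    start = now - timedelta(minutes=minutes)
    return [r for r in records if start <= r[0] <= now]


def ban_candidates(records, now, reset_minutes, max_fails):
    """Per-source counting, i.e. what Auto-ban does: an IP is flagged once it
    has max_fails failures inside the trailing reset window."""
    fails = defaultdict(int)
    for _, ip, _ in in_window(records, now, reset_minutes):
        fails[ip] += 1
    return {ip for ip, n in fails.items() if n >= max_fails}


def sprayed_mailboxes(records, now, window_minutes, min_sources):
    """Per-target counting: a mailbox tried from min_sources or more distinct
    addresses inside the window, which no per-IP counter can see."""
    sources = defaultdict(set)
    for _, ip, user in in_window(records, now, window_minutes):
        sources[user].add(ip)
    return {u: ips for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    recs = parse(FAILED_LOGINS)
    now = at("2017-06-06 20:00:00")
    print("30 min window :", ban_candidates(recs, now, 30, 2))
    print("1440 min window:", ban_candidates(recs, now, 1440, 2))
    print("sprayed        :", sprayed_mailboxes(recs, now, 1440, 3))
```

With the 30-minute window nothing is flagged, because the same source never fails twice inside it; with the 1440-minute window from the post, 91.195.103.44 reaches the threshold, and the per-target view shows alice being tried from three different addresses, which is the case the post's observation 5 describes.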

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-06 11:48

Further to my findings - almost 12 hours of harvesting :wink:

OK, so my "Quick-Fix" got expanded with logging capabilities :mrgreen:

Code:

3288    "2017-06-05 23:24:58.694"       "IMAPS  91.195.103.44   EU      Russian Federation"
2748    "2017-06-05 23:27:13.086"       "IMAPS  5.188.11.11     EU      Russian Federation"
2748    "2017-06-05 23:52:40.950"       "IMAPS  58.242.102.155  AS      China"
2748    "2017-06-05 23:56:14.171"       "IMAPS  88.43.218.170   EU      Italy"
2748    "2017-06-06 00:06:38.257"       "IMAPS  221.3.189.234   AS      China"
2748    "2017-06-06 00:43:57.302"       "IMAPS  221.228.242.13  AS      China"
2748    "2017-06-06 00:48:33.899"       "IMAPS  42.115.2.162    AS      Vietnam"
2748    "2017-06-06 01:04:42.708"       "IMAPS  218.22.135.190  AS      China"
2748    "2017-06-06 01:14:44.169"       "IMAPS  14.205.4.52     AS      China"
2748    "2017-06-06 01:20:01.564"       "IMAPS  103.217.88.34   AS      India"
2748    "2017-06-06 01:26:16.600"       "IMAPS  210.82.28.41    AS      China"
2748    "2017-06-06 01:46:30.006"       "IMAPS  60.212.42.56    AS      China"
2748    "2017-06-06 01:50:28.274"       "IMAPS  111.206.163.56  AS      China"
2748    "2017-06-06 01:56:23.826"       "IMAPS  119.10.67.232   AS      China"
2748    "2017-06-06 01:59:53.422"       "IMAPS  61.185.242.195  AS      China"
2748    "2017-06-06 02:04:08.332"       "IMAPS  218.106.153.152 AS      China"
2748    "2017-06-06 03:11:16.118"       "IMAPS  222.191.233.238 AS      China"
2748    "2017-06-06 03:15:19.605"       "IMAPS  211.118.26.122  AS      Korea, Republic of"
2748    "2017-06-06 03:17:38.920"       "IMAPS  218.29.6.9      AS      China"
2748    "2017-06-06 03:37:17.732"       "IMAPS  125.89.129.82   AS      China"
344     "2017-06-06 03:40:38.281"       "IMAPS  114.69.233.82   AS      India"
344     "2017-06-06 03:42:32.204"       "IMAPS  222.101.93.2    AS      Korea, Republic of"
3976    "2017-06-06 05:02:13.969"       "IMAPS  60.173.114.254  AS      China"
3976    "2017-06-06 05:08:36.224"       "IMAPS  59.48.100.222   AS      China"
3976    "2017-06-06 05:11:04.132"       "IMAPS  61.136.93.122   AS      China"
3976    "2017-06-06 05:52:27.632"       "IMAPS  60.30.5.5       AS      China"
3976    "2017-06-06 05:54:55.228"       "IMAPS  61.136.82.164   AS      China"
3976    "2017-06-06 06:11:19.131"       "IMAPS  222.175.49.22   AS      China"
3976    "2017-06-06 06:15:36.166"       "IMAPS  118.182.212.231 AS      China"
3976    "2017-06-06 06:28:37.051"       "IMAPS  119.254.80.142  AS      China"
3976    "2017-06-06 06:36:46.994"       "IMAPS  111.75.162.114  AS      China"
3976    "2017-06-06 06:41:38.092"       "IMAPS  61.53.66.4      AS      China"
3976    "2017-06-06 07:09:11.660"       "IMAPS  123.160.246.27  AS      China"
3976    "2017-06-06 07:11:19.599"       "IMAPS  222.172.14.124  AS      China"
3976    "2017-06-06 07:13:48.585"       "IMAPS  175.44.132.171  AS      China"
3976    "2017-06-06 07:16:57.806"       "IMAPS  121.28.82.194   AS      China"
3976    "2017-06-06 07:20:48.263"       "IMAPS  218.108.16.154  AS      China"
3976    "2017-06-06 07:34:19.007"       "IMAPS  60.173.79.120   AS      China"
3976    "2017-06-06 07:36:37.587"       "IMAPS  220.180.21.251  AS      China"
3976    "2017-06-06 07:51:30.880"       "IMAPS  222.242.107.7   AS      China"
3976    "2017-06-06 07:57:27.494"       "IMAPS  92.42.13.16     EU      Russian Federation"
3976    "2017-06-06 08:20:07.824"       "IMAPS  206.219.17.55   AS      Korea, Republic of"
3976    "2017-06-06 08:21:51.356"       "IMAPS  212.154.161.148 AS      Kazakhstan"
3976    "2017-06-06 08:25:06.093"       "IMAPS  95.181.179.186  EU      Russian Federation"
4028    "2017-06-06 09:08:21.611"       "IMAPS  188.234.219.143 EU      Russian Federation"
4028    "2017-06-06 09:11:21.691"       "IMAPS  200.68.59.84    SA      Chile"
4028    "2017-06-06 09:13:32.224"       "IMAPS  222.189.41.46   AS      China"
4028    "2017-06-06 09:22:48.372"       "IMAPS  61.138.246.86   AS      China"
4028    "2017-06-06 09:26:15.968"       "IMAPS  195.208.166.170 EU      Russian Federation"
4028    "2017-06-06 09:29:18.830"       "IMAPS  218.94.137.82   AS      China"
3140    "2017-06-06 10:06:27.827"       "IMAPS  89.218.84.214   AS      Kazakhstan"
3140    "2017-06-06 10:08:38.782"       "IMAPS  123.7.178.228   AS      China"
1968    "2017-06-06 10:28:46.157"       "IMAPS  14.45.111.165   AS      Korea, Republic of"
1968    "2017-06-06 10:42:01.151"       "IMAPS  221.178.227.10  AS      China"
1968    "2017-06-06 10:46:48.968"       "IMAPS  110.249.218.124 AS      China"

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-06 15:12

Striking results.

It seems those Chinese and Russians give Communist states a bad name. :-)
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-06-06 16:04

I believe the return value from a nerd.dk unknown/unlisted IP is 127.0.255.1 and not an empty string (255*256+1 = 65281)

Example: dig 90.101.248.213.zz.countries.nerd.dk A

Code:

; <<>> DiG 9.11.0-P1 <<>> 90.101.248.213.zz.countries.nerd.dk A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57572
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b59b5f7f8b9a4cc0a00a7a195936b490038e328a6af6f11c (good)
;; QUESTION SECTION:
;90.101.248.213.zz.countries.nerd.dk. IN        A

;; ANSWER SECTION:
90.101.248.213.zz.countries.nerd.dk. 2099 IN A  127.0.255.1

;; AUTHORITY SECTION:
.                       59382   IN      NS      i.root-servers.net.
.                       59382   IN      NS      c.root-servers.net.
.                       59382   IN      NS      f.root-servers.net.
.                       59382   IN      NS      m.root-servers.net.
.                       59382   IN      NS      k.root-servers.net.
.                       59382   IN      NS      g.root-servers.net.
.                       59382   IN      NS      j.root-servers.net.
.                       59382   IN      NS      d.root-servers.net.
.                       59382   IN      NS      b.root-servers.net.
.                       59382   IN      NS      l.root-servers.net.
.                       59382   IN      NS      a.root-servers.net.
.                       59382   IN      NS      e.root-servers.net.
.                       59382   IN      NS      h.root-servers.net.

;; Query time: 46 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 06 15:56:32 W. Europe Daylight Time 2017
;; MSG SIZE  rcvd: 319

btw there is a typo in your code: End Sub should be Exit Sub
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-06 16:25

RvdH wrote:I believe the return value from a nerd.dk unknown/unlisted IP is 127.0.255.1 and not an empty string (255*256+1 = 65281)

Example: dig 90.101.248.213.zz.countries.nerd.dk A

btw there is a typo in your code: End Sub should be Exit Sub
Guilty on both accounts :oops:

It was something I pulled in from an archive of mine... However I can't edit my post.

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-06 16:27

SorenR wrote:
RvdH wrote: btw there is typo in your code: End Sub should be Exit Sub
It was something I pulled in from an archive of mine... However I can't edit my post.
I've just changed it (to "Exit Sub") for you.

If you need anything else changing on it then let me know.

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-06-06 16:35

Mmm... something strange, sometimes multiple values are returned as well, take a look at the output below

Code:

; <<>> DiG 9.11.0-P1 <<>> 41.81.132.24.zz.countries.nerd.dk A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61468
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: da9cb16d1d713c4cbd18ed205936bd5b0dee56cf5d2dbb90 (good)
;; QUESTION SECTION:
;41.81.132.24.zz.countries.nerd.dk. IN  A

;; ANSWER SECTION:
41.81.132.24.zz.countries.nerd.dk. 2099 IN A    127.0.255.1
41.81.132.24.zz.countries.nerd.dk. 2099 IN A    127.0.2.16

;; AUTHORITY SECTION:
.                       57131   IN      NS      a.root-servers.net.
.                       57131   IN      NS      g.root-servers.net.
.                       57131   IN      NS      b.root-servers.net.
.                       57131   IN      NS      i.root-servers.net.
.                       57131   IN      NS      d.root-servers.net.
.                       57131   IN      NS      l.root-servers.net.
.                       57131   IN      NS      k.root-servers.net.
.                       57131   IN      NS      f.root-servers.net.
.                       57131   IN      NS      c.root-servers.net.
.                       57131   IN      NS      m.root-servers.net.
.                       57131   IN      NS      h.root-servers.net.
.                       57131   IN      NS      j.root-servers.net.
.                       57131   IN      NS      e.root-servers.net.

;; Query time: 46 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jun 06 16:34:03 W. Europe Daylight Time 2017
;; MSG SIZE  rcvd: 333

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-06 16:58

RvdH wrote:Mmm...something strange, sometimes multiple values are returned as well, take a look at output below
Yes, he may have a bug in the configuration...

I've converted to use something like this as I was missing data... The solution I have implemented is just short of 500 lines of code and still in Alpha test 8)

Code:

   Sub OnClientConnect(oClient)
      ' * Start of code * (the logging fragment lives inside OnClientConnect)
      Include("C:\hMailServer\Events\VbsJson.vbs")
      Dim ReturnCode, oGeoip, Json : Set Json = New VbsJson
      On Error Resume Next
      With CreateObject("Msxml2.XMLHTTP.3.0")
         .Open "GET", "http://www.geoplugin.net/json.gp?ip=" & oClient.IPAddress, False
         .Send
         ReturnCode = .Status
         ' Only decode the body once the request is known to have succeeded
         If (ReturnCode = 200) Then Set oGeoip = Json.Decode(.responseText)
      End With
      On Error Goto 0
      If (ReturnCode <> 200) Then
         EventLog.Write("<OnClientConnect.error> www.geoplugin.net lookup failed, error code: " & ReturnCode & " on IP address " & oClient.IPAddress)
         Exit Sub
      End If
      ' Label for the listening port; ports outside the list are logged by number
      ' (a Mid/InStr table lookup raises "Invalid procedure call" for them)
      Dim strPort
      Select Case oClient.Port
         Case 25
            strPort = "SMTP"
         Case 143
            strPort = "IMAP"
         Case 465
            strPort = "SMTPS"
         Case 587
            strPort = "SUBM"
         Case 993
            strPort = "IMAPS"
         Case Else
            strPort = CStr(oClient.Port)
      End Select
      EventLog.Write(strPort & vbTab & oClient.IPAddress & vbTab & oGeoip("geoplugin_continentCode") & vbTab & oGeoip("geoplugin_countryName"))
      ' * End of code *
   End Sub

   '
   ' Pull a .vbs file into the global scope. ExecuteGlobal runs whatever the file
   ' contains as script, so the Events folder must be writable by administrators only.
   '
   Function Include(sInstFile)
      Dim f, s, oFSO
      Set oFSO = CreateObject("Scripting.FileSystemObject")
      On Error Resume Next
      If oFSO.FileExists(sInstFile) Then
         Set f = oFSO.OpenTextFile(sInstFile)
         s = f.ReadAll
         f.Close
         ExecuteGlobal s
      End If
      On Error Goto 0
      Set f = Nothing
      Set oFSO = Nothing
   End Function

And this is the file that gets included:
VbsJson.7z (2.14 KiB)

AndreL
Normal user
Posts: 31
Joined: 2016-06-07 15:42

Re: IMAP "attack" by a very slow bot-net

Post by AndreL » 2017-06-07 20:45

After a check, I also discovered those bot-net attacks.

Here below is the beta script I put in place.
It's based on a MySQL database loaded with this info: http://lite.ip2location.com/database/ip-country
Check is local and very fast.

Connections from CN and RU are rejected in a first phase.

NB: no trace of that status in the hMailServer log file: is that normal? (I'm not totally sure that the connection is rejected)

Example of output in the event log:
"** Refuse connection from 111.160.4.90 CN 993"
"* Connection from 91.187.93.52 AD 993"
"* Connection from 197.217.64.159 AO 993"

Code:

Function Dot2LongIP(MyDottedIP)
    Dim DottedIP, arrDec, intResult

    DottedIP = CStr(MyDottedIP)
    arrDec = Split(DottedIP, ".", -1, 1)
    If (UBound(arrDec) = 3) Then
      intResult = 16777216*arrDec(0) + 65536*arrDec(1) + 256*arrDec(2) + arrDec(3)
    Else
      intResult = 0   ' not a dotted IPv4 address (e.g. IPv6): falls outside every range
    End If
    Dot2LongIP = intResult
End Function

Sub OnClientConnect(oClient)
    Dim connstr, conn, cmd, rs, ipint, country
    Result.Value = 0
    ' Exclude local LAN from test
    If (Left(oClient.IPAddress, 8) = "192.168.") Then Exit Sub
    If (Left(oClient.IPAddress, 9) = "127.0.0.1") Then Exit Sub

    ' From external network
    ' connect to MySQL
    connstr = "driver={MySQL ODBC 5.3 Unicode Driver}; server=localhost; database=ip2location; *****"
    Set conn = CreateObject("ADODB.Connection")
    conn.Open connstr
    Set cmd = CreateObject("ADODB.Command")
    cmd.ActiveConnection = conn
    ipint = Dot2LongIP(oClient.IPAddress)
    ' ipint is a number computed above, never raw client input, so concatenating it is safe.
    ' ORDER BY makes LIMIT 1 deterministic, and ip_from is checked below so that an address
    ' in a gap between two ranges does not inherit the country of the next range up.
    cmd.CommandText = "SELECT ip_from, country_code FROM ip2location_db1 WHERE " & ipint & " <= ip_to ORDER BY ip_to LIMIT 1"
    Set rs = cmd.Execute
    country = ""
    If Not rs.EOF Then
        If (CDbl(rs("ip_from")) <= ipint) Then country = UCase(Trim(rs("country_code")))
    End If
    rs.Close
    conn.Close
    Set rs = Nothing
    Set cmd = Nothing
    Set conn = Nothing

    ' Compare the two-letter code exactly: InStr("RU CN", "") returns 1, so a
    ' substring test would refuse every address that is not in the database.
    If (country <> "RU" And country <> "CN" And country <> "BE") Then
        ' Trace connections from countries other than BE, CN and RU. Maybe some others to add
        EventLog.Write("* Connection from " & oClient.IPAddress & " " & country & " " & oClient.Port)
    End If

    If (country = "RU" Or country = "CN") Then
        ' Refuse connection
        EventLog.Write("** Refuse connection from " & oClient.IPAddress & " " & country & " " & oClient.Port)
        Result.Value = 1
    End If
End Sub
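
The lookup in the post above is a range query over the IP2Location DB1 layout (ip_from, ip_to, country_code, country_name). The block below is an added example, not from the thread or from IP2Location: it runs the same query offline against an in-memory SQLite table with a few constructed rows (private address ranges with made-up codes, not real IP2Location data), shows why the ip_from check matters for addresses that fall between two ranges, and applies the post's policy (refuse RU and CN, stay quiet for BE, log everything else) with exact code matching rather than a substring test.

```python
"""IP2Location-style range lookup and connect policy (added example, not from the thread)."""
import ipaddress
import sqlite3


def ip_to_int(ip):
    """Dot2LongIP: 16777216*a + 65536*b + 256*c + d; rejects anything that is not IPv4."""
    return int(ipaddress.IPv4Address(ip))


# Constructed rows in the ip2location_db1 column order. Private ranges, made-up codes.
SAMPLE_ROWS = [
    (ip_to_int("10.0.0.0"),     ip_to_int("10.255.255.255"),  "XA", "Country A"),
    (ip_to_int("172.16.0.0"),   ip_to_int("172.31.255.255"),  "CN", "China"),
    (ip_to_int("192.168.0.0"),  ip_to_int("192.168.255.255"), "BE", "Belgium"),
]


def build_db(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ip2location_db1 "
                 "(ip_from INTEGER, ip_to INTEGER, country_code TEXT, country_name TEXT)")
    conn.execute("CREATE INDEX idx_ip_to ON ip2location_db1 (ip_to)")
    conn.executemany("INSERT INTO ip2location_db1 VALUES (?, ?, ?, ?)", rows)
    return conn


def country_for(conn, ip):
    """Smallest ip_to not below the address, then confirm the range really starts
    at or before it. Without that check 172.32.0.1 would come back as Belgium."""
    n = ip_to_int(ip)
    row = conn.execute(
        "SELECT ip_from, country_code FROM ip2location_db1 "
        "WHERE ip_to >= ? ORDER BY ip_to LIMIT 1", (n,)).fetchone()
    if row is None or row[0] > n:
        return None          # past the last range, or in a gap between ranges
    return row[1]


REFUSE = {"RU", "CN"}
QUIET = {"BE"}


def decide(country):
    """(action, log_it). Unknown (None) is allowed but logged; with InStr-style
    matching an empty code would have been refused instead."""
    if country in REFUSE:
        return "refuse", True
    if country in QUIET:
        return "allow", False
    return "allow", True


def check(conn, ip, port):
    """Return (action, event-log line or None) in the post's log format."""
    cc = country_for(conn, ip)
    action, log_it = decide(cc)
    if not log_it:
        return action, None
    prefix = "** Refuse connection from" if action == "refuse" else "* Connection from"
    return action, f"{prefix} {ip} {cc or '??'} {port}"


if __name__ == "__main__":
    db = build_db()
    for ip in ("10.1.2.3", "172.20.0.1", "172.32.0.1", "192.168.1.1", "200.1.1.1"):
        print(check(db, ip, 993))
```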

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-10 23:57

Ok, so I cleared everything and started from scratch... My code looks nowhere like the previous one, but let's leave that for now...

Since "2017-06-08 18:16:09.526" (GMT+2) I now have 261 blocked IP addresses

Code:

China                            182
Russian Federation                14
Korea, Republic of                 9
United States                      9
India                              4
France                             3
Mexico                             3
South Africa                       3
Taiwan                             3
Antigua and Barbuda                2
Argentina                          2
Bangladesh                         2
Kazakhstan                         2
Spain                              2
Algeria                            1
Andorra                            1
Belgium                            1
Bulgaria                           1
Canada                             1
Costa Rica                         1
Ecuador                            1
Israel                             1
Italy                              1
Japan                              1
Lao People's Democratic Republic   1
Macau                              1
Malaysia                           1
Moldova, Republic of               1
Pakistan                           1
Romania                            1
Singapore                          1
Thailand                           1
Trinidad and Tobago                1
Ukraine                            1
Venezuela                          1

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-12 00:31

401 ...

Code:

China                            275
Russian Federation                18
United States                     14
Korea, Republic of                13
India                              6
Argentina                          4
Italy                              4
Mexico                             4
Spain                              4
Antigua and Barbuda                3
France                             3
Kazakhstan                         3
South Africa                       3
Taiwan                             3
Vietnam                            3
Bangladesh                         2
Costa Rica                         2
Czech Republic                     2
Lao People's Democratic Republic   2
Malaysia                           2
Pakistan                           2
Singapore                          2
Thailand                           2
Trinidad and Tobago                2
Ukraine                            2
Algeria                            1
Andorra                            1
Angola                             1
Belgium                            1
Botswana                           1
Bulgaria                           1
Canada                             1
Chile                              1
Colombia                           1
Cote D'Ivoire                      1
Dominican Republic                 1
Ecuador                            1
Egypt                              1
Israel                             1
Japan                              1
Macau                              1
Moldova, Republic of               1
Poland                             1
Romania                            1
Sweden                             1
Venezuela                          1

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: IMAP "attack" by a very slow bot-net

Post by mattg » 2017-06-12 03:02

My similar script is sitting steady at 14 after being at 200 for many weeks
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-14 01:00

527 ... :roll:

7 day ban ... Wonder what it will stabilize at ...

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-06-14 14:18

RvdH wrote:I believe the return value from a nerds.dk unknown/unlisted IP is: 127.0.255.1 and not an empty string (255*256+1 = 65281)

Example: dig 90.101.248.213.zz.countries.nerd.dk A

I have to correct myself, 127.0.255.1 seems to be "eu"

Code:

; <<>> DiG 9.11.0-P1 <<>> 90.101.248.213.zz.countries.nerd.dk TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56766
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: e0729ae2264abb5a7c886afe594129649d64e4a71114b1b2 (good)
;; QUESTION SECTION:
;90.101.248.213.zz.countries.nerd.dk. IN        TXT

;; ANSWER SECTION:
90.101.248.213.zz.countries.nerd.dk. 2099 IN TXT "eu"

;; Query time: 46 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 14 14:17:40 W. Europe Daylight Time 2017
;; MSG SIZE  rcvd: 107

Code:

; <<>> DiG 9.11.0-P1 <<>> 41.81.132.24.zz.countries.nerd.dk TXT
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40819
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a313e8e00709a562ee531b4559412c8bf0fd788e826c2e42 (good)
;; QUESTION SECTION:
;41.81.132.24.zz.countries.nerd.dk. IN  TXT

;; ANSWER SECTION:
41.81.132.24.zz.countries.nerd.dk. 2099 IN TXT  "eu"
41.81.132.24.zz.countries.nerd.dk. 2099 IN TXT  "nl"

;; Query time: 46 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 14 14:31:07 W. Europe Daylight Time 2017
;; MSG SIZE  rcvd: 120
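
The dig output in this post and the two earlier ones settle what a countries.nerd.dk answer looks like: the query name is the address with its octets reversed, each A record is 127.0.x.y with x*256+y the ISO 3166 numeric code (isolist.txt), a reply can carry several records, and 127.0.255.1 (65281) is the "eu" region rather than "unknown". The block below is an added example, not from the thread or from nerd.dk: it builds the query name, decodes answers, and picks the country out of a multi-record reply by comparing codes as numbers (a string sort of the dotted form would put 127.0.250.1 before 127.0.3.1). No DNS is done; the answers are the ones shown in the dig output, plus a constructed one for Denmark, fed in through a resolver callback.

```python
"""countries.nerd.dk query/decode helpers (added example, not from the thread)."""
import ipaddress

EU_CODE = 255 * 256 + 1   # 127.0.255.1 -> "eu" (a region, not a country)
UNKNOWN = 999             # sentinel the thread's VBScript uses for "no answer"

# Query name -> A records. The first two are the dig examples above; the third is
# constructed (192.0.2.1 is a documentation address) to stand in for Denmark, 208.
SAMPLE_ANSWERS = {
    "90.101.248.213.zz.countries.nerd.dk": ["127.0.255.1"],
    "41.81.132.24.zz.countries.nerd.dk": ["127.0.255.1", "127.0.2.16"],
    "1.2.0.192.zz.countries.nerd.dk": ["127.0.0.208"],
}


def query_name(ip):
    """Reverse the octets, DNSBL style; raises ValueError for anything but IPv4."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".zz.countries.nerd.dk"


def decode_answer(a_record):
    """127.0.x.y -> x*256 + y, the ISO 3166-1 numeric code."""
    parts = a_record.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a countries.nerd.dk answer: {a_record!r}")
    o = [int(p) for p in parts]
    if o[0] != 127 or o[1] != 0 or not all(0 <= v <= 255 for v in o):
        raise ValueError(f"not a countries.nerd.dk answer: {a_record!r}")
    return o[2] * 256 + o[3]


def country_code(a_records):
    """Pick the country from a possibly multi-record answer. Codes are compared
    as numbers, so "eu" (65281) never shadows a real country and 127.0.3.1 does
    not sort ahead of 127.0.2.16 the way the dotted strings would."""
    codes = sorted({decode_answer(r) for r in a_records if r.strip()})
    if not codes:
        return UNKNOWN
    countries = [c for c in codes if c != EU_CODE]
    return countries[0] if countries else EU_CODE


def lookup(ip, resolver):
    """resolver(name) -> list of A records (empty list for NXDOMAIN)."""
    return country_code(resolver(query_name(ip)))


if __name__ == "__main__":
    resolve = lambda name: SAMPLE_ANSWERS.get(name, [])
    for ip in ("213.248.101.90", "24.132.81.41", "192.0.2.1", "198.51.100.7"):
        print(ip, "->", lookup(ip, resolve))
```

Whether an "eu"-only answer (65281) or no answer at all (999) should pass a DK-only gate is a policy choice; the pattern in the first post lets 999 through and rejects 65281.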

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-14 16:11

mattg wrote:My similar script is sitting steady at 14 after being at 200 for many weeks
My code has evolved to this ...

Preemptive multitasking with queue management and data record locking. 8) :mrgreen:

Code:

   ' COM authentication
   ' EventHandlers.vbs holds the admin password: keep it readable by administrators only.
   Private Const ADMIN = "Administrator"
   Private Const PASSWORD = "VERY SECRET"

   Include("C:\hMailServer\Events\VbsJson.vbs")

   Sub OnClientConnect(oClient)
      Dim strRegEx

      '
      ' Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
      '
      If (oClient.Port <> 25) Then
         Dim oGeoip, Json : Set Json = New VbsJson
         Dim strPort : strPort = PortName(oClient.Port)
         On Error Resume Next
         With CreateObject("Msxml2.ServerXMLHTTP.6.0")
            ' resolve / connect / send / receive timeouts in ms, so a slow geoplugin
            ' answer cannot hold the connection thread for long
            .setTimeouts 2000, 2000, 2000, 5000
            .Open "GET", "http://www.geoplugin.net/json.gp?ip=" & oClient.IPAddress, False
            .Send
            If (.Status = 200) Then
               Set oGeoip = Json.Decode(.responseText)
               strRegEx = "^(DK|GL|FO)$" ' <===== Denmark, Greenland, Faroe Islands
               If (Lookup(strRegEx, oGeoip("geoplugin_countryCode")) = False) Then
                  EventLog.Write(strPort & vbTab & oClient.IPAddress & vbTab & oGeoip("geoplugin_continentCode") & vbTab & oGeoip("geoplugin_countryName"))
                  Call AutoBan(oClient.IPAddress, "OO-" & strPort & "-" & oGeoip("geoplugin_countryCode"), 7, "d")
                  Result.Value = 1
               End If
            Else
               ' A failed lookup lets the client in (fail-open); set Result.Value = 1 here to fail closed.
               EventLog.Write("<OnClientConnect.error> www.geoplugin.net lookup failed, error code: " & .Status & " on IP address " & oClient.IPAddress)
            End If
         End With
         On Error Goto 0
      End If
   End Sub

'###
'### Support functions
'###

   '
   ' Pull a .vbs file into the global scope. ExecuteGlobal runs whatever the file
   ' contains as script, so the Events folder must be writable by administrators only.
   '
   Function Include(sInstFile)
      Dim f, s, oFSO
      Set oFSO = CreateObject("Scripting.FileSystemObject")
      On Error Resume Next
      If oFSO.FileExists(sInstFile) Then
         Set f = oFSO.OpenTextFile(sInstFile)
         s = f.ReadAll
         f.Close
         ExecuteGlobal s
      End If
      On Error Goto 0
      Set f = Nothing
      Set oFSO = Nothing
   End Function

   '
   ' Label for the log line and the ban reason. Unknown ports (110, 995, ...) are
   ' logged by number; a Mid/InStr table lookup raises "Invalid procedure call"
   ' for them and aborts the whole handler, which lets the client in unchecked.
   '
   Function PortName(iPort)
      Select Case iPort
         Case 25
            PortName = "SMTP"
         Case 143
            PortName = "IMAP"
         Case 465
            PortName = "SMTPS"
         Case 587
            PortName = "SUBM"
         Case 993
            PortName = "IMAPS"
         Case Else
            PortName = CStr(iPort)
      End Select
   End Function

   Function Wait(sec)
      With CreateObject("WScript.Shell")
         .Run "timeout /T " & Int(sec), 0, True
'        .Run "sleep -m " & Int(sec * 1000), 0, True
'        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
      End With
   End Function

   '
   ' Opens strPath for append and returns the TextStream. While it is held open, a
   ' second OnClientConnect thread gets error 70 (Permission denied) and retries for
   ' up to ~30 seconds. Returns Nothing if the lock could not be taken.
   '
   Function LockFile(strPath)
      Const Append = 8
      Const Unicode = -1
      Dim oFile, i
      Set LockFile = Nothing
      With CreateObject("Scripting.FileSystemObject")
         For i = 0 To 30
            On Error Resume Next
            Set oFile = .OpenTextFile(strPath, Append, True, Unicode)
            If (Err.Number <> 70) Then
               If (Err.Number = 0) Then Set LockFile = oFile
               On Error Goto 0
               Exit For
            End If
            On Error Goto 0
            Wait(1)
         Next
      End With
      Set oFile = Nothing
      If (Err.Number = 70) Then
         EventLog.Write("ERROR: EventHandlers.vbs")
         EventLog.Write("File " & strPath & " is locked and timeout was exceeded.")
         Err.Clear
      ElseIf (Err.Number <> 0) Then
         EventLog.Write("ERROR: EventHandlers.vbs : Function LockFile")
         EventLog.Write("Error       : " & Err.Number)
         EventLog.Write("Error (hex) : 0x" & Hex(Err.Number))
         EventLog.Write("Source      : " & Err.Source)
         EventLog.Write("Description : " & Err.Description)
         Err.Clear
      End If
   End Function

   Function Lookup(strRegEx, strMatch)
      With CreateObject("VBScript.RegExp")
         .Global = False
         .Pattern = strRegEx
         .IgnoreCase = True
         Lookup = .Test(strMatch)
      End With
   End Function

   '
   ' sType can be one of the following;
   ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
   '
   ' Adds a single-address IP range named "(reason) address" that expires after
   ' iDuration sType, the same shape as hMailServer's own Auto-ban ranges.
   '
   Sub AutoBan(sIPAddress, sReason, iDuration, sType)
      Dim oApp : Set oApp = CreateObject("hMailServer.Application")
      Call oApp.Authenticate(ADMIN, PASSWORD)
      ' Serialise range updates across the IMAP/SMTP threads through the lock file
      Dim oLock : Set oLock = LockFile("c:\hmailserver\temp\autoban.lck")
      If (oLock Is Nothing) Then Exit Sub   ' LockFile has already logged why
      On Error Resume Next
      oApp.Settings.SecurityRanges.Refresh
      If (oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing) Then
         With oApp.Settings.SecurityRanges.Add
            ' Must be the same name as in the ItemByName check above; an undeclared
            ' "IPAddress" here would leave the address out and defeat the check.
            .Name = "(" & sReason & ") " & sIPAddress
            .LowerIP = sIPAddress
            .UpperIP = sIPAddress
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd(sType, iDuration, Now())
            .Save
         End With
      End If
      On Error Goto 0
      oLock.Close
   End Sub
This is the VBScript class that the code includes:
VbsJson.7z (2.14 KiB)
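
The handler above makes three decisions that are easy to get wrong in the VBScript because they sit under On Error Resume Next: port 25 is exempt, a 200 response is parsed as geoplugin JSON and checked against an allow-list, and a failed lookup falls through (fail-open) while a malformed 200 body ends up banning the client. The block below is an added example, not from the thread or from hMailServer: the same decision logic with COM stripped out, an explicit fail-open/fail-closed switch that applies to both failure kinds, and the ban name and 7-day expiry built the way the AutoBan(sIPAddress, sReason, 7, "d") call does. The JSON bodies are constructed to use the three geoplugin_* field names the post reads; they are not captured geoplugin.net responses.

```python
"""Geo-gate decision logic for OnClientConnect (added example, not from the thread)."""
import json
from datetime import datetime, timedelta

ALLOWED = frozenset({"DK", "GL", "FO"})      # Denmark, Greenland, Faroe Islands
PORT_NAMES = {25: "SMTP", 143: "IMAP", 465: "SMTPS", 587: "SUBM", 993: "IMAPS"}

# Constructed response bodies, shaped like the fields the post reads.
CN_BODY = ('{"geoplugin_countryCode":"CN","geoplugin_continentCode":"AS",'
           '"geoplugin_countryName":"China"}')
DK_BODY = ('{"geoplugin_countryCode":"DK","geoplugin_continentCode":"EU",'
           '"geoplugin_countryName":"Denmark"}')


def port_name(port):
    """Label for log lines and ban reasons; unknown ports are named by number."""
    return PORT_NAMES.get(port, str(port))


def parse_geo(body):
    """(countryCode, continentCode, countryName), or None when the body is not the
    expected JSON. A truncated or HTML body must not be mistaken for 'no match'."""
    try:
        data = json.loads(body)
        cc = data["geoplugin_countryCode"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(cc, str) or len(cc) != 2:
        return None
    return (cc.upper(), str(data.get("geoplugin_continentCode", "")),
            str(data.get("geoplugin_countryName", "")))


def decide(ip, port, status, body, now_iso, allowed=ALLOWED, fail_open=True, ban_days=7):
    """Return {'action': 'allow'|'disconnect', 'log': ..., 'ban': {...}}.
    now_iso is the current time as an ISO-8601 string, e.g. '2017-06-14T16:11:00'."""
    if port == 25:
        return {"action": "allow"}           # inbound mail from the world stays open
    geo = parse_geo(body) if status == 200 else None
    if geo is None:                          # HTTP failure and garbage body handled alike
        return {"action": "allow" if fail_open else "disconnect",
                "log": ("<OnClientConnect.error> www.geoplugin.net lookup failed, "
                        f"error code: {status} on IP address {ip}")}
    cc, continent, name = geo
    if cc in allowed:
        return {"action": "allow"}
    label = port_name(port)
    expires = datetime.fromisoformat(now_iso) + timedelta(days=ban_days)
    return {
        "action": "disconnect",
        "log": f"{label}\t{ip}\t{continent}\t{name}",
        "ban": {"name": f"(OO-{label}-{cc}) {ip}", "lower": ip, "upper": ip,
                "expires": expires.isoformat()},
    }


if __name__ == "__main__":
    now = "2017-06-14T16:11:00"
    print(decide("221.3.189.234", 993, 200, CN_BODY, now))
    print(decide("221.3.189.234", 25, 200, CN_BODY, now))
    print(decide("221.3.189.234", 993, 503, "", now, fail_open=False))
```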

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-06-14 20:45

DNS based lookups are much faster, why exactly did you switch to use "Msxml2.ServerXMLHTTP.6.0"?

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-14 21:06

RvdH wrote: DNS based lookups are much faster; why exactly did you switch to using "Msxml2.ServerXMLHTTP.6.0"?
First of all... https://blog.srpcs.com/picking-the-corr ... tp-object/ 8)

Second, The level of detail is much greater and I don't have to maintain a GeoIP database to get it. :wink:

Third, Traffic is low - 16 hits so far today.

Fourth ... Because I can. :mrgreen:

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-06-15 12:26

I have made my own DNSLookup component; this one returns all A-records. I modified the script to split the results and sort them.
This split & sort prevents "eu" (127.0.255.1) from being returned before "nl" (127.0.2.16).

Code: Select all

' http://countries.nerd.dk/isolist.txt
Function NerdLookup(strIP)
	Dim a
	a = Split(strIP, ".")
	With CreateObject("DNSLibrary.DNSResolver")
		strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
	End With
	strIP=Split(strIP,VbCrLf)
	If IsArray(strIP) then
		strIP = SortArray(strIP)
	End if
	If Len(strIP(1)) = 0 Then
		NerdLookup = "999"
	Else
		a = Split(strIP(1), ".")
		NerdLookup = CStr(a(2)*256 + a(3))
	End If
End Function

' SortArray - sort a string or numeric array
function SortArray(arrShort)
	dim i, j, temp
	for i = UBound(arrShort) - 1 To 0 Step -1
		for j= 0 to i
			if arrShort(j)>arrShort(j+1) then
				temp=arrShort(j+1)
				arrShort(j+1)=arrShort(j)
				arrShort(j)=temp
			end if
		next
	next
	SortArray = arrShort
end function
This component I wrote is also capable of doing TXT-record lookups; the NerdLookup(strIP) function could then be modified to something like this:

Code: Select all

'  the regex would become something like:
' ^(nl|be|lu|fr|es|de|us|n\/a)$
Function NerdLookup(strIP)
	Dim a, x
	a = Split(strIP, ".")
	dim countryCode : countryCode  = Empty
	dim countryCodeAlt : countryCodeAlt = "n/a"
	With CreateObject("DNSLibrary.DNSResolver")
		strIP = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
	End With
	a=Split(strIP ,VbCrLf)
	For x = 0 To (UBound(a) - LBound(a))
		If Len(a(x)) > 0 then
			if a(x) <> "eu" then 
				countryCode = a(x)
			else
				countryCodeAlt = a(x)		
			end if
		end if
	Next
	If Len(countryCode) > 0 then
		NerdLookup = countryCode
	Else
		NerdLookup = countryCodeAlt
	End if
End Function
Some tests:

Code: Select all

' eu
WScript.Echo(NerdLookup("213.248.101.90"))
' nl
WScript.Echo(NerdLookup("188.206.102.42"))
' nl, eu
WScript.Echo(NerdLookup("24.132.81.41"))
' be
WScript.Echo(NerdLookup("91.183.226.212"))
' cn
WScript.Echo(NerdLookup("218.89.38.239"))
Download component (works on both 32bit and 64bit Windows OS's)

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-15 16:48

Soren

What's the difference between:

Code: Select all

Function WaitTimer(sec)
   Dim t
   t = Timer
   Do While ((Timer - t) < sec) Xor (Timer < t)
   Loop
End Function
(what you use)

and

Code: Select all

   Function Wait(sec)
      With CreateObject("WScript.Shell")
         .Run "timeout /T " & Int(sec), 0, True
      End With
   End Function
(what I currently use)

? Which is better and why?
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-06-15 17:05

Code: Select all

Function WaitTimer(sec)
   Dim t
   t = Timer
   Do While ((Timer - t) < sec) Xor (Timer < t)
   Loop
End Function
That one above did not work properly for me... it returned wrong seconds, so I switched to the other.

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-15 18:16

Code: Select all

Function WaitTimer(sec)
   Dim t
   t = Timer
   Do While ((Timer - t) < sec) Xor (Timer < t)
   Loop
End Function
That one was abandoned "eons" ago as there were problems with Windows newer than XP and also the handling of midnight ... I believe the first time I posted the "new" version was a little over 1 year ago.

viewtopic.php?p=186687#p186687

The current one should cater for more Windows versions and environments.

Code: Select all

   Function Wait(sec)
      With CreateObject("WScript.Shell")
         .Run "timeout /T " & Int(sec), 0, True
'        .Run "sleep -m " & Int(sec * 1000), 0, True
'        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
      End With
   End Function
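To make the "why" behind the two wait functions concrete, here is an added Python simulation (not code from the thread or from hMailServer) of the midnight case SorenR mentions: it models VBScript's Timer as seconds since local midnight, evaluates the WaitTimer loop condition literally, and shows it releasing the loop as soon as the clock wraps, something a wait delegated to the OS via `timeout /T` does not suffer from. It does not model the separate Windows-version problem he refers to.

```python
"""Simulated VBScript Timer to compare the thread's two wait loops.

Added example, not code from the thread or from hMailServer. VBScript's Timer
returns seconds since local midnight and wraps to 0 at 24:00; the clock here
is simulated, so the block runs instantly and offline."""
SECONDS_PER_DAY = 86400


def old_condition(now: float, t: float, sec: float) -> bool:
    """Literal translation of: Do While ((Timer - t) < sec) Xor (Timer < t)."""
    return ((now - t) < sec) != (now < t)


def fixed_condition(now: float, t: float, sec: float) -> bool:
    """Measure elapsed time modulo one day, so a midnight wrap keeps counting."""
    return ((now - t) % SECONDS_PER_DAY) < sec


def simulate_wait(start: float, sec: float, condition, tick: float = 1.0,
                  limit: float = 2 * SECONDS_PER_DAY) -> float:
    """Advance a fake Timer from `start` (seconds since midnight) until the
    loop condition turns False; return the wall-clock seconds actually waited.
    `limit` guards against a condition that never releases the loop."""
    t = start % SECONDS_PER_DAY                      # what 't = Timer' captured
    elapsed = 0.0
    while elapsed < limit:
        now = (start + elapsed) % SECONDS_PER_DAY    # what Timer returns now
        if not condition(now, t, sec):
            return elapsed
        elapsed += tick
    return elapsed


def hms(seconds: float) -> str:
    """Format seconds-since-midnight as HH:MM:SS for the demo output."""
    s = int(seconds) % SECONDS_PER_DAY
    return f"{s // 3600:02d}:{s % 3600 // 60:02d}:{s % 60:02d}"


if __name__ == "__main__":
    # 10:00:00 (no wrap) and 23:59:55 (wraps 5 seconds into a 20 second wait)
    for start in (10 * 3600, 23 * 3600 + 59 * 60 + 55):
        for name, cond in (("WaitTimer", old_condition), ("modulo fix", fixed_condition)):
            print(f"{name:11s} started {hms(start)} asking for 20 s: waited "
                  f"{simulate_wait(start, 20, cond):.0f} s")
```

With the Xor, the first term is always True once Timer has wrapped below t, so the condition becomes True Xor True and the loop ends early; the 20 second port 25 delay started at 23:59:55 lasts 5 seconds.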

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-15 18:24

SorenR wrote:

Code: Select all

                  EventLog.Write(strPort & vbTab & oClient.IPAddress & vbTab & oGeoip("geoplugin_continentCode") & vbTab & oGeoip("geoplugin_countryName"))
It was confusing the hell out of me. I couldn't understand why UK was returning "EU" in the event log. Took ages before I saw you were reporting the CONTINENT code and then struggled to find the list of country codes. (I thought the UK was "UK" but it isn't - it turns out to be "GB"). Where would one find the list do you think?

(Anyway I've just implemented it just to see what number I get. Curiosity has beaten me.)

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-15 18:38

jimimaseye wrote:
SorenR wrote:

Code: Select all

                  EventLog.Write(strPort & vbTab & oClient.IPAddress & vbTab & oGeoip("geoplugin_continentCode") & vbTab & oGeoip("geoplugin_countryName"))
It was confusing the hell out of me. I couldn't understand why UK was returning "EU" in the event log. Took ages before I saw you were reporting the CONTINENT code and then struggled to find the list of country codes. (I thought the UK was "UK" but it isn't - it turns out to be "GB"). Where would one find the list do you think?

(Anyway I've just implemented it just to see what number I get. Curiosity has beaten me.)
Well, it gets even more confusing after Brexit :mrgreen:

geoplugin_countryCode = "GB"

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-15 22:38

What is the meaning of SUBM as in "SMTP IMAP SMTPSSUBM IMAPS" (port 587)?


By the way, I changed the hardcoded references to the filenames to those matching the environment settings

ie,

instead of
Include("C:\hMailServer\Events\VbsJson.vbs")

I put

Include(obApp.Settings.Directories.EventDirectory & "\VbsJson.vbs")

(also for the tempdirectory)

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-16 01:19

jimimaseye wrote: What is the meaning of SUBM as in "SMTP IMAP SMTPSSUBM IMAPS" (port 587)?
"Submission" is the normal name for port 587...

Nice catch with "obApp.Settings.Directories.EventDirectory" but there is no need, it does not move around and it is one COM call less. :mrgreen:

Did you do the same with

Code: Select all

With LockFile("c:\hmailserver\temp\autoban.lck")
in Sub AutoBan ??

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-16 08:02

Yep.

I think that the less hard coded paths there are the better.

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-16 10:01

I also need to add exemption code for localhost and LAN ip address connections - otherwise it's blocking all email clients too. (127.0.0.1 and 192.168.* do not resolve to a country code and therefore get banned).

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-16 11:55

jimimaseye wrote: I also need to add exemption code for localhost and LAN ip address connections - otherwise it's blocking all email clients too. (127.0.0.1 and 192.168.* do not resolve to a country code and therefore get banned).
Ah yes... forgot those... I have them as "if match ip pattern then exit sub" just before this check.

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-16 17:42

Like this (this is mine):

Code: Select all

Sub OnClientConnect(oClient)
   If Lookup("127\.0\.0\.1|192\.168\." , oClient.ipaddress) = False then  '<- exempt my known LAN
      If (oClient.Port = 25) Then call wait(20)    '<- do the 20 second delay for port 25
      Call GeoAutoban(oClient)                      '<- check the port and origin
   End if
End Sub


Function GeoAutoban(oClient)
   ' COM authentication
   Const ADMIN = "Administrator"
   Const PASSWORD = "secret"
   Dim obApp : Set obApp = CreateObject("hMailServer.Application")
   Call obApp.Authenticate(ADMIN, PASSWORD)

   Include(obApp.Settings.Directories.EventDirectory & "\VbsJson.vbs")
   Dim strRegEx

   If (oClient.Port <> 25) then
      Dim oGeoip, Json : Set Json = New VbsJson
.
.
.
   End If
End Function

Sub AutoBan(sIPAddress, sReason, iDuration, sType)
   Const ADMIN = "Administrator"
   Const PASSWORD = "secret"
   Dim obApp : Set obApp = CreateObject("hMailServer.Application")
   Call obApp.Authenticate(ADMIN, PASSWORD)
   Dim TempStore : TempStore = obApp.Settings.Directories.TempDirectory

   With LockFile(TempStore & "\autoban.lck")
      On Error Resume Next
      obApp.Settings.SecurityRanges.Refresh
      If (obApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress) Is Nothing) Then
.
.
.
   End With
End Sub
A Question on coding please: given that the hmailserver object (with user and password) is declared in the original Function 'Geoban' that calls the sub 'autoban', why do I need to declare it again in the sub 'autoban'?

AndreL
Normal user
Posts: 31
Joined: 2016-06-07 15:42

Re: IMAP "attack" by a very slow bot-net

Post by AndreL » 2017-06-16 18:10

Some stats (latest 4 days)

- 2768 messages received
- 36954 TCP connections
- performance: ~10 ms in OnClientConnect

- unexpected Imap connections:

Code: Select all

CN-China 	122
US-United States	28
ES-Spain 	10
BG-Bulgaria 	7
CZ-Czech 	7
MX-Mexico 	5
RU-Russian 	3
UA-Ukraine 	3
AO-Angola 	2
AR-Argentina 	2
KR-Korea	2
TT-Trinidad 	2
VN-Viet Nam	2
ZA-South Africa	2
AD-Andorra 	1
AG-Antigua 	1
AZ-Azerbaijan 	1
BD-Bangladesh 	1
CH-Switzerland 	1
CI-Cote d'Ivoire	1
CR-Costa Rica	1
DK-Denmark 	1
HK-Hong Kong	1
HT-Haiti 	1
IL-Israel 	1
IN-India 	1
IT-Italy 	1
KZ-Kazakhstan 	1
LA-Lao 	1
MY-Malaysia 	1
PL-Poland 	1
SC-Seychelles 	1
TH-Thailand 	1
TW-Taiwan	1
	Total: 217

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-16 19:45

jimimaseye wrote: A Question on coding please: given that the hmailserver object (with user and password) is declared in the original Function 'Geoban' that calls the sub 'autoban', why do I need to declare it again in the sub 'autoban'?
You don't; it is global if executed on a higher level, but if you call AutoBan from another Sub you may need it there.

This is what I do...

Code: Select all

   Sub OnClientConnect(oClient)
      Dim strRegEx

      '
      ' Exclude Backup-MX from test
      '
      If (Left(oClient.IPAddress, 10) = "80.160.77.") Then Exit Sub

      '
      ' Exclude local LAN from test
      '
      If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub

      '
      ' Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
      '
      If (oClient.Port <> 25) Then
         Dim oGeoip, Json : Set Json = New VbsJson
         Dim strPort : strPort = Trim(Mid("SMTP IMAP SMTPSSUBM IMAPS", InStr("25   143  465  587  993  ", oClient.Port), 5))
         On Error Resume Next
         With CreateObject("Msxml2.ServerXMLHTTP.6.0")
            .Open "GET", "http://www.geoplugin.net/json.gp?ip=" & oClient.IPAddress, False
            .Send
            Set oGeoip = Json.Decode(.responseText)
            If (.Status = 200 ) Then
               strRegEx = "(DK|GL|FO)" ' <===== Denmark, Greenland, Faroe Islands
               If (Lookup(strRegEx, oGeoip("geoplugin_countryCode")) = False) Then
                  EventLog.Write(strPort & vbTab & oClient.IPAddress & vbTab & oGeoip("geoplugin_continentCode") & vbTab & oGeoip("geoplugin_countryName"))
                  Call AutoBan(oClient.IPAddress, "DK-" & strPort & "-" & oGeoip("geoplugin_countryCode"), 7, "d")
                  Result.Value = 1
               End If
            Else
               EventLog.Write("<OnClientConnect.error> www.geoplugin.net lookup failed, error code: " & .Status & " on IP address " & oClient.IPAddress)
            End If
         End With
         On Error Goto 0
      End If

      '
      ' Only test SMTP traffic
      '
      strRegEx = "(25|587|465)"
      If Lookup(strRegEx, oClient.Port) Then
         If (oClient.Port = 25) Then Wait(20)

         '
         ' IDS test for SYN flood etc.
         '
         If IDSCheck(oClient.IPAddress) Then Call AutoBan(oClient.IPAddress, "IDS", 2, "d")
      End If
   End Sub

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-16 19:47

AndreL wrote: Some stats (latest 4 days)

- 2768 messages received
- 36954 TCP connections
- performance: ~10 ms in OnClientConnect

- unexpected Imap connections:

Code: Select all

DK-Denmark 	1
109.236.180.59 ?? :mrgreen:

AndreL
Normal user
Posts: 31
Joined: 2016-06-07 15:42

Re: IMAP "attack" by a very slow bot-net

Post by AndreL » 2017-06-17 10:50

From DK-Denmark (not that much :) ):
2017-06-13 19:08:41.086: 94.137.142.49 port 993
2017-06-17 07:25:48.131: 94.137.142.49 port 993

jimimaseye
Moderator
Posts: 8175
Joined: 2011-09-08 17:48

Re: IMAP "attack" by a very slow bot-net

Post by jimimaseye » 2017-06-20 11:19

Code: Select all

4528	"2017-06-15 21:03:57.395"	"status:200--SUBM	54.193.89.45	US	United States"
4208	"2017-06-16 07:43:04.182"	"status:200--IMAP	168.1.128.77	US	United States"
4984	"2017-06-17 10:47:17.078"	"status:200--IMAP	74.115.0.21	US	United States"
4392	"2017-06-17 15:54:46.814"	"status:200--sm587	66.229.70.8	US	United States"
4984	"2017-06-18 05:32:39.009"	"status:200--IMAP	66.240.236.119	US	United States"
4812	"2017-06-18 20:22:21.612"	"status:200--IMAP	141.212.122.128	US	United States"
(all since 15th June to date). You jealous?

With hindsight it seems a lot of work implementing it with practically no benefit - but it did satisfy my curiosity. :-)

(sm587 is reworded SUBM for me)

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-20 14:12

jimimaseye wrote:

Code: Select all

4528	"2017-06-15 21:03:57.395"	"status:200--SUBM	54.193.89.45	US	United States"
4208	"2017-06-16 07:43:04.182"	"status:200--IMAP	168.1.128.77	US	United States"
4984	"2017-06-17 10:47:17.078"	"status:200--IMAP	74.115.0.21	US	United States"
4392	"2017-06-17 15:54:46.814"	"status:200--sm587	66.229.70.8	US	United States"
4984	"2017-06-18 05:32:39.009"	"status:200--IMAP	66.240.236.119	US	United States"
4812	"2017-06-18 20:22:21.612"	"status:200--IMAP	141.212.122.128	US	United States"
(all since 15th June to date). You jealous?

With hindsight it seems a lot of work implementing it with practically no benefit - but it did satisfy my curiosity. :-)

(sm587 is reworded SUBM for me)
For me it was either that or seeing a lot of failed logins. I only allow inbound SMTP (no auth), SMTPS and IMAPS, and from the failed logins it looked like a joint effort of some sort.

It could look like it's slowing down. I currently have about 130 hosts banned so it's down about 400 since 6 days ago.

The complexity comes from the detail of logging. If we disregard the logging, it can probably be boiled down to less than 10 lines.

RvdH
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-06-20 20:32

Another one for the collection

Code: Select all

Sub OnClientConnect(oClient)
	If hostkarmaAuthHacker(oClient.IPAddress) Then
		' Auth hacker detection
		Result.Value = 1
		Call AutoBan(oClient.IPAddress, "authhacker (" & oClient.Port & ")", 1, "ww")
		Exit Sub
	End If	
	
	...
	
End Sub
DNSLibrary.DNSResolver

Code: Select all

' http://ipadmin.junkemailfilter.com/auth-hack.txt
Function hostkarmaAuthHacker(strIP)
	dim found : found = false
	Dim a, x : a = Split(strIP, ".")
	With CreateObject("DNSLibrary.DNSResolver")
		strIP = .TXT(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".hostkarma.junkemailfilter.com")
	End With
	a=Split(strIP ,VbCrLf)
	For x = 0 To (UBound(a) - LBound(a))
	  If Len(a(x)) > 0 then
		If InStr(a(x),"(authentication hacker)")>0 then
			found = True
			Exit For
		end if
	  end if
	Next
	hostkarmaAuthHacker = found
End Function
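Both DNS lookups in RvdH's posts (the countries.nerd.dk country code in its A-record and TXT forms, and the hostkarma "authentication hacker" TXT test) share the same reversed-octet query name and answer decoding, so here is one added Python model of them, not RvdH's DNSLibrary component or any hMailServer code; the zone names, the 127.0.255.1 "eu" value and the allow-list regex are taken from the thread, and every DNS answer is constructed sample data labelled as such in the block. It also shows why comparing the A-record codes numerically is safer than the string sort in the posted SortArray.

```python
"""Offline model of the two DNS lookups in this thread: the countries.nerd.dk
country check (A and TXT forms) and the hostkarma "authentication hacker" TXT
check. Added example, not RvdH's DNSLibrary component or hMailServer code.
All DNS answers below are constructed sample data, so nothing is queried."""
import ipaddress
import re

NERD_ZONE = "zz.countries.nerd.dk"                 # zone named in the thread
HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com"   # zone named in the thread
NO_MATCH = "999"                                   # RvdH's "no answer" sentinel
EU_CODE = 255 * 256 + 1                            # "eu" is 127.0.255.1 per RvdH
# RvdH's TXT allow-list, anchored so a code can only match as the whole answer.
ALLOWED_TXT = re.compile(r"^(nl|be|lu|fr|es|de|us|n/a)$", re.IGNORECASE)


def reversed_query_name(ip: str, zone: str) -> str:
    """a.b.c.d -> d.c.b.a.<zone>, the name the scripts assemble by hand."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def nerd_a_to_code(record: str) -> int:
    """A 127.0.x.y answer encodes the ISO 3166-1 numeric code as x*256 + y."""
    a, b, x, y = (int(part) for part in record.split("."))
    if (a, b) != (127, 0):
        raise ValueError(f"not a countries.nerd.dk answer: {record}")
    return x * 256 + y


def country_from_a_records(records) -> str:
    """Prefer a national code over the EU marker; compare numerically rather
    than relying on string sort order (see string_sort_misorders_eu)."""
    codes = sorted(nerd_a_to_code(r) for r in records if r)
    national = [c for c in codes if c != EU_CODE]
    if national:
        return str(national[0])
    return str(codes[0]) if codes else NO_MATCH


def country_from_txt_records(records) -> str:
    """TXT form: prefer any non-'eu' code, then 'eu', then RvdH's 'n/a'."""
    codes = [r.strip().lower() for r in records if r and r.strip()]
    national = [c for c in codes if c != "eu"]
    if national:
        return national[0]
    return "eu" if "eu" in codes else "n/a"


def is_auth_hacker(txt_records) -> bool:
    """hostkarma flags brute-forcers with this phrase in its TXT answer."""
    return any("(authentication hacker)" in r for r in txt_records)


def string_sort_misorders_eu(records) -> bool:
    """The thread sorts answers as strings. '127.0.255.1' then sorts before any
    '127.0.3.x' answer (numeric codes 768-999) because '2' < '3' as characters."""
    return sorted(records)[0].startswith("127.0.255.")


# Constructed sample answers keyed by query name; not real DNS data.
SAMPLE_DNS = {
    reversed_query_name("192.0.2.10", NERD_ZONE): {"A": ["127.0.255.1", "127.0.2.16"],
                                                  "TXT": ["eu", "nl"]},
    reversed_query_name("198.51.100.7", NERD_ZONE): {"A": ["127.0.0.208"], "TXT": ["dk"]},
    reversed_query_name("203.0.113.9", HOSTKARMA_ZONE): {
        "TXT": ["203.0.113.9 is listed (authentication hacker)"]},
}


def fake_resolve(name: str, rtype: str):
    """Stand-in for a real resolver: returns a list of answer strings, or []."""
    return SAMPLE_DNS.get(name, {}).get(rtype, [])


def classify(ip: str, resolve=fake_resolve) -> dict:
    """Run both checks for one connecting IP and return the raw decisions."""
    nerd = reversed_query_name(ip, NERD_ZONE)
    karma = reversed_query_name(ip, HOSTKARMA_ZONE)
    alpha = country_from_txt_records(resolve(nerd, "TXT"))
    return {
        "ip": ip,
        "numeric": country_from_a_records(resolve(nerd, "A")),
        "alpha": alpha,
        "in_allowlist": ALLOWED_TXT.match(alpha) is not None,
        "auth_hacker": is_auth_hacker(resolve(karma, "TXT")),
    }


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.9"):
        print(classify(ip))
```

Note that an IP with no countries.nerd.dk answer comes back as "n/a", which the posted regex allows through; that is the behaviour of the allow-list as written, not a side effect of the model.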

mattg
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: IMAP "attack" by a very slow bot-net

Post by mattg » 2017-06-30 03:13

I was a bit worried, I got down to 2 banned IP addresses.

Had a sustained DDOS attack this week; then, when I dropped those at my firewall, I've since increased to 11 and growing autobans.
I thought that I had broken my autoban settings.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-06-30 11:53

mattg wrote: I was a bit worried, I got down to 2 banned IP addresses.

Had a sustained DDOS attack this week; then, when I dropped those at my firewall, I've since increased to 11 and growing autobans.
I thought that I had broken my autoban settings.
DDOS ???

Like this ??

Code: Select all

"SMTPD"	3016	3488	"2017-06-30 08:10:55.143"	"185.171.234.133"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	3016	3488	"2017-06-30 08:10:55.283"	"185.171.234.133"	"RECEIVED: EHLO s5.cpaprince.com"
"SMTPD"	3016	3488	"2017-06-30 08:10:55.518"	"185.171.234.133"	"SENT: 250-myserver.acme.inc[nl]250 SIZE"
"SMTPD"	3016	3488	"2017-06-30 08:10:58.080"	"185.171.234.133"	"RECEIVED: QUIT"
"SMTPD"	3016	3488	"2017-06-30 08:10:58.080"	"185.171.234.133"	"SENT: 221 goodbye"
"SMTPD"	3016	3489	"2017-06-30 08:12:20.113"	"185.171.234.133"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	3016	3489	"2017-06-30 08:12:20.238"	"185.171.234.133"	"RECEIVED: EHLO s5.cpaprince.com"
"SMTPD"	3016	3489	"2017-06-30 08:12:20.238"	"185.171.234.133"	"SENT: 250-myserver.acme.inc[nl]250 SIZE"
"SMTPD"	3016	3489	"2017-06-30 08:12:23.566"	"185.171.234.133"	"RECEIVED: QUIT"
"SMTPD"	3016	3489	"2017-06-30 08:12:23.566"	"185.171.234.133"	"SENT: 221 goodbye"
"SMTPD"	3016	3490	"2017-06-30 08:14:21.178"	"185.171.234.133"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	3016	3490	"2017-06-30 08:14:21.334"	"185.171.234.133"	"RECEIVED: EHLO s5.cpaprince.com"
"SMTPD"	3016	3490	"2017-06-30 08:14:21.334"	"185.171.234.133"	"SENT: 250-myserver.acme.inc[nl]250 SIZE"
"SMTPD"	3016	3490	"2017-06-30 08:14:24.412"	"185.171.234.133"	"RECEIVED: QUIT"
"SMTPD"	3016	3490	"2017-06-30 08:14:24.412"	"185.171.234.133"	"SENT: 221 goodbye"
"SMTPD"	3016	3491	"2017-06-30 08:15:20.210"	"185.171.234.133"	"SENT: 220 myserver.acme.inc ESMTP"

Code: Select all

"SMTPD"	3852	3456	"2017-06-30 07:29:52.158"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	2508	3457	"2017-06-30 07:29:55.111"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	3396	3458	"2017-06-30 07:29:56.127"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	1708	3459	"2017-06-30 07:29:57.189"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	2772	3460	"2017-06-30 07:29:58.174"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	3080	3461	"2017-06-30 07:29:59.189"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	2848	3462	"2017-06-30 07:30:00.205"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	3420	3463	"2017-06-30 07:30:01.142"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	1044	3464	"2017-06-30 07:30:02.127"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
"SMTPD"	3632	3465	"2017-06-30 07:30:03.142"	"185.15.83.186"	"SENT: 220 myserver.acme.inc ESMTP"
Both cases were handled by my IDS code. Why the second example took 10 attempts I have no clue - looking into it. The hit limit is set to "<= 3".

I currently have 20 addresses banned by IDS, 9 addresses banned for using IMAPS outside Denmark and 8 addresses banned for using SMTPS outside Denmark.

I have one user on vacation in Greece so that could explain one or two but then, I also have webmail available :mrgreen:

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: IMAP "attack" by a very slow bot-net

Post by estradis » 2017-07-17 09:09

What about this idea:

In our company some email addresses are highly frequented hacking targets as well (e.g. admin@, info@, ...). For these accounts we decided to append GUID suffixes to their names and made alias names for receiving mails on their well-known names. Any hacking attempt will be made against non-existing accounts. The only problem is that these accounts must never be allowed to use auto reply, because hMailServer will send the mail with the account names instead of the alias names.

Of course we also block invalid logon attempts for initially 1 hour. Every 5 minutes a script is scheduled to search all autoban entries with priority 20. If the IP is from internal networks, the entry will be instantly deleted. If the tried logon does not exist or is one of the secured accounts, the ban time will be increased to one year after the login attempt. At the end of the script all priorities of the determined entries will be decreased to 19 to prevent multiple processing. Once a day another script will parse all autoban entries with priority 19 to create statistics and reports, decreasing the priority to 18 as well.

Simple, but very efficient! No need to test country or dns.

The results:
- Internal clients will be banned for max 5 mins, external clients with legal addresses for max 1 hour and hackers for 1 year.
- Our autoban has actually levelled at 1408 ip addresses, increasing about 3-5 ip addresses a week.
- We have daily reports about newly registered banned addresses.
- Since the hackers were banned a year, the incoming spam has been reduced as well.


And finally a hint about your scripting:

Instead of writing

Code: Select all

         If .Test(strMatch) Then
            Lookup = True
         Else
            Lookup = False
         End If
you can simplify to

Code: Select all

            Lookup = .Test(strMatch)

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-07-17 11:50

estradis wrote:...
...
Simple, but very efficient! No need to test country or dns.

The results:
- Internal clients will be banned for max 5 mins, external clients with legal addresses for max 1 hour and hackers for 1 year.
- Our autoban has actually levelled at 1408 ip addresses, increasing about 3-5 ip addresses a week.
- We have daily reports about newly registered banned addresses.
- Since the hackers were banned a year, the incoming spam has been reduced as well.


And finally a hint about your scripting:
I have seriously cut down on autobanning. Now I ban on "out of area" logons, when my IDS code kicks in and on malformed HELO/EHLO strings. The rest of the time I simply reject the connection - it's simpler, less code and uses fewer resources.

hMailServer is NOT a firewall and having to look up the connecting IP in a database of 1,000's of IP addresses is slow.

If anything it would be optimal to offload this to a dedicated device like a firewall.

Also, things move fast in the SPAM/Bot world and my estimate is that 7 days is by far enough to hold the bad guys away. 1 year is absolutely pointless.

And... Them gremlins are not "hackers", them are Bots ... Not sure any of us are smart enough to fight off a real blackhat if it comes down to that.

estradis
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: IMAP "attack" by a very slow bot-net

Post by estradis » 2017-07-17 15:48

SorenR wrote: I have seriously cut down on autobanning. Now I ban on "out of area" logons, when my IDS code kicks in and on malformed HELO/EHLO strings. The rest of the time I simply reject the connection - it's simpler, less code and uses fewer resources.
How can you access the HELO/EHLO string?

SorenR wrote: ... having to look up the connecting IP in a database of 1,000's of IP addresses is slow.
Indeed in the beginning that was my fear too, but HMS is pretty fast even with more than 1400 database entries. (The developers did a great job!)

SorenR wrote: If anything it would be optimal to offload this to a dedicated device like a firewall.
As we already had, but one day WatchGuard silently updated the software and now I'm unable to automate this.

SorenR wrote: Also, things move fast in the SPAM/Bot world and my estimate is that 7 days is by far enough to hold the bad guys away. 1 year is absolutely pointless.
I agree with you. One year was only to calm down the executive board after a huge DDoS attack on our services. I will configure them down slowly after the first year is over. But now I'm curious how many addresses will be registered within one year.
SorenR wrote: And... Them gremlins are not "hackers", them are Bots ... Not sure any of us are smart enough to fight off a real blackhat if it comes down to that.
Yes, you're right. We use internal bots to monitor our services as well. When we talked internally about bots it was always confusing whether they are "good" or "evil". One day we had some major misunderstandings, so we decided to call all external failures "hackers" and the internal failures "users" or "agents" to make it easier for the non-tech colleagues to understand the difference. The problem when discussing outside the company is to keep in mind not to use the internal terminology. So thank you for your correction.

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-07-17 17:51

estradis wrote:
SorenR wrote: I have seriously cut down on autobanning. Now I ban on "out of area" logons, when my IDS code kicks in and on malformed HELO/EHLO strings. The rest of the time I simply reject the connection - it's simpler, less code and uses fewer resources.
How can you access the HELO/EHLO string?

SorenR wrote: ... having to look up the connecting IP in a database of 1,000's of IP addresses is slow.
Indeed in the beginning that was my fear too, but HMS is pretty fast even with more than 1400 database entries. (The developers did a great job!)

SorenR wrote: If anything it would be optimal to offload this to a dedicated device like a firewall.
As we already had, but one day WatchGuard silently updated the software and now I'm unable to automate this.

SorenR wrote: Also, things move fast in the SPAM/Bot world and my estimate is that 7 days is by far enough to hold the bad guys away. 1 year is absolutely pointless.
I agree with you. One year was only to calm down the executive board after a huge DDoS attack on our services. I will configure them down slowly after the first year is over. But now I'm curious how many addresses will be registered within one year.
SorenR wrote: And... Them gremlins are not "hackers", them are Bots ... Not sure any of us are smart enough to fight off a real blackhat if it comes down to that.
Yes, you're right. We use internal bots to monitor our services as well. When we talked internally about bots it was always confusing whether they are "good" or "evil". One day we had some major misunderstandings, so we decided to call all external failures "hackers" and the internal failures "users" or "agents" to make it easier for the non-tech colleagues to understand the difference. The problem when discussing outside the company is to keep in mind not to use the internal terminology. So thank you for your correction.
Definition of "Hacker" ... https://en.wikipedia.org/wiki/Hacker
That used to be me... Solutions Architecture you know :wink:

oClient.HELO...

Some of us are using a modified version with a new event; Sub OnHELO(oClient)
viewtopic.php?t=30193

A Man's FireWall is either Cisco or IPTables. The rest is kids' stuff.
I have an old Cisco ASA 5505 to play with @ home.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: IMAP "attack" by a very slow bot-net

Post by estradis » 2017-07-18 11:21

SorenR wrote: oClient.HELO...

Some of us are using a modified version with a new event; Sub OnHELO(oClient)
viewtopic.php?t=30193
oClient.HELO seems to be an undocumented function (https://www.hmailserver.com/documentati ... ect_client) or is it available only on the modified release?
SorenR wrote: A Man's FireWall is either Cisco or IPTables. The rest is kids' stuff.
I have an old Cisco ASA 5505 to play with @ home.
At home I use a fully virtualized network. At work it's almost virtualized. This means I cannot use hardware appliances, I need software appliances. Unfortunately this also means, when I use virtual (software) appliances, I need to purchase licenses as I cannot use "used" ones.

Fortunately Sophos offers a home license for free, limited only to 50 IP addresses, which is more than enough for me! I also have all the features the ASA has, including HA, pass-through AV and malware scanning, certificate authority (interim and stand-alone), network vouchers, OTPs and of course all the basics like DHCP, DNS, QOS, SSO, etc. (Too much to list them all here.) The only module I cannot use is SMTP-Guard, but this depends on the mailserver infrastructure and is not caused by Sophos.

The firewalling will be done with iptables for IPv4 as well as for IPv6, and the patterns are checked every 15 minutes. That's more than home users usually have, isn't it?

User avatar
SorenR
Senior user
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-07-18 16:08

estradis wrote:
SorenR wrote: oClient.HELO...

Some of us are using a modified version with a new event; Sub OnHELO(oClient)
viewtopic.php?t=30193
oClient.HELO seems to be an undocumented function (https://www.hmailserver.com/documentati ... ect_client) or is it available only on the modified release?
Nope... Been using it since 2014.

Sometimes you have to use an object browser to find all the goodies :mrgreen:

That's the difference between the "old-style hacker" and a "SuperUser" 8)
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

User avatar
mattg
Moderator
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: IMAP "attack" by a very slow bot-net

Post by mattg » 2017-07-19 02:02

There are quite a few 'undocumented' COM API methods, properties or functions.

I'm never sure if Martin will leave them in, that's why I don't always add to the documentation.

I have added this one now
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
RvdH
Senior user
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-07-19 12:07

Downside of the com_object_client HELO property is the fact it gets populated just before the OnSMTPData event, hence the existence of the modified version with the OnHELO event.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: IMAP "attack" by a very slow bot-net

Post by estradis » 2017-07-19 12:47

mattg wrote:There are quite a few 'undocumented' COM API method, property or function.

I'm never sure if Martin will leave them in, that's why I don't always add to the documentation.

I have added this one now
You're the documentation master? If so, would you be so kind and take a view on https://www.hmailserver.com/documentati ... ng_onerror
OnError

Overview

This event is executed directly when the delivery of a message has started. The event is executed before any global rules are executed
...
I'm pretty sure that this is not correct. I would say "... when an error occurs. ..." and remove the part with the rules.

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: IMAP "attack" by a very slow bot-net

Post by estradis » 2017-07-19 13:17

SorenR wrote:...

Sometimes you have to use an object browser to find all the goodies :mrgreen:

That's the difference between the "old-style hacker" and a "SuperUser" 8)
  1. This implies that I can't trust the official documentation. Until today I had no reason for it.
  2. Working in an HA environment makes you very busy when either one of your SANs fails or your redundant services change to alarm status. I don't have the time to seek undocumented stuff in the hope there is any. When a problem occurs, I need fast help and I trust to find it in official documentation.

User avatar
SorenR
Senior user
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: IMAP "attack" by a very slow bot-net

Post by SorenR » 2017-07-19 14:30

estradis wrote:
SorenR wrote:...

Sometimes you have to use an object browser to find all the goodies :mrgreen:

That's the difference between the "old-style hacker" and a "SuperUser" 8)
  1. This implies that I can't trust the official documentation. Until today I had no reason for it.
  2. Working in an HA environment makes you very busy when either one of your SANs fails or your redundant services change to alarm status. I don't have the time to seek undocumented stuff in the hope there is any. When a problem occurs, I need fast help and I trust to find it in official documentation.
1: We've known that for years... :mrgreen:
2: Well, most service centres advertise 99.99% uptime so what else do you do when there are NO alarms ??
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

User avatar
mattg
Moderator
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: IMAP "attack" by a very slow bot-net

Post by mattg » 2017-07-20 01:38

estradis wrote:You're the documentation master? If so, would you be so kind and take a view on https://www.hmailserver.com/documentati ... ng_onerror
Done

Any others?

The COM API stuff is tricky. Sometimes it is hidden for a reason (to be deprecated, for one example). Sometimes it is a new API as yet undocumented.
I'm happy to adjust / add any following public discussion here.

(There are only a couple of us that have access to the documentation. Also, did you know that if you press help on any page in the GUI, you get taken to the 'correct' help page)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
RvdH
Senior user
Senior user
Posts: 817
Joined: 2008-06-27 14:42
Location: Netherlands

Re: IMAP "attack" by a very slow bot-net

Post by RvdH » 2017-07-21 12:29

@matt

Maybe it is an idea to list the oClient (and maybe oMessage as well) properties available in each of the events

example: OnClientConnect
- OClient.IPAddress
- OClient.Port

example: OnHELO
- OClient.IPAddress
- OClient.Port
- OClient.HELO


example: OnSMTPData
- OClient.IPAddress
- OClient.Port
- OClient.HELO
- OClient.Username
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: IMAP "attack" by a very slow bot-net

Post by estradis » 2017-07-25 21:18

mattg wrote:
estradis wrote:You're the documentation master? If so, would you be so kind and take a view on https://www.hmailserver.com/documentati ... ng_onerror
Done

Any others?

The COM API stuff is tricky. Sometimes it is hidden for a reason (to be deprecated, for one example). Sometimes it is a new API as yet undocumented.
I'm happy to adjust / add any following public discussion here.

(There are only a couple of us that have access to the documentation. Also, did you know that if you press help on any page in the GUI, you get taken to the 'correct' help page)
Thank you for correcting the documentation, but I'm not sure whether the part with the rules should stay in it. (e.g. OnDelivery... OnBackup... - what rules will be executed on them?)

And no, I didn't know. The reason for that is very simple. The server must not be allowed to get outside except on mail protocols. (It's a server, not a client.) On the testlab I haven't tried it ever. If I needed some help, I searched for it directly. Good hint!

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: IMAP "attack" by a very slow bot-net

Post by estradis » 2017-07-25 21:24

SorenR wrote:
estradis wrote:
SorenR wrote:...

1: We've known that for years... :mrgreen:
2: Well, most service centres advertise 99.99% uptime so what else do you do when there are NO alarms ??
1: Seems that I should change back from head position to working level, should I? (No, never! Forget it! :mrgreen: )
2: Having one day without any alarm would be worth marking red in the calendar. (There are always issues, every day, sometimes every hour. That's the reason why call centers exist.) :lol:

estradis
Normal user
Normal user
Posts: 145
Joined: 2014-09-09 10:47

Re: IMAP "attack" by a very slow bot-net

Post by estradis » 2017-08-03 13:50

To complete my previous posts I will provide the final information as well.
estradis wrote:
SorenR wrote: Also, things move fast in the SPAM/Bot world and my estimate is that 7 days is by far enough to hold the bad guys away. 1 year is absolutely pointless.
I agree with you. One year was only to calm down the executive board after a huge DDoS attack on our services. I will configure them down slowly, after the first year is over. But now I'm curious how many addresses will be registered within one year.
The year is now over and the number of banned addresses is decreasing. Our top value was 1468 banned addresses, which were neither internal nor used by authorized users. Over all that time hMailServer had no performance problems, but MySQL sometimes ran out of memory. Since we have been using the huge template, there have not been any more memory problems.

User avatar
mattg
Moderator
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: IMAP "attack" by a very slow bot-net

Post by mattg » 2017-08-05 09:37

RvdH wrote:@matt

Maybe it is an idea to list the oClient (and maybe oMessage as well) properties available in each of the events

example: OnClientConnect
- OClient.IPAddress
- OClient.Port

example: OnHELO
- OClient.IPAddress
- OClient.Port
- OClient.HELO


example: OnSMTPData
- OClient.IPAddress
- OClient.Port
- OClient.HELO
- OClient.Username
The thing is I'm not sure about what works and what doesn't....
(And OnHELO is not implemented as yet in official builds - but I'd like it to be)

https://www.hmailserver.com/documentati ... entconnect
https://www.hmailserver.com/documentati ... eptmessage

As a starting point

OnSMTPData won't have any message methods or properties
OnDelivered and OnDeliveryStart should be complete sets for message only with no client at all
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

insomniac2k2
Normal user
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: IMAP "attack" by a very slow bot-net

Post by insomniac2k2 » 2017-11-21 21:52

I pondered on whether or not I should start a new thread on this topic, but this discussion seems more appropriate. So here is my question and thoughts:

I presently use spamrats and hostkharma lookups to block auth hackers. While it works great, I find that the lookups are pretty slow for busy servers. Unless I have overlooked this being done elsewhere, I believe that this would be a minor correction to speed this up drastically. So the question:

Has anyone scripted pulling these lists local on a regular refresh frequency, and then just referenced the local cached file for lookups? If not, I have to wonder if the best place to do this is in RvDH's DNS resolver? It certainly would be the cleanest place at least. It would allow keeping all existing lookup code as is. The DNS resolver would just download the list on frequency and check against the list ifExists.

Thoughts?

User avatar
mattg
Moderator
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: IMAP "attack" by a very slow bot-net

Post by mattg » 2017-11-22 00:51

I have both spamrats and hostkarma set up as DNS BL - would just scoring these when attempting SMTP connections work for you?

Also this stuff is so dynamic, that keeping a copy would be hard to achieve. The point of these lists are that they are live data, so I think to be effective you need to look up the source every time
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

insomniac2k2
Normal user
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: IMAP "attack" by a very slow bot-net

Post by insomniac2k2 » 2017-11-22 20:19

That wouldn't work for me. I don't use any hmail scoring presently. I just use spamassassin and CLAMAV scoring.

While the lists are live, the incremental changes are insignificant. I'm willing to play the odds that some random IP won't connect to my servers and try to authenticate an hour before my next download of the list. I have to believe that the lookup time, bandwidth, and strain on the remote server is worth that. Plus it may help reduce the chance of getting banned for hammering lookups, etc. Just my opinion.

I'll wait for a while to see if someone has already done such a thing. If not, I'll write a quick little executable to do just that. Do you happen to know if the source is available for the universal resolver?
mattg wrote:I have both spamrats and hostkarma set up as DNS BL - would just scoring these when attempting SMTP connections work for you?

Also this stuff is so dynamic, that keeping a copy would be hard to achieve. The point of these lists are that they are live data, so I think to be effective you need to look up the source every time

User avatar
mattg
Moderator
Moderator
Posts: 20305
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: IMAP "attack" by a very slow bot-net

Post by mattg » 2017-11-23 01:05

I had a quick look at the code yesterday

I think this is the place
https://github.com/hmailserver/hmailser ... solver.cpp
Through the COM API I think that Utilites.getmailserver(emailAddress as string) will get the mx record, but I'm not sure that that helps you

This is what I do to check country of connection for ports other than port 25 in OnClientConnect

Code: Select all

' ReverseIP (defined elsewhere in the script) turns 192.0.2.10 into 10.2.0.192; the raw
' nslookup output text ends up in a, to be matched against the allowed country codes.
a = RunCommandWithOutput ("%comspec% /c nslookup -timeout=5 " & ReverseIP(oClient.ipaddress) & ".zz.countries.nerd.dk",1,0,"",0,1)

Function RunCommandWithOutput (Command, Wait, Show, OutToFile, DeleteOutput, NoQuotes)
	'custom event
	'uses functions: 
	'uses globals: g_sAdminPassword
	'called from:
	
	'Run Command similar to the command prompt, for Wait use 1 or 0. Output returned and
	'stored in a file.
	'Command = The command line instruction you wish to run.
	'Wait = 1/0; 1 will wait for the command to finish before continuing.
	'Show = 1/0; 1 will show the command window.
	'OutToFile = The file you wish to have the output recorded to.
	'DeleteOutput = 1/0; 1 deletes the output file. Output is still returned to variable.
	'NoQuotes = 1/0; 1 will skip wrapping the command with quotes, some commands wont work
	'                if you wrap them in quotes.
	'----------------------------------------------------------------------------------------
	' Without this the Err.Number check at the end never runs: any runtime error (e.g. the
	' output file missing because the command did not run) would abort the script instead.
	On Error Resume Next
	Dim objFile, objShell, FSO, tMyOutput, tCommand, tOutToFile, tWait, tShow
	
	Dim oApp
	Set oApp = CreateObject("hMailServer.Application")
	' Give this script permission to access all
	' hMailServer settings (needed to read the temp directory below).
	Call oApp.Authenticate("Administrator", g_sAdminPassword)

	Set objShell = CreateObject("Wscript.Shell")
	Set FSO = CreateObject("Scripting.FileSystemObject")
	'VARIABLES
	If Len("" & OutToFile) = 0 Then
		' No output file given: build a unique temp file name from a fresh GUID
		OutToFile = oApp.Settings.Directories.TempDirectory & "\temp_" & Abs(CLng("&h" & Mid(CreateObject("Scriptlet.TypeLib").Guid, 28, 8) )) & ".txt"
		DeleteOutput = 1
	End If
	tCommand = Command
	If Left(Command,1)<>"""" And NoQuotes <> 1 Then tCommand = """" & tCommand & """"
	tOutToFile = OutToFile
	If Left(OutToFile,1)<>"""" Then tOutToFile = """" & OutToFile & """"
	If Wait = 1 Then tWait = True
	If Wait <> 1 Then tWait = False
	If Show = 1 Then tShow = 1
	If Show <> 1 Then tShow = 0
	'RUN PROGRAM (stdout is redirected into the output file; Wait=1 is required
	'for the file to be complete when it is read back below)
	objShell.Run tCommand & ">" & tOutToFile, tShow, tWait
	'READ OUTPUT FOR RETURN
	Set objFile = FSO.OpenTextFile(OutToFile, 1)
	If Not objFile.AtEndOfStream Then
		tMyOutput = objFile.ReadAll
	End If
	objFile.Close
	Set objFile = Nothing
	'DELETE FILE AND FINISH FUNCTION
	If DeleteOutput = 1 Then
		Set objFile = FSO.GetFile(OutToFile)
		objFile.Delete
		Set objFile = Nothing
	End If
	RunCommandWithOutput = tMyOutput
	'Any error above (command, file or COM) is reported to the caller as "<0>"
	If Err.Number <> 0 Then RunCommandWithOutput = "<0>"
	Err.Clear
	On Error Goto 0
	Set objFile = Nothing
	Set objShell = Nothing
End Function
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
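An added example (not mattg's script nor hMailServer's code) that takes the nslookup text the script above leaves in `a` and turns it into the "out of area" decision the thread describes, rejecting unresolved IPs by default. The 127.0.x.y -> x*256+y encoding of countries.nerd.dk answers is an assumption here, and the nslookup transcripts are constructed samples.

```python
import ipaddress
import re
from typing import Optional

NERD_ZONE = "zz.countries.nerd.dk"
ALLOWED_COUNTRIES = {208}  # ISO 3166-1 numeric for Denmark, as in the thread


def reverse_ip(ip: str) -> str:
    """DNSBL-style octet reversal: 192.0.2.10 -> 10.2.0.192 (IPv4 only)."""
    addr = ipaddress.IPv4Address(ip)  # rejects garbage and IPv6 early
    return ".".join(reversed(str(addr).split(".")))


def nerd_query_name(ip: str) -> str:
    """The name the thread's nslookup command resolves for a client IP."""
    return f"{reverse_ip(ip)}.{NERD_ZONE}"


def decode_country(answer: str) -> Optional[int]:
    """Assumed nerd.dk encoding: 127.0.x.y -> x*256 + y; other answers -> None."""
    o = ipaddress.IPv4Address(answer).packed
    if o[0] != 127 or o[1] != 0:
        return None
    return o[2] * 256 + o[3]


# Matches the "Address:  127.0.0.208" line(s) of Windows nslookup output.
_ADDR = re.compile(r"^\s*Address(?:es)?:\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_nslookup(output: str) -> Optional[int]:
    """Country code from nslookup text, or None when there is no answer.
    The first Address: line is the resolver itself; only lines after 'Name:'
    belong to the answer, and NXDOMAIN output has no 'Name:' line at all."""
    code = None
    in_answer = False
    for line in output.splitlines():
        if line.startswith("Name:"):
            in_answer = True
            continue
        m = _ADDR.match(line)
        if in_answer and m:
            code = decode_country(m.group(1))
    return code


def allow_login(country: Optional[int], allowed=ALLOWED_COUNTRIES,
                allow_unknown: bool = False) -> bool:
    """Policy: allow only listed countries; an unresolved IP is rejected by default."""
    if country is None:
        return allow_unknown
    return country in allowed


# Constructed sample transcripts (not captured from a real resolver).
SAMPLE_DK = """Server:  UnKnown
Address:  192.0.2.53

Non-authoritative answer:
Name:    10.2.0.192.zz.countries.nerd.dk
Address:  127.0.0.208
"""
SAMPLE_US = SAMPLE_DK.replace("127.0.0.208", "127.0.3.72")  # 3*256 + 72 = 840
SAMPLE_NX = """Server:  UnKnown
Address:  192.0.2.53

*** UnKnown can't find 1.2.0.192.zz.countries.nerd.dk: Non-existent domain
"""
```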

insomniac2k2
Normal user
Normal user
Posts: 84
Joined: 2016-08-09 19:47

Re: IMAP "attack" by a very slow bot-net

Post by insomniac2k2 » 2017-11-23 04:04

My apologies. I should have been a bit more specific. I was referring to RvDH's resolver helper that is posted some posts above. I believe it's still necessary in order to call hostkharma and nerds auth list (at least that's how I'm presently configured). I was thinking that it would be a great intercept point to modify his resolver with the caching code. Although at that point, I suppose it may just be easier to write something similar and just call it directly.

I'll also have to take a look at what you posted and see if this is something that could be of use to me. Thanks for posting :)
mattg wrote:I had a quick look at the code yesterday

I think this is the place
https://github.com/hmailserver/hmailser ... solver.cpp
Through the COM API I think that Utilites.getmailserver(emailAddress as string) will get the mx record, but I'm not sure that that helps you

This is what I do to check country of connection for ports other than port 25 in OnClientConnect

Code: Select all

' ReverseIP (defined elsewhere in the script) turns 192.0.2.10 into 10.2.0.192; the raw
' nslookup output text ends up in a, to be matched against the allowed country codes.
a = RunCommandWithOutput ("%comspec% /c nslookup -timeout=5 " & ReverseIP(oClient.ipaddress) & ".zz.countries.nerd.dk",1,0,"",0,1)

Function RunCommandWithOutput (Command, Wait, Show, OutToFile, DeleteOutput, NoQuotes)
	'custom event
	'uses functions: 
	'uses globals: g_sAdminPassword
	'called from:
	
	'Run Command similar to the command prompt, for Wait use 1 or 0. Output returned and
	'stored in a file.
	'Command = The command line instruction you wish to run.
	'Wait = 1/0; 1 will wait for the command to finish before continuing.
	'Show = 1/0; 1 will show the command window.
	'OutToFile = The file you wish to have the output recorded to.
	'DeleteOutput = 1/0; 1 deletes the output file. Output is still returned to variable.
	'NoQuotes = 1/0; 1 will skip wrapping the command with quotes, some commands wont work
	'                if you wrap them in quotes.
	'----------------------------------------------------------------------------------------
	' Without this the Err.Number check at the end never runs: any runtime error (e.g. the
	' output file missing because the command did not run) would abort the script instead.
	On Error Resume Next
	Dim objFile, objShell, FSO, tMyOutput, tCommand, tOutToFile, tWait, tShow
	
	Dim oApp
	Set oApp = CreateObject("hMailServer.Application")
	' Give this script permission to access all
	' hMailServer settings (needed to read the temp directory below).
	Call oApp.Authenticate("Administrator", g_sAdminPassword)

	Set objShell = CreateObject("Wscript.Shell")
	Set FSO = CreateObject("Scripting.FileSystemObject")
	'VARIABLES
	If Len("" & OutToFile) = 0 Then
		' No output file given: build a unique temp file name from a fresh GUID
		OutToFile = oApp.Settings.Directories.TempDirectory & "\temp_" & Abs(CLng("&h" & Mid(CreateObject("Scriptlet.TypeLib").Guid, 28, 8) )) & ".txt"
		DeleteOutput = 1
	End If
	tCommand = Command
	If Left(Command,1)<>"""" And NoQuotes <> 1 Then tCommand = """" & tCommand & """"
	tOutToFile = OutToFile
	If Left(OutToFile,1)<>"""" Then tOutToFile = """" & OutToFile & """"
	If Wait = 1 Then tWait = True
	If Wait <> 1 Then tWait = False
	If Show = 1 Then tShow = 1
	If Show <> 1 Then tShow = 0
	'RUN PROGRAM (stdout is redirected into the output file; Wait=1 is required
	'for the file to be complete when it is read back below)
	objShell.Run tCommand & ">" & tOutToFile, tShow, tWait
	'READ OUTPUT FOR RETURN
	Set objFile = FSO.OpenTextFile(OutToFile, 1)
	If Not objFile.AtEndOfStream Then
		tMyOutput = objFile.ReadAll
	End If
	objFile.Close
	Set objFile = Nothing
	'DELETE FILE AND FINISH FUNCTION
	If DeleteOutput = 1 Then
		Set objFile = FSO.GetFile(OutToFile)
		objFile.Delete
		Set objFile = Nothing
	End If
	RunCommandWithOutput = tMyOutput
	'Any error above (command, file or COM) is reported to the caller as "<0>"
	If Err.Number <> 0 Then RunCommandWithOutput = "<0>"
	Err.Clear
	On Error Goto 0
	Set objFile = Nothing
	Set objShell = Nothing
End Function

Post Reply