IMAP "attack" by a very slow bot-net
While investigating, I implemented a simple lock. I'm in Denmark, my family is in Denmark, my Server is in Denmark. ERGO... I only allow Danish IP address access.
Well, with modifications. Port 25 SMTP I have set in hmailserver.ini to NOT allow login, so this is safe for everyone to use... PLUS I should be able to receive emails from the rest of the world.
While trolling the 'net for similar observations I came across this one. Different OS and different server but SIMILAR problem!
https://steve.tty.org.uk/2017/05/08/a-v ... w-bot-net/
My initial observations:
1- The same IPAddress connects every 20'ish minutes
2- Try 1: IMAP login <user>@<domain>
3- Try 2: IMAP login <user>
4- IPAddress may try different users from "session to session"
5- Different IPAddresses from all over the globe may try the same <user>
6- Since it is a low frequency connection, it is difficult for AutoBan to catch the problem, so they can try forever ...
There are two Quick-Fixes to the problem.
1: hMailAdmin: Enable Auto-Ban.
Max invalid logon: 1 (maybe 2 if you are a kind person)
Minutes before reset: 1440
Minutes to auto-ban: 10080
This will slowly start to fill up your Auto-Ban list ...
2: My own Quick-Fix "bolt on the door"
Code:

Sub OnClientConnect(oClient)
   '
   ' Exclude local LAN from test
   '
   If (Left(oClient.IPAddress, 10) = "192.168.0.") Then Exit Sub
   '
   ' Only allow login from DK (208)
   ' Lookup appropriate code here -> https://www.iso.org/obp/ui/
   ' 999 = the DNS lookup returned nothing; it is allowed so that a
   ' failed lookup does not lock everyone out.
   ' Anchored (^...$) so a code only matches as a whole number.
   '
   Dim strRegEx : strRegEx = "^(999|208)$"
   If (oClient.Port <> 25) Then
      If Not Lookup(strRegEx, NerdLookup(oClient.IPAddress)) Then
         Result.Value = 1
         Exit Sub
      End If
   End If
End Sub

'
' System Scripting Runtime COM object ("SScripting.IPNetwork")
' http://www.netal.com/ssr.htm
' Binary -> http://www.netal.com/software/ssr15.zip
'
' http://countries.nerd.dk/isolist.txt
'
Function NerdLookup(strIP)
   Dim a
   a = Split(strIP, ".")
   ' Query the reversed IP under zz.countries.nerd.dk
   With CreateObject("SScripting.IPNetwork")
      strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
   End With
   If strIP = "" Then
      NerdLookup = "999"
   Else
      ' The last two octets of the answer hold the numeric country code
      a = Split(strIP, ".")
      NerdLookup = CStr(a(2)*256 + a(3))
   End If
End Function

Function Lookup(strRegEx, strMatch)
   With CreateObject("VBScript.RegExp")
      .Global = False
      .Pattern = strRegEx
      .IgnoreCase = True
      If .Test(strMatch) Then
         Lookup = True
      Else
         Lookup = False
      End If
   End With
End Function
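The following Python sketch is an added example, not part of the original post and not hMailServer code. It replays the pattern from the observations (two failed tries per visit, one visit every 20 minutes, several IPs on one account) against a simplified threshold-plus-reset-window ban counter and a per-account check. The event tuples, IP addresses, user names and the (3, 10) baseline setting are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BOTS = ["198.51.100.7", "203.0.113.9", "192.0.2.44"]  # constructed (documentation ranges)
TYPO_IP = "198.51.100.200"                            # constructed legitimate user

def make_events():
    """Constructed failed-login events (time, ip, user); not hMailServer log format."""
    t0, events = datetime(2019, 1, 1), []
    for n, ip in enumerate(BOTS):
        for visit in range(6):                        # one visit every 20 minutes
            t = t0 + timedelta(minutes=5 * n + 20 * visit)
            events.append((t, ip, "info@example.test"))            # try 1: user@domain
            events.append((t + timedelta(seconds=5), ip, "info"))  # try 2: bare user
    events.append((t0 + timedelta(minutes=42), TYPO_IP, "alice"))  # a single typo
    return sorted(events)

def banned_ips(events, max_invalid, reset_minutes):
    """Simplified model: ban an IP once it has max_invalid failures inside reset_minutes."""
    window, recent, banned = timedelta(minutes=reset_minutes), defaultdict(list), set()
    for ts, ip, _user in events:
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t < window] + [ts]
        if len(recent[ip]) >= max_invalid:
            banned.add(ip)
    return banned

def targeted_users(events, min_ips, window_minutes):
    """Accounts that failed from at least min_ips distinct IPs inside the window."""
    window, by_user, flagged = timedelta(minutes=window_minutes), defaultdict(list), set()
    for ts, ip, user in events:
        by_user[user.split("@")[0].lower()].append((ts, ip))  # user@domain == user
    for user, hits in by_user.items():
        for ts, _ip in hits:
            if len({ip for t, ip in hits if timedelta(0) <= ts - t < window}) >= min_ips:
                flagged.add(user)
                break
    return flagged

if __name__ == "__main__":
    ev = make_events()
    for max_invalid, reset in [(3, 10), (3, 1440), (2, 1440), (1, 1440)]:
        print(max_invalid, reset, sorted(banned_ips(ev, max_invalid, reset)))
    print("targeted:", targeted_users(ev, min_ips=3, window_minutes=60))
```

In this model a threshold of 1 also bans the address that made a single typo, while 2 with the 1440-minute reset bans only the bots.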