Port 143 attack

Forum for things that don't really have anything to do with hMailServer, such as php.ini, beer, etc.
mattg
Moderator
Posts: 19994
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Port 143 attack

Post by mattg » 2018-09-10 04:41

Via Script I autoban international connections to all ports but port 25, and have SMTP AUTH disabled on port 25

I track the number of autobans of different types at a set time overnight, every night, via Scheduled Task

On 14 Aug my numbers were (and consistently to this point)
Port 110 = 14
Port 143 = 53
Port 465 = 8
Port 587 = 2
Port 993 = 10
Port 995 = 6
Custom port = 28 (note these get a 365 day ban, others above all get 7 days)
Port 25 AUTH attempt = 5

I also track and autoban
No AUTH but supposedly from a local sender = 4
Banned for sending me high range SPAM (Score more than 15) = 43
Using a common hackers EHLO = 13




Last night my numbers look like
Port 110 = 8
Port 143 = 715
Port 465 = 6
Port 587 = 8
Port 993 = 20
Port 995 = 8
Custom port = 31 (note these get a 365 day ban, others above all get 7 days)
Port 25 AUTH attempt = 5

No AUTH but supposedly from a local sender = 0
Banned for sending me high range SPAM (Score more than 15) = 41
Using a common hackers EHLO = 8

All pretty normal except for port 143 and 993

That's an extra 670 attempts per week, and that's been in two distinct stages. Big increase from ~160 to ~670 in last few days.

Almost a hundred different IPs attempt per day presently to try and log in to my server using an IMAP connection from overseas.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: Port 143 attack

Post by SorenR » 2018-09-10 07:09

Nice catch!

Most of my AutoBans are put on standby and replaced with "Go Away" messages to keep logs clean.
I'll reinstate some of them and see what I can catch.

I'm only open to 25, 465 and 993 anyways, so it won't be that much.
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.

jimimaseye
Moderator
Posts: 8070
Joined: 2011-09-08 17:48

Re: Port 143 attack

Post by jimimaseye » 2018-09-10 08:52

I think my camouflage* is still quite efficient. Average 3 per day, and they are only IMAP and SMTP connections (~50% IMAP).

[Attachment: Untitled.png]
(using Soren's 'GeoAutoban' - blocks ALL attempted connections outside of GB and FR. All bans for 7 days.)

Interesting to see the rogue JAPAN source amongst the usual suspects.
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

RvdH
Senior user
Posts: 795
Joined: 2008-06-27 14:42
Location: Netherlands

Re: Port 143 attack

Post by RvdH » 2018-09-11 10:41

Is that all?
[Attachment: image] :)

New botnet? I think about 60% of these entries originate from Brazil hammering port 25... I don't have port 143 open for the outside world, only port 993 (SSL)

all.de.bl.blocklist.de seems to do a good job blocking these on OnClientConnect
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

RvdH
Senior user

Re: Port 143 attack

Post by RvdH » 2018-09-11 12:43

Crap, crap....1855 and counting :shock:

jimimaseye
Moderator

Re: Port 143 attack

Post by jimimaseye » 2018-09-11 13:54

RvdH wrote:
2018-09-11 10:41
Is that all?
I don't have Autoban for port 25 so my figures will be considerably smaller (as you can see). That and the 20-second response delay and with my camouflage*....

RvdH
Senior user

Re: Port 143 attack

Post by RvdH » 2018-09-11 15:25

I removed the autoban on port 25 for now; I got 2000+ IP ban entries about an hour ago and it kept growing... now I simply disconnect them if listed in all.de.bl.blocklist.de

Dravion
Senior user
Posts: 1411
Joined: 2015-09-26 11:50
Location: Germany

Re: Port 143 attack

Post by Dravion » 2018-09-11 20:33

Keep in mind, VBScript isn't ideal for mass-banning IPs.
Any VBScript needs to be compiled and executed on every event.
If an attacker knows how you do it, he can simply overnuke your server just by sending tons of mails which trigger the event until
hMailServer.exe or the CPU/RAM resources are exhausted (Denial of Service attack).

A better solution is using the Windows Firewall or an external cloud firewall like Cloudflare to protect your public hMailServer from DoS, DDoS
and brute-force attacks.

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-27 11:15

Someone is having a blast :mrgreen:

Last weekend I was up 950 banned attempts on port 993 and a few on 465. I only have 25 (NO AUTH), 465 and 993 open to the world. Sunday I deleted all and all week I was lingering around 2 or 3. This morning 750+

I only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
I have webmail access when traveling.

I ban this type of connection for 1 day only, to keep list down and attacks seldom last for days anyways.

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-27 19:26

SorenR wrote:
2018-10-27 11:15
Someone is having a blast :mrgreen:

Last weekend I was up 950 banned attempts on port 993 and a few on 465. I only have 25 (NO AUTH), 465 and 993 open to the world. Sunday I deleted all and all week I was lingering around 2 or 3. This morning 750+

I only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
I have webmail access when traveling.

I ban this type of connection for 1 day only, to keep list down and attacks seldom last for days anyways.
1976 Autoban IP Ranges ... :roll:

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-27 21:17

2199 Autoban IP Ranges ... :roll:

jimimaseye
Moderator

Re: Port 143 attack

Post by jimimaseye » 2018-10-27 21:23

Snowshoe?

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-27 21:39

jimimaseye wrote:
2018-10-27 21:23
Snowshoe?
Nope... IMAPS on port 993.

Code:

"TCPIP"	2504		"2018-10-27 22:00:38.840"	"TCP - 185.27.61.160 connected to 192.168.0.5:993."
"DEBUG"	2504		"2018-10-27 22:00:38.840"	"ScriptServer::FireEvent-OnClientConnect"
"DEBUG"	2504		"2018-10-27 22:00:38.918"	"ScriptServer:~FireEvent"
"DEBUG"	2504		"2018-10-27 22:00:38.918"	"Creating session 462"
"IMAPD"	2504	462	"2018-10-27 22:00:43.184"	"185.27.61.160"	"SENT: * OK IMAPrev1"
"IMAPD"	2504	462	"2018-10-27 22:00:47.558"	"185.27.61.160"	"RECEIVED: 1 capability"
"IMAPD"	2504	462	"2018-10-27 22:00:47.558"	"185.27.61.160"	"SENT: * CAPABILITY IMAP4 IMAP4rev1 CHILDREN SORT ACL NAMESPACE RIGHTS=texk[nl]1 OK CAPABILITY completed"
"TCPIP"	2504		"2018-10-27 22:00:48.668"	"TCP - 187.95.32.226 connected to 192.168.0.5:993."
"DEBUG"	2504		"2018-10-27 22:00:48.668"	"ScriptServer::FireEvent-OnClientConnect"
"DEBUG"	2504		"2018-10-27 22:00:48.699"	"ScriptServer:~FireEvent"
"DEBUG"	2504		"2018-10-27 22:00:48.699"	"Creating session 463"
"IMAPD"	2504	462	"2018-10-27 22:00:50.511"	"185.27.61.160"	"RECEIVED: 2 login password@acme.inc ***"
"IMAPD"	2504	462	"2018-10-27 22:00:50.511"	"185.27.61.160"	"SENT: 2 NO Invalid user name or password."
"DEBUG"	148		"2018-10-27 22:00:51.965"	"Ending session 462"
"IMAPD"	2504	463	"2018-10-27 22:00:52.840"	"187.95.32.226"	"SENT: * OK IMAPrev1"

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-27 22:54

Modified my IDS code to capture these events. Standard deny connection and after 3 attempts issue AutoBan.

If there is only one attempt from each IP address, as it looks like right now, the IP Range list can get extremely long for no real reason.

mattg
Moderator

Re: Port 143 attack

Post by mattg » 2018-10-27 22:56

That's got to be a well coordinated, planned attack.
What motivates these idiots to do this stuff, and my guess is that means that they have at least 2200 machines under their control that don't know that they are being used...

Presumably there is a central machine organising this, and setting the next machine to target you, changing the username and password as they go, OR do you think this is just a DDOS?

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-27 23:37

mattg wrote:
2018-10-27 22:56
That's got to be a well coordinated, planned attack.
What motivates these idiots to do this stuff, and my guess is that means that they have at least 2200 machines under their control that don't know that they are being used...

Presumably there is a central machine organising this, and setting the next machine to target you, changing the username and password as they go, OR do you think this is just a DDOS?
I left it open and monitored it for 5 minutes and the username did not change. Occasionally one slips through with a code 999 or is allowed per condition. I find them in IP Ranges after 2 invalid logins as "Auto-ban: password@acme.inc". What's so special about "password@*" that you would have such a user ??

Code:

   '
   ' Only allow non-SMTP connect from "Rigsfællesskabet"/"Naalagaaffeqatigiit"/"Ríkisfelagsskapurin" = The Danish Realm.
   ' 999 = N/A, 208 = Denmark, 304 = Greenland, 234 = Faroe Islands
   '
   If (oClient.Port <> 25) Then
      If InStr("|999|208|304|234|", NerdLookup(oClient.IPAddress)) = 0 Then
         If IDSPortMon(oClient.IPAddress, oClient.Port) Then
            Result.Value = 1
            strPort = Trim(Mid("SMTP IMAP SMTPSSUBM IMAPS", InStr("25   143  465  587  993  ", oClient.Port), 5))
            Call AutoBan(oClient.IPAddress, "PORTBLOCK - " & strPort, 1, "d")
            EventLog.Write( "Call AutoBan(" & oClient.IPAddress & ", PORTBLOCK - " & strPort & ", 1, d)" )
            Exit Sub
         Else
            Result.Value = 1
         End If
      End If
   End If

jimimaseye
Moderator

Re: Port 143 attack

Post by jimimaseye » 2018-10-28 00:20

SorenR wrote:
2018-10-27 23:37
I left it open and monitored it for 5 minutes and the username did not change. Occasionally one slips through with a code 999 or is allowed per condition. I find them in IP Ranges after 2 invalid logins as "Auto-ban: password@acme.inc". What's so special about "password@*" that you would have such a user ??
I think this is an ill-written malware script - sort of malfunctioning, if you will.

[Entered by mobile. Excuse my spelling.]

mattg
Moderator

Re: Port 143 attack

Post by mattg » 2018-10-28 02:32

so same password, 2200+ different IP addresses, all port 993

Are they all trying the same password?
How can you test? Wireshark perhaps

I think if the same password then a coordinated DDOS from lots of IPs, if a different password is tried then I think a coordinated attempt to compromise your server.

I can't see that this is a single malware script that is running (or malfunctioning) because of the 2200+ IPs involved.

Is the actual logon tried really 'password@'? I thought perhaps you were just using that as an example...

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-28 06:33

The user is named "password", that's why it is so weird.

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-28 07:20

So... in the period from 2018-10-27 22:46:17 to 2018-10-28 00:56:08 I found 29 of 394 came back a 2nd time. It's been quiet since 1 AM.

So, when to autoban? 2nd or 3rd attempt? Clearly banning on 1st attempt is a dead end - performance wise :wink:

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-28 18:12

SorenR wrote:
2018-10-28 07:20
So... in the period from 2018-10-27 22:46:17 to 2018-10-28 00:56:08 I found 29 of 394 came back a 2nd time. It's been quiet since 1 AM.

So, when to autoban? 2nd or 3rd attempt? Clearly banning on 1st attempt is a dead end - performance wise :wink:
2018-10-27 22:46:17 to 2018-10-28 17:07:58 ... 1703 hits, 101 came back a 2nd time and 5 got banned (hits>2).

IP Ranges have 4 Auto-Ban on "password@acme.inc" and 3 new Auto-Ban on "jamin@acme.inc" ( 1 from my own ISP and two 999's from Kosovo ).

jimimaseye
Moderator

Re: Port 143 attack

Post by jimimaseye » 2018-10-28 18:18

You're not able to change your IP address?

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-28 18:20

jimimaseye wrote:
2018-10-28 18:18
You're not able to change your IP address?
Not an option, I pay money for it to stay fixed and it has been the same since 2006 :mrgreen:

Alternative is to close access to 993 and 465 for 12 hours if hit rate exceeds 10 hits/min ... or something like that 8)

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-10-28 21:39

Port 993 and 465 now officially closed until further notice :evil:

It's interfering with streaming F1 in Mexico ... :mrgreen:

jimimaseye
Moderator

Re: Port 143 attack

Post by jimimaseye » 2018-10-28 22:51

SorenR wrote:
2018-10-28 21:39
It's interfering with streaming F1 in Mexico ... :mrgreen:
And that is out of order.

Well done.

Signed

VERY happy. (4th)

Dravion
Senior user

Re: Port 143 attack

Post by Dravion » 2018-10-29 11:41

This is not an hMailServer-only problem. I run a few mail servers with Postfix and Dovecot on Linux and I get failed login attempts from all over
the planet all the time, while running a strict local on-server firewall (iptables) and a hoster DDoS-protection firewall in front of it.

A piece of my daily Postfix (SMTP) and Dovecot (IMAP) logs:

Oct 29 10:21:44 matrix postfix-smtp.mydomain.com/smtpd[22184]: warning: unknown[185.234.219.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 29 10:21:44 matrix postfix-smtp.mydomain.com/smtpd[22184]: lost connection after AUTH from unknown[185.234.219.23]
Oct 29 10:21:44 matrix postfix-smtp.mydomain.com/smtpd[22184]: disconnect from unknown[185.234.219.23]
Oct 29 10:22:30 matrix postfix-smtp.mydomain.com/smtpd[22184]: connect from unknown[185.36.81.20]
Oct 29 10:22:32 matrix postfix-smtp.mydomain.com/smtpd[22184]: warning: unknown[185.36.81.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 29 10:22:32 matrix postfix-smtp.mydomain.com/smtpd[22184]: lost connection after AUTH from unknown[185.36.81.20]
Oct 29 10:22:32 matrix postfix-smtp.mydomain.com/smtpd[22184]: disconnect from unknown[185.36.81.20]
Oct 29 10:23:41 matrix postfix/anvil[25294]: statistics: max connection rate 1/120s for ([x.x.x.x]:smtp:185.36.81.20) at Oct 29 10:15:52
Oct 29 10:23:41 matrix postfix/anvil[25294]: statistics: max connection count 1 for ([x.x.x.x]:smtp:185.36.81.20) at Oct 29 10:15:52
Oct 29 10:23:41 matrix postfix/anvil[25294]: statistics: max cache size 5 at Oct 29 10:20:23
Oct 29 10:25:50 matrix postfix-smtp.mydomain.com/smtpd[22591]: connect from unknown[185.36.81.20]
Oct 29 10:25:52 matrix postfix-smtp.mydomain.com/smtpd[22591]: warning: unknown[185.36.81.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 29 10:25:52 matrix postfix-smtp.mydomain.com/smtpd[22591]: lost connection after AUTH from unknown[185.36.81.20]
Oct 29 10:25:52 matrix postfix-smtp.mydomain.com/smtpd[22591]: disconnect from unknown[185.36.81.20]
Oct 29 10:29:12 matrix postfix-smtp.mydomain.com/smtpd[22787]: connect from unknown[185.36.81.20]
Oct 29 10:29:14 matrix postfix-smtp.mydomain.com/smtpd[22787]: warning: unknown[185.36.81.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 29 10:29:14 matrix postfix-smtp.mydomain.com/smtpd[22787]: lost connection after AUTH from unknown[185.36.81.20]
Oct 29 10:29:14 matrix postfix-smtp.mydomain.com/smtpd[22787]: disconnect from unknown[185.36.81.20]
Oct 29 10:29:49 matrix postfix-smtp.mydomain.com/smtpd[22787]: connect from unknown[185.234.219.23]
Oct 29 10:29:52 matrix postfix-smtp.mydomain.com/smtpd[22787]: warning: unknown[185.234.219.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Oct 29 10:29:52 matrix postfix-smtp.mydomain.com/smtpd[22787]: lost connection after AUTH from unknown[185.234.219.23]
Oct 29 10:29:52 matrix postfix-smtp.mydomain.com/smtpd[22787]: disconnect from unknown[185.234.219.23]
Oct 29 10:31:13 matrix dovecot: imap-login: Login: user=<jano@mydomain.com>, method=PLAIN, rip=77.177.216.190, lip=188.68.62.25, mpid=22977, TLS, session=<lHnkulp5ggBNsdi+>

Even if you ban the bots, they will come back after the unban script has reset all the ban entries.
In this case, only a good password policy and some moderate filtering can help. Of course it's possible to GEO-block, but it's
a strange business, blocking entire regions to get rid of the few bad apples.
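As an added example (not code from any poster in this thread, nor from hMailServer or Postfix), here is the failed-login tally a practitioner would run over both log formats shown above: the hMailServer IMAPD lines SorenR posted earlier (username on the RECEIVED "login" line, verdict on the following SENT line of the same session) and the Postfix SASL lines in the post just above. It counts failures per source IP, counts distinct IPs per username (one username tried once from a large pool of IPs is the pattern discussed in this thread), and applies the "ban after N attempts" rule from the discussion. The sample lines are constructed with TEST-NET addresses and invented session ids; the threshold of 3, the function names and the summary fields are assumptions. The helper at the end decodes the base64 tail of a Postfix "SASL LOGIN authentication failed" line: UGFzc3dvcmQ6 is the base64 of the server's "Password:" challenge.

```python
"""Tally failed mail logins from hMailServer IMAPD and Postfix/SASL log lines
and decide which source IPs cross a ban threshold (added example)."""
import base64
import binascii
import re
from collections import Counter, defaultdict

# hMailServer log line: tab-separated quoted fields
# kind, thread id, session id, timestamp, client ip, message.
HMS_RE = re.compile(
    r'^"IMAPD"\t\d+\t(?P<sess>\d+)\t"[^"]*"\t"(?P<ip>[\d.]+)"\t"(?P<msg>.*)"$'
)
HMS_LOGIN_RE = re.compile(r"^RECEIVED: \S+ login (?P<user>\S+)", re.IGNORECASE)
HMS_FAIL = "NO Invalid user name or password"
# Postfix smtpd: "warning: <host>[<ip>]: SASL <mech> authentication failed: <base64>"
PF_RE = re.compile(
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL (?P<mech>\S+) authentication failed: (?P<detail>\S+)"
)

# Constructed sample lines (TEST-NET addresses, not real traffic), shaped like
# the two formats quoted in this thread. Session ids and times are invented.
HMS_LINES = [
    '"IMAPD"\t2504\t462\t"2018-10-27 22:00:47.558"\t"192.0.2.10"\t"RECEIVED: 1 capability"',
    '"IMAPD"\t2504\t462\t"2018-10-27 22:00:50.511"\t"192.0.2.10"\t"RECEIVED: 2 login password@acme.inc ***"',
    '"IMAPD"\t2504\t462\t"2018-10-27 22:00:50.511"\t"192.0.2.10"\t"SENT: 2 NO Invalid user name or password."',
    '"IMAPD"\t2504\t463\t"2018-10-27 22:00:55.000"\t"192.0.2.11"\t"RECEIVED: 1 login password@acme.inc ***"',
    '"IMAPD"\t2504\t463\t"2018-10-27 22:00:55.100"\t"192.0.2.11"\t"SENT: 1 NO Invalid user name or password."',
    '"IMAPD"\t2504\t464\t"2018-10-27 22:01:10.000"\t"192.0.2.10"\t"RECEIVED: 1 login password@acme.inc ***"',
    '"IMAPD"\t2504\t464\t"2018-10-27 22:01:10.100"\t"192.0.2.10"\t"SENT: 1 NO Invalid user name or password."',
    '"IMAPD"\t2504\t465\t"2018-10-27 22:01:20.000"\t"192.0.2.10"\t"RECEIVED: 1 login password@acme.inc ***"',
    '"IMAPD"\t2504\t465\t"2018-10-27 22:01:20.100"\t"192.0.2.10"\t"SENT: 1 NO Invalid user name or password."',
]
PF_LINES = [
    "Oct 29 10:21:44 matrix postfix/smtpd[22184]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Oct 29 10:21:44 matrix postfix/smtpd[22184]: disconnect from unknown[198.51.100.23]",
    "Oct 29 10:22:32 matrix postfix/smtpd[22184]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Oct 29 10:25:52 matrix postfix/smtpd[22591]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Oct 29 10:29:14 matrix postfix/smtpd[22787]: warning: unknown[198.51.100.20]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
    "Oct 29 10:29:52 matrix postfix/smtpd[22787]: warning: unknown[198.51.100.23]: SASL LOGIN authentication failed: UGFzc3dvcmQ6",
]


def parse_failures(lines):
    """Return [(ip, username_or_None, service)] for every rejected login.

    hMailServer logs the username on the RECEIVED 'login' line and the verdict
    on the next SENT line of the same session, so the username is held per
    session id until the verdict arrives. Postfix does not log the username
    for a failed SASL LOGIN, so it is None there.
    """
    pending = {}
    failures = []
    for line in lines:
        m = HMS_RE.match(line)
        if m:
            sess, ip, msg = m.group("sess"), m.group("ip"), m.group("msg")
            login = HMS_LOGIN_RE.match(msg)
            if login:
                pending[sess] = login.group("user")
            elif HMS_FAIL in msg:
                failures.append((ip, pending.pop(sess, None), "imap"))
            continue
        m = PF_RE.search(line)
        if m:
            failures.append((m.group("ip"), None, "smtp"))
    return failures


def decode_sasl_detail(detail):
    """Decode the base64 tail of a Postfix SASL failure line. 'UGFzc3dvcmQ6' is
    'Password:', the LOGIN mechanism's password prompt, so the client reached
    the password step before failing. Non-base64 text is returned unchanged."""
    try:
        return base64.b64decode(detail, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return detail


def summarize(failures, threshold=3):
    """Ban IPs with >= threshold failures and report the spread of the attack:
    how many IPs came back at all, and how many distinct IPs tried each
    username (one username from a big pool of IPs, one attempt each, is the
    pattern described in this thread, and why a 1-strike ban bloats the
    IP Ranges list)."""
    per_ip = Counter(ip for ip, _, _ in failures)
    ips_per_user = defaultdict(set)
    for ip, user, _ in failures:
        if user:
            ips_per_user[user].add(ip)
    return {
        "bans": {ip: n for ip, n in per_ip.items() if n >= threshold},
        "distinct_ips": len(per_ip),
        "repeat_ips": sum(1 for n in per_ip.values() if n >= 2),
        "ips_per_user": {u: len(s) for u, s in ips_per_user.items()},
    }


if __name__ == "__main__":
    found = parse_failures(HMS_LINES + PF_LINES)
    for ip, user, svc in found:
        print(svc, ip, user or "-")
    print(summarize(found, threshold=3))
    print(decode_sasl_detail("UGFzc3dvcmQ6"))
```

Run it over a real log by replacing the two constructed lists with the file's lines; `summarize` is deliberately separate from `parse_failures` so the threshold (the "2nd or 3rd attempt?" question) can be tuned against the same parsed data.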

SorenR
Senior user

Re: Port 143 attack

Post by SorenR » 2018-11-02 17:56

It's been quiet all week, now they are at it again... "12345@acme.inc" - how inventive :mrgreen: 2009 hits so far since 2018-11-01 16:31:24 GMT+1. Current time 2018-11-02 16:57:20 GMT+1.

Anyways I found a bug in my implementation of zz.countries.nerd.dk

The ISO 3166 codes list Albania as "008" and Denmark as "208". I missed the leading zeros so a RegEx would match "8" to "208" :roll:

Code:

' Look up the country of strIP through the zz.countries.nerd.dk zone.
' The zone answers 127.0.x.y, where x*256+y is the ISO 3166-1 numeric code.
' The code is returned zero-padded to three digits, so "008" (Albania) can no
' longer be matched inside "208" (Denmark) by InStr or a RegEx.
Function NerdLookup(strIP)
   Dim a
   a = Split(strIP, ".")
   ' Reversed octets, as for any DNS-based IP list.
   With CreateObject("SScripting.IPNetwork")
      strIP = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zz.countries.nerd.dk")
   End With
   If Left(strIP, 3) <> "127" Then
      NerdLookup = "000"   ' no 127.x.y.z answer: country unknown
   Else
      a = Split(strIP, ".")
      NerdLookup = Right("00" & CStr(a(2)*256 + a(3)), 3)   ' zero-pad to three digits
   End If
End Function
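An added example, not SorenR's code and not part of hMailServer: the same zz.countries.nerd.dk lookup in Python, with the zero-padding fix from the post above and an exact-match allow-list instead of the InStr substring test, plus the port rule from the OnClientConnect snippet earlier in the thread (port 25 always accepted, everything else only from an allowed country). The zone name and the 127.0.x.y encoding are the ones the posted VBScript decodes; the resolver is injectable, and the constructed FAKE_ANSWERS table (TEST-NET addresses, invented answers) lets it run offline. Function names, the choice to accept unresolvable IPs and the TEST-NET data are assumptions.

```python
"""Country allow-list via zz.countries.nerd.dk (added example). The zone
answers 127.0.x.y for a reversed-octet query, with x*256+y being the ISO
3166-1 numeric country code."""
import ipaddress
import socket

NERD_ZONE = "zz.countries.nerd.dk"
# Numeric codes quoted in the thread: Denmark, Greenland, Faroe Islands.
DANISH_REALM = frozenset({"208", "304", "234"})


def nerd_query_name(ip):
    """Reverse the octets of an IPv4 address to form the zone query name."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + NERD_ZONE


def code_from_answer(answer):
    """Decode a 127.0.x.y answer into a zero-padded three-digit code, else None."""
    if not answer or not answer.startswith("127."):
        return None
    a = answer.split(".")
    return "%03d" % (int(a[2]) * 256 + int(a[3]))


def lookup_country(ip, resolve=socket.gethostbyname):
    """Return the 3-digit code for ip, or None when the zone has no entry.
    `resolve` maps a name to an IPv4 string; the default does a live DNS
    query, the test below passes a fake so the example runs offline."""
    try:
        answer = resolve(nerd_query_name(ip))
    except OSError:  # socket.gaierror (NXDOMAIN etc.) is a subclass of OSError
        answer = None
    return code_from_answer(answer)


def allowed_substring(code, allow="|999|208|304|234|"):
    """The check as posted (InStr on a delimited string). With an unpadded
    code this is a substring match: "8" is found inside "208"."""
    return code in allow


def allowed_exact(code, allow=DANISH_REALM, allow_unknown=True):
    """Exact membership on padded codes; an unresolvable origin is a policy
    choice (assumed here: allow, as the posted script does for its N/A code)."""
    if code is None:
        return allow_unknown
    return code in allow


def block_connection(port, ip, resolve=socket.gethostbyname):
    """Mirror the posted OnClientConnect rule: SMTP on port 25 is always
    accepted, every other port only from an allowed country."""
    if port == 25:
        return False
    return not allowed_exact(lookup_country(ip, resolve))


# Constructed offline resolver: TEST-NET addresses mapped to invented answers.
FAKE_ANSWERS = {
    nerd_query_name("192.0.2.1"): "127.0.0.8",    # 008 = Albania
    nerd_query_name("192.0.2.2"): "127.0.0.208",  # 208 = Denmark
    nerd_query_name("192.0.2.3"): "127.0.1.48",   # 1*256+48 = 304 = Greenland
}


def fake_resolve(name):
    """Stand-in for socket.gethostbyname that only knows FAKE_ANSWERS."""
    if name not in FAKE_ANSWERS:
        raise socket.gaierror("NXDOMAIN (fake)")
    return FAKE_ANSWERS[name]


if __name__ == "__main__":
    for ip in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"):
        code = lookup_country(ip, fake_resolve)
        print(ip, code, "block 993:", block_connection(993, ip, fake_resolve))
```

The two `allowed_*` functions side by side show the bug: `allowed_substring("8")` is true because "8" sits inside "208", while the padded "008" fails both the substring test and the exact set test, which is the behaviour the padding fix was meant to restore.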

jimimaseye
Moderator

Re: Port 143 attack

Post by jimimaseye » 2018-11-02 19:06

Doh.
