Another weird attack


Post by mattg » 2019-08-25 03:27

I have someone or something trying

info@
admin@
noreply@
contact@
postmaster@
reply@

For each of my domains, including some domains that had their DNS records removed a couple of months back

Tries from 1 IP gets banned.
Tries from another IP gets banned.

Still trying (days later)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation


Post by katip » 2019-08-25 05:51

I had the same attack between June 17-23.

biuro
contact
contato
domainman
mail
mailer-daemon
marketing
newsletter
noreply
no-reply
office
reply
sales
service
support
webmaster

214 times during that period to each of them.
connecting IP: 185.222.211.12 and 13
each try in 1 single lot.

(never ever had any of those accounts in my system)
Katip
--
HMS 5.7.0-B2428-LTS-64-bit, MySQL 5.7.24, SA 3.4.2, ClamAV 0.101.2 + SaneS


Post by jim.bus » 2019-10-15 08:47

Believe I mentioned in some of my other Topic posts that I was getting maybe something similar for about a week or so.

A connection to hMailServer would come in on Port 25 and attempt to send (RCPT TO ABC@Domain.COM) a massive amount of different email IDs as though it was one gigantic Distribution List, meaning they came in on just one connection and, after what were a massive amount of RCPT TO commands, just drop the connection.
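
A log check for the pattern described in the posts above (one connection probing many role addresses with RCPT TO, each one rejected), as an added example that is not part of any post in this thread or of hMailServer itself. The six-field tab-separated line layout, the `550 Unknown user` reply text, the threshold and the function names are assumptions, and the sample log is constructed.

```python
import csv
from collections import defaultdict

ROLE_NAMES = ["info", "admin", "noreply", "contact", "postmaster", "reply"]

def _line(session, ip, message):
    # Assumed layout: type, thread id, session id, timestamp, remote IP, message.
    return f'"SMTPD"\t100\t{session}\t"2019-08-25 03:27:00.000"\t"{ip}"\t"{message}"'

def build_sample_log():
    """Constructed log: session 7 probes role addresses, session 8 is normal mail."""
    lines = [_line(7, "192.0.2.10", "RECEIVED: HELO probe.example")]
    for name in ROLE_NAMES:
        lines.append(_line(7, "192.0.2.10", f"RECEIVED: RCPT TO:<{name}@example.com>"))
        lines.append(_line(7, "192.0.2.10", "SENT: 550 Unknown user"))
    lines.append(_line(8, "198.51.100.5", "RECEIVED: RCPT TO:<alice@example.com>"))
    lines.append(_line(8, "198.51.100.5", "SENT: 250 OK"))
    return "\n".join(lines)

def find_harvest_sessions(log_text, min_rejected=5):
    """Return {session id: (ip, rejected recipients)} for sessions at or over the threshold."""
    pending = {}                  # session -> recipient still waiting for the server reply
    rejected = defaultdict(list)  # session -> recipients answered with 550
    source = {}                   # session -> remote IP
    for row in csv.reader(log_text.splitlines(), delimiter="\t"):
        if len(row) != 6 or row[0] != "SMTPD":
            continue              # skip other log types and malformed lines
        session, ip, message = row[2], row[4], row[5]
        source[session] = ip
        upper = message.upper()
        if upper.startswith("RECEIVED: RCPT TO:"):
            pending[session] = message.split(":", 2)[2].strip().strip("<>").lower()
        elif upper.startswith("SENT: "):
            rcpt = pending.pop(session, None)
            if rcpt and message[6:].startswith("550"):
                rejected[session].append(rcpt)
    return {s: (source[s], r) for s, r in rejected.items() if len(r) >= min_rejected}

if __name__ == "__main__":
    for session, (ip, rcpts) in find_harvest_sessions(build_sample_log()).items():
        print(f"session {session} from {ip}: {len(rcpts)} rejected recipients: {rcpts}")
```

Counting rejected recipients per session, rather than per IP, still flags the probing when the source address changes after each ban.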


Post by mattg » 2019-10-15 11:06

What version are you using, jim.bus?


Post by Dravion » 2019-10-15 11:45

You can check out this utility, but it's an early test release. There is a known bug if you have tons of attackers. For now, it requires you to press the Stop and Start buttons again after a while.

https://www.hmailserver.com/forum/viewt ... 21&t=34145


Post by jim.bus » 2019-10-15 12:28

mattg wrote (2019-10-15 11:06):
"what version are you using jim.bus ?"

Version 5.6.7-B2425.

So far the attack hasn't reoccurred and hMailServer of course took care of the attack and didn't allow logging on. From what was happening, it looked like maybe someone trying to guess what IDs were on my Email Server so they could probably subsequently then try guessing the Password. They seemed to concentrate on one or maybe two domains at a time. I believe in one instance they actually started on a real ID or they found a Real ID. Someone I communicate with apparently got hacked themselves and the Hackers do have one of my Email IDs out there but not the Password. Mostly I just see it occasionally when someone sends junk/malware email to me which potentially carries a malicious link.

By the way the email alert for your Posting to this topic came to me again with an http link and not an https link so the logon and connection to this Forum Topic is not secured. Just in case you are interested.


Post by palinka » 2019-10-15 13:13

I've been getting bot net "attacks" recently where there is a coordinated attempt of a dozen or so connections over the course of a minute. It's immediately noticeable because they all use the same HELO. So far they've all been on port 25. They get rejected and firewall banned.


Post by mattg » 2019-10-15 13:44

jim.bus wrote (2019-10-15 12:28):
"Version 5.6.7-B2425."

#5 here >> viewtopic.php?f=10&t=30193&start=180#p213193

Also fixed in the new ALPHA 5.7 that I am running