
Another weird attack

Posted: 2019-08-25 03:27
by mattg
I have someone or something trying:

info@
admin@
noreply@
contact@
postmaster@
reply@

for each of my domains, including some domains that had their DNS records removed a couple of months back.

Tries from one IP get banned.
Tries from another IP get banned.

Still trying (days later).

Re: Another weird attack

Posted: 2019-08-25 05:51
by katip
I had the same attack between June 17 and 23:

biuro
contact
contato
domainman
mail
mailer-daemon
marketing
newsletter
noreply
no-reply
office
reply
sales
service
support
webmaster

214 times during that period to each of them.
Connecting IPs: 185.222.211.12 and .13.
Each try in one single lot.

(Never ever had any of those accounts on my system.)

Re: Another weird attack

Posted: 2019-10-15 08:47
by jim.bus
I believe I mentioned in some of my other topic posts that I was getting maybe something similar for about a week or so.

A connection to hMailServer would come in on port 25 and attempt to send (RCPT TO ABC@Domain.COM) to a massive number of different email IDs, as though it was one gigantic distribution list, meaning they all came in on just one connection and, after what was a massive number of RCPT TO commands, it just dropped the connection.

Re: Another weird attack

Posted: 2019-10-15 11:06
by mattg
What version are you using, jim.bus?

Re: Another weird attack

Posted: 2019-10-15 11:45
by Dravion
You can check out this utility, but it's an early test release. There is a known bug if you have tons of attackers. For now, it requires you to press the Stop and Start buttons again after a while.

https://www.hmailserver.com/forum/viewt ... 21&t=34145

Re: Another weird attack

Posted: 2019-10-15 12:28
by jim.bus
mattg wrote:
2019-10-15 11:06
what version are you using jim.bus ?
Version 5.6.7-B2425.

So far the attack hasn't recurred, and hMailServer of course took care of the attack and didn't allow logging on. From what was happening, it looked like maybe someone trying to guess what IDs were on my email server so they could probably subsequently try guessing the password. They seemed to concentrate on one or maybe two domains at a time. I believe in one instance they actually started on a real ID, or they found a real ID. Someone I communicate with apparently got hacked themselves, and the hackers do have one of my email IDs out there, but not the password. Mostly I just see it occasionally when someone sends junk/malware email to me which potentially carries a malicious link.

By the way, the email alert for your posting to this topic came to me again with an http link and not an https link, so the logon and connection to this forum topic is not secured. Just in case you are interested.

Re: Another weird attack

Posted: 2019-10-15 13:13
by palinka
I've been getting botnet "attacks" recently where there is a coordinated attempt of a dozen or so connections over the course of a minute. It's immediately noticeable because they all use the same HELO. So far they've all been on port 25. They get rejected and firewall banned.
[Attachment: Screenshot_20191015-070704_Brave.jpg]
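The three patterns described in this thread (katip's and jim.bus's single connection hammering RCPT TO against role-account names that never existed, and palinka's burst of a dozen hosts all announcing the same HELO) are easy to pull out of an SMTPD log before the firewall bans kick in. The script below is an added example and is not part of any post or of hMailServer itself. It builds a small constructed log whose layout is loosely modelled on hMailServer's tab-separated SMTPD log lines ("SMTPD", thread, session, timestamp, client IP, message); the thresholds, the 203.0.113.x and 198.51.100.x addresses and the HELO string `mta-node` are assumptions chosen for the demonstration, not values from the thread.

```python
"""Flag SMTP recipient enumeration and same-HELO bursts in SMTPD-style logs.

Added example, not hMailServer code. The log format is an assumption loosely
modelled on hMailServer's SMTPD log; the sample data is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^"SMTPD"\t\d+\t(\d+)\t"([^"]+)"\t"([^"]+)"\t"(.*)"$')
RCPT_RE = re.compile(r'RECEIVED: RCPT TO:<([^>]+)>', re.I)
HELO_RE = re.compile(r'RECEIVED: (?:EHLO|HELO) (\S+)', re.I)
REJECT_RE = re.compile(r'SENT: 550 ')
TS_FMT = '%Y-%m-%d %H:%M:%S.%f'

# Role-account names like the ones listed in the thread.
ROLE_NAMES = ['info', 'admin', 'noreply', 'contact', 'postmaster', 'reply',
              'sales', 'support', 'webmaster', 'office', 'marketing', 'newsletter']


def _line(session, ts, ip, msg):
    """Render one constructed SMTPD-style log line (tab separated)."""
    stamp = ts.strftime(TS_FMT)[:-3]  # millisecond precision
    return '\t'.join(['"SMTPD"', '3056', str(session), f'"{stamp}"', f'"{ip}"', f'"{msg}"'])


def build_sample_log():
    """Constructed sample: one enumeration session, one clean delivery, one HELO burst."""
    lines = []
    # Session 12: a single connection probing role accounts on two domains (jim.bus/katip pattern).
    t, ip = datetime(2019, 10, 15, 12, 0, 0), '185.222.211.12'
    lines.append(_line(12, t, ip, 'RECEIVED: EHLO mx.example.org'))
    lines.append(_line(12, t, ip, 'RECEIVED: MAIL FROM:<x@example.org>'))
    for name in ROLE_NAMES:
        for dom in ('example.com', 'example.net'):
            t += timedelta(milliseconds=50)
            lines.append(_line(12, t, ip, f'RECEIVED: RCPT TO:<{name}@{dom}>'))
            t += timedelta(milliseconds=10)
            lines.append(_line(12, t, ip, 'SENT: 550 Unknown user'))
    # Session 20: a legitimate delivery to one real mailbox; must not be flagged.
    t, ip = datetime(2019, 10, 15, 12, 5, 0), '198.51.100.7'
    lines += [_line(20, t, ip, 'RECEIVED: EHLO mail.partner.example'),
              _line(20, t, ip, 'RECEIVED: RCPT TO:<alice@example.com>'),
              _line(20, t, ip, 'SENT: 250 OK')]
    # Sessions 31-35: five hosts announce the same HELO within a minute (palinka's pattern).
    t = datetime(2019, 10, 15, 12, 10, 0)
    for n in range(5):
        ip, when = f'203.0.113.{n + 1}', t + timedelta(seconds=12 * n)
        lines.append(_line(31 + n, when, ip, 'RECEIVED: HELO mta-node'))
        lines.append(_line(31 + n, when, ip, 'RECEIVED: RCPT TO:<info@example.com>'))
        lines.append(_line(31 + n, when, ip, 'SENT: 550 Unknown user'))
    return '\n'.join(lines)


class Session:
    """Per-connection state: client IP, HELO name, first timestamp, recipients, 550 count."""
    def __init__(self, ip):
        self.ip, self.helo, self.first, self.rcpts, self.rejects = ip, None, None, [], 0


def parse_log(text):
    """Group log lines by (client ip, session id) and extract HELO, RCPT TO and 550 replies."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # non-SMTPD or unparsable line
        sid, ts, ip, msg = m.groups()
        s = sessions.setdefault((ip, sid), Session(ip))
        when = datetime.strptime(ts, TS_FMT)
        if s.first is None:
            s.first = when
        helo, rcpt = HELO_RE.search(msg), RCPT_RE.search(msg)
        if helo:
            s.helo = helo.group(1).lower()
        elif rcpt:
            s.rcpts.append(rcpt.group(1).lower())
        elif REJECT_RE.search(msg):
            s.rejects += 1
    return sessions


def enumeration_sessions(sessions, min_rcpt=10, min_reject_ratio=0.8):
    """Sessions with many RCPT TO commands, nearly all rejected: address-guessing on one connection."""
    hits = []
    for (ip, sid), s in sessions.items():
        if len(s.rcpts) >= min_rcpt and s.rejects / len(s.rcpts) >= min_reject_ratio:
            domains = sorted({r.split('@', 1)[1] for r in s.rcpts})
            hits.append((ip, sid, len(s.rcpts), s.rejects, domains))
    return hits


def helo_bursts(sessions, window=timedelta(seconds=60), min_ips=5):
    """HELO names presented by at least min_ips distinct client IPs inside one time window."""
    by_helo = defaultdict(list)
    for s in sessions.values():
        if s.helo and s.first:
            by_helo[s.helo].append((s.first, s.ip))
    bursts = {}
    for helo, events in by_helo.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window from each start time
            ips = {ip for t, ip in events[i:] if t - t0 <= window}
            if len(ips) >= min_ips:
                bursts[helo] = sorted(ips)
                break
    return bursts


def probed_local_parts(sessions):
    """Local parts tried across all sessions, most frequent first (the attacker's wordlist)."""
    counts = defaultdict(int)
    for s in sessions.values():
        for r in s.rcpts:
            counts[r.split('@', 1)[0]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == '__main__':
    sess = parse_log(build_sample_log())
    for hit in enumeration_sessions(sess):
        print('recipient enumeration:', hit)
    for helo, ips in helo_bursts(sess).items():
        print('same-HELO burst:', helo, ips)
    print('most-probed local parts:', probed_local_parts(sess)[:5])
```

The enumeration check keys on the ratio of 550 replies to RCPT TO commands inside one session rather than on raw volume, so a legitimate mailing-list delivery to many real mailboxes is not flagged, while a probe of role accounts that do not exist is. The HELO check is the one palinka describes: the same announced name from several source addresses within a minute is the tell, since firewall bans by IP alone never catch the cluster as a whole. In a live deployment the sample log would be replaced by the real SMTPD log file, and the thresholds tuned to the server's normal traffic.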

Re: Another weird attack

Posted: 2019-10-15 13:44
by mattg
jim.bus wrote:
2019-10-15 12:28
Version 5.6.7-B2425.
#5 here >> viewtopic.php?f=10&t=30193&start=180#p213193

Also fixed in the new ALPHA 5.7 that I am running.