mailboxvalidator.com

Forum for things that doesn't really have anything to do with hMailServer. Such as php.ini, beer, etc etc.
Post Reply
User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

mailboxvalidator.com

Post by RvdH » 2021-05-01 17:23

Today i noticed hundreds of connection attempts, originating from domain mailboxvalidator.com

Code: Select all

"SMTPD"	8472	14728	"2021-05-01 15:46:57.359"	"149.56.101.37"	"SENT: 220 mail.domain.com ESMTP"
"SMTPD"	2136	14728	"2021-05-01 15:46:57.454"	"149.56.101.37"	"RECEIVED: HELO mailboxvalidator.com"
"SMTPD"	2136	14728	"2021-05-01 15:46:57.625"	"149.56.101.37"	"SENT: 250 Hello."
"SMTPD"	2136	14728	"2021-05-01 15:46:57.719"	"149.56.101.37"	"RECEIVED: MAIL FROM:<support@mailboxvalidator.com>"
"SMTPD"	2136	14728	"2021-05-01 15:46:57.735"	"149.56.101.37"	"SENT: 250 OK"
"SMTPD"	8472	14728	"2021-05-01 15:46:57.828"	"149.56.101.37"	"RECEIVED: RCPT TO:<genevie.gloria.mungoland@domain.com>"
"SMTPD"	8472	14728	"2021-05-01 15:46:57.828"	"149.56.101.37"	"SENT: 550 Unknown user"
"SMTPD"	9136	14728	"2021-05-01 15:46:57.922"	"149.56.101.37"	"RECEIVED: QUIT"
"SMTPD"	9136	14728	"2021-05-01 15:46:57.922"	"149.56.101.37"	"SENT: 221 goodbye"
Their website claims:
Secure and reliable email validation service to check for invalid email addresses. It connects to the mail server and checks whether the mailbox exists or not. It reduces email bounce rate & costs. It increases conversion rate & sender reputation.
But if you ask me, this is just a nasty email address harvester, and i ban it from more harvesting from now on, added OnSMTPData for mail coming from backup-mx

Code: Select all

Sub OnHELO(oClient)
	REM https://www.mailboxvalidator.com/
	strRegEx = "^.*(mailboxvalidator\.com)$"
	If Lookup(strRegEx, oClient.HELO) Then
		Result.Value = 1
		Call Disconnect(oClient.IPAddress)
	End if
End Sub

Sub OnSMTPData(oClient, oMessage)
	REM https://www.mailboxvalidator.com/
	strRegEx = "\@(.+\.)?mailboxvalidator\.com"
	If Lookup(strRegEx, oMessage.FromAddress) Then
		Result.Value = 1
		Call Disconnect(oClient.IPAddress)
	End if
End Sub

Function Lookup(strRegEx, strMatch)
	If strRegEx = "" Then Exit Function
	With CreateObject("VBScript.RegExp")
		.Global = False
		.Pattern = strRegEx
		.IgnoreCase = True
		Lookup = .Test(strMatch)
	End With
End Function
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 17:31

Mmm, although OnSMTPData is to late to block them i think, as this triggers after

Code: Select all

"SMTPD"	4168	16827	"2021-05-01 17:29:38.857"	"xxx-xxx-xxx-xxx"	"RECEIVED: RCPT TO:<something@domain.com>"
"SMTPD"	4168	16827	"2021-05-01 17:29:38.857"	"xxx-xxx-xxx-xxx"	"SENT: 250 OK"
"SMTPD"	4168	16827	"2021-05-01 17:29:38.857"	"xxx-xxx-xxx-xxx"	"RECEIVED: QUIT"
"SMTPD"	4168	16827	"2021-05-01 17:29:38.857"	"xxx-xxx-xxx-xxx"	"SENT: 221 goodbye"
No disconnect but AutoBan then it seems...

Code: Select all

Sub OnHELO(oClient)
	REM https://www.mailboxvalidator.com/
	strRegEx = "^.*(mailboxvalidator\.com)$"
	If Lookup(strRegEx, oClient.HELO) Then
		Call AutoBan(oClient.IPAddress, oClient.HELO, 1, "d")
	End if
End Sub
Last edited by RvdH on 2021-05-01 17:42, edited 3 times in total.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 17:38

I think we need an new Event Handler Søren, OnSMTPTo(oClient, oMessage) :mrgreen:
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 17:47

I just now noticed, the IP address ended up being detected/blocked by Søren's IDS.... only a bit too late (IDS handler runs every minute)
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
SorenR
Senior user
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: mailboxvalidator.com

Post by SorenR » 2021-05-01 18:09

"RECEIVED: HELO mailboxvalidator.com"
oClient.HELO is available in OnHELO()

"RECEIVED: MAIL FROM:<support@mailboxvalidator.com>"
oMessage.FromAddress is available in OnSMTPData()


Both oClient.HELO and oMessage.FromAddress contain "mailboxvalidator.com"

You need to check both subs when you get mail via a BackupMX. I generally bypass all script code in OnClientConnect and OnHELO when connection is from BackupMX ... I trust my BackupMX ;-)

However ...

I have this function that I call from OnAcceptMessage() that will extract original HELO and IPADDR.

Code: Select all

Function setEnvelope(oClient, oMessage)
    Dim i, a, strTo, strOriginalTo, strIP, strRegEx, oMatch, oMatchCollection
    If Lookup("from " & BACKUPMX, oMessage.HeaderValue("Received")) Then
        For i = 0 To oMessage.Headers.Count-1
            If (oMessage.Headers(i).Name = "Received") Then
                If Lookup("by " & BACKUPMX & " with", oMessage.Headers(i).Value) Then
                    a = Split( oMessage.Headers(i).Value, " " )
                    oMessage.HeaderValue("X-Envelope-HELO") = Trim(a(1))
                    strRegEx = "(?:\[)((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?:\])"
                    Set oMatchCollection = oLookup(strRegEx, oMessage.Headers(i).Value, False)
                    For Each oMatch In oMatchCollection
                        If oMatch.SubMatches.Count > 0 Then
                            oMessage.HeaderValue("X-Envelope-IP") = oMatch.SubMatches(0)
                        Else
                            oMessage.HeaderValue("X-Envelope-IP") = ""
                        End If
                    Next
                    Exit For
                End If
            End If
        Next
    Else
        oMessage.HeaderValue("X-Envelope-HELO") = Trim(oClient.HELO)
        oMessage.HeaderValue("X-Envelope-IP") = Trim(oClient.IPAddress)
    End If
    For i = 0 To oMessage.Recipients.Count-1
        If (i = 0) Then
            strTo = oMessage.Recipients(i).Address
            strOriginalTo = oMessage.Recipients(i).OriginalAddress
        Else
            strTo = strTo & ", " & oMessage.Recipients(i).Address
            strOriginalTo = strOriginalTo & ", " & oMessage.Recipients(i).OriginalAddress
        End If
    Next
    oMessage.HeaderValue("X-Envelope-To") = strTo
    oMessage.HeaderValue("X-Envelope-OriginalTo") = strOriginalTo
    oMessage.HeaderValue("X-Envelope-From") = oMessage.FromAddress
    oMessage.Save
    Set oMatch = Nothing
    Set oMatchCollection = Nothing
End Function
On the other hand ... My BackupMX is sitting next to my hMailServer on the shelf so I can run a subset of my Eventhandler on it. AutoBan works across both servers via a homemade REST API and they also share a few database tables. They also share the LAN but have different default gateways and ISP's.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 18:16

The point is they never try to send a message so they never reach OnAcceptMessage()
they just verify SENT: 250 OK is send after RCPT TO: mail@adres is received as it seems (they send QUIT command immediately after that)

I do use your Function isAutoBan(oMessage) to block blocked ip addresses that come thru through backup MX

So to be able to really target such "service" i think really something like OnSMTPRCPT is needed....but now i noticed it eventually triggered IDS I'm not so sure if it worth it
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 20:45

Just thinking out loud... what if we could trigger a event on "Unknown user"?
Then we possibly would be able to script something like Søren's IDS or adopt it to IDS to catch/block senders that trigger the "Unknown user" more then X times in a period of time

Concept, quick and dirty copied from OnSMTPDATA trigger

Code: Select all

      if (!recipientOK)
      {
         SendErrorResponse_(550, "Unknown user");

         if (Configuration::Instance()->GetUseScriptServer())
         {
            std::shared_ptr<ScriptObjectContainer> pContainer = std::shared_ptr<ScriptObjectContainer>(new ScriptObjectContainer);
            std::shared_ptr<ClientInfo> pClientInfo = std::shared_ptr<ClientInfo>(new ClientInfo);

            pClientInfo->SetUsername(username_);
            pClientInfo->SetIPAddress(GetIPAddressString());
            pClientInfo->SetPort(GetLocalEndpointPort());
            pClientInfo->SetHELO(helo_host_);
            pClientInfo->SetIsAuthenticated(isAuthenticated_);

            pContainer->AddObject("HMAILSERVER_CLIENT", pClientInfo, ScriptObject::OTClient);
            pContainer->AddObject("HMAILSERVER_MESSAGE", current_message_, ScriptObject::OTMessage);
            String sEventCaller = "OnRecipientUnknown(HMAILSERVER_CLIENT, HMAILSERVER_MESSAGE)";
            ScriptServer::Instance()->FireEvent(ScriptServer::EventOnRecipientUnknown, sEventCaller, pContainer);
         }

         return;
      }
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
SorenR
Senior user
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: mailboxvalidator.com

Post by SorenR » 2021-05-01 22:01

Perhaps redefine "OnDeliveryFailure()" ??

"OnEventFailure(oMessage, sRecipient, sErrorMessage)"

1: Unknown account
2: Message delivery cancelled during virus scanning
3: Message delivery cancelled during global rules
4: Message delivery cancelled during OnDeliverMessage-event
5: Delivery timeout
6: Recipient does not exist
7: Cannot resolve domain
...
X: ... ?
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 22:23

SorenR wrote:
2021-05-01 22:01
Perhaps redefine "OnDeliveryFailure()" ??

"OnEventFailure(oMessage, sRecipient, sErrorMessage)"

1: Unknown account
2: Message delivery cancelled during virus scanning
3: Message delivery cancelled during global rules
4: Message delivery cancelled during OnDeliverMessage-event
5: Delivery timeout
6: Recipient does not exist
7: Cannot resolve domain
...
X: ... ?
OnDeliveryFailure? Therefor the message first have to be accepted, and that (still) is the point....that is not the case here
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
SorenR
Senior user
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: mailboxvalidator.com

Post by SorenR » 2021-05-01 22:39

RvdH wrote:
2021-05-01 22:23
SorenR wrote:
2021-05-01 22:01
Perhaps redefine "OnDeliveryFailure()" ??

"OnEventFailure(oMessage, sRecipient, sErrorMessage)"

1: Unknown account
2: Message delivery cancelled during virus scanning
3: Message delivery cancelled during global rules
4: Message delivery cancelled during OnDeliverMessage-event
5: Delivery timeout
6: Recipient does not exist
7: Cannot resolve domain
...
X: ... ?
OnDeliveryFailure? Therefor the message first have to be accepted, and that (still) is the point....that is not the case here
Rename it to "OnEventFailure()" or something like that and make it trigger at any time during message handling ...
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 22:43

SorenR wrote:
2021-05-01 22:39
RvdH wrote:
2021-05-01 22:23
SorenR wrote:
2021-05-01 22:01
Perhaps redefine "OnDeliveryFailure()" ??

"OnEventFailure(oMessage, sRecipient, sErrorMessage)"

1: Unknown account
2: Message delivery cancelled during virus scanning
3: Message delivery cancelled during global rules
4: Message delivery cancelled during OnDeliverMessage-event
5: Delivery timeout
6: Recipient does not exist
7: Cannot resolve domain
...
X: ... ?
OnDeliveryFailure? Therefor the message first have to be accepted, and that (still) is the point....that is not the case here
Rename it to "OnEventFailure()" or something like that and make it trigger at any time during message handling ...
message handling? As said, we don't have a message at that stage....the message is rejected as the user is unknown
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 22:47

@matt :lol: :wink:

Code: Select all

"SMTPD"	5016	78	"2021-05-01 22:44:54.851"	"149.56.101.37"	"SENT: 220 mail.domain.com ESMTP"
"SMTPD"	8892	78	"2021-05-01 22:44:54.944"	"149.56.101.37"	"RECEIVED: HELO mailboxvalidator.com"
"SMTPD"	8892	78	"2021-05-01 22:44:55.085"	"149.56.101.37"	"SENT: 554 Oooops LOL"
"SMTPD"	5016	89	"2021-05-01 22:45:02.783"	"149.56.101.37"	"SENT: 220 mail.mail.domain.com ESMTP"
"SMTPD"	10668	89	"2021-05-01 22:45:02.861"	"149.56.101.37"	"RECEIVED: HELO mailboxvalidator.com"
"SMTPD"	10668	89	"2021-05-01 22:45:02.970"	"149.56.101.37"	"SENT: 554 Oooops LOL"
"SMTPD"	5016	93	"2021-05-01 22:45:06.424"	"149.56.101.37"	"SENT: 220 mail.mail.domain.com ESMTP"
"SMTPD"	6632	93	"2021-05-01 22:45:06.518"	"149.56.101.37"	"RECEIVED: HELO mailboxvalidator.com"
"SMTPD"	6632	93	"2021-05-01 22:45:06.642"	"149.56.101.37"	"SENT: 554 Hasta la vista, Baby"
"SMTPD"	10668	96	"2021-05-01 22:45:09.373"	"149.56.101.37"	"SENT: 220 mail.domain.com ESMTP"
"SMTPD"	6632	96	"2021-05-01 22:45:09.451"	"149.56.101.37"	"RECEIVED: HELO mailboxvalidator.com"
"SMTPD"	6632	96	"2021-05-01 22:45:09.560"	"149.56.101.37"	"SENT: 554 Have you tried switching it off and then on again"
"SMTPD"	10668	97	"2021-05-01 22:45:10.084"	"149.56.101.37"	"SENT: 220 mail.domain.com ESMTP"
"SMTPD"	6632	97	"2021-05-01 22:45:10.162"	"149.56.101.37"	"RECEIVED: HELO mailboxvalidator.com"
"SMTPD"	6632	97	"2021-05-01 22:45:10.271"	"149.56.101.37"	"SENT: 554 I'm sorry Jim, I can't do that"
"SMTPD"	5016	102	"2021-05-01 22:45:14.390"	"149.56.101.37"	"SENT: 220 mail.domain.com ESMTP"
"SMTPD"	10404	102	"2021-05-01 22:45:14.484"	"149.56.101.37"	"RECEIVED: HELO mailboxvalidator.com"
"SMTPD"	10404	102	"2021-05-01 22:45:14.593"	"149.56.101.37"	"SENT: 554 It's hard to have a battle of wits with someone who is half armed"
"SMTPD"	5016	104	"2021-05-01 22:45:20.802"	"149.56.101.37"	"SENT: 220 mail.domain.com ESMTP"
"SMTPD"	4636	104	"2021-05-01 22:45:20.896"	"149.56.101.37"	"RECEIVED: HELO mailboxvalidator.com"
"SMTPD"	4636	104	"2021-05-01 22:45:21.021"	"149.56.101.37"	"SENT: 554 Oooops LOL"
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
SorenR
Senior user
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: mailboxvalidator.com

Post by SorenR » 2021-05-01 22:49

oMessage object has been created with "MAiL FROM" so we have a message.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-01 22:53

SorenR wrote:
2021-05-01 22:49
oMessage object has been created with "MAiL FROM" so we have a message.
Wanna make a bet? I say $100 we have no 'complete' oMessage object
If most of the oMessage object is not available in OnSMTPData (as it is not send to us yet) it surely won't be available right before, and RCPT To is required before DATA
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

User avatar
mattg
Moderator
Moderator
Posts: 22437
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: mailboxvalidator.com

Post by mattg » 2021-05-02 07:06

RvdH wrote:
2021-05-01 22:47
@matt :lol: :wink:
Thanks, added that domain name to my OnHELO
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

User avatar
RvdH
Senior user
Senior user
Posts: 3235
Joined: 2008-06-27 14:42
Location: The Netherlands

Re: mailboxvalidator.com

Post by RvdH » 2021-05-02 09:10

@matt
Yes, this mailboxvalidator.com is easily stopped on OnHELO (as long they keep using this EHLO/HELO command)

But sometimes it's not that easy to block e-mailadres harvesters/spammers like this, eg:

Code: Select all

"SMTPD"	10700	9108	"2021-05-02 08:53:59.603"	"5.188.206.163"	"SENT: 220 mail.domain.com ESMTP"
"SMTPD"	7820	9108	"2021-05-02 08:53:59.947"	"5.188.206.163"	"RECEIVED: EHLO [5.188.206.171]"
"DEBUG"	7820	"2021-05-02 08:53:59.947"	"Executing event OnHELO"
"DEBUG"	7820	"2021-05-02 08:53:59.993"	"Event completed"
"SMTPD"	7820	9108	"2021-05-02 08:53:59.993"	"5.188.206.163"	"SENT: 250-mail.domain.com[nl]250-SIZE 51200000[nl]250-STARTTLS[nl]250 HELP"
"SMTPD"	5016	9108	"2021-05-02 08:54:00.337"	"5.188.206.163"	"RECEIVED: MAIL FROM:<o8wh9vpuhonfml@kdeliciamj.com.br>"
"SMTPD"	5016	9108	"2021-05-02 08:54:00.790"	"5.188.206.163"	"SENT: 250 OK"
"SMTPD"	10700	9108	"2021-05-02 08:54:01.040"	"5.188.206.163"	"RECEIVED: RCPT TO:<info@domain.com>"
"SMTPD"	10700	9108	"2021-05-02 08:54:01.055"	"5.188.206.163"	"SENT: 250 OK"
"SMTPD"	10700	9108	"2021-05-02 08:54:01.055"	"5.188.206.163"	"RECEIVED: RCPT TO:<admin@domain.com>"
"SMTPD"	10700	9108	"2021-05-02 08:54:01.055"	"5.188.206.163"	"SENT: 550 Unknown user"
"DEBUG"	10700	"2021-05-02 08:54:01.055"	"Executing event OnRecipientUnknown"
"DEBUG"	10700	"2021-05-02 08:54:01.086"	"Event completed"
"SMTPD"	7820	9108	"2021-05-02 08:54:01.086"	"5.188.206.163"	"RECEIVED: RCPT TO:<contact@domain.com>"
"SMTPD"	7820	9108	"2021-05-02 08:54:01.086"	"5.188.206.163"	"SENT: 550 Unknown user"
"DEBUG"	7820	"2021-05-02 08:54:01.086"	"Executing event OnRecipientUnknown"
"DEBUG"	7820	"2021-05-02 08:54:01.118"	"Event completed"
"SMTPD"	8936	9108	"2021-05-02 08:54:01.118"	"5.188.206.163"	"RECEIVED: RCPT TO:<sales@domain.com>"
"SMTPD"	8936	9108	"2021-05-02 08:54:01.118"	"5.188.206.163"	"SENT: 550 Unknown user"
"DEBUG"	8936	"2021-05-02 08:54:01.118"	"Executing event OnRecipientUnknown"
"DEBUG"	8936	"2021-05-02 08:54:01.133"	"Event completed"
"SMTPD"	10700	9108	"2021-05-02 08:54:01.133"	"5.188.206.163"	"RECEIVED: RCPT TO:<adam@domain.com>"
"SMTPD"	10700	9108	"2021-05-02 08:54:01.133"	"5.188.206.163"	"SENT: 550 Unknown user"
"DEBUG"	10700	"2021-05-02 08:54:01.133"	"Executing event OnRecipientUnknown"
"DEBUG"	10700	"2021-05-02 08:54:01.164"	"Event completed"
"SMTPD"	7820	9108	"2021-05-02 08:54:01.164"	"5.188.206.163"	"RECEIVED: RCPT TO:<mail@domain.com>"
"SMTPD"	7820	9108	"2021-05-02 08:54:01.164"	"5.188.206.163"	"SENT: 550 Unknown user"
"DEBUG"	7820	"2021-05-02 08:54:01.164"	"Executing event OnRecipientUnknown"
"DEBUG"	7820	"2021-05-02 08:54:01.196"	"Event completed"
"SMTPD"	8936	9108	"2021-05-02 08:54:01.196"	"5.188.206.163"	"RECEIVED: RCPT TO:<office@domain.com>"
"SMTPD"	8936	9108	"2021-05-02 08:54:01.196"	"5.188.206.163"	"SENT: Too many invalid commands. Bye!"
"DEBUG"	8936	"2021-05-02 08:54:01.196"	"Executing event OnTooManyInvalidCommands"
"DEBUG"	8936	"2021-05-02 08:54:01.227"	"Event completed"
"DEBUG"	8936	"2021-05-02 08:54:01.227"	"Deleting message file."
I'm running experiments with OnRecipientUnknown() and OnTooManyInvalidCommands() Experimental Events Handlers :mrgreen:

OnRecipientUnknown() triggers, obviously, on every "Unknown user" command
OnTooManyInvalidCommands() triggers after te value defined in "Maximum number of invalid commands" under "RFC compliance" in Settings -> Protocols -> SMTP
Disconnect client after too many invalid commands
Using this setting you can disconnect clients which sends to many invalid commands. For example, some spammers try to send email to a lot of different addresses on your server, hoping that your server will accept at least one of them. Using this option, you can automatically disconnect clients that tries to do this.
CIDR to RegEx: d-fault.nl/cidrtoregex
DNS Lookup: d-fault.nl/dnstools
DKIM Generator: d-fault.nl/dkimgenerator
DNSBL Lookup: d-fault.nl/dnsbllookup
GEOIP Lookup: d-fault.nl/geoiplookup

Post Reply