blocking specific From patterns

Use this forum if you have problems with a hMailServer script, such as hMailServer WebAdmin or code in an event handler.
charleso
Normal user
Posts: 32
Joined: 2016-09-22 15:45

blocking specific From patterns

Post by charleso » 2019-01-28 15:43

I just successfully migrated a few users from SmarterMail on shared hosting to my dedicated hMailServer, and lo and behold I got hit by a ton of spam :(

Luckily there is a pattern to this: the spammer(s) are embedding trash email addressing within legitimate email domains on my server.

For example: Received: from rapidsecureguard.com (static.vnpt.vn [14.169.213.129]) , where rapidsecureguard.com is a valid domain on my server.

Please, is there a script to block this and similar?

Thanks.


{0DA599D1-4B63-4C6B-B15D-D57D17362937}.EML
Received: from rapidsecureguard.com (static.vnpt.vn [14.169.213.129]) 
by mail.paperlesssolutionsltd.com.ng with ESMTPSA 
(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) 
; Mon, 28 Jan 2019 13:38:15 +0100 
From: Sharon Maestri 
To: naswar , owners , dolores , Ozark Swing Society Members , RentToOwn , spindancer , Sue Condren , Jim , tbell , Terry Condren 
Subject: That's why everybody talks about it 
Date: Mon, 28 Jan 2019 05:38:15 -0700 
Message-ID: 
MIME-Version: 1.0 
Content-Type: multipart/alternative; 
boundary="----=_NextPart_000_71DC_7203A838.686FB1E0" 
X-Mailer: Microsoft Outlook 16.0 
Thread-Index: ARokO1Y6TW41b2U1bXMzYmZoYnRzNw== 
Content-Language: en-us 

This is a multipart message in MIME format. 

------=_NextPart_000_71DC_7203A838.686FB1E0 
Content-Type: text/plain; 
charset="us-ascii" 
Content-Transfer-Encoding: 7bit 

http://notice.9tronix.com 





Sharon Maestri 




------=_NextPart_000_71DC_7203A838.686FB1E0 
Content-Type: text/html; 
charset="us-ascii" 
Content-Transfer-Encoding: quoted-printable 


xmlns:o=3D"urn:schemas-microsoft-com:office:office" = 
xmlns:w=3D"urn:schemas-microsoft-com:office:word" = 
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" = 
xmlns=3D"http://www.w3.org/TR/REC-html40">
http-equiv=3DContent-Type content=3D"text/html; = 
charset=3Dus-ascii">
(filtered medium)">
/* Font Definitions */ 
@font-face 
{font-family:"Cambria Math"; 
panose-1:2 4 5 3 5 4 6 3 2 4;} 
@font-face 
{font-family:Calibri; 
panose-1:2 15 5 2 2 2 4 3 2 4;} 
/* Style Definitions */ 
p.MsoNormal, li.MsoNormal, div.MsoNormal 
{margin:0cm; 
margin-bottom:.0001pt; 
font-size:11.0pt; 
font-family:"Calibri",sans-serif; 
mso-fareast-language:EN-US;} 
a:link, span.MsoHyperlink 
{mso-style-priority:99; 
color:#0563C1; 
text-decoration:underline;} 
a:visited, span.MsoHyperlinkFollowed 
{mso-style-priority:99; 
color:#954F72; 
text-decoration:underline;} 
span.EmailStyle17 
{mso-style-type:personal-compose; 
font-family:"Calibri",sans-serif; 
color:windowtext;} 
..MsoChpDefault 
{mso-style-type:export-only; 
font-family:"Calibri",sans-serif; 
mso-fareast-language:EN-US;} 
@page WordSection1 
{size:612.0pt 792.0pt; 
margin:2.0cm 42.5pt 2.0cm 3.0cm;} 
div.WordSection1 
{page:WordSection1;} 
-->





link=3D"#0563C1" vlink=3D"#954F72">
class=3DMsoNormal> 
href=3D"http://notice.9tronix.com/">http://notice.9tronix.com
class=3DMsoNormal> 
class=3DMsoNormal> 
lang=3DEN-US = 
style=3D'mso-fareast-language:EN-US'>Sharon Maestri
class=3DMsoNormal> 
------=_NextPart_000_71DC_7203A838.686FB1E0-- 

jimimaseye
Moderator
Posts: 8077
Joined: 2011-09-08 17:48

Re: blocking specific From patterns

Post by jimimaseye » 2019-01-28 20:42

Your settings are allowing this. Run this and post the results: viewtopic.php?f=20&t=30914

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

charleso
Normal user
Posts: 32
Joined: 2016-09-22 15:45

Re: blocking specific From patterns

Post by charleso » 2019-01-28 23:27

This is my Diagnostic result:


2019-01-28   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - ebxxxxxxx.com                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - edxxxxxxx.com                  Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain3.com" - gsxxxx.com                     Enabled: True
      |- "Alias1.com" - maxx.gsxxxx.com
      |- "Alias2.com" - wwx.gsxxxx.com

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain4.com" - hoxxxxxxxxxxxxx.com            Enabled: True
      |- "Alias3.com" - maxx.hoxxxxxxxxxxxxx.com
      |- "Alias4.com" - wwx.hoxxxxxxxxxxxxx.com

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain5.com" - paxxxxxxxxxxxxxxxxxxx.com.ng   Enabled: True
      |- "Alias5.com" - maxx.paxxxxxxxxxxxxxxxxxxx.com.ng
      |- "Alias6.com" - wwx.paxxxxxxxxxxxxxxxxxxx.com.ng

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain6.com" - plxxxxxxxxxxxxxxxxxxxx.co.za   Enabled: True
      |- "Alias7.com" - maxx.plxxxxxxxxxxxxxxxxxxxx.co.za
      |- "Alias8.com" - wex.plxxxxxxxxxxxxxxxxxxxx.co.za

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting: !! ENABLED BUT NOT ACTIVATED!! 

   "Domain7.com" - plxxxxxxxxxxxxxxxxxxxx.com     Enabled: True
      |- "Alias9.com" - maxx.plxxxxxxxxxxxxxxxxxxxx.com
      |- "Alias10.com" - wwx.plxxxxxxxxxxxxxxxxxxxx.com

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain8.com" - raxxxxxxxxxxxxxx.com           Enabled: True
      |- "Alias11.com" - maxx.raxxxxxxxxxxxxxx.com
      |- "Alias12.com" - wex.raxxxxxxxxxxxxxx.com

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

GLOBAL RULES
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: LOCAL

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    - False
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:     True

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External -  True              External To External -  True


------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:      3
                              Minutes Before Reset:           60  (1.00 hours, 0.04 days)
                              Minutes to Autoban:          43200  (720.00 hours, 30.00 days)

No problems were found in the IP range configuration.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  4 Mins: 60   Plain Text:        False  Bind: 
                     Host: Alias5.com          Empty sender:       True  Batch recipients:   100
Max Msg Size:102400  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:  False  Delivered-To hdr: False
                                                                         Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  5       Use SPF:            True - 3    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:  False        Port:                 783
  Add X-HmailServer-Subject: False    Verify DKIM:       False        Use SA score:        True

  Spam delete threshold: 50         Maximum message size: 1024

DNSBL ENTRIES:
   No entries

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:  False

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: False
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   Domain4.com
       Certificate: C:\Apps\Domain4.com\-\domain-crt.txt
       Private key: C:\Apps\Domain4.com\-\domain-key.txt
   PaperlessDomain5.com
       Certificate: C:\Apps\Domain5.com\-\domain-crt.txt
       Private key: C:\Apps\Domain5.com\-\domain-key.txt
   Domain6.com
       Certificate: C:\Apps\Domain4.com\-\domain-crt.txt
       Private key: C:\Apps\Domain4.com\-\domain-key.txt
   Domain8.com
       Certificate: C:\Apps\rsg\-\domain-crt.txt
       Private key: C:\Apps\rsg\-\domain-key.txt
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :  False
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:  False
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - HIGH                            
!aNULL                          - !eNULL                          - !EXPORT                         
!DES                            - !3DES                           - !MD5                            
!PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   StartTLS Optional   Cert: PaperlessDomain5.com
               0.0.0.0         / 110   / POP3   -   StartTLS Optional   Cert: PaperlessDomain5.com
               0.0.0.0         / 143   / IMAP   -   StartTLS Optional   Cert: PaperlessDomain5.com
               0.0.0.0         / 465   / SMTP   -   SSL/TLS             Cert: PaperlessDomain5.com
               0.0.0.0         / 587   / SMTP   -   SSL/TLS             Cert: PaperlessDomain5.com
               0.0.0.0         / 993   / IMAP   -   SSL/TLS             Cert: PaperlessDomain5.com
               0.0.0.0         / 995   / POP3   -   SSL/TLS             Cert: PaperlessDomain5.com
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-01-28.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-01-28.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -    True
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL

IPv6 support is available in operating system.

Backup directory C:\MailBK is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQL
Username=          sa
PasswordEncryption=1
Port=              0
Server=            .
Internal=          0

[Settings]
DisableAUTHList=25
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.95, Hmailserver Forum.

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: blocking specific From patterns

Post by SorenR » 2019-01-29 00:13

This line...

Received: from rapidsecureguard.com (static.vnpt.vn [14.169.213.129]) by mail.paperlesssolutionsltd.com.ng with ESMTPSA (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256) ; Mon, 28 Jan 2019 13:38:15 +0100

HELO/EHLO greeting
Resolved hostname from IP address
IP Address of sender
Your mailserver


The UNOfficial version of hMailServer has a trigger called "Sub OnHELO(oClient)", but the trigger "Sub OnSMTPData(oClient, oMessage)" can also be used...

VBScript file .\hMailServer\Events\EventHandlers.vbs. Do not forget to enable scripting in hMailAdmin -> Settings -> Advanced -> Scripts.


Function Lookup(strRegEx, strMatch) : Lookup = False
   ' Returns True when strMatch contains a match for strRegEx (case-insensitive).
   With CreateObject("VBScript.RegExp")
      .Pattern = strRegEx
      .Global = False
      .MultiLine = True
      .IgnoreCase = True
      If .Test(strMatch) Then Lookup = True
   End With
End Function

Sub OnSMTPData(oClient, oMessage)
   Dim strRegEx
   '
   '   strRegEx is populated with Javascript compatible regular expressions. If (one of the) expression(s) is found
   '   in target the selection is TRUE.
   '
   '   Result.Value = 2 means terminate connection after sending message Result.Message
   '
   '   Each alternative is anchored with ^ and $ so only an exact HELO name matches, not a substring.
   strRegEx = "^(rapidsecureguard\.com)$|^(acme\.inc)$"
   If Lookup(strRegEx, oClient.HELO) Then
      Result.Value = 2
      Result.Message = "5.7.1 CODE00x Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."
      Exit Sub
   End If
End Sub
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
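As an added illustration (my code, not from the thread and not part of hMailServer), the JavaScript below splits that Received: line into the four parts listed above and flags the pattern charleso describes: a HELO naming one of the server's own domains while the connection comes from some other address. The hosted domain names are taken from the thread; the server's own public IP is an assumed placeholder. The block-list regex is SorenR's pattern with the stray closing parenthesis removed; VBScript.RegExp and JavaScript share the same regex dialect, which is why it can be exercised here unchanged.

```javascript
// Added example, not code from the thread or from hMailServer. Splits a
// Received: header into HELO name, resolved hostname, sender IP and receiving
// server, then applies two checks: the "local domain in HELO but not from our
// own IP" pattern, and SorenR's HELO block-list regex.

// Domains hosted on the server (taken from the thread). The server's own
// public IP is an ASSUMED placeholder; use the real address in practice.
const LOCAL_DOMAINS = ["rapidsecureguard.com", "paperlesssolutionsltd.com.ng"];
const OWN_IPS = ["198.51.100.10"];

// "Received: from <helo> (<rdns> [<ip>]) by <server> ..."; the reverse-DNS
// name is optional because some MTAs omit it when the PTR lookup fails.
const RECEIVED_RE =
  /^Received:\s*from\s+(\S+)\s+\((?:([^\s\[\]]+)\s+)?\[([0-9.]+)\]\)\s+by\s+(\S+)/i;

function parseReceived(headerLine) {
  // Folded headers span several lines; collapse the whitespace first.
  const m = RECEIVED_RE.exec(headerLine.replace(/\s+/g, " ").trim());
  if (!m) return null;
  return {
    helo: m[1].toLowerCase(),
    rdns: m[2] ? m[2].toLowerCase() : null,
    ip: m[3],
    server: m[4].toLowerCase(),
  };
}

// The masquerade check: HELO claims one of our domains, but the peer is not us.
function isLocalDomainMasquerade(parsed) {
  if (!parsed) return false;
  return LOCAL_DOMAINS.includes(parsed.helo) && !OWN_IPS.includes(parsed.ip);
}

// SorenR's pattern with the unbalanced ")" removed. Each alternative is
// anchored, so only an exact HELO name matches.
const HELO_BLOCK_RE = /^(rapidsecureguard\.com)$|^(acme\.inc)$/i;

function heloMatchesBlockList(helo) {
  return HELO_BLOCK_RE.test(helo);
}

// Constructed sample: the header from the first post, folded over several
// lines the way it appears in the stored .EML file.
const SAMPLE =
  "Received: from rapidsecureguard.com (static.vnpt.vn [14.169.213.129])\r\n" +
  " by mail.paperlesssolutionsltd.com.ng with ESMTPSA\r\n" +
  " (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256)\r\n" +
  " ; Mon, 28 Jan 2019 13:38:15 +0100";

const parsed = parseReceived(SAMPLE);
console.log(parsed);
console.log("local-domain masquerade:", isLocalDomainMasquerade(parsed));
console.log("HELO on block list:", heloMatchesBlockList(parsed.helo));
```

Inside an hMailServer handler the same two checks would run in OnSMTPData against the Client object's HELO and IP address properties rather than against a stored header, but the logic is identical: the HELO name alone is never trusted; it is only meaningful together with the address the connection actually came from.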

charleso
Normal user
Posts: 32
Joined: 2016-09-22 15:45

Re: blocking specific From patterns

Post by charleso » 2019-01-29 00:26

Thanks for this reply, the example I gave was just one of several.

I'm looking for a general pattern I can use to eliminate cases where mails are originating from my server, but masquerading as my known domains, like in the example.

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: blocking specific From patterns

Post by SorenR » 2019-01-29 00:54

charleso wrote:
2019-01-29 00:26
Thanks for this reply, the example I gave was just one of several.

I'm looking for a general pattern I can use to eliminate cases where mails are originating from my server, but masquerading as my known domains, like in the example.
hMailAdmin --> Settings --> Anti spam [Spam tests]

The setting "Check host in the HELO command" will score connections if not FCrDNS. If you set the score high you can make hMailServer drop the connection, but at the risk of losing legit messages too.

FCrDNS is a MUST in the RFC but a lot of servers do not adhere.

If you are willing to disclose how all your domains are hosted, I may be able to whip something up :wink:
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
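To make the trade-off SorenR describes concrete, here is an added example (my code, not hMailServer's implementation of its HELO test) that runs the two lookups involved: whether the connecting IP is forward-confirmed (its PTR name resolves back to the same IP) and whether the HELO name resolves to the connecting IP. The DNS answers are constructed tables so it runs offline; the 14.169.213.129 / static.vnpt.vn pair is from the thread, the address for rapidsecureguard.com is an assumed placeholder, and the score of 2 and spam mark of 5 are the values in charleso's diagnostics above.

```javascript
// Added example, not code from the thread or from hMailServer. Evaluates
// FCrDNS and the HELO-resolves-to-peer check against constructed DNS data.

// CONSTRUCTED answers standing in for real PTR and A lookups. The mapping
// 14.169.213.129 -> static.vnpt.vn is from the thread; the A record for
// rapidsecureguard.com is an assumed placeholder for the server's own IP.
const PTR_RECORDS = {
  "1.1.1.3": ["mx.maildomain.com"],
  "14.169.213.129": ["static.vnpt.vn"],
  "203.0.113.7": [],                       // host with no PTR at all
};
const A_RECORDS = {
  "mx.maildomain.com": ["1.1.1.3"],
  "static.vnpt.vn": ["14.169.213.129"],
  "rapidsecureguard.com": ["198.51.100.10"],
};

const lookupPtr = (ip) => PTR_RECORDS[ip] || [];
const lookupA = (name) => A_RECORDS[name.toLowerCase()] || [];

// FCrDNS: at least one PTR name of the IP must have an A record that points
// back at that same IP.
function isForwardConfirmed(ip) {
  return lookupPtr(ip).some((name) => lookupA(name).includes(ip));
}

// HELO check: the name offered in HELO/EHLO must resolve to the peer IP.
// An address literal such as [14.169.213.129] is compared directly.
function heloMatchesIp(helo, ip) {
  const literal = /^\[?([0-9.]+)\]?$/.exec(helo);
  if (literal) return literal[1] === ip;
  return lookupA(helo).includes(ip);
}

// Score a connection: 0 when the HELO checks out, otherwise the configured
// penalty. With the thread's settings (HELO test scores 2, spam mark 5) this
// test alone never marks a message; it only counts together with SPF and
// SpamAssassin. Raising the penalty past the mark is the "risk of losing
// legit messages" trade-off, since many legitimate hosts fail this check.
function scoreConnection(helo, ip, penalty = 2) {
  const heloOk = heloMatchesIp(helo, ip);
  return {
    fcrdns: isForwardConfirmed(ip),
    heloOk,
    score: heloOk ? 0 : penalty,
  };
}

// The spam from the first post: the peer itself is forward-confirmed, but
// the HELO it offered belongs to someone else's domain.
console.log(scoreConnection("rapidsecureguard.com", "14.169.213.129"));
// A correctly configured sender from SorenR's zone example.
console.log(scoreConnection("mx.maildomain.com", "1.1.1.3"));
```

Note that the spam sample passes FCrDNS on the connecting address and fails only on the HELO name: a reputation check on the IP alone would not have caught it, which is why the HELO is checked against the peer address rather than evaluated on its own.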

mattg
Moderator
Posts: 20000
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: blocking specific From patterns

Post by mattg » 2019-01-29 01:06

ALSO

You have some errors present in your error log
Can you please show your error log contents
C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-01-28.log - !! ERRORS PRESENT !!
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

charleso
Normal user
Posts: 32
Joined: 2016-09-22 15:45

Re: blocking specific From patterns

Post by charleso » 2019-01-29 01:50

If you are willing to disclose how all your domains are hosted, I may be able to whip something up :wink:
Sure, it's simple hosting on IIS 10.0

Each site-name from my domain-registrar, simply has an A record mapped to my server's IP address

Then within hMailServer, I simply setup each domain ...

Is this not pretty standard? Or is the simplicity of my setup partly exposing me to these attacks?

For most of the sites I create an ssl cert. I then add same cert to hMailserver and IIS.

Funny enough all this spam just started today, when for the first time I added a few sites that didn't have ssl certs...

SorenR
Senior user
Posts: 3169
Joined: 2006-08-21 15:38
Location: Denmark

Re: blocking specific From patterns

Post by SorenR » 2019-01-29 02:53

charleso wrote:
2019-01-29 01:50
If you are willing to disclose how all your domains are hosted, I may be able to whip something up :wink:
Sure, it's simple hosting on IIS 10.0

Each domain is simply an A record reference to my server IP address from my domain-registrar.

Then within hMailServer, I simply setup each domain ...

Is this not pretty standard? Or is the simplicity of my setup partly exposing me to these attacks?

For most of the sites I create an ssl cert. I then add same cert to hMailserver and IIS.

Funny enough all this spam just started today, when for the first time I added a few sites that didn't have ssl certs...
hMailServer as you know only supports one public IP address.


maildomain.com.                  IN A     1.1.1.1
maildomain.com.                  IN NS    ns.maildomain.com.
maildomain.com.                  IN MX 10 mx.maildomain.com.
maildomain.com.                  IN TXT   "v=spf1 ip4:1.1.1.3 -all"
ns.maildomain.com.               IN A     1.1.1.2
mx.maildomain.com.               IN A     1.1.1.3
_domainkey.maildomain.com.       IN TXT   "t=y;o=~;r=postmaster@maildomain.com"
key1._domainkey.maildomain.com.  IN TXT   "k=rsa; p=#########......."
_dmarc.maildomain.com.           IN TXT   "v=DMARC1; p=none; sp=none; rf=afrf; pct=100; ri=86400"

domain1.com.                     IN A     2.1.1.1
domain1.com.                     IN NS    ns.domain1.com.
domain1.com.                     IN MX 10 mx.maildomain.com.
domain1.com.                     IN TXT   "v=spf1 ip4:1.1.1.3 -all"
ns.domain1.com.                  IN A     2.1.1.2

domain2.com.                     IN A     3.1.1.1
domain2.com.                     IN NS    ns.domain2.com.
domain2.com.                     IN MX 10 mx.maildomain.com.
domain2.com.                     IN TXT   "v=spf1 ip4:1.1.1.3 -all"
ns.domain2.com.                  IN A     3.1.1.2
This also means that you have to either name your server "mx.maildomain.com" AND/OR enter "mx.maildomain.com ESMTP" in hMailAdmin --> Settings --> Protocols --> SMTP [General] : Welcome message.
Your PTR should point 1.1.1.3 to "mx.maildomain.com" for your server to become FCrDNS.

It's been a long time since I messed with the DNS records for DKIM and DMARC but you MAY have to define them per domain also...

HINT: The SPF record will do away with the imposters as per SPAM settings in hMailAdmin --> Settings --> Anti-spam [Spam tests] : Use SPF score 5 or ??
SørenR.

The quantum rule of insecurity which states that the act of observing how vulnerable a host or service is changes the insecurity level of the service.
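Why the SPF record "will do away with the imposters": every domain in the zone above publishes "v=spf1 ip4:1.1.1.3 -all", so a message claiming one of those domains from any other address gets a hard fail. The following is an added example (my code, not hMailServer's SPF implementation) of a minimal evaluator for exactly that kind of record: it handles the ip4 mechanism with an optional CIDR length and the "all" mechanism with its four qualifiers, and reports the mechanisms that need live DNS (a, mx, include, ip6, ...) as permerror instead of guessing. The sender addresses below are the thread's own (1.1.1.3 and 14.169.213.129) plus constructed ones.

```javascript
// Added example, not code from the thread or from hMailServer: evaluate a
// sender IP against an SPF TXT record of the form used in SorenR's zone.

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    throw new Error("bad IPv4 address: " + ip);
  }
  const n = parts.map(Number);
  return ((n[0] << 24) | (n[1] << 16) | (n[2] << 8) | n[3]) >>> 0;
}

// True when ip lies within network/bits. bits=0 matches everything and is
// handled explicitly because a 32-bit shift by 32 would wrap in JavaScript.
function inCidr(ip, network, bits) {
  if (bits === 0) return true;
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(network) & mask) >>> 0);
}

const QUALIFIERS = { "+": "pass", "-": "fail", "~": "softfail", "?": "neutral" };

// Returns pass, fail, softfail, neutral, none (not an SPF record) or permerror.
function evaluateSpf(record, senderIp) {
  const terms = record.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== "v=spf1") return "none";
  for (const term of terms.slice(1)) {
    let qualifier = "+";            // an unqualified mechanism means pass
    let mech = term;
    if ("+-~?".includes(term[0])) { qualifier = term[0]; mech = term.slice(1); }
    const [name, arg] = mech.toLowerCase().split(":");
    if (name === "all") return QUALIFIERS[qualifier];
    if (name === "ip4") {
      if (!arg) return "permerror";
      const [network, len] = arg.split("/");
      const bits = len === undefined ? 32 : Number(len);
      if (!Number.isInteger(bits) || bits < 0 || bits > 32) return "permerror";
      if (inCidr(senderIp, network, bits)) return QUALIFIERS[qualifier];
      continue;                     // no match: try the next mechanism
    }
    // a, mx, include, exists, ptr, ip6 and redirect= need DNS; not handled here.
    return "permerror";
  }
  return "neutral";                 // RFC 7208: nothing matched and no "all"
}

// The record every domain in the zone above publishes.
const ZONE_SPF = "v=spf1 ip4:1.1.1.3 -all";

// The legitimate MX versus the address the spam in the first post came from.
console.log("mx.maildomain.com:", evaluateSpf(ZONE_SPF, "1.1.1.3"));
console.log("spam source:", evaluateSpf(ZONE_SPF, "14.169.213.129"));
```

The hard "-all" is what gives the result its teeth: a receiver that scores SPF (charleso's diagnostics show the test enabled with a score of 3) adds that penalty to every message whose envelope domain is one of these and whose source is not 1.1.1.3, while the same message sent through the real MX passes unchanged. A "~all" record would only produce softfail, which most receivers treat far more leniently.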
