Fighting hackers and help to stop gsmtp powered mailers

Use this forum if you have problems with a hMailServer script, such as hMailServer WebAdmin or code in an event handler.
nikkoid
New user
Posts: 3
Joined: 2019-03-17 06:39

Fighting hackers and help to stop gsmtp powered mailers

Post by nikkoid » 2019-03-17 08:42

I have a hacker who is DDoSing my server with millions of hacking attempts. I cannot block his IP because he is using proxies, and his local provider is in the USA.

However, it is easy to spot him because of this:


"74.125.133.26"	"SENT: EHLO mail.xxx.com"
"SMTPC"	4308	923762	"2019-03-17 00:00:00.270"	"74.125.131.26"	"RECEIVED: 250 2.1.0 OK q10si4479680ljc.23 - gsmtp"
"SMTPC"	4308	923762	"2019-03-17 00:00:00.350"	"74.125.131.26"	"SENT: RCPT TO:<xxxxxx@gmail.com>"
"SMTPC"	4384	923763	"2019-03-17 00:00:00.273"	"74.125.133.26"	"SENT: MAIL FROM:<>"
"SMTPC"	4604	923756	"2019-03-17 00:00:00.274"	"74.125.131.26"	"RECEIVED: 250 2.1.0 OK s14si4388567lji.137 - gsmtp"
"SMTPC"	4604	923756	"2019-03-17 00:00:00.355"	"74.125.131.26"	"SENT: RCPT TO:<xxxxxx@gmail.com>"
"SMTPC"	4532	923755	"2019-03-17 00:00:00.276"	"74.125.68.26"	"SENT: STARTTLS"


gsmtp

I would like to have a script that could block anything received from gsmtp.

How to do it?

jimimaseye
Moderator
Posts: 7902
Joined: 2011-09-08 17:48

Re: Fighting hackers and help to stop gsmtp powered mailers

Post by jimimaseye » 2019-03-17 10:17

Those messages are connecting to gmail services (not proxies). If you were able (which you are not) to block based on gsmtp then you would be blocking ALL inbound mail from everyone that uses gmail as their provider (including hosted services). And that could be a LOT.

Anyway.....

Your log shows that you are SENDING out this spam, not receiving it. Run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914 so we can see if you are secure. Also check this: https://www.hmailserver.com/documentati ... d_for_spam

[Entered by mobile. Excuse my spelling.]
HMS 5.6.6 B2383 on Win Server 2008 R2 Foundation, + 5.6.7-B2415 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
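The distinction drawn above (an SMTPC line is your own server's outbound client session, so a "gsmtp" string in its RECEIVED lines is Gmail's reply to your delivery attempt, not an inbound connection) can be checked mechanically over the log. This is an added example, not code from the thread or from hMailServer; it assumes hMailServer's tab-separated, double-quoted log layout as shown in the excerpt, and the SMTPD lines and the 203.0.113.9 address in the sample are constructed.

```python
"""Classify hMailServer SMTP log lines by direction: SMTPD is the server side
(inbound, a remote host talks to us), SMTPC is the client side (outbound, we talk
to a remote host), so 'gsmtp' in a RECEIVED line of SMTPC is Gmail answering us."""
import re
from collections import defaultdict

# Constructed sample in hMailServer's tab-separated log layout. The SMTPC lines
# mirror the thread's excerpt; the SMTPD lines and the 203.0.113.9 address are
# made up for illustration.
SAMPLE_LOG = (
    '"SMTPC"\t4308\t923762\t"2019-03-17 00:00:00.270"\t"74.125.131.26"\t'
    '"RECEIVED: 250 2.1.0 OK q10si4479680ljc.23 - gsmtp"\n'
    '"SMTPC"\t4308\t923762\t"2019-03-17 00:00:00.350"\t"74.125.131.26"\t'
    '"SENT: RCPT TO:<xxxxxx@gmail.com>"\n'
    '"SMTPC"\t4384\t923763\t"2019-03-17 00:00:00.273"\t"74.125.133.26"\t'
    '"SENT: MAIL FROM:<>"\n'
    '"SMTPD"\t4112\t923770\t"2019-03-17 00:00:01.100"\t"203.0.113.9"\t'
    '"RECEIVED: EHLO mx.example.net"\n'
    '"SMTPD"\t4112\t923770\t"2019-03-17 00:00:01.200"\t"203.0.113.9"\t'
    '"SENT: 250-mail.xxx.com"\n'
)

# component, thread id, session id, timestamp, remote IP, message
LINE_RE = re.compile(r'^"(?P<comp>[A-Z0-9]+)"\t(?P<thread>\d+)\t(?P<session>\d+)\t'
                     r'"(?P<ts>[^"]*)"\t"(?P<ip>[^"]*)"\t"(?P<msg>.*)"$')

def parse_line(line):
    """Return the fields of one log line, or None if it is not an SMTP line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m or m.group("comp") not in ("SMTPD", "SMTPC"):
        return None
    rec = m.groupdict()
    rec["direction"] = "outbound" if rec["comp"] == "SMTPC" else "inbound"
    return rec

def summarize(log_text):
    """Count sessions per direction and record where 'gsmtp' actually occurs."""
    sessions = defaultdict(set)
    gsmtp_hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sessions[rec["direction"]].add(rec["session"])
        if "gsmtp" in rec["msg"]:
            side = "remote_reply" if rec["msg"].startswith("RECEIVED:") else "our_command"
            gsmtp_hits[(rec["direction"], side)] += 1
    return {"inbound_sessions": len(sessions["inbound"]),
            "outbound_sessions": len(sessions["outbound"]),
            "gsmtp_hits": dict(gsmtp_hits)}
```

Run it over a real hmailserver_*.log file instead of SAMPLE_LOG: if every gsmtp hit sits under ("outbound", "remote_reply"), the traffic is your server delivering to Gmail, which is what to investigate on the account side.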

mattg
Moderator
Posts: 19719
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Fighting hackers and help to stop gsmtp powered mailers

Post by mattg » 2019-03-17 12:31

jimimaseye wrote (2019-03-17 10:17):
    Anyway.....

    Your log shows that you are SENDING out this spam, not receiving them.

Yep
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

nikkoid
New user
Posts: 3
Joined: 2019-03-17 06:39

Re: Fighting hackers and help to stop gsmtp powered mailers

Post by nikkoid » 2019-03-18 19:20

Here is the diagnostic:


2019-03-18   Hmailserver: 5.6.7-B2425

DOMAINS

   "Domain1.com" - doxxxxxxxxxxxxxxxx.com         Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain2.com" - esxxxxx.com                    Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False

   "Domain3.com" - soxxxxxxxxxx.com               Enabled: True

SIGNATURE         LIMITS                       DKIM               ADVANCED
  Enabled: False   Max size:                0   Enabled: False   
                   Max message size:        0                      Plus addressing: False
                   Max size of accounts:    0                    
                                                                   Greylisting:     False
-----------------------------------------------------------------------------------------------

IP RANGES

IP: 127.0.0.1 - 127.0.0.1     Priority: 15     Name: My computer

  Allow connections                         Other
     SMTP:   True                              Antispam :  False
     POP3:   True                              Antivirus:  False
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       - False
     Local To External    -  True              Local To External    -  True
     External To Local    - False    
     External To External - False           


IP: 0.0.0.0 - 255.255.255.255     Priority: 10     Name: Internet

  Allow connections                         Other
     SMTP:   True                              Antispam :   True
     POP3:   True                              Antivirus:   True !! ANTIVIRUS NOT CONFIGURED !!
     IMAP:   True                              SSL/TLS:    False

  Allow Deliveries from                     Require Authentication from
     Local To Local       -  True              Local To Local       -  True
     Local To External    -  True              Local To External    -  True
     External To Local    -  True              External To Local    - False
     External To External - False           


   !!  Warning:  DEFAULT DOMAIN is SET  !! - "Domain2.com"
------------------------------------------------------
AUTOBANNED Local Addresses:
    No entries

-----------------------------------------------------------------------------------------------

AUTOBAN
  Autoban Enabled: True       Max invalid logon attempts:     10
                              Minutes Before Reset:          300  (5.00 hours, 0.21 days)
                              Minutes to Autoban:          30000  (500.00 hours, 20.83 days)

There is a total of 2 auto-ban IP ranges.
-----------------------------------------------------------------------------------------------

INCOMING RELAYS
   No entries
-----------------------------------------------------------------------------------------------

MIRRORING         Disabled
-----------------------------------------------------------------------------------------------

PROTOCOLS

SMTP
GENERAL             DELIVERY                  RFC COMPLIANCE            ADVANCED
No. Connections:  0  No Retries:  1 Mins:  1   Plain Text:         True  Bind: 144.76.75.87
                     Host: EXTERNAL.TLD        Empty sender:       True  Batch recipients:   100
Max Msg Size: 20480  Relay:-                   Incorrect endings:  True  Use STARTTLS:      True
                     (none entered)            Disc. on invalid:   True  Delivered-To hdr: False
                                               Max number commands:  20  Loop limit:           5
                                                                         Recipient hosts:     15
  Routes:
     No routes defined.

POP3
  No. Connections: 0

IMAP
 GENERAL                   PUBLIC FOLDERS                    ADVANCED
  No. Connections:   0      Public folder name: #Public       IMAP sort:  True
                                                              IMAP Quota: True
                                                              IMAP Idle:  True
                                                              IMAP ACL:   True
                                                              Delim: "."
-----------------------------------------------------------------------------------------------

ANTISPAM

GENERAL                              SPAM TESTS              Score   SPAMASSASSIN
  Spam Mark:                  8       Use SPF:            True - 5    Use Spamassassin:    True
  Add X-HmailServer-Spam:     True    Check HELO host:    True - 2    Hostname:       127.0.0.1
  Add X-HmailServer-Reason:   True    Check MX records:   True - 2    Port:                 783
  Add X-HmailServer-Subject: False    Verify DKIM:        True - 5    Use SA score:        True

  Spam delete threshold: 8         Maximum message size: 1024

DNSBL ENTRIES:
                    bl.spamcop.net      Score: 100   Result: 127.0.0.2
                combined.njabl.org      Score: 10    Result: 127.0.0.*
            b.barracudacentral.org      Score: 5     Result: 172.127.0.2

SURBL ENTRIES:
   No 'enabled' entries

GREYLISTING:
  Greylisting:   True       Defer mins: 30       Days Unused: 1      Days Used: 36
                            Bypass SPF: True     Bypass A/MX: True

Greylist WHITELIST ENTRIES:
   IP Address: 85.25.235.237

Greylist DOMAINS enabled:
  !! No active domains enabled - GREYLISTING INEFFECTIVE !!

WHITELISTING
   No entries
-----------------------------------------------------------------------------------------------

ANTIVIRUS:  No application configured.

  Block Attachments: True
               *.bat             Batch processing file
               *.cmd             Command file for Windows NT
               *.com             Command
               *.cpl             Windows Control Panel extension
               *.csh             CSH script
               *.exe             Executable file
               *.inf             Setup file
               *.lnk             Windows link file
               *.msi             Windows Installer file
               *.msp             Windows Installer patch
               *.reg             Registration key
               *.scf             Windows Explorer command
               *.scr             Windows Screen saver
-----------------------------------------------------------------------------------------------

SSL CERTIFICATES
   sonicreality
       Certificate: C:\Program Files (x86)\hMailServer\Bin\sonicreality.cert
       Private key: C:\Program Files (x86)\hMailServer\Bin\sonicreality.key
-----------------------------------------------------------------------------------------------

SSL/TLS
             SSL 3.0 :   True
             TLS 1.0 :   True
             TLS 1.1 :   True
             TLS 1.2 :   True                Verify Remote SSL/TLS Certs:   True
SslCipherList  :

ECDHE-RSA-AES128-GCM-SHA256     - ECDHE-ECDSA-AES128-GCM-SHA256   - ECDHE-RSA-AES256-GCM-SHA384     
ECDHE-ECDSA-AES256-GCM-SHA384   - DHE-RSA-AES128-GCM-SHA256       - DHE-DSS-AES128-GCM-SHA256       
kEDH+AESGCM                     - ECDHE-RSA-AES128-SHA256         - ECDHE-ECDSA-AES128-SHA256       
ECDHE-RSA-AES128-SHA            - ECDHE-ECDSA-AES128-SHA          - ECDHE-RSA-AES256-SHA384         
ECDHE-ECDSA-AES256-SHA384       - ECDHE-RSA-AES256-SHA            - ECDHE-ECDSA-AES256-SHA          
DHE-RSA-AES128-SHA256           - DHE-RSA-AES128-SHA              - DHE-DSS-AES128-SHA256           
DHE-RSA-AES256-SHA256           - DHE-DSS-AES256-SHA              - DHE-RSA-AES256-SHA              
AES128-GCM-SHA256               - AES256-GCM-SHA384               - ECDHE-RSA-RC4-SHA               
ECDHE-ECDSA-RC4-SHA             - AES128                          - AES256                          
RC4-SHA                         - HIGH                            - !aNULL                          
!eNULL                          - !EXPORT                         - !DES                            
!3DES                           - !MD5                            - !PSK;                           
-----------------------------------------------------------------------------------------------

TCPIP PORTS                                         Connection Sec
               0.0.0.0         / 25    / SMTP   -   None                
               0.0.0.0         / 110   / POP3   -   None                
               0.0.0.0         / 143   / IMAP   -   None                
-----------------------------------------------------------------------------------------------

LOGGING      Logging Enabled: True

  Paths:-
    Current:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-03-18.log
    Error:    C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-03-18.log - !! ERRORS PRESENT !!
    Event:    C:\Program Files (x86)\hMailServer\Logs\hmailserver_events.log - Not present
    Awstats:  C:\Program Files (x86)\hMailServer\Logs\hmailserver_awstats.log
                        APPLICATION -    True
                        SMTP        -    True
                        POP3        -    True
                        IMAP        -    True
                        TCPIP       -    True
                        DEBUG       -    True
                        AWSTATS     -      .
-----------------------------------------------------------------------------------------------

SYSTEM TESTS

Database type: MSSQL Compact

IPv6 support is available in operating system.

Backup directory d:\emails is writable.

Relative message paths are stored in the database for all messages.

-----------------------------------------------------------------------------------------------

HMAILSERVER.INI

[Directories]
Program folder:  C:\Program Files (x86)\hMailServer\
Database folder: C:\Program Files (x86)\hMailServer\Database
Data folder:     C:\Program Files (x86)\hMailServer\Data
Log folder:      C:\Program Files (x86)\hMailServer\Logs
Temp folder:     C:\Program Files (x86)\hMailServer\Temp
Event folder:    C:\Program Files (x86)\hMailServer\Events

[Database]
Type=              MSSQLCE
Username=           
PasswordEncryption=1
Port=              0
Server=             
Internal=          1
-----------------------------------------------------------------------------------------------

Generated by HMSSettingsDiagnostics v1.95, Hmailserver Forum.

jimimaseye
Moderator
Posts: 7902
Joined: 2011-09-08 17:48

Re: Fighting hackers and help to stop gsmtp powered mailers

Post by jimimaseye » 2019-03-18 20:44

My guess is you have a compromised account password. Follow the link previously posted in the troubleshooting section to track it down.

Also, remove the default domain that you have set (that only makes it easier for spambots).


mattg
Moderator
Posts: 19719
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Fighting hackers and help to stop gsmtp powered mailers

Post by mattg » 2019-03-19 03:02

ALSO, your error log is populated.

Please show the contents of C:\Program Files (x86)\hMailServer\Logs\ERROR_hmailserver_2019-03-18.log, or a newer one if it exists.

nikkoid
New user
Posts: 3
Joined: 2019-03-17 06:39

Re: Fighting hackers and help to stop gsmtp powered mailers

Post by nikkoid » 2019-03-19 15:39

I think the problem was the password as you said.
I have changed it and the spam stopped.

I have told the user to run an anti-virus...

Thanks for your feedback.
