Block attack based on Greeting not having effect

Use this forum if you have problems with a hMailServer script, such as hMailServer WebAdmin or code in an event handler.
Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Block attack based on Greeting not having effect

Post by Jorgo » 2019-12-27 18:29

First of all, please bear with me as I am practically a noob when it comes to programming. That said, I have tried a script which is supposed to auto ban attackers when they use weird identification in their HELO/EHLO but it seems to have no effect (no ban is resulting). This is the script (substituted my password):

Function Lookup(strRegEx, strMatch)
    With CreateObject("VBScript.RegExp")
       .Global = False
       .Pattern = strRegEx
       .IgnoreCase = True
       Lookup = .Test(strMatch)
    End With
End Function


Sub OnHELO(oClient)
      '
      ' Exclude local LAN from test
      '
      If (Left(oClient.IPAddress, 10) = "192.168.1.") Then Exit Sub
      If (Left(oClient.IPAddress, 9) = "127.0.0.1") Then Exit Sub

      strRegEx = "(127\.0\.0\.1|mail\.jorgo\.org|mydomain|User|scanner\.sslsonar\.org|zg-0911)"
      If (Lookup(strRegEx, oClient.HELO) = True) Then
          '
          ' Validate HELO/EHLO greeting
          '
          Result.Value = 2
          Result.Message = "5.7.1 Your access to this mail system has been rejected due to the sending\n" &_
                           "      MTA's poor reputation. If you believe that this failure is in error,\n" &_
                           "      please contact the intended recipient via alternate means."
          EventLog.Write(HELO & vbTab & oClient.IPAddress & vbTab & oClient.Port)
          Call AutoBan(oClient.IPAddress, "HELO " & oClient.HELO, 2, "d")
      End If
End Sub
    
'
' sType can be one of the following:
' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
'
Sub AutoBan(sIPAddress, sReason, iDuration, sType)
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMINISTRATOR, MYPASSWORD)
    With LockFile(oApp.Settings.Directories.TempDirectory & "\autoban.lck")
       On Error Resume Next
       oApp.Settings.SecurityRanges.Refresh
       If (oApp.Settings.SecurityRanges.ItemByName("Auto-ban: (" & sReason & ") " & sIPAddress) Is Nothing) Then
          With oApp.Settings.SecurityRanges.Add
             .Name = "Auto-ban: (" & sReason & ") " & sIPAddress
             .LowerIP = sIPAddress
             .UpperIP = sIPAddress
             .Priority = 20
             .Expires = True
             .ExpiresTime = DateAdd(sType, iDuration, Now())
             .Save
          End With
       End If
       On Error Goto 0
       .Close
    End With
End Sub
I guess ADMINISTRATOR needs no replacing... and sType and iDuration values are read from the database?
I've already added

[Settings]
DisableAUTHList=25

to hmailserver.ini so no real harm can be done there but I would still like to ban them. Connection attempts look like this:

"TCPIP"	728	"2019-12-27 17:23:50.013"	"TCP - 193.56.28.68 connected to 192.168.1.185:25."
"SMTPD"	728	11	"2019-12-27 17:23:50.014"	"193.56.28.68"	"SENT: 220 xxlspeed.spdns.de ESMTP"
"SMTPD"	10100	11	"2019-12-27 17:23:50.059"	"193.56.28.68"	"RECEIVED: EHLO User"
"SMTPD"	10100	11	"2019-12-27 17:23:50.059"	"193.56.28.68"	"SENT: 250-xxlspeed.spdns.de[nl]250-SIZE 20480000[nl]250 HELP"
"SMTPD"	6176	11	"2019-12-27 17:23:50.114"	"193.56.28.68"	"RECEIVED: RSET"
"SMTPD"	6176	11	"2019-12-27 17:23:50.115"	"193.56.28.68"	"SENT: 250 OK"
"SMTPD"	728	11	"2019-12-27 17:23:50.158"	"193.56.28.68"	"RECEIVED: AUTH LOGIN"
"SMTPD"	728	11	"2019-12-27 17:23:50.159"	"193.56.28.68"	"SENT: 504 Authentication not enabled."
"SMTPD"	4460	11	"2019-12-27 17:23:50.202"	"193.56.28.68"	"RECEIVED: QUIT"
"SMTPD"	4460	11	"2019-12-27 17:23:50.203"	"193.56.28.68"	"SENT: 221 goodbye"
Can you spot anything in the code which I need to remedy? Thanks in advance!
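
The session above can be checked offline before the event handler is touched. The following Python script is an added example, not part of this thread or of hMailServer: it parses the tab-separated, double-quoted SMTPD log format shown above, groups lines per (IP, session), extracts the HELO/EHLO argument, tests it against the blocklist regex from the script (as an unanchored, case-insensitive search, which is what VBScript.RegExp's .Test does with .IgnoreCase = True and .Global = False) and records whether the client went on to attempt AUTH after the greeting. The sample log is the thread's own lines (including the later "EHLO []" line) plus one constructed benign session from 203.0.113.10 whose hostname contains "superuser"; that session shows the drawback of a bare "User" substring in the blocklist, while "[]" shows that anything not listed passes.

```python
import csv
import io
import re
from collections import OrderedDict

# Blocklist regex from the script above. VBScript.RegExp .Test() with
# .Global = False and .IgnoreCase = True is an unanchored, case-insensitive
# search, which re.search with re.IGNORECASE reproduces.
BLOCKLIST = re.compile(
    r"(127\.0\.0\.1|mail\.jorgo\.org|mydomain|User|scanner\.sslsonar\.org|zg-0911)",
    re.IGNORECASE,
)

# "RECEIVED: EHLO <greeting>" or "RECEIVED: HELO <greeting>"
GREETING_RE = re.compile(r"^RECEIVED: (?:EHLO|HELO)\s*(.*)$", re.IGNORECASE)

# Thread's own log lines plus a constructed benign session (203.0.113.10,
# session 12) whose hostname happens to contain "user".
SAMPLE_LOG = (
    '"TCPIP"\t728\t"2019-12-27 17:23:50.013"\t"TCP - 193.56.28.68 connected to 192.168.1.185:25."\n'
    '"SMTPD"\t728\t11\t"2019-12-27 17:23:50.014"\t"193.56.28.68"\t"SENT: 220 xxlspeed.spdns.de ESMTP"\n'
    '"SMTPD"\t10100\t11\t"2019-12-27 17:23:50.059"\t"193.56.28.68"\t"RECEIVED: EHLO User"\n'
    '"SMTPD"\t10100\t11\t"2019-12-27 17:23:50.059"\t"193.56.28.68"\t"SENT: 250-xxlspeed.spdns.de[nl]250-SIZE 20480000[nl]250 HELP"\n'
    '"SMTPD"\t6176\t11\t"2019-12-27 17:23:50.114"\t"193.56.28.68"\t"RECEIVED: RSET"\n'
    '"SMTPD"\t6176\t11\t"2019-12-27 17:23:50.115"\t"193.56.28.68"\t"SENT: 250 OK"\n'
    '"SMTPD"\t728\t11\t"2019-12-27 17:23:50.158"\t"193.56.28.68"\t"RECEIVED: AUTH LOGIN"\n'
    '"SMTPD"\t728\t11\t"2019-12-27 17:23:50.159"\t"193.56.28.68"\t"SENT: 504 Authentication not enabled."\n'
    '"SMTPD"\t4460\t11\t"2019-12-27 17:23:50.202"\t"193.56.28.68"\t"RECEIVED: QUIT"\n'
    '"SMTPD"\t4460\t11\t"2019-12-27 17:23:50.203"\t"193.56.28.68"\t"SENT: 221 goodbye"\n'
    '"SMTPD"\t4420\t119\t"2020-01-18 15:39:30.541"\t"223.71.167.164"\t"RECEIVED: EHLO []"\n'
    '"SMTPD"\t900\t12\t"2019-12-27 18:01:02.000"\t"203.0.113.10"\t"RECEIVED: EHLO mail.superuser.example"\n'
    '"SMTPD"\t900\t12\t"2019-12-27 18:01:02.050"\t"203.0.113.10"\t"RECEIVED: MAIL FROM:<news@superuser.example>"\n'
)


def parse_smtpd_rows(log_text):
    """Yield (session, ip, message) for each SMTPD row.

    TCPIP rows have one field fewer (no session id) and are skipped.
    """
    for row in csv.reader(io.StringIO(log_text), delimiter="\t"):
        if len(row) == 6 and row[0] == "SMTPD":
            yield row[2], row[4], row[5]


def summarise_sessions(log_text):
    """Group rows per (ip, session); record the greeting, whether it hit the
    blocklist, and whether AUTH was attempted and refused with 504."""
    sessions = OrderedDict()
    for session, ip, msg in parse_smtpd_rows(log_text):
        s = sessions.setdefault((ip, session), {
            "ip": ip, "session": session, "greeting": None,
            "flagged": False, "auth_attempted": False, "auth_refused": False,
        })
        m = GREETING_RE.match(msg)
        if m:
            s["greeting"] = m.group(1)
            s["flagged"] = BLOCKLIST.search(m.group(1)) is not None
        elif msg.upper().startswith("RECEIVED: AUTH"):
            s["auth_attempted"] = True
        elif msg.startswith("SENT: 504"):
            s["auth_refused"] = True
    return list(sessions.values())


def ban_candidates(log_text):
    """IPs whose greeting hit the blocklist, i.e. what OnHELO would ban."""
    return [s["ip"] for s in summarise_sessions(log_text) if s["flagged"]]


if __name__ == "__main__":
    for s in summarise_sessions(SAMPLE_LOG):
        print(s)
```

Run against a real log, only the SMTPD rows matter; the 193.56.28.68 session shows the pattern in the post (suspicious greeting, then AUTH LOGIN answered with 504), and the constructed 203.0.113.10 session lands on the ban list only because "User" matches inside "superuser".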

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2019-12-27 18:56

EventLog.Write(HELO & vbTab & oClient.IPAddress & vbTab & oClient.Port)
I presume this is supposed to be "oClient.HELO" since there is no variable called "HELO" :roll:

Did you remove the "ERROR" lines in the output?

You'd better get your reading glasses... sType and iDuration are passed in the call to AutoBan.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Re: Block attack based on Greeting not having effect

Post by Jorgo » 2019-12-27 19:04

I changed that one line to

          EventLog.Write(oClient.HELO & vbTab & oClient.IPAddress & vbTab & oClient.Port)
Still no ban, and no errors are written to the log. The attacker tries every 6 minutes so I have lots of tries to test :-)
So, do I have to insert actual values here

.ExpiresTime = DateAdd(sType, iDuration, Now())
like

.ExpiresTime = DateAdd(m, 1, Now())
? Again, excuse me for asking stupid questions.

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2019-12-28 00:13

Jorgo wrote:
2019-12-27 19:04
I changed that one line to

          EventLog.Write(oClient.HELO & vbTab & oClient.IPAddress & vbTab & oClient.Port)
Still no ban, and no errors are written to the log. The attacker tries every 6 minutes so I have lots of tries to test :-)
So, do I have to insert actual values here

.ExpiresTime = DateAdd(sType, iDuration, Now())
like

.ExpiresTime = DateAdd(m, 1, Now())
? Again, excuse me for asking stupid questions.
1)
strRegEx string use of parentheses fixed.

2)
ADMINISTRATOR is a constant = "Administrator"
PASSWORD is a constant = "hMailserver Administrator password"

3)
Call AutoBan(oClient.IPAddress, "HELO " & oClient.HELO, 2, "d")
means 2 days...

You should use
Call AutoBan(oClient.IPAddress, "HELO " & oClient.HELO, 1, "m")
I never really expected it would be that hard to understand when I made these functions... You are the first!

4) This should be functioning code. You have mixed revisions of code that could never work together.
REMEMBER! You must use a version of hMailServer modified by RvdH to include the "Sub OnHELO(oClient)" trigger OR the latest 5.7 64bit alpha version of hMailServer.

'
'   COM authentication
'
Private Const ADMINISTRATOR = "Administrator"
Private Const MYPASSWORD = "hMailServer Administrator Password"

Function Wait(sec)
    With CreateObject("WScript.Shell")
        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
    End With
End Function

Function LockFile(strPath)
    Const Append = 8
    Const Unicode = -1
    Dim i
    On Error Resume Next
    With CreateObject("Scripting.FileSystemObject")
        For i = 0 To 30
            Err.Clear
            Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
            If (Not Err.Number = 70) Then Exit For
            Wait(1)
        Next
    End With
    If (Err.Number = 70) Then
        EventLog.Write( "ERROR: EventHandlers.vbs" )
        EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
        Err.Clear
    ElseIf (Err.Number <> 0) Then
        EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
        EventLog.Write( "Error       : " & Err.Number )
        EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
        EventLog.Write( "Source      : " & Err.Source )
        EventLog.Write( "Description : " & Err.Description )
        Err.Clear
    End If
    On Error Goto 0
End Function

Function Lookup(strRegEx, strMatch) : Lookup = False
    If strRegEx = "" Then Exit Function
    With CreateObject("VBScript.RegExp")
        .Pattern = strRegEx
        .Global = False
        .MultiLine = True
        .IgnoreCase = True
        If .Test(strMatch) Then Lookup = True
    End With
End Function

Sub OnHELO(oClient)
      '
      ' Exclude local LAN from test
      '
      If (Left(oClient.IPAddress, 10) = "192.168.1.") Then Exit Sub
      If (Left(oClient.IPAddress, 9) = "127.0.0.1") Then Exit Sub

      strRegEx = "(127\.0\.0\.1)|(mail\.jorgo\.org)|(mydomain)|(User)|(scanner\.sslsonar\.org)|(zg-0911)"
      If (Lookup(strRegEx, oClient.HELO) = True) Then
          '
          ' Validate HELO/EHLO greeting
          '
          Result.Value = 2
          Result.Message = "5.7.1 Your access to this mail system has been rejected due to the sending\n" &_
                           "      MTA's poor reputation. If you believe that this failure is in error,\n" &_
                           "      please contact the intended recipient via alternate means."
          EventLog.Write(oClient.HELO & vbTab & oClient.IPAddress & vbTab & oClient.Port)
          Call AutoBan(oClient.IPAddress, "HELO " & oClient.HELO, 1, "m")
      End If
End Sub
    
'
' sType can be one of the following:
' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
'
Sub AutoBan(sIPAddress, sReason, iDuration, sType)
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMINISTRATOR, MYPASSWORD)
    With LockFile(oApp.Settings.Directories.TempDirectory & "\autoban.lck")
       On Error Resume Next
       oApp.Settings.SecurityRanges.Refresh
       If (oApp.Settings.SecurityRanges.ItemByName("Auto-ban: (" & sReason & ") " & sIPAddress) Is Nothing) Then
          With oApp.Settings.SecurityRanges.Add
             .Name = "Auto-ban: (" & sReason & ") " & sIPAddress
             .LowerIP = sIPAddress
             .UpperIP = sIPAddress
             .Priority = 20
             .Expires = True
             .ExpiresTime = DateAdd(sType, iDuration, Now())
             .Save
          End With
       End If
       On Error Goto 0
       .Close
    End With
End Sub
And YES... I initially wrote the OnHELO trigger for my 5.4.2 hMailServer AND the vbs code around it like the script code above.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Re: Block attack based on Greeting not having effect

Post by Jorgo » 2019-12-28 02:02

SorenR wrote:
2019-12-28 00:13
I never really expected it would be that hard to understand when I made these functions... You are the first!
I come from a completely different discipline than mathematics; I'm much better at interpreting the law than programming code. Here I learn best from examples and I am very grateful for your explanations. I was able to make it work by updating to the latest x64 version and now everything works as expected.

Thanks again for your updated code and should you ever need legal expertise in data protection or IT matters maybe I can return the favour! :D

palinka
Senior user
Posts: 1562
Joined: 2017-09-12 17:57

Re: Block attack based on Greeting not having effect

Post by palinka » 2019-12-28 03:09

SorenR wrote:
2019-12-28 00:13
Call AutoBan(oClient.IPAddress, "HELO " & oClient.HELO, 1, "m")
I never really expected it would be that hard to understand when I made these functions... You are the first!
Well, not exactly the first. :mrgreen:

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2019-12-28 04:37

Jorgo wrote:
2019-12-28 02:02
SorenR wrote:
2019-12-28 00:13
I never really expected it would be that hard to understand when I made these functions... You are the first!
I come from a completely different discipline than mathematics; I'm much better at interpreting the law than programming code. Here I learn best from examples and I am very grateful for your explanations. I was able to make it work by updating to the latest x64 version and now everything works as expected.

Thanks again for your updated code and should you ever need legal expertise in data protection or IT matters maybe I can return the favour! :D
Glad that it worked for you in the end. You mention law ... EU law?
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Re: Block attack based on Greeting not having effect

Post by Jorgo » 2019-12-28 12:47

Yup.

mattg
Moderator
Posts: 20554
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block attack based on Greeting not having effect

Post by mattg » 2019-12-29 01:21

ALSO,

I find that with OnHELO sometimes the sending server has no greeting when there is no security on the connection (SSL/TLS), but when asked to secure a connection via STARTTLS, the sending server THEN sends a greeting.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2019-12-29 03:31

mattg wrote:
2019-12-29 01:21
ALSO,

I find that with OnHELO sometimes the sending server has no greeting when there is no security on the connection (SSL/TLS), but when asked to secure a connection via STARTTLS, the sending server THEN sends a greeting.
Not good... No greeting with EHLO/HELO is non-compliant behavior and should be rejected on the spot.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jimimaseye
Moderator
Posts: 8309
Joined: 2011-09-08 17:48

Re: Block attack based on Greeting not having effect

Post by jimimaseye » 2019-12-29 12:02

But, although technically non-compliant to the RFC, the sender and connecting server may be genuine, and rejecting it may mean lost valuable emails. The sender may not be aware of the cause of his rejection and may not be associated with the admin of the sending server. Given that it is compliant once TLS is established, would it not be prudent to ignore? (We know the world of email is full of non-compliance. E.g., just see how many servers reject RFC-compliant email addresses with a "+" or "-" in them.)

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

palinka
Senior user
Posts: 1562
Joined: 2017-09-12 17:57

Re: Block attack based on Greeting not having effect

Post by palinka » 2019-12-29 15:46

mattg wrote:
2019-12-29 01:21
ALSO,

I find that with OnHELO sometimes the sending server has no greeting when there is no security on the connection (SSL/TLS), but when asked to secure a connection via STARTTLS, the sending server THEN sends a greeting.
I have never once seen this and this is something I track closely with my firewall ban project - and through my logging. One of my filters validates helo ("HELO-Inv")
[attachment: Screenshot_20191229-084243_Brave.jpg]
I agree with Soren. Empty helo = rejectionable event.

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2019-12-29 22:18

Well....

S: 220 smtp.server.com Simple Mail Transfer Service Ready
C: EHLO client.example.com
S: 250-smtp.server.com Hello client.example.com
S: 250-SIZE 1000000
S: 250-AUTH LOGIN PLAIN CRAM-MD5
S: 250-STARTTLS
S: 250 HELP
C: STARTTLS
S: 220 TLS go ahead
C: EHLO client.example.com
S: 250-smtp.server.com Hello client.example.com
S: 250-SIZE 1000000
S: 250-AUTH LOGIN PLAIN CRAM-MD5
S: 250 HELP
Tell me HOW the connecting server can know in advance to use TLS, so that it does not need to send an RFC-compliant EHLO <greeting> at initial contact...

No greeting, no cookie!
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

jimimaseye
Moderator
Posts: 8309
Joined: 2011-09-08 17:48

Re: Block attack based on Greeting not having effect

Post by jimimaseye » 2019-12-29 22:25

Perhaps matt meant that the EHLO word was received but no domain or ip address following?

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2019-12-29 22:37

jimimaseye wrote:
2019-12-29 22:25
Perhaps matt meant that the EHLO word was received but no domain or ip address following?

[Entered by mobile. Excuse my spelling.]
I got that much, it's still non-compliant regardless of TLS in any way or shape.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

mattg
Moderator
Posts: 20554
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block attack based on Greeting not having effect

Post by mattg » 2019-12-30 01:03

My comment was more about the OnHELO not recording the HELO, rather than the server not sending a HELO

I've been looking in my logs
No recent examples that I can see

viewtopic.php?f=2&t=32833&hilit=greylis ... st#p205051
That was July 2018

Just looking through my old logs, I re-started recording OnHELO responses about then and can't see a single instance of HELO not being recorded. I can't see when I was previously recording the OnHELO results, but was obviously a long time before that.

I'm thinking my experience of not seeing a value at OnHELO may have been when I first started using that, long long ago. I expect that in its current form, OnHELO works as expected.

I found this trying to implement on-the-fly greylist >> whitelisting for large mail senders like gMail, office365 etc
https://www.hmailserver.com/forum/viewt ... 21&t=29238

It looks like back then (Feb 2016) I was using OnSMTPdata before OnHELO was implemented, so I really may have remembered this incorrectly. Looks like this is WHY OnHELO was developed.

(Fun excuse to see how far back my logs go - I have logs going back to December 2011)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Re: Block attack based on Greeting not having effect

Post by Jorgo » 2019-12-30 02:58

@SorenR
Could the code you posted be changed to ban the whole subnet of a presumed spammer/attacker? Right now it only bans the specific IP address, but I've seen some instances where the same thing repeats from another address in the same /24 subnet. Expanding the ban to the whole /24 subnet as a preemptive strike would be nice and keep the ban list smaller....

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2019-12-30 04:28

Jorgo wrote:
2019-12-30 02:58
@SorenR
Could the code you posted be changed to ban the whole subnet of a presumed spammer/attacker? Right now it only bans the specific IP address, but I've seen some instances where the same thing repeats from another address in the same /24 subnet. Expanding the ban to the whole /24 subnet as a preemptive strike would be nice and keep the ban list smaller....

Call BanClassC(oClient.IPAddress)

Function BanClassC(sIPAddress) : BanClassC = False
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMINISTRATOR, MYPASSWORD)
    Dim a : a = Split(sIPAddress, ".")
    Dim strBan : strBan = "( Class C Network ) " & a(0) & "." & a(1) & "." & a(2) & ".0 - " & a(0) & "." & a(1) & "." & a(2) & ".255"
    On Error Resume Next
    Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName(strBan)
    If Err.Number = 9 Then
        With oApp.Settings.SecurityRanges.Add
            .Name = strBan
            .LowerIP = a(0) & "." & a(1) & "." & a(2) & ".0"
            .UpperIP = a(0) & "." & a(1) & "." & a(2) & ".255"
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd("m", 1, Now())
            .Save
        End With
        BanClassC = True
    End If
    On Error Goto 0
    Set oApp = Nothing
End Function
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
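
The two pieces of the ban logic in this thread, the expiry computed with DateAdd and the /24 range built from the dotted address, can be modelled outside hMailServer. The Python below is an added example, not SorenR's code and not hMailServer's API: date_add reproduces VBScript DateAdd for the six interval codes AutoBan documents (month and year steps clamp to the last valid day, as DateAdd does), network_range produces the same "( Class C Network ) a.b.c.0 - a.b.c.255" name as BanClassC, and BanList is an in-memory stand-in for SecurityRanges that, like the ItemByName check, refuses a second entry with the same name. It goes beyond the thread in one place: for an IPv6 client, where Split(sIPAddress, ".") would not yield three octets, it assumes a /64 block; that choice is this example's, not the thread's.

```python
import calendar
import ipaddress
from datetime import datetime, timedelta


def date_add(interval, number, when):
    """Python equivalent of VBScript DateAdd for the interval codes the
    thread's AutoBan accepts: "yyyy", "m", "d", "h", "n", "s".
    Month/year steps clamp to the last valid day (31 Jan + 1 m = 29 Feb 2020)."""
    if interval in ("yyyy", "m"):
        months = number * 12 if interval == "yyyy" else number
        total = when.year * 12 + (when.month - 1) + months
        year, month = divmod(total, 12)
        month += 1
        day = min(when.day, calendar.monthrange(year, month)[1])
        return when.replace(year=year, month=month, day=day)
    delta = {"d": timedelta(days=number), "h": timedelta(hours=number),
             "n": timedelta(minutes=number), "s": timedelta(seconds=number)}
    return when + delta[interval]


def network_range(ip_text):
    """(name, lower, upper) for the block containing ip_text, named the way
    BanClassC names it. IPv4 uses /24 as in the thread; IPv6 uses /64, an
    assumption of this example (splitting on '.' would fail there)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 4:
        net, label = ipaddress.ip_network(f"{ip}/24", strict=False), "Class C Network"
    else:
        net, label = ipaddress.ip_network(f"{ip}/64", strict=False), "IPv6 /64 Network"
    lower, upper = str(net.network_address), str(net.broadcast_address)
    return f"( {label} ) {lower} - {upper}", lower, upper


class BanList:
    """In-memory stand-in for hMailServer's SecurityRanges collection.
    Entries are keyed by name, so banning a second address from an already
    banned block is a no-op, which is what the ItemByName check achieves."""

    def __init__(self):
        self.entries = {}

    def ban_block(self, ip_text, now, interval="m", duration=1):
        """Add a block ban expiring DateAdd(interval, duration, now) from
        now; returns True when a new entry was created, like BanClassC."""
        name, lower, upper = network_range(ip_text)
        if name in self.entries:
            return False
        self.entries[name] = {"lower": lower, "upper": upper, "priority": 20,
                              "expires": date_add(interval, duration, now)}
        return True

    def expire(self, now):
        """Drop entries whose expiry has passed; returns how many were removed."""
        gone = [n for n, e in self.entries.items() if e["expires"] <= now]
        for n in gone:
            del self.entries[n]
        return len(gone)


if __name__ == "__main__":
    bans = BanList()
    now = datetime(2019, 12, 30, 4, 28)
    print(bans.ban_block("193.56.28.68", now), bans.ban_block("193.56.28.200", now))
    for name, entry in bans.entries.items():
        print(name, entry)
```

The name carries the range bounds, so two attackers from the same /24 collapse into one entry; the expiry check is the part hMailServer does for you when .Expires is set, and is included here only so the whole life cycle of an entry can be exercised offline.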

palinka
Senior user
Posts: 1562
Joined: 2017-09-12 17:57

Re: Block attack based on Greeting not having effect

Post by palinka » 2019-12-30 04:55

Jorgo wrote:
2019-12-30 02:58
@SorenR
Could the code you posted be changed to ban the whole subnet of a presumed spammer/attacker? Right now it only bans the specific IP address, but I've seen some instances where the same thing repeats from another address in the same /24 subnet. Expanding the ban to the whole /24 subnet as a preemptive strike would be nice and keep the ban list smaller....
You could try this: http://hmailserver.com/forum/viewtopic.php?f=20&t=34599

It doesn't ban entire ranges, which could end up in false positives, but rather uses HELO domain presented to determine spamminess. It works well with a certain type of brand new spammers (not yet listed by spamhaus, etc.)

Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Re: Block attack based on Greeting not having effect

Post by Jorgo » 2020-01-06 11:51

I just found out that blocking 127.0.0.1 in HELO is not a good idea, since my own smartphone software (K9-Mail) uses this greeting...

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2020-01-06 16:00

Jorgo wrote:
2020-01-06 11:51
I just found out that blocking 127.0.0.1 in HELO is not a good idea, since my own smartphone software (K9-Mail) uses this greeting...
Perhaps you should spend some time figuring out WHY your phone identifies itself as 127.0.0.1 as this is clearly VERY wrong!

RFC says "EHLO" SP ( Domain / address-literal ) CRLF

"Domain" is the client FQDN. Sometimes the workstation hostname is used and a non-compliant hostname can be handled using a whitelist.
"address-literal" uses four small decimal integers separated by dots and enclosed by brackets such as [123.255.37.2]

IF a usable FQDN (or hostname) is not obtainable, the greeting should contain "[<client ip address>]" to stay RFC compliant.

127.0.0.1 is generally regarded as a source of SPAM as it is a NON-routable IP address and thus cannot be the origin of an IP packet sent to a remote IP address.

It seems the devs of K9 are illiterate or simply stupid...

https://github.com/k9mail/k-9/issues/1399
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Re: Block attack based on Greeting not having effect

Post by Jorgo » 2020-01-18 19:12

Today I've seen this:

"SMTPD"	4420	119	"2020-01-18 15:39:30.541"	"223.71.167.164"	"RECEIVED: EHLO []"
How would I add an empty EHLO to the regEx String?

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2020-01-18 19:22

Jorgo wrote:
2020-01-18 19:12
Today I've seen this:

"SMTPD"	4420	119	"2020-01-18 15:39:30.541"	"223.71.167.164"	"RECEIVED: EHLO []"
How would I add an empty EHLO to the regEx String?
It's not empty... It's a pair of brackets ;-)

"(\[\])"
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

palinka
Senior user
Posts: 1562
Joined: 2017-09-12 17:57

Re: Block attack based on Greeting not having effect

Post by palinka » 2020-01-18 21:34

Jorgo wrote:
2020-01-18 19:12
Today I've seen this:

"SMTPD"	4420	119	"2020-01-18 15:39:30.541"	"223.71.167.164"	"RECEIVED: EHLO []"
How would I add an empty EHLO to the regEx String?

^$
Empty regex string. :D

Would not pick up "[]".

Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Re: Block attack based on Greeting not having effect

Post by Jorgo » 2020-01-18 22:08

Thanks guys! Of course, having no clue I assumed that the brackets were added by the server software to show the greeting enclosed within.

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2020-01-18 23:18

palinka wrote:
2020-01-18 21:34
Jorgo wrote:
2020-01-18 19:12
Today I've seen this:

"SMTPD"	4420	119	"2020-01-18 15:39:30.541"	"223.71.167.164"	"RECEIVED: EHLO []"
How would I add an empty EHLO to the regEx String?

^$
Empty regex string. :D

Would not pickup "[]".
Wrong... The brackets are NOT added by hMailServer.

The RFC says brackets are ONLY used with address literals like "[223.71.167.164]"...
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Jorgo
New user
Posts: 18
Joined: 2018-01-21 19:54
Location: Germany

Re: Block attack based on Greeting not having effect

Post by Jorgo » 2020-02-07 00:06

Got another idea... would I be correct in assuming that any valid greeting needs to have a period somewhere?
If so, is there a REGEX that matches a string with a period explicitly missing?

Hm... probably this one
^[^.]*$
including empty string

mattg
Moderator
Posts: 20554
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Block attack based on Greeting not having effect

Post by mattg » 2020-02-07 01:58

Do IPv6 addresses have a period (.) in them, or do they have colons (:)?

I have many machines that send automated emails via scripts, via my server that simply have a local computer name as the greeting.

This would be things like 'DB-Server' in a workgroup with no automatic FQDN added to the server name.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3328
Joined: 2006-08-21 15:38
Location: Denmark

Re: Block attack based on Greeting not having effect

Post by SorenR » 2020-02-07 03:09

Jorgo wrote:
2020-02-07 00:06
Got another idea... would I be correct in assuming that any valid greeting needs to have a period somewhere?
If so, is there a REGEX that matches a string with a period explicitly missing?

'
'   Validate HELO/EHLO greeting
'
Const strFQDN = "^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+(?:[a-z]{2,})$)$"
Const strIPv4 = "^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
Const strIPv6 = "^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}(?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$"
strRegEx = strFQDN & "|" & strIPv4 & "|" & strIPv6
IF strRegEx is true for oClient.HELO then greeting is RFC Compliant - OK - Fine - As it should be - H.U.A.

For my own server, my explicit whitelist and the above RegEx determine if message initially is to be treated as SPAM or worse.

P.S.: I don't use IPv6.
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde
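
The three patterns above can be exercised offline against the greetings that came up in this thread. The Python below is an added example and not the code of any poster or of hMailServer: it joins strFQDN, strIPv4 and strIPv6 with "|" exactly as the VBScript does (the IPv6 octet group written as a non-capturing group like the rest of the pattern), matches case-insensitively to mirror .IgnoreCase = True, adds a constructed allowlist in place of the "explicit whitelist" SorenR mentions (covering bare workgroup names like mattg's 'DB-Server'), and runs Jorgo's ^[^.]*$ heuristic beside it so the two approaches can be compared on the same input. The sample greetings are from the thread plus a few constructed edge cases (a leading hyphen, a bare "localhost", an empty string). VBScript.RegExp and Python's re agree on every construct these patterns use (lookahead, negative lookahead, non-capturing groups, anchors).

```python
import re

# The three patterns from the post, joined as strFQDN & "|" & strIPv4 & "|" & strIPv6.
# Each alternative carries its own ^...$ anchors, so the alternation is safe.
STR_FQDN = (r"^(?=^.{1,254}$)(^(?:(?!\.|-)([a-z0-9\-\*]{1,63}|([a-z0-9\-]{1,62}[a-z0-9]))\.)+"
            r"(?:[a-z]{2,})$)$")
STR_IPV4 = r"^\[(?:[0-9]{1,3}\.){3}[0-9]{1,3}\]$"
STR_IPV6 = (r"^\[(IPv6)((?:[0-9A-Fa-f]{0,4}:){1,7}"
            r"(?:(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}"
            r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)|[0-9A-Fa-f]{1,4}))\]$")
COMPLIANT = re.compile(STR_FQDN + "|" + STR_IPV4 + "|" + STR_IPV6, re.IGNORECASE)

# Jorgo's "no period anywhere" heuristic, including the empty string.
NO_PERIOD = re.compile(r"^[^.]*$")

# Constructed allowlist standing in for the explicit whitelist: bare
# workgroup names that send through the server but have no FQDN.
WHITELIST = {"db-server"}


def classify_greeting(greeting, whitelist=WHITELIST):
    """Return 'whitelisted', 'compliant' or 'non-compliant' for one
    HELO/EHLO argument, in the order the thread's check applies them."""
    g = greeting.strip()
    if g.lower() in whitelist:
        return "whitelisted"
    if COMPLIANT.search(g):
        return "compliant"
    return "non-compliant"


def no_period(greeting):
    """True when ^[^.]*$ would flag the greeting (no '.' at all, or empty)."""
    return NO_PERIOD.search(greeting.strip()) is not None


# Greetings seen in the thread plus constructed edge cases.
SAMPLES = ["client.example.com", "xxlspeed.spdns.de", "[223.71.167.164]",
           "[IPv6:2001:db8::1]", "User", "[]", "127.0.0.1", "DB-Server",
           "-leading.example.com", "localhost", ""]

if __name__ == "__main__":
    for g in SAMPLES:
        print(f"{g!r:24} {classify_greeting(g):14} no_period={no_period(g)}")
```

The interesting row is the IPv6 literal: the RFC patterns accept it, while the "no period" heuristic flags it, which is the point mattg raises about colons. Bare "127.0.0.1" without brackets fails all three patterns, consistent with the address-literal rule quoted earlier in the thread.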
