example:
HELO/EHLO: eisentraut.zachariaszels.com
MAIL FROM: eisentraut@zachariaszels.com
To catch these early, I did this:
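' hMailServer OnSMTPData handler: rejects and auto-bans a client whose HELO/EHLO
' name and envelope sender become the same string once every "." and "@" is
' removed (constructed example: HELO "user.example.com" with
' MAIL FROM "user@example.com").
'
' oClient  - connection object; HELO and IPAddress are read.
' oMessage - message object; FromAddress (the envelope sender) is read.
'
' Both compared values are chosen by the connecting client, so a match is a
' heuristic, not proof of abuse. A legitimate host whose HELO name happens to
' equal its sender address modulo dots and "@" is rejected and banned as well.
' Review the event log for false positives before relying on the auto-ban, and
' consider exempting authenticated or trusted relays.
Sub OnSMTPData(oClient, oMessage)
    Dim strHeloKey, strSenderKey

    ' A null envelope sender (MAIL FROM:<>) gives nothing to compare.
    If oMessage.FromAddress = "" Then Exit Sub

    ' Normalise both values once: drop every "." and "@".
    strHeloKey = ereg_replace(oClient.HELO, "[\@\.]", Empty, true)
    strSenderKey = ereg_replace(oMessage.FromAddress, "[\@\.]", Empty, true)

    ' Compare mode 1 is a textual (case-insensitive) comparison.
    If StrComp(strHeloKey, strSenderKey, 1) <> 0 Then Exit Sub

    ' The log text now says 554, the status the server sends for Result.Value = 2.
    ' It previously said 542, which did not match the reply in the SMTP log.
    ' HELO and FromAddress are client-supplied text written verbatim to the log.
    Eventlog.Write("OnSMTPdata: HELO " & oClient.HELO & " FROM " & oMessage.FromAddress & " (" & oClient.IPAddress& "). 554 Rejected" )

    Result.Message= "5.7.1 Your access to this mail system has been rejected due to " &_
        "the sending MTA's poor reputation. If you believe that this failure is " &_
        "in error, please contact the intended recipient via alternate means."
    Result.Value = 2

    ' AutoBan is defined elsewhere in the script. The arguments 1 and "d"
    ' presumably mean a ban of one day - confirm against its definition.
    Call AutoBan(oClient.IPAddress, oMessage.FromAddress, 1, "d")
    Exit Sub
End Sub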
' Returns strOriginalString with every match of the regular expression
' strPattern replaced by strReplacement (all matches, not only the first).
' varIgnoreCase: True for a case-insensitive match, False for a case-sensitive one.
' from http://www.addedbytes.com/asp/vbscript-regular-expressions/
Function ereg_replace(strOriginalString, strPattern, strReplacement, varIgnoreCase)
    Dim rxReplace
    Set rxReplace = New RegExp

    rxReplace.Pattern = strPattern
    rxReplace.IgnoreCase = varIgnoreCase
    rxReplace.Global = True   ' replace all occurrences

    ereg_replace = rxReplace.Replace(strOriginalString, strReplacement)

    Set rxReplace = Nothing
End Function
Basically, it strips all dots (.) and at signs (@) from the HELO name and from the sender address, and then checks whether the two resulting strings are identical (ignoring case). In this case both strings are 'eisentrautzachariaszelscom', which results in a 554 rejection (and an auto-ban):
"SMTPD" 6132 187452 "2019-06-08 13:13:11.886" "64.44.61.130" "SENT: 220 mail.domain.com ESMTP"
"SMTPD" 7692 187452 "2019-06-08 13:13:11.980" "64.44.61.130" "RECEIVED: EHLO eisentraut.zachariaszels.com"
"SMTPD" 7692 187452 "2019-06-08 13:13:12.027" "64.44.61.130" "SENT: 250-mail.domain.com[nl]250-SIZE 51200000[nl]250-STARTTLS[nl]250 HELP"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.120" "64.44.61.130" "RECEIVED: STARTTLS"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.120" "64.44.61.130" "SENT: 220 Ready to start TLS"
"SMTPD" 7692 187452 "2019-06-08 13:13:12.466" "64.44.61.130" "RECEIVED: EHLO eisentraut.zachariaszels.com"
"SMTPD" 7692 187452 "2019-06-08 13:13:12.497" "64.44.61.130" "SENT: 250-mail.domain.com[nl]250-SIZE 51200000[nl]250 HELP"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.606" "64.44.61.130" "RECEIVED: MAIL FROM:<eisentraut@zachariaszels.com>"
"SMTPD" 7572 187452 "2019-06-08 13:13:12.606" "64.44.61.130" "SENT: 250 OK"
"SMTPD" 6544 187452 "2019-06-08 13:13:12.715" "64.44.61.130" "RECEIVED: RCPT TO:<info@******.nl>"
"SMTPD" 6544 187452 "2019-06-08 13:13:12.715" "64.44.61.130" "SENT: 250 OK"
"SMTPD" 6132 187452 "2019-06-08 13:13:12.825" "64.44.61.130" "RECEIVED: DATA"
"SMTPD" 6132 187452 "2019-06-08 13:13:12.887" "64.44.61.130" "SENT: 554 5.7.1 Your access to this mail system has been rejected due to the sending MTA's poor reputation. If you believe that this failure is in error, please contact the intended recipient via alternate means."