How to block SMTP attacks for sending multiple mails...
Hi all,
I'm getting hit by some spammers that try to send several mails to my server to non-existent mailboxes (trying to guess the right ones):
"SMTPD" 7896 52740 "2019-06-25 00:58:41.666" "185.222.211.13" "SENT: 550 Unknown user"
Has someone had the same situation, and is there a script that can be connected to Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage) and block the sender IP (via the standard hMailServer auto-ban service)?
Thanks in advance, and sorry if my request duplicates other posts - I tried to search but didn't find an exact answer (I found similar ones, but they don't seem to work in my case). Here are the full logs for information:
"SMTPD" 7884 52812 "2019-06-25 07:34:53.089" "185.222.211.13" "SENT: 220 mail.mydomain.com ESMTP"
"SMTPD" 7840 52812 "2019-06-25 07:34:54.021" "185.222.211.13" "RECEIVED: EHLO hosting-by.nstorage.org"
"SMTPD" 7840 52812 "2019-06-25 07:34:54.025" "185.222.211.13" "SENT: 250-mail.mydomain.com[nl]250-SIZE 50480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 7884 52812 "2019-06-25 07:34:54.583" "185.222.211.13" "RECEIVED: MAIL FROM:<0rw056rs1oqitd@vkd.cz>"
"SMTPD" 7884 52812 "2019-06-25 07:34:54.594" "185.222.211.13" "SENT: 250 OK"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.618" "185.222.211.13" "RECEIVED: RCPT TO:<francois@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.635" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.639" "185.222.211.13" "RECEIVED: RCPT TO:<falecom@mydomain.com>"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.652" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.656" "185.222.211.13" "RECEIVED: RCPT TO:<jana@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.669" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.672" "185.222.211.13" "RECEIVED: RCPT TO:<sven@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.681" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.683" "185.222.211.13" "RECEIVED: RCPT TO:<ar@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.691" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.693" "185.222.211.13" "RECEIVED: RCPT TO:<sabine@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.701" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.703" "185.222.211.13" "RECEIVED: RCPT TO:<martina@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.708" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.710" "185.222.211.13" "RECEIVED: RCPT TO:<eli@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.714" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.716" "185.222.211.13" "RECEIVED: RCPT TO:<dominique@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.720" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.722" "185.222.211.13" "RECEIVED: RCPT TO:<shelly@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.726" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.728" "185.222.211.13" "RECEIVED: RCPT TO:<lynne@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.733" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.734" "185.222.211.13" "RECEIVED: RCPT TO:<lea@mydomain.com>"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.739" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.740" "185.222.211.13" "RECEIVED: RCPT TO:<smtp@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.745" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.746" "185.222.211.13" "RECEIVED: RCPT TO:<123456@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.751" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.752" "185.222.211.13" "RECEIVED: RCPT TO:<parts@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.756" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.758" "185.222.211.13" "RECEIVED: RCPT TO:<dick@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.762" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.764" "185.222.211.13" "RECEIVED: RCPT TO:<florence@mydomain.com>"
Re: How to block SMTP attacks for sending multiple mails...
In Protocols >> SMTP >> RFC compliance
what do you have for 'Maximum number of invalid commands'?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: How to block SMTP attacks for sending multiple mails...
185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...
The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.
The COM object used for DNS lookups is made by RvdH, who also maintains the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628
And the script part looks like this:
'
' COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "VerySecretPassword"

' Query Spamhaus ZEN for the reversed IP; an answer of 127.0.0.3 is the CSS (snowshoe) listing
Function IsSnowShoe(strIP) : IsSnowShoe = False
    Dim a, strLookup
    a = Split(strIP, ".")
    With CreateObject("DNSLibrary.DNSResolver")
        strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zen.spamhaus.org")
    End With
    If (InStr(1, strLookup, "127.0.0.3", 1) > 0) Then IsSnowShoe = True
End Function

' Add an expiring IP range for sIPAddress unless a range with the same name already exists
Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
    '
    ' sType can be one of the following;
    ' "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    On Error Resume Next
    ' ItemByName raises error 9 (subscript out of range) when no range with that name exists
    Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
    If Err.Number = 9 Then
        With oApp.Settings.SecurityRanges.Add
            .Name = "(" & sReason & ") " & sIPAddress
            .LowerIP = sIPAddress
            .UpperIP = sIPAddress
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd(sType, iDuration, Now())
            .Save
        End With
        AutoBan = True
    End If
    On Error Goto 0
    Set oApp = Nothing
End Function

' Left-justify str in a field of the given length, padded with pad
Function LPad(str, length, pad)
    LPad = Left(CStr(str) & String(length, pad), length)
End Function

Sub OnClientConnect(oClient)
    '
    ' SnowShoe SPAM detection, BAN for 1 month.
    '
    If IsSnowShoe(oClient.IPAddress) Then
        EventLog.Write( LPad("SnowShoe", 15, " ") & vbTab & oClient.IPAddress )
        Call AutoBan(oClient.IPAddress, "SnowShoe", 1, "m")
        Result.Value = 1
        Exit Sub
    End If
End Sub
SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
Re: How to block SMTP attacks for sending multiple mails...
Thanks,
SorenR wrote: ↑2019-06-25 12:08
185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...
The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.
The COM object used for DNS lookups is made by RvdH, who also maintains the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628
And the script part looks like this:
I forgot to add that I prefer solutions that do not depend on external sources; my idea was to write a script that bans the IP after 3-5 attempts with the default rules (for me the ban duration is 3 months)

What I'm missing is how to cache a list of IPs in memory and access them via VBScript - I was thinking of writing a Windows or web service for that - but it seems too complicated

Anyway - many thanks for the script - I will use it if there is no other easy solution.
Re: How to block SMTP attacks for sending multiple mails...
If you manage to build a script to read the SMTP log you can use the AutoBan function in the example to ban the IP address.
ves wrote: ↑2019-06-25 12:37
Thanks,
SorenR wrote: ↑2019-06-25 12:08
185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...
The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.
The COM object used for DNS lookups is made by RvdH, who also maintains the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628
And the script part looks like this:
I forgot to add that I prefer solutions that do not depend on external sources; my idea was to write a script that bans the IP after 3-5 attempts with the default rules (for me the ban duration is 3 months)
What I'm missing is how to cache a list of IPs in memory and access them via VBScript - I was thinking of writing a Windows or web service for that - but it seems too complicated
Anyway - many thanks for the script - I will use it if there is no other easy solution.
I don't know why, but for some reason the Unix tail -f keeps popping up

EDIT: Have a look at this https://stujordan.wordpress.com/2012/09 ... -vbscript/
SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
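The log-reading approach SorenR suggests, as an added example that is not part of this thread or of hMailServer: a Python model of a tail-style watcher that parses SMTPD log lines in the format shown in the first post, keeps a per-IP sliding-window count of "550 Unknown user" replies (this is the in-memory IP list ves asks about; it lives in the long-running watcher process rather than inside an event handler), and hands an IP to a ban callback the first time it reaches the threshold. The threshold of 5 and the 10-minute window are assumptions, the log excerpt is constructed with documentation addresses, and the callback is where the thread's AutoBan() (the hMailServer SecurityRanges COM call) would be invoked.

```python
"""Per-IP counter for hMailServer "550 Unknown user" replies (added example).

Models the "read the SMTP log, then AutoBan the IP" approach from the thread.
The ban itself is delegated to a callback: in the thread that step is the
VBScript AutoBan() function talking to hMailServer's SecurityRanges via COM.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One hMailServer SMTPD log line, e.g.
# "SMTPD" 7868 52812 "2019-06-25 07:34:55.635" "185.222.211.13" "SENT: 550 Unknown user"
LOG_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+'
    r'"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)"\s+'
    r'"(?P<ip>[0-9.]+)"\s+"(?P<msg>.*)"$'
)

REJECT_PREFIX = "SENT: 550 Unknown user"


def parse_smtpd_line(line):
    """Return (timestamp, session_id, client_ip, message), or None if the line is not SMTPD."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
    return ts, m.group("session"), m.group("ip"), m.group("msg")


class UnknownUserTracker:
    """Sliding-window count of unknown-recipient rejections per client IP.

    feed() is called once per new log line (as a tail-style watcher would do)
    and returns the IP the first time it reaches `threshold` rejections inside
    the window; the ban callback, if any, is invoked at that moment.
    """

    def __init__(self, threshold=5, window_seconds=600, on_ban=None):
        self.threshold = threshold                    # assumed value; ves mentions 3-5 attempts
        self.window = timedelta(seconds=window_seconds)  # assumed value
        self.on_ban = on_ban                          # e.g. a wrapper around the thread's AutoBan()
        self._hits = defaultdict(deque)               # ip -> timestamps of recent rejections
        self.banned = set()                           # IPs already handed to on_ban

    def feed(self, line):
        parsed = parse_smtpd_line(line)
        if parsed is None:
            return None
        ts, _session, ip, msg = parsed
        if not msg.startswith(REJECT_PREFIX) or ip in self.banned:
            return None
        hits = self._hits[ip]
        hits.append(ts)
        # Forget rejections that fell out of the window before comparing with the threshold.
        while hits and ts - hits[0] > self.window:
            hits.popleft()
        count = len(hits)
        if count < self.threshold:
            return None
        self.banned.add(ip)
        del self._hits[ip]
        if self.on_ban is not None:
            self.on_ban(ip, count)
        return ip


# Constructed log excerpt in the SMTPD format (documentation addresses, not real traffic).
SAMPLE_LOG = """\
"SMTPD" 7884 52812 "2019-06-25 07:34:53.089" "192.0.2.10" "SENT: 220 mail.example.com ESMTP"
"SMTPD" 7884 52812 "2019-06-25 07:34:54.583" "192.0.2.10" "RECEIVED: MAIL FROM:<x@example.org>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.618" "192.0.2.10" "RECEIVED: RCPT TO:<a@example.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.635" "192.0.2.10" "SENT: 550 Unknown user"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.652" "192.0.2.10" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.669" "192.0.2.10" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.681" "192.0.2.10" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.691" "192.0.2.10" "SENT: 550 Unknown user"
"SMTPD" 7868 52813 "2019-06-25 07:34:56.001" "198.51.100.7" "SENT: 550 Unknown user"
"""


def run_demo(threshold=5):
    """Replay SAMPLE_LOG through a tracker and return the (ip, count) pairs that would be banned."""
    bans = []
    tracker = UnknownUserTracker(threshold=threshold,
                                 on_ban=lambda ip, n: bans.append((ip, n)))
    for line in SAMPLE_LOG.splitlines():
        tracker.feed(line)
    return bans


if __name__ == "__main__":
    for ip, n in run_demo():
        print(f"ban {ip}: {n} unknown-recipient rejections inside the window")
```

A real watcher would read the lines appended to the current SMTPD log file and pass each one to feed(). The `banned` set stops the same IP being handed to the callback again while the watcher runs; the thread's AutoBan() adds the same guard on the server side by checking SecurityRanges.ItemByName before adding a range.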
Re: How to block SMTP attacks for sending multiple mails...
Playing with the tail.vbs script from the link above ... bloody genius, and it uses virtually no resources.
Could not make it run at first, but when I added the drive and path to the file it works as intended !!
SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
Re: How to block SMTP attacks for sending multiple mails...
SorenR wrote: ↑2019-06-25 12:53
If you manage to build a script to read the SMTP log you can use the AutoBan function in the example to ban the IP address.
ves wrote: ↑2019-06-25 12:37
Thanks,
SorenR wrote: ↑2019-06-25 12:08
185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...
The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.
The COM object used for DNS lookups is made by RvdH, who also maintains the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628
And the script part looks like this:
I forgot to add that I prefer solutions that do not depend on external sources; my idea was to write a script that bans the IP after 3-5 attempts with the default rules (for me the ban duration is 3 months)
What I'm missing is how to cache a list of IPs in memory and access them via VBScript - I was thinking of writing a Windows or web service for that - but it seems too complicated
Anyway - many thanks for the script - I will use it if there is no other easy solution.
I don't know why, but for some reason the Unix tail -f keeps popping up
EDIT: Have a look at this https://stujordan.wordpress.com/2012/09 ... -vbscript/
A very good idea - thanks for the link. I will try to build it and, if it works, I will post it here.
Re: How to block SMTP attacks for sending multiple mails...
I run with 5 on my production machines
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: How to block SMTP attacks for sending multiple mails...
Probably not, as it is not an invalid command ... The user just doesn't exist.
One other thing you could do is to create a "catch-all" account. The "550 Unknown user" will go away and you will have a mailbox to use as a "HoneyTrap", with a simple script to extract the IP address and issue an AutoBan on it.

SørenR.
Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
Re: How to block SMTP attacks for sending multiple mails...
Just saw this is fixed in RvdH's builds that I use
https://github.com/hmailserver/hmailserver/issues/160
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: How to block SMTP attacks for sending multiple mails...
I just checked one of my installations - I'm on version 5.6.8 and it seems this doesn't work
mattg wrote: ↑2019-07-08 09:36
Just saw this is fixed in RvdH's builds that I use
https://github.com/hmailserver/hmailserver/issues/160

Re: How to block SMTP attacks for sending multiple mails...
Maybe this can help you out with your problem
https://www.hmailserver.com/forum/viewt ... 81#p213281
Re: How to block SMTP attacks for sending multiple mails...
Correct
I use a custom build, this is not available in the main releases
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
Re: How to block SMTP attacks for sending multiple mails...
Wow - thanks - you saved me some days - I was planning to do almost the same
Dravion wrote: ↑2019-07-10 14:13
Maybe this can help you out with your problem
https://www.hmailserver.com/forum/viewt ... 81#p213281