How to block SMTP attacks for sending multiple mails...

[ves]

Hi all,
I'm getting hit by some spammers that try to send several mails to my server to not existing mailboxes (trying to guess the right ones)

SMTPD" 7896 52740 "2019-06-25 00:58:41.666" "185.222.211.13" "SENT: 550 Unknown user"

Does someone had same situation and is there a script that can be connected to Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage) and block the sender IP (via standard hmailserver auto ban service) ?

Thanks is advance and sorry if my request is duplicated with other posts - I tried to search - but I didn't find exact answer (I found similar - but seems not working in my case) - here are the full logs for information

"SMTPD" 7884 52812 "2019-06-25 07:34:53.089" "185.222.211.13" "SENT: 220 mail.mydomain.com ESMTP"
"SMTPD" 7840 52812 "2019-06-25 07:34:54.021" "185.222.211.13" "RECEIVED: EHLO hosting-by.nstorage.org"
"SMTPD" 7840 52812 "2019-06-25 07:34:54.025" "185.222.211.13" "SENT: 250-mail.mydomain.com[nl]250-SIZE 50480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 7884 52812 "2019-06-25 07:34:54.583" "185.222.211.13" "RECEIVED: MAIL FROM:<0rw056rs1oqitd@vkd.cz>"
"SMTPD" 7884 52812 "2019-06-25 07:34:54.594" "185.222.211.13" "SENT: 250 OK"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.618" "185.222.211.13" "RECEIVED: RCPT TO:<francois@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.635" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.639" "185.222.211.13" "RECEIVED: RCPT TO:<falecom@mydomain.com>"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.652" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.656" "185.222.211.13" "RECEIVED: RCPT TO:<jana@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.669" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.672" "185.222.211.13" "RECEIVED: RCPT TO:<sven@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.681" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.683" "185.222.211.13" "RECEIVED: RCPT TO:<ar@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.691" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.693" "185.222.211.13" "RECEIVED: RCPT TO:<sabine@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.701" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.703" "185.222.211.13" "RECEIVED: RCPT TO:<martina@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.708" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.710" "185.222.211.13" "RECEIVED: RCPT TO:<eli@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.714" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.716" "185.222.211.13" "RECEIVED: RCPT TO:<dominique@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.720" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.722" "185.222.211.13" "RECEIVED: RCPT TO:<shelly@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.726" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.728" "185.222.211.13" "RECEIVED: RCPT TO:<lynne@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.733" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.734" "185.222.211.13" "RECEIVED: RCPT TO:<lea@mydomain.com>"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.739" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.740" "185.222.211.13" "RECEIVED: RCPT TO:<smtp@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.745" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.746" "185.222.211.13" "RECEIVED: RCPT TO:<123456@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.751" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.752" "185.222.211.13" "RECEIVED: RCPT TO:<parts@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.756" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.758" "185.222.211.13" "RECEIVED: RCPT TO:<dick@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.762" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.764" "185.222.211.13" "RECEIVED: RCPT TO:<florence@mydomain.com>"

[mattg]

In Protocols >> SMTP >> RFC compliance

what do you have for 'Maximum number of invalid commands'?

[SorenR]

185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...

The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.

The COM object used for DNS lookups is made by RvdH who also maintain the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628

And the script part looks like this:

Code: Select all

'
'   COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "VerySecretPassword"

Function IsSnowShoe(strIP) : IsSnowShoe = False
   Dim a, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zen.spamhaus.org")
   End With
   If (InStr(1, strLookup, "127.0.0.3", 1) > 0) Then IsSnowShoe = True
End Function

Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
   '
   '   sType can be one of the following;
   '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
   '
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   On Error Resume Next
   Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
   If Err.Number = 9 Then
      With oApp.Settings.SecurityRanges.Add
         .Name = "(" & sReason & ") " & sIPAddress
         .LowerIP = sIPAddress
         .UpperIP = sIPAddress
         .Priority = 20
         .Expires = True
         .ExpiresTime = DateAdd(sType, iDuration, Now())
         .Save
      End With
      AutoBan = True
   End If
   On Error Goto 0
   Set oApp = Nothing
End Function

Function LPad(str, length, pad)
   LPad = Left(CStr(str) & String(length, pad), length)
End Function

Sub OnClientConnect(oClient)
   '
   '   SnowShoe SPAM detection, BAN for 1 month.
   '
   If IsSnowShoe(oClient.IPAddress) Then
      EventLog.Write( LPad("SnowShoe", 15, " ") & vbTab & oClient.IPAddress )
      Call AutoBan(oClient.IPAddress, "SnowShoe", 1, "m")
      Result.Value = 1
      Exit Sub
   End If
End Sub

[ves]

In Protocols >> SMTP >> RFC compliance

what do you have for 'Maximum number of invalid commands'?

- 100
I never look here I was thinning that default is something like 5-10
What do you will recommend as value ? I'm thinking that 5 should be ok ?

[ves]

185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...

The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.

The COM object used for DNS lookups is made by RvdH who also maintain the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628

And the script part looks like this:

Thanks,
I forgot to add that I prefer solutions that are not depend from external sources, my idea was to write a script that on 3-5 attempts to ban IP with the default rules (for me ban is with duration 3 months
What I'm missing is how to cash in memory list with IP's and access them via VB script - I was thinking to write a windows or web service for that - but seems too complicated
Anyway - many thanks for the script - I will use if there is no other easy solution.

[SorenR]

185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...

The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.

The COM object used for DNS lookups is made by RvdH who also maintain the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628

And the script part looks like this:

Thanks,
I forgot to add that I prefer solutions that are not depend from external sources, my idea was to write a script that on 3-5 attempts to ban IP with the default rules (for me ban is with duration 3 months
What I'm missing is how to cash in memory list with IP's and access them via VB script - I was thinking to write a windows or web service for that - but seems too complicated
Anyway - many thanks for the script - I will use if there is no other easy solution.

If you manage to build a script to read the SMTP log you can use the AutoBan function in the example to ban the IP address.

I don't know why but for some reason the Unix tail -f keep popping up

EDIT: Have a look at this https://stujordan.wordpress.com/2012/09 ... -vbscript/

[SorenR]

Playing with the tail.vbs script from the link above ... bloody genious and uses virtually no resources.

Could not make it run at first but when I added drive and path to the file it works as intended !!

[ves]

185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...

The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.

The COM object used for DNS lookups is made by RvdH who also maintain the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628

And the script part looks like this:

Thanks,
I forgot to add that I prefer solutions that are not depend from external sources, my idea was to write a script that on 3-5 attempts to ban IP with the default rules (for me ban is with duration 3 months
What I'm missing is how to cash in memory list with IP's and access them via VB script - I was thinking to write a windows or web service for that - but seems too complicated
Anyway - many thanks for the script - I will use if there is no other easy solution.

If you manage to build a script to read the SMTP log you can use the AutoBan function in the example to ban the IP address.

I don't know why but for some reason the Unix tail -f keep popping up

EDIT: Have a look at this https://stujordan.wordpress.com/2012/09 ... -vbscript/

A very good idea - 10x for link I will try to make it and if is working - I will post it here.

[mattg]

What do you will recommend as value ? I'm thinking that 5 should be ok ?

I run with 5 on my production machines

[ves]

What do you will recommend as value ? I'm thinking that 5 should be ok ?

I run with 5 on my production machines

I changed to 5 too - but seems this does't help ?
Is it sure that 550 Unknown user is related to this option.

[SorenR]

What do you will recommend as value ? I'm thinking that 5 should be ok ?

I run with 5 on my production machines

I changed to 5 too - but seems this does't help ?
Is it sure that 550 Unknown user is related to this option.

Probably not as it is not an invalid command ... The user just don't exist.

One other thing you could do is to create a "catch-all" account. The "550 Unknown user" will go away and you will have a mailbox to use as a "HoneyTrap". A simple script to extract the IP address and issue an AutoBan on the IP address.

[mattg]

What do you will recommend as value ? I'm thinking that 5 should be ok ?

I run with 5 on my production machines

I changed to 5 too - but seems this does't help ?
Is it sure that 550 Unknown user is related to this option.

Just saw this is fixed in RvdH's builds that I use

https://github.com/hmailserver/hmailserver/issues/160

[ves]

I run with 5 on my production machines

I changed to 5 too - but seems this does't help ?
Is it sure that 550 Unknown user is related to this option.

Just saw this is fixed in RvdH's builds that I use

https://github.com/hmailserver/hmailserver/issues/160

I just checked one of my installations - I'm with version 5.6.8 and seems this doesn't work . So I will go on parsing log files and ban.

[Dravion]

Maybe this can help you out with your Problem
https://www.hmailserver.com/forum/viewt ... 81#p213281

[mattg]

I'm with version 5.6.8 and seems this doesn't work

Correct

I use a custom build, this is not available in the main releases

[ves]

Maybe this can help you out with your Problem
https://www.hmailserver.com/forum/viewt ... 81#p213281

Wow - thanks - you save me some days - I was planning to do almost the same