How to block SMTP attacks for sending multiple mails...

Forum for things that don't really have anything to do with hMailServer. Such as php.ini, beer, etc etc.
ves
New user
Posts: 7
Joined: 2017-09-09 09:18

How to block SMTP attacks for sending multiple mails...

Post by ves » 2019-06-25 09:48

Hi all,
I'm getting hit by some spammers that try to send several mails to my server to non-existing mailboxes (trying to guess the right ones)

SMTPD" 7896 52740 "2019-06-25 00:58:41.666" "185.222.211.13" "SENT: 550 Unknown user"

Has anyone had the same situation, and is there a script that can be connected to Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage) and block the sender IP (via the standard hMailServer auto-ban service)?

Thanks in advance, and sorry if my request duplicates other posts - I tried to search, but I didn't find an exact answer (I found similar ones, but they seem not to work in my case) - here are the full logs for information

"SMTPD" 7884 52812 "2019-06-25 07:34:53.089" "185.222.211.13" "SENT: 220 mail.mydomain.com ESMTP"
"SMTPD" 7840 52812 "2019-06-25 07:34:54.021" "185.222.211.13" "RECEIVED: EHLO hosting-by.nstorage.org"
"SMTPD" 7840 52812 "2019-06-25 07:34:54.025" "185.222.211.13" "SENT: 250-mail.mydomain.com[nl]250-SIZE 50480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 7884 52812 "2019-06-25 07:34:54.583" "185.222.211.13" "RECEIVED: MAIL FROM:<0rw056rs1oqitd@vkd.cz>"
"SMTPD" 7884 52812 "2019-06-25 07:34:54.594" "185.222.211.13" "SENT: 250 OK"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.618" "185.222.211.13" "RECEIVED: RCPT TO:<francois@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.635" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.639" "185.222.211.13" "RECEIVED: RCPT TO:<falecom@mydomain.com>"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.652" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.656" "185.222.211.13" "RECEIVED: RCPT TO:<jana@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.669" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.672" "185.222.211.13" "RECEIVED: RCPT TO:<sven@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.681" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.683" "185.222.211.13" "RECEIVED: RCPT TO:<ar@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.691" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.693" "185.222.211.13" "RECEIVED: RCPT TO:<sabine@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.701" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.703" "185.222.211.13" "RECEIVED: RCPT TO:<martina@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.708" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.710" "185.222.211.13" "RECEIVED: RCPT TO:<eli@mydomain.com>"
"SMTPD" 7884 52812 "2019-06-25 07:34:55.714" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.716" "185.222.211.13" "RECEIVED: RCPT TO:<dominique@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.720" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.722" "185.222.211.13" "RECEIVED: RCPT TO:<shelly@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.726" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.728" "185.222.211.13" "RECEIVED: RCPT TO:<lynne@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.733" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.734" "185.222.211.13" "RECEIVED: RCPT TO:<lea@mydomain.com>"
"SMTPD" 7856 52812 "2019-06-25 07:34:55.739" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.740" "185.222.211.13" "RECEIVED: RCPT TO:<smtp@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.745" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.746" "185.222.211.13" "RECEIVED: RCPT TO:<123456@mydomain.com>"
"SMTPD" 7840 52812 "2019-06-25 07:34:55.751" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.752" "185.222.211.13" "RECEIVED: RCPT TO:<parts@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.756" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.758" "185.222.211.13" "RECEIVED: RCPT TO:<dick@mydomain.com>"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.762" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 7868 52812 "2019-06-25 07:34:55.764" "185.222.211.13" "RECEIVED: RCPT TO:<florence@mydomain.com>"

mattg
Moderator
Posts: 20144
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: How to block SMTP attacks for sending multiple mails...

Post by mattg » 2019-06-25 11:23

In Protocols >> SMTP >> RFC compliance

what do you have for 'Maximum number of invalid commands'?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3192
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to block SMTP attacks for sending multiple mails...

Post by SorenR » 2019-06-25 12:08

185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...

The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.

The COM object used for DNS lookups is made by RvdH, who also maintains the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628

And the script part looks like this:


'
'   COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "VerySecretPassword"

Function IsSnowShoe(strIP) : IsSnowShoe = False
   Dim a, strLookup
   a = Split(strIP, ".")
   With CreateObject("DNSLibrary.DNSResolver")
      strLookup = .DNSLookup(a(3) & "." & a(2) & "." & a(1) & "." & a(0) & ".zen.spamhaus.org")
   End With
   If (InStr(1, strLookup, "127.0.0.3", 1) > 0) Then IsSnowShoe = True
End Function

Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
   '
   '   sType can be one of the following;
   '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
   '
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   On Error Resume Next
   Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
   If Err.Number = 9 Then
      With oApp.Settings.SecurityRanges.Add
         .Name = "(" & sReason & ") " & sIPAddress
         .LowerIP = sIPAddress
         .UpperIP = sIPAddress
         .Priority = 20
         .Expires = True
         .ExpiresTime = DateAdd(sType, iDuration, Now())
         .Save
      End With
      AutoBan = True
   End If
   On Error Goto 0
   Set oApp = Nothing
End Function

Function LPad(str, length, pad)
   LPad = Left(CStr(str) & String(length, pad), length)
End Function

Sub OnClientConnect(oClient)
   '
   '   SnowShoe SPAM detection, BAN for 1 month.
   '
   If IsSnowShoe(oClient.IPAddress) Then
      EventLog.Write( LPad("SnowShoe", 15, " ") & vbTab & oClient.IPAddress )
      Call AutoBan(oClient.IPAddress, "SnowShoe", 1, "m")
      Result.Value = 1
      Exit Sub
   End If
End Sub
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

ves
New user
Posts: 7
Joined: 2017-09-09 09:18

Re: How to block SMTP attacks for sending multiple mails...

Post by ves » 2019-06-25 12:31

mattg wrote:
2019-06-25 11:23
In Protocols >> SMTP >> RFC compliance

what do you have for 'Maximum number of invalid commands'?
:( - 100
I never look here :( I was thinking that the default is something like 5-10
What value would you recommend? I'm thinking that 5 should be OK?

ves
New user
Posts: 7
Joined: 2017-09-09 09:18

Re: How to block SMTP attacks for sending multiple mails...

Post by ves » 2019-06-25 12:37

SorenR wrote:
2019-06-25 12:08
185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...

The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.

The COM object used for DNS lookups is made by RvdH, who also maintains the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628

And the script part looks like this:
Thanks,
I forgot to add that I prefer solutions that don't depend on external sources; my idea was to write a script that bans the IP after 3-5 attempts using the default rules (for me a ban lasts 3 months :-)
What I'm missing is how to cache an in-memory list of IPs and access it via VBScript - I was thinking of writing a Windows or web service for that - but it seems too complicated :-)
Anyway - many thanks for the script - I will use it if there is no other easy solution.

SorenR
Senior user
Posts: 3192
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to block SMTP attacks for sending multiple mails...

Post by SorenR » 2019-06-25 12:53

ves wrote:
2019-06-25 12:37
SorenR wrote:
2019-06-25 12:08
185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...

The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.

The COM object used for DNS lookups is made by RvdH, who also maintains the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628

And the script part looks like this:
Thanks,
I forgot to add that I prefer solutions that don't depend on external sources; my idea was to write a script that bans the IP after 3-5 attempts using the default rules (for me a ban lasts 3 months :-)
What I'm missing is how to cache an in-memory list of IPs and access it via VBScript - I was thinking of writing a Windows or web service for that - but it seems too complicated :-)
Anyway - many thanks for the script - I will use it if there is no other easy solution.
If you manage to build a script to read the SMTP log you can use the AutoBan function in the example to ban the IP address.

I don't know why, but for some reason the Unix tail -f keeps popping up ;-)

EDIT: Have a look at this https://stujordan.wordpress.com/2012/09 ... -vbscript/
SørenR.

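A log-reading counter in the spirit of the idea above (ban after a handful of failed RCPT attempts), as an added example that is not from the thread and not hMailServer's own code: it parses SMTPD lines in the format posted earlier and reports client IPs that collect five "550 Unknown user" replies within ten minutes, which is what you would hand to an AutoBan-style function. The sample log lines, the threshold and the window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# hMailServer SMTPD log line, as posted above:
# "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "<message>"
LINE_RE = re.compile(r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+'
                     r'"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"$')
REJECT = "SENT: 550 Unknown user"

def parse_line(line):
    """Return (timestamp, session, ip, message), or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return ts, m["session"], m["ip"], m["msg"]

def offenders(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak count} for clients that collected at least `threshold`
    "550 Unknown user" replies inside any `window`-long span. Events older than
    the window drop out of the per-IP queue, so a few mistyped addresses spread
    over a day never reach the threshold."""
    recent = defaultdict(deque)
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[3] != REJECT:
            continue
        ts, _session, ip, _msg = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # age out rejections outside the window
            q.popleft()
        if len(q) >= threshold:
            hits[ip] = max(hits.get(ip, 0), len(q))
    return hits

def _line(ts, ip, msg, session="52812"):
    """Build one constructed log line in the posted format (sample data only)."""
    return f'"SMTPD" 7868 {session} "{ts}" "{ip}" "{msg}"'

# Constructed sample: one client probes six mailboxes within a second (should be
# banned); another gets one rejection per hour (window keeps it below threshold).
SAMPLE = [_line("2019-06-25 07:34:55.600", "203.0.113.7", "RECEIVED: RCPT TO:<a@example.com>")]
SAMPLE += [_line(f"2019-06-25 07:34:55.{610 + i:03d}", "203.0.113.7", REJECT) for i in range(6)]
SAMPLE += [_line(f"2019-06-25 {8 + i:02d}:00:00.000", "198.51.100.9", REJECT, "6000")
           for i in range(5)]
```

Feed `offenders()` the lines a tail-style reader hands you and pass each returned IP to an AutoBan-style routine; RECEIVED lines and anything that is not a 550 reply are ignored by design.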

SorenR
Senior user
Posts: 3192
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to block SMTP attacks for sending multiple mails...

Post by SorenR » 2019-06-25 13:24

Playing with the tail.vbs script from the link above ... bloody genius and uses virtually no resources.

Could not make it run at first but when I added drive and path to the file it works as intended !!
SørenR.


ves
New user
Posts: 7
Joined: 2017-09-09 09:18

Re: How to block SMTP attacks for sending multiple mails...

Post by ves » 2019-06-25 19:29

SorenR wrote:
2019-06-25 12:53
ves wrote:
2019-06-25 12:37
SorenR wrote:
2019-06-25 12:08
185.222.211.13 is on the SpamHaus SnowShoe SPAM list (https://www.spamhaus.org/faq/section/Glossary#233) so may I suggest this to begin with...

The script below may not catch all of them but it's a start and something we can build on. The script is a subset of my own Eventhandler script.

The COM object used for DNS lookups is made by RvdH, who also maintains the hMailServer code with extended Event triggers: https://www.hmailserver.com/forum/viewt ... 28#p196628

And the script part looks like this:
Thanks,
I forgot to add that I prefer solutions that don't depend on external sources; my idea was to write a script that bans the IP after 3-5 attempts using the default rules (for me a ban lasts 3 months :-)
What I'm missing is how to cache an in-memory list of IPs and access it via VBScript - I was thinking of writing a Windows or web service for that - but it seems too complicated :-)
Anyway - many thanks for the script - I will use it if there is no other easy solution.
If you manage to build a script to read the SMTP log you can use the AutoBan function in the example to ban the IP address.

I don't know why, but for some reason the Unix tail -f keeps popping up ;-)

EDIT: Have a look at this https://stujordan.wordpress.com/2012/09 ... -vbscript/

A very good idea - thanks for the link. I will try to make it, and if it is working I will post it here.

mattg
Moderator
Posts: 20144
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: How to block SMTP attacks for sending multiple mails...

Post by mattg » 2019-06-26 01:01

ves wrote:
2019-06-25 12:31
What value would you recommend? I'm thinking that 5 should be OK?
I run with 5 on my production machines

ves
New user
Posts: 7
Joined: 2017-09-09 09:18

Re: How to block SMTP attacks for sending multiple mails...

Post by ves » 2019-07-01 13:14

mattg wrote:
2019-06-26 01:01
ves wrote:
2019-06-25 12:31
What value would you recommend? I'm thinking that 5 should be OK?
I run with 5 on my production machines
I changed it to 5 too - but it seems this doesn't help :( ?
Is it certain that 550 Unknown user is related to this option?

SorenR
Senior user
Posts: 3192
Joined: 2006-08-21 15:38
Location: Denmark

Re: How to block SMTP attacks for sending multiple mails...

Post by SorenR » 2019-07-01 13:28

ves wrote:
2019-07-01 13:14
mattg wrote:
2019-06-26 01:01
ves wrote:
2019-06-25 12:31
What value would you recommend? I'm thinking that 5 should be OK?
I run with 5 on my production machines
I changed it to 5 too - but it seems this doesn't help :( ?
Is it certain that 550 Unknown user is related to this option?
Probably not, as it is not an invalid command ... The user just doesn't exist.

One other thing you could do is to create a "catch-all" account. The "550 Unknown user" will go away and you will have a mailbox to use as a "HoneyTrap". A simple script to extract the IP address and issue an AutoBan on the IP address. :mrgreen:
SørenR.


mattg
Moderator
Posts: 20144
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: How to block SMTP attacks for sending multiple mails...

Post by mattg » 2019-07-08 09:36

ves wrote:
2019-07-01 13:14
mattg wrote:
2019-06-26 01:01
ves wrote:
2019-06-25 12:31
What value would you recommend? I'm thinking that 5 should be OK?
I run with 5 on my production machines
I changed it to 5 too - but it seems this doesn't help :( ?
Is it certain that 550 Unknown user is related to this option?
Just saw this is fixed in RvdH's builds that I use

https://github.com/hmailserver/hmailserver/issues/160

ves
New user
Posts: 7
Joined: 2017-09-09 09:18

Re: How to block SMTP attacks for sending multiple mails...

Post by ves » 2019-07-10 13:42

mattg wrote:
2019-07-08 09:36
ves wrote:
2019-07-01 13:14
mattg wrote:
2019-06-26 01:01

I run with 5 on my production machines
I changed it to 5 too - but it seems this doesn't help :( ?
Is it certain that 550 Unknown user is related to this option?
Just saw this is fixed in RvdH's builds that I use

https://github.com/hmailserver/hmailserver/issues/160
I just checked one of my installations - I'm on version 5.6.8 and it seems this doesn't work :(. So I will go on parsing log files and banning.

Dravion
Senior user
Posts: 1435
Joined: 2015-09-26 11:50
Location: Germany

Re: How to block SMTP attacks for sending multiple mails...

Post by Dravion » 2019-07-10 14:13

Maybe this can help you out with your problem
https://www.hmailserver.com/forum/viewt ... 81#p213281

mattg
Moderator
Posts: 20144
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: How to block SMTP attacks for sending multiple mails...

Post by mattg » 2019-07-10 14:55

ves wrote:
2019-07-10 13:42
I'm with version 5.6.8 and seems this doesn't work
Correct

I use a custom build, this is not available in the main releases

ves
New user
Posts: 7
Joined: 2017-09-09 09:18

Re: How to block SMTP attacks for sending multiple mails...

Post by ves » 2019-07-11 07:40

Dravion wrote:
2019-07-10 14:13
Maybe this can help you out with your problem
https://www.hmailserver.com/forum/viewt ... 81#p213281
Wow - thanks - you saved me some days - I was planning to do almost the same
