Stop intruder

Post by PeterChan » 2019-06-20 16:00

Hi,
It is currently bad to find out that other people were making use of my domain to send out messages like

2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru lucas@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru beth@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru dean@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru victoria@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0
2019-06-20 17:03:17 3n899f3lvn2en@artist-oil.ru alexandra@a.co 185.222.211.13 127.0.0.1 SMTP ? 550 0

Such user accounts never appeared within my AD. How do I stop this? I already created a proper SPF record on the domain (and Namecheap.com confirmed to me that the SPF record was working fine), but the intruder was still working on my domain!

Post by mattg » 2019-06-20 16:02

They are all 550 rejections

No mail being sent there

(Do you have other logging options enabled other than AWStats? AWStats logs aren't really good for troubleshooting)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by PeterChan » 2019-06-21 03:50

Thanks. All 550 events are rejections, right?
"DEBUG" 3812 "2019-06-21 08:35:23.921" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.921" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "185.222.211.13" "RECEIVED: RCPT TO:<cheryl@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.937" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "RECEIVED: RCPT TO:<fernanda@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.952" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "RECEIVED: RCPT TO:<luis@a.co>"
"DEBUG" 3796 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3796 36 "2019-06-21 08:35:23.968" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.968" "185.222.211.13" "RECEIVED: RCPT TO:<will@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.968" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "RECEIVED: RCPT TO:<carl@a.co>"
"DEBUG" 3812 "2019-06-21 08:35:23.984" "AWStats::LogDeliveryFailure"
Do you mean to enable other log?

Post by mattg » 2019-06-21 06:04

yes all 550 are rejections

SMTP + debug is OK to troubleshoot later
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by PeterChan » 2019-06-21 06:12

Can you tell me meaning of "RECEIVED: RCPT TO:<offers@a.co>", to the below?
"DEBUG" 3772 "2019-06-21 11:42:57.870" "AWStats::LogDeliveryFailure"
"SMTPD" 3772 41 "2019-06-21 11:42:57.870" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 41 "2019-06-21 11:42:57.870" "185.222.211.13" "RECEIVED: RCPT TO:<offers@a.co>"

Post by mattg » 2019-06-21 08:07

Sure

Your SMTP Daemon (incoming SMTP connection) @ time '2019-06-21 11:42:57.870' received an instruction from IP '185.222.211.13'

The instruction as received was 'RCPT TO:<offers@a.co>'

This is saying that we would like to send our email to 'offers@a.co'

Your server responds with SENT at the next line (next line down - not shown) that says '550 Unknown User'
This means your mail is rejected as we don't have a mailbox by that name to receive your message
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by PeterChan » 2019-06-21 08:30

Thanks a lot!
It means IP 185.222.211.13 is repeatedly annoying my server, by giving "rubbish" commands, right?

Post by mattg » 2019-06-21 11:03

yes

autoban, with a maximum number of bad commands being set would block those

run this and post the results >> viewtopic.php?f=20&t=30914
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
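
The pattern discussed above (one IP sending many RCPT TO commands that each get "550 Unknown user") can be confirmed offline from the log. The following is an added example, not code from the thread or from hMailServer; the threshold, the time window, the function names and the two 192.0.2.10 lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of the SMTPD lines quoted in this thread:
# "SMTPD" <thread> <session> "<timestamp>" "<remote IP>" "<message>"
SMTPD_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+(?P<session>\d+)\s+"(?P<ts>[^"]+)"\s+'
    r'"(?P<ip>[^"]+)"\s+"(?P<msg>.*)"$'
)
RCPT_RE = re.compile(r"^RECEIVED: RCPT TO:\s*<(?P<rcpt>[^>]*)>", re.IGNORECASE)
REJECT_PREFIX = "SENT: 550 Unknown user"

# Lines for 185.222.211.13 are copied from the thread.
# The two 192.0.2.10 lines are constructed: a sender with a single typo.
SAMPLE_LOG = '''
"DEBUG" 3812 "2019-06-21 08:35:23.921" "AWStats::LogDeliveryFailure"
"SMTPD" 3812 36 "2019-06-21 08:35:23.921" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.921" "185.222.211.13" "RECEIVED: RCPT TO:<cheryl@a.co>"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.937" "185.222.211.13" "RECEIVED: RCPT TO:<fernanda@a.co>"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3796 36 "2019-06-21 08:35:23.952" "185.222.211.13" "RECEIVED: RCPT TO:<luis@a.co>"
"SMTPD" 3796 36 "2019-06-21 08:35:23.968" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.968" "185.222.211.13" "RECEIVED: RCPT TO:<will@a.co>"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "SENT: 550 Unknown user"
"SMTPD" 3812 36 "2019-06-21 08:35:23.984" "185.222.211.13" "RECEIVED: RCPT TO:<carl@a.co>"
"SMTPD" 3800 37 "2019-06-21 08:36:10.100" "192.0.2.10" "RECEIVED: RCPT TO:<typo@a.co>"
"SMTPD" 3800 37 "2019-06-21 08:36:10.115" "192.0.2.10" "SENT: 550 Unknown user"
'''


def parse_smtpd(line):
    """Return a dict for an SMTPD log line, or None for any other line type."""
    m = SMTPD_RE.match(line.strip())
    if m is None:
        return None
    return {
        "session": int(m["session"]),
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
        "ip": m["ip"],
        "msg": m["msg"],
    }


def find_harvesters(lines, max_unknown=3, window_seconds=60):
    """Flag IPs with >= max_unknown 'Unknown user' rejections inside the window.

    Rejections and RCPT TO lines are counted independently because, as the
    thread's log shows, worker threads can write them out of order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)    # ip -> timestamps of rejections in window
    peak = defaultdict(int)        # ip -> most rejections seen in one window
    recipients = defaultdict(set)  # ip -> addresses it asked about

    for line in lines:
        rec = parse_smtpd(line)
        if rec is None:
            continue
        ip, msg = rec["ip"], rec["msg"]
        rcpt = RCPT_RE.match(msg)
        if rcpt:
            recipients[ip].add(rcpt["rcpt"].lower())
        elif msg.startswith(REJECT_PREFIX):
            q = recent[ip]
            q.append(rec["ts"])
            while rec["ts"] - q[0] > window:
                q.popleft()
            peak[ip] = max(peak[ip], len(q))

    return {
        ip: {"unknown_user": n, "recipients": sorted(recipients[ip])}
        for ip, n in peak.items()
        if n >= max_unknown
    }


if __name__ == "__main__":
    for ip, info in find_harvesters(SAMPLE_LOG.splitlines()).items():
        print(ip, info["unknown_user"], "rejections:", ", ".join(info["recipients"]))
```
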

Post by PeterChan » 2019-06-21 11:17

Thanks a lot!
What is the purpose of the relevant party, who ridiculously are repeatedly running jobs for doing such "BAD" routines? Does it mean they're trying to steal any "potential" resources for doing their jobs?

Post by mattg » 2019-06-22 01:13

That's just what SPAMmers do.

Not quite as bad as those who actively try to hack systems, or bring down systems by over abuse (DOS attacks and DDOS attacks), but yes certainly still a huge waste of resources.

I reckon that I spend far more time fighting spam and blocking attacks than anything else admin related on my servers. There are some sophisticated attackers out there, and most of those are just looking for a server that they can exploit to send out SPAM, or to steal email credentials so that they can scam users.

I'm sure that there are some who beat my attempts at blocking them.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by PeterChan » 2019-06-22 02:12

Mattg,
Thanks a lot!
How would it be easy to totally block their try from "checking/validating (or attempting to steal)" against the server? Did you ever succeed in doing this?

Post by mattg » 2019-06-22 06:50

PeterChan wrote:
2019-06-22 02:12
Did you ever succeed in doing this?

no

I just keep fine tuning my systems
It is hard to allow genuine users through, but only block malicious users.

Some things that I do
- not allow PORT 25 AUTH at all
- Force all connections to use ONLY TLSv1.2 when the connection is secured
- Force all connections that AUTH to be secure
- drop and ban all IMAP and POP3 connections that don't originate in Australia (my server is in Australia)
- ban all high spam score IPs
- ban all IPs that 'look' like they are scamming / hacking / trying stuff

and more
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by palinka » 2019-06-22 11:32

mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs

That's an interesting one i hadn't considered before.

Post by PeterChan » 2019-06-22 13:32

Mattg,
Thanks a lot!
How to force all connections to ONLY use TLSv1.2 when the connection is secured?

Post by SorenR » 2019-06-22 13:54

palinka wrote:
2019-06-22 11:32
mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.

SpamAssassin is like our children, you have to teach it what is good and what is bad. If you only teach it what is good you'll end up with a Bayesian database like our current generation of young people - completely unable to deal with "bad", who gets offended by anyone and anything, converts civil disobedience to hashtags and shitstorms and who believe pretty much anything that is written on the Internet to be true.

PS. You being an American. Were you aware that statistically all "Great Presidents" in the USA started a war?
Perhaps you should listen to your wife and get out before you are drafted. :wink: Despite what you hear in the news, "Socialist" Europe is a pretty solid place to live. We all drive Audi, Mercedes and BMW and use Huawei phones as they are superior. :mrgreen:
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

Post by palinka » 2019-06-22 14:23

SorenR wrote:
2019-06-22 13:54
Perhaps you should listen to your wife and get out before you are drafted. :wink:

1) I'm too old to be drafted
2) I already volunteered and served in the United States Marines
3) The next war won't be between countries, it will be within countries and the draft won't matter - you'll be drafted by survival
4) I always listen to my wife because she's really intelligent and perceptive (and beautiful - I'm a lucky guy to have that combination) :D
5) off topic
6) my firewall ban is coming along nicely. I have some pretty good changes i hope to push out today if i can find time between mountain biking with my son and relaxing in the pool. :mrgreen:
7) ^^ still off topic :lol:

Post by palinka » 2019-06-22 14:30

palinka wrote:
2019-06-22 11:32
mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.

I just realized that could be interpreted as sarcastic when it's not meant to be. What i meant was i never considered banning ips based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permanent/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.

Post by SorenR » 2019-06-22 17:38

palinka wrote:
2019-06-22 14:30
palinka wrote:
2019-06-22 11:32
mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.
I just realized that could be interpreted as sarcastic when it's not meant to be. What i meant was i never considered banning ips based on SA scores insofar as "ban" means not reject or redirect a message, but rather send to autoban or firewall ban or some other permanent/semi-permanent means of preventing connection. There could be lots of false positives because spam also gets sent from legitimate, high reputation servers.

Can I just say on behalf of myself and my generation (60+) of Danish IT geeks and Motorheads (US version ;-) ), you made a short and to the point observation. What's to be offended about that?
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

Post by palinka » 2019-06-22 17:53

SorenR wrote:
2019-06-22 17:38
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.

Ace of spades :mrgreen:

Post by jimimaseye » 2019-06-22 18:02

SorenR wrote:
2019-06-22 17:38
Noun. motorhead (plural motorheads) (US, Canada, slang) A car enthusiast. (Britain, slang) A heavy user of amphetamines.

Trippy!! 🕺👽🤯
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by mattg » 2019-06-23 00:18

palinka wrote:
2019-06-22 17:53
Ace of spades :mrgreen:

Yep, I'm going with the rock band too
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by mattg » 2019-06-23 02:31

palinka wrote:
2019-06-22 11:32
mattg wrote:
2019-06-22 06:50
- ban all high spam score IPs
That's an interesting one i hadn't considered before.

In an effort to stop some backscatter, I accept all spam, without rejection.

If the spamscore is high, I ban the IP and delete the message
If the spamscore is medium (in the range where it might be SPAM or might be HAM from a poorly managed server), I send it to a spam@ account for review

I have seen SPAM score up to 199 on my system
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by PeterChan » 2019-06-23 12:04

Good day Mattg,
How to ban one IP from "approaching" our server?

Post by palinka » 2019-06-23 12:44

PeterChan wrote:
2019-06-23 12:04
Good day Mattg,
How to ban one IP from "approaching" our server?

One method - Firewall Ban :mrgreen:

Warning - still in alpha stage. Pretty close to beta.

Post by mattg » 2019-06-24 00:56

Or ban at the edge of your network with a firewall appliance or in your modem / router
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by PeterChan » 2019-06-24 12:09

On below URL

http://hmailserver.com/forum/viewtopic.php?f=9&t=34082

it is done for MYSQL database. Does it mean we can re-write it for MSSQL, right?

Post by palinka » 2019-06-24 12:31

PeterChan wrote:
2019-06-24 12:09
On below URL

http://hmailserver.com/forum/viewtopic.php?f=9&t=34082

it is done for MYSQL database. Does it mean we can re-write it for MSSQL, right?

Yes. But i couldn't say how much work that would be. For the basic stuff - meaning the powershell script and EventHandlers.vbs - it would be pretty easy, but there are so many database calls in the webadmin that it could be a lot of work to untangle. Or maybe it works right out of the box. I literally have no idea. I only know that i can't and won't be doing it.

Post by PeterChan » 2019-06-27 03:46

Hi,
I want to know what it does do, per below log details?
"DEBUG" 3820 "2019-06-27 09:07:47.898" "Creating session 397"
"TCPIP" 3820 "2019-06-27 09:07:47.906" "TCP - 3.94.116.70 connected to 113.255.213.124:25."
"DEBUG" 3820 "2019-06-27 09:07:47.914" "TCP connection started for session 396"
"SMTPD" 3820 396 "2019-06-27 09:07:47.917" "3.94.116.70" "SENT: 220 WIN-APIUFD1NJEU ESMTP"
"SMTPD" 3784 396 "2019-06-27 09:07:48.212" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3784 396 "2019-06-27 09:07:48.215" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 3800 396 "2019-06-27 09:07:48.478" "3.94.116.70" "RECEIVED: STARTTLS"
"SMTPD" 3800 396 "2019-06-27 09:07:48.482" "3.94.116.70" "SENT: 220 Ready to start TLS"
"DEBUG" 3784 "2019-06-27 09:07:48.487" "Performing SSL/TLS handshake for session 396. Verify certificate: False"
"TCPIP" 3820 "2019-06-27 09:07:49.030" "TCPConnection - TLS/SSL handshake completed. Session Id: 396, Remote IP: 3.94.116.70, Version: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384, Bits: 256"
"SMTPD" 3820 396 "2019-06-27 09:07:49.371" "3.94.116.70" "RECEIVED: EHLO scanner.sslsonar.org"
"SMTPD" 3820 396 "2019-06-27 09:07:49.375" "3.94.116.70" "SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"DEBUG" 3784 "2019-06-27 09:07:59.629" "The read operation failed. Bytes transferred: 0 Remote IP: 3.94.116.70, Session: 396, Code: 335544539, Message: short read"
"DEBUG" 3784 "2019-06-27 09:07:59.634" "Ending session 396"

Post by mattg » 2019-06-27 13:13

That looks to me like a system that checks your Security, and doesn't send mail

The OTHER server seems to have dropped the connection
And the name of the other server makes me think it is scanning ssl certificates
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by SorenR » 2019-06-27 16:56

My thoughts too. I had a similar visit by shodan.io ... Interesting search engine :mrgreen:

https://www.shodan.io/search?query=hmailserver
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

Post by mattg » 2019-06-28 05:14

WOW

We asked Martin to take the name hmailserver out of the SMTP greeting some 10 years back I reckon.
Anyone still showing that is on a really old version

Seems like a security risk to me, but seeing the number of recent results it's clear that hmailserver just keeps working
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post by palinka » 2019-06-28 12:09

Takes a lickin' and keeps on tickin'..

Sheesh... hmailserver is probably the most stable software written for windows EVER.

Post by SorenR » 2019-10-03 14:19

Well... This is one way to stop the intruder... :wink: The Russian IL-20M (COOT-A) "just cruising around" :roll:

Danish F-16 is besides being a member of the strategic air defense also a member of the national air defense show group. Thus it is showing its true colours :mrgreen:

Picture is dated October 1'st 2019 and is from the outer limits of the Danish airspace. The F-16 is pretty but dangerous - the stingers are live and the message is clear; "Go home or go down in flames!"
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

Post by palinka » 2019-10-03 14:24

SorenR wrote:
2019-10-03 14:19
The F-16 is pretty but dangerous - the stingers are live and the message is clear; "Go home or ...."

We'll board you and pillage you! Hey, we're Vikings after all! :mrgreen:

Post by jim.bus » 2019-10-04 13:49

I've been seeing the types of attacks PeterChan is getting too.

The first set of Log Entries where the IP Address was just sending RCPT TO commands, I figured the IP Address was just trying to see if it could get a hit on an Email ID being found on your Server. Once that Email ID came back as a successful hit then the IP Address could try guessing the Password then Log On to that Email Account. I was told by one of the regulars here that it probably was a bot and would probably stop. It did after some days finally stop. It kept sending these connections about every minute.

The scanner.sslsonar.org set of Log Entries I saw in my Logs a couple of days ago, too.

Not too long ago, I saw a website that apparently periodically does Port Scans. The Port Scanner was MASSCAN. I just banned the IP Address permanently.
If you think you understand quantum mechanics, you don't understand quantum mechanics.

Post by jim.bus » 2019-10-04 13:58

palinka wrote:
2019-06-22 14:23
SorenR wrote:
2019-06-22 13:54
Perhaps you should listen to your wife and get out before you are drafted. :wink:
1) I'm too old to be drafted
2) I already volunteered and served in the United States Marines
3) The next war won't be between countries, it will be within countries and the draft won't matter - you'll be drafted by survival
4) I always listen to my wife because she's really intelligent and perceptive (and beautiful - I'm a lucky guy to have that combination) :D
5) off topic
6) my firewall ban is coming along nicely. I have some pretty good changes i hope to push out today if i can find time between mountain biking with my son and relaxing in the pool. :mrgreen:
7) ^^ still off topic :lol:

Hey, I kinda thought you must be located somewhere near my Time Zone as your Time Stamps on your Forum Postings were all somewhat near my own Local Time. So my guess was right you were US.

When I found junkemailfilter.com for MX Backup Email Service, I was a bit surprised they were located about 30-45 minute drive from me not to mention ASUS US Corporate Office is located in the same vicinity too. When I needed to have warranty work done on my ASUS Router, instead of sending it to the support center in I believe it was Jefferson Indiana, I had heard one of the Support people refer to the Engineer at ASUS by his first name. So I called up their office here asked for him by his first name and told them he worked with the Routers and they put me right through to him and he said they readily accepted the stuff from us Locals there so I took it there and got faster service with less hassles.

By the way I'm always telling people that hMailServer is my best application as it never crashes and I've been using it for around 8 years.
If you think you understand quantum mechanics, you don't understand quantum mechanics.

Post by palinka » 2019-10-04 14:05

Oh it crashes. You just have to find a way to force it. :mrgreen:

Post by jim.bus » 2019-10-04 14:19

palinka wrote:
2019-10-04 14:05
Oh it crashes. You just have to find a way to force it. :mrgreen:

I know a way to make it fail but I don't think it crashes. You can make it not work by Restoring your Backed up settings and not restarting hMailServer first but I don't think it crashes. I figure you can make it crash but I never do anything sophisticated enough that would make it crash which I figure I would probably have to do some Custom Scripts to make it crash and the only thing I have done is to modify the Backup Script to put my Password into it so not much chance of crashing hMailServer.
If you think you understand quantum mechanics, you don't understand quantum mechanics.

Post by SorenR » 2019-10-04 14:22

jim.bus wrote:
2019-10-04 13:49
I've been seeing the types of attacks PeterChan is getting too.

The first set of Log Entries where the IP Address was just sending RCPT TO commands, I figured the IP Address was just trying to see if it could get a hit on an Email ID being found on your Server. Once that Email ID came back as a successful hit then the IP Address could try guessing the Password then Log On to that Email Account. I was told by one of the regulars here that it probably was a bot and would probably stop. It did after some days finally stop. It kept sending these connections about every minute.

The scanner.sslsonar.org set of Log Entries I saw in my Logs a couple of days ago, too.

Not too long ago, I saw a website that apparently periodically does Port Scans. The Port Scanner was MASSCAN. I just banned the IP Address permanently.

Somewhere buried in these forums you can find my IDS script code ... 3 connects without actually sending mail will put the IP address on my blocklist - No mercy :mrgreen:

1- IPaddress is registered in database during OnClientConnect (SMTP ports only). Counter is incremented if exists.
2- IPAddress is unregistered in database during OnAcceptMessage.

3- External "handler" scan database every minute for high counters and add IPaddress to blocklist.

Does not affect performance of hMailServer, will only use CPU cycles.
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.
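
The three steps listed in the post above (count on connect, clear on accepted message, periodic sweep into a blocklist), sketched as an added example. It is not SorenR's script: it uses Python with an in-memory SQLite table as a stand-in for the database and parameterized statements throughout. The threshold of 3 comes from the post; the 180-minute expiry of quiet rows, the function and table names, and the sample IPs are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

SMTP_PORTS = {25, 587, 465}   # step 1 only watches SMTP ports
MAX_HITS = 3                  # "3 connects without actually sending mail"
EXPIRE_MINUTES = 180          # assumption: forget IPs that have been quiet this long
T0 = datetime(2019, 10, 4, 14, 0, 0)   # constructed start time for the demo


def stamp(when):
    """Fixed-width timestamp so string comparison matches time order."""
    return when.strftime("%Y-%m-%d %H:%M:%S")


def open_ids_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE ids (ipaddress TEXT PRIMARY KEY, last_seen TEXT NOT NULL,"
        " port INTEGER, hits INTEGER NOT NULL)"
    )
    return db


def on_client_connect(db, ip, port, now):
    """Step 1: register the IP, or increment its counter if it already exists."""
    if port not in SMTP_PORTS:
        return
    cur = db.execute(
        "UPDATE ids SET hits = hits + 1, last_seen = ?, port = ? WHERE ipaddress = ?",
        (stamp(now), port, ip),
    )
    if cur.rowcount == 0:
        db.execute(
            "INSERT INTO ids (ipaddress, last_seen, port, hits) VALUES (?, ?, ?, 1)",
            (ip, stamp(now), port),
        )


def on_accept_message(db, ip):
    """Step 2: a delivered message clears the IP's record."""
    db.execute("DELETE FROM ids WHERE ipaddress = ?", (ip,))


def sweep(db, now, blocklist):
    """Step 3: expire quiet rows, then blocklist IPs at or over the threshold.

    Returns the IPs added to the blocklist by this sweep.
    """
    cutoff = stamp(now - timedelta(minutes=EXPIRE_MINUTES))
    db.execute("DELETE FROM ids WHERE last_seen < ?", (cutoff,))
    rows = db.execute(
        "SELECT ipaddress FROM ids WHERE hits >= ? ORDER BY ipaddress", (MAX_HITS,)
    ).fetchall()
    newly = [ip for (ip,) in rows if ip not in blocklist]
    blocklist.update(newly)
    return newly


def run_demo():
    """Replay constructed events and return (first sweep, later sweep, blocklist)."""
    db, blocklist = open_ids_db(), set()
    events = [  # (minute offset, kind, ip, port) -- all constructed
        (0, "connect", "198.51.100.7", 25),    # connects three times, never delivers
        (0, "connect", "203.0.113.20", 587),   # real sender: connects twice...
        (1, "connect", "198.51.100.7", 25),
        (1, "connect", "203.0.113.20", 587),
        (1, "accept", "203.0.113.20", None),   # ...then delivers, counter cleared
        (1, "connect", "192.0.2.55", 143),     # IMAP port, not tracked
        (2, "connect", "198.51.100.7", 25),
        (2, "connect", "203.0.113.99", 25),    # one idle connect, under threshold
    ]
    for minute, kind, ip, port in events:
        if kind == "connect":
            on_client_connect(db, ip, port, T0 + timedelta(minutes=minute))
        else:
            on_accept_message(db, ip)
    first = sweep(db, T0 + timedelta(minutes=3), blocklist)
    later = sweep(db, T0 + timedelta(minutes=400), blocklist)
    return first, later, sorted(blocklist)


if __name__ == "__main__":
    print(run_demo())
```
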

Post by palinka » 2019-10-04 15:14

SorenR wrote:
2019-10-04 14:22
3 connects without actually sending mail will put the IP address on my blocklist - No mercy :mrgreen:

...

Does not affect performance of hMailServer, will only use CPU cycles.

You allow 2 unencumbered? I would call that extremely merciful. Your ancestors would never have allowed 2 attempts. In fact, after the first, they would have found the offending server, burned the entire village down and stolen their cattle. You are a peaceful man. :lol:

Also, I agree that loading up autoban entries has no effect on performance - except for one thing: viewing IP ranges takes several seconds to load with a few thousand entries. Worse on phpadmin since they're presented in a single list without paging.

Come to think of it, merging your IDS into my firewall ban sounds like a really good idea. I will do that this weekend.

Post by SorenR » 2019-10-04 17:24

palinka wrote:
2019-10-04 15:14
SorenR wrote:
2019-10-04 14:22
3 connects without actually sending mail will put the IP address on my blocklist - No mercy :mrgreen:

...

Does not affect performance of hMailServer, will only use CPU cycles.
You allow 2 unencumbered? I would call that extremely merciful. Your ancestors would never have allowed 2 attempts. In fact, after the first, they would have found the offending server, burned the entire village down and stolen their cattle. You are a peaceful man. :lol:

Also, I agree that loading up autoban entries has no effect on performance - except for one thing: viewing IP ranges takes several seconds to load with a few thousand entries. Worse on phpadmin since they're presented in a single list without paging.

Come to think of it, merging your IDS into my firewall ban sounds like a really good idea. I will do that this weekend.

When things go wild here I have maybe 150 entries in my autoban list, more than that and you deffo need to sweet talk your firewall.

I also use the 20 sec delay during SMTP conversations I sometimes see connections break but that's due to senders misconfiguration and having a short temper ;-) 2'nd time (for some reason) it usually works OR they go direct for my Backup-MX ... :roll:

Anyways, here's something to get you going. I presume you don't need the handler.vbs if you already have something that reads the database...

Eventhandlers.vbs

'******************************************************************************************************************************
'********** hMailServer IDS Client Code (MySQL)                                                                      **********
'******************************************************************************************************************************
'
'   Global Constants
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "VeRySeCrEtPaSsWoRd"
Private Const idsTable = "hm_ids"
Private Const idsHits = 2
Private Const idsMinutes = 180
'
'   hm_ids      CREATE TABLE hm_ids (
'                 idsid     int(11)      NOT NULL AUTO_INCREMENT,
'                 timestamp datetime     DEFAULT NULL,
'                 ipaddress varchar(192) NOT NULL,
'                 port      int(11)      DEFAULT NULL,
'                 hits      int(11)      DEFAULT NULL,
'                 PRIMARY KEY (idsid),
'                 UNIQUE KEY idsid (idsid),
'                 UNIQUE KEY ipaddress (ipaddress)
'               ) ENGINE=InnoDB DEFAULT CHARSET=latin1
'
Function idsAddIP(sIPAddress, iPort)
    Dim strSQL, oDB : Set oDB = GetDatabaseObject
    strSQL = "INSERT INTO " & idsTable & " (timestamp,ipaddress,port,hits) VALUES (NOW(),'" & sIPAddress & "'," & iPort & ",1) ON DUPLICATE KEY UPDATE hits=(hits+1),timestamp=NOW();"
    Call oDB.ExecuteSQL(strSQL)
    Set oDB = Nothing
End Function

Function idsDelIP(sIPAddress)
    Dim strSQL, oDB : Set oDB = GetDatabaseObject
    strSQL = "DELETE FROM " & idsTable & " WHERE ipaddress = '" & sIPAddress & "';"
    Call oDB.ExecuteSQL(strSQL)
    Set oDB = Nothing
End Function

Function GetDatabaseObject()
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    Set GetDatabaseObject = oApp.Database
    Set oApp = Nothing
End Function

'******************************************************************************************************************************
'********** hMailServer Triggers                                                                                     **********
'******************************************************************************************************************************

Sub OnClientConnect(oClient)
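    '
    '   Check all SMTP traffic. The port is wrapped in "|" delimiters so that only an
    '   exact match on 25, 587 or 465 counts (a bare InStr would also match 5 or 58).
    '
    If (InStr("|25|587|465|", "|" & oClient.Port & "|") > 0) Then Call idsAddIP(oClient.IPAddress, 0)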
End Sub

Sub OnAcceptMessage(oClient, oMessage)
    '
    '   Cleanup IDS registry
    '
    Call idsDelIP(oClient.IPAddress)
End Sub

Handler.vbs

Option Explicit

'******************************************************************************************************************************
'********** Settings                                                                                                 **********
'******************************************************************************************************************************

'
'   COM authentication
'
Private Const ADMIN = "Administrator"
Private Const PASSWORD = "MySeCrEtPaSsWoRd"

'
'   Misc. settings
'
Private Const TEMPDIR  = "C:\hMailServer\Temp"

'
'   MySQL
'
Private Const DBNAME = "hmailserver"
Private Const DBUID = "script"
Private Const DBPW = "NotTellingYou!"
Private Const idsTable = "hm_ids"
Private Const idsHits = 3
Private Const idsMinutes = 180
Dim idsDBDrv : idsDBDrv = "DRIVER={MySQL ODBC 5.3 Unicode Driver};Database="&DBNAME&";Uid="&DBUID&";Pwd="&DBPW&";FOUND_ROWS=1;"

'
'   DRIVER={MySQL ODBC 5.3 Unicode Driver};Server=localhost;Port=3306;Database=%idsdb%;Uid=%idsuid%;Pwd=%idspwd%;Option=3;
'
'   hm_ids      CREATE TABLE hm_ids (
'                 idsid     int(11)      NOT NULL AUTO_INCREMENT,
'                 timestamp datetime     DEFAULT NULL,
'                 ipaddress varchar(192) NOT NULL,
'                 port      int(11)      DEFAULT NULL,
'                 hits      int(11)      DEFAULT NULL,
'                 PRIMARY KEY (idsid),
'                 UNIQUE KEY idsid (idsid),
'                 UNIQUE KEY ipaddress (ipaddress)
'               ) ENGINE=InnoDB DEFAULT CHARSET=latin1
'

'******************************************************************************************************************************
'********** Functions                                                                                                **********
'******************************************************************************************************************************

Function Wait(sec)
   With CreateObject("WScript.Shell")
      .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
   End With
End Function

Function LockFile(strPath)
   Const Append = 8
   Const Unicode = -1
   Dim i
   On Error Resume Next
   With CreateObject("Scripting.FileSystemObject")
      For i = 0 To 30
         Err.Clear
         Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
         If (Not Err.Number = 70) Then Exit For
         Wait(1)
      Next
   End With
   If (Err.Number = 70) Then
      EventLog.Write( "ERROR: EventHandlers.vbs" )
      EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
      Err.Clear
   ElseIf (Err.Number <> 0) Then
      EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
      EventLog.Write( "Error       : " & Err.Number )
      EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
      EventLog.Write( "Source      : " & Err.Source )
      EventLog.Write( "Description : " & Err.Description )
      Err.Clear
   End If
   On Error Goto 0
End Function

Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
   '
   '   sType can be one of the following;
   '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
   '
   Dim oApp : Set oApp = CreateObject("hMailServer.Application")
   Call oApp.Authenticate(ADMIN, PASSWORD)
   With LockFile(TEMPDIR & "\autoban.lck")
      On Error Resume Next
      Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
      If Err.Number = 9 Then
         With oApp.Settings.SecurityRanges.Add
            .Name = "(" & sReason & ") " & sIPAddress
            .LowerIP = sIPAddress
            .UpperIP = sIPAddress
            .Priority = 20
            .Expires = True
            .ExpiresTime = DateAdd(sType, iDuration, Now())
            .Save
         End With
         AutoBan = True
      End If
      On Error Goto 0
      .Close
   End With
   Set oApp = Nothing
End Function

'******************************************************************************************************************************
'********** CODE                                                                                                     **********
'******************************************************************************************************************************

Dim oApp : Set oApp = CreateObject("hMailServer.Application")
Call oApp.Authenticate(ADMIN, PASSWORD)
Dim EventLog : Set EventLog = CreateObject("hMailServer.EventLog")

Dim oRecord, oConn : Set oConn = CreateObject("ADODB.Connection")
oConn.Open idsDBDrv

If oConn.State <> 1 Then
   EventLog.Write( "Handler - ERROR: Could not connect to database" )
   WScript.Quit 1
End If

Set oRecord = oConn.Execute("SELECT * FROM " & idsTable & " WHERE hits > " & idsHits & " AND DATE_SUB(NOW(), INTERVAL " & idsMinutes & " MINUTE) < timestamp;")
Do Until oRecord.EOF
   If AutoBan(oRecord("ipaddress"), "IDS", 7, "d") Then _
       oConn.Execute "DELETE FROM " & idsTable & " WHERE ipaddress = '" & oRecord("ipaddress") & "';"
   oRecord.MoveNext
Loop

oConn.Execute "DELETE FROM " & idsTable & " WHERE DATE_ADD(timestamp, INTERVAL 12 HOUR) < NOW();"
oConn.Close

Set oRecord = Nothing
Set EventLog = Nothing

'******************************************************************************************************************************
'********** END                                                                                                      **********
'******************************************************************************************************************************
SørenR.

Woke is Marxism advancing through Maoist cultural revolution.

palinka
Senior user
Senior user
Posts: 4461
Joined: 2017-09-12 17:57

Re: Stop intruder

Post by palinka » 2019-10-04 17:55

Cool. Yea, I have a PowerShell script in the firewall ban for autoexpiry, among other things.

Also, I have to do something with this: ON DUPLICATE KEY UPDATE hits=(hits+1) because I necessarily use a unique ID. Possibly, I could just add your columns to my table or create a new table just for counting IDS hits. Or query the count. I'll figure it out. But it's definitely a useful addition.

SorenR
Senior user
Senior user
Posts: 6315
Joined: 2006-08-21 15:38
Location: Denmark

Re: Stop intruder

Post by SorenR » 2019-10-04 21:37

palinka wrote:
2019-10-04 17:55
Cool. Yea, I have a PowerShell script in the firewall ban for autoexpiry, among other things.

Also, I have to do something with this: ON DUPLICATE KEY UPDATE hits=(hits+1) because I necessarily use a unique ID. Possibly, I could just add your columns to my table or create a new table just for counting IDS hits. Or query the count. I'll figure it out. But it's definitely a useful addition.

ipaddress is UNIQUE KEY so therefore:

INSERT ipaddress bla bla ON DUPLICATE KEY UPDATE hits=(hits+1)

is similar to:

If found(ipaddress) then
hits=hits+1
else
create record(ipaddress)
hits = 1
end if

Re: Stop intruder

Post by palinka » 2019-10-04 21:52

SorenR wrote:
2019-10-04 21:37
ipaddress is UNIQUE KEY so therefore:

INSERT ipaddress bla bla ON DUPLICATE KEY UPDATE hits=(hits+1)

Exactly. But my firewall ban requires unique key on ID to allow for duplicate IP addresses (for a few reasons). So I'll probably just prepend the column names with ids_ in order to just follow the same structure. Then, on count(ids_ipaddress) > 3, ban to firewall instead of autoban.


Re: Stop intruder

Post by SorenR » 2019-10-04 22:18

palinka wrote:
2019-10-04 21:52
SorenR wrote:
2019-10-04 21:37
ipaddress is UNIQUE KEY so therefore:

INSERT ipaddress bla bla ON DUPLICATE KEY UPDATE hits=(hits+1)
Exactly. But my firewall ban requires unique key on ID to allow for duplicate IP addresses (for a few reasons). So I'll probably just prepend the column names with ids_ in order to just follow the same structure. Then, on count(ids_ipaddress) > 3, ban to firewall instead of autoban.

You can have more than one unique key on the same table... Why would you have duplicate IP addresses?

Re: Stop intruder

Post by palinka » 2019-10-04 22:23

SorenR wrote:
2019-10-04 22:18
You can have more than one unique key on the same table... Why would you have duplicate IP addresses?

Because I want to see/count IPs that have been added/removed from the firewall. For example, it's possible to be listed, removed, listed again, rebanned, and permanently marked safe from future rebans. Certainly this is useful for false positives. If I get a FP, I want to know why.


Re: Stop intruder

Post by SorenR » 2019-10-04 22:41

Spammers/hackers do not stay on the same IP address for too long so over time you'll be "playing" with mailing lists.

History data is only useful for legitimate services :wink:

Re: Stop intruder

Post by palinka » 2019-10-05 03:04

SorenR wrote:
2019-10-04 22:41
Spammers/hackers do not stay on the same IP address for too long so over time you'll be "playing" with mailing lists.

Actually it's been working out pretty well. I parse the firewall log to see who comes back and how many times. About half of them come back. Some just a few times, some hundreds of times. The end result, of course, is not an end of spam, but a steady decrease in the number of spammers making connections. Once in a while I see a small spike as more bots come online. Here you can see what the firewall is actually blocking. It's not a small amount for my tiny mail service. :D
20191004_210548.jpg


Re: Stop intruder

Post by palinka » 2019-10-05 12:52

Here's one that is maybe more explanative. Total number of firewall drops per day on SMTP ports. The trend line shows 3,189 per day as of now. It's a bit skewed by one "spammer" that turned out to be ethersoft in Japan pinging me 100k times over the course of a couple days because I had a DDNS setup with their OpenVPN software that I abandoned. You can see the days that was happening in the large spikes. But the rest are bona fide spammers. A spammer blocked is a spammer without a chance to spam and my logs are pretty quiet thanks in large part to this. :mrgreen:
20191005_064115.jpg


Re: Stop intruder

Post by palinka » 2019-10-05 16:54

SorenR wrote:
2019-10-04 17:24
Anyways, here's something to get you going. I presume you don't need the handler.vbs if you already have something that reads the database...

Done. A couple of minor changes, but nothing to write home about. I want to run it a few days before committing to github.

One question - what is the column "port" for? It records "0" into the db.

Code: Select all

If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
I left it there, but I don't see what use there is for it.


Re: Stop intruder

Post by SorenR » 2019-10-05 18:05

palinka wrote:
2019-10-05 16:54
SorenR wrote:
2019-10-04 17:24
Anyways, here's something to get you going. I presume you don't need the handler.vbs if you already have something that reads the database...
Done. A couple of minor changes, but nothing to write home about. I want to run it a few days before committing to github.

One question - what is the column "port" for? It records "0" into the db.

Code: Select all

If (InStr("|25|587|465|", oClient.Port) > 0) Then Call idsAddIP(oClient.IPAddress, 0)
I left it there, but I don't see what use there is for it.

I used it for GEO blocking on select ports but eventually removed the code from Handler.vbs - never got around to removing the column from DB. :mrgreen:

Re: Stop intruder

Post by palinka » 2019-10-06 01:24

SorenR wrote:
2019-10-05 18:05
I used it for GEO blocking on select ports but eventually removed the code from Handler.vbs - never got around to removing the column from DB. :mrgreen:

OK, cool. I got rid of it and ID as well. No real need for it when you have:

Code: Select all

ON DUPLICATE KEY UPDATE hits=(hits+1)


Re: Stop intruder

Post by palinka » 2019-10-07 12:58

You can check it out on my firewall ban demo: http://hmsfirewallbandemo.ddns.net/IDS.php :D


Re: Stop intruder

Post by SorenR » 2019-10-07 13:18

palinka wrote:
2019-10-07 12:58
You can check it out on my firewall ban demo: http://hmsfirewallbandemo.ddns.net/IDS.php :D
Did you keep the 180 minute window?

Working with AutoBan, sometimes aggressive settings will kill your server performance, which is why I only look at a 180 minutes window. No point in banning someone that will send a probe every 2 days. :wink:
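
The counting scheme discussed in this thread (upsert on a UNIQUE ipaddress, clear on accepted mail, ban when hits exceed 3 with the last hit inside the 180 minute window, purge after 12 idle hours), as an added Python model that is not part of any post here. It uses an in-memory SQLite table in place of MySQL, so `ON CONFLICT ... DO UPDATE` stands in for `ON DUPLICATE KEY UPDATE`; the function names and sample addresses are assumptions.

```python
import sqlite3
from datetime import datetime, timedelta

IDS_HITS = 3       # ban when hits > IDS_HITS (idsHits in Handler.vbs)
IDS_MINUTES = 180  # the last hit must be this recent (idsMinutes)
PURGE_HOURS = 12   # rows idle for longer than this are dropped

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE hm_ids (ipaddress TEXT NOT NULL UNIQUE,"
               " timestamp TEXT, hits INTEGER)")
    return db

def on_client_connect(db, ip, now):
    # SQLite's ON CONFLICT ... DO UPDATE stands in for MySQL's
    # ON DUPLICATE KEY UPDATE; values are bound rather than concatenated.
    db.execute("INSERT INTO hm_ids (ipaddress, timestamp, hits) VALUES (?, ?, 1) "
               "ON CONFLICT(ipaddress) DO UPDATE SET hits = hits + 1, "
               "timestamp = excluded.timestamp", (ip, now.isoformat()))

def on_accept_message(db, ip):
    # An accepted message clears the counter, as idsDelIP does.
    db.execute("DELETE FROM hm_ids WHERE ipaddress = ?", (ip,))

def run_handler(db, now):
    """Return the IPs to ban, then drop banned and stale rows."""
    recent = (now - timedelta(minutes=IDS_MINUTES)).isoformat()
    stale = (now - timedelta(hours=PURGE_HOURS)).isoformat()
    banned = [row[0] for row in db.execute(
        "SELECT ipaddress FROM hm_ids WHERE hits > ? AND timestamp > ? "
        "ORDER BY ipaddress", (IDS_HITS, recent))]
    db.executemany("DELETE FROM hm_ids WHERE ipaddress = ?",
                   [(ip,) for ip in banned])
    db.execute("DELETE FROM hm_ids WHERE timestamp < ?", (stale,))
    return banned

def simulate():
    # Constructed traffic; addresses come from the documentation ranges.
    db, t0, bans = open_db(), datetime(2019, 10, 7, 12, 0, 0), []
    for i in range(4):                  # 4 connects, nothing delivered
        on_client_connect(db, "203.0.113.7", t0 + timedelta(minutes=i))
    for i in range(5):                  # 5 connects, then a real message
        on_client_connect(db, "198.51.100.9", t0 + timedelta(minutes=i))
    on_accept_message(db, "198.51.100.9")
    bans += run_handler(db, t0 + timedelta(minutes=10))
    for day in range(1, 10, 2):         # one probe every 2 days
        when = t0 + timedelta(days=day)
        on_client_connect(db, "192.0.2.55", when)
        bans += run_handler(db, when + timedelta(minutes=5))
        bans += run_handler(db, when + timedelta(hours=13))  # purged here
    rows_left = db.execute("SELECT COUNT(*) FROM hm_ids").fetchone()[0]
    return bans, rows_left

if __name__ == "__main__":
    print(simulate())
```

Because every connect refreshes `timestamp`, the 180 minute window tests only the most recent hit; earlier hits keep counting until the row is purged or cleared by an accepted message.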


Re: Stop intruder

Post by palinka » 2019-10-07 13:39

SorenR wrote:
2019-10-07 13:18
palinka wrote:
2019-10-07 12:58
You can check it out on my firewall ban demo: http://hmsfirewallbandemo.ddns.net/IDS.php :D
Did you keep the 180 minute window?

Working with AutoBan, sometimes aggressive settings will kill your server performance, which is why I only look at a 180 minutes window. No point in banning someone that will send a probe every 2 days. :wink:

Nah, they're banned for life. Unless I see that is a false positive. There's no need to autoban - these guys go straight to the firewall (>3 hits).

FPs are pretty rare and usually have a good reason. I noticed that starting a few days ago, fakebook brought new mail servers online and the HELO contained the entire IP. WTF? Don't they know that's begging to get tripped up in dynamic IP filters? And that's what happened, so I had to release them from the firewall and prevent them from getting listed again. Bad fakebook! Bad!

Anyway, I think the majority of IDS hits come from password guessers. There's no point in letting them back in. EXILED TO THE BARREN WASTELANDS OF THE INTERNET NEVER TO BE HEARD FROM AGAIN!

I've had some debate here about how wise it might be to permanently firewall ban spammers. The truth is that 99.99% are bots living on infected corporate workstations and those IPs will never ever become legitimate mail servers. Legit mail servers will never be firewall banned - except rare FPs - even if they occasionally send spam.

And by the way, there is 0 performance hit for having 10k (so far) firewall rules. :D

It's all good, baby! :mrgreen:


Re: Stop intruder

Post by mattg » 2019-10-08 01:36

palinka wrote:
2019-10-07 13:39
Anyway, I think the majority of IDS hits come from password guessers. There's no point in letting them back in. EXILED TO THE BARREN WASTELANDS OF THE INTERNET NEVER TO BE HEARD FROM AGAIN!

Except they are usually connecting from dynamic IPs, which may later end up being used by a genuine sender

Re: Stop intruder

Post by palinka » 2019-10-08 01:56

mattg wrote:
2019-10-08 01:36
palinka wrote:
2019-10-07 13:39
Anyway, I think the majority of IDS hits come from password guessers. There's no point in letting them back in. EXILED TO THE BARREN WASTELANDS OF THE INTERNET NEVER TO BE HEARD FROM AGAIN!
Except they are usually connecting from dynamic IPs, which may later end up being used by a genuine sender

Good point, but none of my filters go that deep. I'm only checking servers, so if an IP ends up in the doghouse, and later they clean the bot infection, they're still 99.99% chance not going to be a mail server and therefore not be affected by my firewall ban. They'll be relaying mail through a mail server, not sending directly to me.

And I don't believe they're connecting from dynamic IPs. That virtually ended when ISPs started blocking port 25 outgoing. I believe (could be wrong - wouldn't be the first time) that most bots are on corporate networks that have not blocked port 25. There seem to be plenty of non maintenance maintainers out there.


Re: Stop intruder

Post by mattg » 2019-10-08 02:00

Or perhaps using TOR

Re: Stop intruder

Post by palinka » 2019-10-08 02:38

mattg wrote:
2019-10-08 02:00
Or perhaps using TOR

Maybe, but still, how many mail servers also act as Tor exit nodes?

Anyway, the vast majority of connections I drop are geo IP based, so I wouldn't accept them no matter what the circumstances are. Even if they were bona fide legit mail servers.

jim.bus
Senior user
Senior user
Posts: 1571
Joined: 2011-05-28 11:49
Location: US

Re: Stop intruder

Post by jim.bus » 2019-10-08 03:09

How come I keep hearing how ISPs block outgoing Port 25? I've been on two major ISPs in the 8 or more years I've been using hMailServer and neither one of them blocked Port 25 to me though one kept documenting they may do it but I never ran into it. Granted I now use a Static IP Address from my ISP but that has been only for about a year now.

Is this maybe a bit isolated to Europe and Australia, etc? I'm just curious.
If you think you understand quantum mechanics, you don't understand quantum mechanics.
