Check incoming connections with AbuseIPDB

[RvdH]

@SorenR, where is the latest and greatest autoban function?

Not sure if it's the latest, but it's still the greatest:

https://www.hmailserver.com/forum/viewt ... 66#p209546

[palinka]

Code: Select all

' strIP, A valid IPv4 or IPv6 address. (required)
' strCategories, comma separated string with integer values (required)
' few examples:
'  7	-	Phishing
' 11	-	Email Spam
' 14	-	Port Scan
' 15	-	Hacking
' 17	-	Spoofing
' 18	-	Brute-Force
' 20	-	Exploited Host
' strCommment, Related information (optional: server logs, timestamps, etc.)

Multiple strCategories can be listed? I'm thinking 18/20 and 11/20 are often combined. The "tell" is a dynamic/pool PTR as helo.

[RvdH]

Multiple strCategories can be listed? I'm thinking 18/20 and 11/20 are often combined. The "tell" is a dynamic/pool PTR as helo.

Yup, comma separated, eg: "18,20" or "11,20"

[palinka]

Awesome. Going to try it out later today.

[SorenR]

@fjansen04
Make sure you only call ReportToAbuseIPDB(ip address, etc, etc) for that IP address once in a 15 minute timespan, it is a limit by AbuseIPDB.
The 2nd line is apparently a report of the same ip address within this 15 minute timespan an therefor it gives the: Too Many Request error

Could be useful to combine it with SorenR's autoban function, at least autoban the IP for 15 minutes (I use a 1 day autoban)
@SorenR, where is the latest and greatest autoban function?

Here... Plus some bonus material

Code: Select all

'******************************************************************************************************************************
'********** AutoBan stuff                                                                                            **********
'******************************************************************************************************************************

Function AutoBan(sIPAddress, sReason, iDuration, sType) : AutoBan = False
    '
    '   sType can be one of the following;
    '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    With LockFile(TEMPDIR & "\autoban.lck")
        On Error Resume Next
        Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & sIPAddress)
        If Err.Number = 9 Then
            With oApp.Settings.SecurityRanges.Add
                .Name = "(" & sReason & ") " & sIPAddress
                .LowerIP = sIPAddress
                .UpperIP = sIPAddress
                .Priority = 20
                .Expires = True
                .ExpiresTime = DateAdd(sType, iDuration, Now())
                .Save
            End With
            AutoBan = True
            Result.Value = 1
        End If
        On Error GoTo 0
        .Close
    End With
    Set oApp = Nothing
End Function

Function LockFile(strPath)
    Const Append = 8
    Const Unicode = -1
    Dim i
    On Error Resume Next
    With CreateObject("Scripting.FileSystemObject")
        For i = 0 To 30
            Err.Clear
            Set LockFile = .OpenTextFile(strPath, Append, True, Unicode)
            If (Not Err.Number = 70) Then Exit For
            Wait(1)
        Next
    End With
    If (Err.Number = 70) Then
        EventLog.Write( "ERROR: EventHandlers.vbs" )
        EventLog.Write( "File " & strPath & " is locked and timeout was exceeded." )
        Err.Clear
    ElseIf (Err.Number <> 0) Then
        EventLog.Write( "ERROR: EventHandlers.vbs : Function LockFile" )
        EventLog.Write( "Error       : " & Err.Number )
        EventLog.Write( "Error (hex) : 0x" & Hex(Err.Number) )
        EventLog.Write( "Source      : " & Err.Source )
        EventLog.Write( "Description : " & Err.Description )
        Err.Clear
    End If
    On Error GoTo 0
End Function

Function Wait(sec)
    With CreateObject("WScript.Shell")
        .Run "powershell Start-Sleep -Milliseconds " & Int(sec * 1000), 0, True
    End With
End Function

'******************************************************************************************************************************
'********** IP is already banned? (for use via POPFetch or Incoming Relay)                                           **********
'******************************************************************************************************************************

Function isIPBanned(oClient) : isIPBanned = False
    Dim a, strIP, strLowerIP, strUpperIP, strRegEx
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    strIP = INET_NTOA(oClient.IPAddress)
    For a = 0 To oApp.Settings.SecurityRanges.Count-1
        If (oApp.Settings.SecurityRanges.Item(a).Priority = 20) Then
            strLowerIP = INET_NTOA(oApp.Settings.SecurityRanges.Item(a).LowerIP)
            strUpperIP = INET_NTOA(oApp.Settings.SecurityRanges.Item(a).UpperIP)
            If (strUpperIP >= strIP) And (strIP >= strLowerIP) Then
                isIPBanned = True
                Set oApp = Nothing
                Exit Function
            End If
        End If
    Next
    Set oApp = Nothing
End Function

Function INET_NTOA(strIP)
    Dim a, i, N : N = 0
    a = Split(strIP, ".")
    For i = 0 To UBound(a)
        N = N + CLng(a(i)) * (256 ^ (3 - i))
    Next
    INET_NTOA = N
End Function

'******************************************************************************************************************************
'********** CIDR stuff 51.15.0.0/15                                                                                  **********
'******************************************************************************************************************************

Function CIDRBan(CIDR, sReason, iDuration, sType) : CIDRBan = False
    '
    '   sType can be one of the following;
    '   "yyyy" Year, "m" Month, "d" Day, "h" Hour, "n" Minute, "s" Second
    '
    Dim oApp : Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate(ADMIN, PASSWORD)
    With LockFile(TEMPDIR & "\cidrban.lck")
        On Error Resume Next
        Dim oSecurityRange : Set oSecurityRange = oApp.Settings.SecurityRanges.ItemByName("(" & sReason & ") " & CIDR)
        If Err.Number = 9 Then
            With oApp.Settings.SecurityRanges.Add
                .Name = "(" & sReason & ") " & CIDR
                .LowerIP = CIDR2IP(CIDR, False)
                .UpperIP = CIDR2IP(CIDR, True)
                .Priority = 20
                .Expires = True
                .ExpiresTime = DateAdd(sType, iDuration, Now())
                .Save
            End With
            CIDRBan = True
            Result.Value = 1
        End If
        On Error GoTo 0
        .Close
    End With
    Set oApp = Nothing
End Function

Function CIDR2IP(CIDR, high)
    Const highs = "11111111111111111111111111111111"
    Const lows  = "00000000000000000000000000000000"
    Dim byte0, byte1, byte2, byte3, mask, bytes, rangelow, rangehigh, iplow, iphigh
    byte0 = Dec2Bin(Split(CIDR, ".")(0))
    byte1 = Dec2Bin(Split(CIDR, ".")(1))
    byte2 = Dec2Bin(Split(CIDR, ".")(2))
    byte3 = Dec2Bin(Split(Split(CIDR, ".")(3), "/")(0))
    mask = Split(Split(CIDR, ".")(3), "/")(1)
    bytes = byte0 & byte1 & byte2 & byte3
    rangelow = Left(bytes, mask) & Right(lows, 32 - mask)
    rangehigh = Left(bytes, mask) & Right(highs, 32 - mask)
    iplow = Bin2IP(Left(bytes, mask) & Right(lows, 32 - mask))
    iphigh = Bin2IP(Left(bytes, mask) & Right(highs, 32 - mask))
    If high Then
        CIDR2IP = iphigh
    Else
        CIDR2IP = iplow
    End If
End Function

'
'   Expecting input like 00000000000000000000000000000000
'
Function Bin2IP(strbin)
    Dim ip0, ip1, ip2, ip3
    ip0 = Bin2Dec(Mid(strbin, 1, 8))
    ip1 = Bin2Dec(Mid(strbin, 9, 8))
    ip2 = Bin2Dec(Mid(strbin, 17, 8))
    ip3 = Bin2Dec(Mid(strbin, 25, 8))
    'combines all of the bytes into a single string
    Bin2IP = ip0 & "." & ip1 & "." & ip2 & "." & ip3
End Function

'
'   Expecting input like 00010101
'
Function Bin2Dec(strbin)
    Dim length, dec, x, binval, temp
    length = Len(strbin)
    dec = 0
    For x = 1 To length
        binval = 2 ^ (length - x)
        temp = Mid(strbin, x, 1)
        If temp = "1" Then dec = dec + binval
    Next
    Bin2Dec = dec
End Function

'
'   Expecting input 0 thru 255
'
Function Dec2Bin(dec)
    Const maxpower = 7
    Const length = 8
    Dim bin, x, m
    bin = ""
    x = cLng(dec)
    For m = maxpower To 0 Step -1
        If x And (2 ^ m) Then
            bin = bin + "1"
        Else
            bin = bin + "0"
        End If
    Next
    Dec2Bin = bin
End Function

[fjansen04]

@RvdH

The offending IP connected twice in 6 seconds trying to submit spam, but was rejected twice by Spamhaus.
I have no idea how to implement autoban for that type of connections.

[RvdH]

@RvdH

The offending IP connected twice in 6 seconds trying to submit spam, but was rejected twice by Spamhaus.
I have no idea how to implement autoban for that type of connections.

Even with autoban enabled i get the "Too Many Request"error from time to time, some try to hammer in

Code: Select all

8252	"2020-03-31 12:41:39.432"	"INFO: ReportToAbuseIPDB: Unauthorized connection attempt from IP address 198.108.67.48 on port 465"
6876	"2020-03-31 12:41:39.463"	"WARN: AbuseIPDB Error: Too Many Requests"
9052	"2020-03-31 12:41:40.415"	"WARN: AbuseIPDB Error: Too Many Requests"
6248	"2020-03-31 12:41:41.382"	"WARN: AbuseIPDB Error: Too Many Requests"
8264	"2020-03-31 12:41:41.382"	"WARN: AbuseIPDB Error: Too Many Requests"
5864	"2020-03-31 12:41:41.523"	"WARN: AbuseIPDB Error: Too Many Requests"

I don't use abuseipdb check/report on port 25 you better can rely om spamhaus for those
i only use abuseipdb check/report on the client ports (143, 465, 587, 993, 995) in combination with a GEO Check and Autoban

You can also turn off error logging in the ReportToAbuseIPDB function, only in that case you won't see any (other)errors as well

[fjansen04]

Yes, I'll leave port 25 out. Authentication is already disabled on 25.

[palinka]

@RvdH

The offending IP connected twice in 6 seconds trying to submit spam, but was rejected twice by Spamhaus.
I have no idea how to implement autoban for that type of connections.

Even with autoban enabled i get the "Too Many Request"error from time to time, some try to hammer in

I ran into that situation with my firewall ban project. Now every ban/reject goes like this:
1) call your disconnect.exe
2) autoban 1 hour
3) call firewall ban

What I found is that sometimes there are simultaneous connections caused by waiting for the first connection to be fully tested against whatever filters you have. By the time its done making its way through your filters, several other new connections from the same IP flood in and THOSE are not affected by the autoban you just called. Disconnect.exe wipes them all out and allows autoban to do its job. Autoban ONLY prevents the connection - once the connection is made, its too late for autoban to do anything.

[RvdH]

Disconnect.exe is called from within my Autoban procedure, i am using an older version, the sub version and not the function (bool) version SorenR has created after
I don't see much value to do a firewall ban, simply ban them for a few hours or even a day, these are all automated (exploited)systems anyway, they simply keep coming back
With autoban expiring daily (mostly) i also keep reporting offending ip's to blocklist.de and now abuseipdb and by doing so helping others

The 'WARN: AbuseIPDB Error: Too Many Requests' message doesn't bother me that much, i know what it means

My limits are increased after registering a domain and reporting IP's, the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316

FYI: Reports for port 3389 are send using another program

[palinka]

My limits are increased after registering a domain and reporting IP's, the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316

I'd be WAAAAYYY below that since I already banned a good portion of the spamming world. They don't get second chances with me.

FYI: Reports for port 3389 are send using another program

Good idea! I already parse the firewall log as part of my firewall ban project, so adding this is a no-brainer. Thanks.

[RvdH]

My limits are increased after registering a domain and reporting IP's, the daily report/lookup limit is now 5000
https://www.abuseipdb.com/user/40316

I'd be WAAAAYYY below that since I already banned a good portion of the spamming world. They don't get second chances with me.

You misunderstood me, of course once you ban them for a longer time.... but what if you disable that firewall ban for a week or month, then you are back at normal rates
Therefor i said, a firewall ban kinda useless/overkill (for me and my usage) and besides that i cannot report misbehaving IP's using firewall ban

FYI: Reports for port 3389 are send using another program

Good idea! I already parse the firewall log as part of my firewall ban project, so adding this is a no-brainer. Thanks.

I use this service: https://github.com/DigitalRuby/IPBan

[palinka]

and besides that i cannot report misbehaving IP's using firewall ban

That's for sure!

Actually not entirely. There's always new bot infections. One of the benefits of my project is the database that goes with it. Makes it easy to find patterns. I've noticed waves of spammers that I assume are new bot infections. Right now we're in a lull, which I'm assuming has to do with fewer corporate workstations being turned on while people are working at home.

You can check out the demo if you want: https://firewallban.dynu.net/

I use this service: https://github.com/DigitalRuby/IPBan

I'll check it out. But... I forgot I have port 3389 closed at the router firewall (access ony via VPN and even then only on a custom port ). So mail ports only for me. My crappy ISP supplied router doesn't support any kind of scripting.

[RvdH]

My data submitted to AbuseIPDB is gathered from 3 different systems, my home setup (only hmailserver, RDP is locked by firewall) our companies/work hmailserver instance (only hmailserver, RDP is locked by firewall) and a work development server (no hmailserver, only RDP to connect from home, or when doing client visits)

[fjansen04]

The server I am testing this script on, is low usage so I'm not getting anywhere near the AbuseIPDB limits. Therefore I kept port 25 included after all.

This server is also functioning as backup mx. What I don't understand is that when a perfectly legit message is submitted to be relayed to the primary mx, the originally connecting IP is reported to AbuseIPDB. It even reported a Google IP.

[RvdH]

The server I am testing this script on, is low usage so I'm not getting anywhere near the AbuseIPDB limits. Therefore I kept port 25 included after all.

This server is also functioning as backup mx. What I don't understand is that when a perfectly legit message is submitted to be relayed to the primary mx, the originally connecting IP is reported to AbuseIPDB. It even reported a Google IP.

Dude, for real?
When do you call ReportToAbuseIPDB? You only should call it when you are sure it is a misbehaving IP, therefor the best way is to combine it with some GEO check.... if a Chinese server try to authenticate against client (IMAP/POP3) ports i can tell for sure this is a infected/misbehaving system as we don't have Chinese clients

If you call it for every incoming connection even legit servers get reported, as you told it to do so!
Please post code snippet when you called ReportToAbuseIPDB to review

[fjansen04]

You're absolutely right.
I will reset everything according to your specs.

[palinka]

Code: Select all

		.SetMaxConfidenceScore(40)

Quick question: First, I assume this means no IP with confidence score < 40 returns TRUE. Correct?

Also, I have no experience with this yet. Is > 40 a good number to work with? Should it be closer to 100 for rejection?

[palinka]

By the way, I got it working with powershell.

Code: Select all

$IP = "77.40.2.198"

$URICheck = "https://api.abuseipdb.com/api/v2/check"
$URIReport = "https://api.abuseipdb.com/api/v2/report"

$Header = @{
	'Key' = 'supersecretkey;
	'Accept' = 'application/json';
}

$BodyCheck = @{
	'ipAddress' = $IP;
	'maxAgeInDays' = '90';
	'verbose' = '';
}

$BodyReport = @{
	'ip' = $IP;
	'categories' = '18,20';
	'comment' = '.mari-el.ru Spam Factory';
} | ConvertTo-JSON 

<# check #>
$AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8' 
$AbuseIPDB.data.abuseConfidenceScore

<# report #>
$AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8' 
$AbuseIPDB.data.abuseConfidenceScore

Not sure what I plan to use it for yet. Bases are pretty much covered with your thing in hMailServer.

[RvdH]

Code: Select all

		.SetMaxConfidenceScore(40)

Quick question: First, I assume this means no IP with confidence score < 40 returns TRUE. Correct?

Correct

Code: Select all

        public bool BlockEndpoint(string ipAddress)
        {
            return GetConfidenceScore(ipAddress) >= _maxScore;
        }

Also, I have no experience with this yet. Is > 40 a good number to work with? Should it be closer to 100 for rejection?

Me neither...but looks like 40 is a good starting point

[RvdH]

By the way, I got it working with powershell.

Code: Select all

$IP = "77.40.2.198"

$URICheck = "https://api.abuseipdb.com/api/v2/check"
$URIReport = "https://api.abuseipdb.com/api/v2/report"

$Header = @{
	'Key' = 'supersecretkey;
	'Accept' = 'application/json';
}

$BodyCheck = @{
	'ipAddress' = $IP;
	'maxAgeInDays' = '90';
	'verbose' = '';
}

$BodyReport = @{
	'ip' = $IP;
	'categories' = '18,20';
	'comment' = '.mari-el.ru Spam Factory';
} | ConvertTo-JSON 

<# check #>
$AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8' 
$AbuseIPDB.data.abuseConfidenceScore

<# report #>
$AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8' 
$AbuseIPDB.data.abuseConfidenceScore

Not sure what I plan to use it for yet. Bases are pretty much covered with your thing in hMailServer.

Cool

I am now working on a AbuseIPDB-IIS-Module

[palinka]

Cleaned up the powershell.

Code: Select all

<#

.SYNOPSIS
	AbuseIPDBCheckOrReport.ps1: AbuseIPDB.com Check or Report IP

.DESCRIPTION
	AbuseIPDBCheckOrReport.ps1: Powershell script to check or report IP at AbuseIPDB.com

.FUNCTIONALITY
	1) Checks IP -> Returns status, abuseConfidenceScore
	2) Reports IP -> Returns status, abuseConfidenceScore

.PARAMETER IP
	Specifies the IP address to be checked or reported.
	
.PARAMETER Categories
	Specifies the categories of reported IPs. !REQUIRED FOR REPORT IP! See https://www.abuseipdb.com/categories for full list.

.PARAMETER Comment
	Specifies the comments to be included with reported IP. Parameter optional.
	
.NOTES


.EXAMPLE
	Check IP:
		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210"
		$CheckIP.Status
		$CheckIP.Confidence

	Report IP:
		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210" "11"
		$CheckIP.Status
		$CheckIP.Confidence

		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "77.40.61.210" "11" "spammer"
		$CheckIP.Status
		$CheckIP.Confidence

	Report IP with error:
		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "127.0.0.2" "11"
		$CheckIP.Status
		$CheckIP.Confidence

		$CheckIP = & C:\path\to\AbuseIPDBCheckOrReport.ps1 "127.0.0.2" "11" "spammer"
		$CheckIP.Status
		$CheckIP.Confidence

#>

Param(
	[Parameter(Mandatory=$True)]
	[ValidatePattern("((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))")]
	[String]$IP,

	[Parameter(Mandatory=$False)]
	[AllowEmptyString()]
	[String]$Categories,

	[Parameter(Mandatory=$False)]
	[AllowEmptyString()]
	[String]$Comment
)

$Error.Clear()

<###   USER VARIABLES   ###>
$APIKey = "supersecretkey"

$Header = @{
	'Key' = $APIKey;
}

If (([string]::IsNullOrEmpty($Categories)) -and ([string]::IsNullOrEmpty($Categories))){

	$URICheck = "https://api.abuseipdb.com/api/v2/check"
	$BodyCheck = @{
		'ipAddress' = $IP;
		'maxAgeInDays' = '90';
		'verbose' = '';
	}
	Try {
		$AbuseIPDB = Invoke-RestMethod -Method GET $URICheck -Header $Header -Body $BodyCheck -ContentType 'application/json; charset=utf-8' 
		$StatusNum = "200"
		$ConfidenceScore = $AbuseIPDB.data.abuseConfidenceScore
	}
	Catch {
		$ErrorMessage = $_.Exception.Message
		[regex]$RegexErrorNum = "\d{3}"
		$StatusNum = ($RegexErrorNum.Matches($ErrorMessage)).Value	
	}

} Else {

	$URIReport = "https://api.abuseipdb.com/api/v2/report"
	$BodyReport = @{
		'ip' = $IP;
		'categories' = $Categories;
		'comment' = $Comment;
	} | ConvertTo-JSON 

	Try {
		$AbuseIPDB = Invoke-RestMethod -Method POST $URIReport -Header $Header -Body $BodyReport -ContentType 'application/json; charset=utf-8' 
		$StatusNum = "200"
		$ConfidenceScore = $AbuseIPDB.data.abuseConfidenceScore
	}
	Catch {
		$ErrorMessage = $_.Exception.Message
		[regex]$RegexErrorNum = "\d{3}"
		$StatusNum = ($RegexErrorNum.Matches($ErrorMessage)).Value	
	}
}

$Response = @{
	'Status' = $StatusNum;
	'Confidence' = $ConfidenceScore;
}
Return $Response

GitHub: https://github.com/palinkas-jo-reggelt/ ... eck-Report

[mikernet]

I've been doing AbuseIPDB checks for a while and it works great but I have a slight issue which relates to logging/diagnostics. When emails from someone aren't coming through it is very difficult to check if it is due to AbuseIPDB since the email domain is not tagged with the IP block.

I think it would be much better if the connection was "tagged" as abusive in OnClientConnect but allowed to continue the first time until the sending domain/email was identified so it could be added to the banned IP info. Thoughts on the best way to achieve this?

[RvdH]

Not sure what you are trying to accomplish, is it relevant at all and additionally is there any reason to monitor the address it sends To/From if it's coming thru a server tagged abuseipdb?

You always could shift the ListedInAbuseIPDB(strIP) check down the events handled, for example to OnSMTPData(oClient, oMessage) if you like to access the FromAddress header
Or even later, in Sub OnAcceptMessage(oClient, oMessage) if you like to access the From/To fields

Personally i would always combine this with a Autoban, to stop hammering/retrying

[mikernet]

Clearly had a brainfart...of course I can just do the check there instead of splitting it up.

It is relevant if you are trying to help someone diagnose why your email server isn't accepting emails from them. Sometimes the sending IP address changes, sometimes they use multiple services to send mail and it is difficult to pin down an IP address, etc. It's good information to have. If you aren't getting email from domain XYZ.com then you can just search your banned IP info for that domain to see if that's the cause.

[palinka]

Clearly had a brainfart...of course I can just do the check there instead of splitting it up.

It is relevant if you are trying to help someone diagnose why your email server isn't accepting emails from them. Sometimes the sending IP address changes, sometimes they use multiple services to send mail and it is difficult to pin down an IP address, etc. It's good information to have. If you aren't getting email from domain XYZ.com then you can just search your banned IP info for that domain to see if that's the cause.

Maybe you should LOG everything in a way that's easily searchable.

[palinka]

I am now working on a AbuseIPDB-IIS-Module

I just finished a powershell instance for apache. It tails the access log and checks against abuseipdb.com for bad hombres. I'll throw it up on GitHub after I clean it up.

[mikernet]

Maybe you should LOG everything in a way that's easily searchable.

That's kind of the point. Can't log the email/domain if you cut off the connection before you get that info...

[palinka]

Maybe you should LOG everything in a way that's easily searchable.

That's kind of the point. Can't log the email/domain if you cut off the connection before you get that info...

IP is better than nothing if there's a reason associated with it.

You could also increase the confidence score closer to 100 to be sure its not rejecting false positives.

[mikernet]

I already have the IP. What I was posting about was also getting the domain. As indicated above, we've already solved that issue so I'm not really sure where this is going.

[palinka]

I already have the IP. What I was posting about was also getting the domain. As indicated above, we've already solved that issue so I'm not really sure where this is going.

Check out the demo for my logging project and you'll see.

https://firewallban.dynu.net/accrej/

[tonyquart]

Hi all,

I use the website www.AbuseIPDB.com quite a lot for looking up malicious IP addresses.
I've also created some code that will query the AbuseIPDB API and evaluate the response to reject the connection if reported more than 10 times in the last 30 days.
Please note that you need register at AbuseIPDB to obtain an API key.
Use at your own discretion...

Good luck!

EDIT: UPDATED WORKING VERSION FOLLOWS IN THE SECOND POST. (mod.)

Code: Select all

Sub OnClientConnect(oClient)
'Variables
   ClientIp       = oClient.IpAddress                 'Connecting remote IP address
   ClientPort     = oClient.Port                      'Port it is connecting to
   DetectPort     = 25                                'Variable port to check
   LocalHost      = "127.0.0.1"                       'Variable for LocalHost IP address
   APIkey         = "GetYourOwn"                      'API key (get your own at AbuseIPDB.Com)
   APIDays        = 30                                'Variable AbuseIPDB history in days
   APICount       = 10                                'Variable threshold to use for rejecting connections
   
'Check IP Address with AbuseIPDB API
   If ClientPort = DetectPort and ClientIp <> LocalHost Then
      Set objXMLHTTP = CreateObject("msxml2.xmlhttp.6.0")
      objXMLHTTP.Open "GET", "https://www.abuseipdb.com/check/" & ClientIp & "/json", False
      objXMLHTTP.setRequestHeader "Content-Type", "application/json"
      objXMLHTTP.Send "key=" & APIKey & "&days=" & APIDays
      ResponseText = objXMLHTTP.responseText

'Evaluate response (quick & dirty JSON 'parsing')
      If ResponseText <> "[]" and InStr(Replace(ResponseText, chr(34),""),"isWhitelisted:true") = 0 then
         RecordCount = CountString(ResponseText, ClientIp)
'Reject connection and write eventlog
         If RecordCount > APICount Then
            Result.Value = 1
            EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " rejected (reported " & RecordCount & " times)")
'Accept connection and write warning in eventlog
         Else
            Result.Value = 0
            EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " warning  (reported " & RecordCount & " times)")
         End If
      End If
'Accept connection because IP address is reported but whitelisted at AbuseIPDB
      If ResponseText <> "[]" and InStr(Replace(ResponseText, chr(34),""),"isWhitelisted:true") <> 0 then
         Result.Value = 0
         RecordCount = CountString(ResponseText, ClientIp)
         EventLog.Write ("AbuseIPDB: IP Address " & ClientIp & " whitelisted (reported " & RecordCount & " times)")
      End If
      Set objXMLHTTP = Nothing
   End If
End Sub

Public Function CountString(VariableString, SearchString)
   CountString = 0
      For x = 1 to len(VariableString) - len(SearchString)
         If Mid(VariableString,x,len(SearchString)) = SearchString then
            CountString = CountString +1
         End If
      Next
End Function

Does abuseipdb still works great now? Or are there any better options to lookup malicious IPs? I got a recommendation from a friend of mine about this website ip-address-lookup-v4.com, but I haven't tried it yet. Anyone have used this website to look up an IP?

[fjansen04]

Yes, I'm using RvdH's version of the script, and it is quite effective.

[SorenR]

Could somebody please update the original script by Po-in to the new AbuseIPdb API v2?

Thanks!

Well... Not an update of Po-in's script but just to show how it works. The v2 API is quite different both in web calling and how to interpret the JSON data. Also, it won't work pre Windows Server 2008 due to TLS1.0/SSL3.0 is not supported anymore.

Code: Select all

Option Explicit

Include("C:\hMailServer\Events\VbsJson.vbs")


Function Include(sInstFile)
    Dim f, s, fso
    Set fso = CreateObject("Scripting.FileSystemObject")
    On Error Resume Next
    If fso.FileExists(sInstFile) Then
        Set f = fso.OpenTextFile(sInstFile)
        s = f.ReadAll
        f.Close
        ExecuteGlobal s
    End If
    On Error GoTo 0
    Set f = Nothing
    Set fso = Nothing
End Function


Function oAbuseIPDB(strIP, ByRef ReturnCode)
    Dim oXML, json
    Const SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS = 13056
    Const APIKEY = "v2 ApiKey"
    Const DAYS = 90
    Set json = New VbsJson
    ' On Error Resume Next
    Set oXML = CreateObject("Msxml2.ServerXMLHTTP.6.0")
    oXML.open "GET", "https://api.abuseipdb.com/api/v2/check?ipAddress=" & strIP & "&maxAgeInDays=" & DAYS & "&verbose", False
    oXML.setOption(2) = SXH_SERVER_CERT_IGNORE_ALL_SERVER_ERRORS
    oXML.setRequestHeader "Key", ApiKey
    oXML.setRequestHeader "Accept", "application/json"
    oXML.send
    Set oAbuseIPDB = json.Decode(oXML.responsetext)
    ReturnCode = oXML.Status
    ' On Error Goto 0
    If (ReturnCode <> 200 ) Then WScript.Echo( "<error> api.ipgeolocation.io lookup failed, error code: " & ReturnCode & " on IP address " & strIP )
End Function


Dim oAbuseIP, oData, oReport, Category, ReturnCode

Set oAbuseIP = oAbuseIPDB("118.25.6.39", ReturnCode)
Set oData = oAbuseIP("data")

WScript.Echo "****"
WScript.Echo "IP address           " & oData("ipAddress")
WScript.Echo "totalReports         " & oData("totalReports")
WScript.Echo "abuseConfidenceScore " & oData("abuseConfidenceScore")
WScript.Echo "lastReportedAt       " & oData("lastReportedAt")
WScript.Echo

For Each oReport In oData("reports")
    WScript.Echo "reportedAt " & oReport("reportedAt")
    For Each Category In oReport("categories")
        WScript.Echo "categories " & Category
    Next
    WScript.Echo
Next

WScript.Echo "****"

WScript.Quit 0

This is the layout of the JSON data...

Code: Select all

  {
    "data": {
      "ipAddress": "118.25.6.39",
      "isPublic": true,
      "ipVersion": 4,
      "isWhitelisted": false,
      "abuseConfidenceScore": 100,
      "countryCode": "CN",
      "countryName": "China",
      "usageType": "Data Center/Web Hosting/Transit",
      "isp": "Tencent Cloud Computing (Beijing) Co. Ltd",
      "domain": "tencent.com",
      "hostnames": [],
      "totalReports": 1,
      "numDistinctUsers": 1,
      "lastReportedAt": "2018-12-20T20:55:14+00:00",
      "reports": [
        {
          "reportedAt": "2018-12-20T20:55:14+00:00",
          "comment": "Dec 20 20:55:14 srv206 sshd[13937]: Invalid user oracle from 118.25.6.39",
          "categories": [
            18,
            22
          ],
          "reporterId": 1,
          "reporterCountryCode": "US",
          "reporterCountryName": "United States"
        }
      ]
    }
  }
  

[palinka]

Cool json, bro.