hMailserver hacked?

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
Post Reply
ffvvvv2
New user
New user
Posts: 22
Joined: 2008-05-27 19:26

hMailserver hacked?

Post by ffvvvv2 » 2020-05-04 09:19

Hello!
We are using hMailserver 4.4.2-B277.
It's too old, I know, but it works fine.
Last time we found a problem: someone
starts to send spam and phishing from our server.
But one starnge thing: spam sends fron one-two
of our accounts and I not see any data about
authorisation in logs.
In april, I found a IP-address of sender in file .eml
I create a IP-range with this IP, and I wrote
to provider of IP.
And now the attack repeated!
May be any ideas about settings of hMailserver?
Sorry for my BAD English!

User avatar
RvdH
Senior user
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailserver hacked?

Post by RvdH » 2020-05-04 09:27

  1. Can you post a piece of the SMTPD logfile were the attacker sends the mail(s)?
  2. run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
jimimaseye
Moderator
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: hMailserver hacked?

Post by jimimaseye » 2020-05-04 09:32

RvdH wrote:
2020-05-04 09:27
[*] run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
(I'm not sure the script will work completely with his hideously old version. This should be interesting.)
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
RvdH
Senior user
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailserver hacked?

Post by RvdH » 2020-05-04 09:36

jimimaseye wrote:
2020-05-04 09:32
RvdH wrote:
2020-05-04 09:27
[*] run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
(I'm not sure the script will work completely with his hideously old version. This should be interesting.)
lol, fingers crossed :mrgreen:
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

ffvvvv2
New user
New user
Posts: 22
Joined: 2008-05-27 19:26

Re: hMailserver hacked?

Post by ffvvvv2 » 2020-05-04 09:47

RvdH wrote:
2020-05-04 09:27
  1. Can you post a piece of the SMTPD logfile were the attacker sends the mail(s)?
  2. run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
"TCPIP" 5732 "2020-05-04 08:17:31.320" "Created accept socket 1472 on listening socket 1076"
"SMTPD" 5732 42119 "2020-05-04 08:17:31.320" "5.167.54.210" "SENT: 220 SOFT Corporation"
"SMTPD" 5732 42119 "2020-05-04 08:17:31.570" "5.167.54.210" "RECEIVED: HELO User"
"SMTPD" 5732 42119 "2020-05-04 08:17:31.570" "5.167.54.210" "SENT: 250 Hello."
"SMTPD" 5732 42119 "2020-05-04 08:17:31.820" "5.167.54.210" "RECEIVED: RSET"
"SMTPD" 5732 42119 "2020-05-04 08:17:31.820" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 5732 42119 "2020-05-04 08:17:32.054" "5.167.54.210" "RECEIVED: MAIL FROM:<nwo9@soft-corp.ru>"
"SMTPD" 5732 42119 "2020-05-04 08:17:32.070" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 5732 42119 "2020-05-04 08:17:32.320" "5.167.54.210" "RECEIVED: RCPT TO:<info@unbent.uk>"
"SMTPD" 5732 42119 "2020-05-04 08:17:32.320" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 5732 42119 "2020-05-04 08:17:32.570" "5.167.54.210" "RECEIVED: RCPT TO:<les2sc@yandex.com>"
"SMTPD" 5732 42119 "2020-05-04 08:17:32.570" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 5732 42119 "2020-05-04 08:17:32.820" "5.167.54.210" "RECEIVED: RCPT TO:<lescadding@gmail.com>"
"SMTPD" 5732 42119 "2020-05-04 08:17:32.820" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 5732 42119 "2020-05-04 08:17:33.085" "5.167.54.210" "RECEIVED: RCPT TO:<obitaxsony@gmail.com>"
"SMTPD" 5732 42119 "2020-05-04 08:17:33.085" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 5732 42119 "2020-05-04 08:17:33.351" "5.167.54.210" "RECEIVED: RCPT TO:<obitaxsony@hotmail.com>"
"SMTPD" 5732 42119 "2020-05-04 08:17:33.351" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 5732 42119 "2020-05-04 08:17:33.601" "5.167.54.210" "RECEIVED: RCPT TO:<obitaxsony@yahoo.com>"
"SMTPD" 5732 42119 "2020-05-04 08:17:33.601" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 5732 42119 "2020-05-04 08:17:33.867" "5.167.54.210" "RECEIVED: DATA"
"SMTPD" 5732 42119 "2020-05-04 08:17:33.867" "5.167.54.210" "SENT: 354 OK, send."
"SMTPD" 5732 42119 "2020-05-04 08:17:34.507" "5.167.54.210" "SENT: 250 Queued (0.593 seconds)"
"APPLICATION" 3044 "2020-05-04 08:17:34.507" "SMTPDeliverer - Message 11118588: Delivering message from nwo9@soft-corp.ru to info@unbent.uk, les2sc@yandex.com, lescadding@gmail.com, obitaxsony@gmail.com, obitaxsony@hotmail.com, obitaxsony@yahoo.com. File: C:\Program Files\hMailServer\Data\{3F1E4486-F92A-4595-9705-072DA7ACC40C}.eml"
"SMTPD" 5732 42119 "2020-05-04 08:17:34.773" "5.167.54.210" "RECEIVED: QUIT"
"SMTPD" 5732 42119 "2020-05-04 08:17:34.773" "5.167.54.210" "SENT: 221 goodbye"
"TCPIP" 5732 "2020-05-04 08:17:34.773" "Disconnecting socket 2144 for session 42119"

ffvvvv2
New user
New user
Posts: 22
Joined: 2008-05-27 19:26

Re: hMailserver hacked?

Post by ffvvvv2 » 2020-05-04 09:53

jimimaseye wrote:
2020-05-04 09:32
RvdH wrote:
2020-05-04 09:27
[*] run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914
(I'm not sure the script will work completely with his hideously old version. This should be interesting.)
Error in line 31

User avatar
RvdH
Senior user
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailserver hacked?

Post by RvdH » 2020-05-04 10:04

5.167.54.*** is you? (mail.soft-corp.ru)

I think you should require SMTP authentication for local to external on IP Range 5.167.54.*** immediately (if you have this ip configured as IP range)
Anything on mail.soft-corp.ru (5.167.54.***) now can send mail unauthenticated, so if you have system with malware behind 5.167.54.*** you are screwed
Basically you are an open relay for anything sending from 5.167.54.***.

I also suggest to do a full virus/malware scan on the system(s) behind 5.167.54.***
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
mattg
Moderator
Moderator
Posts: 21103
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailserver hacked?

Post by mattg » 2020-05-04 10:23

version from 2008 - wow!!!
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

ffvvvv2
New user
New user
Posts: 22
Joined: 2008-05-27 19:26

Re: hMailserver hacked?

Post by ffvvvv2 » 2020-05-04 11:17

> 5.167.54.*** is you? (mail.soft-corp.ru)

Yes, it's a external IP of our server

> I think you should require SMTP authentication for local to external on IP Range 5.167.54.*** immediately (if you have this ip configured as IP range)
> Anything on mail.soft-corp.ru (5.167.54.***) now can send mail unauthenticated, so if you have system with malware behind 5.167.54.*** you are screwed
> Basically you are an open relay for anything sending from 5.167.54.***.

> I also suggest to do a full virus/malware scan on the system(s) behind 5.167.54.***

I've attached files of ip ranges (there are another ranges).
Attachments
internet.JPG
5-167.JPG

ffvvvv2
New user
New user
Posts: 22
Joined: 2008-05-27 19:26

Re: hMailserver hacked?

Post by ffvvvv2 » 2020-05-04 11:23

Last attack was form ip 64.227.10.70 (I found this ip in .eml files).
May be, anyone mask ip-address?
May be anyone use ip rnage 127.0.0.1?

User avatar
RvdH
Senior user
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailserver hacked?

Post by RvdH » 2020-05-04 11:27

ffvvvv2 wrote:
2020-05-04 11:23
Last attack was form ip 64.227.10.70 (I found this ip in .eml files).
May be, anyone mask ip-address?
May be anyone use ip rnage 127.0.0.1?
I doubt that, probably you have a malware infection somewhere sending out spam using the 5.167.54.*** IP Range
In the 5.167.54.*** IP Range, under Require Authentication for deliveries at least check "To Remote account"

If the malware is smart enough they probably will know/find hte password in no time, but at least then you will know what account/system is compromised
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

ffvvvv2
New user
New user
Posts: 22
Joined: 2008-05-27 19:26

Re: hMailserver hacked?

Post by ffvvvv2 » 2020-05-04 11:43

RvdH wrote:
2020-05-04 11:27
ffvvvv2 wrote:
2020-05-04 11:23
Last attack was form ip 64.227.10.70 (I found this ip in .eml files).
May be, anyone mask ip-address?
May be anyone use ip rnage 127.0.0.1?
I doubt that, probably you have a malware infection somewhere sending out spam using the 5.167.54.*** IP Range
In the 5.167.54.*** IP Range, under Require Authentication for deliveries at least check "To Remote account"

If the malware is smart enough they probably will know/find hte password in no time, but at least then you will know what account/system is compromised
5.167.54.*** - it's our ip-address.
If malware using the 5.167.54.*** IP Range - that's mean malware from our server or from computer of LAN?
I'm sure - there no malware in our LAN.
Last attack was from ip 64.227.10.70 (found in e-mails) - this ip from another country.
Last attack stops after I create IP-range with this ip and without any permissions.

I'm change password of admin account, thanks for advice!

User avatar
RvdH
Senior user
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailserver hacked?

Post by RvdH » 2020-05-04 12:03

The log you posted here says the (offending) sending ip is 5.167.54.*** or you just pasted some log, but not the log i asked for
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

ffvvvv2
New user
New user
Posts: 22
Joined: 2008-05-27 19:26

Re: hMailserver hacked?

Post by ffvvvv2 » 2020-05-04 23:16

RvdH wrote:
2020-05-04 12:03
The log you posted here says the (offending) sending ip is 5.167.54.*** or you just pasted some log, but not the log i asked for
I'm not sure and I make a test.
From my ip 80.80.x.x I send mail from admin@soft-corp.ru to other address.
Below is smtp log (sorry, I enable debug logs):
But I can't find ip of sender (80.80.x.x)
I think, this version of HMS don't write sender's ip in logs.
Howewer, I see difference between two logs: in first log (malware) there are no authorization
=========================================================================================================================================
"DEBUG" 4332 "2020-05-04 23:48:57.431" "Socket::~Socket(ID: 45787)"
"TCPIP" 4332 "2020-05-04 23:49:35.119" "Created accept socket 2168 on listening socket 1076"
"DEBUG" 4332 "2020-05-04 23:49:35.119" "Socket::Socket(ID: 45788)"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.119" "5.167.54.210" "SENT: 220 SOFT Corporation"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.150" "5.167.54.210" "RECEIVED: EHLO [192.168.1.9]"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.150" "5.167.54.210" "SENT: 250-hmailserver[nl]250-SIZE 51200000[nl]250 AUTH LOGIN PLAIN"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.197" "5.167.54.210" "RECEIVED: AUTH PLAIN .......
"SMTPD" 4332 45788 "2020-05-04 23:49:35.197" "5.167.54.210" "SENT: 235 authenticated."
"SMTPD" 4332 45788 "2020-05-04 23:49:35.228" "5.167.54.210" "RECEIVED: MAIL FROM:<admin@soft-corp.ru> SIZE=422"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.244" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.275" "5.167.54.210" "RECEIVED: RCPT TO:<ffvvvv@mail.ru>"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.275" "5.167.54.210" "SENT: 250 OK"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.306" "5.167.54.210" "RECEIVED: DATA"
"DEBUG" 4332 "2020-05-04 23:49:35.322" "TransparentTransmissionBuffer::Initialize()"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.322" "5.167.54.210" "SENT: 354 OK, send."
"DEBUG" 4332 "2020-05-04 23:49:35.353" "ScriptServer:FireEvent"
"DEBUG" 4332 "2020-05-04 23:49:35.369" "ScriptServer:~FireEvent"
"DEBUG" 4332 "2020-05-04 23:49:35.369" "PMADO:SaveObject()"
"DEBUG" 4332 "2020-05-04 23:49:35.369" "Adding message to database. File: C:\Program Files\hMailServer\Data\{22F27D21-F448-4901-8EBE-1FD9DC13E8B8}.eml"
"DEBUG" 4332 "2020-05-04 23:49:35.369" "PMADO:~SaveObject()"
"DEBUG" 4332 "2020-05-04 23:49:35.369" "Message added. File: C:\Program Files\hMailServer\Data\{22F27D21-F448-4901-8EBE-1FD9DC13E8B8}.eml"
"DEBUG" 4332 "2020-05-04 23:49:35.369" "Application::SubmitPendingEmail()"
"DEBUG" 4332 "2020-05-04 23:49:35.369" "Application::~SubmitPendingEmail()"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.369" "5.167.54.210" "SENT: 250 Queued (0.032 seconds)"
"DEBUG" 3044 "2020-05-04 23:49:35.384" "SD::DeliverMessage"
"APPLICATION" 3044 "2020-05-04 23:49:35.384" "SMTPDeliverer - Message 11119236: Delivering message from admin@soft-corp.ru to ffvvvv@mail.ru. File: C:\Program Files\hMailServer\Data\{22F27D21-F448-4901-8EBE-1FD9DC13E8B8}.eml"
"DEBUG" 3044 "2020-05-04 23:49:35.384" "CustomVirusScanner::Scan()"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.447" "5.167.54.210" "RECEIVED: QUIT"
"SMTPD" 4332 45788 "2020-05-04 23:49:35.447" "5.167.54.210" "SENT: 221 goodbye"
"TCPIP" 4332 "2020-05-04 23:49:35.447" "Disconnecting socket 1956 for session 45788"
"DEBUG" 4332 "2020-05-04 23:49:35.447" "Socket::~Socket(ID: 45788)"
"DEBUG" 3044 "2020-05-04 23:49:35.572" "CustomVirusScanner::Scan() - C:\clamav\clamdscan.exe --config-file=C:\clamav\clamd.conf "C:\Program Files\hMailServer\Data\{22F27D21-F448-4901-8EBE-1FD9DC13E8B8}.eml" - Returned 0"
"DEBUG" 3044 "2020-05-04 23:49:35.572" "CustomVirusScanner::~Scan()"
"DEBUG" 3044 "2020-05-04 23:49:35.572" "RuleApplier::ApplyRules"
"DEBUG" 3044 "2020-05-04 23:49:35.572" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.572" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.572" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.572" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.587" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.603" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.619" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.634" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.650" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.665" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.681" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.697" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.712" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.728" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.744" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.759" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.775" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.790" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.806" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::~_ApplyRule"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "RuleApplier::~ApplyRules"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "SD::_DeliverToLocalAccounts"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "SD::~_DeliverToLocalAccounts"
"DEBUG" 3044 "2020-05-04 23:49:35.822" "SD::_DeliverToExternalAccounts"
"TCPIP" 3044 "2020-05-04 23:49:35.837" "DNS - MX Lookup: mail.ru"
"TCPIP" 3044 "2020-05-04 23:49:35.900" "DNS - MX Result: 2 IP addresses were found."
"DEBUG" 3044 "2020-05-04 23:49:35.900" "SD::_InitiateExternalConnection"
"DEBUG" 3044 "2020-05-04 23:49:35.900" "Socket::Socket(ID: 45789)"
"DEBUG" 4332 "2020-05-04 23:49:35.947" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4332 45789 "2020-05-04 23:49:35.947" "94.100.180.31" "RECEIVED: 220 mxs.mail.ru ESMTP ready "
"SMTPC" 4332 45789 "2020-05-04 23:49:35.947" "94.100.180.31" "SENT: HELO mail.soft-corp.ru"
"DEBUG" 4332 "2020-05-04 23:49:35.947" "SMTPClientConnection::~_ParseASCII() - 2"
"DEBUG" 4332 "2020-05-04 23:49:35.962" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4332 45789 "2020-05-04 23:49:35.962" "94.100.180.31" "RECEIVED: 250 mxs.mail.ru"
"SMTPC" 4332 45789 "2020-05-04 23:49:35.962" "94.100.180.31" "SENT: MAIL FROM:<admin@soft-corp.ru>"
"DEBUG" 4332 "2020-05-04 23:49:35.962" "SMTPClientConnection::~_ParseASCII() - 4"
"DEBUG" 4332 "2020-05-04 23:49:35.994" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4332 45789 "2020-05-04 23:49:35.994" "94.100.180.31" "RECEIVED: 250 2.0.0 OK"
"DEBUG" 4332 "2020-05-04 23:49:35.994" "SMTPClientConnection::~_ParseASCII() - 6"
"SMTPC" 4332 45789 "2020-05-04 23:49:35.994" "94.100.180.31" "SENT: RCPT TO:<ffvvvv@mail.ru>"
"DEBUG" 4332 "2020-05-04 23:49:36.009" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4332 45789 "2020-05-04 23:49:36.009" "94.100.180.31" "RECEIVED: 250 Go ahead"
"SMTPC" 4332 45789 "2020-05-04 23:49:36.009" "94.100.180.31" "SENT: DATA"
"DEBUG" 4332 "2020-05-04 23:49:36.009" "SMTPClientConnection::~_ParseASCII() - 7"
"DEBUG" 4332 "2020-05-04 23:49:36.040" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4332 45789 "2020-05-04 23:49:36.040" "94.100.180.31" "RECEIVED: 354 Go ahead. End your data with <CR><LF>.<CR><LF>"
"DEBUG" 4332 "2020-05-04 23:49:36.040" "SocketConnection::SendFileContents()"
"DEBUG" 4332 "2020-05-04 23:49:36.040" "TransparentTransmissionBuffer::Initialize()"
"DEBUG" 4332 "2020-05-04 23:49:36.040" "SocketConnection::SendFileContents() - E2"
"SMTPC" 4332 45789 "2020-05-04 23:49:36.040" "94.100.180.31" "SENT: [nl]."
"DEBUG" 4332 "2020-05-04 23:49:36.040" "SMTPClientConnection::~_ParseASCII() - 8"
"DEBUG" 4332 "2020-05-04 23:49:36.306" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4332 45789 "2020-05-04 23:49:36.306" "94.100.180.31" "RECEIVED: 250 OK id=1jVi1w-00041V-3A"
"SMTPC" 4332 45789 "2020-05-04 23:49:36.306" "94.100.180.31" "SENT: QUIT"
"DEBUG" 4332 "2020-05-04 23:49:36.306" "SMTPClientConnection::~_ParseASCII() - 9"
"DEBUG" 4332 "2020-05-04 23:49:36.337" "SMTPClientConnection::_ParseASCII()"
"SMTPC" 4332 45789 "2020-05-04 23:49:36.337" "94.100.180.31" "RECEIVED: 221 OK, bye"
"TCPIP" 4332 "2020-05-04 23:49:36.337" "Disconnecting socket 1448 for session 45789"
"DEBUG" 4332 "2020-05-04 23:49:36.337" "Socket::~Socket(ID: 45789)"
"DEBUG" 3044 "2020-05-04 23:49:36.337" "SD::~_InitiateExternalConnection-5"
"DEBUG" 3044 "2020-05-04 23:49:36.337" "SD::~_DeliverToExternalAccounts-1"
"DEBUG" 3044 "2020-05-04 23:49:36.337" "SD::_CollectDeliveryResult"
"DEBUG" 3044 "2020-05-04 23:49:36.337" "AWStats::LogDeliverySuccess"
"DEBUG" 3044 "2020-05-04 23:49:36.337" "SD::~_CollectDeliveryResult"
"APPLICATION" 3044 "2020-05-04 23:49:36.337" "SMTPDeliverer - Message 11119236: Message delivery thread completed."

User avatar
RvdH
Senior user
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailserver hacked?

Post by RvdH » 2020-05-05 00:24

RvdH wrote:
2020-05-04 11:27
In the 5.167.54.*** IP Range, under Require Authentication for deliveries at least check "To Remote account"
Did you change this step? That way you always require a account password, so unauthenticated mail can not be send
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
RvdH
Senior user
Senior user
Posts: 1136
Joined: 2008-06-27 14:42
Location: Netherlands

Re: hMailserver hacked?

Post by RvdH » 2020-05-05 00:58

And whatsup with all those rules? Geez, this realy scared the crap out of me :shock:
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

User avatar
SorenR
Senior user
Senior user
Posts: 3818
Joined: 2006-08-21 15:38
Location: Denmark

Re: hMailserver hacked?

Post by SorenR » 2020-05-05 01:38

RvdH wrote:
2020-05-05 00:58
And whatsup with all those rules? Geez, this realy scared the crap out of me :shock:
Rule loop count ??
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

User avatar
mattg
Moderator
Moderator
Posts: 21103
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: hMailserver hacked?

Post by mattg » 2020-05-05 01:51

ffvvvv2 wrote:
2020-05-04 23:16
I'm not sure and I make a test.
From my ip 80.80.x.x I send mail from admin@soft-corp.ru to other address.
Below is smtp log (sorry, I enable debug logs):
But I can't find ip of sender (80.80.x.x)
I think, this version of HMS don't write sender's ip in logs.
hMailserver ALWAYS writes the IP of which ever device is connecting...

I'm assuming that your router is getting in the middle, and therefore all connections to your hmailserver come from your router - ALL THE MORE reason to require AUTH from that IP.

IS there a reason that you don't update to a newer version of hMailserver?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Post Reply