Up until last weekend I was hit by mails from e.g. "magnetophoneg.datinginformer2.ru". The common theme in the HELO was "(*.datinginformer(**.ru", where (* is almost a real word and (** is a number; this was also the [From:] domain in the mails.
There was a small deviation from the above where the HELO would be just "(*" and match part of the [From:] domain.
"171.207.237.145" "SENT: 220 mx.acme.inc ESMTP"
"171.207.237.145" "RECEIVED: HELO magnetophoneg.datinginformer2.ru"
"171.207.237.145" "SENT: 250 Hello."
"171.207.237.145" "RECEIVED: MAIL FROM:<bedmakerp@magnetophoneg.datinginformer2.ru>"
"171.207.237.145" "SENT: 250 OK"
"171.207.237.145" "RECEIVED: RCPT TO:<xyz@acme.inc>"
"171.207.237.145" "SENT: 451 Please try again later."
"171.207.237.145" "RECEIVED: QUIT"
"171.207.237.145" "SENT: 221 goodbye"
"84.215.146.232" "SENT: 220 mx.acme.inc ESMTP"
"84.215.146.232" "RECEIVED: HELO invalidishw"
"84.215.146.232" "SENT: 250 Hello."
"84.215.146.232" "RECEIVED: MAIL FROM:<bearabley@invalidishw.datinginformer2.ru>"
"84.215.146.232" "SENT: 250 OK"
"84.215.146.232" "RECEIVED: RCPT TO:<xyz@acme.inc>"
"84.215.146.232" "SENT: 451 Please try again later."
"84.215.146.232" "RECEIVED: QUIT"
"84.215.146.232" "SENT: 221 goodbye"
"171.248.203.30" "SENT: 220 mx.acme.inc ESMTP"
"171.248.203.30" "RECEIVED: EHLO vnnic.net.vn"
"171.248.203.30" "SENT: 250-mx.acme.inc[nl]250 SIZE"
"171.248.203.30" "RECEIVED: MAIL From:<zutuzje@vnnic.net.vn>"
"171.248.203.30" "SENT: 250 OK"
"171.248.203.30" "RECEIVED: RCPT To:<xyz@acme.inc>"
"171.248.203.30" "SENT: 451 Please try again later."
"118.161.240.104" "SENT: 220 mx.acme.inc ESMTP"
"118.161.240.104" "RECEIVED: HELO 87.58.176.150"
"118.161.240.104" "SENT: 250 Hello."
"118.161.240.104" "RECEIVED: MAIL FROM: <z2007tw@yahoo.com.tw>"
"118.161.240.104" "SENT: 250 OK"
"118.161.240.104" "RECEIVED: RCPT TO: <gk49fawn@yahoo.com.tw>"
"118.161.240.104" "SENT: 550 Delivery is not allowed to this address."
"118.101.61.187" "SENT: 220 mx.acme.inc ESMTP"
"118.101.61.187" "RECEIVED: HELO foragersx"
"118.101.61.187" "SENT: 250 Hello."
"118.101.61.187" "RECEIVED: MAIL FROM:<scrutablet@foragersx.newmsgforyou4.net>"
"118.101.61.187" "SENT: 250 OK"
"118.101.61.187" "RECEIVED: RCPT TO:<xyz@acme.inc>"
"118.101.61.187" "SENT: 451 4.7.1 Service unavailable - try again later."
"118.101.61.187" "RECEIVED: QUIT"
"118.101.61.187" "SENT: 221 goodbye"
#####
You may notice some changes in my logs - it's a work in progress, currently on version 5.4.2.
I have added a trigger "Sub OnHELO(oClient)" which is called right after HELO/EHLO is received from the sender; it should help me clean up my logfiles.

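Sub AutoBan(sIPAddress, sReason, iDuration, sType)
    ' Adds a single-address SecurityRange for sIPAddress that expires
    ' iDuration units of sType (a DateAdd interval string, "ww" = weeks in
    ' every caller on this page) from now, then writes one line to the
    ' hMailServer event log.
    ' sReason is the client-supplied HELO string in every caller on this page,
    ' i.e. untrusted text: double quotes, line breaks and tabs are neutralised
    ' before it is stored in the range name and the log line, so the remote
    ' side cannot break the "ip"<tab>"reason" log format.
    ' #ADMIN# / #PASSWD# are placeholders the author substituted for the real
    ' administrator credentials.
    Dim sSafeReason
    sSafeReason = Replace(sReason, Chr(34), "'")
    sSafeReason = Replace(sSafeReason, vbCr, " ")
    sSafeReason = Replace(sSafeReason, vbLf, " ")
    sSafeReason = Replace(sSafeReason, vbTab, " ")
    Dim oApp
    Set oApp = CreateObject("hMailServer.Application")
    Call oApp.Authenticate( #ADMIN# , #PASSWD# )
    With oApp.Settings.SecurityRanges.Add
        .Name = "(" & sSafeReason & ") " & sIPAddress
        ' Lower = Upper: the range covers exactly this one address.
        .LowerIP = sIPAddress
        .UpperIP = sIPAddress
        .Priority = 20
        .Expires = True
        .ExpiresTime = DateAdd(sType, iDuration, Now())
        ' NOTE(review): no connection-permission properties are set on the range,
        ' so it relies on the defaults of a freshly added SecurityRange — confirm
        ' those defaults actually block SMTP from the address.
        .Save
    End With
    Set oApp = Nothing
    EventLog.Write(sIPAddress & Chr(34) & vbTab & Chr(34) & sSafeReason)
End Sub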
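Sub OnHELO(oClient)
    ' Author-added trigger (custom build, see the post above) called right
    ' after HELO/EHLO is received. Bans the connecting IP for one week when
    ' the HELO string matches one of the patterns seen in the logs above.
    ' Clients whose address starts with 192.168.0 are never banned.
    If (Left(oClient.IPAddress, 9) = "192.168.0") Then Exit Sub
    ' Match case-insensitively: InStr and Right compare bytes by default, so
    ' a HELO like "DatingInformer2.ru" would otherwise slip past every rule.
    Dim sHelo : sHelo = LCase(oClient.HELO)
    Dim BanIP : BanIP = False
    ' Bare IP literal seen in the logs above.
    If sHelo = "87.58.176.150" Then BanIP = True
    If (InStr(sHelo, "datinginformer") > 0) Then BanIP = True
    If (InStr(sHelo, "newmsgforyou") > 0) Then BanIP = True
    ' No dot at all: not a fully-qualified name (also catches an empty HELO).
    If (InStr(sHelo, ".") = 0) Then BanIP = True
    If (Right(sHelo, 3) = ".vn") Then BanIP = True
    ' The original (not lower-cased) HELO is passed on as the ban reason so the
    ' log keeps what the client actually sent.
    If BanIP Then Call AutoBan(oClient.IPAddress, oClient.HELO, 1, "ww")
End Sub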
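Sub OnSMTPData(oClient, oMessage)
    ' hMailServer OnSMTPData event: bans the connecting IP for one week when
    ' the sender address (oMessage.FromAddress) belongs to one of the spam
    ' domains seen in the logs above.
    ' Same exemption as OnHELO, so a local client relaying such a message
    ' cannot get a 192.168.0.x address banned.
    If (Left(oClient.IPAddress, 9) = "192.168.0") Then Exit Sub
    ' Case-insensitive match; InStr compares bytes by default.
    Dim sFrom : sFrom = LCase(oMessage.FromAddress)
    ' ElseIf so an address matching both patterns creates one range, not two.
    If (InStr(sFrom, "datinginformer") > 0) Then
        Call AutoBan(oClient.IPAddress, oClient.HELO, 1, "ww")
    ElseIf (InStr(sFrom, "newmsgforyou") > 0) Then
        Call AutoBan(oClient.IPAddress, oClient.HELO, 1, "ww")
    End If
End Sub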