Multiple China IPs Appeared in Log

thomas10
Normal user
Posts: 91
Joined: 2013-10-30 03:13

Multiple China IPs Appeared in Log

Post by thomas10 » 2021-05-18 06:24

Hi Guys,

When I checked the hMail log, I found that there are a lot of IPs from China that have been trying over and over again and ending up with authentication failed. Each IP keeps sending for around 20 minutes. I have tried to block those IPs, but the IPs keep changing and trying, which has resulted in my log file becoming very big.
I have:-
- Tried turning on greylisting, but still the same issue.
- Blocking IPs under IP Range can block the encountered IPs but not the new ones, meaning I need to block over and over again.

Currently I have found that the IPs start with 114.x.x.x, 117.x.x.x, 180.x.x.x, 49.x.x.x, 58.x.x.x

Is there any way to tackle this issue? We have colleagues and customers in China, so blocking the entire range doesn't seem to be a good choice.
Below is a sample from one of the IPs that was trying from 12.04am till 12.24am. The log between these times is very long too, so I have cropped it to only some part.
Your reply is appreciated.

Code:

"TCPIP"	1432	"2021-05-18 00:04:46.660"	"TCP - 49.75.214.30 connected to {Edited}"
"SMTPD"	1432	101002	"2021-05-18 00:04:46.660"	"49.75.214.30"	"SENT: 220 {Edited}"
"SMTPD"	3044	101002	"2021-05-18 00:04:46.863"	"49.75.214.30"	"RECEIVED: EHLO jddif"
"SMTPD"	3044	101002	"2021-05-18 00:04:46.863"	"49.75.214.30"	"SENT: {Edited} [nl]250-SIZE[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	4540	101002	"2021-05-18 00:04:47.097"	"49.75.214.30"	"RECEIVED: AUTH LOGIN"
"SMTPD"	4540	101002	"2021-05-18 00:04:47.097"	"49.75.214.30"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	3900	101002	"2021-05-18 00:04:47.331"	"49.75.214.30"	"RECEIVED: Y2hlbndlaQ=="
"SMTPD"	3900	101002	"2021-05-18 00:04:47.331"	"49.75.214.30"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	3044	101002	"2021-05-18 00:04:47.970"	"49.75.214.30"	"RECEIVED: ***"
"SMTPD"	3044	101002	"2021-05-18 00:04:47.970"	"49.75.214.30"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	4540	101002	"2021-05-18 00:04:48.189"	"49.75.214.30"	"RECEIVED: EHLO nkzhz"
"SMTPD"	4540	101002	"2021-05-18 00:04:48.189"	"49.75.214.30"	"SENT: {Edited} [nl]250-SIZE[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	3900	101002	"2021-05-18 00:04:48.423"	"49.75.214.30"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3900	101002	"2021-05-18 00:04:48.423"	"49.75.214.30"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	3044	101002	"2021-05-18 00:04:48.657"	"49.75.214.30"	"RECEIVED: Y2hlbndlaQ=="
"SMTPD"	3044	101002	"2021-05-18 00:04:48.657"	"49.75.214.30"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1432	101002	"2021-05-18 00:04:48.891"	"49.75.214.30"	"RECEIVED: ***"
"SMTPD"	1432	101002	"2021-05-18 00:04:48.891"	"49.75.214.30"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	3900	101002	"2021-05-18 00:04:49.671"	"49.75.214.30"	"RECEIVED: EHLO tndsj"
"SMTPD"	3900	101002	"2021-05-18 00:04:49.671"	"49.75.214.30"	"SENT: {Edited} [nl]250-SIZE[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	3044	101002	"2021-05-18 00:04:49.905"	"49.75.214.30"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3044	101002	"2021-05-18 00:04:49.905"	"49.75.214.30"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	1432	101002	"2021-05-18 00:04:50.139"	"49.75.214.30"	"RECEIVED: Y2hlbndlaQ=="
"SMTPD"	1432	101002	"2021-05-18 00:04:50.139"	"49.75.214.30"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	3900	101002	"2021-05-18 00:04:50.357"	"49.75.214.30"	"RECEIVED: ***"
"SMTPD"	3900	101002	"2021-05-18 00:04:50.357"	"49.75.214.30"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1432	101002	"2021-05-18 00:04:50.576"	"49.75.214.30"	"RECEIVED: EHLO vieyv"
"SMTPD"	1432	101002	"2021-05-18 00:04:50.576"	"49.75.214.30"	"SENT: {Edited}[nl]250-SIZE[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	1432	101002	"2021-05-18 00:04:50.778"	"49.75.214.30"	"RECEIVED: AUTH LOGIN"
"SMTPD"	1432	101002	"2021-05-18 00:04:50.778"	"49.75.214.30"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	4540	101002	"2021-05-18 00:04:51.012"	"49.75.214.30"	"RECEIVED: Y2hlbndlaQ=="
"SMTPD"	4540	101002	"2021-05-18 00:04:51.012"	"49.75.214.30"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	3900	101002	"2021-05-18 00:04:51.215"	"49.75.214.30"	"RECEIVED: ***"
"SMTPD"	3900	101002	"2021-05-18 00:04:51.215"	"49.75.214.30"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1432	101002	"2021-05-18 00:04:51.418"	"49.75.214.30"	"RECEIVED: EHLO jdwxw"
"SMTPD"	1432	101002	"2021-05-18 00:04:51.418"	"49.75.214.30"	"SENT: {Edited} [nl]250-SIZE[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	4540	101002	"2021-05-18 00:04:51.652"	"49.75.214.30"	"RECEIVED: AUTH LOGIN"
"SMTPD"	4540	101002	"2021-05-18 00:04:51.652"	"49.75.214.30"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	3900	101002	"2021-05-18 00:04:51.886"	"49.75.214.30"	"RECEIVED: Y2hlbndlaQ=="
"SMTPD"	3900	101002	"2021-05-18 00:04:51.886"	"49.75.214.30"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	1432	101002	"2021-05-18 00:04:52.089"	"49.75.214.30"	"RECEIVED: ***"
"SMTPD"	1432	101002	"2021-05-18 00:04:52.104"	"49.75.214.30"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	4540	101002	"2021-05-18 00:04:52.822"	"49.75.214.30"	"RECEIVED: EHLO oygda"
"SMTPD"	4540	101002	"2021-05-18 00:04:52.822"	"49.75.214.30"	"SENT: {Edited} [nl]250-SIZE[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	3900	101002	"2021-05-18 00:04:53.025"	"49.75.214.30"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3900	101002	"2021-05-18 00:04:53.025"	"49.75.214.30"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	3044	101002	"2021-05-18 00:04:53.259"	"49.75.214.30"	"RECEIVED: Y2hlbndlaQ=="
"SMTPD"	3044	101002	"2021-05-18 00:04:53.274"	"49.75.214.30"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	3900	101002	"2021-05-18 00:04:53.493"	"49.75.214.30"	"RECEIVED: ***"
"SMTPD"	3900	101002	"2021-05-18 00:04:53.493"	"49.75.214.30"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	1432	101002	"2021-05-18 00:04:53.680"	"49.75.214.30"	"RECEIVED: EHLO ixgqo"
"SMTPD"	1432	101002	"2021-05-18 00:04:53.680"	"49.75.214.30"	"SENT: {Edited} [nl]250-SIZE[nl]250-AUTH LOGIN PLAIN[nl]250 HELP"
"SMTPD"	3044	101002	"2021-05-18 00:04:53.883"	"49.75.214.30"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3044	101002	"2021-05-18 00:04:53.883"	"49.75.214.30"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	3044	101002	"2021-05-18 00:04:54.101"	"49.75.214.30"	"RECEIVED: Y2hlbndlaQ=="
"SMTPD"	3044	101002	"2021-05-18 00:04:54.101"	"49.75.214.30"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	3900	101002	"2021-05-18 00:04:54.351"	"49.75.214.30"	"RECEIVED: ***"
"SMTPD"	3900	101002	"2021-05-18 00:04:54.351"	"49.75.214.30"	"SENT: 535 Authentication failed. Restarting authentication process."
"SMTPD"	3044	101002	"2021-05-18 00:04:54.569"	"49.75.214.30"	"RECEIVED: EHLO axrml"
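As an added example (not hMailServer's code and not from this post), here is a small Python detector for the pattern shown in the log above: it parses hMailServer's tab-separated SMTPD lines, decodes the 334 AUTH LOGIN challenges, and flags any source that reaches a threshold of 535 replies inside a time window, which is the same per-IP counting that an autoban or invalid-command limit performs. The sample lines are constructed; the IP and message texts are taken from the excerpt above, and 192.0.2.10 is a made-up legitimate user who mistyped a password once.

```python
import base64
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in hMailServer's tab-separated layout: 49.75.214.30 and its
# 334/535 messages mirror the posted excerpt; 192.0.2.10 is a made-up legitimate user.
SAMPLE_LOG = [
    '"TCPIP"\t1432\t"2021-05-18 00:04:46.660"\t"TCP - 49.75.214.30 connected to {Edited}"',
    '"SMTPD"\t4540\t101002\t"2021-05-18 00:04:47.097"\t"49.75.214.30"\t"SENT: 334 VXNlcm5hbWU6"',
    '"SMTPD"\t3900\t101002\t"2021-05-18 00:04:47.331"\t"49.75.214.30"\t"SENT: 334 UGFzc3dvcmQ6"',
    '"SMTPD"\t3044\t101002\t"2021-05-18 00:04:47.970"\t"49.75.214.30"\t"SENT: 535 Authentication failed. Restarting authentication process."',
    '"SMTPD"\t1432\t101002\t"2021-05-18 00:04:48.891"\t"49.75.214.30"\t"SENT: 535 Authentication failed. Restarting authentication process."',
    '"SMTPD"\t2222\t101003\t"2021-05-18 00:04:49.100"\t"192.0.2.10"\t"SENT: 535 Authentication failed. Restarting authentication process."',
    '"SMTPD"\t3900\t101002\t"2021-05-18 00:04:50.357"\t"49.75.214.30"\t"SENT: 535 Authentication failed. Restarting authentication process."',
]

def parse_line(line):
    """Split one log line into ts/ip/msg; non-SMTPD records (e.g. TCPIP) give None."""
    fields = next(csv.reader([line], delimiter="\t"))
    if len(fields) != 6 or fields[0] != "SMTPD":
        return None
    return {"ts": datetime.strptime(fields[3], "%Y-%m-%d %H:%M:%S.%f"),
            "ip": fields[4], "msg": fields[5]}

def decode_challenge(msg):
    """Decode a '334 <base64>' server challenge, i.e. the AUTH LOGIN prompts."""
    code, _, payload = msg.replace("SENT: ", "", 1).partition(" ")
    if code != "334":
        return None
    return base64.b64decode(payload).decode("ascii")

def failed_auth_sources(lines, threshold=3, window=timedelta(minutes=5)):
    """Return {ip: peak_failures} for IPs that reach `threshold` 535 replies
    within any `window`; a user who mistypes once never gets there."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["msg"].startswith("SENT: 535"):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, n in failed_auth_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} failed AUTH attempts in window -> candidate for autoban")
```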


mattg
Moderator
Posts: 21532
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Multiple China IPs Appeared in Log

Post by mattg » 2021-05-18 06:59

A few things

#1 That is hMailserver doing its job (rejecting malicious attempts)
#2 turn your SMTP >> maximum number of invalid commands down to 3
#3 don't assume that all IPs that match what you say are from China or are malicious. One of my IPs would match that list

You could also turn off AUTH for port 25, if you can get all of your users to submit mail via port 587 or 465, and just leave port 25 for receiving outside mail to your server
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

thomas10
Normal user
Posts: 91
Joined: 2013-10-30 03:13

Re: Multiple China IPs Appeared in Log

Post by thomas10 » 2021-05-18 08:22

mattg wrote:
2021-05-18 06:59
A few things

#1 That is hMailserver doing its job (rejecting malicious attempts)
#2 turn your SMTP >> maximum number of invalid commands down to 3
#3 don't assume that all IPs that match what you say are from China or are malicious. One of my IPs would match that list

You could also turn off AUTH for port 25, if you can get all of your users to submit mail via port 587 or 465, and just leave port 25 for receiving outside mail to your server
Hi Matt,

Lovely, the max number of invalid commands was greyed out because "Disconnect client after too many invalid commands" is unticked. Perhaps I will try that.
Another question: what do you think about the autoban feature? Yes, this will ban a certain IP that has too many invalid logon attempts, but is it possible to ban the IP of a genuine email, meaning a false positive? :oops:

jimimaseye
Moderator
Posts: 9183
Joined: 2011-09-08 17:48

Re: Multiple China IPs Appeared in Log

Post by jimimaseye » 2021-05-18 08:43

thomas10 wrote:
2021-05-18 08:22
But is it possible to ban the IP of a genuine email, meaning a false positive?
No... unless you are trying to set up an email client as new and have forgotten the password (a highly unlikely situation), or you use a webmail service and haven't set the IP range correctly. https://www.hmailserver.com/documentati ... ce_autoban

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

thomas10
Normal user
Posts: 91
Joined: 2013-10-30 03:13

Re: Multiple China IPs Appeared in Log

Post by thomas10 » 2021-05-19 03:44

jimimaseye wrote:
2021-05-18 08:43
thomas10 wrote:
2021-05-18 08:22
But is it possible to ban the IP of a genuine email, meaning a false positive?
No... unless you are trying to set up an email client as new and have forgotten the password (a highly unlikely situation), or you use a webmail service and haven't set the IP range correctly. https://www.hmailserver.com/documentati ... ce_autoban

[Entered by mobile. Excuse my spelling.]
OK. I will try "Disconnect client after too many invalid commands" & "Maximum number of invalid commands" first. For this part, if the client is disconnected after too many invalid commands, how long will it be disconnected for? Because I don't see any timer stated there. :oops:

jimimaseye
Moderator
Posts: 9183
Joined: 2011-09-08 17:48

Re: Multiple China IPs Appeared in Log

Post by jimimaseye » 2021-05-19 08:45

Read the link.
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

vidiot
New user
Posts: 9
Joined: 2015-03-16 21:18

Re: Multiple China IPs Appeared in Log

Post by vidiot » 2021-05-19 20:20

You may be interested in this script: viewtopic.php?f=7&t=33447&p=208961&hili ... AN#p208961

I've run it for years, and it is effective. Eventually, on Win2012R2 at least, the firewall scope will fill up and you'll need to add another rule, but that's a small price to pay!
