hMailServer forum

RvdH

User-submitted tutorials

RvdH

https://spamassassin.apache.org/news.html

RvdH

RvdH

SorenR wrote: You have a problem with the "disconnect.exe"...

Windows smartscreen filter? Tried to see if it's blocked?

the source of disconnect is pasted here, it doesn't take any other parameters as IP1 [IP2 [IP3 [IPn]]]

RvdH

palinka wrote: ↑
2020-01-30 18:21
RvdH wrote: ↑
2020-01-30 17:02
Can you pm the source to me so i could have a look?

I am a bit surprised to see 16 matches and lookups, especially because a hardcoded limit of 15 is defined in the code
Code: Select all
const int maxURLsToProcess = 15;
0-15 = 16 iterations.

RvdH

Can you pm the source to me so i could have a look?

I am a bit surprised to see 16 matches and lookups, especially because a hardcoded limit of 15 is defined in the code

Code: Select all

const int maxURLsToProcess = 15;

RvdH

@RvdH I updated hmailServer almost the same email came again without ")". "DEBUG" 1116 "2020-01-30 13:22:53.636" "SURBL: Execute" "DEBUG" 1116 "2020-01-30 13:22:53.636" "SURBL: Found URL: webbdagarna.se" "DEBUG" 1116 "2020-01-30 13:22:53.636" "SURBL: Found URL: trippus.se" "DEBUG" 1116 "2020-01-30 ...

RvdH

@tunis

If your signature is right you are still using 5.6.x, right?
I have a 5.6.8-B2494.24 build (at the usual place) using the above regex if you like to give it a test run

RvdH

Please stay on topic, this post is about SURBL url detection I think the 'best' regex i have come up and tested is: (?:(?>https?)?(?>:\/\/|\%3A\%2F\%2F))(?:www\.)?([a-z0-9\-\.\=\r\n]+) To have a perfect regex seems impossible, as the are so many possibilities with formatting, encoding, line-breaks i...

RvdH

Base64 Encoded maybe?

This regex ain't never gonna be 100% i think, to much quirks

RvdH

This regex thingy is keeping me awake :) Instead of defining every character that is NOT allowed, like: (?:https?:\/\/)(?:[^@\s]+@)?(?:www\.)?([^\?:#<>\s{}[\]()\/\\'\"]+) https://regexr.com/4t4u3 Wouldn't it be easier to specify what characters are allowed? (eg: alphanumeric, dot and dash) (?:https?...

RvdH

I checked the email and all links are like this one. href="https://dmd.idg.se/x/c/?LU.RbsMgDPyVvtCnqQ0hbMokq2q3L1gf9jgRQAldDJEDivb1DLLJtnQn_3w6DbLNCB3vmz7PILnseSbgont_EXmCKcZlfT2ft207kR3srLwZHJmTDnhJEb90WmNAJm.bwuT7v.BJtsd9qXBRbvTwaYfBqFGRV6xt7jHo7ynMWHAtVlvcH6kA.1Mv1vhgb4JdO.KBCndlFgojKUQb999rSKQt...

RvdH

OK, as it seems BOOST needs some weird extra escaping But i would say, using a regex like: (?:https?:\\/\\/)([^\\?&><\\[\$#\\\\ \\\"'\\/\$\\]]*) would solve the issues, see example here: https://regexr.com/4t4ap Could the X-Spam-Report (bad) formatting also be caused by a malformed regex? It appe...

RvdH

OK, as it seems BOOST needs some weird extra escaping

But i would say, using a regex like: (?:https?:\\/\\/)([^\\?&><\\[\$#\\\\ \\\"'\\/\$\\]]*) would solve the issues, see example here: https://regexr.com/4t4ap

RvdH

What HMS version?

I think te regex used to detect URL's for SURBL checking is faulty,
https://github.com/hmailserver/hmailser ... BL.cpp#L43

Or does BOOST use some weird/custom regex?

RvdH

adrianmihai83, are you sure your mailserver isn't acting as an open relay? Or maybe a single account is hijacked?
Normally the Internet range should require 'Require SMTP authentication' for 'local to local'

RvdH

Dravion wrote: ↑
2020-01-16 23:07
TLSv1.3 was added in hMailServer 5.7 x64 which made serveral code changes necessary. This means OpenSSL
series 1.1.x is required.

Also available in 5.6.8 - Build 2494 (latest official beta)

RvdH

Do not reverse the IP, you are trying to make a PTR lookup

Code: Select all

$IP = '221.120.216.98'
$DNS = New-Object -ComObject DNSLibrary.DNSResolver
$PTR = $DNS.PTR("$IP")
Write-Host $PTR

Code: Select all

lhr63.pie.net.pk

RvdH

Or maybe it is just a isolated test box in their corporate network to monitor, study and learn malware/virus behavior

RvdH

:oops: :oops: :oops: Sorry guys, seems my original command worked just fine once i added access & read/write permission for IUSR on 'C:\Windows\system32\config\systemprofile\.spamassassin' the complete commands are: $config['markasjunk_spam_cmd'] = '"C:\Program Files\JAM Software\SpamAssassin for Wi...

RvdH

Hello, sorry, outgoing emails are NOT anonymized by this filtering! :?: FROM:, TO:, AUTHENTICATED: and so on are still present, but some useless and often non standard header informations are removed. And, main reason, removing hints about mailer, security proxies aso. reduce helpful informations f...

RvdH

1: Create a symbolic link... mklink /D "C:\Program Files\JAM Software\SpamAssassin for Windows" "C:\SpamAssassin" 2: Edit the config.php $config['markasjunk_spam_cmd'] = 'C:\SpamAssassin\sa-learn.exe --spam %f -D 2>&1'; $config['markasjunk_ham_cmd'] = 'C:\SpamAssassin\sa-learn.exe --ham %f -D 2>&1'...

RvdH

$config['markasjunk_spam_cmd'] = 'C:\Program Files\JAM Software\SpamAssassin for Windows\sa-learn.exe --spam %f -D 2>&1'; $config['markasjunk_ham_cmd'] = 'C:\Program Files\JAM Software\SpamAssassin for Windows\sa-learn.exe --ham %f -D 2>&1'; Yeah, i found that debug info elsewhere as well....but it...

RvdH

The old markasjunk2 plugin is now part off the new Roundcube 1.4.x distribution (named markasjunk) I was trying to get this plugin working, with sa-learn (using cmd_learn driver) $config['markasjunk_learning_driver'] = 'cmd_learn'; $config['markasjunk_debug'] = true; (this makes a \logs\markasjunk.l...

RvdH

I really wonder why anyone would try to use this release? ....there is absolutely nothing in it that isn't the latest beta build except for the updated boost libraries...there is absolutely no added functionalities....please explain, why bother? https://build.hmailserver.com/viewLog.html?buildId=802...

RvdH

Anyone got an idea why BOOST 1.70.0 is preferred over the latest version? Who says BOOST 1.70.0 is preferred over the latest version? Maybe simply because those newer releases are released after the latest commits done by martin? (he merged some pull request since, and upgraded openssl but nothing ...

RvdH

Are SURBL queries blocking? Could they introduce a delay of 30 seconds, enough to trigger a TCP receive timeout? Nah, SURBL check are done by SpamAssassin, none enabled in hmailserver itself.... and btw, it's a 30 minutes delay until the timeout, not 30 seconds PS: If possible, run Wireshark in cas...

RvdH

Option Explicit Public Const ADMIN = "Administrator" Public Const PASSWORD = "PUT_YOUR_PASSWORD_HERE" 'Password for hMailServer Administrator Dim fso, file Const ForWriting = 2 Set fso = CreateObject("Scripting.FileSystemObject") set file = fso.OpenTextFile("C:\BlockedAttachments.tmp", ForWriting, ...

RvdH

To make it more confusing, this one came thru without a glitch... but then again, apart from similar HELO (i am monitoring troublesome host by their HELO message) this ip doesn't seem designated to Adobe "SMTPD" 6376 124993 "2019-11-20 15:19:30.215" "62.210.194.156" "SENT: 220 mail.domain.com ESMTP"...

RvdH

Nope, no wait()

Or at least not directly within OnSMTPData, I use that lockfile function in OnHELO for AddGreyList(oClient.IPAddress, oClient.HELO) for my dynamic greywhitelisting function, but even that function is not triggered on those domains

RvdH

Some MTAs are configured for sending only while other MTAs are configured for inbound only mail. I talking about our own hmailserver instance that is allowed to send and receive I have dozens of log entries like the above designating from Adobe owned servers trying to send to our hmailserver instan...

RvdH

These are just 2 examples i see regularly....but this is going on for a few months. I assume these are simply marketing e-mails In OnSMTPData i have no more then the check(s) that block mail when the message is not sent from the authenticated account/domain (eg: only checks are for authenticated use...

RvdH

I have been busy monitoring SMTPD connections that seem to have trouble receiving mail right our hmailserver instance sends the DATA command to the external (sending) server, below an example: "SMTPD" 6376 119919 "2019-11-20 09:34:08.238" "66.117.17.55" "SENT: 220 mail.domain.com ESMTP" "SMTPD" 1064...

RvdH

Ruser wrote: ↑
2019-11-15 15:01

RvdH wrote: ↑
2019-11-15 13:11
cached DNS lookup result maybe?
i set google DNS in computer settings:
Ruser wrote: ↑
2019-11-15 10:28
static ip=192.168.0.172, dns=8.8.8.8
where cache? my router "mikrotik", ISP?
i try router off/on...

Code: Select all

ipconfig /flushdns

RvdH

Could it be because of 'SURBL detection properly fails to detect url's ending with a query string issue #108' in < 5.7.0 builds?

Perhaps you could try my custom build, that should fix above issue

5.6.8-B2494.22.7z: (969.3 KiB) Downloaded 34 times

RvdH

multi.surbl.org lists domain cb-killer.ru as a spammer, not hmailserver
hmailserver only checks the domain against multi.surbl.org

[EDIT]
I see your point... doing the lookup with http://www.surbl.org/surbl-analysis the result is: cb-killer.ru is NOT listed

Weird...cached DNS lookup result maybe?

RvdH

Mmmm, right

...but what is your actual question?

cb-killer.ru is a existing domain, which actually can be listed in multi.surbl.org (and apparently is)
DNSBL lookups seem fine

RvdH

Has he also changed the default internet and Localhost rages Priority Only the 'My computer' range is higher, eg: 30 instead of the 15 it was before.... 'Internet' range is still 10 Nothing changed for me - meaning I upgraded and my old settings remained the same, but the new autoban = 100 was unkn...

RvdH

The change of the 'My computer' range i kinda could understand, as a default install with previous value (15) would lockout localhost when auto-ban (20) is enabled...but once he also changed the auto-ban priority in 5.7.x the change to the 'My computer' range is redundant again I have also posted th...

RvdH

mattg wrote: ↑
2019-11-13 08:18
Has he also changed the default internet and Localhost rages Priority

Only the 'My computer' range is higher, eg: 30 instead of the 15 it was before.... 'Internet' range is still 10

RvdH

palinka wrote: ↑
2019-11-13 00:47
I guess that's the answer. Problem solved.

I know

But i am still a bit curious why martin changed that value in 5.7.x, i really can't see a reason for that and as it shows it breaks running instances...so it is a silly change in my opinion

RvdH

Autoban priority is changed in 5.7.x https://www.hmailserver.com/forum/viewtopic.php?f=7&t=34313 ONLY on the version used by that user ie Dravion's version hMailserver still sets them at 20 No, maybe your used scripts do, but hmailserver 5.7.x internally set them to 100 (eg: a faulty login via webm...

RvdH

Autoban priority is changed in 5.7.x

https://www.hmailserver.com/forum/viewt ... =7&t=34313

RvdH

No need to sign in...
http://download.microsoft.com/download/ ... o?type=ISO

RvdH

What libmysql.dll do you have? Currently hmailserver is only working with libmysql.dll 5.x and won't work with libmysql.dll 8.x

RvdH

You have a compromised account (username: hnjz), by default hmailserver allows a authenticated user to send from any emailaddress for the domains you own/host Many of us use scripts to only allow authenticated users in same domain or only from the authenticated account, below you find some examples ...

RvdH

Based on your hardware in use, a 3gb backup, should be taken care of within minutes on modern hardware, read SATA/NVME SSD...i would not worry to much about downtime If you are going to have to change DNS records i could be wise to set them TTL levels as low as you can before monday, the shorter the...

RvdH

No, you are out of luck then, mail forwarded to external email addresses through aliases and distribution list are never DKIM signed

RvdH

Yep, through INI settings as explained above

More:
https://www.hmailserver.com/forum/viewtopic.php?t=30359
https://www.hmailserver.com/forum/viewtopic.php?t=30900

RvdH

Firewall exceptions added?

RvdH

Hard to help you to find the issue without the actual domain name and/or IP address

RvdH

In 5.6.x the autoban priority is 20 so therefor the documentation is correct

You sure you are not using 5.7.x?

RvdH

For 5.7.x, simply increase (higher than 100) the priority for webmail address (probably 127.0.0.1 if ran on same server)?

Version 5.7.x is not out yet (officially), so the documentation is up to date

RvdH

No, yahoo never send a mail to gmx, so the NDR to yahoo makes no sense...

If you do not understand that, were done talking...back to school for you!
Without SRS (linked to above) we never, ever will be able to do what you want, request.....simple as that!!!

RvdH

I still believe the way you test this is all wrong, NDR are sent/should be sent to local accounts only And only NDR received by local account, forwarded to external are DKIM signed as explained on github pull request please run your test the other way around, set a forward to yahoo on test@freeze an...

RvdH

What? Why should the NDR be send back to yahoo account? That doesn't make any sense at all as the mail from yahoo -> freeze was successfully delivered...anything after that isn't to any concern to yahoo account It could, with SRS ...but this isn't supported by hmailserver (yet...or ever?) So you a p...

RvdH

I only see two external domains in the NDR...whats up with that? bhpclan@ymail.com dsgwemdiwufn@gmx.de From: mailer-daemon@freeze.ws To: bhpclan@ymail.com In the last "To:" address above i would at least expect a local domain and not a yahoo account, really don't know what you are doing, is that a r...

RvdH

I have some honeypots/spam traps in place that automatically are reported/contributed to blocklist.de DNSBL

A few usage examples
https://www.hmailserver.com/forum/viewt ... 97#p209597

scripts can easily be adapted for the more traditional honeypots (in OnSMTPData) you are referring to

RvdH

Ditch the rule, set the (freeze.ws) local host name under SMTP settings , as explained in the github pull request this makes the mailer-daemon@ address used by the mailserver freeze.png By using rule you set the From address before it reaches to code change in *.22, the change i made expects it to b...

RvdH

Ah...i think in know why it works for me, sometimes... When the NDR domain EnvelopeFrom and From address use the same domain it works But when you use a second domain, different from EnvelopeFrom it will not work I have proposed a change in the code to martin, this at least give you the ability to g...

Search found 843 matches