We wish to capture emails from unauthorized senders

BuyStockInIBM
New user
Posts: 27
Joined: 2014-11-25 23:39

Post by BuyStockInIBM » 2020-06-06 21:07

Attempts to send emails to a distribution list from an unauthorized sender are blocked and logged to the hMailServer log. The blocked emails are not sent to the catch-all or mirror accounts. We can analyze the logs to harvest the email address of the unauthorized sender. My organization would like to capture these unauthorized emails so they can be analyzed, rather than just deleting them. Can anyone let me know how this can be best accomplished using hMailServer? Thanks in advance.

jimimaseye
Moderator
Posts: 8584
Joined: 2011-09-08 17:48

Re: We wish to capture emails from unauthorized senders

Post by jimimaseye » 2020-06-06 21:16

BuyStockInIBM wrote (2020-06-06 21:07):
"Attempts to send emails to a distribution list from an unauthorized sender are blocked and logged to the hMailServer log."

Let's start with this: how?

Also please show a log snippet of an authorized email being captured.

We will then be able to advise once we have a better understanding of existing methods.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Re: We wish to capture emails from unauthorized senders

Post by BuyStockInIBM » 2020-06-07 22:16

The how is the normal way hMailServer does things. Emails from authorized senders are sent to the distribution list as well as the mirror account. That's how we capture them. Anyway, here is the log you requested. I edited it for security:

"SMTPD" 2020 954613 "2020-06-05 05:00:00.674" "192.168.10.23" "SENT: 220 listserve.BigCompany.com"
"SMTPD" 2020 954613 "2020-06-05 05:00:00.674" "192.168.10.23" "RECEIVED: EHLO API-EQ-EXC02.api.int"
"SMTPD" 2020 954613 "2020-06-05 05:00:00.674" "192.168.10.23" "SENT: 250-listserve.BigCompany.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 2020 954613 "2020-06-05 05:00:00.674" "192.168.10.23" "RECEIVED: MAIL FROM:<John@BigCompany.com> SIZE=5772"
"TCPIP" 2020 "2020-06-05 05:00:00.705" "DNS lookup: 26.10.120.10.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP" 2020 "2020-06-05 05:00:00.767" "DNS lookup: 26.10.120.10.bl.spamcop.net, 0 addresses found: (none), Match: False"
"SMTPD" 2020 954613 "2020-06-05 05:00:00.877" "192.168.10.23" "SENT: 250 OK"
"SMTPD" 2040 954613 "2020-06-05 05:00:00.877" "192.168.10.23" "RECEIVED: RCPT TO:<TestList@listserve.BigCompany.com>"
"SMTPD" 2040 954613 "2020-06-05 05:00:00.923" "192.168.10.23" "SENT: 250 OK"
"SMTPD" 2036 954613 "2020-06-05 05:00:00.923" "192.168.10.23" "RECEIVED: DATA"
"SMTPD" 2036 954613 "2020-06-05 05:00:00.923" "192.168.10.23" "SENT: 354 OK, send."
"SMTPD" 1848 954613 "2020-06-05 05:00:00.955" "192.168.10.23" "SENT: 250 Queued (0.000 seconds)"
"SMTPD" 2040 954613 "2020-06-05 05:00:00.955" "192.168.10.23" "RECEIVED: QUIT"
"APPLICATION" 1916 "2020-06-05 05:00:00.955" "SMTPDeliverer - Message 615120: Delivering message from John@BigCompany.com to Jill@BigCompany.com, George@BigCompany.com, William@BigCompany.com, Patricia@cox.net, Margret@BigCompany.com, Steve@BigCompany.com, Paul@BigCompany.com. File: C:\Program Files (x86)\hMailServer\Data\{111E0901-2FAF-40B8-9122-2045C49B2B94}.eml"
"SMTPD" 2040 954613 "2020-06-05 05:00:00.955" "192.168.10.23" "SENT: 221 goodbye"

Re: We wish to capture emails from unauthorized senders

Post by jimimaseye » 2020-06-07 23:09

Sorry, I meant to ask how you block unauthorised? The log shown above simply shows an inbound email to a distribution list. Where is the 'authorised' bit?

Re: We wish to capture emails from unauthorized senders

Post by BuyStockInIBM » 2020-06-08 00:38

All of our lists are closed lists. Only members of a list can send to it and receive from it. Obviously, the catch-all account received messages sent to non-existent lists and the mirror gets copies of all emails sent to lists from authorized senders.
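
The log analysis mentioned in the first post, as an added example that is not part of the thread or of hMailServer: it pairs each RCPT TO with its session's MAIL FROM and reports recipients the server refused with a 5xx reply. The field layout follows the log snippet posted above; the sample lines and the refusal text are constructed, and it assumes the closed-list refusal is logged as a 5xx reply to RCPT TO.

```python
import re
from collections import namedtuple

# Field layout copied from the SMTPD lines posted in the thread:
# "SMTPD" <thread> <session> "<timestamp>" "<client ip>" "SENT:|RECEIVED: <text>"
LINE = re.compile(r'^"SMTPD"\s+\d+\s+(\d+)\s+"([^"]*)"\s+"([^"]*)"'
                  r'\s+"(SENT|RECEIVED): (.*)"\s*$')
ADDR = re.compile(r'^(MAIL FROM|RCPT TO):\s*<([^>]*)>', re.I)
Rejected = namedtuple("Rejected", "timestamp client_ip sender recipient reply")

def rejected_recipients(lines):
    """Return one record per RCPT TO that the server answered with a 5xx reply."""
    sessions, hits = {}, []           # session id -> envelope state
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                  # TCPIP, APPLICATION and malformed lines
        sid, ts, ip, direction, text = m.groups()
        st = sessions.setdefault(sid, {"sender": None, "rcpt": None})
        if direction == "RECEIVED":
            a = ADDR.match(text)
            if a and a.group(1).upper() == "MAIL FROM":
                st["sender"], st["rcpt"] = a.group(2).lower(), None
            else:                     # RCPT TO sets the pending recipient,
                st["rcpt"] = a.group(2).lower() if a else None  # others clear it
        elif st["rcpt"] is not None:  # first server reply after a RCPT TO
            if text.startswith("5"):
                hits.append(Rejected(ts, ip, st["sender"], st["rcpt"], text))
            st["rcpt"] = None
    return hits

# Constructed sample: two interleaved sessions. The "550 Not authorized." text
# is a placeholder (assumption); the code keys only on the 5xx reply class.
SAMPLE = '''
"SMTPD" 2020 954700 "2020-06-05 06:10:01.100" "203.0.113.7" "RECEIVED: MAIL FROM:<outsider@example.net>"
"SMTPD" 2020 954701 "2020-06-05 06:10:01.120" "192.168.10.23" "RECEIVED: MAIL FROM:<John@BigCompany.com> SIZE=5772"
"SMTPD" 2020 954700 "2020-06-05 06:10:01.150" "203.0.113.7" "SENT: 250 OK"
"SMTPD" 2020 954701 "2020-06-05 06:10:01.160" "192.168.10.23" "SENT: 250 OK"
"SMTPD" 2040 954700 "2020-06-05 06:10:01.200" "203.0.113.7" "RECEIVED: RCPT TO:<TestList@listserve.BigCompany.com>"
"SMTPD" 2040 954701 "2020-06-05 06:10:01.210" "192.168.10.23" "RECEIVED: RCPT TO:<TestList@listserve.BigCompany.com>"
"TCPIP" 2020 "2020-06-05 06:10:01.230" "DNS lookup: 7.113.0.203.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"SMTPD" 2040 954700 "2020-06-05 06:10:01.250" "203.0.113.7" "SENT: 550 Not authorized."
"SMTPD" 2040 954701 "2020-06-05 06:10:01.260" "192.168.10.23" "SENT: 250 OK"
'''.splitlines()

if __name__ == "__main__":
    for hit in rejected_recipients(SAMPLE):
        print(hit)
```

If the refusal is issued at RCPT TO as assumed here, the message body is never transmitted, so the log yields envelope data only (sender, recipient, client IP, time).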
