Advisory To Inform Of Phishing Attempts New To My Experience


Post by jim.bus » 2019-08-20 00:16

I was looking through my hMailServer Log and noticed some new (to me) peculiar activity (log entries).

The Log entries looked as though someone at a computer inside what appeared to be a US-based company website was directly sending Commands to my hMailServer (ex. "RECEIVED: MAIL FROM:<spammer@192.168.5.220>") after having connected to hMailServer on port 25. Note the Domain Name is a Local Network IP Address in the US-based Company. This IP Address then tries repeatedly with various forms of the RCPT TO Command to send email to hMailServer, such as "RECEIVED: RCPT TO:<spammee@ 'My Public IPv4 Address'>". To me this pattern of commands looks like someone in real time sitting at their computer issuing commands to my hMailServer. hMailServer rejected all the commands due to Authentication being required. Note the excerpts from my Log Entries are exactly what appeared in the log except for my Public IPv4 Address, which I did not display in this post.

This is just an advisory for anyone interested to make note of, as this is a little different manner of phishing new to me, not that I monitor my logs all the time to be able to tell if this isn't some old way of doing phishing.
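
An added example, not part of the original post and not hMailServer's own code: Python that groups SMTPD log lines by session and flags sessions whose MAIL FROM uses an IP address as its domain and which then send several RCPT TO commands, as in the activity described above. The tab-separated field layout, the sample lines, the function names and the threshold of three are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, not the poster's log. Assumed layout: tab-separated
# type, thread id, session id, timestamp, remote IP, text.
def _line(session, ip, text):
    return f'"SMTPD"\t2104\t{session}\t"2019-08-19 23:58:01.100"\t"{ip}"\t"{text}"'

SAMPLE_LOG = "\n".join([
    _line(77, "203.0.113.45", "RECEIVED: MAIL FROM:<spammer@192.168.5.220>"),
    _line(77, "203.0.113.45", "SENT: 530 SMTP authentication is required."),
    _line(77, "203.0.113.45", "RECEIVED: RCPT TO:<spammee@198.51.100.7>"),
    _line(77, "203.0.113.45", "SENT: 530 SMTP authentication is required."),
    _line(77, "203.0.113.45", "RECEIVED: RCPT TO:<spammee@[198.51.100.7]>"),
    _line(77, "203.0.113.45", "SENT: 530 SMTP authentication is required."),
    _line(77, "203.0.113.45", "RECEIVED: RCPT TO:<postmaster@198.51.100.7>"),
    _line(77, "203.0.113.45", "SENT: 530 SMTP authentication is required."),
    _line(78, "198.51.100.20", "RECEIVED: MAIL FROM:<alice@example.org>"),
    _line(78, "198.51.100.20", "SENT: 250 OK"),
    _line(78, "198.51.100.20", "RECEIVED: RCPT TO:<bob@example.net>"),
    _line(78, "198.51.100.20", "SENT: 250 OK"),
])

CMD = re.compile(r"RECEIVED: (MAIL FROM|RCPT TO):\s*<([^>]*)>", re.I)
REJECT = re.compile(r"SENT: 5\d\d ")  # any permanent-failure reply

def ip_literal(address):
    """True if the part after '@' is an IP address, bare or in [brackets]."""
    domain = address.rpartition("@")[2].strip().strip("[]")
    try:
        ipaddress.ip_address(domain)
        return True
    except ValueError:
        return False

def find_relay_probes(log_text, min_rcpt=3):
    """Return {session id: summary} for sessions matching the pattern."""
    sessions = defaultdict(
        lambda: {"ip": "", "ip_sender": False, "rcpt": [], "rejected": 0})
    for line in log_text.splitlines():
        fields = [f.strip('"') for f in line.split("\t")]
        if len(fields) < 6 or fields[0] != "SMTPD":
            continue  # skip other log types and malformed lines
        s, text = sessions[fields[2]], fields[5]
        s["ip"] = fields[4]
        m = CMD.search(text)
        if m and m.group(1).upper() == "MAIL FROM":
            s["ip_sender"] = s["ip_sender"] or ip_literal(m.group(2))
        elif m:
            s["rcpt"].append(m.group(2))
        elif REJECT.search(text):
            s["rejected"] += 1
    return {sid: s for sid, s in sessions.items()
            if s["ip_sender"] and len(s["rcpt"]) >= min_rcpt}
```

Calling find_relay_probes(SAMPLE_LOG) returns only session 77, with the connecting address, the three recipient forms tried and the count of rejections, which is enough to feed an IP range block or a report.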
