HELP! MY MAIL SERVER IS HACKED!

Use this forum if you have installed hMailServer and want to ask a question related to a production release of hMailServer. Before posting, please read the troubleshooting guide. A large part of all reported issues are already described in detail here.
mk148a
New user
Posts: 8
Joined: 2020-01-17 03:39

HELP! MY MAIL SERVER IS HACKED!

Post by mk148a » 2020-10-01 14:56

Hi there,
I got this mail from my datacenter:


We have received a complaint via a Feedback Loop (FBL) for an email that was sent from the IP address of a server you have with us.

This complaint means the recipient of the email marked the message as spam. We are automatically forwarding this complaint on to you, for your information. You do not need to respond, but we do expect you to check the complaint and to resolve any potential issues.

Due to the way FBLs work, some complaints can be classified as false positives. In this case you do not need to take any action, but please make sure the email address of the recipient was acquired using confirmed opt-in (COI), and that there is an easy method to opt-out (unsubscribe). Please also check that you have a valid PTR (rDNS) record for the IP, and consider setting up SPF and DKIM, if not already configured.

If spam is being sent, please resolve this as soon as possible. It is important that the underlying issue that caused the spam to be sent gets fixed. Possible causes include hacked email accounts, malware infections, open proxies, malicious CMS addons/plugins, or more. Please secure the server and take steps to make sure this doesn't happen again. If the server shouldn't send any emails, consider removing any mail server software and/or blocking the appropriate ports.

Please note again that this is a notification email only, you do not need to respond.

Kind regards

Abuse Team

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen / Germany
Tel: +49 9831 5050
Fax: +49 9831 5053
www.hetzner.com

Register Court: Registergericht Ansbach, HRB 6089
CEO: Martin Hetzner, Stephan Konvickova, Günther Müller

For the purposes of this communication, we may save some of your personal data. For information on our data privacy policy, please see: www.hetzner.com/datenschutzhinweis

On 01 Oct 14:27, feedbackloop@rackspacefbl.senderscore.net wrote:
> This is a Rackspace Abuse Report for an email message received from domain mail.MYDOMAIN.com, IP 200.123.XXX.XXX, on Thu, 01 Oct 2020 01:25:20 +0000.
> 
> 
> Source: Rackspace
> Abuse-Type: complaint
> User-Agent: ReturnPathFBL/2.0
> Version: 1
> Arrival-Date: Thu, 01 Oct 2020 01:25:20 +0000
> Original-Rcpt-To: e2b10c500029157a476bbaef89a5e90b@transtaff.com
> Reported-Domain: mail.MYDOMAIN.com
> Source-Ip: 200.123.XXX.XXX
> Subscription-Link: 
> https://fbl.returnpath.net/manage/subscriptions/394809
> Feedback-Type: abuse
> Original-Mail-From: message52f7a8b5a51919@mail.MYDOMAIN.com
> 
> 
> Delivered-To: e2b10c500029157a476bbaef89a5e90b@transtaff.com
> Return-Path: <message52f7a8b5a51919@mail.MYDOMAIN.com>
> Delivered-To: e2b10c500029157a476bbaef89a5e90b@transtaff.com
> Received: from director11.mail.ord1d.rsapps.net ([172.31.255.6])
> 	by backend26.mail.ord1d.rsapps.net with LMTP
> 	id ABlkAAgwdV+kewAAq4auYw
> 	(envelope-from <message52f7a8b5a51919@mail.MYDOMAIN.com>)
> 	for <e2b10c500029157a476bbaef89a5e90b@transtaff.com>; Wed, 30 Sep 
> 2020 21:25:28 -0400
> Received: from proxy8.mail.iad3b.rsapps.net ([172.31.255.6])
> 	by director11.mail.ord1d.rsapps.net with LMTP
> 	id 2LRZAAgwdV/ZUAAAvGGmqA
> 	(envelope-from <message52f7a8b5a51919@mail.MYDOMAIN.com>)
> 	for <e2b10c500029157a476bbaef89a5e90b@transtaff.com>; Wed, 30 Sep 
> 2020 21:25:28 -0400
> Received: from smtp20.gate.iad3b ([172.31.255.6])
> 	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
> 	by proxy8.mail.iad3b.rsapps.net with LMTPS id iFrFNAcwdV8nZQAAoCsc3g
> 	(envelope-from <message52f7a8b5a51919@mail.MYDOMAIN.com>)
> 	for <e2b10c500029157a476bbaef89a5e90b@transtaff.com>; Wed, 30 Sep 
> 2020 21:25:27 -0400
> Return-Path: <message52f7a8b5a51919@mail.MYDOMAIN.com>
> X-Spam-Threshold: 95
> X-Spam-Score: 0
> X-Spam-Flag: NO
> X-Virus-Scanned: OK
> X-Orig-To: e2b10c500029157a476bbaef89a5e90b@transtaff.com
> X-Originating-Ip: [200.123.XXX.XXX]
> Authentication-Results: smtp20.gate.iad3b.rsapps.net;
> 	iprev=pass policy.iprev="200.123.XXX.XXX"; spf=neutral
> 	smtp.mailfrom="message52f7a8b5a51919@mail.MYDOMAIN.com"
> 	smtp.helo="mail.MYDOMAIN.com";
> 	dkim=none (message not signed) header.d=none; dmarc=fail (p=none;
> 	dis=none) header.from=mail.MYDOMAIN.com
> X-Suspicious-Flag: NO
> X-Classification-ID: fc0f1498-0384-11eb-8865-525400497f28-1-1
> Received: from [200.123.XXX.XXX] ([200.123.XXX.XXX:61036]
> 	helo=mail.MYDOMAIN.com)
> 	by smtp20.gate.iad3b.rsapps.net (envelope-from
> 	<message52f7a8b5a51919@mail.MYDOMAIN.com>)
> 	(ecelerity 4.2.38.62370 r(:)) with ESMTPS
> 	(cipher=DHE-RSA-AES128-GCM-SHA256)
> 	id B8/9D-03835-700357F5; Wed, 30 Sep 2020 21:25:27 -0400
> Received: from 60-248-164-129.HINET-IP.hinet.net
> 	(60-248-164-129.HINET-IP.hinet.net [60.248.164.129])
> 	by mail.MYDOMAIN.com with ESMTPA
> 	; Thu, 1 Oct 2020 04:25:23 +0300
> Date: Thu, 1 Oct 2020 01:25:20 +0000
> To: e2b10c500029157a476bbaef89a5e90b@transtaff.com
> From: John Smith <message52f7a8b5a51919@mail.MYDOMAIN.com>
> Subject: I recorded you
> Message-ID: 
> <Dd8EGJwtXGuAIxfCiYo6dDh7SmNjE2mmJT9AwMjJg@60-248-164-129.HINET-IP.hin
> et.net>
> X-Mailer: PHPMailer 6.0.7 (https://github.com/PHPMailer/PHPMailer)
> MIME-Version: 1.0
> Content-Type: multipart/alternative;
> 	boundary="b1_Dd8EGJwtXGuAIxfCiYo6dDh7SmNjE2mmJT9AwMjJg"
> Content-Transfer-Encoding: 8bit
> 
> 
> --b1_Dd8EGJwtXGuAIxfCiYo6dDh7SmNjE2mmJT9AwMjJg
> Content-Type: text/plain; charset=us-ascii
> 
> Hi!
> 
> I know that you watch very often 18+ content!
> The smart phone that you own got hacked and this gave me access to control your microphone and your camera and record you without you even knowing in the same time you masturbate! So here is the deal.. if you don`t pay me 500$ worth of Blt Coin the video with you(doing you know what) will be sent to all your contacts.
> My hidden application that is installed also had another function, to extract all your contacts from social media, phonebook list, emails and so. How about the passwords? Nope, any smartphone has a security check and they scan for what kind of activity an app can have, so stealing passwords? Not good, this can be detected! Using camera and extracting contacts without the use know? Normal stuff!
> Ok! So.. to get some coins you can Google for "Buy Blt Coin instantly" and send the coins to the next address:
> 
> Address: 1 7 q D z L g r y S 5 f 3 h q Y D c S R 3 U 5 d q c p W j n B 
> D R N
> Amount: 0.047
> 
> Very important! The Address which is CASE SENSITIVE was split with spaces, and you must to eliminate all the spaces which result in a string of 34 characters and it will start with "1" and will end with "N". Use that string with no spaces to send the coins! You have a few days!
> 
> Ok... to uninstall my sneaky app reset your device to factory settings. Search on Google for "Factory Settings Reset [your smartphone model]". Also maybe you think that I got your passwords, go ahead change them too! To stop getting vlruses... next time, your browser and your OS must to be updated regularry!
> Also maybe you will consider to quit looking to this type of videos.. it makes a mess in your brain.
> 
> 
> --b1_Dd8EGJwtXGuAIxfCiYo6dDh7SmNjE2mmJT9AwMjJg
> Content-Type: text/html; charset=us-ascii
> 
> <p>Hi!</p>
> <p></p>
> <p>I know that you watch very often 18+ content!</p> <p>The smart 
> phone that you own got hacked and this gave me access to control your 
> microphone and your camera and record you without you even knowing in 
> the same time you masturbate! So here is the deal.. if you don`t pay 
> me 500$ worth of Blt Coin the video with you(doing you know what) will 
> be sent to all your contacts.</p> <p>My hidden application that is 
> installed also had another function, to extract all your contacts from 
> social media, phonebook list, emails and so. How about the passwords? 
> Nope, any smartphone has a security check and they scan for what kind 
> of activity an app can have, so stealing passwords? Not good, this can 
> be detected! Using camera and extracting contacts without the use 
> know? Normal stuff!</p> <p>Ok! So.. to get some coins you can Google 
> for "Buy Blt Coin instantly" and send the coins to the next 
> address:</p> <p></p>
> <p>Address: <b>1 7 q D z L g r y S 5 f 3 h q Y D c S R 3 U 5 d q c p W 
> j n B D R N</b></p>
> <p>Amount: <b>0.047</b></p>
> <p></p>
> <p>Very important! The Address which is CASE SENSITIVE was split with 
> spaces, and you must to eliminate all the spaces which result in a 
> string of <b>34</b> characters and it will start with <b>"1"</b> and 
> will end with <b>"N"</b>. Use that string with no spaces to send the 
> coins! You have a few days!</p> <p></p> <p>Ok... to uninstall my 
> sneaky app reset your device to factory settings. Search on Google for 
> "Factory Settings Reset [your smartphone model]". Also maybe you think 
> that I got your passwords, go ahead change them too! To stop getting 
> vlruses... next time, your browser and your OS must to be updated 
> regularry!</p> <p>Also maybe you will consider to quit looking to this 
> type of videos.. it makes a mess in your brain.</p>
> 
> 
> 
> --b1_Dd8EGJwtXGuAIxfCiYo6dDh7SmNjE2mmJT9AwMjJg--
They use https://github.com/PHPMailer/PHPMailer

And my hmail settings here:
[five screenshots of the hMailServer settings, not reproduced]



Can you help me with how to deny these hacks?


And here are the logs from my mail server:


2020-10-01 00:00:02.632"	"Starting rescheduling."
"APPLICATION"	18928	"2020-10-01 00:00:02.634"	"SMTPDeliverer - Message 28765: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG"	18928	"2020-10-01 00:00:02.634"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	18928	"2020-10-01 00:00:02.643"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	18928	"2020-10-01 00:00:02.646"	"Message rescheduled for later delivery."
"APPLICATION"	18928	"2020-10-01 00:00:02.646"	"SMTPDeliverer - Message 28765: Message delivery thread completed."
"DEBUG"	3480	"2020-10-01 00:00:02.658"	"Creating session 25404"
"TCPIP"	3480	"2020-10-01 00:00:02.658"	"TCP - 222.255.113.53 connected to 200.123.XXX.XXX:25."
"DEBUG"	3480	"2020-10-01 00:00:02.659"	"TCP connection started for session 25401"
"SMTPD"	3480	25401	"2020-10-01 00:00:02.659"	"222.255.113.53"	"SENT: 220 fuck you idiot"
"SMTPD"	9600	25401	"2020-10-01 00:00:03.001"	"222.255.113.53"	"RECEIVED: EHLO cac-saobacdautelecom"
"SMTPD"	9600	25401	"2020-10-01 00:00:03.001"	"222.255.113.53"	"SENT: 250-mail.MYDOMAINNAME.com[nl]250-SIZE 36480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	3480	25401	"2020-10-01 00:00:03.340"	"222.255.113.53"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3480	25401	"2020-10-01 00:00:03.340"	"222.255.113.53"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	14900	25401	"2020-10-01 00:00:03.671"	"222.255.113.53"	"RECEIVED: cG9zdG1hc3RlckBob29kYXJjaGVyeXNob3AuY29t"
"SMTPD"	14900	25401	"2020-10-01 00:00:03.671"	"222.255.113.53"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	9600	25401	"2020-10-01 00:00:04.008"	"222.255.113.53"	"RECEIVED: ***"
"SMTPD"	9600	25401	"2020-10-01 00:00:04.011"	"222.255.113.53"	"SENT: 235 authenticated."
"SMTPD"	3480	25401	"2020-10-01 00:00:04.340"	"222.255.113.53"	"RECEIVED: MAIL FROM:<messageb64416765ec63e1e73b0@mail.MYDOMAINNAME.com>"
"SMTPD"	3480	25401	"2020-10-01 00:00:04.342"	"222.255.113.53"	"SENT: 250 OK"
"SMTPD"	14900	25401	"2020-10-01 00:00:04.694"	"222.255.113.53"	"RECEIVED: RCPT TO:<steve@waltgragg.com>"
"SMTPD"	14900	25401	"2020-10-01 00:00:04.696"	"222.255.113.53"	"SENT: 250 OK"
"SMTPD"	9600	25401	"2020-10-01 00:00:05.033"	"222.255.113.53"	"RECEIVED: DATA"
"SMTPD"	9600	25401	"2020-10-01 00:00:05.033"	"222.255.113.53"	"SENT: 354 OK, send."
"DEBUG"	3480	"2020-10-01 00:00:05.709"	"Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG"	12908	"2020-10-01 00:00:05.709"	"Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG"	12908	"2020-10-01 00:00:05.709"	"Saving message: {FD36F725-7DCE-477B-BAFD-8F1FEC0BE320}.eml"
"DEBUG"	12908	"2020-10-01 00:00:05.725"	"Requesting SMTPDeliveryManager to start message delivery"
"SMTPD"	12908	25401	"2020-10-01 00:00:05.725"	"222.255.113.53"	"SENT: 250 Queued (0.640 seconds)"
"DEBUG"	13572	"2020-10-01 00:00:05.728"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	18928	"2020-10-01 00:00:05.729"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	18928	"2020-10-01 00:00:05.729"	"Delivering message..."
"APPLICATION"	18928	"2020-10-01 00:00:05.729"	"SMTPDeliverer - Message 30067: Delivering message from <Empty> to message10b65627e6fb92f@mail.MYDOMAINNAME.com. File: C:\Program Files (x86)\hMailServer\Data\{8FEFE2B9-33B8-4357-907A-E2FBB593AD87}.eml"
"DEBUG"	18928	"2020-10-01 00:00:05.729"	"Applying rules"
"DEBUG"	18928	"2020-10-01 00:00:05.729"	"Applying rule piçler"
"DEBUG"	18928	"2020-10-01 00:00:05.729"	"Performing local delivery"
"DEBUG"	18928	"2020-10-01 00:00:05.730"	"Local delivery completed"
"TCPIP"	18928	"2020-10-01 00:00:05.730"	"DNS MX lookup: mail.MYDOMAINNAME.com"
"TCPIP"	18928	"2020-10-01 00:00:05.731"	"DNS - MX Result: 1 IP addresses were found."
"DEBUG"	18928	"2020-10-01 00:00:05.731"	"Starting external delivery process. Server: mail.MYDOMAINNAME.com (200.123.XXX.XXX), Port: 25, Security: 2, User name: "
"DEBUG"	18928	"2020-10-01 00:00:05.731"	"Creating session 25405"
"TCPIP"	18928	"2020-10-01 00:00:05.731"	"Connecting to 200.123.XXX.XXX:25..."
"DEBUG"	18928	"2020-10-01 00:00:05.731"	"SMTPDeliverer - Message 30067 - Connection failed: Could not connect to 200.123.XXX.XXX on port 25 since this would mean connecting to myself."
"DEBUG"	13572	"2020-10-01 00:00:05.731"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"TCPIP"	18928	"2020-10-01 00:00:05.731"	"TCPConnection - Could not connect to 200.123.XXX.XXX on port 25 since this would mean connecting to myself."
"DEBUG"	18928	"2020-10-01 00:00:05.731"	"Ending session 25405"
"DEBUG"	26604	"2020-10-01 00:00:05.732"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	26604	"2020-10-01 00:00:05.732"	"Delivering message..."
"APPLICATION"	26604	"2020-10-01 00:00:05.732"	"SMTPDeliverer - Message 30740: Delivering message from <Empty> to messageb53b8d9fedf8@mail.MYDOMAINNAME.com. File: C:\Program Files (x86)\hMailServer\Data\{A457E752-316A-4C75-A5AC-EA5DB7E7000E}.eml"
"DEBUG"	18928	"2020-10-01 00:00:05.732"	"External delivery process completed"
"DEBUG"	26604	"2020-10-01 00:00:05.732"	"Applying rules"
"DEBUG"	18928	"2020-10-01 00:00:05.732"	"Summarizing delivery result"
"DEBUG"	26604	"2020-10-01 00:00:05.732"	"Applying rule piçler"
"DEBUG"	18928	"2020-10-01 00:00:05.732"	"Summarized delivery results"
"DEBUG"	26604	"2020-10-01 00:00:05.733"	"Performing local delivery"
"DEBUG"	18928	"2020-10-01 00:00:05.733"	"SD::RescheduleDelivery_"
"DEBUG"	26604	"2020-10-01 00:00:05.733"	"Local delivery completed"
"DEBUG"	18928	"2020-10-01 00:00:05.733"	"Retrieving retry options."
"DEBUG"	18928	"2020-10-01 00:00:05.733"	"Starting rescheduling."
"APPLICATION"	18928	"2020-10-01 00:00:05.733"	"SMTPDeliverer - Message 30067: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG"	18928	"2020-10-01 00:00:05.733"	"PersistentMessage::SetNextTryTime()"
"TCPIP"	26604	"2020-10-01 00:00:05.733"	"DNS MX lookup: mail.MYDOMAINNAME.com"
"TCPIP"	26604	"2020-10-01 00:00:05.734"	"DNS - MX Result: 1 IP addresses were found."
"DEBUG"	26604	"2020-10-01 00:00:05.734"	"Starting external delivery process. Server: mail.MYDOMAINNAME.com (200.123.XXX.XXX), Port: 25, Security: 2, User name: "
"DEBUG"	13572	"2020-10-01 00:00:05.734"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	26604	"2020-10-01 00:00:05.734"	"Creating session 25406"
"TCPIP"	26604	"2020-10-01 00:00:05.734"	"Connecting to 200.123.XXX.XXX:25..."
"DEBUG"	16836	"2020-10-01 00:00:05.734"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	26604	"2020-10-01 00:00:05.735"	"SMTPDeliverer - Message 30740 - Connection failed: Could not connect to 200.123.XXX.XXX on port 25 since this would mean connecting to myself."
"DEBUG"	16836	"2020-10-01 00:00:05.735"	"Delivering message..."
"TCPIP"	26604	"2020-10-01 00:00:05.735"	"TCPConnection - Could not connect to 200.123.XXX.XXX on port 25 since this would mean connecting to myself."
"DEBUG"	26604	"2020-10-01 00:00:05.735"	"Ending session 25406"
"APPLICATION"	16836	"2020-10-01 00:00:05.735"	"SMTPDeliverer - Message 29446: Delivering message from <Empty> to message85d13fecbffa3b8@mail.MYDOMAINNAME.com. File: C:\Program Files (x86)\hMailServer\Data\{9795B22C-7A91-4196-B259-AB77C5BDC443}.eml"
"DEBUG"	26604	"2020-10-01 00:00:05.735"	"External delivery process completed"
"DEBUG"	16836	"2020-10-01 00:00:05.735"	"Applying rules"
"DEBUG"	18928	"2020-10-01 00:00:05.735"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	16836	"2020-10-01 00:00:05.736"	"Applying rule piçler"
"DEBUG"	26604	"2020-10-01 00:00:05.735"	"Summarizing delivery result"
"DEBUG"	16836	"2020-10-01 00:00:05.736"	"Performing local delivery"
"DEBUG"	26604	"2020-10-01 00:00:05.736"	"Summarized delivery results"
"DEBUG"	16836	"2020-10-01 00:00:05.736"	"Local delivery completed"
"DEBUG"	26604	"2020-10-01 00:00:05.736"	"SD::RescheduleDelivery_"
"DEBUG"	26604	"2020-10-01 00:00:05.736"	"Retrieving retry options."
"DEBUG"	13572	"2020-10-01 00:00:05.736"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"TCPIP"	16836	"2020-10-01 00:00:05.736"	"DNS MX lookup: mail.MYDOMAINNAME.com"
"DEBUG"	5400	"2020-10-01 00:00:05.737"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	26604	"2020-10-01 00:00:05.736"	"Starting rescheduling."
"APPLICATION"	26604	"2020-10-01 00:00:05.737"	"SMTPDeliverer - Message 30740: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG"	26604	"2020-10-01 00:00:05.737"	"PersistentMessage::SetNextTryTime()"
"TCPIP"	16836	"2020-10-01 00:00:05.737"	"DNS - MX Result: 1 IP addresses were found."
"DEBUG"	5400	"2020-10-01 00:00:05.737"	"Delivering message..."
"DEBUG"	16836	"2020-10-01 00:00:05.737"	"Starting external delivery process. Server: mail.MYDOMAINNAME.com (200.123.XXX.XXX), Port: 25, Security: 2, User name: "
"DEBUG"	16836	"2020-10-01 00:00:05.738"	"Creating session 25407"
"TCPIP"	16836	"2020-10-01 00:00:05.738"	"Connecting to 200.123.XXX.XXX:25..."
"DEBUG"	18928	"2020-10-01 00:00:05.738"	"Message rescheduled for later delivery."
"APPLICATION"	5400	"2020-10-01 00:00:05.738"	"SMTPDeliverer - Message 30741: Delivering message from messageb64416765ec63e1e73b0@mail.MYDOMAINNAME.com to steve@waltgragg.com. File: C:\Program Files (x86)\hMailServer\Data\{FD36F725-7DCE-477B-BAFD-8F1FEC0BE320}.eml"
"DEBUG"	16836	"2020-10-01 00:00:05.738"	"SMTPDeliverer - Message 29446 - Connection failed: Could not connect to 200.123.XXX.XXX on port 25 since this would mean connecting to myself."
"APPLICATION"	18928	"2020-10-01 00:00:05.738"	"SMTPDeliverer - Message 30067: Message delivery thread completed."
"DEBUG"	5400	"2020-10-01 00:00:05.738"	"Running ClamWin"
"TCPIP"	16836	"2020-10-01 00:00:05.738"	"TCPConnection - Could not connect to 200.123.XXX.XXX on port 25 since this would mean connecting to myself."
"DEBUG"	16836	"2020-10-01 00:00:05.739"	"Ending session 25407"
"DEBUG"	16836	"2020-10-01 00:00:05.739"	"External delivery process completed"
"DEBUG"	16836	"2020-10-01 00:00:05.739"	"Summarizing delivery result"
"DEBUG"	16836	"2020-10-01 00:00:05.739"	"Summarized delivery results"
"DEBUG"	16836	"2020-10-01 00:00:05.739"	"SD::RescheduleDelivery_"
"DEBUG"	16836	"2020-10-01 00:00:05.739"	"Retrieving retry options."
"DEBUG"	16836	"2020-10-01 00:00:05.739"	"Starting rescheduling."
"APPLICATION"	16836	"2020-10-01 00:00:05.739"	"SMTPDeliverer - Message 29446: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG"	16836	"2020-10-01 00:00:05.739"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	13572	"2020-10-01 00:00:05.740"	"Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG"	18928	"2020-10-01 00:00:05.740"	"Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG"	26604	"2020-10-01 00:00:05.740"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	18928	"2020-10-01 00:00:05.740"	"Delivering message..."
"APPLICATION"	18928	"2020-10-01 00:00:05.740"	"SMTPDeliverer - Message 28776: Delivering message from message20f4f8b12868a@mail.MYDOMAINNAME.com to ujhjbvhjbcyn@emeil.com. File: C:\Program Files (x86)\hMailServer\Data\{46119352-5402-4BBB-8C8E-771DB8BD308B}.eml"
"DEBUG"	18928	"2020-10-01 00:00:05.740"	"Running ClamWin"
"DEBUG"	16836	"2020-10-01 00:00:05.741"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	26604	"2020-10-01 00:00:05.743"	"Message rescheduled for later delivery."
"APPLICATION"	26604	"2020-10-01 00:00:05.744"	"SMTPDeliverer - Message 30740: Message delivery thread completed."
"DEBUG"	16836	"2020-10-01 00:00:05.746"	"Message rescheduled for later delivery."
"APPLICATION"	16836	"2020-10-01 00:00:05.746"	"SMTPDeliverer - Message 29446: Message delivery thread completed."
"SMTPD"	3100	25401	"2020-10-01 00:00:06.082"	"222.255.113.53"	"RECEIVED: QUIT"
"SMTPD"	3100	25401	"2020-10-01 00:00:06.082"	"222.255.113.53"	"SENT: 221 goodbye"
"DEBUG"	14900	"2020-10-01 00:00:06.082"	"Ending session 25401"
"DEBUG"	3480	"2020-10-01 00:00:06.397"	"Creating session 25408"
"TCPIP"	3480	"2020-10-01 00:00:06.397"	"TCP - 64.225.43.21 connected to 200.123.XXX.XXX:25."
"DEBUG"	3480	"2020-10-01 00:00:06.398"	"TCP connection started for session 25404"
"SMTPD"	3480	25404	"2020-10-01 00:00:06.398"	"64.225.43.21"	"SENT: 220 fuck you idiot"
"SMTPD"	14900	25404	"2020-10-01 00:00:06.572"	"64.225.43.21"	"RECEIVED: EHLO sfo-v2ray"
"SMTPD"	14900	25404	"2020-10-01 00:00:06.572"	"64.225.43.21"	"SENT: 250-mail.MYDOMAINNAME.com[nl]250-SIZE 36480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"DEBUG"	3480	"2020-10-01 00:00:06.701"	"Creating session 25409"
"TCPIP"	3480	"2020-10-01 00:00:06.701"	"TCP - 60.248.164.129 connected to 200.123.XXX.XXX:25."
"DEBUG"	3480	"2020-10-01 00:00:06.702"	"TCP connection started for session 25408"
"SMTPD"	3480	25408	"2020-10-01 00:00:06.702"	"60.248.164.129"	"SENT: 220 fuck you idiot"
"SMTPD"	3100	25404	"2020-10-01 00:00:06.745"	"64.225.43.21"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3100	25404	"2020-10-01 00:00:06.745"	"64.225.43.21"	"SENT: 334 VXNlcm5hbWU6"
"DEBUG"	18928	"2020-10-01 00:00:06.770"	"ClamWin: C:\Program Files\ClamAV\clamdscan.exe --database="C:\Program Files\ClamAV\database" "{46119352-5402-4BBB-8C8E-771DB8BD308B}.eml" --tempdir="C:\Program Files (x86)\hMailServer\Temp". Return code: 2"
"DEBUG"	18928	"2020-10-01 00:00:06.771"	"Connecting to ClamAV virus scanner..."
"DEBUG"	5400	"2020-10-01 00:00:06.771"	"ClamWin: C:\Program Files\ClamAV\clamdscan.exe --database="C:\Program Files\ClamAV\database" "{FD36F725-7DCE-477B-BAFD-8F1FEC0BE320}.eml" --tempdir="C:\Program Files (x86)\hMailServer\Temp". Return code: 2"
"DEBUG"	5400	"2020-10-01 00:00:06.771"	"Connecting to ClamAV virus scanner..."
"SMTPD"	3480	25404	"2020-10-01 00:00:06.919"	"64.225.43.21"	"RECEIVED: cG9zdG1hc3RlckBob29kYXJjaGVyeXNob3AuY29t"
"SMTPD"	3480	25404	"2020-10-01 00:00:06.919"	"64.225.43.21"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	14900	25408	"2020-10-01 00:00:06.947"	"60.248.164.129"	"RECEIVED: EHLO 60-248-164-129.HINET-IP.hinet.net"
"SMTPD"	14900	25408	"2020-10-01 00:00:06.947"	"60.248.164.129"	"SENT: 250-mail.MYDOMAINNAME.com[nl]250-SIZE 36480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	3100	25404	"2020-10-01 00:00:07.092"	"64.225.43.21"	"RECEIVED: ***"
"SMTPD"	3100	25404	"2020-10-01 00:00:07.102"	"64.225.43.21"	"SENT: 235 authenticated."
"SMTPD"	3480	25408	"2020-10-01 00:00:07.194"	"60.248.164.129"	"RECEIVED: AUTH LOGIN"
"SMTPD"	3480	25408	"2020-10-01 00:00:07.194"	"60.248.164.129"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	3100	25404	"2020-10-01 00:00:07.276"	"64.225.43.21"	"RECEIVED: MAIL FROM:<message752bd8fe39cd16f61d@mail.MYDOMAINNAME.com>"
"SMTPD"	3100	25404	"2020-10-01 00:00:07.277"	"64.225.43.21"	"SENT: 250 OK"
"SMTPD"	14900	25408	"2020-10-01 00:00:07.439"	"60.248.164.129"	"RECEIVED: cG9zdG1hc3RlckBob29kYXJjaGVyeXNob3AuY29t"
"SMTPD"	14900	25408	"2020-10-01 00:00:07.439"	"60.248.164.129"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	3480	25404	"2020-10-01 00:00:07.450"	"64.225.43.21"	"RECEIVED: RCPT TO:<lou@lrgcontractor.com>"
"SMTPD"	3480	25404	"2020-10-01 00:00:07.451"	"64.225.43.21"	"SENT: 250 OK"
"SMTPD"	3100	25404	"2020-10-01 00:00:07.624"	"64.225.43.21"	"RECEIVED: DATA"
"SMTPD"	3100	25404	"2020-10-01 00:00:07.624"	"64.225.43.21"	"SENT: 354 OK, send."
"SMTPD"	14900	25408	"2020-10-01 00:00:07.685"	"60.248.164.129"	"RECEIVED: ***"
"SMTPD"	14900	25408	"2020-10-01 00:00:07.701"	"60.248.164.129"	"SENT: 235 authenticated."
"SMTPD"	3100	25408	"2020-10-01 00:00:07.947"	"60.248.164.129"	"RECEIVED: MAIL FROM:<message98a034e0bcc552@mail.MYDOMAINNAME.com>"
"SMTPD"	3100	25408	"2020-10-01 00:00:07.948"	"60.248.164.129"	"SENT: 250 OK"
"SMTPD"	3480	25408	"2020-10-01 00:00:08.194"	"60.248.164.129"	"RECEIVED: RCPT TO:<rgrimm5@mix.wvu.edu>"
"SMTPD"	3480	25408	"2020-10-01 00:00:08.196"	"60.248.164.129"	"SENT: 250 OK"
"SMTPD"	14900	25408	"2020-10-01 00:00:08.442"	"60.248.164.129"	"RECEIVED: DATA"
"SMTPD"	14900	25408	"2020-10-01 00:00:08.442"	"60.248.164.129"	"SENT: 354 OK, send."
"ERROR"	18928	"2020-10-01 00:00:08.775"	"Severity: 3 (Medium), Code: HM5406, Source: ClamAVVirusScanner::Scan, Description: Unable to connect to ClamAV server at localhost:3310."
"DEBUG"	18928	"2020-10-01 00:00:08.775"	"Applying rules"
"ERROR"	5400	"2020-10-01 00:00:08.776"	"Severity: 3 (Medium), Code: HM5406, Source: ClamAVVirusScanner::Scan, Description: Unable to connect to ClamAV server at localhost:3310."
"DEBUG"	18928	"2020-10-01 00:00:08.776"	"Applying rule piçler"
"DEBUG"	18928	"2020-10-01 00:00:08.776"	"Performing local delivery"
"DEBUG"	5400	"2020-10-01 00:00:08.776"	"Applying rules"
"DEBUG"	18928	"2020-10-01 00:00:08.776"	"Local delivery completed"
"TCPIP"	18928	"2020-10-01 00:00:08.776"	"DNS MX lookup: emeil.com"
"DEBUG"	5400	"2020-10-01 00:00:08.776"	"Applying rule piçler"
"DEBUG"	5400	"2020-10-01 00:00:08.777"	"Performing local delivery"
"DEBUG"	5400	"2020-10-01 00:00:08.777"	"Local delivery completed"
"TCPIP"	5400	"2020-10-01 00:00:08.777"	"DNS MX lookup: waltgragg.com"
"TCPIP"	5400	"2020-10-01 00:00:08.801"	"DNS - MX Result: 0 IP addresses were found."
"APPLICATION"	5400	"2020-10-01 00:00:08.801"	"SMTPDeliverer - Message 30741: No mail servers could be found for the address steve@waltgragg.com."
"DEBUG"	5400	"2020-10-01 00:00:08.801"	"Summarizing delivery result"
"DEBUG"	5400	"2020-10-01 00:00:08.801"	"Summarized delivery results"
"DEBUG"	5400	"2020-10-01 00:00:08.801"	"SD::RescheduleDelivery_"
"DEBUG"	5400	"2020-10-01 00:00:08.801"	"Retrieving retry options."
"DEBUG"	5400	"2020-10-01 00:00:08.801"	"Starting rescheduling."
"APPLICATION"	5400	"2020-10-01 00:00:08.802"	"SMTPDeliverer - Message 30741: Message could not be delivered. Scheduling it for later delivery in 60 minutes."
"DEBUG"	5400	"2020-10-01 00:00:08.802"	"PersistentMessage::SetNextTryTime()"
"DEBUG"	5400	"2020-10-01 00:00:08.812"	"PersistentMessage::~SetNextTryTime()"
"DEBUG"	5400	"2020-10-01 00:00:08.814"	"Message rescheduled for later delivery."
"APPLICATION"	5400	"2020-10-01 00:00:08.814"	"SMTPDeliverer - Message 30741: Message delivery thread completed."
"DEBUG"	3480	"2020-10-01 00:00:08.936"	"Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG"	12908	"2020-10-01 00:00:08.936"	"Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG"	12908	"2020-10-01 00:00:08.936"	"Saving message: {7B6285F2-919E-46AD-9CD5-E2C0CA62E67F}.eml"
"DEBUG"	12908	"2020-10-01 00:00:08.944"	"Requesting SMTPDeliveryManager to start message delivery"
"SMTPD"	12908	25408	"2020-10-01 00:00:08.944"	"60.248.164.129"	"SENT: 250 Queued (0.512 seconds)"
"DEBUG"	13572	"2020-10-01 00:00:08.948"	"Adding task DeliveryTask to work queue SMTP delivery queue"
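The FBL report quoted above already contains what is needed to see how the spam got out: the Received: chain and the Authentication-Results header. The Python below is an added example, not code from the thread, from hMailServer or from the providers named in it. It walks the hops oldest-first and picks out the first one accepted "with ESMTPA", that is, an authenticated submission to mail.MYDOMAIN.com from the HiNet client, and it also collects the SPF/DKIM/DMARC verdicts and the X-Mailer line. The sample headers are constructed from the quoted report: the masked server IP is replaced by the documentation address 192.0.2.25, and the recipient and Message-ID are placeholders.

```python
"""Locate where a spam run was injected, from the message's Received: chain.

Added example; not code from the thread, hMailServer or the providers named in it.
The Received: headers are walked from the oldest hop upwards and the first hop
accepted with an authenticated submission (ESMTPA / ESMTPSA, RFC 3848 keywords)
is reported: its client is the spammer, its "by" host is the abused server.
"""
import email
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the FBL report quoted in the thread. The masked
# server address is replaced by the documentation IP 192.0.2.25, the recipient and
# Message-ID are placeholders, and the body is omitted.
SAMPLE_MESSAGE = """\
Return-Path: <message52f7a8b5a51919@mail.MYDOMAIN.com>
Received: from [192.0.2.25] ([192.0.2.25:61036]
\thelo=mail.MYDOMAIN.com)
\tby smtp20.gate.iad3b.rsapps.net (envelope-from
\t<message52f7a8b5a51919@mail.MYDOMAIN.com>)
\t(ecelerity 4.2.38.62370 r(:)) with ESMTPS
\t(cipher=DHE-RSA-AES128-GCM-SHA256)
\tid B8/9D-03835-700357F5; Wed, 30 Sep 2020 21:25:27 -0400
Authentication-Results: smtp20.gate.iad3b.rsapps.net;
\tiprev=pass policy.iprev="192.0.2.25"; spf=neutral
\tsmtp.mailfrom="message52f7a8b5a51919@mail.MYDOMAIN.com"
\tsmtp.helo="mail.MYDOMAIN.com";
\tdkim=none (message not signed) header.d=none; dmarc=fail (p=none;
\tdis=none) header.from=mail.MYDOMAIN.com
Received: from 60-248-164-129.HINET-IP.hinet.net
\t(60-248-164-129.HINET-IP.hinet.net [60.248.164.129])
\tby mail.MYDOMAIN.com with ESMTPA
\t; Thu, 1 Oct 2020 04:25:23 +0300
From: John Smith <message52f7a8b5a51919@mail.MYDOMAIN.com>
To: recipient@example.com
Subject: I recorded you
Message-ID: <placeholder@60-248-164-129.HINET-IP.hinet.net>
X-Mailer: PHPMailer 6.0.7 (https://github.com/PHPMailer/PHPMailer)

(body omitted)
"""

UNFOLD_RE = re.compile(r"\r?\n[ \t]+")          # join folded header continuation lines
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*(?:\((?P<info>[^)]*)\))?"   # "from <helo> (<reverse dns> [<ip>])"
    r".*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Z]+)",
    re.S,
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)")
AUTHENTICATED = {"ESMTPA", "ESMTPSA"}           # "with" keywords meaning SMTP AUTH was used


@dataclass
class Hop:
    client_ip: Optional[str]
    helo: str
    by: str
    proto: str


def parse_hops(raw_message: str) -> List[Hop]:
    """Return the Received: hops in header order (newest first)."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = UNFOLD_RE.sub(" ", value)
        m = HOP_RE.search(flat)
        if not m:
            continue                            # non-standard Received: line; skip, don't guess
        ip = IPV4_RE.search(m.group("info") or "") or IPV4_RE.search(m.group("helo"))
        hops.append(Hop(ip.group(1) if ip else None, m.group("helo"), m.group("by"), m.group("proto")))
    return hops


def injection_point(hops: List[Hop]) -> Optional[Hop]:
    """Oldest hop first: the first one that used SMTP AUTH is where the credential was abused."""
    for hop in reversed(hops):
        if hop.proto in AUTHENTICATED:
            return hop
    return None


def analyse(raw_message: str) -> dict:
    """Summary a responder wants: submitting client, abused server, auth verdicts, mailer."""
    msg = email.message_from_string(raw_message)
    hops = parse_hops(raw_message)
    hop = injection_point(hops)
    auth = UNFOLD_RE.sub(" ", msg.get("Authentication-Results", ""))
    return {
        "hops": len(hops),
        "submitted_from": hop.client_ip if hop else None,
        "via_server": hop.by if hop else None,
        "auth_results": dict(AUTH_RESULT_RE.findall(auth)),
        "mailer": msg.get("X-Mailer"),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_MESSAGE).items():
        print(f"{key:15} {value}")
```

To use it on a real complaint, save the attached message as a file and call analyse(open(path).read()); the "submitted_from" address is the one to block and to look for in the server's own SMTPD log, and "via_server" confirms which of your hosts accepted the login.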

jimimaseye
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: HELP! MY MAIL SERVER IS HACKED!

Post by jimimaseye » 2020-10-01 15:17

postmaster@hoodarcheryshop.com is the account that has had the password hacked.

Change the password.

More help: https://www.hmailserver.com/documentati ... d_for_spam

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829
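jimimaseye reads the compromised account straight off the base64 username in the AUTH LOGIN exchange: the token cG9zdG1hc3RlckBob29kYXJjaGVyeXNob3AuY29t in the log above decodes to postmaster@hoodarcheryshop.com. On a log with thousands of sessions that is easier scripted. The Python below is an added example, not code from the thread or from hMailServer: it parses the tab-separated SMTPD lines, decodes each claimed username, pairs it with the session's source IP and the 235/535 reply, and flags accounts that logged in successfully from more addresses than one user plausibly would. The sample log is constructed in hMailServer's format from the sessions quoted above; the info@ sessions, the 535 reply text and the server IP 192.0.2.25 are invented for the example.

```python
"""Identify the abused SMTP account from hMailServer SMTPD log lines.

Added example; not code from the thread or from hMailServer. hMailServer logs the
AUTH LOGIN exchange with the username still base64-encoded; this decodes it, ties
it to the session's source IP and the 235/535 reply, and flags accounts with
successful logins from implausibly many distinct addresses.
"""
import base64
import binascii
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# hMailServer SMTPD line: "SMTPD" <thread> <session> "<timestamp>" "<ip>" "<text>", tab-separated
SMTPD_RE = re.compile(
    r'^"SMTPD"\t\d+\t(?P<session>\d+)\t"(?P<ts>[^"]*)"\t"(?P<ip>[^"]*)"\t"(?P<text>.*)"$'
)
USERNAME_PROMPT = "SENT: 334 VXNlcm5hbWU6"      # base64("Username:")

# --- constructed sample log, modelled on the sessions quoted in the thread ----
# Three postmaster@ logins from three addresses (passwords masked as *** as hMailServer
# does). The info@ sessions, the 535 text and the server IP 192.0.2.25 are invented.
POSTMASTER_B64 = "cG9zdG1hc3RlckBob29kYXJjaGVyeXNob3AuY29t"   # token from the thread's log
INFO_B64 = "aW5mb0Bob29kYXJjaGVyeXNob3AuY29t"                # base64("info@hoodarcheryshop.com")


def _session(sid: int, ip: str, user_b64: str, reply: str, t: str = "00:00:03") -> List[str]:
    def line(thread: int, text: str) -> str:
        return f'"SMTPD"\t{thread}\t{sid}\t"2020-10-01 {t}.000"\t"{ip}"\t"{text}"'
    return [line(3480, USERNAME_PROMPT), line(14900, f"RECEIVED: {user_b64}"),
            line(14900, "SENT: 334 UGFzc3dvcmQ6"), line(9600, "RECEIVED: ***"), line(9600, reply)]


def _interleave(*sessions: List[str]) -> List[str]:
    """Real logs interleave concurrent sessions line by line; reproduce that."""
    return [ln for group in zip(*sessions) for ln in group]


SAMPLE_LOG = (
    ['"TCPIP"\t3480\t"2020-10-01 00:00:02.658"\t"TCP - 222.255.113.53 connected to 192.0.2.25:25."']
    + _session(25401, "222.255.113.53", POSTMASTER_B64, "SENT: 235 authenticated.")
    + _interleave(_session(25404, "64.225.43.21", POSTMASTER_B64, "SENT: 235 authenticated."),
                  _session(25408, "60.248.164.129", POSTMASTER_B64, "SENT: 235 authenticated."))
    + _session(25500, "203.0.113.10", INFO_B64, "SENT: 235 authenticated.", "08:12:01")
    + _session(25501, "198.51.100.7", INFO_B64, "SENT: 535 Authentication failed.", "08:13:00")
)


@dataclass
class AuthEvent:
    session: str
    ip: str
    timestamp: str
    username: str
    success: bool


def decode_b64(token: str) -> str:
    """Decode a logged AUTH LOGIN token; keep a marker instead of crashing on junk input."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return f"<undecodable:{token}>"


def parse_auth_events(lines: Iterable[str]) -> List[AuthEvent]:
    """Reconstruct each AUTH LOGIN attempt per session, tolerating interleaved sessions."""
    awaiting_username = set()                 # sessions just sent the "334 Username:" prompt
    claimed: Dict[str, str] = {}              # session -> decoded username, awaiting 235/535
    events = []
    for raw in lines:
        m = SMTPD_RE.match(raw.rstrip("\r\n"))
        if not m:
            continue                          # DEBUG/TCPIP lines have another layout; ignore
        sid, ts, ip, text = m.group("session", "ts", "ip", "text")
        if text == USERNAME_PROMPT:
            awaiting_username.add(sid)
        elif sid in awaiting_username and text.startswith("RECEIVED: "):
            awaiting_username.discard(sid)
            claimed[sid] = decode_b64(text[len("RECEIVED: "):])
        elif sid in claimed and text.startswith(("SENT: 235", "SENT: 535")):
            events.append(AuthEvent(sid, ip, ts, claimed.pop(sid), text.startswith("SENT: 235")))
    return events


def per_account(events: Iterable[AuthEvent]) -> Dict[str, dict]:
    """Per username: successful and failed logins, and the IPs that logged in successfully."""
    stats: Dict[str, dict] = defaultdict(lambda: {"ok": 0, "fail": 0, "ips": set()})
    for e in events:
        if e.success:
            stats[e.username]["ok"] += 1
            stats[e.username]["ips"].add(e.ip)
        else:
            stats[e.username]["fail"] += 1
    return dict(stats)


def suspicious_accounts(events: Iterable[AuthEvent], max_ips: int = 2) -> List[str]:
    """Accounts with successful logins from more than max_ips distinct addresses."""
    return sorted(u for u, st in per_account(events).items() if len(st["ips"]) > max_ips)


if __name__ == "__main__":
    found = parse_auth_events(SAMPLE_LOG)
    for user, st in per_account(found).items():
        print(f"{user}: {st['ok']} ok, {st['fail']} failed, from {sorted(st['ips'])}")
    print("suspicious:", suspicious_accounts(found))
```

Against a real log, pass the lines of the file from hMailServer's Logs folder (open(path, encoding="utf-8", errors="replace")) to parse_auth_events; lower max_ips on a server whose users all come from one office, and treat a high "fail" count on one account as a password-guessing run even when no login succeeded.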

johang
Senior user
Posts: 349
Joined: 2008-09-01 09:20

Re: HELP! MY MAIL SERVER IS HACKED!

Post by johang » 2020-10-01 16:29

.
If you want to get rid of spammers connecting to your SMTP port 25 to send mail, you can always "lock it" so it does not accept authentication.

Add this to your hmailserver.ini


[settings]
DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.
combined with allowing external to external on your applicable IP range
BUT of course you and all your clients will have to authenticate on another SMTP port ( like 587 or something like it ) to be able to send mail
___________________________________________________________end of the line
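Once DisableAUTHList=25 is in hmailserver.ini, the EHLO reply on port 25 should no longer carry 250-AUTH LOGIN, while the submission port still should. The Python below is an added example, not code from the thread or from hMailServer, for checking exactly that: parse_ehlo() understands both raw SMTP replies and the "[nl]"-joined banners hMailServer writes to its log (as in the 250-AUTH LOGIN line quoted in the first post), findings() applies the policy (AUTH only on submission ports, and there preferably only after STARTTLS), and probe() runs the same check live with smtplib without ever sending a password. The sample banners are the port-25 banner from the log and constructed "after" variants; the host name in the commented-out live call is a placeholder.

```python
"""Check which SMTP ports still offer AUTH once DisableAUTHList is in place.

Added example; not code from the thread or from hMailServer. parse_ehlo() accepts
an EHLO reply as raw SMTP or in the "[nl]"-joined form from hMailServer's log, so
the policy can be checked offline; probe() does it live and never sends credentials.
"""
import smtplib
import ssl
from typing import Dict, List

SUBMISSION_PORTS = {587, 465}   # the only ports where client authentication belongs

# Constructed EHLO replies: the port-25 banner quoted in the thread's log (AUTH LOGIN
# offered on the MX port), the intended banner after DisableAUTHList=25, and a
# raw-SMTP submission banner for comparison.
EHLO_25_BEFORE = ("250-mail.MYDOMAINNAME.com[nl]250-SIZE 36480000[nl]250-STARTTLS"
                  "[nl]250-AUTH LOGIN[nl]250 HELP")
EHLO_25_AFTER = "250-mail.MYDOMAINNAME.com[nl]250-SIZE 36480000[nl]250-STARTTLS[nl]250 HELP"
EHLO_587_RAW = ("250-mail.MYDOMAINNAME.com\r\n250-SIZE 36480000\r\n250-STARTTLS\r\n"
                "250-AUTH LOGIN\r\n250 HELP")

Extensions = Dict[str, List[str]]


def parse_ehlo(reply: str) -> Extensions:
    """Map each advertised EHLO keyword (upper-cased) to its parameter list."""
    lines = reply.replace("[nl]", "\n").replace("\r\n", "\n").split("\n")
    ext: Extensions = {}
    for line in lines[1:]:                      # lines[0] is the greeting with the hostname
        if not line.startswith("250"):
            continue
        body = line[4:].strip()                 # drop "250-" / "250 "
        if body:
            keyword, _, params = body.partition(" ")
            ext[keyword.upper()] = params.split()
    return ext


def findings(port: int, stages: Dict[str, Extensions]) -> List[str]:
    """Policy check. stages = {"plain": before STARTTLS, "tls": after STARTTLS}; either may be absent."""
    plain, tls = stages.get("plain", {}), stages.get("tls", {})
    out = []
    if port not in SUBMISSION_PORTS and ("AUTH" in plain or "AUTH" in tls):
        out.append(f"port {port}: AUTH offered on a non-submission port "
                   "(anyone with a stolen password can relay through it)")
    if port in SUBMISSION_PORTS and "AUTH" in plain:
        out.append(f"port {port}: AUTH advertised before STARTTLS; confirm the IP range "
                   "requires SSL/TLS for authentication, or passwords cross the wire in clear")
    if port == 587 and plain and "STARTTLS" not in plain:
        out.append("port 587: no STARTTLS advertised")
    return out


def probe(host: str, port: int, verify_cert: bool = True, timeout: float = 10.0) -> Dict[str, Extensions]:
    """Live EHLO before and (when offered) after STARTTLS; 465 is implicit TLS. No AUTH is sent."""
    ctx = ssl.create_default_context()
    if not verify_cert:                         # e.g. a self-signed certificate on the server
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

    def features(s: smtplib.SMTP) -> Extensions:
        return {k.upper(): v.split() for k, v in s.esmtp_features.items()}

    stages: Dict[str, Extensions] = {}
    if port == 465:
        with smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx) as s:
            s.ehlo()
            stages["tls"] = features(s)
        return stages
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo()
        stages["plain"] = features(s)
        if s.has_extn("starttls"):
            s.starttls(context=ctx)
            s.ehlo()                            # extensions must be re-read after STARTTLS
            stages["tls"] = features(s)
    return stages


if __name__ == "__main__":
    print("25 before:", findings(25, {"plain": parse_ehlo(EHLO_25_BEFORE)}))
    print("25 after: ", findings(25, {"plain": parse_ehlo(EHLO_25_AFTER)}))
    print("587:      ", findings(587, {"plain": parse_ehlo(EHLO_25_AFTER), "tls": parse_ehlo(EHLO_587_RAW)}))
    # Live check against your own server (placeholder host name):
    # for p in (25, 587):
    #     print(p, findings(p, probe("mail.example.com", p, verify_cert=False)))
```

Run the live check from outside your own network, since hMailServer's IP ranges can answer differently to internal and external addresses, and repeat it after every change to hmailserver.ini, because that file is only read when the service restarts.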

mk148a
New user
Posts: 8
Joined: 2020-01-17 03:39

Re: HELP! MY MAIL SERVER IS HACKED!

Post by mk148a » 2020-10-02 01:42

johang wrote:
2020-10-01 16:29
.
If you want to get rid of spammers connecting to your SMTP port 25 to send mail, you can always "lock it" so it does not accept authentication.

Add this to your hmailserver.ini


[settings]
DisableAUTHList=25
; Setting DisableAUTHList allows you to specify a comma-separated list of SMTP ports which authentication should not be enabled for.
; This is useful when working with legacy systems with malfunctioning SMTP support.
combined with allowing external to external on your applicable IP range
BUT of course you and all your clients will have to authenticate on another SMTP port ( like 587 or something like it ) to be able to send mail
Great solution, thanks!

mk148a
New user
Posts: 8
Joined: 2020-01-17 03:39

Re: HELP! MY MAIL SERVER IS HACKED!

Post by mk148a » 2020-10-02 02:21

Also they send mail from the address klhmdflhkfmhlfkh@mail.hoodarcheryshop.com; how do I fix this?
Normally my address is info@hoodarcheryshop.com.

mattg
Moderator
Posts: 21106
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: HELP! MY MAIL SERVER IS HACKED!

Post by mattg » 2020-10-02 02:33

Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

mk148a
New user
Posts: 8
Joined: 2020-01-17 03:39

Re: HELP! MY MAIL SERVER IS HACKED!

Post by mk148a » 2020-10-02 13:20

Thank you very much!

That code works for me; I also denied the attackers' IP range on my firewall.


' hMailServer event handler (EventHandlers.vbs). Scripting must be enabled under
' Settings > Advanced > Scripts and the scripts reloaded before this takes effect.
Sub OnAcceptMessage(oClient, oMessage)
    ' Only authenticated (submission) sessions carry a username;
    ' unauthenticated inbound mail is left untouched.
    If oClient.Username <> "" Then
        Dim authemail, authemail_value, fromemail, fromemail_value
        authemail = Split(oClient.Username, "@")
        fromemail = Split(oMessage.FromAddress, "@")

        ' A username or From address without "@" has no domain part; reject it
        ' instead of failing on an out-of-range array index.
        If UBound(authemail) < 1 Or UBound(fromemail) < 1 Then
            Result.Value = 2
            Result.Message = "Sender address must be a full address in your domain"
            Exit Sub
        End If

        authemail_value = authemail(1)
        fromemail_value = fromemail(1)

        ' Domain of the authenticated account must match the domain of the From address.
        ' Result.Value 2 = reject the message and send Result.Message to the client.
        If LCase(authemail_value) <> LCase(fromemail_value) Then
            Result.Value = 2
            Result.Message = "You are only allowed to send from your domain"
        End If
    End If
End Sub

palinka
Senior user
Senior user
Posts: 2180
Joined: 2017-09-12 17:57

Re: HELP! MY MAIL SERVER IS HACKED!

Post by palinka » 2020-10-02 15:59

mk148a wrote:
2020-10-02 13:20
Thank you very much!

That code works for me; I also denied the attacker's IP range on my firewall.

Code: Select all

' Runs once the whole message (DATA) has been received. Only authenticated
' sessions are checked: oClient.Username is empty for unauthenticated inbound
' connections, so incoming mail and mailing-list traffic are not affected.
Sub OnAcceptMessage(oClient, oMessage)
    If oClient.Username <> "" Then
        Dim authemail, authemail_value, fromemail, fromemail_value
        ' Domain part of the account that logged in
        authemail = Split(oClient.Username, "@")
        authemail_value = ""
        If UBound(authemail) >= 1 Then authemail_value = authemail(1)

        ' Domain part of the envelope sender (MAIL FROM). Guarded so that an
        ' empty sender does not raise a subscript error and abort the script;
        ' a sender with no domain then simply fails the comparison below.
        fromemail = Split(oMessage.FromAddress, "@")
        fromemail_value = ""
        If UBound(fromemail) >= 1 Then fromemail_value = fromemail(1)

        If LCase(authemail_value) <> LCase(fromemail_value) Then
            ' Reject the message; Result.Message is returned to the client
            Result.Value = 2
            Result.Message = "You are only allowed to send from your domain"
        End If
    End If
End Sub
This is an interesting script. This is for outgoing mail only, correct? I think you'd only get oclient.username at auth.

I'm wondering how it could work for incoming mail. Check envelope from against from? Could that cause problems with incoming mailing lists?

User avatar
jim.bus
Senior user
Senior user
Posts: 522
Joined: 2011-05-28 11:49
Location: US

Re: HELP! MY MAIL SERVER IS HACKED!

Post by jim.bus » 2020-10-03 00:35

On your TCP/IP port 25, you specify connection security StartTLS Optional, but you do not supply an SSL certificate. This means that when there is a connection otherwise capable of encryption, your server will not be able to avail itself of the added security. So if your intent was to encrypt when available, you need to add an SSL certificate.

On your SSL/TLS settings you really should verify remote server SSL/TLS certificates.

You may want, on your Internet IP range, to consider selecting 'Require SSL/TLS for authentication'.

mk148a
New user
New user
Posts: 8
Joined: 2020-01-17 03:39

Re: HELP! MY MAIL SERVER IS HACKED!

Post by mk148a » 2020-10-03 02:10

I added that script, but the problem is still here :(

XX.217.XXX.XXX means my mail server IP address.


my eventhandler

Code: Select all

'   Sub OnClientConnect(oClient)
'   End Sub

'   Sub OnSMTPData(oClient, oMessage)
'   End Sub

' Runs once the whole message (DATA) has been received. Only authenticated
' sessions are checked: oClient.Username is empty for unauthenticated inbound
' connections, so incoming mail and mailing-list traffic are not affected.
Sub OnAcceptMessage(oClient, oMessage)
    If oClient.Username <> "" Then
        Dim authemail, authemail_value, fromemail, fromemail_value
        ' Domain part of the account that logged in
        authemail = Split(oClient.Username, "@")
        authemail_value = ""
        If UBound(authemail) >= 1 Then authemail_value = authemail(1)

        ' Domain part of the envelope sender (MAIL FROM). Guarded so that an
        ' empty sender does not raise a subscript error and abort the script;
        ' a sender with no domain then simply fails the comparison below.
        fromemail = Split(oMessage.FromAddress, "@")
        fromemail_value = ""
        If UBound(fromemail) >= 1 Then fromemail_value = fromemail(1)

        If LCase(authemail_value) <> LCase(fromemail_value) Then
            ' Reject the message; Result.Message is returned to the client
            Result.Value = 2
            Result.Message = "You are only allowed to send from your domain"
        End If
    End If
End Sub

'   Sub OnDeliveryStart(oMessage)
'   End Sub

'   Sub OnDeliverMessage(oMessage)
'   End Sub

'   Sub OnBackupFailed(sReason)
'   End Sub

'   Sub OnBackupCompleted()
'   End Sub

'   Sub OnError(iSeverity, iCode, sSource, sDescription)
'   End Sub

'   Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
'   End Sub

'   Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
'   End Sub

Code: Select all

"TCPIP"	7176	"2020-10-02 19:35:53.309"	"TCP - 142.11.246.28 connected to XX.217.XXX.XXX:25."
"DEBUG"	7176	"2020-10-02 19:35:53.311"	"TCP connection started for session 302"
"SMTPD"	7176	302	"2020-10-02 19:35:53.311"	"142.11.246.28"	"SENT: 220 fuck you idiot"
"DEBUG"	14940	"2020-10-02 19:35:53.363"	"The read operation failed. Bytes transferred: 0 Remote IP: 142.11.246.28, Session: 302, Code: 2, Message: End of file"
"DEBUG"	14940	"2020-10-02 19:35:53.363"	"Ending session 302"
"DEBUG"	7176	"2020-10-02 19:35:53.578"	"Creating session 304"
"TCPIP"	7176	"2020-10-02 19:35:53.578"	"TCP - 142.11.246.28 connected to XX.217.XXX.XXX:25."
"DEBUG"	7176	"2020-10-02 19:35:53.579"	"TCP connection started for session 303"
"SMTPD"	7176	303	"2020-10-02 19:35:53.579"	"142.11.246.28"	"SENT: 220 fuck you idiot"
"SMTPD"	14940	303	"2020-10-02 19:35:53.746"	"142.11.246.28"	"RECEIVED: EHLO hwc-hwp-6038660"
"SMTPD"	14940	303	"2020-10-02 19:35:53.747"	"142.11.246.28"	"SENT: 250-mail.MYDOMAIN.com[nl]250-SIZE 36480000[nl]250-STARTTLS[nl]250 HELP"
"SMTPD"	18696	303	"2020-10-02 19:35:53.915"	"142.11.246.28"	"RECEIVED: MAIL FROM:<admin@MYDOMAIN.com>"
"TCPIP"	18696	"2020-10-02 19:35:53.917"	"DNS lookup: 28.246.11.142.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP"	18696	"2020-10-02 19:35:53.918"	"DNS lookup: 28.246.11.142.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG"	18696	"2020-10-02 19:35:53.918"	"Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG"	18696	"2020-10-02 19:35:56.214"	"Spam test: SpamTestHeloHost, Score: 2"
"DEBUG"	18696	"2020-10-02 19:35:56.264"	"Spam test: SpamTestMXRecords, Score: 0"
"DEBUG"	18696	"2020-10-02 19:35:56.330"	"Spam test: SpamTestSPF, Score: 0"
"DEBUG"	18696	"2020-10-02 19:35:56.331"	"Total spam score: 2"
"SMTPD"	18696	303	"2020-10-02 19:35:56.333"	"142.11.246.28"	"SENT: 250 OK"
"SMTPD"	26460	303	"2020-10-02 19:35:56.502"	"142.11.246.28"	"RECEIVED: RCPT TO:<josemurcio7193@gmail.com>"
"SMTPD"	26460	303	"2020-10-02 19:35:56.503"	"142.11.246.28"	"SENT: 530 SMTP authentication is required."
"DEBUG"	26460	"2020-10-02 19:35:56.503"	"AWStats::LogDeliveryFailure"
"DEBUG"	26460	"2020-10-02 19:35:56.671"	"The read operation failed. Bytes transferred: 0 Remote IP: 142.11.246.28, Session: 303, Code: 2, Message: End of file"
"DEBUG"	26460	"2020-10-02 19:35:56.671"	"Deleting message file."
"DEBUG"	26460	"2020-10-02 19:35:56.671"	"Ending session 303"
"DEBUG"	7176	"2020-10-02 19:35:56.797"	"Creating session 305"
"TCPIP"	7176	"2020-10-02 19:35:56.797"	"TCP - 142.11.246.28 connected to XX.217.XXX.XXX:25."
"DEBUG"	7176	"2020-10-02 19:35:56.798"	"TCP connection started for session 304"
"SMTPD"	7176	304	"2020-10-02 19:35:56.798"	"142.11.246.28"	"SENT: 220 fuck you idiot"
"SMTPD"	26460	304	"2020-10-02 19:35:56.934"	"142.11.246.28"	"RECEIVED: EHLO hwc-hwp-6038660"
"SMTPD"	26460	304	"2020-10-02 19:35:56.935"	"142.11.246.28"	"SENT: 250-mail.MYDOMAIN.com[nl]250-SIZE 36480000[nl]250-STARTTLS[nl]250 HELP"
"SMTPD"	7176	304	"2020-10-02 19:35:57.077"	"142.11.246.28"	"RECEIVED: MAIL FROM:<admin@MYDOMAIN.com>"
"TCPIP"	7176	"2020-10-02 19:35:57.078"	"DNS lookup: 28.246.11.142.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP"	7176	"2020-10-02 19:35:57.079"	"DNS lookup: 28.246.11.142.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG"	7176	"2020-10-02 19:35:57.079"	"Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG"	7176	"2020-10-02 19:35:59.377"	"Spam test: SpamTestHeloHost, Score: 2"
"DEBUG"	7176	"2020-10-02 19:35:59.377"	"Spam test: SpamTestMXRecords, Score: 0"
"DEBUG"	7176	"2020-10-02 19:35:59.378"	"Spam test: SpamTestSPF, Score: 0"
"DEBUG"	7176	"2020-10-02 19:35:59.378"	"Total spam score: 2"
"SMTPD"	7176	304	"2020-10-02 19:35:59.378"	"142.11.246.28"	"SENT: 250 OK"
"SMTPD"	14940	304	"2020-10-02 19:35:59.516"	"142.11.246.28"	"RECEIVED: RCPT TO:<josemurcio7193@gmail.com>"
"SMTPD"	14940	304	"2020-10-02 19:35:59.517"	"142.11.246.28"	"SENT: 530 SMTP authentication is required."
"DEBUG"	14940	"2020-10-02 19:35:59.518"	"AWStats::LogDeliveryFailure"
"DEBUG"	14940	"2020-10-02 19:35:59.654"	"The read operation failed. Bytes transferred: 0 Remote IP: 142.11.246.28, Session: 304, Code: 2, Message: End of file"
"DEBUG"	14940	"2020-10-02 19:35:59.654"	"Deleting message file."
"DEBUG"	14940	"2020-10-02 19:35:59.654"	"Ending session 304"
"DEBUG"	7176	"2020-10-02 19:35:59.794"	"Creating session 306"
"TCPIP"	7176	"2020-10-02 19:35:59.794"	"TCP - 142.11.246.28 connected to XX.217.XXX.XXX:25."
"DEBUG"	7176	"2020-10-02 19:35:59.795"	"TCP connection started for session 305"
"SMTPD"	7176	305	"2020-10-02 19:35:59.795"	"142.11.246.28"	"SENT: 220 fuck you idiot"
"SMTPD"	14940	305	"2020-10-02 19:35:59.931"	"142.11.246.28"	"RECEIVED: EHLO hwc-hwp-6038660"
"SMTPD"	14940	305	"2020-10-02 19:35:59.931"	"142.11.246.28"	"SENT: 250-mail.MYDOMAIN.com[nl]250-SIZE 36480000[nl]250-STARTTLS[nl]250 HELP"
"SMTPD"	7176	305	"2020-10-02 19:36:00.067"	"142.11.246.28"	"RECEIVED: MAIL FROM:<user@MYDOMAIN.com>"
"TCPIP"	7176	"2020-10-02 19:36:00.069"	"DNS lookup: 28.246.11.142.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP"	7176	"2020-10-02 19:36:00.069"	"DNS lookup: 28.246.11.142.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG"	7176	"2020-10-02 19:36:00.070"	"Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG"	7176	"2020-10-02 19:36:02.385"	"Spam test: SpamTestHeloHost, Score: 2"
"DEBUG"	7176	"2020-10-02 19:36:02.385"	"Spam test: SpamTestMXRecords, Score: 0"
"DEBUG"	7176	"2020-10-02 19:36:02.386"	"Spam test: SpamTestSPF, Score: 0"
"DEBUG"	7176	"2020-10-02 19:36:02.386"	"Total spam score: 2"
"SMTPD"	7176	305	"2020-10-02 19:36:02.387"	"142.11.246.28"	"SENT: 250 OK"
"SMTPD"	18696	305	"2020-10-02 19:36:02.523"	"142.11.246.28"	"RECEIVED: RCPT TO:<josemurcio7193@gmail.com>"
"SMTPD"	18696	305	"2020-10-02 19:36:02.524"	"142.11.246.28"	"SENT: 530 SMTP authentication is required."
"DEBUG"	18696	"2020-10-02 19:36:02.524"	"AWStats::LogDeliveryFailure"
"DEBUG"	18696	"2020-10-02 19:36:02.660"	"The read operation failed. Bytes transferred: 0 Remote IP: 142.11.246.28, Session: 305, Code: 2, Message: End of file"
"DEBUG"	18696	"2020-10-02 19:36:02.660"	"Deleting message file."
"DEBUG"	18696	"2020-10-02 19:36:02.661"	"Ending session 305"
"DEBUG"	7176	"2020-10-02 19:36:02.857"	"Creating session 307"
"TCPIP"	7176	"2020-10-02 19:36:02.858"	"TCP - 142.11.246.28 connected to XX.217.XXX.XXX:25."
"DEBUG"	7176	"2020-10-02 19:36:02.859"	"TCP connection started for session 306"
"SMTPD"	7176	306	"2020-10-02 19:36:02.859"	"142.11.246.28"	"SENT: 220 fuck you idiot"
"SMTPD"	18696	306	"2020-10-02 19:36:03.039"	"142.11.246.28"	"RECEIVED: EHLO hwc-hwp-6038660"
"SMTPD"	18696	306	"2020-10-02 19:36:03.039"	"142.11.246.28"	"SENT: 250-mail.MYDOMAIN.com[nl]250-SIZE 36480000[nl]250-STARTTLS[nl]250 HELP"
"SMTPD"	7176	306	"2020-10-02 19:36:03.234"	"142.11.246.28"	"RECEIVED: MAIL FROM:<admin@MYDOMAIN.com>"
"TCPIP"	7176	"2020-10-02 19:36:03.236"	"DNS lookup: 28.246.11.142.zen.spamhaus.org, 0 addresses found: (none), Match: False"
"TCPIP"	7176	"2020-10-02 19:36:03.236"	"DNS lookup: 28.246.11.142.bl.spamcop.net, 0 addresses found: (none), Match: False"
"DEBUG"	7176	"2020-10-02 19:36:03.236"	"Spam test: SpamTestDNSBlackLists, Score: 0"
"DEBUG"	7176	"2020-10-02 19:36:05.555"	"Spam test: SpamTestHeloHost, Score: 2"
"DEBUG"	7176	"2020-10-02 19:36:05.555"	"Spam test: SpamTestMXRecords, Score: 0"
"DEBUG"	7176	"2020-10-02 19:36:05.556"	"Spam test: SpamTestSPF, Score: 0"
"DEBUG"	7176	"2020-10-02 19:36:05.556"	"Total spam score: 2"
"SMTPD"	7176	306	"2020-10-02 19:36:05.556"	"142.11.246.28"	"SENT: 250 OK"
"SMTPD"	26460	306	"2020-10-02 19:36:05.731"	"142.11.246.28"	"RECEIVED: RCPT TO:<josemurcio7193@gmail.com>"
"SMTPD"	26460	306	"2020-10-02 19:36:05.732"	"142.11.246.28"	"SENT: 530 SMTP authentication is required."
"DEBUG"	26460	"2020-10-02 19:36:05.732"	"AWStats::LogDeliveryFailure"
"DEBUG"	26460	"2020-10-02 19:36:05.905"	"The read operation failed. Bytes transferred: 0 Remote IP: 142.11.246.28, Session: 306, Code: 2, Message: End of file"
"DEBUG"	26460	"2020-10-02 19:36:05.905"	"Deleting message file."
"DEBUG"	26460	"2020-10-02 19:36:05.905"	"Ending session 306"

Code: Select all

2020-10-02 19:35:56	admin@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:35:59	admin@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:02	user@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:05	admin@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:08	info@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:12	sales@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:18	admin@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:24	root@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:27	info@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:30	admin@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:34	admin@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:37	gunn@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:40	test@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:43	admin@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:46	student@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:49	support@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:53	postmaster@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:56	office@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:36:59	webmaster@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:37:02	stage@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:37:05	admin@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:37:08	contact@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:37:11	noreply@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:37:14	mail@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0
2020-10-02 19:37:17	support@MYDOMAIN.com	josemurcio7193@gmail.com	142.11.246.28	127.0.0.1	SMTP	?	530	0

mk148a
New user
New user
Posts: 8
Joined: 2020-01-17 03:39

Re: HELP! MY MAIL SERVER IS HACKED!

Post by mk148a » 2020-10-03 02:13

jim.bus wrote:
2020-10-03 00:35
On your TCP/IP port 25, you specify connection security StartTLS Optional, but you do not supply an SSL certificate. This means that when there is a connection otherwise capable of encryption, your server will not be able to avail itself of the added security. So if your intent was to encrypt when available, you need to add an SSL certificate.

On your SSL/TLS settings you really should verify remote server SSL/TLS certificates.

You may want, on your Internet IP range, to consider selecting 'Require SSL/TLS for authentication'.
you mean this?
Image

User avatar
jim.bus
Senior user
Senior user
Posts: 522
Joined: 2011-05-28 11:49
Location: US

Re: HELP! MY MAIL SERVER IS HACKED!

Post by jim.bus » 2020-10-03 02:30

mk148a wrote:
2020-10-03 02:13
jim.bus wrote:
2020-10-03 00:35
On your TCP/IP port 25, you specify connection security StartTLS Optional, but you do not supply an SSL certificate. This means that when there is a connection otherwise capable of encryption, your server will not be able to avail itself of the added security. So if your intent was to encrypt when available, you need to add an SSL certificate.

On your SSL/TLS settings you really should verify remote server SSL/TLS certificates.

You may want, on your Internet IP range, to consider selecting 'Require SSL/TLS for authentication'.
you mean this?
Image
Yes.

But you still would need an SSL certificate installed. From what you've shown of your setup, I have no confirmation that you have installed one. I noticed, as indicated in my post, that you selected connection security for port 25 but you didn't select an SSL certificate for it to use. So I have to advise that an SSL certificate will need to be installed if one isn't already; otherwise there will be no connection security (encryption).

One other thing I have noticed about your TCP/IP port settings: you seem to have specified an IP address for the ports. Unless you have a specific need to have hMailServer listen on a specific IP address, generally the IP address can be 0.0.0.0, which means to listen on all available IP addresses. From what I understand (and I just learned about this the other day), the IP address you reference here should be the IP address assigned to the PC hMailServer is running on. So specifying 0.0.0.0 (the default) works just fine and eliminates the need to change the IP address should the PC's IP address change on your network.

User avatar
johang
Senior user
Senior user
Posts: 349
Joined: 2008-09-01 09:20

Re: HELP! MY MAIL SERVER IS HACKED!

Post by johang » 2020-10-03 15:48

mk148a wrote:
2020-10-03 02:10
I added that script, but the problem is still here :(

"SMTPD" 26460 303 "2020-10-02 19:35:56.503" "142.11.246.28" "SENT: 530 SMTP authentication is required."
"DEBUG" 26460 "2020-10-02 19:35:56.671" "Deleting message file."

"SMTPD" 14940 304 "2020-10-02 19:35:59.517" "142.11.246.28" "SENT: 530 SMTP authentication is required."
"DEBUG" 14940 "2020-10-02 19:35:59.654" "Deleting message file."

"SMTPD" 18696 305 "2020-10-02 19:36:02.524" "142.11.246.28" "SENT: 530 SMTP authentication is required."
"DEBUG" 18696 "2020-10-02 19:36:02.660" "Deleting message file."

"SMTPD" 26460 306 "2020-10-02 19:36:05.732" "142.11.246.28" "SENT: 530 SMTP authentication is required."
"DEBUG" 26460 "2020-10-02 19:36:05.905" "Deleting message file."


Looks like your server is doing its job according to your log...
What is the problem? (You can't stop spammers from trying altogether; you stop them from sending through your server with various methods.)
___________________________________________________________end of the line

dsgnethu
Normal user
Normal user
Posts: 54
Joined: 2015-01-20 09:07

Re: HELP! MY MAIL SERVER IS HACKED!

Post by dsgnethu » 2020-10-03 21:53

I think your problem is with the settings within Internet range. I think the proper setting should be something like this:
2020-10-03 21_53_12-Clipboard.png

User avatar
jim.bus
Senior user
Senior user
Posts: 522
Joined: 2011-05-28 11:49
Location: US

Re: HELP! MY MAIL SERVER IS HACKED!

Post by jim.bus » 2020-10-03 22:24

dsgnethu wrote:
2020-10-03 21:53
I think your problem is with the settings within Internet range. I think the proper setting should be something like this:

2020-10-03 21_53_12-Clipboard.png
You definitely do not want to use these settings.

The default settings for this can be found easily by just selecting Add when in the IP Range settings. Under Require SMTP authentication, the option 'External to external email addresses' should be selected; otherwise you will be open for spammers to use. There is also a Default button that can be clicked on, though personally I haven't used it.

The Default is to select Allow deliveries from everything. The Default is to Require SMTP authentication from all options with the exception of External to local email addresses. External to Local email addresses should not be selected.

Edited: Sorry, disregard. I just saw jimimaseye's post after I posted the above. I didn't realize the implication of the deliveries being disabled.
Last edited by jim.bus on 2020-10-03 22:44, edited 4 times in total.

User avatar
jimimaseye
Moderator
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Re: HELP! MY MAIL SERVER IS HACKED!

Post by jimimaseye » 2020-10-03 22:32

jim.bus wrote:
2020-10-03 22:24
dsgnethu wrote:
2020-10-03 21:53
I think your problem is with the settings within Internet range. I think the proper setting should be something like this:
2020-10-03 21_53_12-Clipboard.png
You definitely do not want to use these settings.
Wrong. He definitely SHOULD be using those settings. They are the optimum (especially with external to external deliveries disabled). It is locked down from spammers by authentication.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

User avatar
Bob.Dig
New user
New user
Posts: 26
Joined: 2020-06-29 09:18
Location: Berlin

Re: HELP! MY MAIL SERVER IS HACKED!

Post by Bob.Dig » 2020-10-04 19:40

jimimaseye wrote:
2020-10-03 22:32
Wrong. He definitely SHOULD be using those settings. They are the optimum (especially with external to external deliveries disabled). It is locked down from spammers by authentication.
Thanks for bringing this up. I changed my config too, and now the log looks different when somebody is knocking, so to speak, although I had required authentication before. So I guess security-wise it is the same, but it doesn't look so open anymore.

User avatar
jim.bus
Senior user
Senior user
Posts: 522
Joined: 2011-05-28 11:49
Location: US

Re: HELP! MY MAIL SERVER IS HACKED!

Post by jim.bus » 2020-10-04 20:58

Bob.Dig wrote:
2020-10-04 19:40
jimimaseye wrote:
2020-10-03 22:32
Wrong. He definitely SHOULD be using those settings. They are the optimum (especially with external to external deliveries disabled). It is locked down from spammers by authentication.
Thanks for bringing this up. I changed my config too and now the log looks differently, when somebody is knocking, so to speak. Although I had asked for authentication before. So I guess, security wise it is the same, but not so open looking anymore.
I believe you are correct about it being the same security-wise. If I've interpreted correctly what dsgnethu and jimimaseye wrote, by using the indicated settings you eliminated some of the 'knocking on the door' attempts because you are not allowing deliveries from external to external email addresses. So these email addresses will not be allowed, which would make your log entries look different.

mk148a
New user
Posts: 8
Joined: 2020-01-17 03:39

Re: HELP! MY MAIL SERVER IS HACKED!

Post by mk148a » 2020-10-05 20:25

dsgnethu wrote:
2020-10-03 21:53
I think your problem is with the settings within the Internet range. I think the proper setting should be something like this:

2020-10-03 21_53_12-Clipboard.png
Thank you for this!

mk148a
New user
Posts: 8
Joined: 2020-01-17 03:39

Re: HELP! MY MAIL SERVER IS HACKED!

Post by mk148a » 2020-10-05 20:29

I still have attacks like this:
"DEBUG" 22572 "2020-10-05 21:22:18.702" "Creating session 1463"
"TCPIP" 22572 "2020-10-05 21:22:18.703" "TCP - 103.253.42.54 connected to myserverip:25."
"DEBUG" 22572 "2020-10-05 21:22:18.704" "TCP connection started for session 1432"
"DEBUG" 22572 "2020-10-05 21:22:18.704" "Performing SSL/TLS handshake for session 1432. Verify certificate: False"
"TCPIP" 22572 "2020-10-05 21:22:33.707" "TCPConnection - TLS/SSL handshake failed. Session Id: 1432, Remote IP: 103.253.42.54, Error code: 1, Message: stream truncated"
"DEBUG" 22572 "2020-10-05 21:22:33.707" "Ending session 1432"
"DEBUG" 12448 "2020-10-05 21:22:36.834" "No messages to index."
"DEBUG" 12448 "2020-10-05 21:23:39.204" "No messages to index."
"DEBUG" 27048 "2020-10-05 21:23:44.420" "Creating session 1464"


I think it's like a DDoS, and my server is getting slower from these attempts. How can I get rid of them completely?

jim.bus
Senior user
Posts: 522
Joined: 2011-05-28 11:49
Location: US

Re: HELP! MY MAIL SERVER IS HACKED!

Post by jim.bus » 2020-10-05 22:04

mk148a wrote:
2020-10-05 20:29
I still have attacks like this:
"DEBUG" 22572 "2020-10-05 21:22:18.702" "Creating session 1463"
"TCPIP" 22572 "2020-10-05 21:22:18.703" "TCP - 103.253.42.54 connected to myserverip:25."
"DEBUG" 22572 "2020-10-05 21:22:18.704" "TCP connection started for session 1432"
"DEBUG" 22572 "2020-10-05 21:22:18.704" "Performing SSL/TLS handshake for session 1432. Verify certificate: False"
"TCPIP" 22572 "2020-10-05 21:22:33.707" "TCPConnection - TLS/SSL handshake failed. Session Id: 1432, Remote IP: 103.253.42.54, Error code: 1, Message: stream truncated"
"DEBUG" 22572 "2020-10-05 21:22:33.707" "Ending session 1432"
"DEBUG" 12448 "2020-10-05 21:22:36.834" "No messages to index."
"DEBUG" 12448 "2020-10-05 21:23:39.204" "No messages to index."
"DEBUG" 27048 "2020-10-05 21:23:44.420" "Creating session 1464"


I think it's like a DDoS, and my server is getting slower from these attempts. How can I get rid of them completely?
hMailServer itself cannot prevent the attacks on it from happening at all. As it is, hMailServer is blocking the attacker from doing anything; hMailServer is doing its job. That is, the attacker is attempting to gain access and hMailServer stops it. The only way to prevent the attacks on hMailServer at all would be to do it externally, such as blocking them with your firewalls (Windows Firewall) and/or router firewall, etc., and that would depend on the capability of your firewall or other external mechanism. You give the example of DDoS. Some routers have the capability of stopping DoS attacks. But anything you do with hMailServer will still cause hMailServer to use CPU processing to stop the attacks, and as I said, hMailServer is already stopping the attacks.

dsgnethu
Normal user
Posts: 54
Joined: 2015-01-20 09:07

Re: HELP! MY MAIL SERVER IS HACKED!

Post by dsgnethu » 2020-10-09 19:56

mk148a wrote:
2020-10-05 20:29
I still have attacks like this:
"DEBUG" 22572 "2020-10-05 21:22:18.702" "Creating session 1463"
"TCPIP" 22572 "2020-10-05 21:22:18.703" "TCP - 103.253.42.54 connected to myserverip:25."
"DEBUG" 22572 "2020-10-05 21:22:18.704" "TCP connection started for session 1432"
"DEBUG" 22572 "2020-10-05 21:22:18.704" "Performing SSL/TLS handshake for session 1432. Verify certificate: False"
"TCPIP" 22572 "2020-10-05 21:22:33.707" "TCPConnection - TLS/SSL handshake failed. Session Id: 1432, Remote IP: 103.253.42.54, Error code: 1, Message: stream truncated"
"DEBUG" 22572 "2020-10-05 21:22:33.707" "Ending session 1432"
"DEBUG" 12448 "2020-10-05 21:22:36.834" "No messages to index."
"DEBUG" 12448 "2020-10-05 21:23:39.204" "No messages to index."
"DEBUG" 27048 "2020-10-05 21:23:44.420" "Creating session 1464"


I think it's like a DDoS, and my server is getting slower from these attempts. How can I get rid of them completely?
This does not look like an attack. This log file shows that someone has tried to connect and failed at the SSL handshake. Spammers keep trying.
If you have a fixed IP, it is public, your mail server is public, and you have an officially registered domain name. You will definitely see these types of connections. Now it is the job of your other settings in hMailServer plus your spam filters to defend you.
Your router may help with this; with Mikrotik routers I also have some firewall suggestions and other suggestions on how to defend yourself. With other routers I don't.
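Both replies above agree that hMailServer already rejects these connections and that the only way to stop them from consuming CPU is to drop them before they reach it, for example in Windows Firewall. The following is an added example, not code from hMailServer or from any poster in this thread: it parses the "TLS/SSL handshake failed" lines from an hMailServer log (in the format shown in the post above), counts failures per remote IP inside a sliding time window, and emits Windows Firewall block rules for IPs that exceed a threshold. The sample log lines, the threshold and window values, and the rule name prefix "hMail-block-" are all constructed assumptions; the RFC 5737 address 198.51.100.7 is a documentation address used only to show a non-offender.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One hMailServer "TCPIP" log line for an aborted TLS handshake, e.g.
#   "TCPIP" 22572 "2020-10-05 21:22:33.707" "TCPConnection - TLS/SSL handshake
#   failed. Session Id: 1432, Remote IP: 103.253.42.54, Error code: 1, Message: stream truncated"
# Fields may be separated by spaces or tabs, so \s+ is used between them.
HANDSHAKE_FAIL = re.compile(
    r'^"TCPIP"\s+\d+\s+"(?P<ts>[\d-]+ [\d:.]+)"\s+'
    r'"TCPConnection - TLS/SSL handshake failed\. Session Id: \d+, '
    r'Remote IP: (?P<ip>[\d.]+), Error code: (?P<code>\d+), Message: (?P<msg>[^"]*)"$'
)


def parse_failures(lines):
    """Yield (timestamp, remote_ip, message) for every failed-handshake line."""
    for line in lines:
        m = HANDSHAKE_FAIL.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("ip"), m.group("msg")


def offenders(lines, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: max_failures_in_window} for IPs reaching `threshold`
    failed handshakes inside any `window`-long interval (sliding window).
    Threshold and window are assumed values, tune them for your traffic."""
    by_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(lines):
        by_ip[ip].append(ts)

    result = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            # advance the window start until it is within `window` of the end
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[ip] = best
    return result


def netsh_block_rules(ips, port=25):
    """Build one inbound Windows Firewall block rule per IP (netsh syntax).
    The rule name prefix is a hypothetical choice, not an hMailServer convention."""
    return [
        f'netsh advfirewall firewall add rule name="hMail-block-{ip}" '
        f'dir=in action=block protocol=TCP localport={port} remoteip={ip}'
        for ip in sorted(ips)
    ]


# Constructed sample log: the real line from the post plus invented repeats
# from the same IP and one failure from a documentation address.
SAMPLE_LOG = [
    '"DEBUG" 22572 "2020-10-05 21:22:18.702" "Creating session 1463"',
    '"TCPIP" 22572 "2020-10-05 21:22:33.707" "TCPConnection - TLS/SSL handshake failed. '
    'Session Id: 1432, Remote IP: 103.253.42.54, Error code: 1, Message: stream truncated"',
    '"DEBUG" 12448 "2020-10-05 21:22:36.834" "No messages to index."',
    '"TCPIP" 22572 "2020-10-05 21:24:10.100" "TCPConnection - TLS/SSL handshake failed. '
    'Session Id: 1470, Remote IP: 103.253.42.54, Error code: 1, Message: stream truncated"',
    '"TCPIP" 22572 "2020-10-05 21:25:50.500" "TCPConnection - TLS/SSL handshake failed. '
    'Session Id: 1481, Remote IP: 103.253.42.54, Error code: 1, Message: stream truncated"',
    '"TCPIP" 22572 "2020-10-05 21:26:01.000" "TCPConnection - TLS/SSL handshake failed. '
    'Session Id: 1482, Remote IP: 198.51.100.7, Error code: 1, Message: stream truncated"',
]

if __name__ == "__main__":
    for rule in netsh_block_rules(offenders(SAMPLE_LOG)):
        print(rule)
```

Run the printed netsh commands from an elevated prompt on the mail server; they are generated as strings so the list can be reviewed before anything is blocked. Two caveats a practitioner should keep in mind: a legitimate MTA with a broken TLS setup will fail the same handshake, so keep a threshold rather than banning on a single failure and expire the rules after a while; and hMailServer's own auto-ban reacts to failed logins, not to aborted handshakes, which is why this filtering has to happen outside hMailServer, as jim.bus and dsgnethu say.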
