Script not blocking all domain in the array

kubera86
New user
Posts: 5
Joined: 2019-06-11 07:02

Script not blocking all domain in the array

Post by kubera86 » 2020-02-16 08:19

I found and implemented a script from the forum to block incoming emails from certain domains.
It's able to block all domains in the array except these Chinese-owned domains: 126.com, 163.com and aliyun.com.
Please recommend a solution. Our mailboxes are flooded daily with promotional emails from these domains. T.Y

Code:

Sub OnSMTPData(oClient, oMessage)
	Dim arrayAccounts(5), C

      '************  Update the Block List array here  *********
      ' Ensure to change the index value in brackets (x) for EACH entry)

      arrayAccounts(0)= "@126.com"      
      arrayAccounts(1)= "@163.com"      
      arrayAccounts(2)= "@aliyun.com"      
      arrayAccounts(3)= "@googlegroups.com"     
      arrayAccounts(4)= "@emailsrvr.com"      
                 'Add more as needed, and ensure count does not exceed DIM attributes for arrayAccounts
   '************ End of Block list array  *************

      for C = 0 to uBound(arrayAccounts)
         If arrayAccounts(C) <> "" then
            If (InStr(1, oMessage.FromAddress, arrayAccounts(C), 1) > 0) then
               ' Reject the message   
               eventlog.write(now() & "Incoming email blocked from " & ucase(oMessage.FromAddress) & ". Subject: " & oMessage.Subject )
               Result.Value = 1    ' 1 gives rejection 554 without tailored message
               Exit For
            End If   
         End If   
      Next 'C
End Sub

katip
Senior user
Posts: 757
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Script not blocking all domain in the array

Post by katip » 2020-02-16 11:22

lookup "From" instead of "FromAddress" or better join both with "OR"
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

kubera86
New user
Posts: 5
Joined: 2019-06-11 07:02

Re: Script not blocking all domain in the array

Post by kubera86 » 2020-02-16 12:17

katip wrote:
2020-02-16 11:22
lookup "From" instead of "FromAddress" or better join both with "OR"
I used the second, will observe for a day. :D :D :D

SorenR
Senior user
Posts: 3623
Joined: 2006-08-21 15:38
Location: Denmark

Re: Script not blocking all domain in the array

Post by SorenR » 2020-02-16 14:08

Code:

Sub OnAcceptMessage(oClient, oMessage)
    Dim strRegEx
    
    ' One alternative per blocked domain, separated by "|"
    strRegEx = "(\@126\.com)|" & _
               "(\@163\.com)|" & _
               "(\@aliyun\.com)|" & _
               "(\@googlegroups\.com)|" & _
               "(\@emailsrvr\.com)"
    
    With CreateObject("VBScript.RegExp")
        .Pattern = strRegEx
        .Global = False
        .MultiLine = True
        .IgnoreCase = True
        ' Test both the envelope sender and the From header
        If .Test(oMessage.FromAddress) Or .Test(oMessage.From) Then

            Result.Value = 2
            Result.Message = "5.3.0 [Origin Banned] The SMTP service (" & oClient.HELO & ") originating on IP address (" & oClient.IPAddress & ") is not welcome here."
            Eventlog.Write( Now() & "Incoming email blocked from " & UCase(oMessage.FromAddress) & ". Subject: " & oMessage.Subject )
            Exit Sub

        End If
    End With
End Sub
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

kubera86
New user
Posts: 5
Joined: 2019-06-11 07:02

Re: Script not blocking all domain in the array

Post by kubera86 » 2020-02-17 06:31

Hi guys! The scripts didn't work. I guess this has something to do with FROM or SENDER?

Here's a thunderbird view source from one of the emails.

Return-Path: dpjhew@jumg.com
Received: from jumg.com (193.180.237.114.broad.lyg.js.dynamic.163data.com.cn [114.237.180.193])
by mail.******.com with ESMTP ; Sun, 16 Feb 2020 11:56:36 -0600
Message-ID: <9630948A-76D3-45EA-9D3E-1A635264BDD5@mail.******.com>
Received: from vps12549 ([127.0.0.1]) by localhost via TCP with ESMTPA; Mon, 17 Feb
2020 01:56:09 +0800
MIME-Version: 1.0
From: Susan <gaikan5935669469@126.com>
Sender: Susan <dpjhew@jumg.com>
To: zambia@******.com
Reply-To: Susan <gaikan5935669469@126.com>
Date: 17 Feb 2020 01:56:09 +0800
Subject: [SPAM] Re: Superfinishing Machines For Bearings
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: The host name specified in HELO does not match IP address. - (Score: 2)
X-hMailServer-Reason-2: Rejected by UCE Protect - (Score: 2)
X-hMailServer-Reason-3: Rejected by Spamhaus. - (Score: 4)
X-hMailServer-Reason-Score: 8
X-hMailServer-LoopCount: 1

And below is from the logs:

"DEBUG" 4980 "2020-02-16 11:56:33.190" "TCP connection started for session 4871"
"SMTPD" 4980 4871 "2020-02-16 11:56:33.190" "114.237.180.193" "SENT: 220 mail.******.com ESMTP"
"SMTPD" 4936 4871 "2020-02-16 11:56:33.424" "114.237.180.193" "RECEIVED: EHLO jumg.com"
"SMTPD" 4936 4871 "2020-02-16 11:56:33.424" "114.237.180.193" "SENT: 250-mail.******.com[nl]250-SIZE 20480000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD" 4940 4871 "2020-02-16 11:56:33.690" "114.237.180.193" "RECEIVED: MAIL FROM:<dpjhew@jumg.com> SIZE=912"
"DEBUG" 4940 "2020-02-16 11:56:34.128" "Spam test: SpamTestDNSBlackLists, Score: 6"
"DEBUG" 4940 "2020-02-16 11:56:34.206" "Spam test: SpamTestHeloHost, Score: 2"
"DEBUG" 4940 "2020-02-16 11:56:34.299" "Spam test: SpamTestMXRecords, Score: 0"
"DEBUG" 4940 "2020-02-16 11:56:34.440" "Spam test: SpamTestSPF, Score: 0"
"DEBUG" 4940 "2020-02-16 11:56:34.440" "Total spam score: 8"
"SMTPD" 4940 4871 "2020-02-16 11:56:34.440" "114.237.180.193" "SENT: 250 OK"
"SMTPD" 4980 4871 "2020-02-16 11:56:35.175" "114.237.180.193" "RECEIVED: RCPT TO:<zambia@******.com>"
"SMTPD" 4980 4871 "2020-02-16 11:56:35.175" "114.237.180.193" "SENT: 250 OK"
"SMTPD" 4940 4871 "2020-02-16 11:56:35.425" "114.237.180.193" "RECEIVED: DATA"
"DEBUG" 4940 "2020-02-16 11:56:35.440" "Executing event OnSMTPData"
"DEBUG" 4940 "2020-02-16 11:56:35.440" "Event completed"
"SMTPD" 4940 4871 "2020-02-16 11:56:35.440" "114.237.180.193" "SENT: 354 OK, send."
"DEBUG" 4940 "2020-02-16 11:56:36.284" "Adding task AsynchronousTask to work queue Asynchronous task queue"
"DEBUG" 4732 "2020-02-16 11:56:36.284" "Executing task AsynchronousTask in work queue Asynchronous task queue"
"DEBUG" 4732 "2020-02-16 11:56:36.284" "SURBL: Execute"
"DEBUG" 4732 "2020-02-16 11:56:36.284" "SURBL: Match not found"
"DEBUG" 4732 "2020-02-16 11:56:36.284" "Spam test: SpamTestSURBL, Score: 0"
"DEBUG" 4732 "2020-02-16 11:56:36.284" "Spam test: SpamTestDKIM, Score: 0"
"DEBUG" 4732 "2020-02-16 11:56:36.284" "Total spam score: 0"
"DEBUG" 4732 "2020-02-16 11:56:36.284" "Saving message: {AA317101-3168-4513-A410-C8A0D7C5287F}.eml"
"DEBUG" 4732 "2020-02-16 11:56:36.284" "Requesting SMTPDeliveryManager to start message delivery"
"SMTPD" 4732 4871 "2020-02-16 11:56:36.284" "114.237.180.193" "SENT: 250 Queued (0.844 seconds)"
"DEBUG" 4792 "2020-02-16 11:56:36.284" "Adding task DeliveryTask to work queue SMTP delivery queue"
"DEBUG" 4836 "2020-02-16 11:56:36.284" "Executing task DeliveryTask in work queue SMTP delivery queue"
"DEBUG" 4836 "2020-02-16 11:56:36.284" "Delivering message..."
"APPLICATION" 4836 "2020-02-16 11:56:36.284" "SMTPDeliverer - Message 157433: Delivering message from dpjhew@jumg.com to zambia@******.com. File: E:\hMailServer\hMailServer\Data\{AA317101-3168-4513-A410-C8A0D7C5287F}.eml"
"DEBUG" 4836 "2020-02-16 11:56:36.300" "Running custom virus scanner..."
"SMTPD" 4940 4871 "2020-02-16 11:56:36.534" "114.237.180.193" "RECEIVED: QUIT"
"SMTPD" 4940 4871 "2020-02-16 11:56:36.534" "114.237.180.193" "SENT: 221 goodbye"
"DEBUG" 4936 "2020-02-16 11:56:36.534" "Ending session 4871"
"DEBUG" 4836 "2020-02-16 11:56:36.644" "Scanner: "C:\Program Files\ESET\ESET Security\ecls.exe" /log-file="E:\hMailServer\hMailServer\Logs\nod32.log" /mailbox /unsafe /unwanted /preserve-time /clean-mode=strict "E:\hMailServer\hMailServer\Data\{AA317101-3168-4513-A410-C8A0D7C5287F}.eml". Return code: 0"
"DEBUG" 4836 "2020-02-16 11:56:36.644" "Applying rules"
"DEBUG" 4836 "2020-02-16 11:56:36.644" "Applying rule SENDER is 163 126 aliyun"
"DEBUG" 4836 "2020-02-16 11:56:36.644" "Performing local delivery"
"DEBUG" 4836 "2020-02-16 11:56:36.675" "Applying rules"
"DEBUG" 4836 "2020-02-16 11:56:36.675" "Forwarding message"
"DEBUG" 4836 "2020-02-16 11:56:36.675" "Copying mail contents"
"DEBUG" 4836 "2020-02-16 11:56:36.675" "Saving message: {3705505C-CC1F-40A6-8C1D-E189074B6019}.eml"
"DEBUG" 4836 "2020-02-16 11:56:36.690" "Local delivery completed"

mattg
Moderator
Posts: 20897
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Script not blocking all domain in the array

Post by mattg » 2020-02-17 07:26

OnAcceptMessage should fire between antivirus and rules

Do you have scripts enabled in hMailServer?
Did you include the above sub in your eventhandlers.vbs?
Is there ONLY one OnAcceptMessage sub in the eventhandlers.vbs?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

kubera86
New user
Posts: 5
Joined: 2019-06-11 07:02

Re: Script not blocking all domain in the array

Post by kubera86 » 2020-02-17 07:57

mattg wrote:
2020-02-17 07:26
OnAcceptMessage should fire between antivirus and rules

Do you have scripts enabled in hMailServer?
YES
Did you include the above sub in your eventhandlers.vbs?
YES inside OnSMTPData
Is there ONLY one OnAcceptMessage sub in the eventhandlers.vbs?
YES and commented empty.
The script above works on other domains except the mentioned 3.
The DELETE Rule also doesn't work on these domains.

jimimaseye
Moderator
Posts: 8644
Joined: 2011-09-08 17:48

Re: Script not blocking all domain in the array

Post by jimimaseye » 2020-02-17 09:50

FROM:<dpjhew@jumg.com
You don't list jumg.com in your block list.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

mattg
Moderator
Posts: 20897
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Script not blocking all domain in the array

Post by mattg » 2020-02-17 10:21

kubera86 wrote:
2020-02-17 07:57
mattg wrote:
2020-02-17 07:26
Did you include the above sub in your eventhandlers.vbs?
YES inside OnSMTPData
That's likely your issue

OnSMTPData is pretty early, and not all of the info is present then.
https://www.hmailserver.com/documentati ... onSMTPdata
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

katip
Senior user
Posts: 757
Joined: 2006-12-22 07:58
Location: Istanbul

Re: Script not blocking all domain in the array

Post by katip » 2020-02-17 14:46

jimimaseye wrote:
2020-02-17 09:50
FROM:<dpjhew@jumg.com
You don't list jumg.com in your block list.

[Entered by mobile. Excuse my spelling.]
OP's problem is From header, i.e. oMessage.From, not FromAddress.
We see lots of Chinese spam which has absurd addresses in FromAddress (Return-Path), such as jrhfhgd@svdfhtx.com, but ...@163.com and ...@126.com in the From header and often in Reply-To too.
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

jimimaseye
Moderator
Posts: 8644
Joined: 2011-09-08 17:48

Re: Script not blocking all domain in the array

Post by jimimaseye » 2020-02-17 15:13

katip wrote:
2020-02-17 14:46
jimimaseye wrote:
2020-02-17 09:50
FROM:<dpjhew@jumg.com
You don't list jumg.com in your block list.

[Entered by mobile. Excuse my spelling.]
OP's problem is From header, i.e. oMessage.From, not FromAddress.
Yes. His script is checking .fromaddress which is jumg.com (and not checking .from which is 126.com)

Therefore...
katip wrote:
2020-02-16 11:22
lookup "From" instead of "FromAddress" or better join both with "OR"
[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

kubera86
New user
Posts: 5
Joined: 2019-06-11 07:02

Re: Script not blocking all domain in the array

Post by kubera86 » 2020-02-17 15:37

jimimaseye wrote:
2020-02-17 15:13
katip wrote:
2020-02-17 14:46
jimimaseye wrote:
2020-02-17 09:50


You don't list jumg.com in your block list.

[Entered by mobile. Excuse my spelling.]
OP's problem is From header, i.e. oMessage.From, not FromAddress.
Yes. His script is checking .fromaddress which is jumg.com (and not checking .from which is 126.com)

Therefore...
katip wrote:
2020-02-16 11:22
lookup "From" instead of "FromAddress" or better join both with "OR"
[Entered by mobile. Excuse my spelling.]
Exactly!

Moved the code from OnSMTPData to OnAcceptMessage Sub and joined the conditions. Will observe again for 24 hours... All of our 85 email accounts are receiving min 300 junks a day in total from those domains. I only learned QBasic and Pascal during my time, hope the code below is correct.

Code:

Sub OnAcceptMessage(oClient, oMessage)
	Dim arrayAccounts(5), C

      '************  Update the Block List array here  *********
      ' Ensure to change the index value in brackets (x) for EACH entry)

      arrayAccounts(0)= "@126.com"      
      arrayAccounts(1)= "@163.com"      
      arrayAccounts(2)= "@aliyun.com"      
      arrayAccounts(3)= "@googlegroups.com"     
      arrayAccounts(4)= "@emailsrvr.com"      
                 'Add more as needed, and ensure count does not exceed DIM attributes for arrayAccounts
   '************ End of Block list array  *************

      for C = 0 to uBound(arrayAccounts)
         If arrayAccounts(C) <> "" then
            If (InStr(1, oMessage.FromAddress, arrayAccounts(C), 1) > 0 OR InStr(1, oMessage.From, arrayAccounts(C), 1) > 0) then
               ' Reject the message   
               eventlog.write(now() & "Incoming email blocked from " & ucase(oMessage.FromAddress) & ". Subject: " & oMessage.Subject )
               Result.Value = 1    ' 1 gives rejection 554 without tailored message
               Exit For
            End If   
         End If   
      Next 'C
End Sub
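
The fix the thread arrives at, checking the header From as well as the envelope sender, written here as an added example that is not code from any poster. It goes a little further by also reading Sender and Reply-To through hMailServer's oMessage.HeaderValue and by comparing parsed domains instead of substrings; BLOCKED_DOMAINS and BlockedDomainIn are hypothetical names.

```vbscript
' Added example, not code from the thread. BLOCKED_DOMAINS and BlockedDomainIn are
' hypothetical names; keep only one OnAcceptMessage sub in EventHandlers.vbs.
Const BLOCKED_DOMAINS = "126.com 163.com aliyun.com googlegroups.com emailsrvr.com"

' Returns the blocked domain found in sText, or "" if none. Every address in
' sText is checked, and a domain matches exactly or as a subdomain.
Function BlockedDomainIn(sText)
    Dim oRe, oMatch, sDomain, sBlocked
    BlockedDomainIn = ""
    Set oRe = CreateObject("VBScript.RegExp")
    oRe.Pattern = "@([A-Za-z0-9.-]+)"
    oRe.Global = True
    For Each oMatch In oRe.Execute(sText)
        sDomain = LCase(oMatch.SubMatches(0))
        For Each sBlocked In Split(BLOCKED_DOMAINS, " ")
            If sDomain = sBlocked Or Right(sDomain, Len(sBlocked) + 1) = "." & sBlocked Then
                BlockedDomainIn = sBlocked
                Exit Function
            End If
        Next
    Next
End Function

Sub OnAcceptMessage(oClient, oMessage)
    Dim arrNames, arrValues, i, sHit
    ' The envelope sender (MAIL FROM) and the headers are set independently by the
    ' sending host, so each one is checked on its own.
    arrNames = Array("MAIL FROM", "From", "Sender", "Reply-To")
    arrValues = Array(oMessage.FromAddress, oMessage.From, _
                      oMessage.HeaderValue("Sender"), oMessage.HeaderValue("Reply-To"))
    For i = 0 To UBound(arrValues)
        sHit = BlockedDomainIn(arrValues(i))
        If sHit <> "" Then
            ' Log which field matched, so the envelope/header mismatch is visible later.
            EventLog.Write Now() & " Blocked " & sHit & " in " & arrNames(i) & _
                           ". Envelope sender: " & oMessage.FromAddress & _
                           ". Subject: " & oMessage.Subject
            Result.Value = 2
            Result.Message = "5.7.1 Sender domain not accepted."
            Exit Sub
        End If
    Next
End Sub
```

Because From, Sender and Reply-To are written by the sending host, a match identifies unwanted mail but says nothing reliable about where it actually came from.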

jimimaseye
Moderator
Posts: 8644
Joined: 2011-09-08 17:48

Re: Script not blocking all domain in the array

Post by jimimaseye » 2020-02-17 15:59

Looks ok.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 3623
Joined: 2006-08-21 15:38
Location: Denmark

Re: Script not blocking all domain in the array

Post by SorenR » 2020-02-17 16:55

mattg wrote:
2020-02-17 07:26
OnAcceptMessage should fire between antivirus and rules
You may want to revisit this...

Code:

' hMailServer Triggers

Sub OnClientConnect(oClient)
End Sub

Sub OnClientLogon(oClient) '<< A bit special, for POP/IMAP it comes after OnClientConnect(). For SMTP it comes after OnHELO()
End Sub

Sub OnHELO(oClient)
End Sub

'*
'*  SPAM test: DNSBlackLists, HeloHost, MXRecords, SPF
'*

Sub OnSMTPData(oClient, oMessage)
End Sub

'*
'*  SPAM test: URIBL, DKIM, SpamAssassin, Saving EML to DATA
'*

Sub OnAcceptMessage(oClient, oMessage)
End Sub

Sub OnDeliveryStart(oMessage)
End Sub

'*
'*  Antivirus check, Global rules
'*

Sub OnDeliverMessage(oMessage)
End Sub

'*
'*  Local rules, Message delivered to recipient(s)
'*

Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
End Sub

Sub OnError(iSeverity, iCode, sSource, sDescription)
End Sub

Sub OnBackupCompleted()
End Sub

Sub OnBackupFailed(sReason)
End Sub

Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
End Sub

' END
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke
