unknown users sending e-mails from our hmailserver

This section contains scripts that hMailServer has contributed. hMailServer 4 is needed to use these.
ali.kalamchi
New user
Posts: 9
Joined: 2020-03-09 12:39

unknown users sending e-mails from our hmailserver

Post by ali.kalamchi » 2020-05-07 11:38

Hi Guys,

I really need some help on this.
We have an hmail server that we use for our OTRS ticketing system, and for our devices (routers, switches, servers, scanners, ... etc) to send notifications.
The problem I see is that there are many unknown users (no account on the server) using this mail server to send spam. I can see many e-mails daily in the queue in the form of SOMEONE@our.domain sending to random addresses.
This is of course causing the mail reputation to drop to poor, and our tickets e-mails to our clients are rejected.
I am trying to obtain the IP addresses of the offending spammers and block them from reaching the server, but this is a losing battle, as there are thousands of them.
Any suggestion on how to check if the account does actually exist in any of the domains defined in the server, and if not, just simply block it/prevent it from sending? Any available script for that?

We do use Auto-ban, and defined IP ranges, but offenders still seem to be able to authenticate and send mails.

I appreciate any help on that.

RvdH
Senior user
Posts: 1084
Joined: 2008-06-27 14:42
Location: Netherlands

Re: unknown users sending e-mails from our hmailserver

Post by RvdH » 2020-05-07 12:43

Without more details it is hard to say what's going on... are you really using hMailServer version 4.x?

If posting here was a mistake and you are running 5.x:
  1. Can you post a piece of the SMTPD logfile where the attacker sends the mail(s)?
  2. Run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914

Was the spammer using the authenticated account's (From) e-mail address? Or just random (non-existing) names?
If it is using random non-existing names, you might try one of those scripts to limit the spammer's ability to use an account other than the authenticated account/domain.

If it is an authenticated sender, the account might be compromised (as well), and I would suggest you change the password for that account immediately.
You can obtain the username by posting a partial log file with the offending sender to https://log.damnation.org.uk/; this shows the username details on the fly, making it easier to find a compromised account.
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

ali.kalamchi
New user
Posts: 9
Joined: 2020-03-09 12:39

Re: unknown users sending e-mails from our hmailserver

Post by ali.kalamchi » 2020-05-07 14:39

Hi,

Thank you very much for the quick response.
Our hmailserver is version 5.6.4-B2283, running on Windows Server 2012r2.

- Was the spammer using the authenticated account's (From) e-mail address? Or just random (non-existing) names?
I see a lot of random-names@our.domain. So the domain looks correct, yet the users are not actual registered accounts.

- If it is using random non-existing names, you might try one of those scripts to limit the spammer's ability to use an account other than the authenticated account/domain.
So basically, I need to copy the script, save it on the server as ANYNAME.vbs along with the other scripts and hit reload scripts, is that correct?

Regards

RvdH
Senior user
Posts: 1084
Joined: 2008-06-27 14:42
Location: Netherlands

Re: unknown users sending e-mails from our hmailserver

Post by RvdH » 2020-05-07 15:42

ali.kalamchi wrote:
2020-05-07 14:39
Hi,

Thank you very much for the quick response.
Our hmailserver is version 5.6.4-B2283, running on Windows Server 2012r2.

- Was the spammer using the authenticated account's (From) e-mail address? Or just random (non-existing) names?
I see a lot of random-names@our.domain. So the domain looks correct, yet the users are not actual registered accounts.
Did the spammer authenticate?
ali.kalamchi wrote:
2020-05-07 14:39
- If it is using random non-existing names, you might try one of those scripts to limit the spammer's ability to use an account other than the authenticated account/domain.
So basically, I need to copy the script, save it on the server as ANYNAME.vbs along with the other scripts and hit reload scripts, is that correct?

Regards
C:\Program Files (x86)\hMailServer\Events\EventHandlers.vbs

If you already have something in 'Sub OnAcceptMessage(oClient, oMessage)' then simply append one of the scripts I posted above.
Otherwise just paste it in there, save and Reload Script.

But unless you are an open relay you have more issues, either with an account password being guessed or a very poor setup.

ali.kalamchi
New user
Posts: 9
Joined: 2020-03-09 12:39

Re: unknown users sending e-mails from our hmailserver

Post by ali.kalamchi » 2020-05-07 15:57

Here is what I have in EventHandlers:

Code:

'   Sub OnClientConnect(oClient)
'   End Sub

'   Sub OnSMTPData(oClient, oMessage)
'   End Sub

'   Sub OnAcceptMessage(oClient, oMessage)
'   End Sub

'   Sub OnDeliveryStart(oMessage)
'   End Sub

'   Sub OnDeliverMessage(oMessage)
'   End Sub

'   Sub OnBackupFailed(sReason)
'   End Sub

'   Sub OnBackupCompleted()
'   End Sub

'   Sub OnError(iSeverity, iCode, sSource, sDescription)
'   End Sub

'   Sub OnDeliveryFailed(oMessage, sRecipient, sErrorMessage)
'   End Sub

'   Sub OnExternalAccountDownload(oFetchAccount, oMessage, sRemoteUID)
'   End Sub

' Custom sub (not one of the hMailServer events listed above): rewrites the sender of
' OTRS-generated mail from the X-OTRS-CUSTOMERUSER= marker inside the body, then
' strips the <OTRS>...</OTRS> block and any blank lines that follow it.
Sub OnChangeCISSender(oMessage)
    oldBody = UCase(oMessage.Body)

    nOtrsBegin = InStr(oldBody, "<OTRS>")
    nOtrsEnd = InStr(oldBody, "</OTRS>")
    nXOtrsCustomerUser = InStr(oldBody, "X-OTRS-CUSTOMERUSER=")

    If nOtrsBegin <> 0 And nOtrsEnd <> 0 And nXOtrsCustomerUser <> 0 Then
        ' Value between "X-OTRS-CUSTOMERUSER=" (20 characters) and "</OTRS>"
        XOtrsCustomer = Mid(oMessage.Body, nXOtrsCustomerUser + 20, nOtrsEnd - nXOtrsCustomerUser - 20)
        oMessage.From = Trim(XOtrsCustomer)
        oMessage.FromAddress = Trim(XOtrsCustomer)

        ' Remaining body starts after "</OTRS>" (7 characters); drop leading CRLF pairs
        Xbody = Mid(oMessage.Body, nOtrsEnd + 7)
        While Left(Xbody, 2) = Chr(13) + Chr(10)
            Xbody = Mid(Xbody, 3)
        Wend

        oMessage.Body = Xbody
    End If
    oMessage.Save
End Sub
So basically, if I understood correctly, I need to copy the script and paste it under Sub OnAcceptMessage(oClient, oMessage), which is currently empty as shown above?

- Did the spammer authenticate?
I am not really sure. However, I see many different random names, so it seems that somehow they are bypassing authentication?

RvdH
Senior user
Posts: 1084
Joined: 2008-06-27 14:42
Location: Netherlands

Re: unknown users sending e-mails from our hmailserver

Post by RvdH » 2020-05-07 16:37

If you keep answering only half or less of the questions I asked, I am not able, nor do I like, to assist you any further; I have better things to do than act like a parrot :?

ali.kalamchi
New user
Posts: 9
Joined: 2020-03-09 12:39

Re: unknown users sending e-mails from our hmailserver

Post by ali.kalamchi » 2020-05-07 17:00

Hey, I'm just trying to figure out how to solve the issue we are having, and I really don't have experience with hMailServer or its scripts/logs, and I have not been offensive, so I'm not sure why you are taking it personally.
I do genuinely need help with the issue.

thanks anyway

RvdH
Senior user
Posts: 1084
Joined: 2008-06-27 14:42
Location: Netherlands

Re: unknown users sending e-mails from our hmailserver

Post by RvdH » 2020-05-07 17:13

RvdH wrote:
2020-05-07 12:43
  1. Can you post a piece of the SMTPD logfile where the attacker sends the mail(s)?
  2. Run this and post the results: https://www.hmailserver.com/forum/viewt ... 20&t=30914

ali.kalamchi
New user
Posts: 9
Joined: 2020-03-09 12:39

Re: unknown users sending e-mails from our hmailserver

Post by ali.kalamchi » 2020-05-07 17:37

Here are some log samples, fake e-mail addresses highlighted:

Code:

"SMTPD"	2080	52721398	"2020-05-07 00:10:46.804"	"171.35.169.187"	"SENT: 220 Welcome to talia.systems."
"SMTPD"	2084	52721398	"2020-05-07 00:10:47.429"	"171.35.169.187"	"RECEIVED: EHLO mail.talia.systems"
"SMTPD"	2084	52721398	"2020-05-07 00:10:47.429"	"171.35.169.187"	"SENT: 250-mail.talia.systems[nl]250-SIZE 100000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	2080	52721398	"2020-05-07 00:10:48.054"	"171.35.169.187"	"RECEIVED: AUTH LOGIN"
"SMTPD"	2080	52721398	"2020-05-07 00:10:48.054"	"171.35.169.187"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	2084	52721398	"2020-05-07 00:10:48.695"	"171.35.169.187"	"RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD"	2084	52721398	"2020-05-07 00:10:48.695"	"171.35.169.187"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	2076	52721398	"2020-05-07 00:10:49.336"	"171.35.169.187"	"RECEIVED: ***"
"SMTPD"	2076	52721398	"2020-05-07 00:10:49.336"	"171.35.169.187"	"SENT: 235 authenticated."
"SMTPD"	2080	52721398	"2020-05-07 00:10:50.007"	"171.35.169.187"	"RECEIVED: MAIL FROM:<leivisonviana@talia.systems>"
"SMTPD"	2080	52721398	"2020-05-07 00:10:50.007"	"171.35.169.187"	"SENT: 250 OK"
"SMTPD"	2076	52721398	"2020-05-07 00:10:50.648"	"171.35.169.187"	"RECEIVED: RCPT TO:<vanderlei-adv@hotmail.com>"
"SMTPD"	2076	52721398	"2020-05-07 00:10:50.648"	"171.35.169.187"	"SENT: 250 OK"
"SMTPD"	2080	52721398	"2020-05-07 00:10:51.320"	"171.35.169.187"	"RECEIVED: DATA"
"SMTPD"	2080	52721398	"2020-05-07 00:10:51.320"	"171.35.169.187"	"SENT: 354 OK, send."
"SMTPD"	1324	52721398	"2020-05-07 00:10:53.023"	"171.35.169.187"	"SENT: 250 Queued (1.664 seconds)"

Code:

"SMTPD"	2080	52721398	"2020-05-07 00:11:11.023"	"171.35.169.187"	"RECEIVED: RCPT TO:<mj@m-jackowski.pl>"
"SMTPD"	2080	52721398	"2020-05-07 00:11:11.039"	"171.35.169.187"	"SENT: 250 OK"
"SMTPD"	2096	52721398	"2020-05-07 00:11:11.680"	"171.35.169.187"	"RECEIVED: DATA"
"SMTPD"	2096	52721398	"2020-05-07 00:11:11.680"	"171.35.169.187"	"SENT: 354 OK, send."
"SMTPD"	1324	52721398	"2020-05-07 00:11:12.570"	"171.35.169.187"	"SENT: 250 Queued (0.896 seconds)"
"SMTPD"	2084	52721398	"2020-05-07 00:11:13.227"	"171.35.169.187"	"RECEIVED: MAIL FROM:<lelek1978@talia.systems>"
"SMTPD"	2084	52721398	"2020-05-07 00:11:13.227"	"171.35.169.187"	"SENT: 250 OK"
"SMTPD"	2096	52721398	"2020-05-07 00:11:13.883"	"171.35.169.187"	"RECEIVED: RCPT TO:<mogilskie@gmail.com>"
"SMTPD"	2096	52721398	"2020-05-07 00:11:13.883"	"171.35.169.187"	"SENT: 250 OK"
"SMTPD"	2084	52721398	"2020-05-07 00:11:14.524"	"171.35.169.187"	"RECEIVED: DATA"
"SMTPD"	2084	52721398	"2020-05-07 00:11:14.524"	"171.35.169.187"	"SENT: 354 OK, send."
"SMTPD"	1324	52721398	"2020-05-07 00:11:15.789"	"171.35.169.187"	"SENT: 250 Queued (1.280 seconds)"

Code:

"SMTPD"	2076	52722122	"2020-05-07 00:22:42.881"	"202.137.155.168"	"SENT: 220 Welcome to talia.systems."
"SMTPD"	2076	52722122	"2020-05-07 00:22:44.772"	"202.137.155.168"	"RECEIVED: EHLO mail.talia.systems"
"SMTPD"	2076	52722122	"2020-05-07 00:22:44.772"	"202.137.155.168"	"SENT: 250-mail.talia.systems[nl]250-SIZE 100000000[nl]250-AUTH LOGIN[nl]250 HELP"
"SMTPD"	2096	52722122	"2020-05-07 00:22:46.912"	"202.137.155.168"	"RECEIVED: AUTH LOGIN"
"SMTPD"	2096	52722122	"2020-05-07 00:22:46.912"	"202.137.155.168"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	2076	52722122	"2020-05-07 00:22:49.819"	"202.137.155.168"	"RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD"	2076	52722122	"2020-05-07 00:22:49.819"	"202.137.155.168"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	2076	52722122	"2020-05-07 00:22:51.600"	"202.137.155.168"	"RECEIVED: ***"
"SMTPD"	2076	52722122	"2020-05-07 00:22:51.600"	"202.137.155.168"	"SENT: 235 authenticated."
"SMTPD"	2080	52722122	"2020-05-07 00:22:52.944"	"202.137.155.168"	"RECEIVED: MAIL FROM:<esi2001@talia.systems>"
"SMTPD"	2080	52722122	"2020-05-07 00:22:52.944"	"202.137.155.168"	"SENT: 250 OK"
"SMTPD"	2076	52722122	"2020-05-07 00:22:54.710"	"202.137.155.168"	"RECEIVED: RCPT TO:<jameshawkins21@hotmail.co.uk>"
"SMTPD"	2076	52722122	"2020-05-07 00:22:54.710"	"202.137.155.168"	"SENT: 250 OK"
"SMTPD"	2076	52722122	"2020-05-07 00:22:56.852"	"202.137.155.168"	"RECEIVED: DATA"
"SMTPD"	2076	52722122	"2020-05-07 00:22:56.852"	"202.137.155.168"	"SENT: 354 OK, send."
"SMTPD"	1324	52722122	"2020-05-07 00:23:09.258"	"202.137.155.168"	"SENT: 250 Queued (12.416 seconds)"
"SMTPD"	2076	52722122	"2020-05-07 00:23:09.961"	"202.137.155.168"	"RECEIVED: MAIL FROM:<esi2001@talia.systems>"
"SMTPD"	2076	52722122	"2020-05-07 00:23:09.961"	"202.137.155.168"	"SENT: 250 OK"
"SMTPD"	2080	52722122	"2020-05-07 00:23:10.992"	"202.137.155.168"	"RECEIVED: RCPT TO:<JAuletta@mba-it.net>"
"SMTPD"	2080	52722122	"2020-05-07 00:23:10.992"	"202.137.155.168"	"SENT: 250 OK"
"SMTPD"	2096	52722122	"2020-05-07 00:23:11.602"	"202.137.155.168"	"RECEIVED: DATA"
"SMTPD"	2096	52722122	"2020-05-07 00:23:11.617"	"202.137.155.168"	"SENT: 354 OK, send."
The above are a few examples.
Attached is the diagnostic file.

Thanks
Attachments
HMSDiagnostic_202005071515.zip

ali.kalamchi
New user
Posts: 9
Joined: 2020-03-09 12:39

Re: unknown users sending e-mails from our hmailserver

Post by ali.kalamchi » 2020-05-07 17:39

Sorry, changing the font color didn't work. Below are examples of the fake accounts from the posted log:

leivisonviana@talia.systems
lelek1978@talia.systems
esi2001@talia.systems

We don't have any of those accounts within our talia.systems domain.

SorenR
Senior user
Posts: 3620
Joined: 2006-08-21 15:38
Location: Denmark

Re: unknown users sending e-mails from our hmailserver

Post by SorenR » 2020-05-07 18:32

You may want to change the password for nas@talia.systems !
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

RvdH
Senior user
Posts: 1084
Joined: 2008-06-27 14:42
Location: Netherlands

Re: unknown users sending e-mails from our hmailserver

Post by RvdH » 2020-05-07 18:55

SorenR wrote:
2020-05-07 18:32
You may want to change the password for nas@talia.systems !
We have got a winner... might also be a good time to check the system (NAS device?) for malware or unwanted external access.

ali.kalamchi
New user
Posts: 9
Joined: 2020-03-09 12:39

Re: unknown users sending e-mails from our hmailserver

Post by ali.kalamchi » 2020-05-07 19:14

Hi,

Many thanks. Will do and watch the situation. Yes, it is a NAS device. In the worst case I might even stop it from accessing the mail server at this point.
May I ask how you specified exactly which account might be causing the issue?

regards

RvdH
Senior user
Posts: 1084
Joined: 2008-06-27 14:42
Location: Netherlands

Re: unknown users sending e-mails from our hmailserver

Post by RvdH » 2020-05-07 19:27

ali.kalamchi wrote:
2020-05-07 19:14
Hi,

Many thanks. Will do and watch the situation. Yes, it is a NAS device. In the worst case I might even stop it from accessing the mail server at this point.
May I ask how you specified exactly which account might be causing the issue?

regards

Code:

"SMTPD"	2080	52721398	"2020-05-07 00:10:48.054"	"171.35.169.187"	"RECEIVED: AUTH LOGIN"
"SMTPD"	2080	52721398	"2020-05-07 00:10:48.054"	"171.35.169.187"	"SENT: 334 VXNlcm5hbWU6"
"SMTPD"	2084	52721398	"2020-05-07 00:10:48.695"	"171.35.169.187"	"RECEIVED: bmFzQHRhbGlhLnN5c3RlbXM="
"SMTPD"	2084	52721398	"2020-05-07 00:10:48.695"	"171.35.169.187"	"SENT: 334 UGFzc3dvcmQ6"
"SMTPD"	2076	52721398	"2020-05-07 00:10:49.336"	"171.35.169.187"	"RECEIVED: ***"
"SMTPD"	2076	52721398	"2020-05-07 00:10:49.336"	"171.35.169.187"	"SENT: 235 authenticated."
Copy/paste the above log part into: https://log.damnation.org.uk/

It decodes the base64-encoded username.
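For anyone who would rather do this offline than paste server logs into a web tool, here is an added Python example (not from the thread and not part of hMailServer) that does what the post above describes: it groups SMTPD log lines by session id, decodes the base64 reply to the "334 VXNlcm5hbWU6" (Username:) prompt, and reports, per authenticated account, the envelope senders that were not that account, which is the same mismatch the OnAcceptMessage scripts mentioned earlier in the thread reject at accept time. The sample log lines are constructed in the thread's tab-separated shape with placeholder IPs and addresses.

```python
import base64, binascii, re

# Constructed SMTPD log sample (thread's tab-separated shape; placeholder IPs/addresses)
SAMPLE_LOG = """\
"SMTPD"\t2080\t52721398\t"2020-05-07 00:10:48.054"\t"192.0.2.10"\t"SENT: 334 VXNlcm5hbWU6"
"SMTPD"\t2084\t52721398\t"2020-05-07 00:10:48.695"\t"192.0.2.10"\t"RECEIVED: bmFzQGV4YW1wbGUuY29t"
"SMTPD"\t2076\t52721398\t"2020-05-07 00:10:49.336"\t"192.0.2.10"\t"SENT: 235 authenticated."
"SMTPD"\t2080\t52721398\t"2020-05-07 00:10:50.007"\t"192.0.2.10"\t"RECEIVED: MAIL FROM:<spam1@example.com>"
"SMTPD"\t2084\t52721398\t"2020-05-07 00:11:13.227"\t"192.0.2.10"\t"RECEIVED: MAIL FROM:<spam2@example.com>"
"SMTPD"\t2096\t52722122\t"2020-05-07 00:22:46.912"\t"198.51.100.7"\t"SENT: 334 VXNlcm5hbWU6"
"SMTPD"\t2076\t52722122\t"2020-05-07 00:22:49.819"\t"198.51.100.7"\t"RECEIVED: bmFzQGV4YW1wbGUuY29t"
"SMTPD"\t2076\t52722122\t"2020-05-07 00:22:51.600"\t"198.51.100.7"\t"SENT: 235 authenticated."
"SMTPD"\t2080\t52722122\t"2020-05-07 00:22:52.944"\t"198.51.100.7"\t"RECEIVED: MAIL FROM:<nas@example.com>"
"""
USERNAME_PROMPT = "SENT: 334 VXNlcm5hbWU6"  # VXNlcm5hbWU6 is base64("Username:")
MAIL_FROM = re.compile(r"RECEIVED: MAIL FROM:<([^>]*)>", re.IGNORECASE)

def decode_username(token):
    """Decode the client's base64 reply to the Username: prompt; None if not base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def analyze(log_text):
    """Per authenticated account: source IPs and envelope senders that are not that account."""
    sessions = {}
    for line in log_text.splitlines():
        f = [x.strip('"') for x in line.split("\t")]  # fields: comp, thread, session, time, ip, msg
        if len(f) < 6 or f[0] != "SMTPD":
            continue
        sid, ip, msg = f[2], f[4], f[5]
        s = sessions.setdefault(sid, {"ip": ip, "user": None, "authed": False, "expect": False, "senders": []})
        if msg == USERNAME_PROMPT:
            s["expect"] = True                      # next RECEIVED line carries the username
        elif s["expect"] and msg.startswith("RECEIVED: "):
            s["user"], s["expect"] = decode_username(msg[10:]), False
        elif msg == "SENT: 235 authenticated.":
            s["authed"] = True
        elif s["authed"] and MAIL_FROM.match(msg):
            s["senders"].append(MAIL_FROM.match(msg).group(1).lower())
    report = {}
    for s in sessions.values():
        if s["authed"] and s["user"]:
            for sender in s["senders"]:
                if sender != s["user"].lower():     # MAIL FROM is not the account that logged in
                    e = report.setdefault(s["user"], {"ips": set(), "spoofed": set()})
                    e["ips"].add(s["ip"]); e["spoofed"].add(sender)
    return report
```

Run `analyze(open("hmailserver_smtpd.log").read())` against a real SMTPD log to get the same answer the thread reached (one account, here nas@example.com, sending as addresses that do not exist), plus the IPs it was used from.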

ali.kalamchi
New user
Posts: 9
Joined: 2020-03-09 12:39

Re: unknown users sending e-mails from our hmailserver

Post by ali.kalamchi » 2020-05-07 20:05

Many thanks. I really do appreciate the help.
I have completely disabled this account for tonight. Will monitor the server and see how it goes.

have a nice evening :)
