I am thinking that this should not be allowed

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

I am thinking that this should not be allowed

Post by DrmCa » 2020-12-23 20:00

This spammer is essentially DDOSing my server. I only noticed because I tried to load this log file into a database and it failed due to the primary key violation. Good thing it did because otherwise I would not have known.

Code:

"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38870"
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Creating session 38938"
"TCPIP"	7332	"2020-12-21 13:46:17.037"	"TCP - 216.118.251.2 connected to 192.168.1.3:110."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38937"
They managed to get another connection attempt within the same millisecond. If hMailServer knows to bounce them, it should not be instantaneous. There should be some cooling off period.
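Parsing the log format quoted above to measure exactly this is straightforward; the following is an added example, not code from the post or from hMailServer. It parses the tab-separated hMailServer records (level, thread id, timestamp, message), collects the "was not accepted" events per client IP, and reports the smallest gap between two rejections plus how many rejections share a timestamp with an earlier one, which is what trips a timestamp primary key. The sample lines are constructed from the ones in the post, with one extra rejection three seconds later.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the log lines in the post: the same client is
# rejected twice with an identical timestamp and once more three seconds later.
SAMPLE_LOG = (
    '"DEBUG"\t7332\t"2020-12-21 13:46:17.037"\t"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."\n'
    '"DEBUG"\t7332\t"2020-12-21 13:46:17.037"\t"Ending session 38870"\n'
    '"DEBUG"\t7332\t"2020-12-21 13:46:17.037"\t"Creating session 38938"\n'
    '"TCPIP"\t7332\t"2020-12-21 13:46:17.037"\t"TCP - 216.118.251.2 connected to 192.168.1.3:110."\n'
    '"DEBUG"\t7332\t"2020-12-21 13:46:17.037"\t"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."\n'
    '"DEBUG"\t7332\t"2020-12-21 13:46:17.037"\t"Ending session 38937"\n'
    '"TCPIP"\t7332\t"2020-12-21 13:46:19.512"\t"TCP - 198.51.100.7 connected to 192.168.1.3:25."\n'
    '"DEBUG"\t7332\t"2020-12-21 13:46:20.037"\t"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."\n'
)

# One hMailServer log record: "LEVEL" <tab> thread <tab> "timestamp" <tab> "message"
LINE_RE = re.compile(r'^"(?P<level>[A-Z]+)"\t(?P<thread>\d+)\t"(?P<ts>[^"]+)"\t"(?P<msg>.*)"$')
BLOCKED_RE = re.compile(r"Client connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) was not accepted")


def parse_line(line):
    """Return (level, thread, timestamp, message), or None for an unparseable line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    return m["level"], int(m["thread"]), ts, m["msg"]


def blocked_events(log_text):
    """Yield (timestamp, ip) for every rejected connection in the log."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        m = BLOCKED_RE.search(parsed[3])
        if m:
            yield parsed[2], m["ip"]


def rejection_report(log_text):
    """Per IP: total rejections, smallest gap between two rejections in ms,
    and how many rejections share a timestamp with an earlier one (the
    duplicates that break a timestamp primary key)."""
    by_ip = defaultdict(list)
    for ts, ip in blocked_events(log_text):
        by_ip[ip].append(ts)
    report = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        gaps = [(b - a) / timedelta(milliseconds=1) for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "total": len(stamps),
            "min_gap_ms": min(gaps) if gaps else None,
            "same_ms_repeats": len(stamps) - len(set(stamps)),
        }
    return report
```

A `same_ms_repeats` above zero is the signal that a per-IP rate limit rather than a unique timestamp is the right key for a connection log.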

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-23 20:27

DrmCa wrote:
2020-12-23 20:00
This spammer is essentially DDOSing my server. I only noticed because I tried to load this log file into a database and it failed due to the primary key violation. Good thing it did because otherwise I would not have known.

Code:

"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38870"
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Creating session 38938"
"TCPIP"	7332	"2020-12-21 13:46:17.037"	"TCP - 216.118.251.2 connected to 192.168.1.3:110."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38937"
They managed to get another connection attempt within the same millisecond. If hMailServer knows to bounce them, it should not be instantaneous. There should be some cooling off period.
Do some searching on the forum... I made an IDS scripting with a database and an external handler run by scheduler and Palinka wrapped his Firewall control around it. It's all there if you search ;-)
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

RvdH
Senior user
Posts: 1214
Joined: 2008-06-27 14:42
Location: Netherlands

Re: I am thinking that this should not be allowed

Post by RvdH » 2020-12-23 20:45

SorenR wrote:
2020-12-23 20:27
DrmCa wrote:
2020-12-23 20:00
This spammer is essentially DDOSing my server. I only noticed because I tried to load this log file into a database and it failed due to the primary key violation. Good thing it did because otherwise I would not have known.

Code:

"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38870"
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Creating session 38938"
"TCPIP"	7332	"2020-12-21 13:46:17.037"	"TCP - 216.118.251.2 connected to 192.168.1.3:110."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Client connection from 216.118.251.2 was not accepted. Blocked either by IP range or by connection limit."
"DEBUG"	7332	"2020-12-21 13:46:17.037"	"Ending session 38937"
They managed to get another connection attempt within the same millisecond. If hMailServer knows to bounce them, it should not be instantaneous. There should be some cooling off period.
Do some searching on the forum... I made an IDS scripting with a database and an external handler run by scheduler and Palinka wrapped his Firewall control around it. It's all there if you search ;-)
How does that help him with simultaneous connections like this?

@DrmCa
Force disconnect (all instances) of that IP after 1st ban
https://www.hmailserver.com/forum/viewt ... 67#p206167
https://www.hmailserver.com/forum/viewt ... 42#p206842
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-23 21:01

IIRC one of the versions of IDS had my AutoBan "Disconnect" function that is using CPorts https://www.nirsoft.net/utils/cports.html to disconnect all connections from one IP address in one go.

OTOH if using Palinka's edition the IP address is blocked in firewall... Should be pretty terminal for the bot ;-)
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

RvdH
Senior user
Posts: 1214
Joined: 2008-06-27 14:42
Location: Netherlands

Re: I am thinking that this should not be allowed

Post by RvdH » 2020-12-23 21:08

SorenR wrote:
2020-12-23 21:01
OTOH if using Palinka's edition the IP address is blocked in firewall... Should be pretty terminal for the bot ;-)
Even then simultaneous connections are possible before they get banned on firewall level :?: :!:

@DrmCa

Be warned, disconnect.exe or CPorts, will kill all instances of that ip...also the ones connected to other services, use with caution
CIDR to RegEx: d-fault.nl/CIDRtoRegEx
DNS Lookup: d-fault.nl/DNSTools
DNSBL Lookup: d-fault.nl/DNSBLLookup
GEOIP Lookup: d-fault.nl/GeoipLookup

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-24 00:19

RvdH wrote:
2020-12-23 21:08
SorenR wrote:
2020-12-23 21:01
OTOH if using Palinka's edition the IP address is blocked in firewall... Should be pretty terminal for the bot ;-)
Even then simultaneous connections are possible before they get banned on firewall level :?: :!:

@DrmCa

Be warned, disconnect.exe or CPorts, will kill all instances of that ip...also the ones connected to other services, use with caution
Well... On my server it's 3 strikes and you are out! I run a 180 minute moving window - any SMTP connect not sending an email counts.

Actually, with all my "weird stuff" in Eventhandlers.vbs I have switched off the built in AutoBan. It was not flexible enough for my use.

My own AutoBan is now banning two servers simultaneously using a homebrew of a RESTful API and it works both ways between the two servers.

I have two Internet connections and this is a quick and dirty solution to be able to send and receive on both without using an intermediate router - which I may end up installing anyways from a network perspective.
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
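The rule described above (three strikes inside a 180-minute moving window, where an SMTP session that sends no mail is a strike) modelled in stand-alone Python; this is an added example, not SorenR's Eventhandlers.vbs or anything from hMailServer. Session records are constructed tuples of (timestamp, ip, mails_sent); the same counter can be fed failures from other protocols by treating them as strikes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=180)   # the 180-minute moving window from the post
STRIKES = 3                       # "3 strikes and you are out"


class StrikeTracker:
    """Counts strikes per IP inside a moving window and bans at the threshold."""

    def __init__(self, window=WINDOW, strikes=STRIKES):
        self.window, self.strikes = window, strikes
        self._hits = defaultdict(deque)   # ip -> strike timestamps, oldest first
        self.banned = {}                  # ip -> time the ban was issued

    def _expire(self, ip, now):
        # Drop strikes older than the window so only recent behaviour counts.
        q = self._hits[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def record(self, ts, ip, mails_sent):
        """Feed one finished SMTP session; return True if it triggered a ban."""
        if ip in self.banned or mails_sent > 0:   # already banned, or a real delivery
            return False
        self._expire(ip, ts)
        self._hits[ip].append(ts)
        if len(self._hits[ip]) >= self.strikes:
            self.banned[ip] = ts
            return True
        return False


def replay(sessions, tracker=None):
    """Run (timestamp, ip, mails_sent) records through a tracker; return banned IPs."""
    if tracker is None:
        tracker = StrikeTracker()
    for ts, ip, mails in sorted(sessions):
        tracker.record(ts, ip, mails)
    return set(tracker.banned)


T0 = datetime(2020, 12, 21, 13, 0, 0)
# Constructed sessions: a bot that never sends mail (banned on the third strike),
# a bot whose strikes are spread wider than the window (the first has aged out
# by the third), and a legitimate client whose delivery is not a strike.
SESSIONS = [
    (T0, "203.0.113.9", 0),
    (T0 + timedelta(minutes=10), "203.0.113.9", 0),
    (T0 + timedelta(minutes=20), "203.0.113.9", 0),
    (T0, "198.51.100.7", 0),
    (T0 + timedelta(minutes=100), "198.51.100.7", 0),
    (T0 + timedelta(minutes=190), "198.51.100.7", 0),
    (T0, "192.0.2.5", 1),
    (T0 + timedelta(minutes=1), "192.0.2.5", 0),
    (T0 + timedelta(minutes=2), "192.0.2.5", 0),
]
```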

jim.bus
Senior user
Posts: 630
Joined: 2011-05-28 11:49
Location: US

Re: I am thinking that this should not be allowed

Post by jim.bus » 2020-12-24 02:06

I don't know if this would work in this situation but my ASUS Router Firewall has a Denial Of Service (DOS) function built into the Router Firmware. If it would work then perhaps he should confirm if his Router has a similar DOS Function.

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-24 03:22

Not sure Routers can do Layer 7 DDOS protection... Most common are Layer 3 and Layer 4 like TCP-SYN floods, UDP floods, and ICMP attacks.

https://blog.radware.com/security/2016/ ... ive-apdos/

Actually, poking around the Interweb I came across this reply to a basic question about DDOS protection for SMTP ...
One of the difficulties in securing SMTP lies in the protocol itself, specifically the admonitions in RFC 5321 which give proscriptions on timing out a session. A faithful implementation provides no facility for timing a session out. Ideally one would want to ignore those recommendations, and set a session timeout for the mail session. This will prevent for example any attacks where long delays are used to send data character by character with large mail sizes. For example if you have a mail server with a 10MB mail size limit, it is fairly easy to write a script which delivers a fake mail to your server and writes a Lorem Ipsum message, one character at a time up to the 10MB limit, but delaying each character by 1 - 2 minutes. Theoretically without a session limit such a mail session could run around 10 million minutes. So now run a script that simply starts bots that do this from hundreds of places on the web, and pretty soon the bots will have all your connections tied up (assuming you have connection limits, or are using a connection pool).

Ideally, one would set up a timer from the time the DATA command was issued to the time that the "CRLF . CRLF" was issued. Something like 5 minutes or so for the whole data to transmit should be reasonable. And violate the RFC and simply drop the connection if it exceeds that timeout. Well behaved clients will never come close to that limit and even people using the command line terminal ought to be able to send data within that time frame presuming they know how to type.
A read-worthy document:
https://www.crysys.hu/publications/file ... R07cts.pdf

It turns out my server is reasonably safe. I do not allow sending or relaying mail without authentication. Authentication is limited to Danish realms via GEOIP. SMTP connections not resulting in emails are banned. Firewall ban would be preferred but server is W2K3 Server R2 and that firewall sux ;-)

So, I'll leave the Layer 3 and Layer 4 DDOS to the routers. ;-)
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.
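The mitigation in the quoted reply, a single deadline for the whole DATA phase rather than a per-read idle timeout, as an added example in Python (not hMailServer code, and not the quoted author's). A one-element list holding a datetime stands in for the clock and a scripted list of (delay, bytes) chunks stands in for the socket, so the slow-drip case and the normal case both run offline; the 5-minute budget and 10 MB size limit are the figures from the quote.

```python
from datetime import datetime, timedelta


class DataPhaseTimeout(Exception):
    """Raised when the DATA phase outlives its total time budget."""


def read_data_phase(chunks, clock, budget=timedelta(minutes=5), max_size=10 * 1024 * 1024):
    """Collect message data until <CRLF>.<CRLF>, enforcing one deadline for the
    whole phase. `chunks` yields (delay_before_chunk, bytes); `clock` is a
    one-element list holding a datetime so time can be driven deterministically."""
    deadline = clock[0] + budget           # started when DATA was accepted
    buf = bytearray(b"\r\n")               # seed so an immediate ".\r\n" terminates
    for delay, data in chunks:
        clock[0] += delay                  # time the client spent before this chunk
        if clock[0] > deadline:
            raise DataPhaseTimeout("DATA phase exceeded %s" % budget)
        buf += data
        if len(buf) - 2 > max_size:
            raise ValueError("message exceeds size limit")
        # Only the tail can hold a terminator that ends with the new bytes.
        start = max(0, len(buf) - len(data) - 4)
        end = buf.find(b"\r\n.\r\n", start)
        if end != -1:
            return bytes(buf[2:end])       # body without the terminator
    raise ConnectionError("client closed before terminating DATA")


def simulate(chunks, budget_seconds=300):
    """Run a scripted client against the deadline; return ("ok", body) or ("dropped", None)."""
    clock = [datetime(2020, 12, 24, 3, 22, 0)]
    try:
        return "ok", read_data_phase(iter(chunks), clock, timedelta(seconds=budget_seconds))
    except DataPhaseTimeout:
        return "dropped", None


# Constructed clients: one sends the whole body at once; the other drips one
# byte every 90 s, so a per-read idle timeout of 120 s would never fire but
# the 5-minute phase budget does.
NORMAL_CLIENT = [(timedelta(seconds=1), b"Subject: hi\r\n\r\nhello\r\n.\r\n")]
SLOW_CLIENT = [(timedelta(seconds=90), bytes([c])) for c in b"Lorem ipsum dolor"]
SLOW_CLIENT.append((timedelta(seconds=90), b"\r\n.\r\n"))
```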

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-24 03:26

SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

jim.bus
Senior user
Posts: 630
Joined: 2011-05-28 11:49
Location: US

Re: I am thinking that this should not be allowed

Post by jim.bus » 2020-12-24 03:31

SorenR wrote:
2020-12-24 03:22
Not sure Routers can do Layer 7 DDOS protection... Most common are Layer 3 and Layer 4 like TCP-SYN floods, UDP floods, and ICMP attacks.

To your point, my ASUS Router (RT-AC5300) specifies it protects for DoS not DDoS attacks.

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-24 03:48

jim.bus wrote:
2020-12-24 03:31
SorenR wrote:
2020-12-24 03:22
Not sure Routers can do Layer 7 DDOS protection... Most common are Layer 3 and Layer 4 like TCP-SYN floods, UDP floods, and ICMP attacks.

To your point, my ASUS Router (RT-AC5300) specifies it protects for DoS not DDoS attacks.
DoS is Denial of Service, DDoS is Distributed Denial of Service AKA more than one mother f.... :wink:
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

palinka
Senior user
Posts: 2476
Joined: 2017-09-12 17:57

Re: I am thinking that this should not be allowed

Post by palinka » 2020-12-24 16:17

RvdH wrote:
2020-12-23 21:08
Be warned, disconnect.exe or CPorts, will kill all instances of that ip...also the ones connected to other services, use with caution
Yep. Bad idea to use it on localhost. :lol:

(Ask me how I know. Nah, don't ask! :mrgreen: )

palinka
Senior user
Posts: 2476
Joined: 2017-09-12 17:57

Re: I am thinking that this should not be allowed

Post by palinka » 2020-12-24 16:19

SorenR wrote:
2020-12-23 20:27
Do some searching on the forum... I made an IDS scripting with a database and an external handler run by scheduler
Can attest! This IDS is both simple and brilliant.

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: I am thinking that this should not be allowed

Post by DrmCa » 2020-12-24 22:25

The algorithm should be very simple: if the server determines that there is a rule that bans this IP, do not return right away and wait for X number of milliseconds instead. This would slow down their hacking rate many times.

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-25 01:26

DrmCa wrote:
2020-12-24 22:25
The algorithm should be very simple: if the server determines that there is a rule that bans this IP, do not return right away and wait for X number of milliseconds instead. This would slow down their hacking rate many times.
hMailServer 5.6.8 ... hMailServer.ini
[Settings]
BlockedIPHoldSeconds=10
; Number of seconds to wait before dropping the connection of an IP range banned IP
; Default is 0 or disabled if not defined
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-25 02:04

SorenR wrote:
2020-12-24 03:22
Ideally, one would set up a timer from the time the DATA command was issued to the time that the "CRLF . CRLF" was issued. Something like 5 minutes or so for the whole data to transmit should be reasonable. And violate the RFC and simply drop the connection if it exceeds that timeout. Well behaved clients will never come close to that limit and even people using the command line terminal ought to be able to send data within that time frame presuming they know how to type.
Poking around the 5.6.8 source code I found this in the [settings] section of the hmailserver.ini:

;SMTPCMinTimeout=90
; 30 seconds is default

;SMTPCMaxTimeout=600
; 600 seconds is default

My server got

SMTPCMaxTimeout=120

That's 2 minutes ... :mrgreen:
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

DrmCa
Normal user
Posts: 112
Joined: 2011-02-14 21:30

Re: I am thinking that this should not be allowed

Post by DrmCa » 2020-12-25 20:10

I did not know that .INI file was a thing and only ever used the Admin UI.
I guess they are creating multiple simultaneous connections from the same IP then. Can this be blocked too?

jimimaseye
Moderator
Posts: 8917
Joined: 2011-09-08 17:48

Re: I am thinking that this should not be allowed

Post by jimimaseye » 2020-12-25 21:36

SorenR wrote:
2020-12-25 02:04
SorenR wrote:
2020-12-24 03:22
Ideally, one would set up a timer from the time the DATA command was issued to the time that the "CRLF . CRLF" was issued. Something like 5 minutes or so for the whole data to transmit should be reasonable. And violate the RFC and simply drop the connection if it exceeds that timeout. Well behaved clients will never come close to that limit and even people using the command line terminal ought to be able to send data within that time frame presuming they know how to type.
Poking around the 5.6.8 source code I found this in the [settings] section of the hmailserver.ini:

;SMTPCMinTimeout=90
; 30 seconds is default

;SMTPCMaxTimeout=600
; 600 seconds is default

My server got

SMTPCMaxTimeout=120

That's 2 minutes ... :mrgreen:
As listed here: https://www.hmailserver.com/forum/viewt ... 10&t=30900

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-26 23:36

SorenR wrote:
2020-12-24 00:19
RvdH wrote:
2020-12-23 21:08
Even then simultaneous connections are possible before they get banned on firewall level :?: :!:

@DrmCa

Be warned, disconnect.exe or CPorts, will kill all instances of that ip...also the ones connected to other services, use with caution
Well... On my server it's 3 strikes and you are out! I run a 180 minute moving window - any SMTP connect not sending an email counts.

Actually, with all my "weird stuff" in Eventhandlers.vbs I have switched off the built in AutoBan. It was not flexible enough for my use.
Just remembered ... I modified my IDS to include ALL ports and ALL protocols ... SMTP not sending email x3 = BAN, POP3/IMAP not authenticating x3 = BAN.

Yeah I know ... Too much wine/glögg/moonshine ;-)

Yuletide begins at December 21st and ends January 1st and is in its simplicity an eating and drinking orxx... nah ... feast. :mrgreen:
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

jimimaseye
Moderator
Posts: 8917
Joined: 2011-09-08 17:48

Re: I am thinking that this should not be allowed

Post by jimimaseye » 2020-12-26 23:44

*hic*

Yep.

*hic* 🥂 🍻
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

palinka
Senior user
Posts: 2476
Joined: 2017-09-12 17:57

Re: I am thinking that this should not be allowed

Post by palinka » 2020-12-30 00:23

SorenR wrote:
2020-12-26 23:36
Just remembered ... I modified my IDS to include ALL ports and ALL protocols ... SMTP not sending email x3 = BAN, POP3/IMAP not authenticating x3 = BAN.
I noticed that it's botnets that try guessing passwords and because I collect statistics on my firewall ban project, it's a rare occasion indeed that a bot returns. These botnets are YUUUUGE.

SorenR
Senior user
Posts: 4195
Joined: 2006-08-21 15:38
Location: Denmark

Re: I am thinking that this should not be allowed

Post by SorenR » 2020-12-30 02:47

palinka wrote:
2020-12-30 00:23
SorenR wrote:
2020-12-26 23:36
Just remembered ... I modified my IDS to include ALL ports and ALL protocols ... SMTP not sending email x3 = BAN, POP3/IMAP not authenticating x3 = BAN.
I noticed that it's botnets that try guessing passwords and because I collect statistics on my firewall ban project, it's a rare occasion indeed that a bot returns. These botnets are YUUUUGE.
Well, if a BOT tries to authenticate outside the Danish realm it is a guaranteed instant BAN on my system.

One of the reasons I modified "OnClientLogon" to show passwords was to trace BOTs based on the idea that IF the BOT is using a hacked password it would be the same every time... I am seeing a mix of BOTs pairing accounts with passwords and BOTs appearing to have a list a mile long.

I have found one or two accounts that had their password changed in the nick of time... https://haveibeenpwned.com/ is a useful source ;-)

They have a neat API https://haveibeenpwned.com/API/v3 that I just might find some use for as I do get to see every password on my system eventually :shock:
One use could be to let the account know when and if their password has become unsafe 8)
SørenR.

Algorithm (noun.)
Word used by programmers when they do not want to explain what they did.

mattg
Moderator
Posts: 21268
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: I am thinking that this should not be allowed

Post by mattg » 2020-12-30 03:41

SorenR wrote:
2020-12-30 02:47
One use could be to let the account know when and if their password has become unsafe 8)
Google is doing this

In chrome, go to settings >> passwords and they will show you any username / password combos that are unsafe. I assume from the same list
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
