Problem on server

  • Question

  • Hi,
    People were trying to make use of my domain and email server to send out email. Please see the log details below, which show that they even created user accounts on my domain. How do I remove the user accounts from my domain, as I cannot find such user accounts within my Active Directory?

    "DEBUG"	3740	"2019-06-18 01:57:10.790"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.791"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.792"	"185.222.211.12"	"RECEIVED: RCPT TO:<dean@abc.co>"
    "DEBUG"	3740	"2019-06-18 01:57:10.799"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.801"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.802"	"185.222.211.12"	"RECEIVED: RCPT TO:<victoria@abc.co>"
    "DEBUG"	3740	"2019-06-18 01:57:10.809"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.811"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.812"	"185.222.211.12"	"RECEIVED: RCPT TO:<alexandra@abc.co>"
    "DEBUG"	3740	"2019-06-18 01:57:10.819"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.821"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.821"	"185.222.211.12"	"RECEIVED: RCPT TO:<customercare@abc.co>"
    "DEBUG"	3740	"2019-06-18 01:57:10.829"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.830"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.831"	"185.222.211.12"	"RECEIVED: RCPT TO:<barry@abc.co>"
    "DEBUG"	3740	"2019-06-18 01:57:10.838"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.839"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.840"	"185.222.211.12"	"RECEIVED: RCPT TO:<diego@abc.co>"
    "DEBUG"	3740	"2019-06-18 01:57:10.847"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.849"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.850"	"185.222.211.12"	"RECEIVED: RCPT TO:<macromedia@abc.co>"
    "DEBUG"	3740	"2019-06-18 01:57:10.857"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.858"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.859"	"185.222.211.12"	"RECEIVED: RCPT TO:<nfe@abc.co>"
    "DEBUG"	3740	"2019-06-18 01:57:10.866"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.867"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3724	228	"2019-06-18 01:57:10.869"	"185.222.211.12"	"RECEIVED: RCPT TO:<joel@abc.co>"
    "DEBUG"	3724	"2019-06-18 01:57:10.876"	"AWStats::LogDeliveryFailure"
    "SMTPD"	3724	228	"2019-06-18 01:57:10.878"	"185.222.211.12"	"SENT: 550 Unknown user"
    "SMTPD"	3740	228	"2019-06-18 01:57:10.879"	"185.222.211.12"	"RECEIVED: RCPT TO:<louise@abc.co>"


    Many Thanks & Best Regards, Hua Min

    Tuesday, June 18, 2019 9:35 AM

All replies

  • I don't see anything in your post that looks like "they even created user accounts on my domain". Just a bunch of send errors.

    Is your SMTP server configured to allow anonymous access? You need to require users to authenticate to the SMTP server. 

     If user accounts (email accounts?) were created, you will need to describe your SMTP environment before someone who has experience with that software can help you.  
    Tuesday, June 18, 2019 11:39 AM
  • Hi,
    I cannot find the relevant user accounts (in the list above) in my AD. It seems other people are sending out messages using my server. How do I stop this? I only allow a specific IP to be used as the local IP address (within the firewall rule). Is that enough?


    Many Thanks & Best Regards, Hua Min

    Wednesday, June 19, 2019 6:41 AM
  • Spammers are likely using your SMTP system as a relay. Are you using Exchange, IIS SMTP, or 3rd party software? No one can help you until you provide more information about your software environment. 
    Wednesday, June 19, 2019 11:35 AM
  • Hi,

    I'm using hMailserver.


    Many Thanks & Best Regards, Hua Min

    Thursday, June 20, 2019 12:16 PM
  • You will probably find more experienced users if you ask your question on the hMailserver forum. 

    https://www.hmailserver.com/forum/

    Thursday, June 20, 2019 12:59 PM
  • Hi,
    How do I ban all IPs that 'look' like they are scamming / hacking / trying stuff and are trying to "approach" the server?

    Many Thanks & Best Regards, Hua Min

    Saturday, June 22, 2019 11:18 AM
  • Hi,

    You could use Windows Firewall to block the specific IP.

    For how to block an IP address, please refer to the following steps:

    Open Windows Firewall with Advanced Security by running wf.msc. On the left, select Inbound Rules, then under the Action menu, choose New Rule.

    1. On the Rule Type page, choose Custom.

    2. On Program, choose "All programs."

    3. On Protocol and Ports, leave the default of Any.

    4. On Scope, select "These IP addresses" in the remote addresses section and add the problematic IP address in the Add dialog.

    5. On Action, choose "Block the connection."

    6. On Profile, leave the defaults of everything checked.

    7. Finally, on Name, give the rule a name and optionally a description.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    • Marked as answer by HuaMin Chen Thursday, June 27, 2019 1:44 AM
    • Unmarked as answer by HuaMin Chen Friday, June 28, 2019 1:37 AM
    Tuesday, June 25, 2019 7:10 AM
    Moderator
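    The same inbound block rule as in the wizard steps above, built with the NetSecurity cmdlets so it can be scripted and read back. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell on the mail server (Windows 8 / Server 2012 or later), the rule name is constructed, and the address range is the one the original poster later reports blocking.

```powershell
# Added example (not from the thread): Candy's wf.msc wizard steps expressed with the
# NetSecurity cmdlets. Assumed: elevated PowerShell on the mail server, Windows 8 /
# Server 2012 or later. The display name is constructed; the range is quoted in the thread.
$ruleName     = 'Block SMTP abuse source 185.222.211.0/24'   # constructed display name
$blockedRange = '185.222.211.1-185.222.211.255'              # range from the thread

# Make the script re-runnable: drop any earlier rule with the same display name.
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Each key mirrors one wizard page from the steps above.
$rule = @{
    DisplayName   = $ruleName
    Description   = 'Blocks RCPT enumeration / relay attempts from this range (constructed)'
    Direction     = 'Inbound'       # Rule Type: Custom (an inbound rule)
    Program       = 'Any'           # Program: All programs
    Protocol      = 'Any'           # Protocol and Ports: Any
    RemoteAddress = $blockedRange   # Scope: "These IP addresses" under REMOTE addresses
    Action        = 'Block'         # Action: Block the connection
    Profile       = 'Any'           # Profile: Domain, Private and Public all checked
    Enabled       = 'True'
}
New-NetFirewallRule @rule | Out-Null

# Read the rule back. The attacker's range has to appear under RemoteAddress: putting it
# on the LOCAL side of the Scope page matches nothing, because the local side is the
# server's own address, and the rule will silently never fire.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallAddressFilter |
    Select-Object LocalAddress, RemoteAddress
```

    The read-back at the end is the check worth keeping: a rule whose range landed in LocalAddress rather than RemoteAddress looks complete in the wizard but leaves the server as open as before.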
  • Hi,

    You could mark the useful reply as the answer if you want to wrap this thread up.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com   

    Wednesday, June 26, 2019 7:26 AM
    Moderator
  • Hi,
    I've created the firewall rule (your way) to protect against the IP range 185.222.211.1-185.222.211.255, but the spammer is still trying to approach my server, like:

    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	ag@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	marty@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	sdqq@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	georgia@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	sb@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	lance@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	florian@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	alejandro@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	de@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	hola@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0
    2019-06-28 09:15:26	hffntyktv82nn@rem42.ru	5c1o8epjgcs3v3dk@a.ab	185.222.211.14	127.0.0.1	SMTP	?	550	0



    Many Thanks & Best Regards, Hua Min

    Friday, June 28, 2019 1:38 AM
  •  but now still the spammer is trying to approach my server like

    If you still see activity from the IP range in your SMTP log, then the firewall rule is not defined properly. 

    Here is a sample where I blocked a simple range on my private network. Does this look like what you have specified?



    Friday, June 28, 2019 6:46 PM
  • Hi,

    The point is that I have created the proper rule (Inbound), but how was the spammer still able to access it?


    Many Thanks & Best Regards, Hua Min

    Saturday, June 29, 2019 3:27 AM
  • Obviously there is something wrong with either the rule or the firewall configuration.

    Log on to a test machine and ping your SMTP server. Verify that it works. Or try the telnet client and see if you can connect to known ports, 25, 80, 445, 3389.

    Then add that test machine's IP address to the rule. Again try to ping or connect to ports. They should all fail. 

    From an admin command prompt:

    DISM /Online /Enable-Feature /FeatureName:telnetclient 

    telnet yourservername portnumber

    Saturday, June 29, 2019 12:48 PM
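    The two-machine check described in this reply, scripted, plus the follow-up question it leads to: which enabled inbound block rules actually cover the test machine's address, and is the firewall profile the rule was written for the one the live network adapter is in. This is an added example, not code from the thread; it assumes PowerShell 5.1 on Windows 8.1 / Server 2012 R2 or later, the rule lookup run elevated on the mail server, and constructed values for the server name and test address.

```powershell
# Added example (not from the thread). Assumed: PowerShell 5.1, Windows 8.1 / Server 2012 R2
# or later; Step 1 runs on the test machine, Steps 2-3 elevated on the mail server.
# $Server and $TestIp are constructed values.

# --- Step 1: from the test machine, is port 25 reachable? (scripted "telnet server 25") ---
function Test-SmtpReachable {
    param([string]$Server, [int]$Port = 25)
    (Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
}

# --- Step 2: on the server, which enabled inbound block rules cover a given remote IP? ---
function ConvertTo-IPv4UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                    # network byte order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-AddressInSpec {
    # $Spec is one RemoteAddress entry as the firewall reports it:
    # 'Any', a single IPv4 address, 'a.b.c.d/prefix', or 'first-last'.
    param([string]$Ip, [string]$Spec)
    if ($Spec -eq 'Any') { return $true }
    $n = ConvertTo-IPv4UInt32 $Ip
    try {
        if ($Spec -match '^([\d.]+)-([\d.]+)$') {
            return ($n -ge (ConvertTo-IPv4UInt32 $Matches[1])) -and ($n -le (ConvertTo-IPv4UInt32 $Matches[2]))
        }
        if ($Spec -match '^([\d.]+)/(\d+)$') {
            $prefix = [int]$Matches[2]
            $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $prefix))
            return (($n -band $mask) -eq ((ConvertTo-IPv4UInt32 $Matches[1]) -band $mask))
        }
        if ($Spec -match '^[\d.]+$') { return $n -eq (ConvertTo-IPv4UInt32 $Spec) }
    } catch { }
    return $false   # IPv6 entries and keywords such as LocalSubnet are not evaluated here
}

function Get-BlockRulesCovering {
    param([string]$RemoteIp)
    Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True | ForEach-Object {
        $rule   = $_
        $filter = $rule | Get-NetFirewallAddressFilter
        foreach ($spec in @($filter.RemoteAddress)) {
            if (Test-AddressInSpec -Ip $RemoteIp -Spec $spec) {
                [pscustomobject]@{ Rule = $rule.DisplayName; Profile = $rule.Profile; RemoteAddress = $spec }
                break
            }
        }
    }
}

# --- Step 3: is the firewall on, and does the rule's profile match the live network? ---
$Server = 'mail.example.test'   # constructed
$TestIp = '192.0.2.10'          # constructed test-machine address (TEST-NET-1)
"Port 25 reachable from here: $(Test-SmtpReachable -Server $Server)"
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory   # the profile a rule must include
Get-BlockRulesCovering -RemoteIp $TestIp | Format-Table -AutoSize
```

    Run Step 1 before and after adding the test machine's address to the rule; the expected outcome is True, then False. If it stays True, Step 2 returning nothing for that address, or Step 3 showing the adapter in a profile the rule does not include, or the profile's firewall disabled, each explains why a rule that looks right in the console never blocks anything.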
  • I did defer application of the relevant IP ranges, with the option below,

    but the spammer did access my server, like:

    "DEBUG"	3772	"2019-06-30 06:41:05.398"	"The client has timed out. Session: 693"
    "IMAPD"	3772	693	"2019-06-30 06:41:05.402"	"113.255.214.28"	"SENT: * BYE You will be disconnected because of timeout (30 minutes)."
    "DEBUG"	3820	"2019-06-30 06:41:10.407"	"The client has timed out. Session: 693"
    "DEBUG"	3820	"2019-06-30 06:43:05.405"	"Ending session 693"
    "DEBUG"	3820	"2019-06-30 06:47:04.872"	"Creating session 714"
    "TCPIP"	3820	"2019-06-30 06:47:04.877"	"TCP - 185.234.219.109 connected to 113.255.213.124:25."
    "DEBUG"	3820	"2019-06-30 06:47:04.886"	"TCP connection started for session 713"
    "SMTPD"	3820	713	"2019-06-30 06:47:04.889"	"185.234.219.109"	"SENT: 220 WIN-APIUFD1NJEU ESMTP"
    "SMTPD"	3788	713	"2019-06-30 06:47:05.098"	"185.234.219.109"	"RECEIVED: EHLO 113.255.213.124"
    "SMTPD"	3788	713	"2019-06-30 06:47:05.101"	"185.234.219.109"	"SENT: 250-WIN-APIUFD1NJEU[nl]250-SIZE 20480000[nl]250-STARTTLS[nl]250-AUTH LOGIN[nl]250 HELP"
    "SMTPD"	3772	713	"2019-06-30 06:47:05.309"	"185.234.219.109"	"RECEIVED: AUTH LOGIN"
    "SMTPD"	3772	713	"2019-06-30 06:47:05.313"	"185.234.219.109"	"SENT: 530 A SSL/TLS-connection is required for authentication."
    "DEBUG"	3796	"2019-06-30 06:47:05.525"	"The read operation failed. Bytes transferred: 0 Remote IP: 185.234.219.109, Session: 713, Code: 2, Message: End of file"
    


    Many Thanks & Best Regards, Hua Min

    Saturday, June 29, 2019 11:37 PM
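    Both logs the original poster pasted (the run of "550 Unknown user" replies in the first post and the refused AUTH LOGIN above) are hMailServer's tab-separated server log, which is easy to summarise per remote IP so that recipient guessing and authentication attempts stand out from ordinary traffic. The parser below is an added example, not code from the thread or from the hMailServer project; the sample lines are constructed and modelled on the two logs in this thread, and the log path at the end is hMailServer's usual default, which is an assumption for any given install.

```powershell
# Added example (not from the thread): summarise hMailServer SMTPD log events per remote IP.
# Sample lines are constructed (modelled on the logs in this thread); the log path is an
# assumed default.
function Get-SmtpAbuseSummary {
    param(
        [string[]]$Lines,
        [int]$UnknownUserThreshold = 5   # heuristic: this many 550s from one IP looks like address guessing
    )
    $byIp = @{}
    foreach ($line in $Lines) {
        # Fields: "SMTPD" <pid> <session> "<timestamp>" "<remote ip>" "<message>"
        $f = @($line -split "`t" | ForEach-Object { $_.Trim('"') })
        if ($f.Count -lt 6 -or $f[0] -ne 'SMTPD') { continue }   # DEBUG/TCPIP/IMAPD lines are not SMTP events
        $ip = $f[4]
        if (-not $byIp.ContainsKey($ip)) {
            $byIp[$ip] = [pscustomobject]@{
                RemoteIp     = $ip
                Sessions     = [System.Collections.Generic.HashSet[string]]::new()
                RcptAttempts = 0
                UnknownUser  = 0
                AuthAttempts = 0
                AuthRefused  = 0
            }
        }
        $e = $byIp[$ip]
        [void]$e.Sessions.Add($f[2])
        switch -Regex ($f[5]) {
            '^RECEIVED: RCPT TO:'     { $e.RcptAttempts++ }
            '^SENT: 550 Unknown user' { $e.UnknownUser++ }
            '^RECEIVED: AUTH '        { $e.AuthAttempts++ }
            '^SENT: 530 '             { $e.AuthRefused++ }   # e.g. "530 A SSL/TLS-connection is required for authentication."
        }
    }
    foreach ($e in $byIp.Values) {
        [pscustomobject]@{
            RemoteIp     = $e.RemoteIp
            Sessions     = $e.Sessions.Count
            RcptAttempts = $e.RcptAttempts
            UnknownUser  = $e.UnknownUser
            AuthAttempts = $e.AuthAttempts
            AuthRefused  = $e.AuthRefused
            # Flags to review, not to act on blindly: a misconfigured legitimate client can also hit 530.
            Suspicious   = ($e.UnknownUser -ge $UnknownUserThreshold) -or ($e.AuthRefused -gt 0)
        }
    }
}

# Constructed sample: five rejected recipients from one IP, one plaintext AUTH refusal from
# another, and one ordinary delivery from 203.0.113.5 (TEST-NET-3). Tabs are written as `t.
$sample = @"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.792"`t"185.222.211.12"`t"RECEIVED: RCPT TO:<dean@abc.co>"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.801"`t"185.222.211.12"`t"SENT: 550 Unknown user"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.802"`t"185.222.211.12"`t"RECEIVED: RCPT TO:<victoria@abc.co>"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.811"`t"185.222.211.12"`t"SENT: 550 Unknown user"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.812"`t"185.222.211.12"`t"RECEIVED: RCPT TO:<alexandra@abc.co>"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.821"`t"185.222.211.12"`t"SENT: 550 Unknown user"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.821"`t"185.222.211.12"`t"RECEIVED: RCPT TO:<customercare@abc.co>"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.830"`t"185.222.211.12"`t"SENT: 550 Unknown user"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.831"`t"185.222.211.12"`t"RECEIVED: RCPT TO:<barry@abc.co>"
"SMTPD"`t3740`t228`t"2019-06-18 01:57:10.839"`t"185.222.211.12"`t"SENT: 550 Unknown user"
"SMTPD"`t3788`t713`t"2019-06-30 06:47:05.098"`t"185.234.219.109"`t"RECEIVED: EHLO 113.255.213.124"
"SMTPD"`t3772`t713`t"2019-06-30 06:47:05.309"`t"185.234.219.109"`t"RECEIVED: AUTH LOGIN"
"SMTPD"`t3772`t713`t"2019-06-30 06:47:05.313"`t"185.234.219.109"`t"SENT: 530 A SSL/TLS-connection is required for authentication."
"SMTPD"`t3772`t801`t"2019-06-30 07:02:11.120"`t"203.0.113.5"`t"RECEIVED: RCPT TO:<postmaster@abc.co>"
"SMTPD"`t3772`t801`t"2019-06-30 07:02:11.125"`t"203.0.113.5"`t"SENT: 250 OK"
"@ -split "`r?`n"

Get-SmtpAbuseSummary -Lines $sample | Format-Table -AutoSize

# Against a real log file (path is hMailServer's default install location, an assumption):
# Get-SmtpAbuseSummary -Lines (Get-Content 'C:\Program Files (x86)\hMailServer\Logs\hmailserver_2019-06-18.log') |
#     Where-Object Suspicious
```

    On the sample, 185.222.211.12 is flagged on five unknown-user rejections and 185.234.219.109 on the refused plaintext AUTH, while 203.0.113.5 is not. The per-IP rows are the natural input for the firewall rule discussed earlier in the thread, and the 530 in the second log is also a useful data point in itself: it shows the server refusing AUTH without TLS, so the connection was denied rather than used for relay.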
  • Why did you do that? It says "let the application decide". Did you then make some change within the application settings to account for hacking attempts? Or define an IP range of some sort to the application? 

    If you have a server with a known port that is open on the internet, then you should expect to be attacked by hackers every day.  

    Sunday, June 30, 2019 3:04 AM
  • I selected the option below, but the problem persists.


    Many Thanks & Best Regards, Hua Min

    Wednesday, July 3, 2019 9:39 AM
  • Did you try my ping/telnet test from a second machine?

    Log on to a test machine and ping your SMTP server. Verify that it works. Or try the telnet client and see if you can connect to known ports, 25, 80, 445, 3389.

    Then add that test machine's IP address to the rule. Again try to ping or connect to ports. They should all fail. 

    Wednesday, July 3, 2019 5:01 PM