
Since suffering a hack twice on my email server, the last one VERY severe, I have been VERY proactive in monitoring my logs and taking appropriate action when I see attacks. I've installed Malwarebytes for servers, and this software has been very effective in stopping about 95% of the brute force password attacks (among other types), and I've reported any that have gotten through. Given that I've been very effective in stopping the attacks, the attackers have changed tactics. What I'm seeing a lot of now is computers/devices that connect to my server and execute a bunch of "Unrecognized command"s. The number of connections has increased to the point where it's having an impact on the server's performance. A lot of these IPs are listed on Spamhaus.org and other DNS blocking sites, and my question is: is there any way I can configure my firewall to block any IP address that is listed on these sites? The reason I want to do this, besides the obvious, is that once a user has determined their machine is "infected", cleans it up and has it removed from the blocklist, they then, as a potential customer, would once again have access to my software. I'm not aware of any software that does this and figured I would post the question here, as I'm sure there has to be someone out there who knows of a solution. Any assistance would be greatly appreciated. Thank you.

This is an example of what I'm seeing in my logs, I'm running the latest version of MDaemon on Windows Server 2012 R2:

The following is the associated POP3 log entries:

Mon 2023-05-01 11:31:54.682: Session 00775141; child 0001
Mon 2023-05-01 11:31:54.682: Accepting POP3 connection from 167.248.133.127:57754 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:54.761: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:54.761: *  Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:54.761: Connection closed
Mon 2023-05-01 11:31:54.762: POP3 session terminated, (Bytes in/out: 429/1692)
Mon 2023-05-01 11:31:54.762: ----------
Mon 2023-05-01 11:31:55.044: Session 00775142; child 0001
Mon 2023-05-01 11:31:55.044: Accepting POP3 connection from 167.248.133.127:36340 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.075: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:55.075: *  Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:55.075: Connection closed
Mon 2023-05-01 11:31:55.075: POP3 session terminated, (Bytes in/out: 429/1692)
Mon 2023-05-01 11:31:55.075: ----------
Mon 2023-05-01 11:31:55.357: Session 00775143; child 0001
Mon 2023-05-01 11:31:55.357: Accepting POP3 connection from 167.248.133.127:42256 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.360: *  SSL negotiation failed, error code 0x80090331
Mon 2023-05-01 11:31:55.360: POP3 session complete (Bytes in/out: 350/0)
Mon 2023-05-01 11:31:55.360: ----------
Mon 2023-05-01 11:31:55.678: Session 00775144; child 0001
Mon 2023-05-01 11:31:55.678: Accepting POP3 connection from 167.248.133.127:47866 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:55.711: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:55.711: *  Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:55.711: Connection closed
Mon 2023-05-01 11:31:55.712: POP3 session terminated, (Bytes in/out: 336/1692)
Mon 2023-05-01 11:31:55.712: ----------
Mon 2023-05-01 11:31:55.997: Session 00775145; child 0001
Mon 2023-05-01 11:31:55.997: Accepting POP3 connection from 167.248.133.127:53762 to xxxxxxxxxxxxxxxx
Mon 2023-05-01 11:31:56.027: Socket connection closed by the other side (how rude!)
Mon 2023-05-01 11:31:56.028: *  Socket error 10053 - Connection abort.
Mon 2023-05-01 11:31:56.028: Connection closed
Mon 2023-05-01 11:31:56.028: POP3 session terminated, (Bytes in/out: 417/1692)
Mon 2023-05-01 11:31:56.028: ----------

The following are the SMTP log entries I get for IPs that are also blocked by this feature; the above IP has also executed this:

Sat 2023-04-29 09:40:13.202: Session 00773261; child 0001
Sat 2023-04-29 09:40:13.202: Accepting SMTP connection from 162.142.125.223:53396 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.205: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.205: <-- ¨
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <--
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <-- À$À­À¯À,ÀrÀsÌ©ÌÀÀÀÀ'À/ÀÀ(À0À`ÀaÀvÀw̨ÌÀ
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: <--
Sat 2023-04-29 09:40:13.205: Too many errors encountered
Sat 2023-04-29 09:40:13.205: SMTP session terminated (Bytes in/out: 429/183)
Sat 2023-04-29 09:40:13.206: ----------
Sat 2023-04-29 09:40:13.514: Session 00773262; child 0001
Sat 2023-04-29 09:40:13.514: Accepting SMTP connection from 162.142.125.223:38992 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.516: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.516: <-- ¨
Sat 2023-04-29 09:40:13.516: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.516: <-- <rá®RD²ã ¬Ë–?äžII!úXJ×…—÷c×mCà‚]¹ ÿºiƒ
Sat 2023-04-29 09:40:13.517: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.517: <-- ÀĮ̀ÀwÀvÀaÀ`À0À(ÀÀ/À'ÀÀÀÌÌ©ÀsÀrÀ,À¯À­À$À
Sat 2023-04-29 09:40:13.517: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.517: <-- À+À®À¬À#À À
Sat 2023-04-29 09:40:13.517: Too many errors encountered
Sat 2023-04-29 09:40:13.517: SMTP session terminated (Bytes in/out: 429/183)
Sat 2023-04-29 09:40:13.517: ----------
Sat 2023-04-29 09:40:13.823: Session 00773263; child 0001
Sat 2023-04-29 09:40:13.823: Accepting SMTP connection from 162.142.125.223:52074 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:13.824: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:13 -0400
Sat 2023-04-29 09:40:13.825: <-- Y
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.825: <-- À+À®À¬À#À À
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.825: <--
Sat 2023-04-29 09:40:13.825: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.374: <--
Sat 2023-04-29 09:40:14.374: Too many errors encountered
Sat 2023-04-29 09:40:14.374: SMTP session terminated (Bytes in/out: 350/183)
Sat 2023-04-29 09:40:14.374: ----------
Sat 2023-04-29 09:40:14.655: Session 00773264; child 0001
Sat 2023-04-29 09:40:14.655: Accepting SMTP connection from 162.142.125.223:59426 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:14.658: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:14 -0400
Sat 2023-04-29 09:40:14.659: <-- K
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.659: <--
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:14.659: <--
Sat 2023-04-29 09:40:14.659: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.208: <--
Sat 2023-04-29 09:40:15.208: Too many errors encountered
Sat 2023-04-29 09:40:15.208: SMTP session terminated (Bytes in/out: 336/183)
Sat 2023-04-29 09:40:15.208: ----------
Sat 2023-04-29 09:40:15.488: Session 00773266; child 0001
Sat 2023-04-29 09:40:15.488: Accepting SMTP connection from 162.142.125.223:38688 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:15.490: --> 220 smtp.myemailserver.com ESMTP MSA MDaemon 23.0.1; Sat, 29 Apr 2023 09:40:15 -0400
Sat 2023-04-29 09:40:15.491: <-- œ
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- vk¢_[ UU
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- À+À®ÌÀ¬ÀÀ#
Sat 2023-04-29 09:40:15.491: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:15.491: <-- À
Sat 2023-04-29 09:40:15.491: Too many errors encountered
Sat 2023-04-29 09:40:15.491: SMTP session terminated (Bytes in/out: 417/183)
Sat 2023-04-29 09:40:15.491: ----------
Sat 2023-04-29 09:40:56.122: Session 00773271; child 0001
Sat 2023-04-29 09:40:56.122: Accepting SMTP connection from 167.248.133.52:42486 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.196: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:56.196: SMTP session terminated (Bytes in/out: 429/1692)
Sat 2023-04-29 09:40:56.196: ----------
Sat 2023-04-29 09:40:56.478: Session 00773272; child 0001
Sat 2023-04-29 09:40:56.478: Accepting SMTP connection from 167.248.133.52:53048 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.510: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:56.510: SMTP session terminated (Bytes in/out: 429/1692)
Sat 2023-04-29 09:40:56.510: ----------
Sat 2023-04-29 09:40:56.793: Session 00773273; child 0001
Sat 2023-04-29 09:40:56.793: Accepting SMTP connection from 167.248.133.52:33830 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:56.796: * SSL error 0x80090331 The client and server cannot communicate, because they do not possess a common algorithm.
Sat 2023-04-29 09:40:56.796: SMTP session terminated (Bytes in/out: 350/0)
Sat 2023-04-29 09:40:56.796: ----------
Sat 2023-04-29 09:40:57.102: Session 00773274; child 0001
Sat 2023-04-29 09:40:57.102: Accepting SMTP connection from 167.248.133.52:43136 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:57.133: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:57.133: SMTP session terminated (Bytes in/out: 336/1692)
Sat 2023-04-29 09:40:57.133: ----------
Sat 2023-04-29 09:40:57.414: Session 00773275; child 0001
Sat 2023-04-29 09:40:57.414: Accepting SMTP connection from 167.248.133.52:52120 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:40:57.450: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:40:57.450: SMTP session terminated (Bytes in/out: 417/1692)
Sat 2023-04-29 09:40:57.450: ----------
Sat 2023-04-29 09:41:52.287: Session 00773280; child 0001
Sat 2023-04-29 09:41:52.287: Accepting SMTP connection from 167.248.133.187:39424 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.289: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.290: <-- ¨
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <-- À$À­À¯À,ÀrÀsÌ©ÌÀÀÀÀ'À/ÀÀ(À0À`ÀaÀvÀw̨ÌÀ
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <--
Sat 2023-04-29 09:41:52.290: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.290: <--
Sat 2023-04-29 09:41:52.290: Too many errors encountered
Sat 2023-04-29 09:41:52.290: SMTP session terminated (Bytes in/out: 429/179)
Sat 2023-04-29 09:41:52.290: ----------
Sat 2023-04-29 09:41:52.598: Session 00773281; child 0001
Sat 2023-04-29 09:41:52.598: Accepting SMTP connection from 167.248.133.187:49952 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.600: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.600: <-- ¨
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <--
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <-- ÀĮ̀ÀwÀvÀaÀ`À0À(ÀÀ/À'ÀÀÀÌÌ©ÀsÀrÀ,À¯À­À$À
Sat 2023-04-29 09:41:52.601: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.601: <-- À+À®À¬À#À À
Sat 2023-04-29 09:41:52.601: Too many errors encountered
Sat 2023-04-29 09:41:52.601: SMTP session terminated (Bytes in/out: 429/179)
Sat 2023-04-29 09:41:52.601: ----------
Sat 2023-04-29 09:41:52.911: Session 00773282; child 0001
Sat 2023-04-29 09:41:52.911: Accepting SMTP connection from 167.248.133.187:59158 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:52.913: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:52 -0400
Sat 2023-04-29 09:41:52.913: <-- Y
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <-- À+À®À¬À#À À
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <--
Sat 2023-04-29 09:41:52.914: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:52.914: <--
Sat 2023-04-29 09:41:52.914: Too many errors encountered
Sat 2023-04-29 09:41:52.914: SMTP session terminated (Bytes in/out: 350/179)
Sat 2023-04-29 09:41:52.914: ----------
Sat 2023-04-29 09:41:53.220: Session 00773283; child 0001
Sat 2023-04-29 09:41:53.220: Accepting SMTP connection from 167.248.133.187:38580 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:53.223: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:53 -0400
Sat 2023-04-29 09:41:53.223: <-- K
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.223: <--
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.223: <--
Sat 2023-04-29 09:41:53.223: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:53.775: <--
Sat 2023-04-29 09:41:53.775: Too many errors encountered
Sat 2023-04-29 09:41:53.775: SMTP session terminated (Bytes in/out: 336/179)
Sat 2023-04-29 09:41:53.776: ----------
Sat 2023-04-29 09:41:54.057: Session 00773284; child 0001
Sat 2023-04-29 09:41:54.057: Accepting SMTP connection from 167.248.133.187:37494 to xxxxxxxxxxxxxxxx
Sat 2023-04-29 09:41:54.058: --> 220 smtp.myemailserver.com ESMTP MDaemon 23.0.1; Sat, 29 Apr 2023 09:41:54 -0400
Sat 2023-04-29 09:41:54.059: <-- œ
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <-- À+À®ÌÀ¬ÀÀ#
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <-- À
Sat 2023-04-29 09:41:54.059: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:41:54.059: <--
Sat 2023-04-29 09:41:54.059: Too many errors encountered
Sat 2023-04-29 09:41:54.059: SMTP session terminated (Bytes in/out: 417/179)
Sat 2023-04-29 09:41:54.059: ----------

  • One of the problems here is that hackers and people just scanning the internet have malicious intentions, and the notion of them cleaning up their PC is false. Sometimes you need to permanently block IPs and sometimes whole subnets of IPs.
    – cybernard
    May 4 at 15:41
  • If they don't clean up their PCs, they stay on the blocklist and stay blocked. I use Dynamic Screening to block IPs temporarily, but was looking for a more "automatic" and permanent solution. May 4 at 15:56

1 Answer

netsh advfirewall firewall add rule name="banned IP" dir=in interface=any action=block remoteip=167.248.133.127/32

Hackers gain access to blocks of IPs, and it is likely they will start +1-ing their IP addresses, so you will need to start blocking /24 subnets' worth of IPs.

Currently, whole countries like Russia, North Korea and China have people randomly attacking computers, and it is likely in your best interest to just do a whois lookup on IPs and, if they come from these countries, block ALL of them. Whois will list a range of PCs that said company owns, so you can block all of them.

I use Linux because I find it an all-around better mail server experience, but I have over 1 million banned IP addresses.

The random characters you're experiencing

ÀĮ̀ÀwÀvÀaÀ`À0À(ÀÀ/À'ÀÀÀÌÌ©ÀsÀrÀ,À¯À­À$À

are hackers trying to exploit vulnerabilities in your mail server. When they find one, you will be hacked again.

https://www.spamhaus.com/dataset/ip-blocklists/

This link lets you sign up for a free trial, but I read that prices start as low as $250 per year.

You may also want to look at the AbuseIPDB website, as I believe you can download a list from there.

Then you write a batch file to iterate the list into the Windows firewall.

I have no personal experience with MDaemon, but this YouTube video seems to describe how to secure your server: https://www.youtube.com/watch?v=m4Ky2cPvLfI

  • I already block any range of IPs that are outside the US and Canada. I don't do business with anyone outside North America, so that's an easy thing. My problem is with IPs that are US- or Canada-based; a lot are already on the blocklist, but I have no way to "automatically" check an IP against the blocklist. Using Linux is not an option, as I have a substantial investment in in-house developed software. DigitalOcean hosts a lot of these actors. May 4 at 16:00
  • @PrescottChartier I have added a YouTube video you may find useful, as it describes how to set up RBLs (Realtime block lists) in MDaemon using the SecurityPlus plug-in. You need RBLs, and it doesn't matter what plug-in you use, but this is the one I stumbled on first.
    – cybernard
    May 4 at 16:07
  • Yes, I've already secured the server using all available tools that MDaemon provides. I implemented SPF, DKIM and DMARC as well. My issue isn't spam, that's pretty much under control; my issue is attacks from computers/devices at IPs that are on the blocklist at Spamhaus and other DNS blocklist sites. I'm looking for a way to automatically look up and block any IP that is contained on those blocklists. If I could do that, I suspect that 95% of the attacks would be blocked. May 4 at 16:31
  • @PrescottChartier spamhaus.org/faq/section/DNSBL%20Usage#108 From this we learn: "Spamhaus public mirrors can be used free of charge by querying "zen.spamhaus.org", if: Use of the Spamhaus DNSBLs is non-commercial and..." The obvious implication here is that you will have to pay them money if you want to use them commercially.
    – cybernard
    May 4 at 16:38
  • You are clearly meant to have to email or call them to get any useful pricing data, but during my quick scan of their website prices between $250 and $5000 a year exist.
    – cybernard
    May 4 at 16:45
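
The question asks for a firewall that blocks whatever is currently listed at Spamhaus and lets a host back in once it is delisted, and the answer above sketches the pieces (a netsh block rule, /24 blocking, a downloaded list iterated into the firewall, RBL lookups). The PowerShell script below is an added example that ties those pieces together; it is not code from the original post, from MDaemon or from Spamhaus. It parses MDaemon log lines in the format shown in the question (the embedded sample is constructed, using RFC 5737 test addresses), looks repeat offenders up in zen.spamhaus.org, and maintains one Windows Firewall block rule whose address list is re-validated on every run. The log path, rule name, threshold and switch names are assumptions. One note for reading the logs: the garbled lines such as À$À­À¯À, are Latin-1 renderings of TLS cipher-suite identifiers (0xC024, 0xC0AD, 0xC0AF, 0xC02C, and so on), i.e. a TLS ClientHello sent to the plaintext SMTP port, which is why MDaemon answers 500 Unrecognized command and why the same sources produce 0x80090331 (no common algorithm) on the TLS ports. The script therefore counts sessions that end in "Too many errors" or a TLS failure rather than matching the bytes themselves.

```powershell
# Added example; not code from the original post, from MDaemon or from Spamhaus.
# Pipeline: MDaemon log lines -> repeat offenders -> Spamhaus ZEN lookup -> one Windows Firewall
# block rule whose address list is re-checked on every run, so a delisted host is unblocked again.
# Needs PowerShell 4+ with the DnsClient and NetSecurity modules (Windows Server 2012 R2 and later)
# and an elevated prompt when $DryRun is $false. Paths, rule name and thresholds are assumptions.

$LogPath      = 'C:\MDaemon\Logs\MDaemon-SMTP-(in).log'   # hypothetical path; real location varies
$RuleName     = 'MDaemon DNSBL block'                      # hypothetical rule name
$Threshold    = 3       # failed sessions from one IP before it is looked up
$BlockWhole24 = $false  # $true blocks x.y.z.0/24 instead of the host (coarse; hits shared hosting)
$DryRun       = $true   # $false really changes the firewall

# Constructed sample log in the format shown in the question; addresses are RFC 5737 test ranges.
$SampleLog = @'
Sat 2023-04-29 09:40:13.202: Accepting SMTP connection from 203.0.113.5:53396 to 198.51.100.10:25
Sat 2023-04-29 09:40:13.205: --> 500 5.0.0 Unrecognized command
Sat 2023-04-29 09:40:13.205: Too many errors encountered
Sat 2023-04-29 09:40:13.514: Accepting SMTP connection from 203.0.113.5:38992 to 198.51.100.10:25
Sat 2023-04-29 09:40:13.517: Too many errors encountered
Sat 2023-04-29 09:40:56.122: Accepting SMTP connection from 203.0.113.5:42486 to 198.51.100.10:25
Sat 2023-04-29 09:40:56.196: * SSL error 10054 An existing connection was forcibly closed by the remote host.
Sat 2023-04-29 09:41:00.000: Accepting POP3 connection from 192.0.2.77:50000 to 198.51.100.10:110
Sat 2023-04-29 09:41:00.200: POP3 session complete (Bytes in/out: 120/80)
'@ -split "`r?`n"

# Count, per remote IP, the sessions that ended in "Too many errors" (garbage commands) or a TLS failure.
function Get-Offenders {
    param([string[]]$Lines, [int]$MinBadSessions = 3)
    $bad = @{}; $current = $null; $counted = $false
    foreach ($line in $Lines) {
        if ($line -match 'Accepting (SMTP|POP3|IMAP) connection from (\d{1,3}(?:\.\d{1,3}){3}):\d+') {
            $current = $Matches[2]; $counted = $false; continue
        }
        if ($current -and -not $counted -and
            $line -match 'Too many errors encountered|SSL error|SSL negotiation failed') {
            $bad[$current] = 1 + [int]$bad[$current]; $counted = $true   # one hit per session
        }
    }
    @($bad.GetEnumerator() | Where-Object { $_.Value -ge $MinBadSessions } | ForEach-Object { $_.Key })
}

# ZEN return codes: 127.0.0.2 = SBL, .3 = CSS, .4-.7 = XBL (compromised hosts), .10-.11 = PBL.
# PBL is end-user dynamic space: it must not send mail directly, but it is exactly where a customer's
# POP3 client lives, so never firewall it. 127.255.255.x are error answers (open resolver, rate limit,
# malformed query), not listings; treating them as listings would block every IP you test.
function ConvertTo-DnsblVerdict {
    param([string[]]$Codes)
    if (-not $Codes) { return 'clean' }
    if ($Codes -match '^127\.255\.255\.')   { return 'error' }
    if ($Codes -match '^127\.0\.0\.[2-7]$') { return 'listed' }
    if ($Codes -match '^127\.0\.0\.1[01]$') { return 'pbl' }
    return 'error'   # unexpected answer: stay conservative
}

function Get-DnsblVerdict {
    param([string]$Ip, [string]$Zone = 'zen.spamhaus.org')
    $name = (($Ip -split '\.')[3..0] -join '.') + ".$Zone"     # 203.0.113.5 -> 5.113.0.203.zen...
    try {
        $codes = @(Resolve-DnsName -Name $name -Type A -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    } catch {
        if ($_.Exception.Message -match 'does not exist|9003') { $codes = @() }   # NXDOMAIN: not listed
        else { return 'error' }                                                   # resolver trouble
    }
    ConvertTo-DnsblVerdict -Codes $codes
}

# One rule with a maintained address list instead of one "banned IP" rule per address: easy to audit
# and easy to shrink. Each run re-tests the single hosts already in the list and drops delisted ones;
# subnet entries (x.y.z.0/24) are kept as-is because a network address has no meaningful listing.
function Sync-BlockRule {
    param([string[]]$NewIps, [string]$Name, [bool]$DryRun = $true)
    $rule = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    $existing = @()
    if ($rule) { $existing = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress | Where-Object { $_ -ne 'Any' }) }
    $keep = foreach ($addr in $existing) {
        if ($addr -match '/') { $addr; continue }
        $v = Get-DnsblVerdict -Ip $addr
        if ($v -eq 'listed' -or $v -eq 'error') { $addr }        # keep on lookup errors: no flapping
        else { Write-Host "delisted, unblocking $addr" }
    }
    $wanted = @(@($keep) + @($NewIps) | Where-Object { $_ } | Sort-Object -Unique)
    if ($DryRun) { Write-Host "[dry run] rule '$Name' would block: $($wanted -join ', ')"; return $wanted }
    if (-not $wanted) { if ($rule) { $rule | Disable-NetFirewallRule }; return @() }
    if ($rule) { $rule | Set-NetFirewallRule -RemoteAddress $wanted -Enabled True }
    else { New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Block -Profile Any -RemoteAddress $wanted | Out-Null }
    return $wanted
}

# Main: replace $SampleLog with (Get-Content -Path $LogPath) and run this from a scheduled task.
$lines = $SampleLog
$toBlock = foreach ($ip in (Get-Offenders -Lines $lines -MinBadSessions $Threshold)) {
    switch (Get-DnsblVerdict -Ip $ip) {
        'listed' { if ($BlockWhole24) { $ip -replace '\.\d+$', '.0/24' } else { $ip } }
        'error'  { Write-Warning "DNSBL lookup for $ip failed; not blocking on bad data" }
        default  { Write-Host "$ip is noisy but not listed (or only PBL); leave it to Dynamic Screening" }
    }
}
Sync-BlockRule -NewIps @($toBlock) -Name $RuleName -DryRun $DryRun
```

Run it as a scheduled task against the current MDaemon log with $DryRun set to $false. Two caveats the comments already touch on: the free zen.spamhaus.org mirrors answer 127.255.255.254 instead of a listing when the query arrives through a public resolver such as 8.8.8.8, and commercial use needs a subscription; the script treats any 127.255.255.x answer as an error and refuses to block on it, so a misconfigured resolver cannot turn the rule into a block-everything rule. PBL codes are also deliberately ignored at the firewall, since PBL covers the dynamic end-user ranges that legitimate customers connect from.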
