Finding Spammers in hMailServer Log Files

hMailServer has a couple of spam protection measures built in, such as DNS blacklists and SURBL support. Among other features, you can also ban single IP addresses or IP ranges from connecting to your mail server.

While recently browsing through the log files, I noticed a couple of IP addresses which repeatedly connected to the mail server to log in, but kept their rate over the default 30 minutes auto-ban timer.

Interestingly, those addresses chose to authenticate via AUTH LOGIN, but failed every time to provide a valid password. This results in a

535 Authentication failed

answer by the server, thus closing the conversation.

In the log file, the status code 535 looks like this

"SMTPD" 3228 21101 "2016-02-03 00:05:19.743" "xxx.xx.xx.xxx" "SENT: 535 Authentication failed. Too many invalid logon attempts."

To find the conversations ending in status code 535, we can simply grep or findstr the relevant log files

grep "SENT: 535" *.log

In the log files, the IP address is logged in the sixth column, so we can iterate over the resulting lines with the shell's for command with the option /f "tokens=6".

Then we sort and count

(for /f "tokens=6" %i in ('grep "SENT: 535" *.log') do @echo %i) | sort | uniq -c

To count the resulting IP addresses, I use my tool uniq, implemented after the Unix command uniq.

Similarly, one could also search for “550 Unknown user”.
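
The same count as a portable script, added here as an example and not part of the original post: it parses the SMTPD line layout shown above, counts 535 (and optionally 550) replies per IP, and goes one step further by reporting the shortest gap between failures, which shows clients pacing their attempts around the auto-ban timer. The function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Layout of the SMTPD line shown in the post:
# "SMTPD" <n> <n> "<timestamp>" "<ip>" "SENT: <code> <text>"
LINE_RE = re.compile(
    r'^"SMTPD"\s+\d+\s+\d+\s+"(?P<ts>[^"]+)"\s+"(?P<ip>[^"]+)"\s+'
    r'"SENT: (?P<code>\d{3}) ')

def failures_by_ip(lines, codes=("535",)):
    """Map each client IP to the timestamps of replies with a code in `codes`."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("code") in codes:
            hits[m.group("ip")].append(
                datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"))
    return hits

def summarize(hits):
    """Rows of (ip, count, shortest gap in minutes or None), busiest first."""
    rows = []
    for ip, stamps in hits.items():
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(stamps, stamps[1:])]
        rows.append((ip, len(stamps), min(gaps) if gaps else None))
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = [
    '"SMTPD" 3228 21101 "2016-02-03 00:05:19.743" "192.0.2.10" "SENT: 535 Authentication failed."',
    '"SMTPD" 3228 21101 "2016-02-03 00:05:19.100" "192.0.2.10" "RECEIVED: AUTH LOGIN"',
    '"SMTPD" 3232 21102 "2016-02-03 00:10:00.000" "198.51.100.7" "SENT: 535 Authentication failed."',
    '"SMTPD" 3236 21103 "2016-02-03 00:12:30.500" "203.0.113.5" "SENT: 550 Unknown user"',
    '"SMTPD" 3240 21104 "2016-02-03 00:20:00.000" "198.51.100.7" "SENT: 250 OK"',
    '"SMTPD" 3244 21105 "2016-02-03 00:40:19.743" "192.0.2.10" "SENT: 535 Authentication failed."',
    '"SMTPD" 3248 21106 "2016-02-03 01:15:19.743" "192.0.2.10" "SENT: 535 Authentication failed."',
]

if __name__ == "__main__":
    # Report both failed logins (535) and unknown recipients (550).
    for ip, count, gap in summarize(failures_by_ip(SAMPLE, ("535", "550"))):
        print(f"{count:5d}  {ip:15s}  shortest gap (min): {gap}")
```

To run it against real logs, pass the lines of each log file to failures_by_ip instead of SAMPLE.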

5 thoughts on “Finding Spammers in hMailServer Log Files”

  1. I definitely wanted to jot down a note in order to say thanks to you for those magnificent tactics you are posting on this site. My time consuming internet lookup has at the end of the day been recognized with reasonable know-how to go over with my companions. I would point out that we website visitors actually are unquestionably endowed to live in a perfect place with many perfect professionals with beneficial suggestions. I feel really fortunate to have encountered your entire weblog and look forward to plenty of more fun times reading here. Thanks again for everything.

  2. Considerably, the article is in reality the greatest on this noteworthy topic. I agree with your conclusions and also definitely will eagerly look forward to your next updates. Saying thanks will not simply just be enough, for the wonderful clarity in your writing. I definitely will right away grab your rss feed to stay privy of any updates. Pleasant work and also much success in your business dealings!

  3. What you're declaring is entirely true. I know that everybody should say the similar thing, but I just consider that you put it in a way that absolutely everyone can understand. I also really like the pictures you put in right here. They match so nicely with what you're trying to say. I'm sure you'll attain so numerous men and women with what you've obtained to say.
