Finding Spammers in hMailServer Log Files

hMailServer has a couple of spam protection measures built in, such as DNS blacklists and SURBL support. Among other features, you can also ban single IP addresses or IP ranges from connecting to your mail server.

While recently browsing through the log files, I noticed a couple of IP addresses which repeatedly connected to the mail server to log in, but paced their attempts so that they stayed under the default 30-minute auto-ban timer.

Interestingly, those addresses chose to authenticate via AUTH LOGIN, but failed every time to provide a valid password. This results in a

535 Authentication failed

answer by the server, thus closing the conversation.

In the log file, the status code 535 looks like this:

"SMTPD" 3228 21101 "2016-02-03 00:05:19.743" "" "SENT: 535 Authentication failed. Too many invalid logon attempts."

To find the conversations ending in status code 535, we can simply grep or findstr the relevant log files:

grep "SENT: 535" *.log

In the log files, the IP address is the sixth whitespace-separated token (the quoted timestamp contains a space and therefore counts as two tokens), so we can iterate over the resulting lines with the shell's for command with option /f "tokens=6".

Then we sort and count:

(for /f "tokens=6" %i in ('grep "SENT: 535" *.log') do @echo %i) | sort | uniq -c

To count the resulting IP addresses, I use my tool uniq, implemented after the Unix command uniq.

Similarly, one could also search for "550 Unknown user".
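The same extraction and count as the pipeline above, as an added Python example that is not from the original post, plus a check for the pacing behaviour described at the start: it parses the quoted hMailServer fields instead of relying on token position, counts 535 replies per remote IP, and lists addresses that accumulate failures while staying under an assumed auto-ban threshold of 3 failures per 30 minutes. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# hMailServer SMTPD line layout, as in the sample on the page:
# "SMTPD" <session-id> <thread-id> "<timestamp>" "<remote-ip>" "<message>"
LINE_RE = re.compile(r'^"(?P<comp>[^"]*)"\s+(?P<session>\d+)\s+(?P<thread>\d+)\s+'
                     r'"(?P<ts>[^"]*)"\s+"(?P<ip>[^"]*)"\s+"(?P<msg>.*)"\s*$')

def auth_failures(lines):
    """Yield (timestamp, remote ip) for every 'SENT: 535' server reply."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and m["comp"] == "SMTPD" and m["msg"].startswith("SENT: 535"):
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["ip"]

def count_by_ip(lines):
    """Per-IP total of 535 replies: the equivalent of the page's sort | uniq -c pipeline."""
    return dict(Counter(ip for _, ip in auth_failures(lines)))

def peak_in_window(times, window):
    """Most failures from one source inside any interval of length `window` (sliding window)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def slow_offenders(lines, window=timedelta(minutes=30), ban_attempts=3, min_total=4):
    """IPs with at least `min_total` failures that never reach `ban_attempts` inside one
    `window`: sources pacing themselves under the auto-ban rate. The thresholds are
    assumed defaults, not read from the server's configuration."""
    per_ip = defaultdict(list)
    for ts, ip in auth_failures(lines):
        per_ip[ip].append(ts)
    return sorted(ip for ip, ts in per_ip.items()
                  if len(ts) >= min_total and peak_in_window(ts, window) < ban_attempts)

# Constructed sample log (not from a real server); addresses are from documentation ranges.
SAMPLE_LOG = """\
"SMTPD" 3228 21101 "2016-02-03 00:05:19.743" "192.0.2.10" "SENT: 535 Authentication failed."
"SMTPD" 3240 21101 "2016-02-03 00:50:41.002" "192.0.2.10" "SENT: 535 Authentication failed."
"SMTPD" 3251 21102 "2016-02-03 01:31:07.310" "192.0.2.10" "SENT: 535 Authentication failed."
"SMTPD" 3263 21101 "2016-02-03 02:12:55.871" "192.0.2.10" "SENT: 535 Authentication failed."
"SMTPD" 3301 21103 "2016-02-03 03:00:01.000" "198.51.100.7" "SENT: 535 Authentication failed."
"SMTPD" 3301 21103 "2016-02-03 03:00:03.500" "198.51.100.7" "SENT: 535 Authentication failed."
"SMTPD" 3301 21103 "2016-02-03 03:00:05.900" "198.51.100.7" "SENT: 535 Authentication failed. Too many invalid logon attempts."
"SMTPD" 3310 21101 "2016-02-03 03:04:10.000" "203.0.113.5" "SENT: 250 OK"
"SMTPD" 3311 21101 "2016-02-03 03:05:10.000" "203.0.113.5" "SENT: 535 Authentication failed."
""".splitlines()
```

Running `count_by_ip(SAMPLE_LOG)` reproduces the per-IP totals of the pipeline, while `slow_offenders(SAMPLE_LOG)` singles out the address that spreads its failures more than 30 minutes apart.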
