Smartermail – kill active connections on password change – “fix”

Here’s a picture of a heart shaped potato 🙂

Well, if you got here, I don’t have to explain the issue, do I? 🙂

Basically, if you have a spammer on your Smartermail email server, changing the password will not kill the currently active sessions, so the spammer can keep sending emails. In this case, only a restart of Smartermail would solve the issue (active sessions get dropped 🙂 ).


Let me describe what the script does and why.

1. Checks if it needs to run. Remember, the script needs to run on the “Password change” event, but not on every one of them!

Let’s break it down:

– We don’t want to run the script when a legitimate client changes his own password through some control panel or webmail, because that would block his IP.

– We only need to start the script if we (the sysadmin) change the password.

– We only need to start the script when there was a spammer on the server, not when the admin does a regular password change at a user’s request.

In order to solve that, we use a “specially crafted” password, and the only requirement is that it has to end with the letters “spm”. Of course you can change it to something else if you wish, by changing the password pattern in the script.

2. Parses the current Smartermail’s SMTP log file and extracts all IP addresses that were used to log in with the email account for whom you’ve just changed the password.

3. Matches the extracted IP addresses with countries. This is useful if your clients are from a specific region, so you can whitelist those countries (I’m sure you’ll find a use case for this 🙂 ).

4. Takes the last 10 unique IP addresses and adds them to the Windows firewall block list. It will block incoming and outgoing connections only on ports 25, 465 and 587 for all “offensive” IP addresses.

5. Sleeps for 5 minutes and then removes the IP addresses from the block list (you’d want to remove “unnecessary” firewall rules when they’re no longer needed).

So, in order to get this puppy going, you need to do this:

1. Create a new event in Smartermail (Settings – Events).

2. Event Category: User, Event type: “User changed password”.

3. Click on “Actions”, click on “Add action” and set it like in the picture (was lazy to type 😀 ).

[screenshot: smartermailevent]

Of course, you can save the files in some other folder, just be sure to set the arguments right.

Bat file:


PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "C:\work\spmblock.ps1 %1 %2"


PowerShell script (I suggest that you download the .zip file with the script instead of copying it from the post):


# The bat file passes the email address and the new password as the two arguments.
$email    = $args[0]
$password = $args[1]

Function BlockSpammers {
    # Check if we need to run: only a password ending in "spm" triggers the block.
    $pwd_regex = "spm\z" # you can change the trigger letters (leave the "\z") or the pattern here.
    if ($password -match $pwd_regex) {
        $date       = Get-Date -Format yyyy.MM.dd
        $blockedips = $null

        $ports       = "25,465,587"
        $countries   = "(US|IE|DE|AU)" # you can add countries to the whitelist here
        $match_regex = "\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b"
        $web         = New-Object Net.WebClient

        # Remove leftovers from a previous run (no error if the files do not exist).
        del c:\work\ips.txt -ErrorAction SilentlyContinue
        del c:\work\tmp.txt -ErrorAction SilentlyContinue

        # Pull the log lines where this account authenticated (-SimpleMatch so the dots
        # in the address are not treated as regex wildcards), then extract the IPs in them.
        gc C:\Smartermail\Logs\$date-smtpLog.log | Select-String "Authenticated as $email" -SimpleMatch | Out-File c:\work\tmp.txt
        Select-String -Path c:\work\tmp.txt -Pattern $match_regex -AllMatches | % { $_.Matches } | % { $_.Value } > c:\work\ips.txt
        $ips = gc c:\work\ips.txt
        $ips = $ips | Select-Object -Unique | Select-Object -Last 10

        # Check if we need to block the IP: skip it when the lookup reports a whitelisted country.
        foreach ($ip in $ips) {
            $data = $web.DownloadString("http://toic.org/network/geoip/search/?query=$ip")
            if ($data -match "Country code$countries") { continue }
            else {
                netsh advfirewall firewall add rule name="$ip" dir=in remoteip=$ip protocol=TCP localport=$ports action=block | Out-Null
                netsh advfirewall firewall add rule name="$ip" dir=out remoteip=$ip protocol=TCP localport=$ports action=block | Out-Null
                $blockedips = $blockedips + $ip + "`n"
            }
        }

        # Keep the rules for 5 minutes, then remove them again.
        Start-Sleep 300
        foreach ($ip in $ips) {
            netsh advfirewall firewall delete rule name="$ip" | Out-Null
        }
    }
}
BlockSpammers
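
Here is an added example of my own (not the script above and not Smartermail code) that shows steps 2 to 4 of the script in a form you can dry-run before wiring it into the event: the log line layout, the sample IPs, the account name and the local IP whitelist that stands in for the online country lookup are all assumptions, so compare the layout with a real smtpLog.log first.

```powershell
# Constructed sample of Smartermail-style SMTP log lines (layout is an assumption).
$sampleLog = @'
[2016.03.01] 09:10:01 [203.0.113.10][1] Authenticated as victim@example.com
[2016.03.01] 09:10:02 [198.51.100.7][2] Authenticated as victim@example.com
[2016.03.01] 09:10:03 [192.0.2.44][3] Authenticated as other@example.com
[2016.03.01] 09:10:04 [203.0.113.10][4] Authenticated as victim@example.com
[2016.03.01] 09:10:05 [198.51.100.9][5] Authenticated as victim@example.comx
'@ -split "`r?`n"

function Get-OffendingIps {
    param(
        [string[]]$LogLines,
        [string]$Account,
        [string[]]$Whitelist = @(),   # exact IPs to skip (replaces the country lookup)
        [int]$Last = 10
    )
    # Escape the address and anchor it at end of line, so victim@example.com does not
    # also match victim@example.comx or victimXexample.com.
    $authPattern = 'Authenticated as ' + [regex]::Escape($Account) + '\s*$'
    $ipPattern   = '\b\d{1,3}(\.\d{1,3}){3}\b'
    $ips = foreach ($line in $LogLines) {
        # -and evaluates both matches, so $Matches holds the IP match afterwards.
        if ($line -match $authPattern -and $line -match $ipPattern) { $Matches[0] }
    }
    # Same selection as the script: unique addresses, newest ten, minus the whitelist.
    $ips | Select-Object -Unique | Select-Object -Last $Last |
        Where-Object { $Whitelist -notcontains $_ }
}

function Block-OffendingIps {
    param([string[]]$Ips, [string]$Ports = '25,465,587', [switch]$DryRun)
    foreach ($ip in $Ips) {
        foreach ($dir in 'in', 'out') {
            # Prefixed rule name so the cleanup step only ever touches rules made here.
            $cmd = "netsh advfirewall firewall add rule name=`"spm-$ip`" dir=$dir remoteip=$ip protocol=TCP localport=$Ports action=block"
            if ($DryRun) { Write-Output $cmd } else { Invoke-Expression $cmd | Out-Null }
        }
    }
}

$offenders = Get-OffendingIps -LogLines $sampleLog -Account 'victim@example.com' -Whitelist '198.51.100.7'
Block-OffendingIps -Ips $offenders -DryRun
```

Run it as-is to see which netsh commands would be issued for the sample; drop -DryRun and feed it the real log file (gc C:\Smartermail\Logs\$date-smtpLog.log) to block for real.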


You can download all files in a zip archive from HERE


Please note that you will have to allow PowerShell to run unsigned scripts (Set-ExecutionPolicy Unrestricted).

Hope it helps some of you.

Bye, Alesandro.
