Clicky

20200208

hMailserver geolocation blacklist

The purpose of the next scripts is twofold:
  1. Block email sessions of email servers that are on the blacklist
  2. Automatically create a blocking firewall rule in case of bad behaving or misconfigured remote email servers
Let start with requirement #1: We use here the free gelocation service (max 20 lookups per minute) of https://extreme-ip-lookup.com. They provide different IP-to-Geo lookup methods. Here we use the JSONP method:

The IP address of the remote email server is available in the OnClientConnect subroutine of the hMailserver EventHandler.vbs script. The code to obtain the remote emailserver's IP address is this:

Sub OnClientConnect(oClient)

    Const BlackList=" AR BG BO BR CC CM CO GA IN IQ IR KE KZ MA ME MX RO RO RU TH TH TK TW UA VN "
      
    geoLocation = IPtoGeo(oClient.ipaddress)


    if len(geoLocation) = 2 and geoLocation <> "XX" then
        if Instr(Blacklist, geoLocation) > 0 then
            Eventlog.Write("[Blacklist] OnClientConnect: " & oClient.ipaddress & " - " & geoLocation & " is in the Blacklist and the session is disconnected.")
          
            '--- Reject message...
            Result.Value = 1   
        end if
      
    end if

End Sub


We use a seperate function (IPtoGeo) to map the IP address to a countrycode. The function IPtoGeo looks like this:

function IPtoGeo(IPaddr)

    Const countryString = """countryCode"".*"   
   
    geoLocation = "XX"
   
    if Instr(IPaddr,"192.168.") <> 1 and Instr(IPaddr,"10.") <> 1 and Instr(IPaddr,"127.") <> 1 then
   
        lookupGeolocation = "https://extreme-ip-lookup.com/json/" & IPaddr & "?callback=getIP"
       
        Set objHTTP = CreateObject("Msxml2.XMLHTTP")
        objHTTP.open "GET", lookupGeolocation, False
        objHTTP.send
        returnString = Cstr(objHTTP.responseText)

        set objRegexp = new RegExp
        objRegexp.pattern = countryString
        objRegexp.ignoreCase = true
        objRegexp.global = false
        set matches = objRegexp.execute(returnString)
       
        if matches.count = 1 then
            s = matches(0).value
            t = split(s,":")
            u = split(t(1), chr(34))
            geoLocation = u(1)
        end if
       
    end if

    IPtoGeo = geoLocation

end function


When an IP address is mapped to a country code that is the blacklist (Const BlackList), the email session is disconnected (Result.Value = 1) and the hMailserver eventlog (hmailserver_events.log) shows:

4376    "2020-02-08 03:36:46.319"    "[Blacklist] OnClientConnect: 79.124.62.14 - BG is in the Blacklist and the session is disconnected."

It happens somtimes that remote email servers start retrying or even hammering the hMailserver after a rejected session. E.g. I found a remote email server continuously trying to connect twice per minute. We want to block those connections in an earlier stage.

So for requirement #2 we use a small Powershell script to create a firewall block rule. We use Powershell because the regular expressions in VBscript are slow and Powershell provides the -Match method and an easy method to set a firewall rule.

$maxAttempts = 10
$logFile = get-content "d:\hMailserver\logs\hmailserver_events.log"
$today = (get-date).ToString("yyyy-MM-dd")
$searchBase = ($logFile -match $today)

$ip = $args[0]

if ($ip -match "(?:[0-9]{1,3}\.){3}[0-9]{1,3}")
{
    $hammerCount = $searchBase -match $ip
    if ($hammerCount.count -GT
$maxAttempts) {
        $ruleDate = (get-date).toString("yyyy-MM-dd")
        $blockName = "hammerBlock ($IP, $ruleDate)"
        write-host "*** Setting rule: $blockName"
        $ruleExists = Get-NetFirewallRule -DisplayName $blockName -erroraction SilentlyContinue
        if ($ruleExists) {
            Remove-NetFirewallRule -DisplayName $blockName
        }
        New-NetFirewallRule -DisplayName $blockName -Direction Inbound -Action Block -RemoteAddress $IP | out-null
    }
}   


The powershell script (hammerBlock.ps1) is called in the OnClientConnect sub:

Sub OnClientConnect(oClient)

    dim wsh

    Const BlackList=" AR BG BO BR CC CM CO GA IN IQ IR KE KZ MA ME MX RO RO RU TH TH TK TW UA VN "

    set wsh = CreateObject("wscript.shell")
       
    geoLocation = IPtoGeo(oClient.ipaddress)
    if len(geoLocation) = 2 and geoLocation <> "XX" then
        if Instr(Blacklist,geoLocation) > 0 then
            Eventlog.Write("[Blacklist] OnClientConnect: " & oClient.ipaddress & " - " & geoLocation & " is in the Blacklist and the session is disconnected.")
           
            '--- Run the Firewall block script from here...
            runString = "powershell -file ""c:\scripts\hammerBlock.ps1"" " & oClient.ipaddress
            wsh.run runString,0,true

           
            '--- Disconnect...
            Result.Value = 1    
        end if
       
    end if

End Sub


When a remote email server, that is in the blocklist, tries to connect more than 10 times on one day, a firewall block rule is created. The rule looks like this:


I know that there are many more methods to block sessions based on geolocation. Most of them are quite hard to configure and maintain. With the scripts above, all work is executed in the hMailserver ecosystem. This also allows easy management and migration to other hMailserver instancesor adapt the scripts here for different purposes.


No comments :

Post a Comment

Real Time Web Analytics