In the world of Windows email servers, Hmail server is number one. Many businesses, institutions, and even large corporations have been using it for many years. I have been using it for more than five years, but I was concerned about its security features right from the beginning…
Hmail server has four email delivery configurations:
- Local to Local
- Local to External
- External to Local
- External to External (please see the picture in the URL as well).
According to their configuration suggestions and their hard-coded protocols (or design, or whatever anyone would call it), anyone who doesn’t have physical access to the server, has no account on the server, and has no access to the local network would not have any reach on the first three protocols to mess around with the server. Only if an ignorant and stupid server engineer checks the last, #4 protocol can someone from outside use your server as a portal, a spamming machine, sending emails through it continuously with a program.
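To make the four delivery directions concrete, here is an added example (my own Python, not hMailServer’s code and not something from the original post) that models the per-IP-range choices as a small policy check: which directions a client range may deliver in, and which of those additionally demand SMTP authentication. The “weak” rule set is the situation described above, with the first three options allowed and no password required; the “hardened” one requires authentication for any delivery that claims a local sender, and keeps External to Local open so mail from the internet to your own mailboxes still arrives. The domain `example.com`, the sample addresses, and the names `RangeRules`, `should_accept` and `is_open_relay` are all constructed for this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed: the domain(s) this server hosts mailboxes for.
LOCAL_DOMAINS = {"example.com"}

# The four delivery directions from the post, as labels.
L2L = "local_to_local"
L2E = "local_to_external"
E2L = "external_to_local"
E2E = "external_to_external"


@dataclass(frozen=True)
class RangeRules:
    """Rules for one client IP range: which directions it may deliver in,
    and which of those additionally require a successful SMTP AUTH."""
    allow: FrozenSet[str]
    require_auth: FrozenSet[str]


def is_local(address: str) -> bool:
    """True when the address's domain is one we host."""
    return address.rpartition("@")[2].lower() in LOCAL_DOMAINS


def direction(sender: str, recipient: str) -> str:
    """Classify a MAIL FROM / RCPT TO pair into one of the four directions."""
    return {
        (True, True): L2L,
        (True, False): L2E,
        (False, True): E2L,
        (False, False): E2E,
    }[(is_local(sender), is_local(recipient))]


def should_accept(rules: RangeRules, sender: str, recipient: str,
                  authenticated: bool) -> Tuple[bool, str]:
    """Decide whether this delivery is accepted under the range's rules."""
    d = direction(sender, recipient)
    if d not in rules.allow:
        return False, f"{d}: not allowed for this IP range"
    if d in rules.require_auth and not authenticated:
        return False, f"{d}: SMTP authentication required"
    return True, f"{d}: accepted"


# "Before": first three directions allowed, none password-protected, #4 unchecked.
# An unauthenticated client that merely *claims* a local sender can relay outward.
WEAK = RangeRules(allow=frozenset({L2L, L2E, E2L}), require_auth=frozenset())

# "After": any delivery claiming a local sender must authenticate, which a made-up
# account cannot do. External to Local stays open so mail from the internet to our
# own mailboxes is still received.
HARDENED = RangeRules(allow=frozenset({L2L, L2E, E2L}),
                      require_auth=frozenset({L2L, L2E}))


def is_open_relay(rules: RangeRules) -> bool:
    """Self-check: can an unauthenticated client get mail out to an external
    recipient through this range, by claiming either a local or an external
    sender?"""
    outside = "someone@other.example"
    return any(should_accept(rules, s, outside, authenticated=False)[0]
               for s in ("ghost@example.com", "sender@other.example"))


if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        ok, why = should_accept(rules, "ghost@example.com",
                                "someone@other.example", False)
        print(f"{name:8} unauthenticated ghost@example.com -> external: {ok} ({why})")
        print(f"{name:8} open relay: {is_open_relay(rules)}")
```

The point the check makes explicit: with the weak rules a client that never authenticates can send outward just by putting your domain in MAIL FROM, whether or not that mailbox exists; once Local to Local and Local to External require authentication, a non-existent account has no password to present and the delivery is refused before any message is queued.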
However, some group of hackers somewhere in the world has figured out a way to work around this, using weaknesses in the Hmail server code, to make the first 3 protocol options act like #4. My email server, and many other Hmail servers, turned into monster spamming machines in the last several days, but I caught it.
I battled with this challenging problem, picking my brain for what the solution to remedy it could be. I was ready to resort to the last option: forfeit using Hmail server and use the Apache James email server instead. I have much more respect for the Apache Foundation and all their products than for Hmail. I thought my admin password had been hacked and changed it, but that wasn’t the case and it didn’t help. I tried blocking specific IPs at my Windows Firewall, but the hack program had many IP addresses at its disposal and it automatically changed them. I tried limiting allowed connections, groups, and the ability to send to multiple addresses to only 1 each; still, it didn’t stop this hack program. My email server still executed spam emails one by one at explosive speed, even with just one connection! I did extensive research on the internet via Google to see what the issue could be and found that fresh hack report URL.
First, I have to bow to the douchebag hackers who worked so hard to annoy everyone running Hmail servers all over the world! Their program is so powerful that it can adjust itself in a few seconds, it can change its IP addresses to come through the firewall with different IPs, and it makes up all its email accounts (or addresses) ending with your domain extension, but the physical email accounts don’t even exist on the email server.
For example, if 1000 connections over the SMTP, IMAP, or POP protocols are allowed, with emailing capabilities to whatever number of lists is allowed from an account up to the maximum number allowed, such as 10,000 emails at once, it will use the maximum allowable resources on the Hmail server to send out emails to all kinds of email addresses tirelessly every second. The Hmail server logs will explode to 10 gigabytes or more in just about 3 days, and the sent-data-archive directory will explode the same way. This could crash the whole physical server if no one catches it in time. In addition, all that connection traffic will act like a DDoS attack on the bandwidth of the mail server, all other servers on the physical machine, the whole network, and your entire internet line.
I experimented to see how smart their spamming/hacking program was. Blocking their IP addresses manually via the firewall didn’t help; changing the allowed connections to even 1 per account with the ability to send only 1 email at a time (no list, no multi-domain) didn’t help. The hack program didn’t need a physical account to exist in your domain to send the email, but it did need to obey your rule settings, like the limits described above. So what did it do? It tried to send many emails, one email from one non-existent fake account each, to accomplish its spamming needs, so it created many non-existent fake accounts and kept spamming, using the Hmail server involuntarily. Again, it didn’t need your admin password to be hacked. The hackers have found some holes in the hard-coded protocols to exploit it. The Hmail developers really need to fix this problem ASAP. For now, putting passwords on the first three protocols kicked the hacking program out of the Hmail server; it will automatically kick out the repeated failed-authentication connection attempts. Unfortunately, this hacking incident created a mess for many email server IP addresses with good reputations, like mine, which got blacklisted.
PS. I also put up a live log view of what’s going on. The IP address in the middle, 43.38.144.202, is the bad guys’ IP.
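As an added example, not part of the original post: a small Python checker that reads SMTPD log lines and flags the pattern described above, one remote IP presenting many different sender addresses at your own domain that do not correspond to any real mailbox. The log lines are constructed for this example in the tab-separated, quoted-field shape of an hMailServer SMTPD log (component, process id, session id, timestamp, remote IP, message), with the remote IP in the middle field as the post notes; `example.com`, the mailbox list, the IPs, the hypothetical helper names and the threshold are all made up here.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, Optional, Tuple

LOCAL_DOMAIN = "example.com"        # constructed: the domain this server hosts
KNOWN_MAILBOXES = {"alice", "bob"}  # constructed: accounts that really exist

# Constructed sample in the shape of an hMailServer SMTPD log: tab-separated fields
# component, pid, session id, "timestamp", "remote IP", "message". Every line below
# is made up for this example; 203.0.113.7 plays the abusive client.
SAMPLE_LOG = """\
"SMTPD"\t3596\t11\t"2024-01-01 10:00:01.001"\t"203.0.113.7"\t"Connected"
"SMTPD"\t3596\t11\t"2024-01-01 10:00:01.120"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<qz8t1@example.com>"
"SMTPD"\t3596\t12\t"2024-01-01 10:00:01.430"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<mk22p@example.com>"
"SMTPD"\t3596\t13\t"2024-01-01 10:00:01.780"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<x9a0f@example.com>"
"SMTPD"\t3596\t14\t"2024-01-01 10:00:02.050"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<b7ee3@example.com>"
"SMTPD"\t3596\t15\t"2024-01-01 10:00:02.310"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<qz8t1@example.com>"
"SMTPD"\t3596\t16\t"2024-01-01 10:00:02.600"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<p0l4r@example.com>"
"SMTPD"\t3596\t17\t"2024-01-01 10:00:02.910"\t"203.0.113.7"\t"RECEIVED: MAIL FROM:<ww1q9@example.com>"
"SMTPD"\t3596\t18\t"2024-01-01 10:00:03.200"\t"198.51.100.3"\t"RECEIVED: MAIL FROM:<alice@example.com>"
"SMTPD"\t3596\t19\t"2024-01-01 10:00:03.500"\t"192.0.2.9"\t"RECEIVED: MAIL FROM:<news@other.example>"
"""

# One SMTPD line: component, pid, session, "timestamp", "remote ip", "message".
LINE_RE = re.compile(r'^"SMTPD"\t\d+\t\d+\t"([^"]*)"\t"([^"]*)"\t"(.*)"$')
MAIL_FROM_RE = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)


def parse_mail_from(line: str) -> Optional[Tuple[str, str]]:
    """Return (remote_ip, sender) for a MAIL FROM line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _timestamp, ip, message = m.groups()
    mf = MAIL_FROM_RE.search(message)
    if not mf:
        return None
    return ip, mf.group(1).strip().lower()


def is_bogus_local_sender(sender: str) -> bool:
    """A sender at our own domain whose local part is not a mailbox we host."""
    local, _, domain = sender.rpartition("@")
    return domain == LOCAL_DOMAIN and local not in KNOWN_MAILBOXES


def flag_relay_abuse(log_text: str, min_bogus_senders: int = 5) -> Dict[str, Dict[str, int]]:
    """Per remote IP, count MAIL FROM attempts and distinct made-up local senders;
    report the IPs that used at least min_bogus_senders different fake accounts."""
    attempts: Counter = Counter()
    bogus: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_mail_from(line)
        if rec is None:
            continue
        ip, sender = rec
        attempts[ip] += 1
        if is_bogus_local_sender(sender):
            bogus[ip].add(sender)
    return {
        ip: {"bogus_senders": len(senders), "attempts": attempts[ip]}
        for ip, senders in bogus.items()
        if len(senders) >= min_bogus_senders
    }


if __name__ == "__main__":
    for ip, stats in flag_relay_abuse(SAMPLE_LOG).items():
        print(f"{ip}: {stats['bogus_senders']} fake local senders "
              f"over {stats['attempts']} MAIL FROM attempts")
```

Because the program sends one message per made-up account, a per-connection or per-recipient limit never trips; what does stand out is the number of distinct non-existent senders one IP claims, which is what this checker counts. Run it over the real log to confirm the pattern, and keep the authentication requirement on the local-sender directions as the fix, since the source IPs rotate.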