Community Discussions and Support

The perfect forum for general discussions or technical questions about Mercury Mail Server.

0
-1
closed
Greenman posted Jul 31 '17 at 5:20 pm

[quote user="ruler"]Hi, I seem to have a few problems with someone hacking my Mercury mail server and sending thousands of spam emails. Is there a way to limit how many emails can be sent per user or total sent per day? It is not a fix, I know, but it may help limit the amount of junk sent out. Thanks[/quote]

How are you using Mercury/32 on your network? If you have disabled relaying controls and have open SMTP access then your server will be abused (and then blacklisted).

0
-1

 We've investigated further and actually the killfile was working fine. Our mail client (not Pegasus) writes addresses to the killfile but also sends an automated response telling the mail sender that their address has been blacklisted (just in case they are genuine). It was a bug in the automated response that was causing the crashes. We haven't found out exactly what, but we have definitely pinpointed the root cause. Again, many thanks for everyone's help.

 

Best Regards

 

Duncan

0
-1

Thanks Rolf.  I have been waiting for more evidence of this problem.

Today, I have received three messages from the same person.  One containing only text and one with images and a subject line were forwarded as expected to the two external accounts for which I have set up entries in Mercury's Global Filtering.  The third message had images but no subject line and wasn't received by the external accounts.   The transactions for all three messages were shown as successful in the SMTPRelay file (in verbose mode).

It occurs to me that my antivirus application might be the culprit.  I am investigating this as well.

 GordonM 

0
-1
closed
FJR posted Jun 13 '17 at 4:29 pm

[quote]ifnot subject has "a,e,i,o,u,1,2,3,4" and body matches "*http://*" weight 51 tag "empty subject link"

but it is catching a lot of messages maybe all that obviously have something in the subject.

Does anyone know where I am going wrong.[/quote]

"has" wants a wordlist. Normally letters are indicated to be a word by having a blank in front and afterwards: " word " (OK - may be a point or so afterwards and no blank at beginning of subject :-). I think most subjects will not include these letters and numbers standing more or less alone. That's what has gone wrong.

I'm not sure if one of these is possible, so try it yourself:

ifnot subject matches "" and body matches "*http://*" weight 51 tag "empty subject link"

ifnot subject matches "?*" and body matches "*http://*" weight 51 tag "empty subject link" 

 bye    Olaf

0
-1
closed
Greenman posted Apr 10 '17 at 5:50 pm

So long as your relaying options are set appropriately in the SMTP module and you don't allow remote connections to send mail you can ignore these. It may look like a lot is going on but your legitimate mail, inbound and outbound, will still be delivered.

0
-1
closed
PaulW posted Feb 27 '17 at 10:30 am

Nobody has replied to this in over a week and I suspect it's a problem nobody else has had before.

I've never had to change the mail destination address in the server (and I've never used "rewrite") but it seems that it can't be done by that method.

Can you give more detail on why you need to change the domain on mail (is it incoming or outgoing) and what the "issues" are that you get when the To: address doesn't match?  Maybe someone here can suggest another solution.

0
-1

[quote user="Brian Fluet"]

... Some of them are "blind link clickers" and "mindless attachment openers" so if I see a message that is of concern malware-wise I want to get it out of other mailboxes as soon as possible. ...

[/quote]

Brian

I have to give security awareness training sessions where I work which educates staff so they can look for the tell-tale signs of malicious messages and social engineering techniques. If you send me a PM with your email address I will send you a copy of my notes if you'd like them (18 pages). They contain examples etc., of alerts and are useful to give out to attendees as they can use them for their personal devices as well.

0
-1

Hi!

I have a couple of local receiver addresses in the Exclude section, and in the spamhalter log file there is a message regarding these addresses:

I 20170214 035036.021 MG00D28E Receiver excluded

So, I think it is for local receivers, but it would be interesting if Lukas could clear this up.

:)

 Jyrki 

Edit: Actually, my addresses in the exclude section are remote addresses from Mercury's point of view, because they are on our Exchange server. So maybe the exclude section is for to-addresses (local or remote), as you said.

0
-1
closed
aggg63 posted Jan 22 '17 at 11:20 pm

Hello.

I have a Mercury site at home with this configuration from About dialog. Runs in Windows 7 Professional SP1 64 bits in Spanish.

 

Mercury/32 version: Mercury/32, v4.80.149, Aug 18 2015

Operating mode: Standalone

Windows version: 6.1

MERCURY.EXE directory: C:\MERCURY

Base directory: C:\MERCURY

New mailbox location: C:\MERCURY\MAIL\~N

TMP environment variable: C:\Temp\angel

TEMP environment variable: C:\Temp\angel

[No license installed]


All works fine, but from time to time outgoing TCP/IP is blocked. I can't browse any web page; all browsers fail: IExplorer, Firefox and Maxthon. But there are incoming connections: web server Apache, FTP server, etc. The solution is to reboot the computer.

I reviewed all the programs that use TCP/IP heavily and I found this in Mercury. The MercuryD module (POP3 client) polls mail every 5 minutes from several servers and accounts (telefonica, gmail, yahoo, etc). As you can see in the session log, first there is this warning: SSL connection improperly closed by remote host. In the next poll, there is this error: OpenSSL timed out during handshake. After that, the TCP/IP protocol blocks outgoing communications. Any ideas why this happens? Don't hesitate to request more info.

Thanks a lot. Angel.

 

01:12:26.798: --- 21 Jan 2017, 1:12:26.798 ---

01:12:26.801: Connect to 'pop.gmail.com', timeout 10 seconds.

01:12:27.953: SSL/TLS session established

01:12:27.953: ECDHE-RSA-AES256-GCM-SHA384, TLSv1.2, Kx=ECDH, Au=RSA, Enc=AESGCM(256), Mac=AEAD<lf>

01:12:27.954: Peer's certificate name is '/C=US/ST=California/L=Mountain View/O=Google Inc/CN=pop.gmail.com'.

01:12:27.954: >> +OK Gpop ready for requests from 88.XXXXXXXX f35mb135943214wrf<cr><lf>

01:12:27.954: << USER XXXXXXXXXXX<cr><lf>

01:12:27.985: >> +OK send PASS<cr><lf>

01:12:27.985: << PASS XXXXXXXXXXX<cr><lf>

01:12:29.233: >> +OK Welcome.<cr><lf>

01:12:29.234: << STAT<cr><lf>

01:12:29.438: >> +OK 0 0<cr><lf>

01:12:29.439: << QUIT<cr><lf>

01:12:29.595: >> +OK Farewell.<cr><lf>

01:12:29.598: Warning: SSL connection improperly closed by remote host.

01:12:29.599: --- Connection closed normally at 21 Jan 2017, 1:12:29.599. ---

01:12:29.599:



01:17:46.538: --- 21 Jan 2017, 1:17:46.538 ---

01:17:46.541: Connect to 'pop.gmail.com', timeout 10 seconds.

01:17:57.556: OpenSSL timed out during handshake.

0
-1

Well, as you probably know, make sure your data and system state is fully backed up before moving forward. The RAID card firmware may not be OK, as I recall when upgrading a server from 2000 to 2003 I had to upgrade the firmware of the PERC card so that it would interact with 2003. Can you not buy a new server, instead of upgrading an existing one?

Also, the driver will probably be OS specific so the Win 7 setup process may not recognise the card and won't see the drives. However, if you're prepared to simply perform a fresh install of Win 7, do a backup and buy a new Win 7 compatible RAID card and use that. But, I suspect that Brian's option of simply using a Win 7 desktop for Mercury may be the easiest option.

0
-1
closed
PaulW posted Jan 13 '17 at 10:39 am

[quote user="Sr. Grumpy Bear"]Thanks for the  suggestion of Petr's daemon.  Will check into that.   Still thought though that Mercury has (had) something built into it.  

[/quote]

I think all Mercury server modules do have limits built in - but they only auto blacklist on multiple failures during the same connection.  It doesn't count attempts made on new connections.

0
-1
closed
Sr. Grumpy Bear posted Jan 10 '17 at 12:09 am

Hi Rolf,

Is it just a coincidence?  See my next post on the number of Password failures.  :) 

 

I can understand and fully accept that companies need to verify email accounts, get rid of the closed and mistyped accounts.  But like I had stated, this is a private account, not used for companies and such.  I have Gmail, Yahoo, Hotmail etc. to use for them.  Let their servers have the marketing tools requests.

For now, I guess I will just leave it unblocked, but will watch it. 

 Thanks for your thoughts. 

 

0
-1

We have two branch offices. Email to users at these offices comes to Mercury (v4.80) at our main office (eg user1@eslers.com.au) and is redirected to the appropriate site using aliases (eg user1@branch1.eslers.com.au).

If a user at a branch office sends an email to a user at head office with delivery confirmation, Mercury seems to attempt to send the confirmation email ignoring the alias for that user, so I can see on the MercuryE window:

15:50:48: processing job MO005185
Resolved MX for 'eslers.com.au' to 115.69.20.109
Connecting to 115.69.20.109
Connection error.

There seem to be two problems here. One is that the module handling the delivery confirmation ignores the alias, and the other is that Mercury is using MercuryE to send to a local address.

Does anyone know how to fix this?

Pat

 
