List rogue connections

PostPosted: Tue Aug 27, 2019 9:41 am
by sjoram
I'm seeing a significant increase in the number of remote rogue hosts attempting connections to AMS, mainly via SMTP.

I see these failing in the logs and login being disallowed. Is there any way to get a 'list' of addresses that have failed, for example, within the past 24 hours, so that I could add these to be dropped at a network (firewall) level? I have seen instances where CPU utilisation has spiked with AMS and I have had to restart the service to recover. My suspicion is that this is due to spikes in concurrent rogue connections.

Re: List rogue connections

PostPosted: Tue Aug 27, 2019 10:10 pm
by Code Crafters
You can only gather this information from the SMTP logs as you mentioned.

If you want us to create you a custom app to search the logs and output certain offending IPs to another file, we can give you a quote to do this. If interested, contact for more information.
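Pulling the failing addresses out of the SMTP logs, as asked in the opening post and as this reply points to, can be scripted. The following is an added example and is not AMS code, nor anything supplied by Code Crafters: the log line layout ("YYYY-MM-DD HH:MM:SS [ip] message"), the SAMPLE_LOG lines, the NOW timestamp and the function names failed_logins, offenders and address_list_text are all constructed assumptions, so LINE_RE and FAIL_RE have to be adapted to the real AMS SMTP log format. It keeps only failed-login lines inside a 24-hour window, discards lines in another layout or with a malformed address field instead of crashing or passing junk on, counts failures per source address, and renders an "address count" list that a firewall import script can ingest.

```python
"""Count failed SMTP logins per source address over a time window.

Added example, not AMS code. The log layout ("YYYY-MM-DD HH:MM:SS [ip] message")
is a constructed assumption; adjust LINE_RE and FAIL_RE to the real AMS SMTP log.
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log in the assumed layout. Addresses are documentation ranges.
SAMPLE_LOG = """\
2019-08-27 08:01:12 [203.0.113.10] AUTH LOGIN failed for user 'admin'
2019-08-27 08:01:15 [203.0.113.10] AUTH LOGIN failed for user 'test'
2019-08-27 08:02:40 [198.51.100.7] AUTH LOGIN failed for user 'info'
2019-08-27 08:03:01 [192.0.2.55] Connection accepted
2019-08-27 08:03:05 [192.0.2.55] AUTH LOGIN succeeded for user 'alice'
2019-08-26 07:59:59 [198.51.100.9] AUTH LOGIN failed for user 'root'
2019-08-27 08:05:00 [203.0.113.10] AUTH LOGIN failed for user 'sales'
2019-08-27 08:06:00 [not-an-ip] AUTH LOGIN failed for user 'x'
this line is in some other format and must be skipped, not crash the run
"""

# Assumed "now" for the sample: the time of the opening post.
NOW = datetime(2019, 8, 27, 9, 41, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<ip>[^\]]+)\] (?P<msg>.*)$"
)
# Matches the assumed failure wording; "succeeded" lines do not match.
FAIL_RE = re.compile(r"\b(?:auth|login)\b.*\bfail", re.IGNORECASE)


def failed_logins(log_text=SAMPLE_LOG, now=NOW, window=timedelta(hours=24), min_count=1):
    """Return {ip: failures} for failed logins with now - window <= ts <= now."""
    cutoff = now - window
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line layout: skip it
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if not cutoff <= ts <= now:
            continue  # outside the window (e.g. older than 24 h)
        if not FAIL_RE.search(m["msg"]):
            continue  # not a failed login
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field: never feed junk to the firewall
        counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_count}


def offenders(counts):
    """Addresses ordered by failure count (highest first), then by address."""
    return [ip for ip, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


def address_list_text(counts):
    """One 'address count' line per offender, a shape a firewall import script can ingest."""
    return "\n".join(f"{ip} {counts[ip]}" for ip in offenders(counts))


if __name__ == "__main__":
    print(address_list_text(failed_logins()))
```

Run against the real log with `failed_logins(open(path).read(), datetime.now())`; raising `min_count` (for example to 5) keeps a single mistyped password from landing a legitimate user on the drop list.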

Re: List rogue connections

PostPosted: Fri Aug 30, 2019 10:16 pm
by sjoram
Thanks, I have dropped a /16 network on my firewall which has eliminated a fair swathe of recent rogue traffic.

I'm still seeing AMS sitting at no less than 50% CPU and having spikes up towards 100% when clients connect. One mobile device has started having problems with both push (IDLE) and fetch style IMAP in the past few days.

I am running an older version of 3.x that hasn't had an update in quite some time and has only recently begun exhibiting this behaviour, so I can't even be sure that upgrading to the latest version 4.x will improve things, but that is on my list to do in the near future. Home server, so budget considerations! :D

Re: List rogue connections

PostPosted: Sat Aug 31, 2019 7:20 am
by sjoram
I've now switched all of my Android clients to fetch every 15 mins rather than operate on push and they seem to have settled, for now.

One was refusing to connect at all for some time due to a "security error". I'm using a Let's Encrypt wildcard SSL which is working fine on other clients.

I had used IISCrypto set to 'best practices'; I re-enabled some old protocols in case that was causing an issue, but haven't rebooted the OS since making that change.

Re: List rogue connections

PostPosted: Wed Sep 04, 2019 10:13 pm
by Code Crafters
Ability Mail Server 4 has a new, much improved WebMail system. It also has newer SSL updates, but otherwise it may not improve your issues. You can try it free for 30 days to see if it helps though. See to download a free trial and ... ateHistory for all updates.

Re: List rogue connections

PostPosted: Wed Jan 22, 2020 7:35 pm
by sjoram
Quick update to this for the benefit of others...

I resolved the issue I had with Android clients using the Let's Encrypt cert. It wasn't an issue with the cert per se, but Let's Encrypt provides the ca_bundle intermediate & root certs as a separate file.
During the process of converting the Let's Encrypt cert into various formats for different applications, my lack of knowledge meant that I'd missed the fact I needed to include that as part of the certificate chain.
As soon as I did so, Android clients behaved normally. I'm only using Windows/Android devices for IMAP/SMTP and Windows behaved fine at all times, hence it took a while to spot.

With regards to the original issue, I've also found that a website is providing a free service of daily updated blacklisted IP addresses/subnets (, spamhaus and dshield, also known TOR nodes) in a format that my firewall can ingest to an address list through a script. This has eliminated 95% of malicious connection attempts previously seen in AMS logs. I haven't since seen any issues with a DoS type scenario.

Re: List rogue connections

PostPosted: Mon Jan 27, 2020 11:08 pm
by Code Crafters
Thanks for the extra information. Hopefully this will help others.

Re: List rogue connections

PostPosted: Thu Jan 30, 2020 5:08 pm
by EKjellquist
Been using Let's Encrypt for a few years now; I use their le64.exe along with DNS verification to generate my certs for various things. I use the following command for certs for AMS specifically:

le64.exe -key <Domain Name>.key -csr <mail subdomain>.csr -csr-key <mail subdomain>.key -crt <mail subdomain>.crt -domains "<mail subdomain>" -generate-missing -handle-as dns -live

<Domain Name> is my main domain and <mail subdomain> is in the form of The above will generate a 4096-bit RSA PEM-style cert with key by default that works right in AMS' cert import tool. AFAIK AMS/AFS don't yet support more rigorous ECC curve certs, but 4096 RSA is still pretty good as of this writing.

The only thing you need in this method is access to your domain registrar so you can add a temporary TXT entry (which shows that you 'own' the domain), but it's pretty quick, takes me perhaps 5 mins to process and update the certs to AMS every ~85 days or so.

Re: List rogue connections

PostPosted: Sun Apr 12, 2020 2:25 pm
by sjoram
Thought I would post an update regarding my reference to firewall dynamic blacklists.
I found SquidBlacklist which someone had written for my router vendor, Mikrotik's RouterOS.
I was using this for a number of months but noticed that it had stopped working.
I later learned that the guy running the site and code had passed away several months prior. It had continued for a while under automation but eventually the service stopped.
I managed to find a replacement script which queries various published lists directly.
I thought I would share my RouterOS script as I'm sure it could be adapted to suit other platforms.
I have the script running once daily or on reboot. The first action is to clear the existing content of the list and then re-import the latest entries.
I then have a firewall rule at the top of my policy before anything else to drop any traffic with a source address matching the list.
I also have a further list & rules for IP addresses or subnets manually added from being observed in AMS logs etc.

Code:
# Clear the dynamic list completely, then rebuild it from each published feed.
/ip firewall address-list remove [/ip firewall address-list find list=dynamicblacklist]
/ip firewall address-list
:local update do={
    :do {
        # Fetch the feed into memory as one string
        :local data ([:tool fetch url=$url output=user as-value]->"data")
        # Drop this feed's previous entries (tagged by comment) before re-adding them
        remove [find list=dynamicblacklist comment=$description]
        :while ([:len $data]!=0) do={
            # Only lines that begin with a dotted-quad address are candidates (dots escaped, so "." is literal)
            :if ([:pick $data 0 [:find $data "\n"]]~"^[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}") do={
                # First field up to the delimiter is the address; $cidr is appended where the feed lists bare addresses
                :do {add list=dynamicblacklist address=([:pick $data 0 [:find $data $delimiter]].$cidr) comment=$description timeout=2d} on-error={}
            }
            # Advance to the next line; this sits outside the :if so a non-matching line cannot loop forever
            :set data [:pick $data ([:find $data "\n"]+1) [:len $data]]
        }
    } on-error={:log warning "Address list <$description> update failed"}
}
# The feed URLs were not preserved in the post as captured; each url= needs the list's published address
$update url= description="dshield" delimiter=("\t") cidr=/24
$update url= description="spamhausdrop" delimiter=("\_")
$update url= description="spamhausextended" delimiter=("\_")
$update url= description="bambenek" delimiter=("\2C")
$update url= description="abuse-ch" delimiter=("\r")
$update url= description="Malc0de" delimiter=("\n")
$update url= description="FireHOL Level2" delimiter=("\n")
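For anyone adapting the above approach to another platform, the following is an added example in Python; it is not the RouterOS script from the post and not code from any of the list providers. Per feed it does what that script does: take the first field up to a delimiter, keep only lines that carry an address, and append a default prefix length where the feed lists bare addresses. It goes a little further than the script in two ways: it validates with the ipaddress module instead of a regex, so a junk field such as "999.1.1.1" is rejected rather than imported, and it collapses overlapping or adjacent entries into the minimal set of networks before rendering the rebuild as RouterOS address-list commands. The FEEDS excerpts, their comment markers and column layouts, and the names parse_feed, build_blocklist and routeros_commands are constructed assumptions; the real feeds may differ in detail.

```python
"""Normalise several IP blocklist feeds into one deduplicated set of networks.

Added example, not the RouterOS script from the post. It mirrors that script per feed
(first field up to a delimiter, address lines only, default CIDR for bare addresses),
validates with ipaddress instead of a regex, and collapses overlapping networks.
The feed excerpts and their formats are constructed assumptions.
"""
import ipaddress

# Constructed feed excerpts: description -> (delimiter, cidr for bare addresses, text).
FEEDS = {
    "dshield": ("\t", "/24",
                "# Start\tEnd\tNetmask\tAttacks\tName (constructed)\n"
                "203.0.113.0\t203.0.113.255\t24\t1200\tEXAMPLE\n"
                "198.51.100.0\t198.51.100.255\t24\t800\tEXAMPLE\n"),
    "spamhausdrop": (" ", "",
                     "; Spamhaus DROP list (constructed)\n"
                     "192.0.2.0/24 ; SBL000001\n"
                     "198.51.100.0/25 ; SBL000002\n"),
    "bambenek": (",", "/32",
                 "# ip,description,date,url (constructed)\n"
                 "203.0.113.77,C2 example,2020-04-01,http://example.invalid\n"
                 "999.1.1.1,malformed,2020-04-01,http://example.invalid\n"),
    "abuse-ch": ("\r", "/32", "203.0.113.77\r\n203.0.113.78\r\n"),
    "firehol": ("\n", "", "# one network per line (constructed)\n192.0.2.128/25\n"),
}


def parse_feed(text, delimiter, cidr=""):
    """Return the set of IPv4 networks in one feed; comment and junk lines are skipped."""
    nets = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment line
        field = line.split(delimiter, 1)[0].strip()
        if "/" not in field:
            field += cidr  # bare address: apply the feed's default prefix length
        try:
            # strict=False floors a host address such as 203.0.113.5/24 to its network
            net = ipaddress.ip_network(field, strict=False)
        except ValueError:
            continue  # not an address or network: never let it reach the firewall
        if net.version == 4:
            nets.add(net)
    return nets


def build_blocklist(feeds=FEEDS):
    """Merge all feeds and collapse overlapping or adjacent networks into the minimal set."""
    merged = set()
    for delimiter, cidr, text in feeds.values():
        merged |= parse_feed(text, delimiter, cidr)
    return list(ipaddress.collapse_addresses(merged))


def routeros_commands(nets, list_name="dynamicblacklist", timeout="2d"):
    """Render the rebuild as RouterOS CLI lines: clear the list, then one add per network."""
    cmds = [f"/ip firewall address-list remove [find list={list_name}]"]
    cmds += [
        f"/ip firewall address-list add list={list_name} address={net} timeout={timeout}"
        for net in nets
    ]
    return cmds


if __name__ == "__main__":
    print("\n".join(routeros_commands(build_blocklist())))
```

Collapsing matters on a router: the three /24s above replace seven raw entries, and a drop rule placed at the top of the filter chain is evaluated on every packet, so fewer, wider entries keep the lookup cheap. The default prefix length (/24 for a feed that lists /24 blocks, /32 for single hosts) is the one piece of per-feed knowledge that has to be right, since a wrong value silently widens or narrows what gets dropped.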

Re: List rogue connections

PostPosted: Tue Apr 14, 2020 10:15 am
by Code Crafters
Thanks for the update.