Jackson1990-7147 asked SunnyQi-MSFT commented

Proper rule to create

Hi,
I have already created the rule below:

netsh advfirewall firewall add rule name="NETRule8/04/2021 14:16:37_1" dir=in action=block remoteip=5.188.1.1-5.188.255.255

but the IP 5.188.206.246 is still creating bad activity on the email server, like:

2021-04-08 20:21:14 htwnmmiqwvpt@ump.gwdg.de operations@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-08 20:21:38 qplaiebpykgy@ump.gwdg.de oyqjaafslj@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-08 20:51:00 vzumobgvjdb@lighthouseapostolicchurch.net acnfrkbnwx@my???????.?? 5.188.206.246 127.0.0.1 SMTP ? 550 0

How can I protect the server properly?


Tags: windows-server, windows-server-2016, windows-server-infrastructure
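Added example (editor's, not part of the thread): a PowerShell check that tells apart "the rule does not match this address" from "the rule is not in effect on the interface receiving the traffic", followed by a per-source count of attempts in the mail-server log. The rule name and the source address 5.188.206.246 are taken from the question; the SMTP log column layout, the recipient domains in the sample lines, and the helper function names are assumptions.

```powershell
# Added example (editor's, not from the thread): verify that the block rule from the
# question really covers 5.188.206.246, and count SMTP attempts per source address.
# The rule name and the source IP come from the thread; the SMTP log column layout
# and the sample recipient addresses are assumptions.

$RuleName = 'NETRule8/04/2021 14:16:37_1'   # name used in the netsh command above
$Offender = '5.188.206.246'

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$Address)
    # Big-endian uint32 so that numeric order equals dotted-quad order
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InRange {
    # $Range is a single address or 'first-last', the form netsh and PowerShell show for remoteip ranges
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Range)
    $lo, $hi = $Range -split '-', 2
    if (-not $hi) { $hi = $lo }
    $a = ConvertTo-IPv4Int $Address
    return ($a -ge (ConvertTo-IPv4Int $lo)) -and ($a -le (ConvertTo-IPv4Int $hi))
}

# 1. Rule present, enabled, inbound, blocking, and assigned to which profiles?
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction Stop
$rule | Select-Object DisplayName, Enabled, Direction, Action, Profile | Format-List

# 2. Does the rule's remote-address filter contain the offender?
#    (CIDR entries such as 5.188.0.0/16 are not parsed here; extend Test-IPv4InRange if you use them)
$remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
$covered = $false
foreach ($entry in @($remote)) {
    if ($entry -eq 'Any') { $covered = $true; break }
    if ($entry -match '^\d+(\.\d+){3}(-\d+(\.\d+){3})?$' -and (Test-IPv4InRange -Address $Offender -Range $entry)) {
        $covered = $true; break
    }
}
"Rule '$RuleName' covers $Offender : $covered"

# 3. A rule only applies in profiles that are enabled and active on the interface
#    receiving the traffic; a rule scoped to Domain does nothing on a Public-category NIC.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
Get-NetFirewallProfile    | Select-Object Name, Enabled, DefaultInboundAction

# 4. Attempts per source address in the mail-server log. Column layout assumed from
#    the quoted lines: date time sender recipient source-ip local-ip proto ? status 0.
#    Sample lines are constructed (recipient domains replaced with example.com).
$smtpLog = @'
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it tyler@example.com 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it dale@example.com 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:23 someone@example.net bob@example.com 198.51.100.20 127.0.0.1 SMTP ? 250 0
'@

$smtpLog -split "`r?`n" |
    Where-Object { $_ -match '\S' } |
    ForEach-Object { ($_ -split '\s+')[4] } |   # column 5 is the connecting address
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell on the server. A 550 reply can only be sent on an established TCP connection, so the quoted SMTP lines show the traffic got past the firewall; step 2 answers whether the range matches at all, and step 3 whether the rule's profile is the one active on that interface. The same rule details are available from cmd with `netsh advfirewall firewall show rule name="NETRule8/04/2021 14:16:37_1" verbose`.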

Jackson1990-7147 answered Jackson1990-7147 published

Hi,
There is a rule (created on the server) like:

netsh advfirewall firewall add rule name="NETRule8/04/2021 17:55:37_1" dir=in action=block remoteip=5.188.1.1-5.188.255.255

but there are many tryouts (hundreds of similar lines) by that IP, like:

2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it tyler@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it dale@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it catherine@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it jonas@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it megan@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0
2021-04-13 08:47:22 595gz1pi6b2b5kug@giochiegiocattoli.it roy@?????.??om 5.188.206.246 127.0.0.1 SMTP ? 550 0

How do I stop it?



Jackson1990-7147 answered cheong00 commented

Hi,
It seems I cannot post a comment to this thread properly. When I re-open the current thread, my previous comment disappears! (See my current comment below.)
[attachment: 1f.png]

cheong00 commented:

Your comment has been caught by the system as spam because of the email addresses in it.

If you wait some time, we'll release it after visually verifying it's not spam.
SunnyQi-MSFT answered

Hi,

Thank you very much for your reply.

May I know whether you have checked the firewall log to see if network traffic from these remote IPs has been blocked by Windows Firewall? If yes, then Windows Firewall is working properly. Network traffic must arrive at the firewall first, and the firewall will check whether the IP matches the inbound rules we configured before. We cannot decide when the device with IP 5.188.206.246 will send traffic to our machine; what we can do is, when the traffic arrives at our machine, have our machine drop the traffic via the firewall. As for the workflow of the firewall, please refer to my first reply.

Regarding your issue, blocking traffic from specific remote IP addresses, from the Windows perspective we usually recommend that users block these IPs via Windows Firewall.

And if you want to make your server safer, I would also recommend using some third-party anti-virus software to protect your server.

Here is a similar thread discussed before for your reference:

Why does Windows Firewall let inbound traffic from an IP get through to MalwareBytes?

Meanwhile, here are two articles talking about how to track firewall activity with the Windows Firewall log for your reference:

How to Track Firewall Activity with the Windows Firewall Log

https://www.howtoip.com/how-to-track-firewall-activity-with-the-windows-firewall-log/
Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Sunny


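Added example (editor's, not part of the answer above): a small parser for the W3C-style Windows Firewall log that the answer suggests checking, summarising DROP entries per source address and destination port so that you can see whether connections from 5.188.206.246 are actually being dropped. The field order is the one the `#Fields:` header line of pfirewall.log declares; the sample log lines below are constructed, and the function names are the editor's.

```powershell
# Added example (editor's, not from the thread): summarise DROP events in pfirewall.log
# per source address and destination port. Columns are taken from the file's own
# "#Fields:" header line; the sample lines are constructed.

$sample = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2021-04-13 08:47:20 DROP TCP 5.188.206.246 192.0.2.10 51234 25 52 S 123456 0 8192 - - - RECEIVE
2021-04-13 08:47:21 DROP TCP 5.188.206.246 192.0.2.10 51235 25 52 S 123457 0 8192 - - - RECEIVE
2021-04-13 08:47:22 ALLOW TCP 198.51.100.7 192.0.2.10 40000 25 52 S 5555 0 8192 - - - RECEIVE
2021-04-13 08:47:23 DROP UDP 203.0.113.9 192.0.2.10 53 53 78 - - - - - - - RECEIVE
'@

function Read-FirewallLog {
    # Turn log lines into objects whose property names are the header's field names
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { continue }      # no header seen yet, columns cannot be mapped
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $obj[$fields[$i]] = $values[$i]
        }
        [pscustomobject]$obj
    }
}

function Get-DropSummary {
    # Count DROP records per (source, destination port); optionally restrict to one source
    param([string[]]$Lines, [string]$SourceIp = '')
    Read-FirewallLog -Lines $Lines |
        Where-Object { $_.action -eq 'DROP' -and ($SourceIp -eq '' -or $_.'src-ip' -eq $SourceIp) } |
        Group-Object 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{ n = 'Source';  e = { $_.Group[0].'src-ip' } },
            @{ n = 'DstPort'; e = { $_.Group[0].'dst-port' } },
            @{ n = 'First';   e = { $_.Group[0].date + ' ' + $_.Group[0].time } },
            @{ n = 'Last';    e = { $_.Group[-1].date + ' ' + $_.Group[-1].time } }
}

# On the sample: two DROP records from 5.188.206.246 to port 25.
Get-DropSummary -Lines ($sample -split "`r?`n") -SourceIp '5.188.206.246' | Format-Table -AutoSize

# Against the live log (copy the file first if the firewall service holds it open):
# Get-DropSummary -Lines (Get-Content "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
```

If the summary shows no DROP records for the address while the mail server keeps logging its connections, the packets are being accepted rather than dropped, which points back at the rule's scope or profile rather than at the mail server.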

Jackson1990-7147 answered Jackson1990-7147 published

Hi,
For the firewall log, is it enough to enable it as below?
[attachment: 1h.png]
Why is the file below 0 bytes in size?

%systemroot%\system32\LogFiles\Firewall\pfirewall.log
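Added example (editor's, not part of the post above): enabling dropped-packet logging for all three firewall profiles from PowerShell rather than the GUI, then verifying the settings and the log file itself. The log path is the one quoted in the post; the checks on file size and folder permissions reflect commonly seen reasons for an empty log, not anything the thread states.

```powershell
# Added example (editor's, not from the thread): enable logging of dropped packets on
# every profile and verify that the log file is being written.
$LogPath = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'   # path quoted in the post

# LogBlocked is the setting that actually produces DROP lines; setting only the file name
# or size leaves the file empty.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -LogBlocked True -LogAllowed False `
    -LogFileName $LogPath -LogMaxSizeKilobytes 32767

# Confirm the settings took effect on each profile
Get-NetFirewallProfile |
    Select-Object Name, Enabled, LogBlocked, LogAllowed, LogFileName, LogMaxSizeKilobytes |
    Format-Table -AutoSize

# A zero-byte file right after enabling is expected until the first packet is dropped
# and logged; check size and last write time after some traffic has arrived.
$resolved = [Environment]::ExpandEnvironmentVariables($LogPath)
if (Test-Path $resolved) {
    Get-Item $resolved | Select-Object FullName, Length, LastWriteTime
} else {
    "Log file not created yet: $resolved"
}

# The Windows Firewall service (MpsSvc) must be able to write to the log folder;
# a missing entry here is a common cause of a log that stays empty.
(Get-Acl (Split-Path $resolved -Parent)).Access |
    Where-Object { $_.IdentityReference -like '*MpsSvc*' } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Run in an elevated PowerShell. Once LogBlocked is on, a blocked connection from the remote address should appear as a DROP line with its source IP and destination port within seconds of the next attempt.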


Jackson1990-7147 answered Jackson1990-7147 published

Hi,
My previous comment was not saved properly. Can you help with the following?
[attachment: 1i.png]
