hMailServer Forensics

Published By Anurag Sharma
Approved By Anuraag Singh
Published On April 4th, 2015
Reading Time 5 Minutes
Category Forensics

hMailServer is a Windows email server, and its most appreciable feature is that you do not need an Internet Service Provider (ISP) to manage it. It is available free of charge, including for commercial use, and is a common choice for medium-sized organizations. It supports the POP3, IMAP, and SMTP protocols for email delivery.

Database for hMailServer

hMailServer v5 uses MSSQL CE (Microsoft SQL Server Compact Edition), which has the advantage of a small memory footprint and no requirement to install any external application on the machine. Since the database engine runs inside hMailServer, there is no reliance on an external DB engine. The compact edition of the database engine has a size limit of 4GB.

If there are thousands of messages and hundreds of mail accounts, it is recommended to integrate an external database engine such as SQL Server or MySQL. This is because the MSSQL CE edition is slower and can easily become corrupted due to hardware-related issues or a system crash.

How hMailServer Saves Mail Data

When an email is received, its details are saved in the SMTP envelope, and the receive time and message flags are stored in the database (.sdf). The email itself is saved as an EML file under the C:\Program Files (x86)\hMailServer\Data\hMailServer.local\User Account\ file folder.

Note: Earlier versions of hMailServer save emails as .hma files instead of .eml.

hMailServer Used for Spam?

It is a known fact that spammers generally use other people's servers to send spam. This is not possible with a default hMailServer installation, but improper configuration, such as weak passwords assigned to mail accounts, can lead to the server being misused.

How to check if hMailServer is being used for spamming?

Check the mail delivery queue. If you notice that a lot of messages are being sent from an external sender to an external server, then someone is possibly abusing your server. The delivery queue can be checked through hMailServer Administrator, the console for managing the messaging system: click "Status" and check the "Delivery Queue" option. Detailed information about sender, receiver, delivery failure/success, etc. is available here and helps determine whether the hMailServer is being used for spam.

Test Email Attack through Attachments

Email attachments are known to cause disasters. To prevent pharming attacks on the network, hMailServer offers an option to block certain types of attachments, including .exe, .com, .cmd, .reg, .pif, .lnk and many more. It should be checked whether attachment blocking is enabled or not. If blocking is enabled, it can be assumed that no harm has been attempted through email attachments; otherwise, the investigation may find a clue here to get started and proceed further.
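The two checks above, the delivery-queue relay check and the attachment-type check, can also be run directly over the .eml files hMailServer keeps in its Data folder. The following is an added example written for this page, not code from hMailServer or from the author. It assumes one hosted domain (example.local), uses the six extensions the page names as the blocklist (the real list is longer), and triages two constructed sample messages; a message whose sender and all recipients are outside the hosted domains is flagged as an external-to-external relay.

```python
import os
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Domains hosted by this hMailServer installation (assumption for the example).
LOCAL_DOMAINS = {"example.local"}

# Extensions the page names as blockable; hMailServer's own list is longer.
BLOCKED_EXTENSIONS = {".exe", ".com", ".cmd", ".reg", ".pif", ".lnk"}

# Constructed sample messages standing in for .eml files in the Data folder.
SAMPLE_RELAY_EML = """\
From: "Shipping" <notice@attacker-example.net>
To: victim@other-example.org, second@other-example.org
Subject: Invoice
Message-ID: <c1@attacker-example.net>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

See attached.
--B1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--B1--
"""

SAMPLE_LOCAL_EML = """\
From: alice@example.local
To: bob@other-example.org
Subject: Report
Message-ID: <c2@example.local>
MIME-Version: 1.0
Content-Type: text/plain

Quarterly numbers follow next week.
"""


def address_domains(msg, *headers):
    """Return the lower-cased domain part of every address in the given headers."""
    values = [str(v) for h in headers for v in msg.get_all(h, [])]
    return [addr.rpartition("@")[2].lower()
            for _, addr in getaddresses(values) if "@" in addr]


def triage_eml(raw, local_domains=LOCAL_DOMAINS):
    """Flag external-to-external relay and blocked attachment types in one message."""
    msg = message_from_string(raw, policy=default)
    senders = address_domains(msg, "From")
    recipients = address_domains(msg, "To", "Cc")
    # Neither the sender nor any recipient belongs to a hosted domain, so the
    # server relayed this message for outsiders: the pattern the page describes.
    external_relay = bool(senders) and bool(recipients) and not (
        (set(senders) | set(recipients)) & local_domains)
    blocked = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            blocked.append(name)
    return {
        "message_id": str(msg.get("Message-ID", "")),
        "external_relay": external_relay,
        "blocked_attachments": blocked,
    }


def triage_folder(root, local_domains=LOCAL_DOMAINS):
    """Walk an hMailServer Data folder and triage every .eml file found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".eml"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    result = triage_eml(fh.read(), local_domains)
                result["path"] = path
                findings.append(result)
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_RELAY_EML, SAMPLE_LOCAL_EML):
        print(triage_eml(sample))
```

Point triage_folder at the Data directory of a copied (not live) installation to get one finding per message; the two flags map directly onto the delivery-queue and attachment-blocking questions above.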

Mail Filtering against Spam

By default, hMailServer performs spam tests through the following options:

SPF (Sender Policy Framework): This helps check the sender's address against forgery. If the SPF result is Pass, it indicates that the sender's address of the message has not been altered.

Check HOST in HELO Command: When an external server delivers mail to hMailServer, the host name it presents in the SMTP HELO command is checked: hMailServer looks up that host name in DNS for confirmation. This can sometimes produce false positives due to incorrect DNS configuration of legitimate domains.

Check that Sender has DNS-MX Records: The MX record in DNS defines the mail server that accepts mail on behalf of the recipient's domain and how email delivery should be prioritized when there are multiple mail servers. This defines the criteria for how mail is routed with SMTP.

Verify DKIM Signature Header: DKIM is a domain authentication technique embedded in the message header that is used in spam analysis. This header field does not filter mail by itself but helps the filters restrict spam.
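To make the first three tests concrete, here is an added example (written for this page, not hMailServer's own code) that evaluates an SPF record for a connecting IP, checks that a HELO host name resolves, and checks that a sender domain has MX records. It runs offline against a constructed DNS table (the DNS dictionary is an assumption standing in for real resolver queries; example.com, bulk.example.net and partner.example.org are constructed). The evaluator supports the ip4, ip6, a, mx, include and all mechanisms with the four qualifiers; macros, redirect and prefix lengths on a/mx are not handled.

```python
import ipaddress

# Constructed stand-in for DNS so the example runs offline (assumption: a real
# deployment queries its resolver instead).
DNS = {
    "TXT": {
        "example.com": ["v=spf1 ip4:192.0.2.0/24 mx -all"],
        "bulk.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
        "partner.example.org": ["v=spf1 include:bulk.example.net -all"],
    },
    "MX": {"example.com": ["mail.example.com"]},
    "A": {"mail.example.com": ["203.0.113.5"],
          "smtp.sender.example": ["198.51.100.20"]},
}

# SPF qualifier prefix -> result when the mechanism matches (RFC 7208 section 4.6.2).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(dns, rtype, name):
    return dns.get(rtype, {}).get(name.lower(), [])


def check_spf(client_ip, domain, dns=DNS, depth=0):
    """Evaluate the domain's SPF record for client_ip.

    Supports ip4, ip6, a, mx, include and all; returns one of
    pass/fail/softfail/neutral/none/permerror like a real SPF checker.
    """
    if depth > 10:  # include loops or excessive nesting
        return "permerror"
    records = [t for t in lookup(dns, "TXT", domain)
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # ip_network membership is False for a mismatched IP version
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = str(ip) in lookup(dns, "A", arg or domain)
        elif mech == "mx":
            matched = any(str(ip) in lookup(dns, "A", host)
                          for host in lookup(dns, "MX", arg or domain))
        elif mech == "include":
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:  # exists, ptr, macros, redirect modifier: not implemented here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no explicit "all"


def helo_host_resolves(helo_name, dns=DNS):
    """The HELO host check: does the presented host name have an A record?"""
    return bool(lookup(dns, "A", helo_name))


def sender_has_mx(domain, dns=DNS):
    """The DNS-MX check: does the sender domain publish any MX record?"""
    return bool(lookup(dns, "MX", domain))


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("198.51.100.10", "example.com"),
                    ("198.51.100.10", "partner.example.org")]:
        print(ip, dom, check_spf(ip, dom))
```

The false-positive caveat from the HELO test shows up directly: a legitimate sender whose HELO name lacks an A record in the table is rejected by helo_host_resolves even though its mail is genuine, so such failures should be weighed against the other tests rather than used alone.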

Security Options

hMailServer comprises a component called Mail Exchanger (MX), which is used by the mail server when it sends a message to an external domain and vice versa. Say an email has to be sent to abc@domain.com. When the message is sent from the client, it is first submitted to the hMailServer database. The server then contacts the DNS server to get the IP address of the server responsible for the domain of abc@domain.com. When the DNS responds to the IP request, hMailServer sends the message.

Unique Identifier for Message

Every message in hMailServer is assigned a unique identifier. For example:

  1. The first message that arrives at the hMailServer installation gets ID 1.
  2. When the message is copied to the inbox of the recipient, it gets ID 2.
  3. If the message is moved to a user-defined or other IMAP folder, it gets ID 3.

IMAP clients use this message ID while communicating, and the protocol ascertains that the value does not exceed 4 billion. So if 2 billion messages are received, this defined limit is reached, and, as with IMAP, a copy of the message will be saved into a new folder. To verify the highest ID assigned to the messages, the following SQL statement can be run: select max(messageid) from hm_messages

Examining Messages through Email Analysis Tools

When it comes to collecting the database to carve out artifacts from it, a lot depends entirely on how the administrator has managed the server settings. There are aiding tools such as MailXaminer that can help with the analysis of bulk messages stored in the hMailServer data folder. From collection to analysis to preservation and reporting of artifacts, email examination tools go a long way toward finding forgery done with the messages stored on the server.


By Anurag Sharma

Tech enthusiast & cyber expert for the past 5 years. Love to solve complicated scenarios to counter cyber crimes with in-depth technical knowledge.