Drop SMTP connection at HELO/EHLO matching machine name

danielvasc, Active Member (joined Mar 5, 2014), cPanel Access Level: DataCenter Provider
Helo guys!

Recently there have been many rogue incoming SMTP connections from different IP addresses with the same machine name, "ylmf-pc". My guess is that these different machines were infected with malware and this malware is utilizing the machine to perform brute-force password attacks to gain authorization.

My server is hosting cPanel and thus using Exim as the SMTP server. The solution I decided on was to drop the SMTP connection at HELO so that no further processing is performed.

I'm trying to add a rule to block HELO from the machine named "Ylmf-pc", but Exim gives an error.

I need to use the following rule:

Code:
acl_smtp_helo = acl_smtp_helo
acl_smtp_helo:

#BEGIN ACL_SMTP_HELO_BLOCK
drop
   condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
   log_message = HELO/EHLO - ylmf-pc blocked
   message = I Nailed You at HELO
accept
#END ACL_SMTP_HELO_BLOCK
When I try to apply, I get the following error:

[email protected] [/etc]# /etc/init.d/exim restart
Shutting down clamd: [ OK ]
Shutting down exim: [ OK ]
Shutting down spamd: [ OK ]
Starting clamd: [ OK ]
Starting exim: 2014-11-26 09:47:42 Exim configuration error in line 534 of /etc/exim.conf:
error in ACL: unknown ACL verb "acl_smtp_helo" in "acl_smtp_helo = acl_smtp_helo"
[FAILED]
0 processes (antirelayd) sent signal 9
/usr/local/cpanel/scripts/update_sa_rules: running in background
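The error above comes from placing `acl_smtp_helo = acl_smtp_helo` inside the ACL section: the `acl_smtp_*` options are main-section options that name an ACL, and everything after `begin acl` must be an ACL definition made of verbs such as `drop` and `accept`. The fragment below is an added example (not the poster's configuration) showing the two parts in their proper sections; the ACL name `acl_check_helo` is an arbitrary choice, and the comparison uses Exim's `eqi` so that "ylmf-pc" and "Ylmf-pc" are both caught, since the poster reports seeing both spellings.

```exim
# --- Main configuration section (anywhere before "begin acl") ---
# Tell Exim which ACL to run when a client sends HELO or EHLO.
acl_smtp_helo = acl_check_helo

# --- ACL section ---
begin acl

acl_check_helo:
  # Drop the connection when the HELO/EHLO argument matches the fixed
  # name used by the infected hosts. "eqi" compares case-insensitively,
  # so "ylmf-pc" and "Ylmf-pc" are both matched.
  drop
    condition   = ${if eqi{$sender_helo_name}{ylmf-pc}}
    log_message = HELO/EHLO ylmf-pc rejected from $sender_host_address
    message     = 550 HELO/EHLO name not accepted

  # Everything else proceeds to the normal MAIL/RCPT/DATA checks.
  accept
```

Check the syntax with `exim -bV` before restarting, so a mistake is reported without taking the MTA down. On a cPanel server, `/etc/exim.conf` is regenerated from templates, so a hand edit to that file can be lost on the next rebuild; custom ACL entries are better placed through WHM's Exim Configuration Manager. Compared with the firewall workaround posted later in the thread, an ACL rejection looks only at the HELO argument, so legitimate mail whose body happens to contain the string is unaffected, the client receives a proper 5xx response instead of a hung connection, and each rejection is recorded in the Exim main log with the connecting IP, which makes the activity easy to count and correlate.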

danielvasc, Active Member (joined Mar 5, 2014), cPanel Access Level: DataCenter Provider
The solution I found was blocking through the firewall.

Code:
iptables -A INPUT -p tcp --dport 25 -m string --string 'ylmf-pc' --algo bm -j DROP
Yours,
Daniel Vasconcelos
--
IT Analyst

garconcn, Well-Known Member (joined Oct 29, 2009)
danielvasc said:
> The solution I found was blocking through the firewall.
>
> Code:
> iptables -A INPUT -p tcp --dport 25 -m string --string 'ylmf-pc' --algo bm -j DROP
>
> Yours,
> Daniel Vasconcelos
> --
> IT Analyst

Thanks for sharing. How do I use this if the server uses CSF? I can't find where to add a custom iptables rule in CSF.