
Drop SMTP connection at HELO/EHLO matching machine name

Discussion in 'E-mail Discussion' started by danielvasc, Nov 26, 2014.

  1. danielvasc

    danielvasc Active Member

    Joined:
    Mar 5, 2014
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Helo guys!

    Recently there have been many rogue incoming SMTP connections from different IP addresses with the same machine name, “ylmf-pc”. My guess is that these different machines were infected with malware and this malware is utilizing the machine to perform a brute-force password attack to gain authorization.

    My server is hosting cPanel and thus uses Exim as the SMTP server. The solution I decided on was to drop the SMTP connection at HELO so that no further processing is performed.

    I'm trying to add a rule to block HELO from the machine named "Ylmf-pc", but Exim gives an error.

    I need to use the following rule:

    Code:
    acl_smtp_helo = acl_smtp_helo
    acl_smtp_helo:
    
    #BEGIN ACL_SMTP_HELO_BLOCK
    drop
       condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
       log_message = HELO/EHLO - ylmf-pc blocked
       message = I Nailed You at HELO
    accept
    #END ACL_SMTP_HELO_BLOCK
    When I try to apply it, I get the following error:

    root@cpanel [/etc]# /etc/init.d/exim restart
    Shutting down clamd: [ OK ]
    Shutting down exim: [ OK ]
    Shutting down spamd: [ OK ]
    Starting clamd: [ OK ]
    Starting exim: 2014-11-26 09:47:42 Exim configuration error in line 534 of /etc/exim.conf:
    error in ACL: unknown ACL verb "acl_smtp_helo" in "acl_smtp_helo = acl_smtp_helo"
    [FAILED]
    0 processes (antirelayd) sent signal 9
    /usr/local/cpanel/scripts/update_sa_rules: running in background
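The error quoted above comes from the placement, not from the rule itself: `acl_smtp_helo = ...` is a main-section option that names which ACL to run at HELO/EHLO time, and it was written inside the ACL section, where Exim expects each statement to start with a verb (`accept`, `deny`, `drop`, `warn`, ...). The fragment below is an added example, not the poster's configuration, and it assumes a standard Exim layout (main options first, ACLs after `begin acl`). The ACL name `acl_check_helo` is a placeholder chosen here; cPanel regenerates `/etc/exim.conf`, so on that platform the two pieces would need to go into the corresponding sections of WHM's Exim Configuration Manager rather than being edited into the file by hand.

```exim
# Added example, not the original poster's config.
# Two pieces in two different sections of exim.conf are required.

# ---- 1. main configuration section (anywhere before the first "begin" line) ----
# Tell Exim which ACL to run when the client sends HELO or EHLO.
acl_smtp_helo = acl_check_helo

# ---- 2. ACL section ----
begin acl

acl_check_helo:
  # Close the connection as soon as the HELO/EHLO argument is the name seen
  # in the logs. "eqi" is a case-insensitive comparison, so both "ylmf-pc"
  # and "Ylmf-pc" match. "drop" (unlike "deny") ends the TCP session after
  # the error is sent, so no MAIL, AUTH or RCPT commands are processed.
  drop
    condition   = ${if eqi{$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO name "$sender_helo_name" blocked from $sender_host_address
    message     = HELO/EHLO name not accepted

  # Every other client proceeds to the normal MAIL/RCPT/DATA checks.
  accept
```

After installing the fragment, `exim -bV` parses the configuration and reports any syntax error without restarting the daemon, and `exim -bh 192.0.2.10` opens a simulated SMTP session from that (documentation-range) address in which typing `EHLO ylmf-pc` shows the ACL decision and the log line it would produce. Because the check is done by Exim on the HELO argument, it is independent of whatever manages the host firewall (CSF or plain iptables) and only ever matches the HELO/EHLO name, not arbitrary bytes in a message body.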
     
  2. hddntha

    hddntha Registered

    Joined:
    Jun 9, 2014
    Messages:
    3
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Root Administrator
    Hello; I have the same problem with exim.conf, about this regex. Waiting for someone's response.
     
  3. danielvasc

    danielvasc Active Member

    Joined:
    Mar 5, 2014
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    The solution I found was blocking through the firewall.

    Code:
    iptables -A INPUT -p tcp --dport 25 -m string --string 'ylmf-pc' --algo bm -j DROP
    Yours,
    Daniel Vasconcelos
    --
    IT Analyst
     
  4. garconcn

    garconcn Well-Known Member

    Joined:
    Oct 29, 2009
    Messages:
    133
    Likes Received:
    6
    Trophy Points:
    68
    Thanks for sharing. How do I use this if the server uses CSF? I haven't found where to add a custom iptables rule in CSF.
     
  5. danielvasc

    danielvasc Active Member

    Joined:
    Mar 5, 2014
    Messages:
    29
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    DataCenter Provider
    Do not know, sorry.
     
  6. brianoz

    brianoz Well-Known Member

    Joined:
    Mar 13, 2004
    Messages:
    1,146
    Likes Received:
    6
    Trophy Points:
    168
    Location:
    Melbourne, Australia
    cPanel Access Level:
    Root Administrator
    Look for the description of csfpost.sh in CSF's readme.txt.
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    45,214
    Likes Received:
    1,936
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Hello :)

    I am happy to see you were able to find a solution. Thank you for updating us with the outcome.
     