Helo guys!
Recently there have been many rogue incoming SMTP connections from different IP addresses with the same machine name, "ylmf-pc". My guess is that these different machines were infected with malware and this malware is utilizing the machine to perform brute-force password attacks to gain authorization.
My server is hosting cPanel and thus using Exim as the SMTP server. The solution I decided on was to drop the SMTP connection at HELO so that no further processing is performed.
I'm trying to add a rule to block HELO from the machine named "Ylmf-pc", but Exim gives an error.
I need to use the following rule:
Code:
```
acl_smtp_helo = acl_smtp_helo
acl_smtp_helo:
#BEGIN ACL_SMTP_HELO_BLOCK
  drop
    condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message = I Nailed You at HELO
  accept
#END ACL_SMTP_HELO_BLOCK
```
When I try to apply, I get the following error:
```
[email protected] [/etc]# /etc/init.d/exim restart
Shutting down clamd: [ OK ]
Shutting down exim: [ OK ]
Shutting down spamd: [ OK ]
Starting clamd: [ OK ]
Starting exim: 2014-11-26 09:47:42 Exim configuration error in line 534 of /etc/exim.conf:
error in ACL: unknown ACL verb "acl_smtp_helo" in "acl_smtp_helo = acl_smtp_helo"
[FAILED]
0 processes (antirelayd) sent signal 9
/usr/local/cpanel/scripts/update_sa_rules: running in background
```
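For reference, here is how the same HELO block looks as a correctly structured Exim configuration. This is an added example, not the poster's configuration or cPanel's own: `acl_smtp_helo` is a main-section option that selects which ACL runs at HELO/EHLO, so it must appear before `begin acl`, while the ACL body itself goes after `begin acl`; putting the option line inside the ACL section is exactly what Exim reports as an "unknown ACL verb". The ACL name `acl_check_helo` is an arbitrary choice, and the example goes slightly beyond the original rule by using `eqi` so the match is case-insensitive and catches "Ylmf-pc" as well as "ylmf-pc".

```exim
# --- Main configuration section: must come before any "begin ..." line ---
# acl_smtp_helo is a main option, not an ACL verb. It names the ACL that
# Exim runs when a client sends HELO/EHLO. The ACL name is arbitrary;
# acl_check_helo is used here as an example.
acl_smtp_helo = acl_check_helo

# --- ACL section: every ACL definition lives below this line ---
begin acl

acl_check_helo:
  # Drop the connection outright when the HELO/EHLO name is ylmf-pc.
  # eqi compares case-insensitively, so "Ylmf-pc" and "YLMF-PC" also match.
  # log_message goes to the Exim main log; message is sent to the client.
  drop
    condition   = ${if eqi{$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message     = HELO/EHLO name not accepted

  # Anything else proceeds to the normal MAIL/RCPT/DATA checks.
  accept
```

On cPanel the generated /etc/exim.conf is overwritten on updates, so the main-option and ACL parts are best placed through the WHM Exim Configuration Manager (Advanced Editor) rather than edited in the file directly; after applying, `exim -bV` checks that the configuration parses, and the rejections show up in the main log with the text given in `log_message`.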