Drop SMTP connection at HELO/EHLO matching machine name

danielvasc · Nov 26, 2014

Helo guys!

Recently there has been many rogue incoming SMTP connections from different IP addresses with the same machine name – “ylmf-pc“. My guess is that these different machines were infected with malware and this malware is utilizing the machine to perform brute force password attack to gain authorization.

My server is hosting cPanel and thus using EXIM as the SMTP server. The solution I decided was to drop the SMTP connection at HELO so that no further processing is performed.

I'm trying to add a rule to block HELO the machine named "Ylmf-pc", but exim has an error.

I need to use the following rule:

Code:

acl_smtp_helo = acl_smtp_helo
acl_smtp_helo:

#BEGIN ACL_SMTP_HELO_BLOCK
drop
   condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
   log_message = HELO/EHLO - ylmf-pc blocked
   message = I Nailed You at HELO
accept
#END ACL_SMTP_HELO_BLOCK

When I try to apply, I get the following error:

[email protected] [/etc]# /etc/init.d/exim restart
Shutting down clamd: [ OK ]
Shutting down exim: [ OK ]
Shutting down spamd: [ OK ]
Starting clamd: [ OK ]
Starting exim: 2014-11-26 09:47:42 Exim configuration error in line 534 of /etc/exim.conf:
error in ACL: unknown ACL verb "acl_smtp_helo" in "acl_smtp_helo = acl_smtp_helo"
[FAILED]
0 processes (antirelayd) sent signal 9
/usr/local/cpanel/scripts/update_sa_rules: running in background

hddntha · Nov 27, 2014

Hello; i have same problem with exim.conf. about this regex. Waiting for someone's response.

danielvasc · Nov 27, 2014

The solution I found was blocking through the firewall.

Code:

iptables -A INPUT -p tcp --dport 25 -m string --string 'ylmf-pc' --algo bm -j DROP

Yours,
Daniel Vasconcelos
--
IT Analyst

garconcn · Nov 27, 2014

danielvasc said:
The solution I found was blocking through the firewall.

Code:

iptables -A INPUT -p tcp --dport 25 -m string --string 'ylmf-pc' --algo bm -j DROP

Yours,
Daniel Vasconcelos
--
IT Analyst

Thanks for sharing. How to use this if the server use CSF? Not found where to add custom iptable rule in CSF.

danielvasc · Nov 27, 2014

Do not know, sorry.

brianoz · Nov 29, 2014

Look for the description of csfpost.sh in CSF's readme.txt.

cPanelMichael · Dec 1, 2014

danielvasc said:
The solution I found was blocking through the firewall.

Hello

I am happy to see you were able to find a solution. Thank you for updating us with the outcome.

Thread starter	Similar threads	Forum	Replies	Date
E	TLD dropped from outbound mail	Email	3	Aug 24, 2018
	ERROR: Connection dropped by IMAP server	Email	2	May 4, 2018
S	exim drop external smtp request from ONE specific email address	Email	3	May 9, 2016
J	Can you drop an SMTP connection for spam?	Email	1	Aug 7, 2008
S	exim rejected RCPT not dropping smtp connection afterwards	Email	1	Mar 14, 2006

Search

Search

Drop SMTP connection at HELO/EHLO matching machine name

danielvasc

Active Member

hddntha

Registered

danielvasc

Active Member

garconcn

Well-Known Member

danielvasc

Active Member

brianoz

Well-Known Member

cPanelMichael

Administrator