How to block based on HELO in Exim Advanced Editor

sneader

Well-Known Member
Aug 21, 2003
La Crosse, WI
cPanel Access Level
Root Administrator
We've been seeing spams coming from the HELO of ylmf-pc for a long time, but today we got hit with a huge spam dump with the HELO as yarde.com.

I've decided to try to figure out how to block emails based on HELO, and (for now) stop both ylmf-pc and yarde.com.

I found some information on how to block ONE of them... you do the following:

1) WHM > Exim Configuration Manager > Advanced Editor
2) Scroll down until you find "acl_smtp_helo"
3) Below that, you will find a box titled "custom_begin_smtp_helo". In that box, paste the following code:
Code:
drop
   condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
   log_message = HELO/EHLO - ylmf-pc blocked
   message = ylmf-pc HELO blocked
accept
4) Scroll to bottom of Editor and click SAVE

Now, how do I block BOTH ylmf-pc and also this new yarde.com? Could I add the same code twice? (EDIT: I tested this and it did not work)

Or is there a better way? Thanks in advance for your help!

- Scott
 

sneader

Thanks to some help on the "Exim Users" mailing list, I have the proper solution:

1) Create a file with a list of the HELOs that you want to block. For example, create and edit /etc/heloblocks

2) Go to WHM > Exim Configuration Manager > Advanced Editor.

3) Scroll down until you find "acl_smtp_helo"

4) Below that, you will find a box titled "custom_begin_smtp_helo". In that box, paste the following code:
Code:
drop
   condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
   log_message = HELO/EHLO - HELO on heloblocks Blocklist
   message = HELO on heloblocks Blocklist
accept
Of course, you can customize the log message and the message (that the end user receives).

5) Scroll down and hit SAVE, which will save the config and restart Exim.

If you want to test it out, start up a tail of /var/log/exim_mainlog, and then telnet from your computer like this:

telnet mail.example.com 25
then after receiving the welcome message, type this:
helo ylmf-pc

You should immediately get disconnected and you should see a log message indicating the block.

Hope this helps.

- Scott
 
  • Like
Reactions: mtindor
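As an added example (not from this thread, cPanel or Exim), the script below models what the ACL above does so you can check your /etc/heloblocks entries before saving the config, and then counts the resulting blocks in exim_mainlog. The file contents and log lines are constructed; the log line shape (host name in parentheses, IP in brackets, the log_message after the colon) and the handling of # comment lines are assumptions.

```python
import re
from collections import Counter

# Constructed /etc/heloblocks. lsearch reads the key at the start of each line,
# terminated by a colon, white space or end of line; text after a colon is data
# and is ignored. Matching is case-insensitive. Skipping '#' lines is an assumption.
HELOBLOCKS = """\
# HELO names seen in spam floods
ylmf-pc
yarde.com: added after the spam dump
"""

def lsearch_match(key, text=HELOBLOCKS):
    """Return True if key matches a line of an lsearch-style file."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        file_key = re.split(r"[:\s]", line, maxsplit=1)[0]
        if file_key.lower() == key.lower():
            return True
    return False

def helo_acl(helo_name):
    """Mirror the ACL: drop a listed HELO with the thread's message, else accept."""
    if lsearch_match(helo_name):
        return ("drop", "HELO on heloblocks Blocklist")
    return ("accept", None)

# Constructed exim_mainlog lines (assumed shape for an ACL drop at HELO).
SAMPLE_LOG = """\
2023-05-01 10:00:01 H=(ylmf-pc) [192.0.2.10] rejected HELO or EHLO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist
2023-05-01 10:00:02 1pDk3H-0001x4-AA <= user@example.org H=mail.example.org [198.51.100.7] P=esmtps S=1234
2023-05-01 10:00:03 H=(yarde.com) [192.0.2.11] rejected HELO or EHLO yarde.com: HELO/EHLO - HELO on heloblocks Blocklist
2023-05-01 10:00:04 H=(ylmf-pc) [192.0.2.10] rejected HELO or EHLO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist
"""

LOG_RE = re.compile(r"H=\(([^)]*)\) \[([0-9a-fA-F.:]+)\].*HELO on heloblocks Blocklist")

def count_blocks(log_text=SAMPLE_LOG):
    """Count blocked HELO attempts per (helo_name, ip) to spot repeat offenders."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            hits[(m.group(1), m.group(2))] += 1
    return hits

if __name__ == "__main__":
    for name in ("ylmf-pc", "YARDE.COM", "mail.example.com"):
        print(name, helo_acl(name))
    print(count_blocks())
```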