How to block based on HELO in Exim Advanced Editor

Discussion in 'E-mail Discussion' started by sneader, Mar 26, 2015.

  1. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,155
    Likes Received:
    39
    Trophy Points:
    178
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    We've been seeing spams coming from the HELO of ylmf-pc for a long time, but today we got hit with a huge spam dump with the HELO as yarde.com.

    I've decided to try to figure out how to block emails based on HELO, and (for now) stop both ylmf-pc and yarde.com.

    I found some information on how to block ONE of them... you do the following:

    1) WHM > Exim Configuration Manager > Advanced Editor
    2) Scroll down until you find "acl_smtp_helo"
    3) Below that, you will find a box titled "custom_begin_smtp_helo". In that box, paste the following code:
    Code:
    drop
       condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
       log_message = HELO/EHLO - ylmf-pc blocked
       message = ylmf-pc HELO blocked
    accept
    4) Scroll to bottom of Editor and click SAVE

    Now, how do I block BOTH ylmf-pc and also this new yarde.com? Could I add the same code twice? (EDIT: I tested this and it did not work)

    Or is there a better way? Thanks in advance for your help!

    - Scott
     
    #1 sneader, Mar 26, 2015
    Last edited: Mar 26, 2015
  2. sneader

    Thanks to some help on the "Exim Users" mailing list, I have the proper solution:

    1) Create a file with a list of the HELOs that you want to block. For example, create and edit /etc/heloblocks

    2) Go to WHM > Exim Configuration Manager > Advanced Editor.

    3) Scroll down until you find "acl_smtp_helo"

    4) Below that, you will find a box titled "custom_begin_smtp_helo". In that box, paste the following code:
    Code:
    drop
       condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
       log_message = HELO/EHLO - HELO on heloblocks Blocklist
       message = HELO on heloblocks Blocklist
    accept
    Of course, you can customize the log message and the message (that the end user receives).

    5) Scroll down and hit SAVE which will save the config and restart Exim.

    If you want to test it out, start up a tail of /var/log/exim_mainlog, and then telnet from your computer like this:

    telnet mail.example.com 25
    then after receiving the welcome message, type this:
    helo ylmf-pc

    You should immediately get disconnected and you should see a log message indicating the block.

    Hope this helps.

    - Scott
     
  3. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    98
    Likes Received:
    3
    Trophy Points:
    58
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    How do you list the HELOs in heloblocks, by next line?
     
  4. sneader

    Create /etc/heloblocks

    In that file, just list the HELOs, one per line, like:

    ylmf-pc
    yarde.com
    example.com
    foo

    - Scott
     
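The one-per-line file format described in the posts above can be checked offline with a small model of the lookup. This is an added example, not code from the thread or from Exim; it assumes Exim's documented lsearch behaviour (keys are literal strings, compared case-insensitively, ending at a colon or white space; lines starting with # or white space are not keys) and does not model quoted keys. The sample file contents are constructed.

```python
import re

# Constructed sample in the style of /etc/heloblocks, with common mistakes included.
SAMPLE = """\
# names seen in spam runs
ylmf-pc
Yarde.com
  indented.example
*.wild.example
foo: text after a colon is data, not part of the key
"""

def parse_keys(text):
    """Return (keys, warnings) for an lsearch-style file (quoted keys not modelled)."""
    keys, warnings = set(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue  # blank and comment lines are ignored
        if line[0] in " \t":
            # Leading white space continues the previous entry's data.
            warnings.append((lineno, "indented line is never used as a key"))
            continue
        key = re.split(r"[:\s]", line, maxsplit=1)[0]  # key ends at colon or space
        if not key:
            continue
        if "*" in key:
            warnings.append((lineno, "keys are literal strings, '*' is no wildcard"))
        keys.add(key.lower())  # lsearch compares keys case-insensitively
    return keys, warnings

def would_drop(helo, text):
    """True if the ACL's lookup would find this HELO name (exact, caseless match)."""
    return helo.lower() in parse_keys(text)[0]

if __name__ == "__main__":
    for lineno, problem in parse_keys(SAMPLE)[1]:
        print(f"line {lineno}: {problem}")
    for helo in ("YLMF-PC", "yarde.com", "indented.example", "mail.wild.example"):
        print(f"{helo:20} -> {'drop' if would_drop(helo, SAMPLE) else 'not listed'}")
```

Running it against the real file before saving the Exim configuration shows which entries will never match, such as an accidentally indented line or a name written with a wildcard.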
  5. k2tec

    Thanks Scott,
    works perfectly.
     