How to block based on HELO in Exim Advanced Editor

Discussion in 'E-mail Discussions' started by sneader, Mar 26, 2015.

  1. sneader

    sneader Well-Known Member

    Joined:
    Aug 21, 2003
    Messages:
    1,126
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    La Crosse, WI
    cPanel Access Level:
    Root Administrator
    We've been seeing spams coming from the HELO of ylmf-pc for a long time, but today we got hit with a huge spam dump with the HELO as yarde.com.

    I've decided to try to figure out how to block emails based on HELO, and (for now) stop both ylmf-pc and yarde.com.

    I found some information on how to block ONE of them... you do the following:

    1) WHM > Exim Configuration Manager > Advanced Editor
    2) Scroll down until you find "acl_smtp_helo"
    3) Below that, you will find a box titled "custom_begin_smtp_helo". In that box, paste the following code:
    Code:
    drop
       condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
       log_message = HELO/EHLO - ylmf-pc blocked
       message = ylmf-pc HELO blocked
    accept
    4) Scroll to bottom of Editor and click SAVE

    Now, how do I block BOTH ylmf-pc and also this new yarde.com? Could I add the same code twice? (EDIT: I tested this and it did not work)

    Or is there a better way? Thanks in advance for your help!

    - Scott
     
    #1 sneader, Mar 26, 2015
    Last edited: Mar 26, 2015
    rbanke likes this.
  2. sneader

    Thanks to some help on the "Exim Users" mailing list, I have the proper solution:

    1) Create a file with a list of the HELOs that you want to block. For example, create and edit /etc/heloblocks

    2) Go to WHM > Exim Configuration Manager > Advanced Editor.

    3) Scroll down until you find "acl_smtp_helo"

    4) Below that, you will find a box titled "custom_begin_smtp_helo". In that box, paste the following code:
    Code:
    drop
       condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
       log_message = HELO/EHLO - HELO on heloblocks Blocklist
       message = HELO on heloblocks Blocklist
    accept
    Of course, you can customize the log message and the message (that the end user receives).

    5) Scroll down and hit SAVE, which will save the config and restart Exim.

    If you want to test it out, start up a tail of /var/log/exim_mainlog, and then telnet from your computer like this:

    telnet mail.example.com 25
    then after receiving the welcome message, type this:
    helo ylmf-pc

    You should immediately get disconnected and you should see a log message indicating the block.

    Hope this helps.

    - Scott
     
    mtindor likes this.
  3. k2tec

    k2tec Well-Known Member

    Joined:
    Aug 26, 2011
    Messages:
    81
    Likes Received:
    1
    Trophy Points:
    8
    Location:
    Netherlands
    cPanel Access Level:
    Root Administrator
    How do you list the HELOs in heloblocks, by next line?
     
  4. sneader

    Create /etc/heloblocks

    In that file, just list the HELOs, one per line, like:

    ylmf-pc
    yarde.com
    example.com
    foo

    - Scott
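
Added example, not part of the thread: a shell function that approximates how Exim's lsearch reads keys out of a file like the /etc/heloblocks described in posts #2 and #4, so a HELO name can be checked against the list before testing over SMTP. The function names and the sample list are made up for illustration, and double-quoted keys are not modelled.

```shell
#!/bin/sh
# Added example (not from the thread): emulate how Exim's lsearch picks keys
# out of a HELO blocklist, so a name can be checked before testing over SMTP.
# Modelled rules: empty lines and lines starting with '#' are ignored; a line
# starting with white space continues the previous entry and is never a key;
# the key ends at the first white space or colon; matching is exact and
# case-insensitive (no wildcards). Double-quoted keys are not modelled.

# helo_blocked FILE NAME -> exit status 0 if NAME is a key in FILE, else 1
helo_blocked() {
    WANT="$2" awk '
        BEGIN { want = tolower(ENVIRON["WANT"]); found = 0 }
        /^[ \t]*$/ { next }                 # empty line
        /^#/       { next }                 # comment line
        /^[ \t]/   { next }                 # continuation line
        {
            key = $0
            sub(/[ \t:].*$/, "", key)       # cut at first white space or colon
            if (tolower(key) == want) { found = 1; exit }
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# check_names FILE NAME... -> prints one "blocked"/"allowed" verdict per name
check_names() {
    file=$1; shift
    for name in "$@"; do
        if helo_blocked "$file" "$name"; then
            printf '%s\tblocked\n' "$name"
        else
            printf '%s\tallowed\n' "$name"
        fi
    done
}

# Constructed sample list; on a server the file would be /etc/heloblocks.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# known spam HELOs
ylmf-pc
yarde.com: constructed note

  foo
EOF
check_names "$SAMPLE" ylmf-pc YLMF-PC yarde.com mail.yarde.com ymlf-pc foo
rm -f "$SAMPLE"
```

The indented `foo` line and the subdomain `mail.yarde.com` both come back as allowed: an entry pasted with leading white space is read as a continuation line, and lsearch matches whole keys only.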
     
  5. k2tec

    Thanks Scott,
    works perfectly.
     