Drop SMTP connection at HELO/EHLO matching machine name

Email Admin

Recently there have been many rogue incoming SMTP connections from different IP addresses, all presenting the same machine name, “ylmf-pc”. My guess is that these different machines were infected with malware and the malware is using them to run a brute-force password attack against SMTP authentication.

My server is running cPanel and therefore uses EXIM as the SMTP server. The solution I decided on was to drop the SMTP connection at HELO/EHLO so that no further processing is performed for these clients.

The following was added to the EXIM ACL configuration file.

# vi /etc/exim.conf

# main configuration section: run the ACL named below after HELO/EHLO
acl_smtp_helo = acl_smtp_helo

# ACL section (after "begin acl")
acl_smtp_helo:

#BEGIN ACL_SMTP_HELO_BLOCK
drop
   condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
   log_message = HELO/EHLO - ylmf-pc blocked
   message = I Nailed You at HELO
accept
#END ACL_SMTP_HELO_BLOCK

Restart the EXIM service after adding the above into the EXIM configuration file.

# service exim restart

Whenever a client connects and sends HELO or EHLO with the string ylmf-pc, the connection will be dropped. The log entries (/var/log/exim_mainlog) will look like below:

2014-05-23 12:23:24 [31068] SMTP connection from (ylmf-pc) [96.57.55.178]:52362 I=[xxx.xxx.xxx.xxx]:25 closed by DROP in ACL
2014-05-23 12:23:28 [31075] H=(ylmf-pc) [96.57.55.178]:26634 I=[xxx.xxx.xxx.xxx]:25 rejected EHLO or HELO ylmf-pc: I Nailed you at HELO
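The reasoning behind the rule was that one fixed HELO name arriving from many different addresses is not a legitimate mail server but a set of infected hosts. The script below, an added example that is not part of the original post, parses exim_mainlog lines in the two shapes shown above and reports which HELO names were presented from several distinct IPs, which is the signal worth turning into a HELO-stage ACL rule. The sample lines, addresses and the `min_ips` threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Regex for the two exim_mainlog forms a HELO-stage "drop" produces, as shown in
# the post: the "SMTP connection from (...) ... closed by DROP in ACL" line and
# the "H=(...) ... rejected EHLO or HELO ..." line.
HELO_REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\d+\] "
    r"(?:SMTP connection from |H=)\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+ "
    r"I=\[[^\]]+\]:\d+ (?P<result>closed by DROP in ACL|rejected EHLO or HELO\b.*)$"
)

def parse_helo_rejects(lines):
    """Yield (timestamp, helo_name, remote_ip, result) for each matching line."""
    for line in lines:
        m = HELO_REJECT_RE.match(line.strip())
        if m:
            yield m["ts"], m["helo"], m["ip"], m["result"]

def ips_per_helo(lines):
    """Map each rejected HELO name to the set of distinct remote IPs that used it."""
    seen = defaultdict(set)
    for _ts, helo, ip, _result in parse_helo_rejects(lines):
        seen[helo].add(ip)
    return seen

def distributed_helo_names(lines, min_ips=3):
    """HELO names presented by at least `min_ips` distinct addresses. The same
    fixed name arriving from many hosts is the pattern the post attributes to
    infected machines, and the one a HELO-stage drop rule is meant to catch."""
    return sorted(h for h, ips in ips_per_helo(lines).items() if len(ips) >= min_ips)

# Constructed sample lines in the exim_mainlog shape quoted in the post; the
# addresses are from documentation ranges, not real hosts.
SAMPLE_LOG = """\
2014-05-23 12:23:24 [31068] SMTP connection from (ylmf-pc) [203.0.113.10]:52362 I=[192.0.2.1]:25 closed by DROP in ACL
2014-05-23 12:23:28 [31075] H=(ylmf-pc) [203.0.113.10]:26634 I=[192.0.2.1]:25 rejected EHLO or HELO ylmf-pc: I Nailed You at HELO
2014-05-23 12:24:01 [31080] H=(ylmf-pc) [203.0.113.77]:40111 I=[192.0.2.1]:25 rejected EHLO or HELO ylmf-pc: I Nailed You at HELO
2014-05-23 12:24:09 [31081] H=(ylmf-pc) [198.51.100.5]:40112 I=[192.0.2.1]:25 rejected EHLO or HELO ylmf-pc: I Nailed You at HELO
2014-05-23 12:25:00 [31090] H=(mail.example.org) [198.51.100.9]:3311 I=[192.0.2.1]:25 rejected EHLO or HELO mail.example.org: I Nailed You at HELO
2014-05-23 12:25:30 [31091] <= bob@example.net H=(mx.example.net) [198.51.100.20] P=esmtp S=1234
""".splitlines()

if __name__ == "__main__":
    for helo, ips in ips_per_helo(SAMPLE_LOG).items():
        print(f"{helo}: {len(ips)} distinct IPs")
    print("distributed HELO names:", distributed_helo_names(SAMPLE_LOG))
```

Run it against the real log with `parse_helo_rejects(open("/var/log/exim_mainlog"))` to see which names beyond ylmf-pc show the same many-addresses pattern before adding them to the ACL.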

Do you know what the origin of this ylmf-pc is?
