Drop SMTP connection at HELO/EHLO matching machine name
Helo guys!
Recently there have been many rogue incoming SMTP connections from different IP addresses with the same machine name "ylmf-pc". My guess is that these different machines were infected with malware and this malware is utilizing the machine to perform a brute force password attack to gain authorization.
My server is hosting cPanel and thus uses Exim as the SMTP server. The solution I decided on was to drop the SMTP connection at HELO so that no further processing is performed.
I'm trying to add a rule to block HELO from the machine named "Ylmf-pc", but Exim gives an error.
I need to use the following rule:

```
acl_smtp_helo = acl_smtp_helo

acl_smtp_helo:
#BEGIN ACL_SMTP_HELO_BLOCK
  drop
    condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message     = I Nailed You at HELO
  accept
#END ACL_SMTP_HELO_BLOCK
```

When I try to apply, I get the following error:

```
root@cpanel [/etc]# /etc/init.d/exim restart
Shutting down clamd: [ OK ]
Shutting down exim: [ OK ]
Shutting down spamd: [ OK ]
Starting clamd: [ OK ]
Starting exim: 2014-11-26 09:47:42 Exim configuration error in line 534 of /etc/exim.conf:
  error in ACL: unknown ACL verb "acl_smtp_helo" in "acl_smtp_helo = acl_smtp_helo"
[FAILED]
0 processes (antirelayd) sent signal 9
/usr/local/cpanel/scripts/update_sa_rules: running in background
```
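The message `unknown ACL verb "acl_smtp_helo"` is what Exim reports when the `acl_smtp_helo = ...` option line sits inside the ACL section (after `begin acl`) instead of in the main section above it, so the parser reads it as an ACL verb. As an added example (not the poster's configuration), here is the same rule with the option in the main section and the ACL under a distinct name, `acl_check_helo` (an assumed name), using `eqi` so that the comparison is case-insensitive:

```exim
# Added example, not the poster's configuration. The ACL name
# acl_check_helo is assumed; any name works as long as both lines agree.

# --- main section: option lines must appear before the first "begin" ---
# Tell Exim which named ACL to run after the client sends HELO/EHLO.
acl_smtp_helo = acl_check_helo

# --- ACL section: named ACLs are defined only after this line ---
begin acl

acl_check_helo:
  # Drop the connection when the HELO/EHLO name is ylmf-pc. "eqi" is the
  # case-insensitive comparison, so "Ylmf-pc" is caught as well as "ylmf-pc".
  drop
    condition   = ${if eqi {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message     = HELO/EHLO name not accepted

  # Every other HELO/EHLO name continues to the normal checks.
  accept
```

On a cPanel server /etc/exim.conf is regenerated from templates, so the change belongs in WHM's Exim Configuration Manager rather than in the file directly; `exim -bV` checks the resulting configuration for syntax errors before a restart.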
Hello; I have the same problem with exim.conf and this regex. Waiting for someone's response.
The solution I found was blocking through the firewall.

```
iptables -A INPUT -p tcp --dport 25 -m string --string 'ylmf-pc' --algo bm -j DROP
```

Yours, Daniel Vasconcelos -- IT Analyst
> The solution I found was blocking through the firewall.
> iptables -A INPUT -p tcp --dport 25 -m string --string 'ylmf-pc' --algo bm -j DROP
> Yours, Daniel Vasconcelos -- IT Analyst

Thanks for sharing. How to use this if the server uses CSF? I have not found where to add a custom iptables rule in CSF.
Do not know, sorry.
Look for the description of csfpost.sh in CSF's readme.txt.
> The solution I found was blocking through the firewall.

Hello :) I am happy to see you were able to find a solution. Thank you for updating us with the outcome.