
Access denied - Invalid HELO name

Comments

10 comments

  • rscalover
    Re: Any ideas what this is trying to do? That looks like somebody is trying to use your mailserver to send mail but your server is denying the attempt. I get those attempts too from hostnames ending in "hinet.net"; it's an abusive ISP.
    0
  • keat63
    He's persistent
    0
  • keat63
    Re: Any ideas what this is trying to do? My server has its own hostname, which I've no intention of emailing from. I will only ever email from packages/accounts. If I removed the MX entries from DNS for the hostname, would this stop them, and would it have any other implications?
    0
  • cPanelMichael
    Hello :) Could you post the full output of this entry from /var/log/exim_mainlog? Thank you.
    0
  • keat63

    2014-12-12 12:37:40 SMTP connection from [114.24.5.187]:4744 (TCP/IP connection count = 1)
    2014-12-12 12:37:41 H=114-24-5-187.dynamic.hinet.net (xxx.xxx.xxx.31) [114.24.5.187]:4744 rejected MAIL : Access denied - Invalid HELO name (See RFC2821 4.1.3)
    2014-12-12 12:37:41 SMTP connection from 114-24-5-187.dynamic.hinet.net (xxx.xxx.xxx.31) [114.24.5.187]:4744 closed by DROP in ACL
    2014-12-12 12:37:42 SMTP connection from [114.24.5.187]:1829 (TCP/IP connection count = 1)
    2014-12-12 12:37:43 H=114-24-5-187.dynamic.hinet.net (xxx.xxx.xxx.153) [114.24.5.187]:1829 rejected MAIL : Access denied - Invalid HELO name (See RFC2821 4.1.3)
    2014-12-12 12:37:43 SMTP connection from 114-24-5-187.dynamic.hinet.net (xxx.xxx.xxx.153) [114.24.5.187]:1829 closed by DROP in ACL

    Looks like he's had a go at both IPs.
    0
  • cPanelMichael
    You could block the IP address in your firewall if you want to prevent that IP address from making additional SMTP connection attempts. Otherwise, the HELO check is working successfully. Thank you.
    0
  • keat63
    CSF has blocked him, but no doubt he might come back under another IP, so I may consider blocking the first two octets, I guess. As always, thanks for your help, guys. Much appreciated.
    0
  • Infopro
    "so I may consider blocking the first two octets i guess"
    Be careful how you block IPs. For example that crazy list in your other thread (removed now, bad advice). Let CSF do its job, automagically. Spending time understanding all the settings in CSF and how to make best use of them, far more important than blocking already blocked IPs. ;)
    0
  • keat63
    "Be careful how you block IPs. For example that crazy list in your other thread (removed now, bad advice). Let CSF do its job, automagically. Spending time understanding all the settings in CSF and how to make best use of them, far more important than blocking already blocked IPs. ;)"

    Hi Info. That crazy list :-), I added to CPHULK. I take it this isn't good? Could you elaborate, please? As regards blocking ISPs, I've no interest in traffic from TW, as we are a UK company and would only supply to customers in the UK. We have no market with TW. I have learnt that blocking whole continents has a detrimental effect. Thanks
    0
  • cPanelMichael
    "That crazy list :-), i added to CPHULK. I take it, this isn't good ? Could you elaborate please."

    It's not a good idea to block IP addresses in such a broad scope because you can block legitimate traffic. Thank you.
    0
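
Added example, not posted by any participant and not cPanel or CSF code: it groups the "Invalid HELO name" rejections from the exim_mainlog excerpt in the thread by client IP, and compares how many addresses a single-IP block covers against a block on the first two octets (/16). The function names and the one-entry-per-line layout of the sample are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: the exim_mainlog entries quoted in the thread, one per line
# (the server's own addresses stay redacted as in the original post).
SAMPLE_LOG = """\
2014-12-12 12:37:40 SMTP connection from [114.24.5.187]:4744 (TCP/IP connection count = 1)
2014-12-12 12:37:41 H=114-24-5-187.dynamic.hinet.net (xxx.xxx.xxx.31) [114.24.5.187]:4744 rejected MAIL : Access denied - Invalid HELO name (See RFC2821 4.1.3)
2014-12-12 12:37:41 SMTP connection from 114-24-5-187.dynamic.hinet.net (xxx.xxx.xxx.31) [114.24.5.187]:4744 closed by DROP in ACL
2014-12-12 12:37:42 SMTP connection from [114.24.5.187]:1829 (TCP/IP connection count = 1)
2014-12-12 12:37:43 H=114-24-5-187.dynamic.hinet.net (xxx.xxx.xxx.153) [114.24.5.187]:1829 rejected MAIL : Access denied - Invalid HELO name (See RFC2821 4.1.3)
2014-12-12 12:37:43 SMTP connection from 114-24-5-187.dynamic.hinet.net (xxx.xxx.xxx.153) [114.24.5.187]:1829 closed by DROP in ACL
"""

# Exim logs "H=<reverse DNS name> (<HELO argument>) [<client IP>]:<port>";
# either of the first two fields can be absent.
REJECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?:(?P<rdns>[^\s(\[]\S*) )?(?:\((?P<helo>[^)]*)\) )?"
    r"\[(?P<ip>[^\]]+)\](?::\d+)? rejected .*Invalid HELO name"
)

def summarize_helo_rejects(log_text):
    """Group 'Invalid HELO name' rejections by client IP."""
    hits = defaultdict(lambda: {"count": 0, "helos": set(), "rdns": set(),
                                "first": None, "last": None})
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # connection open/close lines and unrelated entries
        entry = hits[m["ip"]]
        entry["count"] += 1
        if m["helo"]:
            entry["helos"].add(m["helo"])  # what the client claimed to be
        if m["rdns"]:
            entry["rdns"].add(m["rdns"])
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    return dict(hits)

def block_scope(ip, prefix_len):
    """Number of addresses a firewall rule covers at the given prefix length."""
    return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False).num_addresses

if __name__ == "__main__":
    for ip, e in summarize_helo_rejects(SAMPLE_LOG).items():
        print(f"{ip}: {e['count']} rejects, HELO={sorted(e['helos'])}, "
              f"rDNS={sorted(e['rdns'])}, {e['first']} .. {e['last']}")
        print(f"  /32 covers {block_scope(ip, 32)}, /16 covers {block_scope(ip, 16)}")
```

On the sample, the log evidence points at one client address, while a rule on the first two octets would cover 65,536 addresses.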
