How to block based on HELO in Exim Advanced Editor
We've been seeing spams coming from the HELO of ylmf-pc for a long time, but today we got hit with a huge spam dump with the HELO as yarde.com.
I've decided to try to figure out how to block emails based on HELO, and (for now) stop both ylmf-pc and yarde.com
I found some information on how to block ONE of them... you do the following:
1) WHM > Exim Configuration Manager > Advanced Editor
2) Scroll down until you find "acl_smtp_helo"
3) Below that, you will find a box titled "custom_begin_smtp_helo". In that box, paste the following code:

    drop
      condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
      log_message = HELO/EHLO - ylmf-pc blocked
      message = ylmf-pc HELO blocked
    accept

4) Scroll to bottom of Editor and click SAVE

Now, how do I block BOTH ylmf-pc and also this new yarde.com? Could I add the same code twice? (EDIT: I tested this and it did not work) Or is there a better way?

Thanks in advance for your help!

- Scott

Thanks to some help on the "Exim Users" mailing list, I have the proper solution:

1) Create a file with a list of the HELOs that you want to block. For example, create and edit /etc/heloblocks
2) Go to WHM > Exim Configuration Manager > Advanced Editor.
3) Scroll down until you find "acl_smtp_helo"
4) Below that, you will find a box titled "custom_begin_smtp_helo". In that box, paste the following code:

    drop
      condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
      log_message = HELO/EHLO - HELO on heloblocks Blocklist
      message = HELO on heloblocks Blocklist
    accept

Of course, you can customize the log message and the message (that the end user receives).
5) Scroll down and hit SAVE, which will save the config and restart Exim.

If you want to test it out, start up a tail of /var/log/exim_mainlog, and then telnet from your computer like this:

    telnet mail.example.com 25

then after receiving the welcome message, type this:

    helo ylmf-pc

You should immediately get disconnected and you should see a log message indicating the block.

Hope this helps.

- Scott

How do you list the HELOs in heloblocks, by next line?

Create /etc/heloblocks

In that file, just list the HELOs, one per line, like:

    ylmf-pc
    yarde.com
    example.com
    foo

- Scott
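
An added example, not part of Scott's posts and not Exim's own code: a Python approximation of how Exim's lsearch reads a file like /etc/heloblocks, so a list can be checked before the config is saved. It assumes plain unquoted keys; the sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample of an /etc/heloblocks file (illustrative, not from the thread).
SAMPLE_HELOBLOCKS = """\
# HELO names to drop, one per line
ylmf-pc
Yarde.com

example.com: colon ends the key
  foo
*.bad.example
"""

def lsearch_keys(text):
    """Map each lowercased key to its line number, approximating lsearch.

    Keys start in column one and end at a colon, white space or end of line.
    Blank lines, '#' lines and indented (continuation) lines hold no key.
    Quoted keys are not handled in this sketch.
    """
    keys = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line[0] == "#" or line[0].isspace():
            continue
        key = re.split(r"[:\s]", line, maxsplit=1)[0]
        keys.setdefault(key.lower(), lineno)  # first occurrence is the one used
    return keys

def helo_blocked(helo, text):
    """True when the lookup on this HELO name would succeed (case-insensitive)."""
    return helo.lower() in lsearch_keys(text)

def lint(text):
    """Return (line number, reason) for entries that will not act as intended."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line[0] == "#":
            continue
        if line[0].isspace():
            problems.append((lineno, "indented line is continuation data, never matched"))
        elif "*" in line.split()[0]:
            problems.append((lineno, "lsearch keys are literal, wildcard will not expand"))
    return problems

if __name__ == "__main__":
    for name in ("ylmf-pc", "YARDE.COM", "foo", "mail.bad.example"):
        print(name, "->", "drop" if helo_blocked(name, SAMPLE_HELOBLOCKS) else "pass")
    for lineno, reason in lint(SAMPLE_HELOBLOCKS):
        print(f"line {lineno}: {reason}")
```

On a server with Exim installed, the real lookup can be checked with `exim -be '${lookup{ylmf-pc}lsearch{/etc/heloblocks}{yes}{no}}'`.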

Thanks Scott, works perfectly.