How to block EHLO ylmf-pc, Please help!!!

joneswan
Posts: 3
Joined: Thu Sep 04, 2008 6:32 am

How to block EHLO ylmf-pc, Please help!!!

Post by joneswan » Fri Mar 14, 2014 8:06 am

I got a brute-force attack which uses different IPs every once in a while to check authentication.
03/14/14 02:12:13 SMTP-IN 2EBB4DBBC88746B9948808F3F7E413CF.MAI 1076 75.151.147.161 EHLO EHLO ylmf-pc 250-[mydomain] [75.151.147.161], this server offers 4 extensions 135 14
03/14/14 02:12:13 SMTP-IN 2EBB4DBBC88746B9948808F3F7E413CF.MAI 1076 75.151.147.161 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
03/14/14 02:12:13 SMTP-IN 2EBB4DBBC88746B9948808F3F7E413CF.MAI 1076 75.151.147.161 AUTH {blank} 334 UGFzc3dvcmQ6 18 26 info@tritonpe.com
03/14/14 02:12:14 SMTP-IN 2EBB4DBBC88746B9948808F3F7E413CF.MAI 1076 75.151.147.161 AUTH MTIzMTIz 504 Invalid Username or Password 34 10 [mailbox]@[mydomain]
03/14/14 02:12:14 SMTP-IN 6730ED4AFAD54AD9B6690481979D65DB.MAI 1012 75.151.147.161 220 -[mydomain] ESMTP MailEnable Service, Version: 0-6.85- ready at 03/14/14 02:12:14 0 0

How can I block the login from the machine "ylmf-pc"? Can anyone help, please!

MailEnable-Ian
Site Admin
Posts: 9319
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: How to block EHLO ylmf-pc, Please help!!!

Post by MailEnable-Ian » Mon Mar 17, 2014 4:37 am

Hi,

There is no specific option to prevent brute force attacks in MailEnable other than enabling the "Abuse detection and prevention" option under the "localhost > Policies" tab. The option will automatically ban the incoming IP from connecting after 10 invalid commands are issued to the service, which may help reduce the attacks. It would be more ideal though to look into dedicated spam gateways that have the ability to stop these kinds of attacks hitting the mail server.

Regards,

Ian Margarone
MailEnable Support

Brett Rowbotham
Posts: 546
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: How to block EHLO ylmf-pc, Please help!!!

Post by Brett Rowbotham » Tue Mar 18, 2014 10:01 am

I'm also looking for a way to drop connections at the EHLO stage when ylmf-pc is the reported name.

We are seeing many brute force authentication attempts with EHLO ylmf-pc and the problem is that the mailbox is locked out after a few attempts, which results in the legitimate user being unable to log in to their mailbox until the lock expires, or I release the lock manually.

Is there any SMTP script I can deploy to block these login attempts without compromising the use of the mail server by legitimate users?

Cheers,
Brett

MailEnable-Ian
Site Admin
Posts: 9319
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: How to block EHLO ylmf-pc, Please help!!!

Post by MailEnable-Ian » Wed Mar 19, 2014 2:01 am

Hi,

You could try looking into the Magic Spam SMTP plugin for MailEnable to see if it does HELO/EHLO checking.

http://www.magicspam.com/anti-spam-prot ... enable.php

Regards,

Ian Margarone
MailEnable Support

microwil
Posts: 88
Joined: Thu Jan 08, 2004 9:44 pm

Re: How to block EHLO ylmf-pc, Please help!!!

Post by microwil » Sat Nov 07, 2015 10:55 am

Setting up "Abuse detection and prevention" can block the HELO but not the EHLO attack. Has anyone tried this one:

http://www.spamword.com/index.php

Doesn't look like it has that function either.
Hope someone can find a solution.

microwil
Posts: 88
Joined: Thu Jan 08, 2004 9:44 pm

Re: How to block EHLO ylmf-pc, Please help!!!

Post by microwil » Sun Nov 08, 2015 5:12 pm

Searching through the log files you may find out that "ylmf-pc" is attacking you 24/7. "ylmf-pc" is definitely not a personal computer but a server, or someone professional. We all have the experience that sometimes either our users or our users' friends get infected and keep on sending out spam. The problem lasts for 7-10 hours and ends after that guy turns off his computer and leaves the office for home. No way to be 24/7.
So, "ylmf-pc" could be someone making money out of selling a filter for "ylmf-pc". :(

MailEnable-Ian
Site Admin
Posts: 9319
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: How to block EHLO ylmf-pc, Please help!!!

Post by MailEnable-Ian » Sun Nov 08, 2015 10:56 pm

Hi,

http://forum.mailenable.com/viewtopic.p ... pc#p105872

The option is also configurable in version 9 under: SMTP properties "security" tab - EHLO Blocking.

Regards,

Ian Margarone
MailEnable Support

microwil
Posts: 88
Joined: Thu Jan 08, 2004 9:44 pm

Re: How to block EHLO ylmf-pc, Please help!!!

Post by microwil » Fri Jan 08, 2016 10:04 am

Hi Ian,

I have finally upgraded to version 9, but I can't find "EHLO Blocking" on the SMTP properties "security" tab. Can you specify more on this? Thanks.

MailEnable-Ian
Site Admin
Posts: 9319
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: How to block EHLO ylmf-pc, Please help!!!

Post by MailEnable-Ian » Mon Jan 11, 2016 12:16 am

Hi,

Are you accessing the new administration console? Navigate within the MailEnable installation path to: Mail Enable\Admin. Locate the MailEnableAdmin.msc file and double click to open the new console.

Regards,

Ian Margarone
MailEnable Support

microwil
Posts: 88
Joined: Thu Jan 08, 2004 9:44 pm

Re: How to block EHLO ylmf-pc, Please help!!!

Post by microwil » Mon Jan 11, 2016 2:12 am

Now I see it. The new console is beautiful and more dynamic.
I checked the "EHLO Blocking" and it has "localhost" and "ylmf-pc" auto-entered? After that I checked my SMTP logging. "ylmf-pc" still attacked me a few hours ago.
When I first came to this "ylmf-pc" problem, "ylmf-pc" was attacking me like this:
10/24/15 00:03:43 SMTP-IN 2CE9353FD872438786E3EC742B5971CF.MAI 1144 183.160.5.84 EHLO EHLO ylmf-pc 250-abc.com [183.160.5.84], this server offers 4 extensions 128 14
10/24/15 00:03:43 SMTP-IN 2CE9353FD872438786E3EC742B5971CF.MAI 1144 183.160.5.84 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
10/24/15 00:03:43 SMTP-IN 2CE9353FD872438786E3EC742B5971CF.MAI 1144 183.160.5.84 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 lilie
10/24/15 00:03:43 SMTP-IN 2CE9353FD872438786E3EC742B5971CF.MAI 1144 183.160.5.84 AUTH aGFudGluZ0AyMDEw 504 Invalid Username or Password

Then I turned on "Connection Dropping" in Nov. And it went like this:
11/01/15 00:01:01 SMTP-IN 06184A560FBC463895261DA03A69614D.MAI 944 58.216.33.253 EHLO EHLO ylmf-pc 0 14
11/01/15 00:01:01 SMTP-IN 74C040E58912487FB4F6972C2393EABE.MAI 976 58.216.33.253 220 abc.com ESMTP MailEnable Service, Version: 6.88-6.88- ready at 11/01/15 00:01:01 0 0

Now I have turned on "EHLO Blocking". It looks like it is not doing anything further, but the same:
01/11/16 04:38:52 SMTP-IN 75D5CB6367C34E19B94869C49A7C45CC.MAI 1012 182.118.102.251 EHLO EHLO ylmf-pc 0 14
01/11/16 04:38:55 SMTP-IN CFA2D43CF2A042098A43DF755354BE31.MAI 904 182.118.102.251 220 abc.com ESMTP MailEnable Service, Version: 9.01-9.01- ready at 01/11/16 04:38:55 0 0

Thanks.

MailEnable-Ian
Site Admin
Posts: 9319
Joined: Mon Mar 22, 2004 4:44 am
Location: Melbourne, Victoria, Australia

Re: How to block EHLO ylmf-pc, Please help!!!

Post by MailEnable-Ian » Mon Jan 11, 2016 2:25 am

Hi,

Did you restart the SMTP service after adding the EHLO blocks?

Regards,

Ian Margarone
MailEnable Support

microwil
Posts: 88
Joined: Thu Jan 08, 2004 9:44 pm

Re: How to block EHLO ylmf-pc, Please help!!!

Post by microwil » Mon Jan 11, 2016 7:34 pm

Hi,

I just restarted the SMTP service and log shows:

[01/12/16 00:05:11]****************** LOG FILE CLOSED ********************
[01/12/16 00:05:11]****************** LOG FILE STARTED *******************


Then a few hours later, I still see this kind of "ylmf-pc" log coming in, repeated 10 to 20 times in each attack:

1/12/16 01:53:06 SMTP-IN 1393CDF453FF4CF99BD4C6FA073F38D3.MAI 884 114.99.234.199 EHLO EHLO ylmf-pc 0 14
01/12/16 01:53:16 SMTP-IN 0846742115B643D390FED9A69EC1D783.MAI 852 114.99.234.199 220 abc.com ESMTP MailEnable Service, Version: 9.01-9.01- ready at 01/12/16 01:53:16 0 0
01/12/16 01:53:17 SMTP-IN 0846742115B643D390FED9A69EC1D783.MAI 852 114.99.234.199 EHLO EHLO ylmf-pc 0 14
01/12/16 01:53:18 SMTP-IN C3306ECF2C26438A97CB0DDAF6972681.MAI 840 114.99.234.199 220 abc.com ESMTP MailEnable Service, Version: 9.01-9.01- ready at 01/12/16 01:53:18 0 0

Brett Rowbotham
Posts: 546
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: How to block EHLO ylmf-pc, Please help!!!

Post by Brett Rowbotham » Tue Jan 12, 2016 4:37 am

Other than the fact that you missed the initial connection, the log file output is showing that the connection is being dropped, as there are no further transactions in that conversation. What did you expect to see happening?

Look to the line just before

1/12/16 01:53:06 SMTP-IN 1393CDF453FF4CF99BD4C6FA073F38D3.MAI 884 114.99.234.199 EHLO EHLO ylmf-pc 0 14

which will be the initial connection, and then the conversation is stopped as soon as the EHLO is received with the banned server name.

Cheers,
Brett

microwil
Posts: 88
Joined: Thu Jan 08, 2004 9:44 pm

Re: How to block EHLO ylmf-pc, Please help!!!

Post by microwil » Tue Jan 12, 2016 5:54 am

Hi Brett,

Actually I don't know, because when I was using version 6 and turned on "Connection Dropping", the log looked the same as now: dropped after the 1st line, but repeated many times. And Ian advised that version 9 can block at the EHLO level. So I upgraded to version 9 and tried. And the result looks the same.
I was expecting that when "ylmf-pc" starts its attack a few times, version 9 could temporarily block the IP, a long way before it reaches the SMTP service. So you would only see a few lines of "ylmf-pc", not as now, where the last time I counted there were over 30 lines of "ylmf-pc" in a very short period.

If this is the best, I am still a happy man. My broadband bandwidth can tolerate that. I know I can't stop "ylmf-pc" attacking me. I just want to find an automatic way to block it as early as possible.

Thanks everyone.

Brett Rowbotham
Posts: 546
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: How to block EHLO ylmf-pc, Please help!!!

Post by Brett Rowbotham » Tue Jan 12, 2016 6:10 am

Why not post a suggestion that IP blocking or blacklisting is implemented after blocking, say, 5 EHLO attempts for the same banned server name? That would allow blocking by EHLO and bad IP in the same function.

We are on a fiber connection so as long as the connections are blocked we don't care how many times they try.

Cheers,
Brett
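Brett's suggestion (ban the source IP once a handful of EHLO attempts with a banned name have been dropped) can be approximated on the log-monitoring side while waiting for a product feature. The Python script below is an added example, not MailEnable's code and not posted by anyone in this thread. It parses SMTP-IN log lines in the format quoted above, treats an EHLO with a banned name (whether accepted, as in the version 6 logs, or dropped with the "0 14" tail, as in the version 9 logs) and a "504 Invalid Username or Password" response as hostile events, keeps a sliding window per client IP, and reports the IPs that cross a threshold so they can be fed to a firewall block list. The log lines, session IDs and IP addresses are constructed for the example; the threshold of 5 events in 10 minutes and the banned-name list are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# EHLO names to treat as banned (assumed list; the thread shows "ylmf-pc"
# auto-entered in MailEnable's EHLO Blocking list).
BANNED_NAMES = ("ylmf-pc",)

# One MailEnable SMTP-IN log line, in the layout quoted in the thread:
#   MM/DD/YY HH:MM:SS SMTP-IN <session>.MAI <port> <client-ip> <verb and response>
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) SMTP-IN "
    r"(?P<session>[0-9A-Fa-f]+\.MAI) (?P<port>\d+) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<rest>.*)$"
)
# "EHLO EHLO <name> ..." appears both when the EHLO is accepted ("250-...") and
# when connection dropping / EHLO blocking ends the session ("... 0 14").
EHLO_RE = re.compile(r"^EHLO EHLO (?P<name>\S+) ")
# A rejected AUTH LOGIN password, as in the version 6 log lines quoted above.
AUTH_FAIL_RE = re.compile(r"^AUTH \S+ 504 Invalid Username or Password")


def parse_line(line):
    """Return {ts, session, ip, rest} for a SMTP-IN line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%m/%d/%y %H:%M:%S"),
        "session": m.group("session"),
        "ip": m.group("ip"),
        "rest": m.group("rest"),
    }


def classify(rest, banned_names=BANNED_NAMES):
    """Label the command/response part as 'ehlo_banned', 'auth_failed' or None."""
    m = EHLO_RE.match(rest)
    if m:
        return "ehlo_banned" if m.group("name").lower() in banned_names else None
    if AUTH_FAIL_RE.match(rest):
        return "auth_failed"
    return None


def find_repeat_offenders(lines, threshold=5, window=timedelta(minutes=10),
                          banned_names=BANNED_NAMES):
    """Return {ip: datetime} for each IP that produced `threshold` or more hostile
    events inside any `window`; the value is when the threshold was first crossed."""
    recent = defaultdict(deque)   # ip -> timestamps of events still inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or classify(rec["rest"], banned_names) is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # expire events that left the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in flagged:
            flagged[rec["ip"]] = rec["ts"]
    return flagged


# Constructed sample log: 203.0.113.10 has five dropped EHLOs, 203.0.113.30 has an
# accepted banned EHLO plus four failed logins, 203.0.113.20 only two dropped EHLOs,
# and 198.51.100.7 is a legitimate client that mistyped a password once.
SAMPLE_LOG = """\
01/12/16 01:53:06 SMTP-IN 000000000000000000000000000000A1.MAI 884 203.0.113.10 EHLO EHLO ylmf-pc 0 14
01/12/16 01:53:16 SMTP-IN 000000000000000000000000000000A2.MAI 852 203.0.113.10 220 mail.example.org ESMTP MailEnable Service, Version: 9.01-9.01- ready at 01/12/16 01:53:16 0 0
01/12/16 01:53:17 SMTP-IN 000000000000000000000000000000A2.MAI 852 203.0.113.10 EHLO EHLO ylmf-pc 0 14
01/12/16 01:53:29 SMTP-IN 000000000000000000000000000000A3.MAI 840 203.0.113.10 EHLO EHLO ylmf-pc 0 14
01/12/16 01:53:31 SMTP-IN 000000000000000000000000000000B1.MAI 901 198.51.100.7 EHLO EHLO mail.customer.example 250-mail.example.org [198.51.100.7], this server offers 4 extensions 135 14
01/12/16 01:53:31 SMTP-IN 000000000000000000000000000000B1.MAI 901 198.51.100.7 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/12/16 01:53:32 SMTP-IN 000000000000000000000000000000B1.MAI 901 198.51.100.7 AUTH {blank} 334 UGFzc3dvcmQ6 18 10 alice
01/12/16 01:53:32 SMTP-IN 000000000000000000000000000000B1.MAI 901 198.51.100.7 AUTH QUFBQQ== 504 Invalid Username or Password 34 10 alice@example.org
01/12/16 01:53:40 SMTP-IN 000000000000000000000000000000A4.MAI 833 203.0.113.10 EHLO EHLO ylmf-pc 0 14
01/12/16 01:53:45 SMTP-IN 000000000000000000000000000000C1.MAI 990 203.0.113.20 EHLO EHLO ylmf-pc 0 14
01/12/16 01:53:52 SMTP-IN 000000000000000000000000000000A5.MAI 820 203.0.113.10 EHLO EHLO ylmf-pc 0 14
01/12/16 01:54:03 SMTP-IN 000000000000000000000000000000D1.MAI 1144 203.0.113.30 EHLO EHLO ylmf-pc 250-mail.example.org [203.0.113.30], this server offers 4 extensions 128 14
01/12/16 01:54:03 SMTP-IN 000000000000000000000000000000D1.MAI 1144 203.0.113.30 AUTH AUTH LOGIN 334 VXNlcm5hbWU6 18 12
01/12/16 01:54:04 SMTP-IN 000000000000000000000000000000D1.MAI 1144 203.0.113.30 AUTH QkJCQg== 504 Invalid Username or Password 34 10 bob@example.org
01/12/16 01:54:05 SMTP-IN 000000000000000000000000000000D1.MAI 1144 203.0.113.30 AUTH Q0NDQw== 504 Invalid Username or Password 34 10 bob@example.org
01/12/16 01:54:06 SMTP-IN 000000000000000000000000000000D1.MAI 1144 203.0.113.30 AUTH RERERA== 504 Invalid Username or Password 34 10 bob@example.org
01/12/16 01:54:07 SMTP-IN 000000000000000000000000000000D1.MAI 1144 203.0.113.30 AUTH RUVFRQ== 504 Invalid Username or Password 34 10 bob@example.org
01/12/16 01:54:20 SMTP-IN 000000000000000000000000000000C2.MAI 980 203.0.113.20 EHLO EHLO ylmf-pc 0 14
"""

if __name__ == "__main__":
    for ip, when in sorted(find_repeat_offenders(SAMPLE_LOG.splitlines()).items()):
        print(f"{ip} crossed the threshold at {when:%Y-%m-%d %H:%M:%S}; add it to the block list")
```

Run against the live SMTP-IN log and hand the flagged IPs to the host firewall; because the window is sliding, a legitimate user who mistypes a password a couple of times is never counted alongside a host that is hammering the EHLO stage, and the threshold and window can be tuned to the traffic actually seen.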
