EHLO Blocking - HELO *.*

mfogarty
Posts: 56
Joined: Mon Apr 18, 2005 2:56 pm

EHLO Blocking - HELO *.*

Postby mfogarty » Sun Jan 01, 2017 9:19 pm

I recently activated EHLO blocking on 'ylmf-pc' and that has stopped thousands of bogus login attempts. Now the one I'm seeing most of sends 'HELO *.*'. Is there a way to block that? Running ME Pro 9.52.

telecomputers
Posts: 43
Joined: Sat Dec 04, 2004 3:59 pm

Re: EHLO Blocking - HELO *.*

Postby telecomputers » Tue Jan 31, 2017 5:26 pm

Not quite sure what you mean by HELO *.* - Are you actually seeing the asterisks?
You certainly do not want to block *.* as I am pretty sure that will block everything.

You should update to 9.54 (or above) as it has the full working function for the HELO process.

Here is what we are using in there to block 40% of our spam at the HELO:

YLMF-PC
wanip
*.vn
*.top
*.stream
*.xyz
*.local
localhost
*.localdomain
mata.com
*timeshare*
*herpes*

Hope this helps.

Note: I edited this post to remove [*.*.*.*] from the above list - sorry - it appeared to be blocking legit smartphone connections.
Last edited by telecomputers on Fri Feb 10, 2017 11:22 pm, edited 1 time in total.
j@mes

MEpro 9.61
JAM Software - SpamAssassin in a Box
ClamAV / Sanesecurity

mfogarty
Posts: 56
Joined: Mon Apr 18, 2005 2:56 pm

Re: EHLO Blocking - HELO *.*

Postby mfogarty » Wed Feb 01, 2017 12:36 am

Hi. Thanks for the input. Yes, it's just like that, with the asterisks.

I noticed you have [*.*.*.*] in your block list. what do the brackets do? are you blocking ip addresses enclosed in brackets, or do they do something else?

thanks,
mf

telecomputers
Posts: 43
Joined: Sat Dec 04, 2004 3:59 pm

Re: EHLO Blocking - HELO *.*

Postby telecomputers » Wed Feb 01, 2017 7:38 am

Hello again,

Yes, we see a lot of email come in with this bracket format, [192.168.1.100]; the IP addresses are all different of course. Here are a few examples from the log files:

EHLO EHLO+[197.157.18.98]
EHLO EHLO+[185.99.32.109]
EHLO EHLO+[10.75.60.50]

After careful review of these messages it appears that 100% are bad: we tried very hard to find one addressed like that that was legit, but there were none, at least on our servers. So we chose to block them. So the way to tell the HELO blocking function to do that was with the wildcard * between the dots. So [*.*.*.*] will block any HELO result that has the brackets around an IP address.

There is a previous discussion about this topic here:
http://forum.mailenable.com/viewtopic.php?f=6&t=41039&p=110295#p110295

In this thread we discussed ways to improve the HELO blocking by using wildcards, and ME took it upon themselves to expand the HELO blocking functions to allow us to now use wildcards in this most current release, 9.54. It worked in 9.53, but there was a problem with entering the "phrases to block" through the admin backend; that has been resolved in 9.54.

From what I understand, according to the RFC rules it is possible that a HELO name could be an IP address; however, I have never seen one in our log files. The IP address surrounded by brackets seems to come only from machines trying to send email with our accounts, but we require authentication so they all fail, so this way we stop them right at the HELO to save our resources.

That said we have seen names like these which start with an IP:

EHLO EHLO+179-124-191-190.cab.prima.net.ar
EHLO EHLO+195.175.45.238.static.turktelekom.com.tr
EHLO EHLO+117-103-81-22.idsbangladesh.net.bd
EHLO EHLO+109-92-22-43.static.isp.telekom.rs

We have also seen this type of thing:

EHLO EHLO+189-050-157-037.static.starweb.net.br
EHLO EHLO+10-220-195-190.cab.prima.net.ar
EHLO EHLO+114-39-74-208.dynamic.hinet.net
j@mes

MEpro 9.61
JAM Software - SpamAssassin in a Box
ClamAV / Sanesecurity

telecomputers
Posts: 43
Joined: Sat Dec 04, 2004 3:59 pm

Re: EHLO Blocking - HELO *.*

Postby telecomputers » Fri Feb 10, 2017 11:19 pm

Update on this thread:

It would appear that smartphones are sending their HELO in this format:
EHLO+[10.0.0.121]

The Android that I tested used the above. I assume iPhones do the same.
The IP is the one assigned to the device by the WiFi connection from the DHCP on the internal network.

Definitely recommend removing the [*.*.*.*] from the block list.
j@mes

MEpro 9.61
JAM Software - SpamAssassin in a Box
ClamAV / Sanesecurity
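The two points the thread turns on, that an unescaped `*.*` pattern matches every HELO name while the poster wants to block the literal string `*.*`, and that a `[*.*.*.*]` pattern catches both the bot address literals and legitimate smartphones, can be checked offline. The following is an added example, not MailEnable's code and not the forum posters' configuration: it uses its own assumed entry syntax (`*` as a wildcard, every other character literal, and a leading `=` marking an exact match), parses the `EHLO EHLO+<name>` log shape quoted above (the `+` separator is taken from those quoted lines and assumed), and runs the posted block list against HELO names taken from the thread plus a few constructed ones. How MailEnable itself interprets wildcards may differ.

```python
"""HELO/EHLO block-list matcher, an added example (not MailEnable's code)."""
import re

# Block list as posted in the thread, plus two entries constructed here:
# '=*.*' (exact match for the literal name '*.*' the original poster asked
# about) and, kept separate, the '[*.*.*.*]' entry the thread later withdrew.
THREAD_LIST = [
    "YLMF-PC", "wanip", "*.vn", "*.top", "*.stream", "*.xyz", "*.local",
    "localhost", "*.localdomain", "mata.com", "*timeshare*", "*herpes*",
    "=*.*",
]
ADDRESS_LITERAL_ENTRY = "[*.*.*.*]"

# RFC 5321 IPv4 address literal shape: '[' a.b.c.d ']'. Both the bot examples
# and the smartphone example in the thread have this shape.
_ADDRESS_LITERAL = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")


def entry_to_regex(entry):
    """Assumed entry syntax: '*' matches any run of characters, everything
    else is literal, and a leading '=' means exact match of the remainder.
    Matching is case-insensitive (an assumption about the server)."""
    if entry.startswith("="):
        return re.compile(re.escape(entry[1:]) + r"\Z", re.IGNORECASE)
    parts = [re.escape(p) for p in entry.split("*")]
    return re.compile(".*".join(parts) + r"\Z", re.IGNORECASE)


def helo_blocked(helo, block_list):
    """Return the first block-list entry that matches helo, or None."""
    for entry in block_list:
        if entry_to_regex(entry).match(helo):
            return entry
    return None


def is_address_literal(helo):
    return bool(_ADDRESS_LITERAL.match(helo))


def helo_name_from_log(line):
    """Extract the HELO argument from a log line shaped like
    'EHLO EHLO+<name>' or 'EHLO+<name>' (the '+' separator is assumed
    from the lines quoted in the thread). Returns None if no '+' is present."""
    _verb, sep, name = line.strip().partition("+")
    return name if sep else None


def evaluate(log_lines, block_list):
    """Map each HELO name in log_lines to the entry that blocks it (or None)."""
    result = {}
    for line in log_lines:
        name = helo_name_from_log(line)
        if name is not None:
            result[name] = helo_blocked(name, block_list)
    return result


# Sample log lines: the first five are quoted in the thread, the rest are
# constructed for this example.
SAMPLE_LOG = [
    "EHLO EHLO+[197.157.18.98]",
    "EHLO EHLO+[185.99.32.109]",
    "EHLO EHLO+179-124-191-190.cab.prima.net.ar",
    "EHLO EHLO+YLMF-PC",
    "EHLO+[10.0.0.121]",                 # the tested Android phone
    "HELO+*.*",                          # the literal name the OP asked about
    "EHLO EHLO+mail.example.com",        # constructed, legitimate-looking
    "EHLO EHLO+cheap-timeshare.example", # constructed, hits '*timeshare*'
]

if __name__ == "__main__":
    for with_literal in (False, True):
        block_list = THREAD_LIST + ([ADDRESS_LITERAL_ENTRY] if with_literal else [])
        print(f"--- block list {'with' if with_literal else 'without'} {ADDRESS_LITERAL_ENTRY}")
        for name, entry in evaluate(SAMPLE_LOG, block_list).items():
            tag = " (address literal)" if is_address_literal(name) else ""
            print(f"{name:45} -> {entry or 'accepted'}{tag}")
    # The overmatch the second poster warned about: a bare '*.*' entry.
    print("bare '*.*' blocks mail.example.com:",
          helo_blocked("mail.example.com", ["*.*"]) is not None)
```

Run with the `[*.*.*.*]` entry present and both `[197.157.18.98]` and the phone's `[10.0.0.121]` are rejected by the same rule; the matcher has nothing at HELO time to tell them apart, since authentication has not happened yet, which is why the thread's conclusion was to drop that entry rather than refine it. The `=*.*` entry stops exactly the name `*.*`, whereas the bare `*.*` pattern would block every host name containing a dot.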
