Host screening by ELHO/HELO initial conversation

Post your MailEnable suggestions here.
bitechbobbrenner
Posts: 41
Joined: Tue Jan 20, 2015 4:57 pm

Host screening by ELHO/HELO initial conversation

Post by bitechbobbrenner »

Ian,

First let me say thanks for your dedication to a well-built product! I have been using it myself and supporting it for three other commercial clients for almost 14 years now and will continue to do so.

I have observed many MailEnable Discussion Forum inquiries in reference to blocking/stopping certain EHLO identifications during the initial conversation (connection) with MailEnable, but with no actual remedy. From what I have found, the Discussion Forums don't actually address the problem other than redirections to another add-on program like MXScan or banning the IP. Firstly, MXScan doesn't have a function to drop/disconnect/ban a connection based on the EHLO conversation identification, example: ylmf-pc. Secondly, blocking the IP is an unrealistic solution as ylmf-pc and others have massive exposure through the WAN with infected workstations and use hundreds if not thousands of different IPs.

PTR and SPF have been implemented but, as you know, are not a realistic solution because many legitimate servers that our client base must have email conversations with are incorrectly configured; this includes improperly configured US governmental agencies.

For a simple solution I'm requesting, for your serious consideration, that this should be a function available with MailEnable within the MTU configuration section. The section should have the possibility to add several phrases, with the option for each to include a wildcard (*) both as a prefix and/or suffix. It would also be a benefit if each detected connection that matches the rule were banned by IP for at least one or more hours. Here are some samples of the EHLO conversations that I would block.

task*
localhost
ownerpc
ylmf-pc
cable*

In addition to the above, the capability of blocking EHLOs with only IP numbers would be beneficial.

Thank you
Bob Brenner

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: Host screening by ELHO/HELO initial conversation

Post by Brett Rowbotham »

I most definitely second this suggestion.

http://forum.mailenable.com/viewtopic.php?f=6&t=27294

Cheers,
Brett

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: Host screening by ELHO/HELO initial conversation

Post by Admin »

Hi,

This is available as a registry key in version 8.56 and later. It does not do wildcards yet though. But you can add a list of ones you want to block. The registry key required is below and takes a string value of the items you want to block. Separate them with a comma:

For 32bit Windows:


[HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Connectors\SMTP]
"Blocked HELO"="localhost,ylmf-pc"

For 64bit Windows:


[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Connectors\SMTP]
"Blocked HELO"="localhost,ylmf-pc"

You will need to restart the SMTP service when you change this. If a match is made the SMTP service just drops the connection. We'll likely expand on this. Not sure you want to block ones that send IPs though, as some valid clients may be doing this.

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: Host screening by ELHO/HELO initial conversation

Post by Brett Rowbotham »

Excellent - thanks for the update.

Personally I am not bothered blocking HELO with IP address, it's that damn ylmf-pc that has me seeing red.

Cheers,
Brett

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: Host screening by ELHO/HELO initial conversation

Post by Brett Rowbotham »

Happy to report that this is working well for me.

In the 2 hours 50 minutes since the SMTP service restart after making the registry setting, the service has already dropped 8372 connection attempts by ylmf-pc.

:D :D :D

bitechbobbrenner
Posts: 41
Joined: Tue Jan 20, 2015 4:57 pm

Re: Host screening by ELHO/HELO initial conversation

Post by bitechbobbrenner »

Thank you for the registry solution and yes, it has helped. As for the ylmf-pc slamming Brett Rowbotham, I thought I was getting slammed, not. I did eventually put up an email gateway called "ScrollOutF1" and you may want to look into it; so far I'm REALLY liking it! I installed it in a VM under the MailEnable server and so far so good!

Enjoy!

Bob Brenner

mexelby
Posts: 25
Joined: Wed Jul 09, 2014 5:24 am

Re: Host screening by ELHO/HELO initial conversation

Post by mexelby »

Hi Bob/Brett,

Ian pointed me to this article to do a very similar procedure on a bot or spammer using the EHLO command.

Did this registry key already exist for you guys or did you have to add it? What exact arguments did you put in? Which of the options below did you use? (I have a Windows 2012 R2 box.) I'm looking to block by hostname. Any help is appreciated.

Key
String Value
Binary Value
DWORD
QWORD
Multi-String Value
Expandable String Value

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: Host screening by ELHO/HELO initial conversation

Post by Brett Rowbotham »

The key, as detailed in an earlier post, had to be added, it did not already exist. It must be created as a string value. As for arguments, it is just a comma-separated list of hostnames that should be blocked at the EHLO/HELO stage of the SMTP conversation.

Cheers,
Brett
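The admin's registry settings and Brett's answer above (the value must be created as a String value under the right 32-bit or Wow6432Node path, named exactly "Blocked HELO") can be applied with the following script. This is an added example, not MailEnable's own code; the SMTP connector service display-name pattern used for the optional restart is an assumption to be checked with Get-Service.

```powershell
# Added example: create the "Blocked HELO" REG_SZ value for the MailEnable SMTP connector.
# Picks the 32-bit or Wow6432Node path automatically and refuses entries that the
# comma-separated, non-wildcard format cannot express.
param(
    [string[]]$BlockedHelo = @('localhost', 'ylmf-pc'),
    [switch]$RestartSmtp
)

# MailEnable is a 32-bit application, so on 64-bit Windows the key lives under Wow6432Node.
$keyPath = if ([Environment]::Is64BitOperatingSystem) {
    'HKLM:\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Connectors\SMTP'
} else {
    'HKLM:\SOFTWARE\Mail Enable\Mail Enable\Connectors\SMTP'
}

# The SMTP connector key itself is created by the installer; if it is missing, the
# hive or bitness is probably wrong, so stop rather than write to a path nothing reads.
if (-not (Test-Path $keyPath)) {
    throw "MailEnable SMTP connector key not found at $keyPath"
}

# Per the admin's post the value is a plain comma-separated list with no wildcard
# support, so an entry such as 'task*' would never match; reject it up front.
$bad = $BlockedHelo | Where-Object { $_ -match '[\*,]' -or [string]::IsNullOrWhiteSpace($_) }
if ($bad) { throw "Entries must be literal hostnames without '*' or ',': $($bad -join ' ')" }

$value = ($BlockedHelo | ForEach-Object { $_.Trim() } | Select-Object -Unique) -join ','

# REG_SZ is the "String Value" type in regedit; -Force overwrites an existing value.
New-ItemProperty -Path $keyPath -Name 'Blocked HELO' -PropertyType String `
    -Value $value -Force | Out-Null

# Read back to confirm the exact value name was written ("Blocked HELO", not "Blocked EHLO").
$written = (Get-ItemProperty -Path $keyPath -Name 'Blocked HELO').'Blocked HELO'
Write-Output "Blocked HELO = $written"

if ($RestartSmtp) {
    # The change only takes effect after an SMTP service restart.
    # Display-name pattern is an assumption; confirm it with Get-Service first.
    Get-Service -DisplayName 'MailEnable SMTP*' | Restart-Service
}
```

Run it from an elevated PowerShell session; without -RestartSmtp it only writes and echoes the value so the registry change can be reviewed before restarting the service.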

mexelby
Posts: 25
Joined: Wed Jul 09, 2014 5:24 am

Re: Host screening by ELHO/HELO initial conversation

Post by mexelby »

Clearly I'm just not getting the concept here. I went ahead and created the string value and have it presented like this. Tried with quotes in the string value, without quotes. Restarted the SMTP service, nothing. See below. Did I do this right? I'm at a loss. It's not blocking it either way. This is just a test I'm using currently. Tried short names, long names.

[Image attachment: screenshot of the registry value]

Brett Rowbotham
Posts: 560
Joined: Mon Nov 03, 2003 7:48 am
Location: Cape Town

Re: Host screening by ELHO/HELO initial conversation

Post by Brett Rowbotham »

The key name is "Blocked HELO" whereas you have used "Blocked EHLO".

Cheers,
Brett
