Recently there have been many rogue incoming SMTP connections from different IP addresses, all presenting the same machine name, "ylmf-pc". My guess is that these machines were infected with malware that uses them to run brute-force password attacks against SMTP authentication.
My server is hosting cPanel and therefore uses EXIM as the SMTP server. The solution I decided on was to drop the SMTP connection at HELO so that no further processing is performed.
The following was added to the EXIM ACL configuration file.
# vi /etc/exim.conf

# main configuration section: name the ACL to run at HELO/EHLO
acl_smtp_helo = acl_smtp_helo

# ACL section: the ACL itself
acl_smtp_helo:
  #BEGIN ACL_SMTP_HELO_BLOCK
  drop
    condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message     = I Nailed You at HELO
  accept
  #END ACL_SMTP_HELO_BLOCK
Restart the EXIM service after adding the above into the EXIM configuration file.
# service exim restart
Whenever an SMTP connection is attempted with the HELO string ylmf-pc, the connection will be dropped. The log entries (in /var/log/exim_mainlog) will look like the ones below:

2014-05-23 12:23:24 [31068] SMTP connection from (ylmf-pc) [96.57.55.178]:52362 I=[xxx.xxx.xxx.xxx]:25 closed by DROP in ACL
2014-05-23 12:23:28 [31075] H=(ylmf-pc) [96.57.55.178]:26634 I=[xxx.xxx.xxx.xxx]:25 rejected EHLO or HELO ylmf-pc: I Nailed you at HELO
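To see how much of this traffic the ACL is actually catching, and which sources keep coming back, the two log shapes above can be parsed and counted. The following script is an added example, not part of the original post; it embeds the two quoted log lines plus constructed ones using documentation-range IPs, and the threshold used by repeat_offenders is an assumed value.

```python
import re
from collections import Counter

# Both log shapes written by a HELO-stage "drop" carry the HELO name in
# parentheses and the client IP in square brackets; the trailing text tells
# us which of the two forms we are looking at.
LOG_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\d+\] '
    r'(?:SMTP connection from |H=)\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]:\d+ '
    r'.*?(?P<kind>closed by DROP in ACL|rejected EHLO or HELO)'
)

def parse_helo_rejects(lines):
    """Yield (timestamp, helo, ip, kind) for every HELO drop/reject line."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group('ts'), m.group('helo'), m.group('ip'), m.group('kind')

def count_by_helo_and_ip(lines):
    """Count rejected attempts per (HELO name, client IP)."""
    return Counter((helo, ip) for _, helo, ip, _ in parse_helo_rejects(lines))

def repeat_offenders(lines, threshold=3):
    """IPs whose rejected HELO attempts reach `threshold` (assumed value),
    sorted by count, as candidates for a firewall-level block."""
    per_ip = Counter(ip for _, _, ip, _ in parse_helo_rejects(lines))
    return sorted(((ip, n) for ip, n in per_ip.items() if n >= threshold),
                  key=lambda t: (-t[1], t[0]))

# Constructed sample: the two lines quoted in the post plus made-up ones using
# documentation-range IPs (203.0.113.0/24, 192.0.2.0/24); the last line is
# normal delivery traffic that must not be counted.
SAMPLE_LOG = """\
2014-05-23 12:23:24 [31068] SMTP connection from (ylmf-pc) [96.57.55.178]:52362 I=[xxx.xxx.xxx.xxx]:25 closed by DROP in ACL
2014-05-23 12:23:28 [31075] H=(ylmf-pc) [96.57.55.178]:26634 I=[xxx.xxx.xxx.xxx]:25 rejected EHLO or HELO ylmf-pc: I Nailed you at HELO
2014-05-23 12:24:01 [31090] H=(ylmf-pc) [203.0.113.7]:40110 I=[xxx.xxx.xxx.xxx]:25 rejected EHLO or HELO ylmf-pc: I Nailed you at HELO
2014-05-23 12:24:05 [31091] SMTP connection from (ylmf-pc) [203.0.113.7]:40111 I=[xxx.xxx.xxx.xxx]:25 closed by DROP in ACL
2014-05-23 12:24:09 [31092] H=(ylmf-pc) [203.0.113.7]:40112 I=[xxx.xxx.xxx.xxx]:25 rejected EHLO or HELO ylmf-pc: I Nailed you at HELO
2014-05-23 12:25:00 [31100] <= alice@example.net H=mail.example.net [192.0.2.10] P=esmtp S=1234
""".splitlines()

if __name__ == "__main__":
    for (helo, ip), n in count_by_helo_and_ip(SAMPLE_LOG).most_common():
        print(f"{n:4d}  HELO={helo}  from {ip}")
    print("repeat offenders:", repeat_offenders(SAMPLE_LOG))
```

Feed it the real file with `parse_helo_rejects(open('/var/log/exim_mainlog'))` to get the same counts for live traffic.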
Do you know what’s the origin of this ylmf-pc?
Just wanted to put a word in here to say thanks. I've been looking for a simple yet effective solution to this damn problem and you supplied it… thanks again….
Works like a charm! Thanks for this.
From what I have read, these connections originate in China, but often bounce through pirated machines in other countries.
I didn’t know it originated from China. Looks like it’s gonna stay and occupy most email servers for a while.
Thanks for your input.
The mystery is in the name. YLMF-PC = YLMF OS, also known as StartOS.
http://en.wikipedia.org/wiki/StartOS
Linux distro made to look like Windows XP.
Possibly backdoored from the get-go (who knows), but it's more likely there are just tons of poisoned ISOs floating around on the Chinese web. China has a lot of people and they own a lot of computers. It's likely your attackers are part of a large Chinese-based botnet group or compromised systems found via another method.
Wow.. Thanks for the information SilentKoala. Now it does make sense why most traffic comes from China.
Thanks, stopped the authentication brute force
It's a pity that it does not work anymore. Exim will give an error notice that the acl_smtp_helo statement is present twice in the config.
When removing one of the lines, another error occurs. So this might need some adjustments.
That's because acl_smtp_helo cannot be defined twice. You need to locate the entry, then add the above code to it.
For example, my config had it defined, but had no rules in it. So I just added the following lines between BEGIN and END:

  drop
    condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message     = Blocked ylmf-pc brute force attack
  accept
@richard it does work… you need to understand how to configure exim before you go importing random code fragments that you don't understand and then complaining when it doesn't do as you expected.
Put the acl_smtp_helo = line in the general settings towards the top of the config, prior to any defined section, and the acl_smtp_helo: line and onwards inside the ACL section.