Drop SMTP connection at HELO/EHLO matching machine name

I have you at EHLO

Recently there have been many rogue incoming SMTP connections from different IP addresses, all presenting the same machine name in the HELO/EHLO greeting: "ylmf-pc". My guess is that these machines are infected with malware that uses them to brute-force SMTP AUTH credentials on mail servers.

My server runs cPanel and therefore uses Exim as the SMTP server. The fix I chose was to drop the connection at HELO/EHLO, before any further processing (AUTH included) takes place.

The following was added to the Exim configuration. The option line belongs in the main configuration section (before the first "begin" line); the ACL itself belongs in the ACL section (after "begin acl"). If your exim.conf already sets acl_smtp_helo and defines that ACL, add only the drop rule inside the existing ACL: setting the option twice makes Exim refuse to start.

# vi /etc/exim.conf

# main configuration section (before the first "begin ..." line)
acl_smtp_helo = acl_smtp_helo

# ACL section (after "begin acl")
acl_smtp_helo:

#BEGIN ACL_SMTP_HELO_BLOCK
drop
   condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
   log_message = HELO/EHLO - ylmf-pc blocked
   message = I Nailed You at HELO
accept
#END ACL_SMTP_HELO_BLOCK

Note that eq compares case-sensitively; HELO names are case-insensitive, so use eqi instead if you also want YLMF-PC caught. On cPanel, /etc/exim.conf is regenerated from cPanel's templates and hand edits there are lost on update; the durable place for the change is WHM's Exim Configuration Manager (Advanced Editor), which writes /etc/exim.conf.local.

Restart Exim after saving the change:

# service exim restart

The acl_smtp_helo ACL runs for both HELO and EHLO, so any client that greets with the name ylmf-pc is rejected and, because the verb is drop rather than deny, the TCP connection is closed immediately instead of being left open for the client to keep trying. Since the match is on a string the client controls, this stops the botnet's traffic only until it changes its greeting; it is a cheap first filter in front of, not a replacement for, rate limiting of authentication failures (on cPanel, cPHulk). The logs (/var/log/exim_mainlog) show entries like the following:

2014-05-23 12:23:24 [31068] SMTP connection from (ylmf-pc) [96.57.55.178]:52362 I=[xxx.xxx.xxx.xxx]:25 closed by DROP in ACL
2014-05-23 12:23:28 [31075] H=(ylmf-pc) [96.57.55.178]:26634 I=[xxx.xxx.xxx.xxx]:25 rejected EHLO or HELO ylmf-pc: I Nailed you at HELO

Do you know what’s the origin of this ylmf-pc?

10 thoughts on “Drop SMTP connection at HELO/EHLO matching machine name”

  1. Just wanted to put a word in here to say thanks. I've been looking for a simple yet effective solution to this damn problem and you supplied it. Thanks again.
  2. From what I have read, these connections originate in China, but often bounce through pirated machines in other countries.
    • I didn’t know it originated from China. Looks like it’s gonna stay and occupy most email servers for a while.
      Thanks for your input.
  3. The mystery is in the name. YLMF-PC = YLMF OS, also known as StartOS.

    http://en.wikipedia.org/wiki/StartOS

    Linux distro made to look like Windows XP.

    Possibly backdoored from the get-go (who knows), but it's more likely there are just tons of poisoned ISOs floating around on the Chinese web. China has a lot of people and they own a lot of computers. It's likely your attackers are part of a large Chinese-based botnet group or compromised systems found via another method.
  4. It's a pity that it does not work anymore. Exim will give an error notice that the acl_smtp_helo statement is present twice in the config.
    When removing one of the lines, another error occurs. So this might need some adjustments.
    • That's because acl_smtp_helo cannot be defined twice. You need to locate the entry, then add the above code to it.

      For example, my config had it defined, but had no rules in it. So I just added the following lines between BEGIN and END

      drop
      condition = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
      log_message = HELO/EHLO – ylmf-pc blocked
      message = Blocked ylmf-pc brute force attack
      accept
  5. @richard it does work... you need to understand how to configure Exim before you go importing random code fragments that you don't understand and then complaining when it doesn't do as you expected.

    Put the acl_smtp_helo = line in the general settings towards the top of the config, prior to any defined section, and the acl_smtp_helo: line and onwards inside the ACL section.