We are observing a brute-force attack towards SMTP connections from different IP addresses with the same machine name: "ylmf-pc".

It could be many malware-infected machines (a botnet) or spoofed source addresses, although spoofing is unlikely here: every SMTP session first completes a TCP handshake, so the source addresses are real.

If you have CSF (ConfigServer Security & Firewall) configured properly, the IPs would be blocked at the firewall level after enough failures.

Another approach is to drop the SMTP connection at HELO, so that nothing after the greeting (AUTH, MAIL FROM and so on) is processed. If CSF had to block every source address, the list could grow very large, and every incoming packet would have to be checked against it, which costs server performance. The HELO check is a single string comparison per connection and does not add any rules to the firewall. Note that Exim has still accepted the TCP connection and started a process for it by the time the ACL runs, so this reduces the work per attempt rather than eliminating it.

Add the following to the Exim configuration file. The acl_smtp_helo option belongs in the main section; the ACL itself belongs in the ACL section, which starts with the line "begin acl", and must be introduced by its name followed by a colon. If the file is generated by a control panel, put the change where the panel expects custom ACLs, or it will be overwritten.

# vi /etc/exim.conf

# main section: run this ACL for every HELO/EHLO command
acl_smtp_helo = acl_check_helo

# ACL section (after "begin acl")
#BEGIN ACL_SMTP_HELO_BLOCK
acl_check_helo:
  # "eq" is case-sensitive; use "eqi" instead to also catch YLMF-PC, Ylmf-pc, etc.
  drop
    condition   = ${if eq {$sender_helo_name}{ylmf-pc} {yes}{no}}
    log_message = HELO/EHLO - ylmf-pc blocked
    message     = I Nailed You at HELO
  # every other HELO name continues to normal processing
  accept
#END ACL_SMTP_HELO_BLOCK

Check the configuration syntax with exim -bV, then restart Exim once this is done.

# service exim restart

This makes sure that connections from these ylmf-pc clients are dropped before any further processing: the drop verb sends a 550 response carrying the message text and then closes the connection, so the client never reaches AUTH or MAIL FROM. The log_message text appears in the Exim main and reject logs, which is useful for seeing how many addresses are involved.

Update: If you want to block connections from other HELO names too, replace the drop statement inside the HELO ACL with a lookup against a list file:

  drop
    condition   = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
    log_message = HELO/EHLO - HELO on heloblocks Blocklist
    message     = HELO on heloblocks Blocklist
  accept

Once the above config is in place, create the file /etc/heloblocks and put one HELO name per line. The lsearch lookup matches a line whose key (the text up to a colon, white space or end of line) equals the whole name the client sent; blank lines and lines beginning with # are ignored. Make sure the file is readable by the Exim user.

Don't forget to restart Exim once this is done.
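To judge whether the ACL is the right tool (how many distinct source addresses are behind one HELO name, and which other names are worth adding to /etc/heloblocks), it helps to summarise the rejections the log_message above produces. The following script is an added example, not part of the original post; it parses Exim main/reject log lines of the form "H=(helo) [ip] rejected EHLO or HELO helo: ...", counts hits and distinct IPs per HELO name, and lists names seen from at least N addresses as blocklist candidates. The sample log lines are constructed, and the log path you pass in (e.g. /var/log/exim_mainlog or /var/log/exim4/rejectlog) depends on your distribution.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines shaped like Exim main/reject log entries written
# when the HELO ACL drops a connection. They are not from a real server.
SAMPLE_LOG = """\
2013-05-12 03:14:07 H=(ylmf-pc) [198.51.100.23] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2013-05-12 03:14:09 H=(ylmf-pc) [203.0.113.77] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2013-05-12 03:14:12 H=(ylmf-pc) [198.51.100.23] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
2013-05-12 03:15:01 H=(mail.example.net) [192.0.2.10] rejected EHLO or HELO mail.example.net: HELO on heloblocks Blocklist
2013-05-12 03:15:30 1UbXyZ-0001Ab-Cd <= alice@example.org H=(laptop) [192.0.2.55] P=esmtpa S=1234
2013-05-12 03:16:02 H=(ylmf-pc) [203.0.113.78] rejected EHLO or HELO ylmf-pc: HELO/EHLO - ylmf-pc blocked
"""

# H=(helo) [ip] ... rejected EHLO or HELO <name>; the HELO name is taken from
# the H=(...) field, which is what Exim logged before any reverse DNS name.
HELO_REJECT = re.compile(
    r"H=\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] rejected (?:EHLO or HELO|HELO or EHLO) \S+"
)


def parse_helo_rejects(lines):
    """Yield (helo_name, client_ip) for every HELO/EHLO rejection line.

    Lines that are not HELO rejections (deliveries, AUTH failures, ...) are skipped.
    """
    for line in lines:
        m = HELO_REJECT.search(line)
        if m:
            yield m.group("helo"), m.group("ip")


def summarize(lines):
    """Return {helo: {"hits": n, "distinct_ips": k, "ips": [...]}} for rejected HELO names."""
    hits = Counter()
    ips = defaultdict(set)
    for helo, ip in parse_helo_rejects(lines):
        hits[helo] += 1
        ips[helo].add(ip)
    return {
        helo: {"hits": hits[helo], "distinct_ips": len(ips[helo]), "ips": sorted(ips[helo])}
        for helo in hits
    }


def candidates(summary, min_ips=2):
    """HELO names seen from at least min_ips distinct addresses, busiest first.

    A name used by many unrelated addresses is a botnet signature rather than one
    misconfigured host, and is therefore a reasonable entry for /etc/heloblocks.
    """
    picked = [h for h, info in summary.items() if info["distinct_ips"] >= min_ips]
    return sorted(picked, key=lambda h: (-summary[h]["hits"], h))


def report(summary):
    """Plain-text table of the summary, busiest HELO name first."""
    rows = sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    return "\n".join(
        f"{helo:<24} hits={info['hits']:<6} distinct_ips={info['distinct_ips']}"
        for helo, info in rows
    )


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real log file path supplied on the command line.
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            summary = summarize(fh)
    else:
        summary = summarize(SAMPLE_LOG.splitlines())
    print(report(summary))
    print("candidates for /etc/heloblocks:", candidates(summary, min_ips=2))
```

Run it against the live log after the ACL has been in place for a while; if one HELO name shows hundreds of distinct addresses, that is the size the CSF deny list would have reached, and the HELO drop is doing the job the firewall would otherwise have to do.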
