10
SMTP Blocking EHLO Domain
Idea shared by Scarab - 11/20/2014 at 1:54 PM
Completed
I know that Smartermail's SMTP Blocking allows wildcards in the EHLO Domain, but does it allow for Regular Expressions?
 
We recently noticed that the EHLO of the majority of spambot networks currently hitting our servers follows the same name format:
 
abc123.domain.tld
 
(basically three random lower case letters that are common to all servers in that specific botnet, three numbers for the last octet of the server's IP address, followed by the registered domain with a tld that is either .link, .mobi, .me, .pw, or .eu)
 
Using Regular Expressions I could easily block all of these by adding a STMP Block of:
 
(^[a-z]{3})+([0-9]{3})+(\.[0-9a-z_-]+\.(?:link|mobi|me|pw|eu))
 
I suppose I could SMTP Block the EHLO of "*.*.link" and another with "*.*.me" and so on but these wildcards wouldn't be as precise and would block a lot of legitimate Mail Servers.
 
Does anyone know if SMTP Block EHLO can use Regular Expressions? The documentation doesn't say.
 

7 Replies

Reply to Thread
3
Employee Replied
Employee Post
Currently, SmarterMail only supports the wildcards in the EHLO Domain--no regular expressions.  However, I will change this from a Question thread to an Idea thread and add it to our feature request list for further consideration in a future release.
0
Thank you very much for the response Robert, and thanks for considering it as an idea!
1
In the meanwhile, there are still numerous spambot networks that can be blocked safely with using wildcards in SMTP Block with EHLO. Some of the more sophisticated spambot networks use randomizers for their sub-domains, but many just identify themselves with the same sub-domain for all of their domains spread across multiple providers (they will rotate through a half-dozen providers when they develop a poor reputation and start getting listed on RBLs and wait until those blocks are dropped and their reputation returns to good before reusing that provider a month to 9 months later to prevent from being perma-blocked by IP Address).
 
We are blocking the following EHLOs using wildcards and found a significant drop in the volume of junk e-mail:
 
fst*.*.click
range.*.com
blink*.*.org
complex*.*.org
hgb*.*.rocks
sdf.*.rocks
wen.*.rocks
wer.*.rocks
dre.*.us
enc.*.us
ert.*.us
host.*.us
mars.*.us
post.*.us
tcd.*.us
hype*.*.work
ns*.ztomy.com (I have never seen anything legitimate from ztomy.com, but this one may cause false positives. Use this one with discretion.)
 
After implementing you should see a significant bump in your SMTP Blocked Connections.
 
Still, there are many more that could be blocked if we could use REGEX in SMTP Blocking of EHLO domains.
1
Scarab,
I have a question. In the EHLO, if i put in *.click  - I would assume that "click" would be on the far right of the matching domain.  But would these also match it ?
 
EHLO mta3-21.email.clickdimensions.com
EHLO mail.clickdeets.com
EHLO srv01.clicknetguarai.com.br
EHLO louis.clickoffrr.us
 
In looking at the smarter mail SMTP logs, just doing a search for .click brings those up too, or does it treat the SMTP only as the far right ?
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
1
Robert,
Sort of a question about regular Expressions and EHLO Domain
 
I have noticed in our logs a LOT of EHLO Domain that are NOT domains.  In fact many of them that are attempting to hack in do not contain and periods and are single words.  like
"EHLO USER"
"EHLO WebServer"
"EHLO localhost"
"EHLO kljasghdfkjhsgdf" (random gibberish) - (CEOUDQPM) (OKCRITTM) (DPSUIIYBG) (JVYGYGQ)
 
It would be awesome to be able to block something that does NOT contain a period. or contains multiple periods, like an IP address.
 
 
 
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
For Wildcards, does it support both * and ?
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
0
Andrea Free Replied
Employee Post
In Build 7008, released Mar 10, 2019, we've added the ability to use regular expression in SMTP Blocking. Please refer to the release note "Changed: Removed the validation from EHLO/Domain/Email address field in SMTP Blocking."

In addition, @Curtis Kropar, SMTP Blocking does indeed support both * and ? wildcards:

  • The * wildcard allows you to enter a wildcard for anything to the right of the character, whether it by zero or more wild characters. Here's two examples: If your wildcard was “1*3”, it would encompass "1abc3", "123", "1abcdefg3", etc. If your wildcard was "1*", it would encompass: "1", "12", "123", "1234", etc.
  • The ? wildcard looks specifically for 1 wild character. As an example, if you entered "1?", it would encompass "12", "13", "1B", etc. It would not encompass "1". If you entered “1?3", it would encompass "123", "1a3", "193", etc.
Andrea Free SmarterTools Inc. 877-357-6278 www.smartertools.com

Reply to Thread