SMTP Blocking EHLO Domain
Idea shared by Scarab - November 20, 2014 at 1:54 PM
Under Consideration
I know that Smartermail's SMTP Blocking allows wildcards in the EHLO Domain, but does it allow for Regular Expressions?
 
We recently noticed that the EHLO of the majority of spambot networks currently hitting our servers follows the same name format:
 
abc123.domain.tld
 
(basically three random lower case letters that are common to all servers in that specific botnet, three numbers for the last octet of the server's IP address, followed by the registered domain with a tld that is either .link, .mobi, .me, .pw, or .eu)
 
Using Regular Expressions I could easily block all of these by adding an SMTP Block of:
 
^[a-z]{3}[0-9]{3}\.[0-9a-z_-]+\.(?:link|mobi|me|pw|eu)$
 
I suppose I could SMTP Block the EHLO of "*.*.link" and another with "*.*.me" and so on but these wildcards wouldn't be as precise and would block a lot of legitimate Mail Servers.
 
Does anyone know if SMTP Block EHLO can use Regular Expressions? The documentation doesn't say.
 

4 Replies

Robert Emmett Replied
November 21, 2014 at 9:42 AM
Employee Post
Currently, SmarterMail only supports wildcards in the EHLO Domain, not regular expressions. However, I will change this from a Question thread to an Idea thread and add it to our feature request list for further consideration in a future release.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Scarab Replied
February 26, 2015 at 12:07 PM
In the meanwhile, there are still numerous spambot networks that can be blocked safely using wildcards in SMTP Block with EHLO. Some of the more sophisticated spambot networks use randomizers for their sub-domains, but many just identify themselves with the same sub-domain for all of their domains spread across multiple providers (they will rotate through a half-dozen providers when they develop a poor reputation and start getting listed on RBLs, and wait until those blocks are dropped and their reputation returns to good before reusing that provider a month to 9 months later, to prevent being perma-blocked by IP address).
 
We are blocking the following EHLOs using wildcards and found a significant drop in the volume of junk e-mail:
 
fst*.*.click
range.*.com
blink*.*.org
complex*.*.org
hgb*.*.rocks
sdf.*.rocks
wen.*.rocks
wer.*.rocks
dre.*.us
enc.*.us
ert.*.us
host.*.us
mars.*.us
post.*.us
tcd.*.us
hype*.*.work
ns*.ztomy.com (I have never seen anything legitimate from ztomy.com, but this one may cause false positives. Use this one with discretion.)
 
After implementing you should see a significant bump in your SMTP Blocked Connections.
 
Still, there are many more that could be blocked if we could use REGEX in SMTP Blocking of EHLO domains.
Curtis Kropar www.HawaiianHope.org Replied
December 23, 2016 at 9:12 AM
Scarab,
I have a question. In the EHLO, if I put in *.click, I would assume that "click" would be on the far right of the matching domain. But would these also match it?
 
EHLO mta3-21.email.clickdimensions.com
EHLO mail.clickdeets.com
EHLO srv01.clicknetguarai.com.br
EHLO louis.clickoffrr.us
 
In looking at the SmarterMail SMTP logs, just doing a search for .click brings those up too. Or does it treat the SMTP block only as matching the far right?
www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. To date we have given away over 1,000 free computers.
Curtis Kropar www.HawaiianHope.org Replied
March 1 at 10:11 AM
Robert,
Sort of a question about regular expressions and EHLO Domain.
 
I have noticed in our logs a LOT of EHLO Domains that are NOT domains. In fact, many of them that are attempting to hack in do not contain any periods and are single words, like:
"EHLO USER"
"EHLO WebServer"
"EHLO localhost"
"EHLO kljasghdfkjhsgdf" (random gibberish) - (CEOUDQPM) (OKCRITTM) (DPSUIIYBG) (JVYGYGQ)
 
It would be awesome to be able to block something that does NOT contain a period, or contains multiple periods, like an IP address.
 
 
 
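The following is an added example, not code from the thread or from SmarterMail, that runs the kinds of EHLO block rules discussed in this thread (the first post's botnet regex versus a broad wildcard, the "*.click" anchoring question, and the non-FQDN / IP-literal EHLOs raised in the last post) over a constructed list of EHLO names. It assumes glob-style wildcards anchored to the whole EHLO string, as Python's fnmatch evaluates them; the page does not state how SmarterMail itself evaluates its wildcards, so treat that semantics as an assumption. All sample EHLO names and the wildcard list are constructed for the example.

```python
"""Apply wildcard and regex EHLO-domain block rules to sample EHLO names.

Added example; not part of the forum thread and not SmarterMail code.
Wildcard semantics here are fnmatch-style and anchored to the whole string,
which is an ASSUMPTION about how such a filter would behave.
"""
import fnmatch
import ipaddress
import re

# Anchored form of the regex proposed in the first post: three lower-case
# letters, three digits, one registered label, then one of the listed TLDs.
BOTNET_RE = re.compile(r"^[a-z]{3}[0-9]{3}\.[0-9a-z_-]+\.(?:link|mobi|me|pw|eu)$")

# Constructed wildcard block list (example only). "*.*.link" is the overly
# broad rule the first post warns would catch legitimate servers.
WILDCARD_BLOCKS = ["fst*.*.click", "ns*.ztomy.com", "*.*.link"]

# Constructed sample EHLO names shaped like the ones described in the thread.
SAMPLE_EHLOS = [
    "abc123.spamdomain.link",               # botnet shape from the first post
    "xyz045.other-host.eu",                 # same shape, different TLD
    "abc123.spamdomain.link.example.com",   # only an unanchored regex hits this
    "mail.legit-sender.link",               # legit-looking host on a .link TLD
    "mail.example.com",                     # ordinary FQDN, should pass
    "fst7.mailer.click",                    # matches fst*.*.click
    "mta3-21.email.clickdimensions.com",    # contains ".click" but not at the end
    "louis.clickoffrr.us",
    "ns1.ztomy.com",
    "USER",                                 # single word, no period
    "kljasghdfkjhsgdf",                     # random gibberish
    "[192.0.2.10]",                         # RFC 5321 address literal
    "192.0.2.10",                           # bare IP, not a domain either
]


def wildcard_match(pattern, ehlo):
    """Whole-string, case-insensitive glob match ('*' spans dots as well)."""
    return fnmatch.fnmatchcase(ehlo.lower(), pattern.lower())


def non_fqdn_reason(ehlo):
    """Return 'ip-literal', 'no-dot', or None for a plausible FQDN."""
    candidate = ehlo.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]
    if candidate.lower().startswith("ipv6:"):
        candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
        return "ip-literal"
    except ValueError:
        pass
    if "." not in ehlo:
        return "no-dot"
    return None


def evaluate(ehlos, wildcard_patterns):
    """Map each EHLO name to the list of rule labels that would block it."""
    results = {}
    for ehlo in ehlos:
        reasons = []
        hits = [p for p in wildcard_patterns if wildcard_match(p, ehlo)]
        if hits:
            reasons.append("wildcard:" + ",".join(hits))
        if BOTNET_RE.match(ehlo.lower()):
            reasons.append("regex:botnet")
        reason = non_fqdn_reason(ehlo)
        if reason:
            reasons.append(reason)
        results[ehlo] = reasons
    return results


if __name__ == "__main__":
    for name, reasons in evaluate(SAMPLE_EHLOS, WILDCARD_BLOCKS).items():
        verdict = "BLOCK " + "; ".join(reasons) if reasons else "allow"
        print(f"{name:40} {verdict}")
```

Two things the output makes concrete: the anchored regex catches "abc123.spamdomain.link" but not "mail.legit-sender.link", while the wildcard "*.*.link" catches both, which is the precision gap the first post describes; and "*.click" style rules, under anchored glob semantics, do not touch "clickdimensions.com" or "clickoffrr.us" because the TLD must be the final label. One caveat on the last post's idea: RFC 5321 permits a client to send an address literal such as "[192.0.2.10]" when it has no FQDN, so blocking every non-FQDN EHLO will also drop some misconfigured but legitimate senders.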
