Re: Brute force attack: ylmf-pc
Question asked by Hemen Shah - April 3, 2015 at 6:32 AM
I have been getting regular brute force attack which has cmd: EHLO ylmf-pc from different IPs, though abuse detection rule is doing the job by adding the IP to block but is there other way to prevent this based on EHLO name ?
had googled "ylmf-pc" and it seems its known over the year for bruteforce attack, any once faced this or better solution to prevent such.

4 Replies

Reply to Thread
yes if you look in 
SmarterMail Antispam Settings Document Updated
 it list several of those type to block.   We block that specific one 
Von-Austin See Replied
Employee Post
The only way I could see to block this attack based on the common EHLO response is for us to add a new feature such as an EHLO filter that would terminate and block the IP if certain conditions were met during the SMTP session.
I'll write this up and get it over to the developers as a feature request to be considered for a future release. 
In the mean time, the only other option is to allow the abuse detection rule to block a single IP address at a time. You can also investigate the IP's that have already been blocked and see if they are all belonging to an assigned block of IP addresses on the same network, if it is, you can block the entire range. Typically with wide-spread attacks such as these, they can apply to an entire /24 range of IP's. 
EDIT: It looks like this has changed in a SmarterMail update previosuly. You can block based on the EHLO domain.
This can be configured under Security -> Advanced Settings -> SMTP Blocking. You can create a new rule and set the Block Type to EHLO Domain and Blocked Address to ylmf-pc This should then take care of the issue.
Von See
Technical Support Supervisor
SmarterTools Inc.
(877) 357-6278
Hi Von,
Thanks for the quick response,
When i check the IP, all are of different block pointing to different countries due to which it becomes difficult to add each and every IP, have read the SMTP logs and attempt is non stop from different ips with same EHLO.
will be waiting for this feature as this is needed.
I got the same and added the EHLO name to block, but when i see the SMTP logs today i am still getting the attack and rule message "The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected." i hope it is the way it was suppose to work, is it possible to completely ban from connecting itself.

Reply to Thread