Re: Brute force attack: ylmf-pc
Question asked by Hemen Shah - 4/3/2015 at 6:32 AM
Answered
Hi,
 
I have been getting regular brute force attacks which have cmd: EHLO ylmf-pc from different IPs. Though the abuse detection rule is doing the job by adding the IP to block, is there another way to prevent this based on the EHLO name?

I had googled "ylmf-pc" and it seems it's been known over the years for brute force attacks. Has anyone faced this, or is there a better solution to prevent it?
 
Thanks.

11 Replies

0
Merle Wait Replied
Yes, if you look in "SmarterMail Antispam Settings Document Updated" it lists several of those types to block. We block that specific one.
1
Employee Replied
Employee Post Marked As Answer
Greetings,
 
The only way I could see to block this attack based on the common EHLO response is for us to add a new feature such as an EHLO filter that would terminate and block the IP if certain conditions were met during the SMTP session.
 
I'll write this up and get it over to the developers as a feature request to be considered for a future release. 
 
In the meantime, the only other option is to allow the abuse detection rule to block a single IP address at a time. You can also investigate the IPs that have already been blocked and see if they all belong to an assigned block of IP addresses on the same network; if they do, you can block the entire range. Typically, wide-spread attacks such as these can apply to an entire /24 range of IPs.
 
EDIT: It looks like this has changed in a previous SmarterMail update. You can block based on the EHLO domain.
 
This can be configured under Security -> Advanced Settings -> SMTP Blocking. You can create a new rule and set the Block Type to EHLO Domain and Blocked Address to ylmf-pc. This should then take care of the issue.
0
Hemen Shah Replied
Hi, I have already done that and it is working, but I wanted to know if there is any other way based on the EHLO name.
0
Hemen Shah Replied
Hi Von,
 
Thanks for the quick response,
 
When I check the IPs, they are all from different blocks pointing to different countries, which makes it difficult to add each and every IP. I have read the SMTP logs and the attempts are non-stop from different IPs with the same EHLO.

I will be waiting for this feature as it is needed.
 
Thanks
0
Employee Replied
Employee Post
Hemen, I edited my reply; it looks like this feature was put in place with a previous upgrade. As long as you're on SmarterMail 13, you should have access to this. You can block based on the EHLO domain. This can be configured under Security -> Advanced Settings -> SMTP Blocking. You can create a new rule and set the Block Type to EHLO Domain and Blocked Address to ylmf-pc. This should then take care of the issue.
0
Hemen Shah Replied
Von, I got the same and added the EHLO name to block, but when I look at the SMTP logs today I am still getting the attack and the rule message "The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected." I hope this is the way it was supposed to work; is it possible to completely ban it from connecting at all? Thanks.
1
Hemen Shah Replied
Von,
 
I got the same and added the EHLO name to block, but when I look at the SMTP logs today I am still getting the attack and the rule message "The domain given in the EHLO command violates an EHLO SMTP blocking rule. Any authentication attempts or RCPT commands will be rejected." I hope this is the way it was supposed to work; is it possible to completely ban it from connecting at all?
 
Thanks.
0
W. T. Leaver Replied
Looks like SmarterMail is dropping the connection after receiving the EHLO. This is the only way it can work--SmarterMail doesn't know what the EHLO is until the sending mail server sends it, so there will still be a connection, albeit a very short one.
0
Steve Reid Replied
Seems you should take some time to familiarize yourself some more with the software, especially before replying.
0
Employee Replied
Employee Post
Hemen, this is how it's supposed to function. The connections will still be accepted; however, any RCPT commands they issue will return a 550 user does not exist. Since this was made for e-mail harvesting prevention, the rule was designed to 'trick' the spammer into thinking the user is invalid, potentially removing it from the spammer's list of valid addresses and preventing any harvesting from occurring.
0
Robert Mathias Replied
SM actually issues a 535 response (authentication failure), not a 550 (user does not exist).

Source: our SMTP logs (SmarterMail v13.3.5535), where ylmf-pc fails to authenticate with a username.

We get over 800 authentication failures every day from ylmf-pc. If we try to block their IPs they just start up on new ones from servers situated anywhere; today the selection being Australia, Belarus, Canada, France, Italy, Malaysia, Sweden and the US!
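The thread's two defensive suggestions, counting 535 authentication failures per EHLO name and checking whether the source IPs cluster in a /24 worth blocking as a range, as an added example (not code from SmarterMail or from any poster). The log lines and their layout are constructed for the example and do not reproduce SmarterMail's exact log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample SMTP log (hypothetical layout: [ip][session-id] cmd:/rsp: text).
SAMPLE_LOG = """\
[2015.04.03] 06:31:02 [203.0.113.10][1] cmd: EHLO ylmf-pc
[2015.04.03] 06:31:02 [203.0.113.10][1] cmd: AUTH LOGIN
[2015.04.03] 06:31:03 [203.0.113.10][1] rsp: 535 Authentication failed
[2015.04.03] 06:31:05 [203.0.113.77][2] cmd: EHLO ylmf-pc
[2015.04.03] 06:31:06 [203.0.113.77][2] rsp: 535 Authentication failed
[2015.04.03] 06:32:10 [198.51.100.5][3] cmd: EHLO ylmf-pc
[2015.04.03] 06:32:11 [198.51.100.5][3] rsp: 535 Authentication failed
[2015.04.03] 06:33:00 [192.0.2.9][4] cmd: EHLO mail.example.org
[2015.04.03] 06:33:01 [192.0.2.9][4] rsp: 250 OK
"""

LINE_RE = re.compile(r"\[(?P<ip>[\d.]+)\]\[(?P<sid>\d+)\] (?P<kind>cmd|rsp): (?P<text>.*)")


def analyze(log_text, suspect_ehlo="ylmf-pc"):
    """Count 535 auth failures in sessions that announced the suspect EHLO name.

    Returns (failures_per_ip, failures_per_24): the first keyed by source IP,
    the second aggregated by /24 so a clustered range stands out.
    """
    ehlo_by_session = {}          # (ip, session-id) -> lower-cased EHLO argument
    failures_per_ip = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["ip"], m["sid"])
        if m["kind"] == "cmd" and m["text"].upper().startswith("EHLO "):
            ehlo_by_session[key] = m["text"].split(None, 1)[1].strip().lower()
        elif m["kind"] == "rsp" and m["text"].startswith("535"):
            # Only attribute the failure if this session's EHLO was the suspect one.
            if ehlo_by_session.get(key) == suspect_ehlo.lower():
                failures_per_ip[m["ip"]] += 1
    failures_per_24 = Counter()
    for ip, n in failures_per_ip.items():
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        failures_per_24[str(net)] += n
    return failures_per_ip, failures_per_24


if __name__ == "__main__":
    per_ip, per_24 = analyze(SAMPLE_LOG)
    print("per IP:", dict(per_ip))
    print("per /24:", dict(per_24))
```

Sessions that sent a different EHLO (mail.example.org above) are ignored even if they later fail, so the counts reflect only the EHLO name under discussion.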
