Block SMTP connections based on who they say they are
Idea shared by Paul White - March 19, 2016 at 1:33 PM
I know I can set up filtering, but this does nothing to stop the flow of spam through the mail server even though it does keep it out of the inbox.  I am looking for something more aggressive.  Is there any way to set up SmarterMail to detect on the HELO the user's sending top-level domain, and then block based on it?  Maybe even implementing a 24 hour block by the IP, or IP block for any IP that sends email on their behalf.  I have already set up something like this outside of SmarterMail with a cron job that reads the SMTP logs, and firewalls IPs automatically, but I was hoping to do something similar within SmarterMail without having to use my firewall.

4 Replies

You can use SECURITY > ADVANCED SETTINGS > SMTP BLOCKING to block based upon EHLO DOMAIN. Although you can block based upon a specific EHLO Domain it does also allow for Wildcards in the EHLO Domain. We do this all the time for some Spambot Networks that use predictable names for their EHLO (i.e., prs.*.link, res.*.us, wer*.*.work, iax*.*.ninja, etc). Although there may be hundreds or thousands of different ELHOs for one of these wildcard domains, they all get stopped by SmarterMail.
Unfortunately, there is no way inherent in SmarterMail to parse out EHLO for Spammers. You just have to grep the SMTP Logs for EHLO addresses. I noticed that if I kept track of incoming connections for 90-day spans the repeat offenders and the patterns in their EHLO Domains were pretty obvious, enabling me to bulk block their entire botnets.
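An added example of the log-grepping approach the reply describes (not SmarterMail's own code): it parses constructed SMTP log lines, whose "<date> <time> [<ip>] EHLO <name>" layout is an assumption rather than SmarterMail's real log format, matches each EHLO name against wildcard patterns of the kind listed above, and tallies hits per sending IP so repeat offenders stand out for a block list.

```python
import fnmatch
import re
from collections import Counter, defaultdict

# Wildcard EHLO patterns in the style the reply describes; "*" is matched
# shell-style and case-insensitively, as a botnet varies the case too.
BLOCK_PATTERNS = ["YLMF-PC", "prs.*.link", "res.*.us", "wer*.*.work", "iax*.*.ninja"]

# Constructed sample log lines; the "<date> <time> [<ip>] EHLO <name>" layout
# is an assumption for this example, not SmarterMail's actual log format.
SAMPLE_LOG = """\
2016-03-19 10:01:02 [203.0.113.5] EHLO prs.a1b2.link
2016-03-19 10:01:09 [203.0.113.5] EHLO prs.c3d4.link
2016-03-19 10:02:15 [198.51.100.7] EHLO YLMF-PC
2016-03-19 10:03:30 [192.0.2.44] EHLO mail.example.org
2016-03-19 10:04:01 [198.51.100.7] EHLO ylmf-pc
2016-03-19 10:05:12 [203.0.113.9] EHLO iax77.zz.ninja
"""

LINE_RE = re.compile(r"^\S+ \S+ \[(?P<ip>[^\]]+)\] EHLO (?P<ehlo>\S+)$")

def parse_ehlo_lines(log_text):
    """Yield (ip, ehlo) pairs from lines that record an EHLO greeting."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ehlo")

def matching_pattern(ehlo, patterns=BLOCK_PATTERNS):
    """Return the first wildcard pattern the EHLO name matches, else None."""
    name = ehlo.lower()
    for pat in patterns:
        if fnmatch.fnmatchcase(name, pat.lower()):
            return pat
    return None

def offending_ips(log_text, patterns=BLOCK_PATTERNS):
    """Map each sending IP to a Counter of the block patterns its EHLOs hit."""
    hits = defaultdict(Counter)
    for ip, ehlo in parse_ehlo_lines(log_text):
        pat = matching_pattern(ehlo, patterns)
        if pat:
            hits[ip][pat] += 1
    return dict(hits)

if __name__ == "__main__":
    # IPs listed here are candidates for a temporary firewall block.
    for ip, counts in sorted(offending_ips(SAMPLE_LOG).items()):
        print(ip, dict(counts))
```

Run over a real log export, the per-IP counts are what a cron job would feed into a 24 hour firewall block, and the per-pattern counts show which wildcard entries in SMTP Blocking are still earning their keep.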
Thanks for your reply. I will give that a try.
If you simply block EHLO YLMF-PC you'll block a lot of spam. I've never seen a single valid message from YLMF-PC and we block thousands of them daily.

That is probably the highest volume offender for us too.

We also get a lot of mileage out of blocking the following EHLOs (in addition to YLMF-PC):

