Block SMTP connections based on who they say they are
Idea shared by Paul White - March 19, 2016 at 1:33 PM
Proposed
I know I can set up filtering, but this does nothing to stop the flow of spam through the mail server even though it does keep it out of the inbox.  I am looking for something more aggressive.  Is there any way to set up SmarterMail to detect on the HELO the user's sending top-level domain, and then block based on it?  Maybe even implementing a 24-hour block by the IP, or IP block for any IP that sends email on their behalf.  I have already set up something like this outside of SmarterMail with a cron job that reads the SMTP logs and firewalls IPs automatically, but I was hoping to do something similar within SmarterMail without having to use my firewall.
WhiteSites.com
Blog.whitesites.com

4 Replies

0
Paul,
 
You can use SECURITY > ADVANCED SETTINGS > SMTP BLOCKING to block based upon EHLO DOMAIN. Although you can block based upon a specific EHLO Domain, it does also allow for Wildcards in the EHLO Domain. We do this all the time for some Spambot Networks that use predictable names for their EHLO (i.e., prs.*.link, res.*.us, wer*.*.work, iax*.*.ninja, etc.). Although there may be hundreds or thousands of different EHLOs for one of these wildcard domains, they all get stopped by SmarterMail.
 
Unfortunately, there is no way inherent in SmarterMail to parse out EHLO for Spammers. You just have to grep the SMTP Logs for EHLO addresses. I noticed that if I kept track of incoming connections for 90-day spans, the repeat offenders and the patterns in their EHLO Domains were pretty obvious, enabling me to bulk block their entire botnets.
0
Thanks for your reply. I will give that a try.
WhiteSites.com
Blog.whitesites.com
0
If you simply block EHLO YLMF-PC you'll block a lot of spam. I've never seen a single valid message from YLMF-PC and we block thousands of them daily.
0
Joe,

That is probably the highest volume offender for us too.

We also get a lot of mileage out of blocking the following EHLOs (in addition to YLMF-PC):

*.yinksoft.com
mycomputer
marinsek
servidornew
localhost
ADMIN-PC
wan-ip
device.lan
MSI64
example.com
null.host.com
SH3LLS-56959
no-rdns.clues.ro
unknown.carohosting.net
unused.midphase.com
unassigned.psychz.net
dynamic.vdc.vn
viettel.vn
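The two ideas in this thread, wildcard matching of EHLO names (the first reply and the list above) and grepping the SMTP log for offending IPs to block for 24 hours (the original post's cron job), as one added Python example. This is not SmarterMail's code and not anything posted by the participants: the log line shape, the sample log, the `SAMPLE_NOW` timestamp and the IP addresses are all constructed assumptions, and the blocklist reuses EHLO names and wildcard patterns quoted in the thread. The wildcards follow `fnmatch` semantics, where `*` also spans dots, so `prs.*.link` matches `prs.a.b.link` as well as `prs.a.link`.

```python
"""Added example: match EHLO names against a wildcard blocklist and turn SMTP
log lines into 24-hour IP blocks. Log format is an ASSUMED simplification, not
SmarterMail's actual format; sample data is constructed."""
import fnmatch
import re
from collections import Counter
from datetime import datetime, timedelta

# EHLO names and wildcard patterns quoted in the thread.
EHLO_BLOCKLIST = [
    "YLMF-PC",
    "*.yinksoft.com",
    "localhost",
    "ADMIN-PC",
    "prs.*.link",
    "res.*.us",
    "wer*.*.work",
    "iax*.*.ninja",
    "no-rdns.clues.ro",
]

# Assumed log line shape: "<date> <time> [<ip>][<session>] cmd: EHLO <name>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\]\[\d+\] cmd: (?:EHLO|HELO) (?P<ehlo>\S+)"
)

# Constructed sample log (documentation IP ranges); one entry is a day old.
SAMPLE_LOG = """\
2016-03-19 09:00:01 [203.0.113.10][1001] cmd: EHLO ylmf-pc
2016-03-19 09:00:02 [203.0.113.10][1001] cmd: MAIL FROM:<a@example.net>
2016-03-19 10:15:30 [198.51.100.7][1002] cmd: EHLO prs.k8d2.link
2016-03-19 11:45:12 [198.51.100.9][1003] cmd: EHLO mail.example.org
2016-03-18 08:00:00 [192.0.2.55][1004] cmd: EHLO iax7.qq.ninja
2016-03-19 12:30:00 [198.51.100.9][1005] cmd: EHLO mail.example.org
2016-03-19 12:31:00 [203.0.113.44][1006] cmd: HELO SH3LLS-56959
""".splitlines()
SAMPLE_NOW = datetime(2016, 3, 19, 13, 33)  # assumed "current time" for the run


def ehlo_blocked(ehlo, blocklist=EHLO_BLOCKLIST):
    """True if the EHLO name matches any blocklist entry. Comparison is
    case-insensitive (EHLO names are case-insensitive on the wire) and '*'
    may span dots, so 'prs.*.link' also hits 'prs.a.b.link'."""
    name = ehlo.lower()
    return any(fnmatch.fnmatchcase(name, pat.lower()) for pat in blocklist)


def parse_ehlo_events(lines):
    """Yield (timestamp, ip, ehlo) for every EHLO/HELO command in the log;
    other commands and unparseable lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["ip"], m["ehlo"]


def plan_blocks(lines, now, blocklist=EHLO_BLOCKLIST, block_for=timedelta(hours=24)):
    """Return {ip: expiry} for every IP that sent a blocklisted EHLO, expiring
    block_for after its most recent offence. Offences whose block would already
    have expired are ignored, so a quiet IP is not re-blocked on each run."""
    expiry = {}
    for ts, ip, ehlo in parse_ehlo_events(lines):
        if not ehlo_blocked(ehlo, blocklist):
            continue
        until = ts + block_for
        if until > now and until > expiry.get(ip, datetime.min):
            expiry[ip] = until
    return expiry


def unmatched_ehlo_counts(lines, blocklist=EHLO_BLOCKLIST):
    """Counter of EHLO names that did NOT match the blocklist, so repeat
    offenders and new naming patterns stand out for manual review."""
    return Counter(ehlo for _, _, ehlo in parse_ehlo_events(lines)
                   if not ehlo_blocked(ehlo, blocklist))


if __name__ == "__main__":
    for ip, until in sorted(plan_blocks(SAMPLE_LOG, SAMPLE_NOW).items()):
        print(f"block {ip} until {until:%Y-%m-%d %H:%M:%S}")
    for ehlo, n in unmatched_ehlo_counts(SAMPLE_LOG).most_common():
        print(f"review: {ehlo} seen {n}x")
```

Run from cron against the real log with `plan_blocks` output fed to the firewall; the "review" list is what the first reply describes collecting over 90 days, and a name such as SH3LLS-56959 surfacing there is the cue to add a wildcard like `SH3LLS-*`.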
