Add IP blocking for: EHLO Domain Rule that also matches Harvesting or other rules.
Idea shared by Curtis Kropar www.HawaiianHope.org - December 29, 2016 at 1:39 AM
Proposed
So I have read threads and set up the EHLO Domain Rule to block a number of spammers
*.top
*.date
and a variety of others.
 
It is working, blocking a pile of trash, but I wish it would do more.
Below is a chunk of SMTP log.
It is blocking based on the EHLO rule (*.date), but the user they are trying to email does not actually exist either. It appears that is normal behavior for the rule - to say the user does not exist - but REALLY, the user no longer exists; they just killed the account 2 days ago.
 
So, the incoming email now matches 2 different rules: the EHLO blocking, and the Abuse Detection - Bad SMTP Session Harvesting rule. (The spammer has sent about 2 dozen emails to various non-existing user accounts.)
 
Can we get the rule checker to see if an email matches more than one rule, and perform more than one action? Rejecting by EHLO is awesome, but it would be nice if it also:
 
1) Automatically added the offending IP address to the blacklist.
2) Checked to see if the email matches any other rules, like harvesting, and if it does, took that action, blacklisting the IP address.
 
We are using:
  • SmarterMail Enterprise Edition
  • Version 14.4.5801
 
[2016.12.29] 00:05:03 [67.229.237.252][63666736] rsp: 220 mail.GetMySiteOnline.com
[2016.12.29] 00:05:03 [67.229.237.252][63666736] connected at 12/29/2016 12:05:03 AM
[2016.12.29] 00:05:04 [67.229.237.252][63666736] cmd: EHLO 0170984b.mentionehand.date
[2016.12.29] 00:05:04 [67.229.237.252][63666736] rsp: 250-mail.GetMySiteOnline.com Hello [67.229.237.252]250-SIZE 15728640250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2016.12.29] 00:05:04 [67.229.237.252][63666736] The domain given in the EHLO command violates an EHLO SMTP blocking rule.  Any authentication attempts or RCPT commands will be rejected.
[2016.12.29] 00:05:04 [67.229.237.252][63666736] cmd: MAIL FROM:<CarRentals@mentionehand.date> BODY=8BITMIME
[2016.12.29] 00:05:05 [67.229.237.252][63666736] rsp: 250 OK <carrentals@mentionehand.date> Sender ok
[2016.12.29] 00:05:05 [67.229.237.252][63666736] cmd: RCPT TO:<mimi@getmysiteonline.com>
[2016.12.29] 00:05:05 [67.229.237.252][63666736] rsp: 550 <mimi@getmysiteonline.com> No such user here
[2016.12.29] 00:05:05 [67.229.237.252][63666736] cmd: QUIT
[2016.12.29] 00:05:05 [67.229.237.252][63666736] rsp: 221 Service closing transmission channel
[2016.12.29] 00:05:05 [67.229.237.252][63666736] disconnected at 12/29/2016 12:05:05 AM
 
[2016.12.29] 07:12:45 [67.229.237.252][38219162] rsp: 220 mail.GetMySiteOnline.com
[2016.12.29] 07:12:45 [67.229.237.252][38219162] connected at 12/29/2016 7:12:45 AM
[2016.12.29] 07:12:45 [67.229.237.252][38219162] cmd: EHLO 01709858.mentionehand.date
[2016.12.29] 07:12:45 [67.229.237.252][38219162] rsp: 250-mail.GetMySiteOnline.com Hello [67.229.237.252]250-SIZE 15728640250-AUTH LOGIN CRAM-MD5250-8BITMIME250 OK
[2016.12.29] 07:12:45 [67.229.237.252][38219162] The domain given in the EHLO command violates an EHLO SMTP blocking rule.  Any authentication attempts or RCPT commands will be rejected.
[2016.12.29] 07:12:45 [67.229.237.252][38219162] cmd: MAIL FROM:<Solar-Energy@mentionehand.date> BODY=8BITMIME
[2016.12.29] 07:12:47 [67.229.237.252][38219162] rsp: 250 OK <solar-energy@mentionehand.date> Sender ok
[2016.12.29] 07:12:47 [67.229.237.252][38219162] cmd: RCPT TO:<mimi@getmysiteonline.com>
[2016.12.29] 07:12:47 [67.229.237.252][38219162] rsp: 550 <mimi@getmysiteonline.com> No such user here
[2016.12.29] 07:12:47 [67.229.237.252][38219162] cmd: QUIT
[2016.12.29] 07:12:47 [67.229.237.252][38219162] rsp: 221 Service closing transmission channel
[2016.12.29] 07:12:47 [67.229.237.252][38219162] disconnected at 12/29/2016 7:12:47 AM
www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. To date we have given away over 1,000 free computers.
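SmarterMail does not expose the cross-rule correlation the post asks for, so the following is an added example, not SmarterMail code and not the poster's, that reproduces the logic offline: it parses lines in the SMTP log format shown above, groups them by source IP and session id, records whether the session's EHLO name matched one of the wildcard EHLO block patterns and how many RCPT commands were answered "550 ... No such user", and then emits blacklist candidates per IP. The sample log text, the thresholds, the second IP (203.0.113.7) and the function names are all constructed for the example. A 550 storm on its own is the harvesting signal; an IP that also trips the EHLO rule is flagged at a lower 550 count, which is the "matches two rules, take the stronger action" behaviour requested.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from fnmatch import fnmatch

# Constructed sample, modelled on the SmarterMail SMTP log lines in the post.
# 203.0.113.7 is a made-up, well-behaved server that mistyped one recipient.
SAMPLE_LOG = """\
[2016.12.29] 00:05:04 [67.229.237.252][63666736] cmd: EHLO 0170984b.mentionehand.date
[2016.12.29] 00:05:04 [67.229.237.252][63666736] The domain given in the EHLO command violates an EHLO SMTP blocking rule.  Any authentication attempts or RCPT commands will be rejected.
[2016.12.29] 00:05:05 [67.229.237.252][63666736] cmd: RCPT TO:<mimi@getmysiteonline.com>
[2016.12.29] 00:05:05 [67.229.237.252][63666736] rsp: 550 <mimi@getmysiteonline.com> No such user here
[2016.12.29] 07:12:45 [67.229.237.252][38219162] cmd: EHLO 01709858.mentionehand.date
[2016.12.29] 07:12:47 [67.229.237.252][38219162] cmd: RCPT TO:<mimi@getmysiteonline.com>
[2016.12.29] 07:12:47 [67.229.237.252][38219162] rsp: 550 <mimi@getmysiteonline.com> No such user here
[2016.12.29] 08:00:00 [203.0.113.7][11111111] cmd: EHLO mail.example.net
[2016.12.29] 08:00:01 [203.0.113.7][11111111] cmd: RCPT TO:<nobody@getmysiteonline.com>
[2016.12.29] 08:00:01 [203.0.113.7][11111111] rsp: 550 <nobody@getmysiteonline.com> No such user here
"""

# "[date] hh:mm:ss [ip][session-id] rest-of-line"
LINE_RE = re.compile(r"^\[[\d.]+\] \d\d:\d\d:\d\d \[([\d.]+)\]\[(\d+)\] (.*)$")
EHLO_RE = re.compile(r"^cmd: (?:EHLO|HELO) (\S+)", re.IGNORECASE)
NO_USER_RE = re.compile(r"^rsp: 550 .*No such user", re.IGNORECASE)


@dataclass
class Session:
    ip: str
    ehlo: str = ""      # lower-cased EHLO/HELO argument, if seen
    bad_rcpt: int = 0   # RCPT commands rejected with "550 No such user"


def parse_sessions(log_text):
    """Group log lines by (ip, session id); keep the EHLO name and the 550 count."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation or unrelated line
        ip, sid, body = m.groups()
        sess = sessions.setdefault((ip, sid), Session(ip))
        e = EHLO_RE.match(body)
        if e:
            sess.ehlo = e.group(1).lower()
        elif NO_USER_RE.match(body):
            sess.bad_rcpt += 1
    return list(sessions.values())


def ehlo_blocked(domain, patterns):
    """Same wildcard semantics as the EHLO Domain Rule list (e.g. '*.date')."""
    return any(fnmatch(domain.lower(), p.lower()) for p in patterns)


def evaluate(log_text, ehlo_patterns, harvest_threshold=5, combined_threshold=2):
    """Return {ip: [reasons]} for source IPs that should be added to the blacklist.

    harvest_threshold:  rejected RCPTs per IP that count as harvesting on their own.
    combined_threshold: rejected RCPTs per IP when the EHLO rule also fired
                        (constructed values; tune to the site's traffic).
    """
    per_ip = defaultdict(lambda: {"ehlo_hits": 0, "bad_rcpt": 0})
    for s in parse_sessions(log_text):
        stats = per_ip[s.ip]
        if s.ehlo and ehlo_blocked(s.ehlo, ehlo_patterns):
            stats["ehlo_hits"] += 1
        stats["bad_rcpt"] += s.bad_rcpt

    verdicts = {}
    for ip, st in per_ip.items():
        reasons = []
        if st["bad_rcpt"] >= harvest_threshold:
            reasons.append(f"harvesting: {st['bad_rcpt']} rejected RCPT")
        if st["ehlo_hits"] and st["bad_rcpt"] >= combined_threshold:
            reasons.append(
                f"ehlo+harvest: {st['ehlo_hits']} blocked EHLO sessions, "
                f"{st['bad_rcpt']} rejected RCPT"
            )
        if reasons:
            verdicts[ip] = reasons
    return verdicts


if __name__ == "__main__":
    for ip, reasons in evaluate(SAMPLE_LOG, ["*.top", "*.date"]).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the sample, only 67.229.237.252 is reported: two sessions hit the *.date rule and two recipients were rejected, so it clears the lower combined threshold, while 203.0.113.7 has a single bounced recipient and no EHLO hit and is left alone. The output is a candidate list for the blacklist, not an automatic block; keeping the harvest-only threshold well above one protects legitimate senders that hit a deleted mailbox, exactly the case in the post where the account had been removed two days earlier.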

1 Reply

bump
