Are EHLO and HELO treated the same in SMTP blocking?
Question asked by Curtis Kropar www.HawaiianHope.org - September 20 at 9:51 AM
Answered
We are using SmarterMail 14; does this apply to 15, 16 or 17?

I have noticed a bunch of SMTP connections coming in that are "cmd: HELO", not the typical "cmd: EHLO".

Almost all of them are spam, except a very few that are legitimate.
A local bank uses this, and I have seen legit emails from Gmail and others.
In reading this:

It says that both are acceptable.

When we set up SMTP blocking, the option shows as "EHLO Domain".
Does it also look at "HELO" too, or is it skipping those?

As an example, this is the type of garbage I am seeing:
(And is there a way to block IP addresses as part of the SMTP HELO/EHLO?)

[2018.09.04] 11:52:16 [103.251.178.206][7602017] rsp: 220 mail.GetMySiteOnline.com
[2018.09.04] 11:52:16 [103.251.178.206][7602017] connected at 9/4/2018 11:52:16 AM
[2018.09.04] 11:52:16 [103.251.178.206][7602017] cmd: HELO [103.251.178.206]
[2018.09.04] 11:52:16 [103.251.178.206][7602017] rsp: 250 mail.GetMySiteOnline.com Hello [103.251.178.206]
[2018.09.04] 11:52:17 [103.251.178.206][7602017] cmd: MAIL FROM: <Gonzalo03@0335.com>
[2018.09.04] 11:52:17 [103.251.178.206][21202467] rsp: 220 mail.GetMySiteOnline.com
[2018.09.04] 11:52:17 [103.251.178.206][21202467] connected at 9/4/2018 11:52:17 AM
[2018.09.04] 11:52:18 [103.251.178.206][21202467] cmd: HELO [103.251.178.206]
[2018.09.04] 11:52:18 [103.251.178.206][21202467] rsp: 250 mail.GetMySiteOnline.com Hello [103.251.178.206]
[2018.09.04] 11:52:18 [103.251.178.206][21202467] cmd: MAIL FROM: <Gonzalo79@0335.com>
[2018.09.04] 11:52:19 [103.251.178.206][16136474] rsp: 220 mail.GetMySiteOnline.com
[2018.09.04] 11:52:19 [103.251.178.206][16136474] connected at 9/4/2018 11:52:19 AM
[2018.09.04] 11:52:19 [103.251.178.206][16136474] cmd: HELO [103.251.178.206]
[2018.09.04] 11:52:19 [103.251.178.206][16136474] rsp: 250 mail.GetMySiteOnline.com Hello [103.251.178.206]
[2018.09.04] 11:52:19 [103.251.178.206][16136474] cmd: MAIL FROM: <Bradley32@8900.com>
[2018.09.04] 11:52:20 [103.251.178.206][7602017] rsp: 250 OK <gonzalo03@0335.com> Sender ok
[2018.09.04] 11:52:20 [103.251.178.206][16136474] rsp: 250 OK <bradley32@8900.com> Sender ok
[2018.09.04] 11:52:20 [103.251.178.206][21202467] rsp: 250 OK <gonzalo79@0335.com> Sender ok
[2018.09.04] 11:52:21 [103.251.178.206][7602017] cmd: RCPT TO: <kropes@thecomputeracademy.com>
[2018.09.04] 11:52:21 [103.251.178.206][7602017] rsp: 550 <kropes@thecomputeracademy.com> No such user here
[2018.09.04] 11:52:21 [103.251.178.206][16136474] cmd: RCPT TO: <kropes@thecomputeracademy.com>
[2018.09.04] 11:52:21 [103.251.178.206][16136474] rsp: 550 <kropes@thecomputeracademy.com> No such user here
[2018.09.04] 11:52:21 [103.251.178.206][21202467] cmd: RCPT TO: <kropes@thecomputeracademy.com>
[2018.09.04] 11:52:21 [103.251.178.206][21202467] rsp: 550 <kropes@thecomputeracademy.com> No such user here
-------------------------------------------------------------------------------------------------------------------


Then there is this:
--------------------------------------------------------------------------------------------------------------------
[2018.09.04] 18:43:58 [66.173.111.118][20621256] rsp: 220 mail.GetMySiteOnline.com
[2018.09.04] 18:43:58 [66.173.111.118][20621256] connected at 9/4/2018 6:43:58 PM
[2018.09.04] 18:43:58 [66.173.111.118][20621256] cmd: HELO epcts1.domain
[2018.09.04] 18:43:58 [66.173.111.118][20621256] rsp: 250 mail.GetMySiteOnline.com Hello [66.173.111.118]
[2018.09.04] 18:43:58 [66.173.111.118][20621256] cmd: MAIL FROM:<test@getmysiteonline.com>
[2018.09.04] 18:44:03 [66.173.111.118][20621256] rsp: 250 OK <test@getmysiteonline.com> Sender ok
[2018.09.04] 18:44:03 [66.173.111.118][20621256] cmd: RCPT TO:<chevyview450@gmail.com>
[2018.09.04] 18:44:03 [66.173.111.118][20621256] rsp: 550 <chevyview450@gmail.com> No such user here
[2018.09.04] 18:44:11 [66.173.111.118][20621256] disconnected at 9/4/2018 6:44:11 PM

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. To date we have given away over 1,000 free computers.

3 Replies

Scarab Replied
Marked As Answer
In SmarterMail's SMTP Blocking, the EHLO Domain is used to match both the HELO and EHLO fields. An SMTP connection will use one or the other to connect to your server, and it doesn't matter which is used. If there is an SMTP Block by EHLO Domain that matches the domain provided in the HELO command, then it will be blocked.

For example: we have ylmf-pc set as an SMTP Block by EHLO Domain in SmarterMail. This is a common botnet, and connections will be made from thousands of IP addresses, some using HELO and some using EHLO to identify themselves. All of them are successfully blocked.
Thanks!
Is there a way in 14 to block IP addresses in SMTP? Or to block purely numerical domains, like my example above, "gonzalo03@0335.com"?

Scarab Replied
To my knowledge, SMTP Blocking only allows wildcards. It has been requested before to allow RegEx for HELO/EHLO blocking, but we are coming up on v17 and I don't think this has ever been implemented.

Unfortunately, there is no easy way to SMTP Block an EHLO that uses an IPv4 address when you are limited to just wildcards, unless you really, really want to set 255 individual EHLO blocks as follows:

*.*.*.1
*.*.*.2
*.*.*.3
...
*.*.*.254
*.*.*.255

With RegEx you could have just one SMTP Block for ^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$

The truly sticky wicket, though, is that unless you are using an Incoming Gateway on which you can safely block numeric EHLOs, you could be blocking a good number of legitimate outgoing SMTP clients, as many of your customers' EHLOs very well may be numeric as well.

Have you considered using Declude with SmarterMail? You can set your own RegEx filters and easily create one to filter/bounce/delete incoming emails that were delivered by servers using their IPv4 address for the EHLO (without the risk of blocking outgoing SMTP from your customers).

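The two points made in the replies above, that a HELO/EHLO block is matched against the argument regardless of which verb the client sent, and that a wildcard list cannot express "any IPv4 address" while a regex can, are easy to check against the log format shown in the question. The following script is an added example written for this page, not SmarterMail's or Declude's own code. It parses SmarterMail-style session log lines, applies a wildcard block list (the assumption that `*` matches any run of characters, case-insensitively, is mine; SmarterMail's exact wildcard semantics are not documented in the thread), and flags numeric HELO/EHLO arguments. One caveat the thread does not mention: the spam in the question sends the address as an RFC 5321 address literal, `HELO [103.251.178.206]`, with square brackets, and the regex quoted in the reply (`^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$`) does not match that form. The example matches both the bare and the bracketed form and keeps the thread's regex alongside for comparison. The first two sample lines are copied from the question's log excerpts; the rest are constructed.

```python
import re
from collections import Counter

# Sample input. The first two lines are quoted from the log excerpts in the
# question above; the remaining lines are constructed for this example
# (documentation/test-net addresses, session ids invented).
SAMPLE_LOG = """\
[2018.09.04] 11:52:16 [103.251.178.206][7602017] cmd: HELO [103.251.178.206]
[2018.09.04] 18:43:58 [66.173.111.118][20621256] cmd: HELO epcts1.domain
[2018.09.04] 19:01:02 [198.51.100.7][1000001] cmd: EHLO ylmf-pc
[2018.09.04] 19:02:03 [198.51.100.8][1000002] cmd: HELO YLMF-PC
[2018.09.04] 19:03:04 [198.51.100.9][1000003] cmd: EHLO 198.51.100.9
[2018.09.04] 19:04:05 [203.0.113.5][1000004] cmd: EHLO mail.example.net
[2018.09.04] 19:04:06 [203.0.113.5][1000004] cmd: MAIL FROM:<a@example.net>
"""

# One SmarterMail SMTP log line: "[date] time [client-ip][session] cmd: VERB arg".
LOG_RE = re.compile(
    r"^\[(?P<date>[\d.]+)\] (?P<time>[\d:]+) "
    r"\[(?P<ip>[^\]]+)\]\[(?P<session>\d+)\] "
    r"cmd: (?P<verb>HELO|EHLO) (?P<arg>.+)$",
    re.IGNORECASE,
)

IPV4 = r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}"
# The pattern quoted in the reply: bare dotted quad only.
THREAD_REGEX = re.compile(r"^" + IPV4 + r"$")
# Bare dotted quad OR an RFC 5321 address literal in square brackets,
# which is what the bots in the question actually send.
NUMERIC_RE = re.compile(r"^(?:" + IPV4 + r"|\[" + IPV4 + r"\])$")


def wildcard_to_regex(pattern):
    """Compile a SmarterMail-style wildcard block entry.

    Assumption: '*' matches any run of characters (including dots) and
    everything else is literal; matching is case-insensitive and must cover
    the whole HELO/EHLO argument.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def parse_helo(line):
    """Return the fields of a HELO/EHLO log line, or None for other lines."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_numeric_helo(arg):
    """True if the HELO/EHLO argument is an IPv4 address, bracketed or not."""
    return NUMERIC_RE.match(arg.strip()) is not None


def classify(log_text, block_patterns):
    """Apply the wildcard block list to every HELO/EHLO line in the log.

    The verb is recorded but never consulted for matching: a block entry
    matches the argument whether the client said HELO or EHLO.
    """
    compiled = [(p, wildcard_to_regex(p)) for p in block_patterns]
    results = []
    for line in log_text.splitlines():
        rec = parse_helo(line)
        if rec is None:
            continue
        arg = rec["arg"].strip()
        hits = [p for p, rx in compiled if rx.match(arg)]
        results.append({
            "ip": rec["ip"],
            "verb": rec["verb"].upper(),
            "arg": arg,
            "wildcard_block": hits[0] if hits else None,
            "numeric": is_numeric_helo(arg),
        })
    return results


def numeric_helo_sources(results):
    """Count, per client IP, the sessions that identified with an address.

    This is the list you would feed to an IP-level block, which the thread
    notes cannot be expressed through EHLO Domain wildcards.
    """
    return Counter(r["ip"] for r in results if r["numeric"])


if __name__ == "__main__":
    for r in classify(SAMPLE_LOG, ["ylmf-pc", "*.domain"]):
        print(f'{r["ip"]:16} {r["verb"]} {r["arg"]:24} '
              f'block={r["wildcard_block"]} numeric={r["numeric"]}')
    print(numeric_helo_sources(classify(SAMPLE_LOG, [])))
```

Note the `*.domain` entry in the usage call: it catches `epcts1.domain` from the second log excerpt, which shows how a wildcard catches a whole family of hostnames, while `ylmf-pc` blocks both the EHLO and the upper-cased HELO variant. Before deploying a numeric-HELO rule on a server that also accepts submissions from customers, exclude authenticated sessions, as the reply above warns; the log lines here do not carry that information, so the script does not attempt it.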