Brute force - blocking (ylmf-pc)
Question asked by Gary P - 3/4/2019 at 4:12 PM
Answered
Seeing lots of SMTP authentication attempts from various IP's but with common line in the log

cmd: EHLO ylmf-pc

How can i block this ?
I tried via Security>SMTP Blocks> EHLO domain, but it says 'This is not a valid domain or email address.'? Is there a way around this?


10 Replies

Reply to Thread
0
David Thomas Replied
Bug ?
0
Gary P Replied
Reading this thread from a few years ago would seem to indicate a bug ?

https://portal.smartertools.com/community/a2611/re-brute-force-attack-ylmf-pc.aspx


1
Devang Shah Replied
yes, it gives error This is not a valid domain when try to add "ylmf-pc" with EHLO Domain
2
Scarab Replied
Definitely a bug. The HELO/EHLO Domain can be a FQDN but it isn't required to be (and many times, as in the case of ymlf-pc botnet it is not a FQDN). The SMTP Blocks form should not be doing input .tld validation on HELO/EHLO entries. This should be reported with a Support Ticket.

Gary, to work around it you could create a placeholder such as "ylmf-pc.com" in Smartermail, stop the Smartermail service, then manually modify the \Service\Settings\Settings.json so the address_to_block is just "ylmf-pc", and restart the SmarterMail service. I can confirm that v17/v100 works when address_to_block is set to just "ylmf-pc".
0
Devang Shah Replied
Hi Scarab,

Would above method work for SM16? 

i couldn't find \service\settings folder in SM16 or settings.json file

\Smartertools\smartermail\service but no Setting folder under it 

i have created placeholder ylmf-pc.com in Smtp Block for EHLO


0
Scarab Replied
Devang,

For v16 of SmarterMail it would be located in the \Service\mailConfig.xml, otherwise the process would be the same.
1
Devang Shah Replied
Scarab,

thanks it worked perfectly


still i am facing spam issue from one domain, i've disabled that domain but still thousand of mails keep coming in my spool, this is the mail which is in spool for more than 5 hours 


"This account is hacked! Renew your password immediately!
You do not know me me and you really are probably wanting to know why you're getting this letter, proper?
I'm ahacker who openedyour emailand all devicestwo months ago.
Do not make an attempt to talk to me or alternatively try to find me, it is definitely impossible, because I directed you an email from YOUR account that I've hacked.
I set up malware to the adult videos (porno) website and suppose that you enjoyed this website to have a good time (think you understand what I want to say).
While you were taking a look at movies, your browser started out to act as a RDP (Remote Control) that have a keylogger that provided me permission to access your screen and network camera.
Consequently, my software programaquiredall information.
You have entered passwords on the online resources you visited, I already caught them.
Surely, you are able modify each of them, or perhaps already modified them.
But it really does not matter, my spyware updates needed data regularly.
What actually did I do?
I compiled a reserve copy of your system. Of all the files and contact lists.
I got a dual-screen video recording. The 1st screen presents the clip you had been watching (you have got an interesting preferences, ha-ha...), and the 2nd part demonstrates the recording from your web camera.
What exactly must you do?
So, I think, 1000 USD is basically a inexpensive amount of money for our small riddle. You will make the deposit by bitcoins (if you do not know this, search “how to buy bitcoin” in Google)."
My bitcoin wallet address:
181EcKKiagjnE9Tk8xBkt8rysEy79XeoXd
(It is cAsE sensitive, so just copy and paste it).
Warning:
You have only 48 hours to make the payment. (I have an unique pixel in this email, and at this time I understand that you have read through this email).
To tracethe reading of a letterand the actionsinside it, I utilizea Facebook pixel. Thanks to them. (Anything thatis usedfor the authorities might actually helpus.)

In the event I fail to get bitcoins, I shall undoubtedly direct your video to all your contacts, along with relatives, colleagues, and so forth?





any idea what should i check?
1
Robert Emmett Replied
Employee Post Marked As Answer
We have removed the validation as an email address/domain for EHLO domain / domain / email address in SMTP Blocking. We have also verified that wildcards work as expected.  This is will included in the next SmarterMail Build.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Gary P Replied
Scarab,

Thanks for confirming my suspicion , and offering a solution, I  have opened ticket with ST for the bug.

1
Robert Emmett Replied
Employee Post
The fix/change for this was released in the 7008 public build release.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com

Reply to Thread