Text filtering on EHLO field
Idea shared by Ben Conner - 6/3/2019 at 8:51 PM

One of the things I'm seeing is a lot of spammers self-identifying with bogus values in the EHLO parameter when they connect.  Example from the smtp log from yesterday:

server                                                Frequency   Percent
ADMIN                                                      176      4.60                                                   70      1.83
mx-out.facebook.com                                         64      1.67
ylmf-pc                                                     59      1.54
boldego.icu                                                 58      1.52
halfred.icu                                                 55      1.44
unitybus.icu                                                54      1.41
nat1.mia2.cbssports.com                                     46      1.20
smtprelay.registrarmail.net                                 30      0.78
rouge.fightalz.bid                                          21      0.55

Were I to have filtering control over the server name given in the EHLO statement, I would block any server with .icu, .bid, .stream, etc. from dropping off mail.  And ADMIN.  

While I can do this post-analysis, having it as an upfront rule would be quite useful.


1 Reply

Reply to Thread
Tony Scholz Replied
Employee Post
Hello Ben. 

The EHLO command is something that can be blocked. You would do this from the SMTP blocks tab under security. 

SMTP block allows three entry types. 
  • EHLO
  • Domain
  • email address
Thank you
Tony Scholz
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278

Reply to Thread