Text filtering on EHLO field

Idea shared by Conner - 6/3/2019 at 8:51 PM

Completed

Hi,

One of the things I'm seeing is a lot of spammers self-identifying with bogus values in the EHLO parameter when they connect. Example from the smtp log from yesterday:

server Frequency Percent
ADMIN 176 4.60
127.0.0.1 70 1.83
mx-out.facebook.com 64 1.67
ylmf-pc 59 1.54
boldego.icu 58 1.52
halfred.icu 55 1.44
unitybus.icu 54 1.41
nat1.mia2.cbssports.com 46 1.20
smtprelay.registrarmail.net 30 0.78
rouge.fightalz.bid 21 0.55

Were I to have filtering control over the server name given in the EHLO statement, I would block any server with .icu, .bid, .stream, etc. from dropping off mail. And ADMIN.

While I can do this post-analysis, having it as an upfront rule would be quite useful.

--Ben