Text filtering on EHLO field

Hi,

One of the things I'm seeing is a lot of spammers self-identifying with bogus values in the EHLO parameter when they connect. Example from the smtp log from yesterday:

server Frequency Percent
ADMIN 176 4.60
127.0.0.1 70 1.83
mx-out.facebook.com 64 1.67
ylmf-pc 59 1.54
boldego.icu 58 1.52
halfred.icu 55 1.44
unitybus.icu 54 1.41
nat1.mia2.cbssports.com 46 1.20
smtprelay.registrarmail.net 30 0.78
rouge.fightalz.bid 21 0.55

Were I to have filtering control over the server name given in the EHLO statement, I would block any server with .icu, .bid, .stream, etc. from dropping off mail. And ADMIN.

While I can do this post-analysis, having it as an upfront rule would be quite useful.

--Ben

Tony Scholz Replied

6/4/2019 at 7:24 AM

Employee Post

Hello Ben.

The EHLO command is something that can be blocked. You would do this from the SMTP blocks tab under security.

SMTP block allows three entry types.

EHLO
Domain
email address

Thank you

Tony Scholz System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com

1 Reply

Reply to Thread

Related Knowledge Base Articles

1 Reply

Reply to Thread

Tags

Related Knowledge Base Articles