2
Can I create an SMTP block rule for cmd: EHLO [127.0.0.1]
Question asked by Karl Jones - 10/21/2021 at 9:45 AM
Answered
The title of the thread is my question.
I have a few clients using one form or another of SmarterMail, and one of them right now is getting hammered by a sophisticated brute-force spambot attack that is creating the situation where users are getting locked out of their accounts, a lot! I cannot block the IPs or country codes from the locations of the attacks, as it's obviously a bot that can change IP addresses for each attempt, and they are changing countries as well as IPs.
The only thing I see that is identical in the connect attempt is the users and the cmd: EHLO [127.0.0.1]. Now, I am behind a Sophos UTM which operates in proxy mode, but it has its own network and external IPs.
I want a way to block these without blocking legitimate emails and servers.

13 Replies

1
echoDreamz Replied
We block this as well, blocks tons of crap. Never had any issues reported. 
0
Karl Jones Replied
Thanks echo. For obvious reasons I didn't want to block legitimate internal servers that identify themselves as just 127.0.0.1 or localhost.
Not sure I've seen the spambots and brute-force scanbots this aggressive and sophisticated, ever!
0
echoDreamz Replied
Unfortunately... if a mail server identifies itself as that, we probably don't really want to receive mail from them anyway.

We are fairly aggressive with making sure mail servers that send to us have proper identification, RDNS records, FCRDNS etc. The biggest one we blocked off was the ylmf-pc EHLO; this was literally thousands of connections per day.

It's been years since we started receiving that one, and still, to this day, we still get it :)
1
Matthew Leyda Replied
Marked As Answer
We use the EHLO block with [*.*.*.*]
It blocks the connection when it only has an IP in the EHLO line. Works very well on the bots.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Karl Jones Replied
Yes Matthew, I think I like that option better than mine... :-)
BTW, do you create one with the brackets and one without?
0
Matthew Leyda Replied
With brackets. That ensures you will only block the IP address attacks.

[2021.10.22] 01:02:39 [103.146.1.101][34968492] cmd: EHLO [103.146.1.101]
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Karl Jones Replied
Got it, thanks..
0
Hi all!

Can you explain how you create the rule that blocks EHLO [*.*.*.*]?


P.S.: I doubt that it will also block servers that have a 4th-level hostname, for example MAIL.FELTRINO.BL.IT (it's a real mail server of a local public administration in Italy...)...

Are you sure this does not happen?
1
Matthew Leyda Replied

SMTP Blocks

SMTP Blocks are an effective method for temporarily preventing a domain or individual user from sending email from the server. For example, if a particular account is sending an abnormal amount of email, you can add their address to the SMTP Blocks list and they will be unable to send email until you remove them. Users and/or domains can be left on the list for whatever time you deem appropriate. This action can be an effective stop-gap versus actually deleting the user and/or domain from the server, giving users or Domain Administrators the ability to clean up their act before having their mail server privileges revoked.

NOTE: SMTP Blocks are enabled against a message's Return Path versus using the FROM address because the Return Path is generally more difficult to spoof than simply the FROM: address.

To access the SMTP Blocks, log into SmarterMail as a System Administrator and click on the Settings icon. Then click on Security in the navigation pane and select the SMTP Blocks tab.

To create a new block, click on New. When adding or editing an entry, the following configuration settings will be available, based on the Block Type chosen:

SMTP Blocking

  • Block Type - Whether the block affects an email address or an entire domain, or an EHLO domain. An "EHLO domain" is the return value given when SmarterMail sends the EHLO or HELO command. A standard EHLO domain is the fully qualified domain name set up for the mail server you're wanting to block. (E.g., "mail.your_domain.com".) However, it IS possible that it will be something different based on whether the command is sent by the SmarterMail web interface or an email client. For example, it may be the local IP address of the sending machine. Therefore, there is no well-established rule for what should be entered until some testing is done by the System Administrator.
  • Blocked Address - The complete email address of the user, the domain name or the value used for the EHLO domain.
  • Direction - For user/domain (non-EHLO domain) blocks, this refers to the types of messages that should be blocked from sending: Inbound, Outbound or All Messages.
  • Description - A friendly name or brief description of the block.

Note: SMTP blocking does NOT occur immediately when the EHLO command is given. Instead, a "soft" block is used and SmarterMail will fail any authentication attempts or RCPT TO commands. This is because if the failure occurs right after the EHLO command, any person attempting to spam from a mail server could figure out what the problem is and change the domain given with the command on each send. A "soft" failure should, instead, make the spammer believe he is using an incorrect password.

Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
THX!
0
I see a lot of failed login even with "EHLO localhost"

Do you think it's safe to block that EHLO domain?
0
Unfortunately blocking "EHLO [*.*.*.*]" has a bad contraindication: some email client software, like for example Thunderbird, uses the local IP address (e.g. 192.168.1.50) as the EHLO domain when it authenticates through SMTP.

So EHLO [*.*.*.*] blocking results in preventing many (if not all...) legitimate users that use SMTP from sending their mail....

P.S.: I found out that the same thing can happen both by blocking the EHLO "[127.0.0.1]" and "localhost" (I don't know which mail client software uses these EHLOs, but in less than 30 minutes I received complaints and the SMTP log confirmed that...), but this unfortunately jeopardizes the possibility of using this security technique...
1
Matthew Leyda Replied
We don't use it on the mail server. We use it on an incoming gateway that does greylisting and spam filtering.
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
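As an added example (not from the thread, from SmarterMail, or from Kendra), the following Python script applies the `[*.*.*.*]` rule discussed above to SMTP log lines in the format Matthew quoted and buckets the EHLO arguments, so an administrator can see, before enabling such a block, how many matches are private LAN literals (the Thunderbird case raised above) or loopback/localhost, versus the bare public IP literals the bots send. The log format regex and the sample lines are constructed assumptions, not real traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the SmarterMail SMTP log format quoted in the thread; not real traffic.
SAMPLE_LOG = """\
[2021.10.22] 01:02:39 [103.146.1.101][34968492] cmd: EHLO [103.146.1.101]
[2021.10.22] 01:02:41 [198.51.100.7][34968493] cmd: EHLO [127.0.0.1]
[2021.10.22] 01:02:44 [203.0.113.9][34968494] cmd: EHLO localhost
[2021.10.22] 01:03:01 [198.51.100.20][34968495] cmd: EHLO [192.168.1.50]
[2021.10.22] 01:03:05 [192.0.2.33][34968496] cmd: EHLO mail.feltrino.bl.it
[2021.10.22] 01:03:09 [103.146.1.101][34968497] cmd: EHLO [103.146.1.101]
"""

LINE_RE = re.compile(
    r"^\[(?P<date>[\d.]+)\] (?P<time>[\d:]+) \[(?P<peer>[^\]]+)\]\[\d+\] "
    r"cmd: (?:EHLO|HELO) (?P<arg>\S+)$")
# A bracketed dotted quad, i.e. what the block value [*.*.*.*] matches.
IPV4_LITERAL_RE = re.compile(r"^\[\d{1,3}(?:\.\d{1,3}){3}\]$")

def matches_ip_wildcard(arg):
    """True when the EHLO argument would be caught by an EHLO block of [*.*.*.*]."""
    return IPV4_LITERAL_RE.match(arg) is not None

def classify_ehlo(arg):
    """Bucket an EHLO argument by what blocking it would collaterally affect."""
    if arg.lower() == "localhost":
        return "localhost"
    if not matches_ip_wildcard(arg):
        return "hostname"          # e.g. mail.feltrino.bl.it: never matched by [*.*.*.*]
    try:
        ip = ipaddress.ip_address(arg[1:-1])
    except ValueError:
        return "malformed-literal" # octet out of range; still matches the wildcard
    if ip.is_loopback:
        return "loopback-literal"  # EHLO [127.0.0.1], the original question
    if ip.is_private:
        return "private-literal"   # LAN address: typical of an authenticating desktop client
    return "public-literal"        # bare public IP: the bot pattern in the thread

def summarize(log_text):
    """Return (counts per category, counts per EHLO value) for the log text."""
    categories, values = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            arg = m.group("arg")
            categories[classify_ehlo(arg)] += 1
            values[arg] += 1
    return categories, values
```

Run `summarize()` over a day of real SMTP log before adding the block: a large private-literal or localhost count means the wildcard would hit authenticated users, which is the case where the thread recommends applying it only on an incoming gateway.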
