Host screening by ELHO/HELO initial conversation
- Posts: 41
- Joined: Tue Jan 20, 2015 4:57 pm
Host screening by ELHO/HELO initial conversation
Ian,
First let me say thank you for your dedication to a well-built product! I have been using it myself and supporting it for three other commercial clients for almost 14 years now and will continue to do so.
I have observed many MailEnable Discussion Forum inquiries in reference to blocking/stopping certain EHLO identifications during the initial conversation (connection) with MailEnable, but with no actual remedy. From what I have found, the Discussion Forums don't actually address the problem other than redirections to another add-on program like MXScan or banning the IP. Firstly, MXScan doesn't have a function to drop/disconnect/ban a connection based on the EHLO conversation identification, example: ylmf-pc. Secondly, blocking the IP is an unrealistic solution as ylmf-pc and others have massive exposure through the WAN with infected workstations using hundreds if not thousands of different IPs.
PTR and SPF have been implemented but, as you know, are not a realistic solution because many legitimate servers that our client base must have email conversations with are incorrectly configured; this includes improperly configured US governmental agencies.
For a simple solution, I'm requesting your serious consideration that this should be a function available within the MailEnable MTU configuration section. The section should have the possibility to add several phrases, with the option for each to include a wildcard (*) as a prefix and/or suffix. It would also be a benefit if each detected connection that matches the rule were banned by IP for at least one or more hours. Here are some samples of the EHLO conversations that I would block:
task*
localhost
ownerpc
ylmf-pc
cable*
In addition to the above, the capability of blocking EHLOs with only IP numbers would be beneficial.
Thank you
Bob Brenner
- Posts: 560
- Joined: Mon Nov 03, 2003 7:48 am
- Location: Cape Town
Re: Host screening by ELHO/HELO initial conversation
I most definitely second this suggestion.
http://forum.mailenable.com/viewtopic.php?f=6&t=27294
Cheers,
Brett
- Site Admin
- Posts: 1127
- Joined: Mon Jun 10, 2002 6:31 pm
- Location: Melbourne, Victoria, Australia
Re: Host screening by ELHO/HELO initial conversation
Hi,
This is available as a registry key in version 8.56 and later. It does not do wildcards yet though. But you can add a list of ones you want to block. The registry key required is below and takes a string value of the items you want to block. Separate them with a comma:
For 32bit Windows:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Mail Enable\Mail Enable\Connectors\SMTP]
    "Blocked HELO"="localhost,ylmf-pc"

For 64bit Windows:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mail Enable\Mail Enable\Connectors\SMTP]
    "Blocked HELO"="localhost,ylmf-pc"

You will need to restart the SMTP service when you change this. If a match is made the SMTP service just drops the connection. We'll likely expand on this. Not sure you want to block ones that send IPs though, as some valid clients may be doing this.
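To make the screening behaviour concrete, the following is an added Python model (not MailEnable's code and not part of this thread): it parses a value in the same comma-separated shape as the "Blocked HELO" string, drops a HELO/EHLO whose name exactly matches an entry as the post describes, and additionally implements the prefix/suffix "*" wildcard and the IP-literal check requested earlier in the thread, which the shipped key does not do. It assumes that hostname comparison is case-insensitive; the list value and the sample command lines are constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of the thread's "Blocked HELO" string value.
# Exact entries mirror the shipped key; "*" entries model the requested wildcard.
BLOCKED_HELO = "localhost, ylmf-pc, task*, cable*"
HELO_RE = re.compile(r"^\s*(HELO|EHLO)\s+(\S+)\s*$", re.IGNORECASE)

def parse_blocked_list(value):
    """Split the registry-style string into trimmed, lower-cased entries."""
    return [e.strip().lower() for e in value.split(",") if e.strip()]

def matches_entry(name, entry):
    """Exact match, or a leading/trailing '*' wildcard (hypothetical extension)."""
    if entry.startswith("*"):
        return name.endswith(entry[1:])
    if entry.endswith("*"):
        return name.startswith(entry[:-1])
    return name == entry

def is_ip_literal(name):
    """True for a bare IP or an RFC 5321 address literal such as [192.0.2.10]."""
    candidate = name[1:-1] if name.startswith("[") and name.endswith("]") else name
    if candidate.lower().startswith("ipv6:"):
        candidate = candidate[5:]
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False

def screen_helo(line, blocked, drop_ip_literals=False):
    """Return ("drop", reason) or ("accept", None) for one HELO/EHLO command line."""
    m = HELO_RE.match(line)
    if not m:
        return ("accept", None)  # not a HELO/EHLO command; the check does not apply
    name = m.group(2).lower()  # assumption: comparison is case-insensitive
    for entry in blocked:
        if matches_entry(name, entry):
            return ("drop", f"matches blocked entry '{entry}'")
    if drop_ip_literals and is_ip_literal(name):
        return ("drop", "address literal instead of a hostname")
    return ("accept", None)

def screen_all(lines, value=BLOCKED_HELO, drop_ip_literals=False):
    """Screen a batch of command lines; returns (line, verdict, reason) tuples."""
    blocked = parse_blocked_list(value)
    return [(ln, *screen_helo(ln, blocked, drop_ip_literals)) for ln in lines]

# Constructed sample EHLO/HELO lines, not captured traffic.
SAMPLE = ["EHLO ylmf-pc", "HELO taskserver", "EHLO mail.example.com", "EHLO [192.0.2.10]"]
```

Run `screen_all(SAMPLE, drop_ip_literals=True)` to see which of the sample lines would be dropped; with the default `drop_ip_literals=False` the bracketed address literal is accepted, matching the caution in the post above about valid clients that send IPs.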
- Posts: 560
- Joined: Mon Nov 03, 2003 7:48 am
- Location: Cape Town
Re: Host screening by ELHO/HELO initial conversation
Excellent - thanks for the update.
Personally I am not bothered blocking HELO with IP address, it's that damn ylmf-pc that has me seeing red.
Cheers,
Brett
- Posts: 560
- Joined: Mon Nov 03, 2003 7:48 am
- Location: Cape Town
Re: Host screening by ELHO/HELO initial conversation
Happy to report that this is working well for me.
In the 2 hours 50 minutes since the SMTP service restart after making the registry setting, the service has already dropped 8372 connection attempts by ylmf-pc.
- Posts: 41
- Joined: Tue Jan 20, 2015 4:57 pm
Re: Host screening by ELHO/HELO initial conversation
Thank you for the registry solution and yes, it has helped. As for the ylmf-pc slamming Brett Rownbotham, I thought I was getting slammed, not. I did eventually put up an email gateway called "SctollOutF1" and you may want to look into it; so far I'm REALLY liking it! I installed it in a VM under the MailEnable server and so far so good!
Enjoy!
Bob Brenner
Re: Host screening by ELHO/HELO initial conversation
Hi Bob/Brett,
Ian pointed me to this article to do a very similar procedure on a bot or spammer using the EHLO command.
Did this registry key already exist for you guys or did you have to add it? What exact arguments did you put in? What options did you use below? (I have a Windows 2012 R2 box.) I'm looking to block by hostname. Any help is appreciated.
Key
String Value
Binary Value
DWORD
QWORD
Multi-String Value
Expandable String Value
- Posts: 560
- Joined: Mon Nov 03, 2003 7:48 am
- Location: Cape Town
Re: Host screening by ELHO/HELO initial conversation
The key, as detailed in an earlier post, had to be added, it did not already exist. It must be created as a string value. As for arguments, it is just a comma-separated list of hostnames that should be blocked at the EHLO/HELO stage of the SMTP conversation.
Cheers,
Brett
Re: Host screening by ELHO/HELO initial conversation
Clearly I'm just not getting the concept here. I went ahead and created the string value and have it presented like this. Tried with quotes in the string value, without quotes. Restarted the SMTP service, nothing. See below. Did I do this right? I'm at a loss. It's not blocking it either way. This is just a test I'm using currently. Tried short names, long names,
- Posts: 560
- Joined: Mon Nov 03, 2003 7:48 am
- Location: Cape Town
Re: Host screening by ELHO/HELO initial conversation
The key name is "Blocked HELO" whereas you have used "Blocked EHLO".
Cheers,
Brett