As many MailEnable users know, an EHLO connect string of "ylmf-pc" shows that the connecting computer is part of the spamming botnet known as "PushDo" (and sometimes alternatively "Cutwail").
I've configured EHLO blocking to drop connections on receipt of the "ylmf-pc" string.
Over the last three days, I've had more than 350,000 lines in my log files from infected systems that connect, send the EHLO ylmf-pc string, get dropped, and repeat over and over for hours -- sometimes for days.
Please give us a checkbox to add EHLO-blocked IP addresses to the denied IP addresses.
EHLO Blocking -- Add to denied IP list
- Site Admin
- Posts: 1127
- Joined: Mon Jun 10, 2002 6:31 pm
- Location: Melbourne, Victoria, Australia
Re: EHLO Blocking -- Add to denied IP list
We had considered adding this to the abuse list so the connection is dropped earlier. Adding to the denied IP address is not ideal since the IP hangs around too long and just slows down connections (when that list gets large). But there is not really an advantage to adding to the abuse list either, since while it reduces the Activity log by about 80 bytes for each connection, it increases the Debug log by 100 bytes. And since the connection is still dropped either way, we have left it as is. Not logging anything on the abuse or denied list is a consideration, but it affects diagnosing problems.
We have added wildcard ability to the EHLO blocking for the next minor update.
Re: EHLO Blocking -- Add to denied IP list
> Adding to the denied IP address is not ideal since the IP hangs around too long and just slows down connections (when that list gets large).

I can purge the list if I find connections getting too slow. That's a lot better than having 350K lines in my log files. Besides, why is it okay to add to the list on failed command counts but not okay to add to it on this?
It does argue for a feature that I requested years ago: An expiration date/time on each IP in the denied IP list. Automatically add the IP with a ten day expiration and delete it when the ten days comes around. That solves so many problems.
> We have added wildcard ability to the EHLO blocking for the next minor update.

That's nice, but it expands the problem further, with logs of connection after connection, sometimes for hours or days at a time, as spambots try to deliver fecal matter to my users -- as shown here:
12/31/16 02:51:54 SMTP-IN 74C58FDA0E0C474BB90B734244A12C03.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:54 EST/EDT 0 0
12/31/16 02:51:54 SMTP-IN 74C58FDA0E0C474BB90B734244A12C03.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:54 SMTP-IN 46F2CEEFB58844C5864EEE34C7873B9B.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:54 EST/EDT 0 0
12/31/16 02:51:54 SMTP-IN 46F2CEEFB58844C5864EEE34C7873B9B.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN E2F7DB7EDAC540A2AE60BCBDDB740524.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN E2F7DB7EDAC540A2AE60BCBDDB740524.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 263A07A5622E42CF88E3D924DEA703B5.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 263A07A5622E42CF88E3D924DEA703B5.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 95AEF79E980446D896800AB86C642DDC.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 95AEF79E980446D896800AB86C642DDC.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 8F8229DEDC594682BFC699C57F6EFBA8.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 8F8229DEDC594682BFC699C57F6EFBA8.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 0EC522226E0949BA86F751B6EC169EC4.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 0EC522226E0949BA86F751B6EC169EC4.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 46076EED5ACA4201BD6E745293C9D8E6.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 46076EED5ACA4201BD6E745293C9D8E6.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 4940CF5A2DA847D0BA4C21E7B0E86314.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 4940CF5A2DA847D0BA4C21E7B0E86314.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 655DAC469CAE41C5A9F199154EE8B746.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 655DAC469CAE41C5A9F199154EE8B746.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN E0CA2F5EA98F4E1CBCD868BE04F8A57F.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN E0CA2F5EA98F4E1CBCD868BE04F8A57F.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 1DAD4AA13EAB4263AFF91F45A3A4A491.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 1DAD4AA13EAB4263AFF91F45A3A4A491.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 56805682F19D4CEB872BA47004B57F0E.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 56805682F19D4CEB872BA47004B57F0E.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 413F05C9EE8A46C19CC9F3E42C521A04.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 413F05C9EE8A46C19CC9F3E42C521A04.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 509CD02CC40E4F979E76F3D4F70F5E17.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 509CD02CC40E4F979E76F3D4F70F5E17.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 92CE1F6057B94E13A22ACE3ED5DB8D18.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 92CE1F6057B94E13A22ACE3ED5DB8D18.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN FD8CC33EAB4D400387B233F99042744A.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN FD8CC33EAB4D400387B233F99042744A.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 51277CBE953D46E0AB48D51993D10DBA.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 51277CBE953D46E0AB48D51993D10DBA.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 6C5C8589B3C74192B93E0B2F632FD463.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 6C5C8589B3C74192B93E0B2F632FD463.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 75C7E39DE7A246D0864993D3702C9F15.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 75C7E39DE7A246D0864993D3702C9F15.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN B82D35D280FF49C5BD2793119BE2475B.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN B82D35D280FF49C5BD2793119BE2475B.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 3F5E339B2FCF42F2976ABBAE8836425A.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 3F5E339B2FCF42F2976ABBAE8836425A.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 6DA445E97B5B4B239566CA16E5D5B99F.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:57 SMTP-IN 6DA445E97B5B4B239566CA16E5D5B99F.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:57 SMTP-IN D5C33EA8FE1A49C09FCA51006DCCF14F.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:57 EST/EDT 0 0
12/31/16 02:51:57 SMTP-IN D5C33EA8FE1A49C09FCA51006DCCF14F.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:57 SMTP-IN 7316B1CA24B4400B86E04126B65EF451.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:57 EST/EDT 0 0
12/31/16 02:51:57 SMTP-IN 7316B1CA24B4400B86E04126B65EF451.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
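As an added example (not MailEnable's code and not posted by anyone in this thread), the script below does what the two posts above ask for by hand: it parses SMTP-IN activity log lines in the layout of the excerpt, counts blocked EHLO/HELO names per source IP (with shell-style wildcards, which is one reading of the "wildcard ability" the admin mentions), and keeps a denied-IP list whose entries expire after the ten days the poster proposed. The field layout is inferred from the excerpt only (the numeric field after the session id is not explained in the thread), the sample lines are constructed with addresses from the 192.0.2.0/24 documentation range, and the names `parse_line`, `blocked_ehlo_hits`, `ExpiringDenyList` and `build_deny_list` are this example's own.

```python
"""Added example (not MailEnable code): per-IP counting of blocked EHLO strings in
MailEnable SMTP activity log lines, plus a denied-IP list whose entries expire.

Assumptions not taken from the thread: the whitespace-separated field layout below,
shell-style wildcard patterns for the EHLO block list, and a 10-day default TTL.
"""
from collections import Counter
from datetime import datetime, timedelta
from fnmatch import fnmatch
import re

# Activity-log layout as seen in the excerpt:
# <date> <time> SMTP-IN <session>.MAI <number> <ip> <command> [<data ...>] <out> <in>
LOG_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d) SMTP-IN "
    r"(?P<session>\S+) (?P<num>\d+) (?P<ip>\S+) (?P<cmd>\S+)"
    r"(?: (?P<data>.*?))? (?P<out>\d+) (?P<inb>\d+)$"
)

NOW = datetime(2016, 12, 31, 3, 0, 0)   # reference clock for the demo below
DAY = timedelta(days=1)


def parse_line(line):
    """Return a dict of fields for one activity-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["data"] = rec["data"] or ""
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%y %H:%M:%S")
    return rec


def ehlo_name(rec):
    """Client-supplied EHLO/HELO name, or None for any other command."""
    if rec["cmd"] not in ("EHLO", "HELO"):
        return None
    parts = rec["data"].split(None, 1)      # data repeats the verb: "EHLO ylmf-pc"
    return parts[1] if len(parts) == 2 else ""


def blocked_ehlo_hits(lines, patterns):
    """Count, per source IP, EHLO/HELO names matching any blocked pattern (case-insensitive)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = ehlo_name(rec)
        if name is None:
            continue
        if any(fnmatch(name.lower(), p.lower()) for p in patterns):
            hits[rec["ip"]] += 1
    return hits


class ExpiringDenyList:
    """Denied-IP list where every entry carries an expiry time (the poster's proposal)."""

    def __init__(self, ttl=10 * DAY):
        self.ttl = ttl
        self._expires = {}

    def add(self, ip, now):
        self._expires[ip] = now + self.ttl   # re-adding an IP refreshes its expiry

    def purge(self, now):
        """Drop entries whose expiry has passed; returns how many were removed."""
        stale = [ip for ip, exp in self._expires.items() if exp <= now]
        for ip in stale:
            del self._expires[ip]
        return len(stale)

    def is_denied(self, ip, now):
        exp = self._expires.get(ip)
        return exp is not None and exp > now

    def __len__(self):
        return len(self._expires)


def build_deny_list(lines, patterns, threshold, now, ttl=10 * DAY):
    """Deny every IP that sent at least `threshold` blocked EHLO/HELO strings."""
    deny = ExpiringDenyList(ttl)
    for ip, n in blocked_ehlo_hits(lines, patterns).items():
        if n >= threshold:
            deny.add(ip, now)
    return deny


# Constructed sample lines (documentation-range IPs, made-up session ids).
SAMPLE_LOG = """\
12/31/16 02:51:54 SMTP-IN AAAA0001.MAI 788 192.0.2.10 220 mail.example.test ESMTP ready at 12/31/16 02:51:54 EST/EDT 0 0
12/31/16 02:51:54 SMTP-IN AAAA0001.MAI 788 192.0.2.10 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN AAAA0002.MAI 836 192.0.2.10 220 mail.example.test ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN AAAA0002.MAI 836 192.0.2.10 EHLO EHLO YLMF-PC 0 14
12/31/16 02:51:56 SMTP-IN AAAA0003.MAI 860 192.0.2.10 EHLO EHLO ylmf-pc 0 14
12/31/16 02:52:00 SMTP-IN AAAA0004.MAI 828 192.0.2.20 EHLO EHLO mx.partner.example 0 24
12/31/16 02:52:01 SMTP-IN AAAA0004.MAI 828 192.0.2.20 QUIT 0 6
12/31/16 02:52:05 SMTP-IN AAAA0005.MAI 788 192.0.2.30 HELO HELO ylmf-pc 0 14
""".splitlines()

BLOCKED = ["ylmf-pc", "ylmf*"]   # second entry shows the wildcard form

if __name__ == "__main__":
    hits = blocked_ehlo_hits(SAMPLE_LOG, BLOCKED)
    deny = build_deny_list(SAMPLE_LOG, BLOCKED, threshold=2, now=NOW)
    for ip, n in hits.items():
        print(f"{ip}: {n} blocked EHLO/HELO, denied={deny.is_denied(ip, NOW)}")
```

Running the script against a real activity log means feeding the file's lines to `build_deny_list` on a schedule and calling `purge` with the current time before the list is exported; the threshold keeps a single stray EHLO from denying a host, while the TTL bounds how long the list can grow, which is the admin's stated concern about a large denied-IP list.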