EHLO Blocking -- Add to denied IP list

Post your MailEnable suggestions here.
fbmaxwell
Posts: 24
Joined: Mon Apr 14, 2014 3:52 pm

EHLO Blocking -- Add to denied IP list

Post by fbmaxwell »

As many MailEnable users know, an EHLO connect string of "ylmf-pc" shows that the connecting computer is part of the spamming botnet known as "PushDo" (and sometimes alternatively "Cutwail").

I've configured EHLO blocking to drop connections on receipt of the "ylmf-pc" string.

Over the last three days, I've had more than 350,000 lines in my log files from infected systems that connect, send the EHLO ylmf-pc string, get dropped, and repeat over and over for hours -- sometimes for days.

Please give us a checkbox to add EHLO-blocked IP addresses to the denied IP addresses.

Admin
Site Admin
Posts: 1127
Joined: Mon Jun 10, 2002 6:31 pm
Location: Melbourne, Victoria, Australia

Re: EHLO Blocking -- Add to denied IP list

Post by Admin »

We had considered adding this to the abuse list so the connection is dropped earlier. Adding to the denied IP address list is not ideal since the IP hangs around too long and just slows down connections (when that list gets large). But there is not really an advantage to adding to the abuse list either, since while it reduces the Activity log by about 80 bytes for each connection, it increases the Debug log by 100 bytes. And since the connection is still dropped either way, we have left it as is. Not logging anything on the abuse or denied list is a consideration, but it affects diagnosing problems.

We have added wildcard ability to the EHLO blocking for the next minor update.

fbmaxwell
Posts: 24
Joined: Mon Apr 14, 2014 3:52 pm

Re: EHLO Blocking -- Add to denied IP list

Post by fbmaxwell »

Admin wrote: Adding to the denied IP address is not ideal since the IP hangs around too long and just slows down connections (when that list gets large).

I can purge the list if I find connections getting too slow. That's a lot better than having 350K lines in my log files. Besides, why is it okay to add to the list on failed command counts but not okay to add to it on this?

It does argue for a feature that I requested years ago: An expiration date/time on each IP in the denied IP list. Automatically add the IP with a ten day expiration and delete it when the ten days comes around. That solves so many problems.
Admin wrote: We have added wildcard ability to the EHLO blocking for the next minor update.

That's nice, but it expands the problem further, with logs of connection after connection, sometimes for hours or days at a time, as spambots try to deliver fecal matter to my users -- as shown here:

12/31/16 02:51:54 SMTP-IN 74C58FDA0E0C474BB90B734244A12C03.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:54 EST/EDT 0 0
12/31/16 02:51:54 SMTP-IN 74C58FDA0E0C474BB90B734244A12C03.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:54 SMTP-IN 46F2CEEFB58844C5864EEE34C7873B9B.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:54 EST/EDT 0 0
12/31/16 02:51:54 SMTP-IN 46F2CEEFB58844C5864EEE34C7873B9B.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN E2F7DB7EDAC540A2AE60BCBDDB740524.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN E2F7DB7EDAC540A2AE60BCBDDB740524.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 263A07A5622E42CF88E3D924DEA703B5.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 263A07A5622E42CF88E3D924DEA703B5.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 95AEF79E980446D896800AB86C642DDC.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 95AEF79E980446D896800AB86C642DDC.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 8F8229DEDC594682BFC699C57F6EFBA8.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 8F8229DEDC594682BFC699C57F6EFBA8.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 0EC522226E0949BA86F751B6EC169EC4.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 0EC522226E0949BA86F751B6EC169EC4.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 46076EED5ACA4201BD6E745293C9D8E6.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 46076EED5ACA4201BD6E745293C9D8E6.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 4940CF5A2DA847D0BA4C21E7B0E86314.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 4940CF5A2DA847D0BA4C21E7B0E86314.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 655DAC469CAE41C5A9F199154EE8B746.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 655DAC469CAE41C5A9F199154EE8B746.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN E0CA2F5EA98F4E1CBCD868BE04F8A57F.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN E0CA2F5EA98F4E1CBCD868BE04F8A57F.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN 1DAD4AA13EAB4263AFF91F45A3A4A491.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:55 EST/EDT 0 0
12/31/16 02:51:55 SMTP-IN 1DAD4AA13EAB4263AFF91F45A3A4A491.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 56805682F19D4CEB872BA47004B57F0E.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 56805682F19D4CEB872BA47004B57F0E.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 413F05C9EE8A46C19CC9F3E42C521A04.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 413F05C9EE8A46C19CC9F3E42C521A04.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 509CD02CC40E4F979E76F3D4F70F5E17.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 509CD02CC40E4F979E76F3D4F70F5E17.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 92CE1F6057B94E13A22ACE3ED5DB8D18.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 92CE1F6057B94E13A22ACE3ED5DB8D18.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN FD8CC33EAB4D400387B233F99042744A.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN FD8CC33EAB4D400387B233F99042744A.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 51277CBE953D46E0AB48D51993D10DBA.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 51277CBE953D46E0AB48D51993D10DBA.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 6C5C8589B3C74192B93E0B2F632FD463.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 6C5C8589B3C74192B93E0B2F632FD463.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 75C7E39DE7A246D0864993D3702C9F15.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 75C7E39DE7A246D0864993D3702C9F15.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN B82D35D280FF49C5BD2793119BE2475B.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN B82D35D280FF49C5BD2793119BE2475B.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 3F5E339B2FCF42F2976ABBAE8836425A.MAI 836 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:56 SMTP-IN 3F5E339B2FCF42F2976ABBAE8836425A.MAI 836 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:56 SMTP-IN 6DA445E97B5B4B239566CA16E5D5B99F.MAI 860 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:56 EST/EDT 0 0
12/31/16 02:51:57 SMTP-IN 6DA445E97B5B4B239566CA16E5D5B99F.MAI 860 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:57 SMTP-IN D5C33EA8FE1A49C09FCA51006DCCF14F.MAI 828 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:57 EST/EDT 0 0
12/31/16 02:51:57 SMTP-IN D5C33EA8FE1A49C09FCA51006DCCF14F.MAI 828 23.227.199.26 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:57 SMTP-IN 7316B1CA24B4400B86E04126B65EF451.MAI 788 23.227.199.26 220 {redacted} ESMTP ready at 12/31/16 02:51:57 EST/EDT 0 0
12/31/16 02:51:57 SMTP-IN 7316B1CA24B4400B86E04126B65EF451.MAI 788 23.227.199.26 EHLO EHLO ylmf-pc 0 14
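The feature requested in this thread (tally EHLO-blocked connections per source IP from the SMTP-IN activity log and deny that IP with a ten-day expiry that is purged automatically) can be prototyped outside MailEnable as a log post-processor. The script below is an added example, not MailEnable's code; it assumes the whitespace-separated log layout shown above, uses constructed sample lines with documentation-range IPs, and only produces the deny list (feeding it into MailEnable's denied IP list is left to the operator).

```python
"""Tally EHLO-blocked SMTP-IN connections per IP and keep an expiring deny list."""
from collections import Counter
from datetime import datetime, timedelta

BLOCKED_EHLO = {"ylmf-pc"}      # EHLO names treated as botnet markers (from the thread)
DENY_TTL = timedelta(days=10)   # ten-day expiry requested in the thread
TS_FORMAT = "%m/%d/%y %H:%M:%S"

# Constructed sample lines in the layout shown in the post:
# date time service session pid ip command args ... bytes_in bytes_out
SAMPLE_LOG = """\
12/31/16 02:51:54 SMTP-IN AAAA.MAI 788 203.0.113.7 220 mail.example ESMTP ready at 12/31/16 02:51:54 EST/EDT 0 0
12/31/16 02:51:54 SMTP-IN AAAA.MAI 788 203.0.113.7 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN BBBB.MAI 836 203.0.113.7 EHLO EHLO ylmf-pc 0 14
12/31/16 02:51:55 SMTP-IN CCCC.MAI 860 198.51.100.9 EHLO EHLO mx.legit.example 0 21
"""

def parse_line(line):
    """Return (timestamp, ip, command, ehlo_name) or None for lines that do not match."""
    parts = line.split()
    if len(parts) < 8 or parts[2] != "SMTP-IN":
        return None
    ts = datetime.strptime(parts[0] + " " + parts[1], TS_FORMAT)
    ip, command = parts[5], parts[6]
    # EHLO lines read "EHLO EHLO <name> <in> <out>", so the client name is parts[8]
    name = parts[8] if command == "EHLO" and len(parts) > 8 else ""
    return ts, ip, command, name

def blocked_hits(log_text):
    """Count EHLO-blocked connections per IP and record each IP's last hit time."""
    counts, last_seen = Counter(), {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "EHLO" and rec[3].lower() in BLOCKED_EHLO:
            counts[rec[1]] += 1
            last_seen[rec[1]] = rec[0]
    return counts, last_seen

def update_deny_list(deny, counts, last_seen, now, threshold=1):
    """Deny IPs with >= threshold hits until DENY_TTL after their last hit; purge expired."""
    for ip, n in counts.items():
        if n >= threshold:
            deny[ip] = last_seen[ip] + DENY_TTL
    return {ip: exp for ip, exp in deny.items() if exp > now}

def deny_list_report(log_text, now_text):
    """Convenience entry point: {ip: expiry as text} for a log excerpt and a 'now' stamp."""
    counts, last_seen = blocked_hits(log_text)
    deny = update_deny_list({}, counts, last_seen, datetime.strptime(now_text, TS_FORMAT))
    return {ip: exp.strftime(TS_FORMAT) for ip, exp in deny.items()}

if __name__ == "__main__":
    print(deny_list_report(SAMPLE_LOG, "12/31/16 03:00:00"))
```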
