Mailing List CGatePro@mail.stalker.com Message #106113
From: Jeff Wark <jwark@tbaytel.net>
Subject: Re: [Ext]HELO controls in CommuniGate
Date: Thu, 07 Jul 2016 16:55:08 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: CommuniGate Pro WebUser v6.0.11
Yet another reply (YAP).

It would also appear that a lot of these known, bad HELO statements are just a precursor to a login attempt, perhaps a dictionary attack via the SMTP protocol.  Those most often do not result in a successful message that can be scanned.

Now, that problem may be handled by the Failed-Login blacklisting, but we have always had trouble with that due to Outlook email clients producing one bad login for every good login.  Blocking an IP because of that is troublesome, especially in an office scenario.

--

Jeff Wark
Tbaytel Internet
On Thu, 07 Jul 2016 16:09:09 -0400
"Mark J Strawcutter" <mjstraw@iup.edu> wrote:
>>
>> You should be able to check/reject/drop using a rule
>>
>> Mark
>>
>> ----- Reply message -----
>> From: "Jeff Wark" <jwark@tbaytel.net>
>> To: "CommuniGate Pro Discussions" <CGatePro@mail.stalker.com>
>> Subject: [Ext]HELO controls in CommuniGate
>> Date: Thu, Jul 7, 2016 11:35 AM
>>
>> Just read an article that outlined some patterns that were detectable
>> in spambot HELO/EHLO commands.
>> As an example, looking at my logs shows dozens of IP addresses connecting
>> with 'EHLO ylmf-pc'.
>>
>> Does anyone know of a method that allows for restricting the HELO strings in
>> CommuniGate?  It appears that Postfix has something called 'HELO controls'.  This would be an interesting feature.
>>
>> I'm thinking that there isn't because I am unaware of any options providing control at that point of the SMTP
>> connection.  The only thing I can think of is watching the logs and generating a list for blacklisting/denying IP addresses.
>>
>>
>> --
>>
>>
>> Jeff Wark
>> Tbaytel Internet
>>
>>
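
The log-watching approach mentioned in the thread, sketched as an added example that is not part of either poster's message and is not CommuniGate Pro code. The log line format, the `BAD_HELO` set (seeded with the `ylmf-pc` name from the thread) and all function names are assumptions; the sample lines are constructed. Failed logins alone never put an address on the list, so a client that fails once before each good login is not blocked.

```python
import re
from collections import defaultdict

# Assumption: HELO/EHLO names treated as known-bad. 'ylmf-pc' is the one named in the thread.
BAD_HELO = {"ylmf-pc"}

# Constructed sample in a simplified, hypothetical format (NOT CommuniGate Pro's log layout):
#   <time> <session> [<client ip>] <event>
SAMPLE_LOG = """\
16:01:02 SMTPI-001 [203.0.113.10] cmd: EHLO ylmf-pc
16:01:03 SMTPI-001 [203.0.113.10] auth failed for 'info'
16:01:04 SMTPI-001 [203.0.113.10] auth failed for 'admin'
16:02:10 SMTPI-002 [198.51.100.7] cmd: EHLO office-pc.example.com
16:02:11 SMTPI-002 [198.51.100.7] auth failed for 'alice'
16:02:12 SMTPI-002 [198.51.100.7] auth ok for 'alice'
16:03:30 SMTPI-003 [203.0.113.55] cmd: ehlo YLMF-PC
"""

LINE_RE = re.compile(r"^\S+ \S+ \[(?P<ip>[^\]]+)\] (?P<event>.*)$")
HELO_RE = re.compile(r"^cmd: (?:HELO|EHLO) (?P<name>\S+)$", re.IGNORECASE)


def summarize(log_text):
    """Count bad-HELO greetings and login results per client IP."""
    stats = defaultdict(lambda: {"bad_helo": 0, "auth_failed": 0, "auth_ok": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        entry = stats[m["ip"]]
        helo = HELO_RE.match(m["event"])
        if helo and helo["name"].lower() in BAD_HELO:
            entry["bad_helo"] += 1
        elif m["event"].startswith("auth failed"):
            entry["auth_failed"] += 1
        elif m["event"].startswith("auth ok"):
            entry["auth_ok"] += 1
    return dict(stats)


def deny_candidates(stats):
    """IPs that greeted with a known-bad HELO; failed logins alone never qualify."""
    return sorted(ip for ip, s in stats.items() if s["bad_helo"] > 0)


if __name__ == "__main__":
    for ip in deny_candidates(summarize(SAMPLE_LOG)):
        print(ip)
```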
