Topic: Blocking "EHLO ylmf-pc" connection attempts
==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.6
- Linux/BSD distribution name and version: FreeBSD 11.0-RELEASE-p9
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====
The maillog files are full of connection attempts like the ones pasted below. I think the "EHLO ylmf-pc" string is part of a botnet. It's possible to block each address individually, but these requests come from many addresses.
How can I configure iRedMail or iRedAdmin Pro to block these connection attempts?
Thanks.
Apr 16 08:59:21 mail postfix/postscreen[52051]: CONNECT from [36.35.98.136]:3289 to [192.73.244.137]:25
Apr 16 08:59:21 mail postfix/postscreen[52051]: PREGREET 14 after 0.29 from [36.35.98.136]:3289: EHLO ylmf-pc\r\n
Apr 16 08:59:21 mail postfix/postscreen[52051]: HANGUP after 0.61 from [36.35.98.136]:3289 in tests after SMTP handshake
Apr 16 08:59:21 mail postfix/postscreen[52051]: DISCONNECT [36.35.98.136]:3289
Apr 16 08:59:22 mail postfix/postscreen[52051]: CONNECT from [36.35.98.136]:3626 to [192.73.244.137]:25
Apr 16 08:59:22 mail postfix/postscreen[52051]: PREGREET 14 after 0.29 from [36.35.98.136]:3626: EHLO ylmf-pc\r\n
Apr 16 08:59:23 mail postfix/postscreen[52051]: HANGUP after 0.64 from [36.35.98.136]:3626 in tests after SMTP handshake
Apr 16 08:59:23 mail postfix/postscreen[52051]: DISCONNECT [36.35.98.136]:3626
Apr 16 08:59:23 mail postfix/postscreen[52051]: CONNECT from [36.35.98.136]:4080 to [192.73.244.137]:25
Apr 16 08:59:24 mail postfix/postscreen[52051]: PREGREET 14 after 0.32 from [36.35.98.136]:4080: EHLO ylmf-pc\r\n
Apr 16 08:59:24 mail postfix/postscreen[52051]: HANGUP after 0.62 from [36.35.98.136]:4080 in tests after SMTP handshake
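Added example, not part of the original post and not iRedMail or Postfix code: a Python script that tallies postscreen PREGREET events per client IP for a given HELO name, which is one way to measure how many distinct addresses send "EHLO ylmf-pc". The function names and the threshold are assumptions; the first four sample lines are taken from the post and the last one is constructed.

```python
import re
from collections import Counter

# postscreen logs "PREGREET <bytes> after <secs> from [ip]:port: <text>" when a
# client sends data before the server's 220 greeting has been sent.
PREGREET_RE = re.compile(
    r"postfix/postscreen\[\d+\]: PREGREET \d+ after [\d.]+ "
    r"from \[(?P<ip>[^\]]+)\]:\d+: (?P<text>.*)$"
)
# The client's text is logged with CR/LF escaped as a literal "\r\n".
HELO_RE = re.compile(r"^(?:EHLO|HELO) +(?P<name>[^\\\s]+)", re.IGNORECASE)


def pregreet_events(lines):
    """Yield (client_ip, helo_name) for every PREGREET line; helo_name is
    None when the premature text was not a HELO/EHLO command."""
    for line in lines:
        m = PREGREET_RE.search(line)
        if m:
            h = HELO_RE.match(m.group("text"))
            yield m.group("ip"), (h.group("name").lower() if h else None)


def offenders(lines, helo_name, threshold=3):
    """Return {ip: count} for clients that pregreeted with helo_name at
    least `threshold` times."""
    hits = Counter(ip for ip, name in pregreet_events(lines)
                   if name == helo_name.lower())
    return {ip: n for ip, n in hits.items() if n >= threshold}


# The first four lines are from the post; the last line is constructed.
SAMPLE_LOG = r"""
Apr 16 08:59:21 mail postfix/postscreen[52051]: PREGREET 14 after 0.29 from [36.35.98.136]:3289: EHLO ylmf-pc\r\n
Apr 16 08:59:21 mail postfix/postscreen[52051]: HANGUP after 0.61 from [36.35.98.136]:3289 in tests after SMTP handshake
Apr 16 08:59:22 mail postfix/postscreen[52051]: PREGREET 14 after 0.29 from [36.35.98.136]:3626: EHLO ylmf-pc\r\n
Apr 16 08:59:24 mail postfix/postscreen[52051]: PREGREET 14 after 0.32 from [36.35.98.136]:4080: EHLO ylmf-pc\r\n
Apr 16 09:01:02 mail postfix/postscreen[52051]: PREGREET 21 after 0.11 from [203.0.113.7]:5120: EHLO client.example\r\n
""".strip().splitlines()

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG, "ylmf-pc").items():
        print(f"{ip}\t{count} PREGREET hits")
```

To run it against a real log, pass the open maillog file object in place of `SAMPLE_LOG`.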