Pegasus Mail & Mercury

Welcome to the Community for Pegasus Mail and
The Mercury Mail Transport System, the Internet's longest-serving PC e-mail system!

MercuryS: Can I block IP address in EHLO?

Last post 04-03-2019, 16:13 by Anaglypta. 9 replies.
  •  04-02-2019, 16:06, Brian Fluet (Top 10 Contributor, joined 12-24-2014, North Carolina, USA)

    MercuryS: Can I block IP address in EHLO?

    Hi All,


    My MercuryS is logging repeated attempts from various "connection from" IP addresses, but they all have the same IP address in the EHLO.  Please let me know if there is a way to block on that EHLO IP address.

    Rolf, is this something that your smtpevt daemon would detect?  I haven't gotten it in place yet but it's on my "to get to" list.   

    Here is a snippet from the log.

    T 20190402 062058 5c78ee84 Connection from 196.3.195.242
    T 20190402 062059 5c78ee84 EHLO [185.180.222.147]
    T 20190402 062059 5c78ee84 AUTH LOGIN
    T 20190402 062100 5c78ee84 Connection closed with 196.3.195.242, 2 sec. elapsed.
    T 20190402 062101 5c78ee85 Connection from 178.64.50.21
    T 20190402 062101 5c78ee85 EHLO [185.180.222.147]
    T 20190402 062102 5c78ee85 AUTH LOGIN
    T 20190402 062103 5c78ee85 Connection closed with 178.64.50.21, 2 sec. elapsed.


  •  04-02-2019, 16:40, Anaglypta (Top 500 Contributor, joined 09-30-2016, Luton, England)

    Re: MercuryS: Can I block IP address in EHLO?

    Hi Brian,

    You can do that with Transaction Filtering with a line like this:

    H, "*185.180.222.147*", BS, "554 Bad HELO/EHLO format - connection dropped."


    John.

    EDIT: The file you want is TRANSFLT.MER, which is in the Mercury root folder, and don't forget to enable transaction level expression filtering in the COMPLIANCE tab of the MercuryS config.

    J.

  •  04-02-2019, 18:26, Sellerie (Top 75 Contributor, joined 04-10-2014)

    Re: MercuryS: Can I block IP address in EHLO?

    I have only a DSL account and my IP changes every 24 hours. I am using the following:

    H, "[EHeh][EHeh][LOlo][LOlo]??", RS, "554 Illegal HELO, connection refused."

    Connection from 45.79.13.119, Mon Apr 01 02:37:21 2019
    EHLO
    Host 45.79.13.119 added to short-term blacklist
    554 Illegal HELO, connection refused.
    15 sec. elapsed, connection closed Mon Apr 01 02:37:36 2019


  •  04-02-2019, 20:18, Brian Fluet (Top 10 Contributor, joined 12-24-2014, North Carolina, USA)

    Re: MercuryS: Can I block IP address in EHLO?

    Thank you both.  I have enabled transaction filtering and placed the line from John in TRANSFLT.MER.

    Sellerie, yours looks more 'all purpose', but my regex is rudimentary so I'm wondering how it works.  I see where it detects all upper- and lower-case variations of "EHLO" and "HELO", but I'm curious about the double question marks instead of an asterisk.  Is it simply that checking for two trailing characters is all that is needed, or is there something more meaningful about "??"?

  •  04-02-2019, 22:18, Sellerie (Top 75 Contributor, joined 04-10-2014)

    Re: MercuryS: Can I block IP address in EHLO?

    The ?? are for connections where the sender sends a greeting followed by only a space or nothing else. Normally after the HELO stands the name of the sender (EHLO mail-oi1-f99.google.com) or simply its IP address (if the sender uses your external IP = spammer, close connection). If you take the asterisk, then you would match ALL after the HELO...

  •  04-03-2019, 12:36, Anaglypta (Top 500 Contributor, joined 09-30-2016, Luton, England)

    Re: MercuryS: Can I block IP address in EHLO?

    Hi Brian,

    I hope the filter is working for you!

    I think transaction filtering is great. It has little overhead on the server and allows Mercury to drop any matching connections without having to receive the body of the email. A couple of filters will blitz a huge amount of junk. I use the following two filters:

    H, "*.*", RSN, "554 Bad HELO/EHLO format - connection dropped."

    This first one says that if the HELO/EHLO greeting does NOT contain a dot or period, reject the connection. This gets rid of all the common greetings like USER, WINDOWS, SERVER etc., as well-behaved mail servers will provide a FQDN as their greeting, so will have at least one dot in them.

    H, "*[0-9]+.[0-9]+.[0-9]+.[0-9]*", BS, "554 Bad HELO/EHLO format - connection dropped."

    This next one is a variation on the IP address greeting provided above, except that this works for a greeting with any IP address in it. (Caution here though, as Thunderbird, for instance, provides the local IP address of the machine it is running on as its greeting. The way around this is to define and allow connections from your local subnets in the Connection Control tab of MercuryS, and also check Exempt from transaction filtering for those ranges.)

    I have a few other more specific filters defined, but these two kill almost all of the rubbish.

    John.

  •  04-03-2019, 13:10, Brian Fluet (Top 10 Contributor, joined 12-24-2014, North Carolina, USA)

    Re: MercuryS: Can I block IP address in EHLO?

    TRANSFLT.MER, Here I come!

    Thank You John! 

  •  04-03-2019, 13:23, Brian Fluet (Top 10 Contributor, joined 12-24-2014, North Carolina, USA)

    Re: MercuryS: Can I block IP address in EHLO?

    I just realized that our phone system uses an IP address as the EHLO when sending voicemails out in email.  How do I accept only that IP address in the EHLO?  Will an "accept" entry in Content Control override transaction filtering?

    Edit: I just read the manual, so now I know that transaction filtering occurs before content control.  Excluding all IP addresses in the EHLO is a great idea, but I need to except 10.10.6.250.  Is there a way?

    Edit2: I found the exception list.  I also discovered that the connection from a road warrior's iDevice contains an IP address in the EHLO.  It's probably not a good idea for me to try to block IP addresses in the EHLO.

  •  04-03-2019, 16:10, Anaglypta (Top 500 Contributor, joined 09-30-2016, Luton, England)

    Re: MercuryS: Can I block IP address in EHLO?

    Hi Brian,

    As I said above, if you put 10.10.6.250 in the CONNECTION CONTROL tab of MercuryS, set it to ALLOW, and then check the EXEMPT from TRANSACTION FILTERING box, that IP will not be subject to filtering.

    You can add your whole local subnet if desired in the same way.

    John.
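To see how the HELO/EHLO filters from this thread (John's `*185.180.222.147*` line, his `*.*` negated filter and the generic IP-address filter) interact with the Connection Control exemption for 10.10.6.250, here is an added Python model that is not part of the thread and not Mercury's own matcher. It assumes that the `H` test is applied to the argument of the HELO/EHLO command, that `*` matches any run of characters, `?` exactly one character, `[...]` one character from the class, `+` one or more of the preceding class, everything else is literal, that `N` in the flag field negates the match, and that exemption is keyed on the connecting IP address; the other action letters (`R`, `S`, `B`) are carried along but not modelled. The first two sessions of the sample log are copied from Brian's post; the remaining sessions (the phone system, a hostname with digits in it, a bare `USER` greeting and an empty `EHLO`) are constructed.

```python
"""Approximate model of MercuryS transaction filtering (TRANSFLT.MER) H lines.

Added example, not Mercury's own code.  Pattern semantics, the field the H
test is applied to, and the exemption rule are assumptions stated above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Filter:
    test: str      # 'H' = test the HELO/EHLO argument
    pattern: str   # wildcard pattern as written in TRANSFLT.MER
    flags: str     # e.g. 'RSN'; only 'N' (negate) affects this model
    message: str   # SMTP reply sent before the connection is dropped


@dataclass
class Session:
    sid: str
    conn_ip: str = ""
    ehlo: Optional[str] = None   # None if the client never sent HELO/EHLO


def parse_filter_line(line: str) -> Filter:
    """Parse one line such as: H, "*.*", RSN, "554 Bad HELO/EHLO format ..." """
    m = re.match(r'\s*([A-Z]),\s*"(.*?)",\s*([A-Z]+),\s*"(.*)"\s*$', line)
    if not m:
        raise ValueError(f"cannot parse filter line: {line!r}")
    return Filter(*m.groups())


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a Mercury-style wildcard pattern into an anchored regex (assumed semantics)."""
    out: List[str] = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":                 # copy a simple class such as [0-9] as-is
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        elif c == "+":
            out.append("+")
        else:                          # '.' and everything else is literal
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def parse_log(lines: List[str]) -> Dict[str, Session]:
    """Group MercuryS session-log lines by session id, keeping the peer IP and greeting."""
    sessions: Dict[str, Session] = {}
    for line in lines:
        parts = line.split(maxsplit=4)          # T, date, time, session id, message
        if len(parts) < 5:
            continue
        sid, msg = parts[3], parts[4]
        sess = sessions.setdefault(sid, Session(sid))
        cmd, _, arg = msg.partition(" ")
        if msg.startswith("Connection from "):
            sess.conn_ip = msg.split()[2]
        elif cmd.upper() in ("EHLO", "HELO"):
            sess.ehlo = arg.strip()               # '' when the greeting is bare
    return sessions


def evaluate(sess: Session, filters: List[Filter], exempt_ips: Set[str]) -> Optional[Filter]:
    """Return the first filter that fires for this session, or None to accept."""
    if sess.conn_ip in exempt_ips or sess.ehlo is None:
        return None
    for f in filters:
        if f.test != "H":
            continue
        matched = pattern_to_regex(f.pattern).match(sess.ehlo) is not None
        if "N" in f.flags:                        # RSN: fire when the pattern does NOT match
            matched = not matched
        if matched:
            return f
    return None


def run_filters(log_lines: List[str], filter_lines: List[str],
                exempt_ips: Set[str]) -> Dict[str, Optional[str]]:
    """Map session id -> pattern of the filter that fired (None = accepted)."""
    filters = [parse_filter_line(l) for l in filter_lines]
    result: Dict[str, Optional[str]] = {}
    for sid, sess in parse_log(log_lines).items():
        hit = evaluate(sess, filters, exempt_ips)
        result[sid] = hit.pattern if hit else None
    return result


FILTER_LINES = [   # the three H filters quoted in the thread
    'H, "*185.180.222.147*", BS, "554 Bad HELO/EHLO format - connection dropped."',
    'H, "*.*", RSN, "554 Bad HELO/EHLO format - connection dropped."',
    'H, "*[0-9]+.[0-9]+.[0-9]+.[0-9]*", BS, "554 Bad HELO/EHLO format - connection dropped."',
]
EXEMPT_IPS = {"10.10.6.250"}   # the phone system: ALLOW + exempt in Connection Control

SAMPLE_LOG = [   # first two sessions from the thread; the rest are constructed
    "T 20190402 062058 5c78ee84 Connection from 196.3.195.242",
    "T 20190402 062059 5c78ee84 EHLO [185.180.222.147]",
    "T 20190402 062059 5c78ee84 AUTH LOGIN",
    "T 20190402 062100 5c78ee84 Connection closed with 196.3.195.242, 2 sec. elapsed.",
    "T 20190402 062101 5c78ee85 Connection from 178.64.50.21",
    "T 20190402 062101 5c78ee85 EHLO [185.180.222.147]",
    "T 20190402 070000 5c78ee86 Connection from 10.10.6.250",
    "T 20190402 070001 5c78ee86 EHLO 10.10.6.250",
    "T 20190402 070100 5c78ee87 Connection from 203.0.113.25",
    "T 20190402 070101 5c78ee87 EHLO mx1-f99.example.com",
    "T 20190402 070200 5c78ee88 Connection from 203.0.113.9",
    "T 20190402 070201 5c78ee88 EHLO USER",
    "T 20190402 070300 5c78ee89 Connection from 198.51.100.7",
    "T 20190402 070301 5c78ee89 EHLO",
]

if __name__ == "__main__":
    for sid, fired in run_filters(SAMPLE_LOG, FILTER_LINES, EXEMPT_IPS).items():
        print(sid, "REJECT by" if fired else "accept", fired or "")
```

Running it shows the two sessions from Brian's log caught by the specific filter, the `USER` and empty greetings caught by the negated `*.*` filter, the hostname with digits accepted, and the phone system accepted only because of the exemption; removing 10.10.6.250 from the exempt set makes the generic IP filter fire on it, which is the Thunderbird/road-warrior problem John and Brian describe.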

  •  04-03-2019, 16:13, Anaglypta (Top 500 Contributor, joined 09-30-2016, Luton, England)

    Re: MercuryS: Can I block IP address in EHLO?

    Brian,

    Re your EDIT 2 (cross posting): yes, that will be a problem, so probably best not to if any of your road warriors have dynamic IPs.

    J.
