Community Discussions and Support
MercuryS: Can I block IP address in EHLO?

From the command line, you can run the following commands to create firewall rules that ban all traffic to and from an address:

netsh advfirewall firewall add rule name="From 1.2.3.4" dir=in interface=any action=block remoteip=1.2.3.4/32
netsh advfirewall firewall add rule name="To 1.2.3.4" dir=out interface=any action=block remoteip=1.2.3.4/32


Hi All,


My MercuryS is logging repeated attempts from various "connection from" IP addresses, but they all have the same IP address in the EHLO. Please let me know if there is a way to block on that EHLO IP address.

Rolf, is this something that your smtpevt daemon would detect?  I haven't gotten it in place yet but it's on my "to get to" list.   

Here is a snippet from the log.

T 20190402 062058 5c78ee84 Connection from 196.3.195.242
T 20190402 062059 5c78ee84 EHLO [185.180.222.147]
T 20190402 062059 5c78ee84 AUTH LOGIN
T 20190402 062100 5c78ee84 Connection closed with 196.3.195.242, 2 sec. elapsed.
T 20190402 062101 5c78ee85 Connection from 178.64.50.21
T 20190402 062101 5c78ee85 EHLO [185.180.222.147]
T 20190402 062102 5c78ee85 AUTH LOGIN
T 20190402 062103 5c78ee85 Connection closed with 178.64.50.21, 2 sec. elapsed.


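As an added example (not part of the thread or of Mercury), a short Python pass over log lines in the MercuryS format quoted above: it pairs each session's "Connection from" address with its EHLO argument and reports any greeting presented by several different source addresses, which is the pattern Brian describes. The sample log is constructed from the snippet plus one legitimate session, and the `min_sources` threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the MercuryS log format from the thread:
# "T <yyyymmdd> <hhmmss> <session-id> <event>". The last session is
# an invented, well-behaved client for contrast.
SAMPLE_LOG = """\
T 20190402 062058 5c78ee84 Connection from 196.3.195.242
T 20190402 062059 5c78ee84 EHLO [185.180.222.147]
T 20190402 062059 5c78ee84 AUTH LOGIN
T 20190402 062100 5c78ee84 Connection closed with 196.3.195.242, 2 sec. elapsed.
T 20190402 062101 5c78ee85 Connection from 178.64.50.21
T 20190402 062101 5c78ee85 EHLO [185.180.222.147]
T 20190402 062102 5c78ee85 AUTH LOGIN
T 20190402 062103 5c78ee85 Connection closed with 178.64.50.21, 2 sec. elapsed.
T 20190402 062110 5c78ee86 Connection from 203.0.113.9
T 20190402 062110 5c78ee86 EHLO mail.example.net
T 20190402 062112 5c78ee86 Connection closed with 203.0.113.9, 2 sec. elapsed.
"""

LINE_RE = re.compile(r"^T \d{8} \d{6} (?P<sid>\w+) (?P<event>.*)$")
CONN_RE = re.compile(r"^Connection from (?P<ip>\S+)$")
HELO_RE = re.compile(r"^(?:EHLO|HELO)(?: (?P<arg>.*))?$")

def parse_sessions(log_text):
    """Map session id -> {'ip': source address, 'helo': greeting argument}."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sid, event = m.group("sid"), m.group("event")
        conn = CONN_RE.match(event)
        helo = HELO_RE.match(event)
        if conn:
            sessions[sid]["ip"] = conn.group("ip")
        elif helo:
            sessions[sid]["helo"] = (helo.group("arg") or "").strip()
    return dict(sessions)

def shared_helo_report(log_text, min_sources=2):
    """Return {helo_arg: sorted source IPs} for every greeting that was
    presented by at least `min_sources` distinct connecting addresses."""
    sources = defaultdict(set)
    for s in parse_sessions(log_text).values():
        if "ip" in s and "helo" in s:
            sources[s["helo"]].add(s["ip"])
    return {helo: sorted(ips) for helo, ips in sources.items()
            if len(ips) >= min_sources}
```

The report's keys are candidate values for a transaction filter line such as the one John gives below.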

Hi Brian,

You can do that with Transaction Filtering with a line like this:-

H, "*185.180.222.147*", BS, "554 Bad HELO/EHLO format - connection dropped."

 

John.

EDIT:- The file you want is TRANSFLT.MER which is in the Mercury root folder, and don't forget to enable transaction level expression filtering in the COMPLIANCE tab of the MercuryS config.

J.[:)]


I have only a DSL account and my IP changes every 24 hours. I am using the following:

H, "[EHeh][EHeh][LOlo][LOlo]??", RS, "554 Illegal HELO, connection refused."

Connection from 45.79.13.119, Mon Apr 01 02:37:21 2019
EHLO
Host 45.79.13.119 added to short-term blacklist
554 Illegal HELO, connection refused.
15 sec. elapsed, connection closed Mon Apr 01 02:37:36 2019



Thank you both.  I have enabled transaction filter and placed the line from John in TRANSFLT.MER.

Sellerie, yours looks more 'all purpose' but my regex is rudimentary so I'm wondering how it works. I see where it detects all upper and lower case variations of "EHLO" and "HELO", but I'm curious about the double question marks instead of an asterisk. Is it simply that checking for two trailing characters is all that is needed, or is there something more meaningful about "??"?


The ?? are for connections where the sender sends a greeting followed only by a space or nothing else. Normally, after the HELO comes the name of the sender (EHLO mail-oi1-f99.google.com) or simply its IP address (if the sender uses your external IP = spammer, close connection). If you use the asterisk, you would match ALL after the HELO...

 


Hi Brian,

I hope the filter is working for you!

I think transaction filtering is great. It has little overhead on the server and allows Mercury to drop any matching connections without having to receive the body of the email. A couple of filters will blitz a huge amount of junk. I use the following two filters:-

H, "*.*", RSN, "554 Bad HELO/EHLO format - connection dropped."

This first one says that if the HELO/EHLO greeting does NOT contain a dot or period, reject the connection. This gets rid of all the common greetings like USER, WINDOWS, SERVER etc., as well-behaved mail servers will provide a FQDN as their greeting, so will have at least one dot in them.

H, "*[0-9]+.[0-9]+.[0-9]+.[0-9]*", BS, "554 Bad HELO/EHLO format - connection dropped."

This next one is a variation on the IP address greeting provided above, except that this works for a greeting with any IP address in it. (Caution here though, as Thunderbird, for instance, provides the local IP address of the machine it is running on as its greeting. The way around this is to define and allow connections from your local subnets in the connection control tab of MercuryS, and also check Exempt from transaction filtering for those ranges.)

I have a few other more specific filters defined, but these two kill almost all of the rubbish.

John.


TRANSFLT.MER, Here I come!

Thank You John! 


I just realized that our phone system uses an IP address as the EHLO when sending voicemails out in email. How do I accept only that IP address in the EHLO? Will an "accept" entry in Content Control override transaction filtering?

Edit: I just read the manual so now know that transaction filtering occurs before content control. Excluding all IP addresses in the EHLO is a great idea but I need to except 10.10.6.250. Is there a way?

Edit2: I found the exception list. I also discovered that the connection from a road warrior's iDevice contains an IP address in the EHLO. It's probably not a good idea for me to try to block IP addresses in the EHLO.


Hi Brian,

As I said above, if you put 10.10.6.250 in the CONNECTION CONTROL tab of MercuryS, and set to ALLOW, then check the EXEMPT from TRANSACTION FILTERING box, that IP will not be subject to filtering.

You can add your whole local subnet if desired in the same way.

John.

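A Python model, added here and not Mercury's own matcher, of the evaluation order John describes in this and his earlier post: hosts exempted via CONNECTION CONTROL skip transaction filtering entirely, then rule 1 rejects greetings without a dot and rule 2 rejects greetings containing an IPv4 address. The exempt ranges, sample greetings and rule labels are constructed assumptions; Mercury's wildcard syntax is not reproduced, only the intent of the two H lines.

```python
import ipaddress
import re

# Plain-Python reading of the two TRANSFLT.MER rules from the thread
# (assumption: rule 1 = greeting must contain a dot, rule 2 = greeting must
# not embed an IPv4 address). Both rules use the same rejection text.
IPV4_IN_HELO = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
REJECT_MSG = "554 Bad HELO/EHLO format - connection dropped."

# Constructed stand-ins for CONNECTION CONTROL entries set to ALLOW with
# "Exempt from transaction filtering": the phone system and a local subnet.
EXEMPT_RANGES = [ipaddress.ip_network("10.10.6.250/32"),
                 ipaddress.ip_network("192.168.1.0/24")]

def is_exempt(source_ip):
    """True if the connecting address falls inside an exempt range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in EXEMPT_RANGES)

def evaluate_helo(source_ip, helo_arg):
    """Return (accepted, reason) for one HELO/EHLO greeting.

    The exemption is checked first: exempt hosts never reach the H rules,
    which is what lets the phone system or a LAN desktop greet with a bare
    IP literal while the same greeting from the internet is rejected."""
    if is_exempt(source_ip):
        return True, "exempt via connection control"
    if "." not in helo_arg:
        return False, "rule 1 (no dot): " + REJECT_MSG
    if IPV4_IN_HELO.search(helo_arg):
        return False, "rule 2 (IP address): " + REJECT_MSG
    return True, "accepted"

# Constructed greetings covering the cases raised in the thread.
SAMPLE_GREETINGS = [
    ("196.3.195.242", "[185.180.222.147]"),      # the reused IP literal
    ("203.0.113.9", "WINDOWS"),                  # no FQDN, no dot
    ("203.0.113.9", "mail-oi1-f99.google.com"),  # well-behaved FQDN
    ("10.10.6.250", "[10.10.6.250]"),            # phone system, exempt
    ("192.168.1.23", "[192.168.1.23]"),          # Thunderbird on the LAN
    ("198.51.100.7", "[198.51.100.7]"),          # road warrior, not exempt
]

def run_sample():
    """Evaluate every constructed greeting; returns (ip, helo, accepted, reason)."""
    return [(ip, helo) + evaluate_helo(ip, helo) for ip, helo in SAMPLE_GREETINGS]
```

The last sample shows Brian's Edit2 problem: a legitimate mobile client from a non-exempt address is rejected by rule 2 exactly like the spam sessions.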

Brian,

Re your EDIT 2 (cross posting): yes, that will be a problem, so probably best not to if any of your road warriors have dynamic IPs.

J.
