block custom ehlo RSS

1

Hi!
I'm trying to block pretty well known bruteforce attack from EHLO ylmf-pc. You may google "ehlo ylmf-pc" - it's very popular.
So I have added "ylmf-pc" expression (without quotes) to user-defined helo domain blacklist and enabled HELO Blacklist filter Before Arrival.
But no success. I can still see those attacks in exchange smtp log.
What am I doing wrong?
Thanks!

by adm.ivn 3 years ago
2

@adm.ivn: Hello adm.ivn,

If the expression "ylmf-pc" is indeed on the user-defined helo domain blacklist, but ORF still allows connections from that domain, it means that that the HELO Blacklist test itself is not enabled, or ORF is not using the new configuration yet. Please try to save the ORF configuration in order to apply the new settings ('Ctrl + S' or 'File > Save Configuration') and make sure that the test is "ON" and assigned to at least one filtering point on the Filtering > Tests page.

If the above does not solve the issue, verify that the configured expression is correct by using the domain name test dialog of the HELO Blacklist (Blacklists > HELO Blakclist > Configure > Test).

Please, let me know if this has helped.

by Daniel Novak (Vamsoft) 3 years ago
(in reply to this post)

3

HELO Blacklist test is ON and filtering point is set to Before arrival. Confoguration is saved.
I have also tried this simple text expressions: ymlf-pc and *ymlf-pc*. Now I have changed text expression to regular expression: ^([^.]+\.)*ylmf-pc$. Let's see if it help. It seems this attack happens only at night, so I'll let you know tomorrow.

And one more question. I have enabled recipient validation test Before arrival. And it seems to work regarding ORF log. But I can still see all that "550 5.1.1 Bad destination mailbox address" errors in exchange smtp protocol log (C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive). Is it normal? I thought ORF should close that connections before they reach exchange.

by adm.ivn 3 years ago
4

The protocol logs of Exchange will always contain the entire communication that occurs between the messaging servers, so there is nothing to worry about. I am sure that the recipient validation test is working properly.

It is important to note, however, that ORF does not relay, queue or reject any emails on its own, it only communicates with the underlying IIS SMTP/Exchange server - via the ORF SMTP Module - and tells it what to respond to the sending server during the SMTP transmission. It does not and cannot act as a proxy, since it does not have its own SMTP engine. You can learn more about the filtering process in general at http://vamsoft.com/support/docs/how-tos/orf-101-5.4

by Daniel Novak (Vamsoft) 3 years ago
5

@adm.ivn: A couple of points to check:

In your HELO Blacklist screen, you probably want all 3 options checked (Is Malformed, Is same as recipient domain, Is not a FQDN)

It looks like you may be new to regex on ORF. I don't know if it is always necessary but I have always started my ORF Regex's with .* So, you may want to try this HELO regex:
.*ylmf\-pc

As always, monitor your results in case you get something unexpected.

by Sam Russo 3 years ago
(in reply to this post)

6

@Sam Russo: Thanks Sam, I will try your regex. But my regex (^([^.]+\.)*ylmf-pc$) was created with the help of ORF. I just entered ylmf-pc and choose Domain+subdomains and ORF generated that regex.
Anyway it seems my helo filter still doesn't work. I can see all that attacks in Exchange smtp logs and nothing in ORF log.

by adm.ivn 3 years ago
(in reply to this post)

7

@adm.ivn: Hello adm.ivn,

At this point I would suggest that we review your ORF configuration and the ORF log files to see what is causing the issue. I would appreciate if you could send us () the following for analysis:

1) The ORF configuration file called 'orfent.ini'. It can be found in the ORF program directory (default: \Program Files (x86)\ORF Fusion)

2) A few recent ORF '.log' files (e.g. orf-2016-04-04.log). They can be found on the configured logging path (default: \Program Files (x86)\ORF Fusion)

3) The relevant Exchange protocol log(s)

by Daniel Novak (Vamsoft) 3 years ago
(in reply to this post)

8

I think I have figured it out myself.
HELO filter actually works, but not as expected for me.
Here is an example:

telnet mail.mydomain.com 25
220 mail.mydomain.com
ehlo ylmf-pc
250-server1.mydomain.com Hello [1.1.1.1]
250-SIZE 52428800
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250 XRDST
mail from:
250 2.1.0 Sender OK
rcpt to:
550 5.7.1 Mailbox unavailable. HELO/EHLO domain "ylmf-pc" is rejected.

So we can see that ORF rejects only after Mail From and Rcpt to commands.
And here is an example of that bruteforce attack:

220 mail.mydomain.com,
EHLO ylmf-pc,
SMTPSubmit SMTPAcceptAnySender SMTPAcceptAuthoritativeDomainSender AcceptRoutingHeaders,Set Session Permissions
250-server1.mydomain.com Hello [112.132.111.9],
250-SIZE 52428800,
250-PIPELINING,
250-DSN,
250-ENHANCEDSTATUSCODES,
250-STARTTLS,
250-X-ANONYMOUSTLS,
250-AUTH NTLM,
250-X-EXPS GSSAPI NTLM,
250-8BITMIME,
250-BINARYMIME,
250-CHUNKING,
250 XRDST,
AUTH LOGIN,
Tarpit for '0.00:00:05' due to '504 5.7.4 Unrecognized authentication type',
504 5.7.4 Unrecognized authentication type,
Remote(SocketError)

It tries AUTH LOGIN command, it doesn't try to send an email to somebody. That auth type is not enabled on my server, so Exchange closes connection itself. And ORF do not generate any logs.

I just wanted to ask if it is normal ORF's behaviour? Shouldn't ORF close smtp connection immediately after wrong HELO?

Thanks!

by adm.ivn 3 years ago
9

@adm.ivn: Yes, it is the normal behavior. If ORF were to instruct your mail server to close the SMTP connection right after a HELO Blacklist hit, you would not be able to whitelist emails based on information that is submitted only at a later point (e.g. the sender or recipient address). If you check the test order at http://vamsoft.com/support/docs/orf-help/5.4/tests, you can see that all whitelist tests are performed before the HELO Blacklist.

by Daniel Novak (Vamsoft) 3 years ago
(in reply to this post)

10

Yes, you are right :) I forgot about whitelists.
But it would be great if you could implement an option to change HELO test priority in new ORF versions.
I'll add this to feature requests.
Thanks!

by adm.ivn 3 years ago

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

Nickname:
Email address (will not be published):
Your comment:

ORF Technical Support

Configuring, installing and troubleshooting ORF.

News & Announcements

Your dose of ORF-related news and announcements.

Everything but ORF

Discuss Exchange and system administration with fellow admins.

Feature Test Program

Feature Test Program discussion. Membership is required to visit this forum.

ORF Beta

Join the great bug hunt of the latest test release.

Customer Service

Stay Informed