About 1000 errors - "rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse"

BBM


Found today in my exim/rejected-log, about 1000 error messages like these (see below).

I know the hack/spam-attempts are being blocked, but I would like my server not to waste resources on this crap.
Why doesn't CSF/LFD catch these and block the IPs after the 3rd or so attempt?
What/where can I modify CSF/LFD to kick these IPs off my server faster? Change Portflood settings perhaps?


306 errors in a continuous row;
Code:
2016-04-19 08:41:27 H=(ylmf-pc) [185.121.132.3] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
...
...
2016-04-19 08:41:58 H=(ylmf-pc) [185.121.132.3] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse

400+ errors in a row;
Code:
2016-04-19 10:04:54 H=(ylmf-pc) [192.187.127.211] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
...
...
2016-04-19 10:13:27 H=(ylmf-pc) [192.187.127.211] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse

73 errors
Code:
2016-04-19 17:33:09 H=static-71-250-240-73.nwrknj.east.verizon.net (ylmf-pc) [71.250.240.73] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
...
...
2016-04-19 17:34:16 H=static-71-250-240-73.nwrknj.east.verizon.net (ylmf-pc) [71.250.240.73] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse

258 errors
Code:
2016-04-19 20:23:09 H=(ylmf-pc) [173.45.192.173] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
...
...
2016-04-19 20:24:52 H=(ylmf-pc) [173.45.192.173] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
 
Hello,

CSF/LFD does not scan logs for "rejected EHLO or HELO" and is not configured to block IPs because of "rejected EHLO or HELO". You can try and configure CSF/LFD to block the IPs; I did not test it myself and cannot guarantee that's possible.
 
What/where can I modify CSF/LFD to kick these IPs off my server faster? Change Portflood settings perhaps?
There is an option to create custom regexp lines to look for. However I would strongly advise against it, in this case.

There can be so many invalid ehlo/helo in logfiles that your number of firewall lines blocking IPs gets very large, which in fact will waste more resources than it's doing now. And you have to edit your configuration, because by default CSF/LFD only keeps 500 full and 500 temp blocks at one time, as far as I know. With any new IP added after that, the first is released again.

At this moment it's being blocked by Exim at the first possible moment, the ehlo/helo.
It will stop automatically at a certain point. We had bruteforces from Russian servers with correct ehlo/helos for a couple of weeks. You can't ban them all, and it will cost you more resources to block them all than to just sit it out.
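As an added illustration of the trade-off described in this reply (my own snippet, not code from the thread, from Exim or from CSF/LFD), the following Python script parses rejectlog lines in the format quoted above, aggregates them per source IP, and estimates how many connections a firewall block after the n-th rejection would have saved versus how many firewall entries it would cost. The log lines inside it are constructed samples in the same shape as the excerpts in this thread.

```python
"""Summarise Exim 'Bad HELO' rejections per source IP (added example)."""
import re
from datetime import datetime

# Matches both "H=(ylmf-pc) [1.2.3.4]" and "H=rdns.example (ylmf-pc) [1.2.3.4]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\] "
    r"rejected EHLO or HELO \S+: Bad HELO"
)

# Constructed sample lines (same layout as the thread's rejectlog excerpts).
SAMPLE_LOG = """\
2016-04-19 08:41:27 H=(ylmf-pc) [185.121.132.3] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2016-04-19 08:41:40 H=(ylmf-pc) [185.121.132.3] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2016-04-19 08:41:58 H=(ylmf-pc) [185.121.132.3] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2016-04-19 17:33:09 H=static-71-250-240-73.nwrknj.east.verizon.net (ylmf-pc) [71.250.240.73] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2016-04-19 17:34:16 H=static-71-250-240-73.nwrknj.east.verizon.net (ylmf-pc) [71.250.240.73] rejected EHLO or HELO ylmf-pc: Bad HELO - Blocked due to abuse
2016-04-19 17:35:00 H=(mail.example.net) [198.51.100.7] rejected EHLO or HELO mail.example.net: Bad HELO - Blocked due to abuse
"""


def summarise(lines, min_hits=1):
    """Return {ip: (hits, first_seen, last_seen)} for IPs with >= min_hits rejections."""
    stats = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # some other rejectlog entry; not a Bad HELO rejection
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits, first, last = stats.get(m["ip"], (0, ts, ts))
        stats[m["ip"]] = (hits + 1, min(first, ts), max(last, ts))
    return {ip: v for ip, v in stats.items() if v[0] >= min_hits}


def savings_if_blocked_after(stats, n):
    """(connections Exim would not have seen, firewall entries needed) if every IP
    had been firewalled right after its n-th rejection."""
    saved = sum(max(0, hits - n) for hits, _, _ in stats.values())
    entries = sum(1 for hits, _, _ in stats.values() if hits > n)
    return saved, entries


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG.splitlines())
    for ip, (hits, first, last) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        print(f"{ip:16} {hits:4d} rejections over {(last - first).total_seconds():.0f}s")
    for n in (1, 3):
        print(f"block after {n}: saves {savings_if_blocked_after(stats, n)} (connections, fw entries)")
```

Run it against a real rejectlog with `summarise(open('/var/log/exim/rejectlog').read().splitlines())` to see how many firewall entries a threshold would actually create on your server.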
 
Ok, thanks for the info and advice. I will leave it be.

I recall I have CSF/LFD set at 200 permanent IP blocks and 300 temps.
 