ylmf-pc

Webfoundry

It seems many servers suffer problems from exim2 attacks by multiple IPs from the same machine-name "ylmf-pc".
Normally originating from DUL/Dynamic addressing ranges, this is a high-impact attack, which simply connects to a mail server, issues a HELO/EHLO of ylmf-pc, and then exits the connection.

While not actually generating any email or spam, it can consume mail processes, or even be a DoS if enough connections come in.
Interestingly, it is not exclusive to DUL networks; we also see it originating from certain hosting/co-location facilities.

Blocking IPs is not really the solution, as they might vary from day to day.

Does anyone know a solution that will block these, based on machine-name, rather than IP?
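As an added example (not from this thread or from DirectAdmin), the pattern described above can be spotted on the server side from Exim's "no MAIL in SMTP connection" log lines, which Exim writes when the `+smtp_no_mail` log selector is enabled. The exact field layout is assumed here and the sample mainlog lines are constructed, not real traffic.

```python
import re
from collections import defaultdict

# Assumed layout of Exim's smtp_no_mail line: timestamp, optional "(helo)",
# "[ip]:port", session duration D= and the SMTP commands seen C=.
NO_MAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+) no MAIL in SMTP connection from "
    r"(?:\((?P<helo>[^)]*)\) )?\[(?P<ip>[^\]]+)\](?::\d+)? "
    r"D=(?P<dur>\S+) C=(?P<cmds>\S+)"
)

# Constructed sample lines: one HELO name from many source IPs, each session
# ending right after EHLO, which is the behaviour described in the thread.
SAMPLE_LOG = """\
2014-05-23 10:00:01 no MAIL in SMTP connection from (ylmf-pc) [192.0.2.10]:51234 D=1s C=EHLO,QUIT
2014-05-23 10:00:02 no MAIL in SMTP connection from (ylmf-pc) [192.0.2.11]:51235 D=0s C=HELO
2014-05-23 10:00:03 no MAIL in SMTP connection from (ylmf-pc) [198.51.100.7]:4012 D=2s C=EHLO,QUIT
2014-05-23 10:00:04 no MAIL in SMTP connection from (mail.example.net) [203.0.113.5]:25 D=0s C=EHLO,STARTTLS,QUIT
2014-05-23 10:00:05 no MAIL in SMTP connection from (ylmf-pc) [192.0.2.10]:51300 D=1s C=EHLO,QUIT
2014-05-23 10:00:06 no MAIL in SMTP connection from [203.0.113.9]:33001 D=0s C=EHLO,QUIT
"""

def parse_no_mail(lines):
    """Yield (helo, ip) for each matching line; other log lines are skipped."""
    for line in lines:
        m = NO_MAIL_RE.match(line)
        if m:
            yield m.group("helo") or "<none>", m.group("ip")

def helo_summary(lines):
    """Map HELO name -> (connection count, set of distinct source IPs)."""
    counts, ips = defaultdict(int), defaultdict(set)
    for helo, ip in parse_no_mail(lines):
        counts[helo] += 1
        ips[helo].add(ip)
    return {h: (counts[h], ips[h]) for h in counts}

def suspicious_helos(lines, min_ips=3):
    """HELO names seen from at least min_ips distinct IPs that never sent MAIL.
    Keying on the HELO name rather than the IP is what makes this useful when
    the source addresses change from day to day."""
    return sorted(h for h, (_, ips) in helo_summary(lines).items() if len(ips) >= min_ips)

if __name__ == "__main__":
    for helo, (n, ips) in sorted(helo_summary(SAMPLE_LOG.splitlines()).items()):
        print(f"{helo:20s} connections={n} distinct_ips={len(ips)}")
    print("suspicious:", suspicious_helos(SAMPLE_LOG.splitlines()))
```

Run it against a real mainlog by replacing `SAMPLE_LOG.splitlines()` with an open file handle; the threshold `min_ips` is a starting point to tune per server.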
 
Some previous versions of exim.conf require a newer version of exim.pl, however I think exim.pl is automatically upgraded when you run ./build exim_conf - I think this is what you need to do:

Code:
cd /usr/local/directadmin/custombuild
./build update
./build set eximconf yes
./build set eximconf_release 4.4
./build update
./build exim_conf

Then restart exim:
Code:
systemctl restart exim.service
or
Code:
service exim restart

If you do not already run the newest version of exim, also upgrade it:

Code:
./build exim
 
Also I am not sure if it is needed to recompile dovecot and dovecot.conf, so do that just in case:

Code:
./build dovecot_conf
./build dovecot
 
Thanks ditto. Everything went smoothly, and within 2 or 3 minutes.
Now I'm curious if I got rid of ylmf-pc.

Martynas also confirmed it was perfectly safe to upgrade exim, so ...
Thanks for your kind help all.
Sixten
 