Blocking “ylmf-pc” on cPanel with Exim

Issue: Lockouts are being reported where the remote host identifies itself as “ylmf-pc”. This is a known agent.

Solution: Add appropriate filtering in the Exim configuration to block this host / agent.

SSH into server and…

Check log to confirm:

grep -i ylmf-pc /var/log/exim_mainlog

Is there a heloblocks file?

nano /etc/heloblocks

If so, append the following (if not, go ahead and enter the following):

ylmf-pc

Visit WHM and navigate to:
Home >> Service Configuration >> Exim Configuration Manager >> Advanced Editor
Look for: custom_begin_smtp_helo

and add the following:

drop
  condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}}
  log_message = HELO/EHLO - HELO on heloblocks Blocklist
  message = HELO on heloblocks Blocklist
accept

Restart Exim.

Test…

Open a terminal on another host and enter command:

telnet mail.hostname.com 25

Wait for the welcome message to display and enter:

helo ylmf-pc

The connection should be terminated. The following is an example of the test:

[email protected] [~]# telnet mail.hostname.com 25
Trying xxx.xxx.xxx.xxx...
Connected to mail.hostname.com.
Escape character is '^]'.
220-mail.hostname.com ESMTP Exim 4.89 #1 Sat, 18 Feb 2017 08:32:50 -0500
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk email.
helo ylmf-pc
550 HELO on heloblocks Blocklist
Connection closed by foreign host.
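
To go beyond the single grep in the "Check log to confirm" step, the following added example (not part of the original post) summarises ylmf-pc activity per source IP and counts how many attempts the new ACL rejected at HELO. The function names are hypothetical, and the sample log lines are constructed with documentation IP addresses and assume the usual Exim main log wording, which can vary between versions.

```shell
#!/bin/sh
# Added example: summarise "ylmf-pc" HELO activity in an Exim main log.
# Usage: sh ylmf_report.sh /var/log/exim_mainlog   (no argument = built-in sample)

# Constructed sample lines; IPs are from the documentation ranges.
sample_log() {
cat <<'EOF'
2017-02-18 08:30:01 dovecot_login authenticator failed for (ylmf-pc) [203.0.113.5]:51234: 535 Incorrect authentication data (set_id=info@example.com)
2017-02-18 08:30:04 dovecot_login authenticator failed for (ylmf-pc) [203.0.113.5]:51301: 535 Incorrect authentication data (set_id=admin@example.com)
2017-02-18 08:30:09 dovecot_login authenticator failed for (ylmf-pc) [198.51.100.7]:40022: 535 Incorrect authentication data (set_id=test@example.com)
2017-02-18 08:31:00 SMTP connection from (mail.example.net) [192.0.2.10]:25001 closed by QUIT
2017-02-18 08:33:10 H=(ylmf-pc) [203.0.113.5]:51777 rejected EHLO or HELO ylmf-pc: HELO/EHLO - HELO on heloblocks Blocklist
EOF
}

# Print "count ip" for each source IP that announced itself as ylmf-pc,
# busiest first. Matches the "(ylmf-pc) [ip]" pair Exim writes for the peer.
ylmf_by_ip() {
    grep -io '(ylmf-pc) \[[0-9a-f.:]*\]' "$1" |
        sed 's/.*\[\(.*\)\]/\1/' |
        sort | uniq -c | sort -rn |
        awk '{print $1, $2}'
}

# Count the lines where the HELO ACL rejected ylmf-pc, i.e. the block is
# working. grep -c exits non-zero on zero matches, so mask that status.
ylmf_blocked() {
    grep -ic 'rejected EHLO or HELO ylmf-pc' "$1" || true
}

log="${1:-}"
if [ -z "$log" ]; then
    # No log given: run against the constructed sample instead.
    log=$(mktemp)
    sample_log > "$log"
fi

echo "ylmf-pc hits per source IP:"
ylmf_by_ip "$log"
echo "rejected at HELO: $(ylmf_blocked "$log")"
```

After the ACL is in place, the authenticator-failure lines for ylmf-pc should stop growing while the rejected count rises.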
