Re: [exim] exim still accepting email after 550 from acl_che…

Author: Richard Doyle
Date:  
To: exim-users
Subject: Re: [exim] exim still accepting email after 550 from acl_check_helo
On 01/12/2016 08:15 AM, Chris Siebenmann wrote:
>> 2016-01-12 16:50:35 H=121-73-98-209.cable.telstraclear.net (ylmf-pc)
>> [121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has
>> blacklisted HELO.
>>
>> I guess it's time to feed these IPs to fail2ban.
> My experience is that you might as well immediately fail2ban anything
> that HELOs with 'ylmf-pc'. The software behind this HELO will bang away
> like mad basically regardless of what you say and what you do to it.
>
> (I believe it's not even trying to send mail, but instead is trying
> a brute force SMTP AUTH attack.)

This works for me. In acl_smtp_auth:

drop condition = ${if match{$sender_helo_name}{ylmf-pc}{yes}{no}}




>
>     - cks

>
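
Added example, not part of the original messages and not Exim or fail2ban code: a small Python scan of Exim main-log lines in the rejection format quoted above, collecting the client IPs that announced a listed HELO name so they can be handed to a ban list. The function name, the threshold parameter and every sample line except the first are constructed for illustration; the HELO is compared exactly (case-insensitively), which is a choice made for this example.

```python
import re
from collections import Counter

# Rejection line format as quoted in the thread:
#   <date> <time> H=<rdns> (<helo>) [<ip>] rejected EHLO or HELO <helo>: <text>
# Hosts without reverse DNS are logged as H=(<helo>) [<ip>]; a ":port" suffix
# follows the address when log_selector +incoming_port is set.
REJECT_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} "
    r"H=(?:(?P<rdns>\S+) )?\((?P<helo>[^)]*)\) "
    r"\[(?P<ip>[0-9A-Fa-f:.]+)\](?::\d+)? "
    r"rejected EHLO or HELO "
)

def helo_offenders(lines, bad_helos=("ylmf-pc",), threshold=1):
    """Return {ip: rejection count} for clients that used a listed HELO name.

    The HELO is compared exactly, so a name that merely contains
    'ylmf-pc' is not counted (assumption of this example).
    """
    bad = {h.lower() for h in bad_helos}
    hits = Counter()
    for line in lines:
        m = REJECT_RE.match(line)
        if m and m.group("helo").lower() in bad:
            hits[m.group("ip")] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

SAMPLE_LOG = [
    # Line from the thread, re-joined onto one line.
    "2016-01-12 16:50:35 H=121-73-98-209.cable.telstraclear.net (ylmf-pc) "
    "[121.73.98.209] rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    # Constructed lines (documentation address ranges).
    "2016-01-12 16:50:41 H=(ylmf-pc) [192.0.2.44] "
    "rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:50:43 H=(YLMF-PC) [192.0.2.44]:51234 "
    "rejected EHLO or HELO YLMF-PC: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:51:02 H=mail.example.org (not-ylmf-pc.example.org) [198.51.100.7] "
    "rejected EHLO or HELO not-ylmf-pc.example.org: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:51:10 H=(ylmf-pc) [2001:db8::25] "
    "rejected EHLO or HELO ylmf-pc: SPAM remote host has blacklisted HELO.",
    "2016-01-12 16:52:00 1aJ0Xy-0001Ab-2C <= user@example.org "
    "H=mail.example.org [198.51.100.7] P=esmtp S=1234",
]

if __name__ == "__main__":
    for ip, count in sorted(helo_offenders(SAMPLE_LOG).items()):
        print(ip, count)
```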