EHLO command received: ylmf-pc

An interesting bot-style attack, if you see this in your logs.
Normally originating from DUL/dynamic addressing ranges, this is a high-impact attack: the bot simply connects to a mail server, issues a HELO/EHLO of ylmf-pc, and then drops the connection.

While it does not actually generate any email or spam, it can tie up mail server processes, or even become a DoS if enough connections arrive at once.

Interestingly, it is not exclusive to DUL networks; we also see it originating from certain hosting/co-location facilities. In one case, a company operating as ‘webexxpurts.com’ (no contact information on its web page), which advertises co-location and cPanel hosting, is also generating these attacks.

176.61.138.110 : Host 110.138.61.176.in-addr.arpa. not found: 3(NXDOMAIN)
176.61.138.133 : Host 133.138.61.176.in-addr.arpa. not found: 3(NXDOMAIN)
176.61.138.145 : Host 145.138.61.176.in-addr.arpa. not found: 3(NXDOMAIN)
176.61.138.154 : Host 154.138.61.176.in-addr.arpa. not found: 3(NXDOMAIN)
176.61.138.174 : Host 174.138.61.176.in-addr.arpa. not found: 3(NXDOMAIN)
176.61.138.180 : 180.138.61.176.in-addr.arpa domain name pointer ptr180.greenourlives.com.
176.61.138.190 : Host 190.138.61.176.in-addr.arpa. not found: 3(NXDOMAIN)
176.61.138.197 : Host 197.138.61.176.in-addr.arpa. not found: 3(NXDOMAIN)

Either way, using blocking techniques before an SMTP process is spawned for the connection can help you, and blocking those IP(s) should be safe.
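As an added example (not code from the original post), here is a small Python script that tallies ylmf-pc HELO/EHLO events per source address from mail log lines and turns repeat offenders into a block list. The log lines are constructed for the example and their exact format (an "EHLO command received: NAME from HOST[IP]" line per session) is an assumption; the threshold, the `count_helo_events`, `sources_to_block` and `client_access_map` names, and the "address action" output form are also this example's choices, not something the post specifies.

```python
"""Count ylmf-pc HELO/EHLO events per client IP and build a block list.

The log format below is a constructed sample, not the original post's log.
"""
import re
from collections import Counter

# Constructed sample log lines (assumed format; addresses 203.0.113.x are documentation space).
SAMPLE_LOG = """\
Mar 01 10:00:01 mx smtpd[4711]: connect from unknown[176.61.138.110]
Mar 01 10:00:01 mx smtpd[4711]: EHLO command received: ylmf-pc from unknown[176.61.138.110]
Mar 01 10:00:01 mx smtpd[4711]: disconnect from unknown[176.61.138.110]
Mar 01 10:00:05 mx smtpd[4712]: connect from mail.example.org[203.0.113.5]
Mar 01 10:00:05 mx smtpd[4712]: EHLO command received: mail.example.org from mail.example.org[203.0.113.5]
Mar 01 10:00:09 mx smtpd[4713]: EHLO command received: ylmf-pc from unknown[176.61.138.110]
Mar 01 10:00:12 mx smtpd[4714]: EHLO command received: ylmf-pc from unknown[176.61.138.133]
Mar 01 10:00:20 mx smtpd[4715]: EHLO command received: ylmf-pc from ptr180.greenourlives.com[176.61.138.180]
Mar 01 10:00:31 mx smtpd[4716]: EHLO command received: ylmf-pc from unknown[176.61.138.110]
Mar 01 10:00:40 mx smtpd[4717]: EHLO command received: ylmf-pc from ptr180.greenourlives.com[176.61.138.180]
"""

# Matches the HELO/EHLO name and the client IPv4 address in the assumed line format.
HELO_RE = re.compile(
    r"EHLO command received: (?P<helo>\S+) from \S+\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def count_helo_events(lines, helo_name="ylmf-pc"):
    """Return a Counter of client IPs that announced the given HELO/EHLO name."""
    hits = Counter()
    for line in lines:
        m = HELO_RE.search(line)
        if m and m.group("helo").lower() == helo_name.lower():
            hits[m.group("ip")] += 1
    return hits


def sources_to_block(hits, threshold=2):
    """IPs seen at least `threshold` times, most active first, then by address."""
    return sorted(
        (ip for ip, n in hits.items() if n >= threshold),
        key=lambda ip: (-hits[ip], ip),
    )


def client_access_map(ips, action="REJECT ylmf-pc HELO scanner"):
    """Render 'address action' lines, the form Postfix check_client_access tables use."""
    return [f"{ip} {action}" for ip in ips]


if __name__ == "__main__":
    counts = count_helo_events(SAMPLE_LOG.splitlines())
    for ip, n in counts.most_common():
        print(f"{ip:<16} {n} ylmf-pc EHLO(s)")
    print()
    print("\n".join(client_access_map(sources_to_block(counts))))
```

The threshold keeps a single stray probe from generating a block entry, while sources that keep reconnecting (the behaviour described above) end up in the map; feeding the rendered lines into a client access table, or a firewall rule set, rejects the client before the SMTP session does any work.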
