
How to block ylmf-pc connections in cPanel EXIM

If ylmf-pc appears in your server's exim_mainlog (you can check by running the command below)

grep -i ylmf-pc /var/log/exim_mainlog

then your server is most likely under a brute-force attack by the ylmf-pc attacker.
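To see which source addresses the attempts come from, the check above can be extended into a per-IP count. This is an added example, not part of the original article: the function names and sample log lines are constructed, and it assumes Exim logs the client's HELO name as (name) directly before the bracketed [ip], as in the sample.

```shell
#!/bin/sh
# Added example: count log entries per source IP for one HELO name.

# write_sample_log: constructed lines shaped like Exim auth-failure entries.
write_sample_log() {
cat <<'EOF'
2017-06-07 10:15:32 dovecot_login authenticator failed for (ylmf-pc) [203.0.113.5]:51234: 535 Incorrect authentication data (set_id=info)
2017-06-07 10:15:33 dovecot_login authenticator failed for (ylmf-pc) [203.0.113.5]:51240: 535 Incorrect authentication data (set_id=admin)
2017-06-07 10:15:40 dovecot_login authenticator failed for (YLMF-PC) [198.51.100.7]:40022: 535 Incorrect authentication data (set_id=sales)
2017-06-07 10:16:01 dovecot_login authenticator failed for (ylmf-pc) [203.0.113.5]:51301: 535 Incorrect authentication data (set_id=test)
2017-06-07 10:16:05 dovecot_login authenticator failed for (mail.example.net) [192.0.2.9]:2525: 535 Incorrect authentication data (set_id=ylmf-pc)
EOF
}

# helo_hits_by_ip HELO LOGFILE
# Prints "count ip" lines, busiest source first. Only an exact "(HELO)" field
# followed by "[ip]" counts, so a line that merely mentions the string
# elsewhere (the last sample line, which grep -i would match) is ignored.
# The comparison is case-insensitive, like the grep -i check.
helo_hits_by_ip() {
    awk -v helo="$1" '
        BEGIN { want = "(" tolower(helo) ")" }
        {
            for (i = 1; i < NF; i++) {
                if (tolower($i) == want && $(i + 1) ~ /^\[[0-9A-Fa-f:.]+\]/) {
                    ip = $(i + 1)
                    sub(/^\[/, "", ip)      # drop the opening bracket
                    sub(/\].*$/, "", ip)    # drop "]" and the :port suffix
                    hits[ip]++
                    break
                }
            }
        }
        END { for (ip in hits) print hits[ip], ip }
    ' "$2" | sort -k1,1nr -k2,2
}

# Demo on the constructed sample; on a server, pass /var/log/exim_mainlog.
sample=$(mktemp)
write_sample_log > "$sample"
helo_hits_by_ip ylmf-pc "$sample"
rm -f "$sample"
```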

To stop this attack and reject the authentication attempts, you can add a filter to the Exim configuration through the cPanel/WHM interface. To add such a block, follow these steps:

  • SSH into the server and create a file named /etc/heloblocks
  • Add the strings to block, one per line, for example ylmf-pc. If you have more strings to block, put each one on its own line
  • Log in to WHM and navigate to WHM > Exim Configuration Manager > Advanced Editor
  • Find (Ctrl + F) the box named custom_begin_smtp_helo
  • Add this code to that box:
drop 
  condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}} 
  log_message = HELO/EHLO - HELO on heloblocks Blocklist 
  message = HELO on heloblocks Blocklist 
accept
  • Scroll down to the bottom of the page and save the configuration. Wait for Exim to restart
  • To test, open a terminal or command shell and run this command:

telnet mail.example.com 25

Then, after receiving the welcome message, type this:

helo ylmf-pc

You should be disconnected immediately, and you should see a log message indicating the block.

Updated on 7 June, 2017
