1. Home
  2. cPanel
  3. How to block ylmf-pc connections in cPanel EXIM

How to block ylmf-pc connections in cPanel EXIM

If your server contains ylmf-pc in the exim_mainlog (you can check it by running command)

cat /var/log/exim_mainlog | grep -i ylmf-pc

then your server is most likely under brute force attack by ylmf-pc attacker.

To stop this attack and reject authentication attempts, you can add filtering in Exim configuration file in cPanel/WHM interface. Do add such block, implement the following steps:

  • SSH into the server and create file named /etc/heloblocks
  • Add strings to block, one per line. For example, ylmf-pc. If you have more strings to block, put them on a new line each
  • Login to WHM and navigate to WHM > Exim Configuration Manager > Advanced Editor
  • Find (Ctrl + F) a box named custom_begin_smtp_helo
  • Add this code into this box:
drop 
  condition = ${lookup{$sender_helo_name}lsearch{/etc/heloblocks}{yes}{no}} 
  log_message = HELO/EHLO - HELO on heloblocks Blocklist 
  message = HELO on heloblocks Blocklist 
accept
  • Scroll down to the bottom of the page and Save configuration. Wait for Exim to restart
  • To test, open terminal or command shell and run this command

telnet mail.example.com 25

then after receiving the welcome message, type this:

helo ylmf-pc

You should immediately get disconnected and you should see a log message indicating the block

Updated on March 25, 2017

Was this article helpful?

Related Articles

Add A Comment