blacklist a complete tld range in ispconfig mail config

Discussion in 'Installation/Configuration' started by fabienne, Feb 19, 2016.

  1. fabienne

    fabienne New Member

    Hi,
    For a few days now I have been receiving a lot of spam, all coming from email addresses with the TLD .xyz.
    Is it possible to add a blacklisting rule to block all emails with a domain name ending in .xyz (or any other TLD)?
    I am sending the htf report I generated a few minutes ago.
    Thank you very much.
     

  2. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

  3. fabienne

    fabienne New Member

  4. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    glad it works :)
     
    fabienne likes this.
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Another option: recent SpamAssassin (v3.4.1 or newer) provides a list of new gTLDs coming out that are being used for spam, so you don't have to track/maintain it, just run sa-update. There are pros and cons to each approach (e.g. blocking in Postfix saves system resources).
     
    fabienne likes this.
  6. fabienne

    fabienne New Member

    Thank you! I have SpamAssassin v3.4.0 installed with the ISPConfig Perfect Server tutorial. As the updates are done automatically, I am not sure whether I can update SA manually; could it break the system?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You can run sa-update at any time manually, then restart amavisd to apply the update.
     
    fabienne likes this.
  8. sjau

    sjau Local Meanie Moderator

    Hmmmm, can't you just use ISPC's Postfix Blacklist feature with type "Sender"? Not sure how the blacklist address entry should be for the gTLD.
     
  9. fabienne

    fabienne New Member

    Thank you! I actually ran the command /usr/bin/sa-update but I didn't think to restart amavisd. I did it now; I hope this does the trick! Thank you.
     
  10. fabienne

    fabienne New Member

    Thank you! I will read up on it in the docs.
     
  11. sjau

    sjau Local Meanie Moderator

    Ok, I have now tested how to do it in ISPC directly. I was wrong with the Sender Blacklist, since that seems to require a second level domain, e.g. domain.tld.
    However, the content filter works fine.
    1. Log into ISPC
    2. Go to Email tab
    3. On the left on Global Filters select the "Content Filter"
    4. Press on "Add new Content Filter"
    5. Make sure that it uses "Header Filter"
    6. In the Regexp Pattern input enter for example:
    Code:
    /<.+?@.+?\.xyz>/
    
    7. In the Data input box you can enter some message. I use something like: "No .xyz mail allowed here"
    8. For the Action use "Reject" or "Discard"
    9. Save

    Basically what you do here is filter email headers for a specific string. In this case you look whether ".xyz>" appears somewhere in the header. I would include the closing bracket ">" as it usually shows the end of the email address. Hence the xyz is the TLD, separated from the second level domain by the ".".
    The message in the Data input box will be logged in your mail.log file, hence I like to give it some meaningful text: in case someone complains about not having received an email, you can then figure out quickly which filter was applied and correct the situation.
    Also, if you select "Reject" then the mail will bounce back to the sender with the corresponding information that you set in the Data input box.
    If you select "Discard", then Postfix will just silently delete the mail.

    I'll need to update my email tool to submit gTLDs to the blacklist also.
     
    Last edited: Mar 9, 2016
    ztk.me and fabienne like this.
  12. fabienne

    fabienne New Member

    Thank you so much!!! It helps me understand the content filters as well. Thanks a lot!
     
  13. sjau

    sjau Local Meanie Moderator

    I'm currently updating my little helper tool. I have several servers and I want to apply spam filters and stuff on them all. So I made a little helper script in PHP, since I run apache/php on my notebook, that allows me to easily add stuff to the filters.
     
  14. sjau

    sjau Local Meanie Moderator

  15. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Something like /<.+@.+\.xyz>/ might help a small bit with false positives. Offhand, does your script set a timestamp when an entry was added or should be expired, sjau?
     
  16. sjau

    sjau Local Meanie Moderator

    good catch about the @ :)

    Nah, my script just runs locally and uses the API to add stuff to ISPC. By default, the global mail filters do not have an expiration date. However, I think you could use the "data" field to add a timestamp and then regularly run a script to purge instead.
     
  17. sjau

    sjau Local Meanie Moderator

    Addon:
    Making it a bit less greedy seems better:
    Code:
    /<.+?@.+?\.xyz>/
    
     
  18. sjau

    sjau Local Meanie Moderator

    Just today, I started getting spam from .bid TLD:

    Code:
    tail -f /var/log/mail.log | grep TLD
    Mar  1 09:50:41 manager postfix/cleanup[19833]: 6CDE19E643B2: reject: header Received: by server.cegyb.bid id hqlbu2000dso for <[email protected]>; Mon, 29 Feb 2016 20:57:04 -0500 (envelope-from <[email protected]>) from server.cegyb.bid[37.139.22.244]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<server.cegyb.bid>: 5.7.1 Spam not tolerated here - header - bid (TLD)
    Mar  1 09:50:41 manager postfix/cleanup[19833]: 814739E643B2: reject: header Received: by server.cegyb.bid id hqlbu2000dso for <[email protected]>; Mon, 29 Feb 2016 20:57:41 -0500 (envelope-from <[email protected]>) from server.cegyb.bid[37.139.22.244]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<server.cegyb.bid>: 5.7.1 Spam not tolerated here - header - bid (TLD)
    Mar  1 09:50:41 manager postfix/cleanup[19833]: 900D49E643B2: reject: header Received: by server.cegyb.bid id hqlbu2000dso for <[email protected]>; Mon, 29 Feb 2016 22:08:16 -0500 (envelope-from <[email protected]>) from server.cegyb.bid[37.139.22.244]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<server.cegyb.bid>: 5.7.1 Spam not tolerated here - header - bid (TLD)
    Mar  1 09:50:41 manager postfix/cleanup[19833]: 9D7649E643B2: reject: header Received: by server.cegyb.bid id hqlbu2000dso for <[email protected]>; Mon, 29 Feb 2016 22:09:39 -0500 (envelope-from <[email protected]>) from server.cegyb.bid[37.139.22.244]; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<server.cegyb.bid>: 5.7.1 Spam not tolerated here - header - bid (TLD)
    
     
  19. Hello all, first: I'm sorry but my English is really bad.
    I do not quite understand exactly the parameters defined in this post.
    I need to block the domain "@xxxxxx.xxx" and I used the header filter "/<.+?@.+?\xxxxxx.xxx>/" but it is not working for me.
    Can someone explain to me the use of each of the parameters of the string "/<.+?@.+?\.xyz>/" or else show me an example of use for this particular case?
     
  20. recin

    recin Active Member

    I think in your case it should be "/<[email protected]>/"
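    To see what the header filter from posts 11, 15 and 17 actually rejects, and what each piece of /<.+?@.+?\.xyz>/ means (the question in post 19), here is an added example that is not code from the thread, ISPConfig or Postfix: it replays the patterns over constructed header lines, using Python's re module as a stand-in for Postfix's pcre tables.

```python
import re

# Constructed header lines, one logical header per entry, as header_checks sees
# them (Postfix unfolds multi-line headers first). None of these is real mail.
SAMPLE_HEADERS = [
    "From: Alice <alice@mailer.example.xyz>",         # .xyz sender: should be hit
    "To: Dave <dave@EXAMPLE.XYZ>",                    # upper case, still .xyz
    "Received: from relay.example.net (envelope-from <bounce@lists.example.xyz>)",
    "From: Bob <bob@example.com>",                    # legitimate
    'From: "promo.xyz news" <promo@example.com>',     # .xyz only in the display name
    "From: Carol <carol@xyz.example.org>",            # xyz is a label, not the TLD
    "Subject: see <http://example.xyz> for details",  # .xyz in a URL, no address
]

# The patterns from the thread. Reading /<.+?@.+?\.xyz>/ left to right:
#   <     literal '<' that opens the bracketed address
#   .+?   one or more of any character, as few as possible (the local part)
#   @     literal '@'
#   .+?   as few characters as possible (the domain labels before the TLD)
#   \.    a literal dot; an unescaped '.' would match any single character
#   xyz>  the TLD, followed by the '>' that closes the address
PATTERNS = {
    "non_greedy": r"<.+?@.+?\.xyz>",  # posts 11 and 17
    "greedy":     r"<.+@.+\.xyz>",    # post 15
    "no_at":      r"<.+?\.xyz>",      # same idea without the '@', for comparison
}


def header_checks(pattern, headers=SAMPLE_HEADERS):
    """Return the header lines a Postfix-style pcre header_checks entry would hit.

    Each logical header line is tested on its own. Postfix pcre and regexp
    tables match case-insensitively unless the 'i' flag is turned off, so the
    same flag is used here. Only whether a line matches counts, so greedy and
    non-greedy quantifiers reject the same lines.
    """
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in headers if rx.search(h)]


def compare(patterns=PATTERNS, headers=SAMPLE_HEADERS):
    """Map each pattern name to the header lines it rejects."""
    return {name: header_checks(pat, headers) for name, pat in patterns.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name}: rejects {len(hits)} of {len(SAMPLE_HEADERS)} sample headers")
        for line in hits:
            print("    ", line)
```

    The Received line is rejected as well: header_checks inspects every header, which is why the rejections logged in post 18 quote a Received header rather than From.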
     
