How to block mail coming from a domain


How to block mail coming from a domain

Enrico Morelli
Dear,

these days my mail server is receiving a lot of mail coming from a
domain ending with .monster. Every day the central part of the domain
changes:

diabetes.monster
identitese.monster
copcamm.monster
saersruf.monster
tymeshare.monster
adcbd.monster
winrow.monster
omeinsu.monster

I tried to put .monster or *.monster in sender_access but it doesn't work.
Is there a way to block *.monster mails?

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

Re: How to block mail coming from a domain

Wesley Peng-4


on 2019/9/26 16:34, Enrico Morelli wrote:
> I tried to put .monster or *.monster in sender_access but doesn't work.
> Is there a way to block *.monster mails?

Can you set up SpamAssassin for a domain blacklist?

regards.

Re: How to block mail coming from a domain

Enrico Morelli
On Thu, 26 Sep 2019 16:37:14 +0800
Wesley Peng <[hidden email]> wrote:

> on 2019/9/26 16:34, Enrico Morelli wrote:
> > I tried to put .monster or *.monster in sender_access but doesn't
> > work. Is there a way to block *.monster mails?  
>
> Can you setup spamassassin for domain blacklist?
>
> regards.

How can I do that?

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

Re: How to block mail coming from a domain

Wesley Peng-4


on 2019/9/26 16:42, Enrico Morelli wrote:
>> Can you setup spamassassin for domain blacklist?
>>
>> regards.
> How can do that?

The SpamAssassin whitelist and blacklist options can include globs, not
regular expressions. The valid metacharacters are ? and * to match 0-1
or 0-many characters respectively. This is the same as a shell glob.

To blacklist mail from foo.com and *.foo.com the following should work:

blacklist_from *@foo.com
blacklist_from *.foo.com

Don't be tempted to blacklist *foo.com, lest you inadvertently block
[hidden email].

Regards.

Re: How to block mail coming from a domain

Enrico Morelli
In reply to this post by Enrico Morelli
On Thu, 26 Sep 2019 10:42:46 +0200
Enrico Morelli <[hidden email]> wrote:

> On Thu, 26 Sep 2019 16:37:14 +0800
> Wesley Peng <[hidden email]> wrote:
>
> > on 2019/9/26 16:34, Enrico Morelli wrote:  
> > > I tried to put .monster or *.monster in sender_access but doesn't
> > > work. Is there a way to block *.monster mails?    
> >
> > Can you setup spamassassin for domain blacklist?
> >
> > regards.  
>
> How can do that?
>

In /etc/spamassassin/local.cf I put:

blacklist_from *.monster

Is it correct?

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

Re: How to block mail coming from a domain

Matus UHLAR - fantomas
In reply to this post by Enrico Morelli
On 26.09.19 10:34, Enrico Morelli wrote:

>in this days my mail server receiving a lot of mail coming from a
>domain ending with .monster. Every day the central part of the domain
>change:
>
>diabetes.monster
>identitese.monster
>copcamm.monster
>saersruf.monster
>tymeshare.monster
>adcbd.monster
>winrow.monster
>omeinsu.monster
>
>I tried to put .monster or *.monster in sender_access but doesn't work.
>Is there a way to block *.monster mails?

.monster should work; maybe you should set parent_domain_matches_subdomains
to an empty value.

I have a local dnsbl (and rhsbl) provided by an rbldnsd server, which can
include a *.monster record, and I use that dnsbl for mail rejection.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!

Re: How to block mail coming from a domain

Henrik K
On Thu, Sep 26, 2019 at 11:44:11AM +0200, Matus UHLAR - fantomas wrote:

> On 26.09.19 10:34, Enrico Morelli wrote:
> >in this days my mail server receiving a lot of mail coming from a
> >domain ending with .monster. Every day the central part of the domain
> >change:
> >
> >diabetes.monster
> >identitese.monster
> >copcamm.monster
> >saersruf.monster
> >tymeshare.monster
> >adcbd.monster
> >winrow.monster
> >omeinsu.monster
> >
> >I tried to put .monster or *.monster in sender_access but doesn't work.
> >Is there a way to block *.monster mails?
>
> .monster should work, maybe you should set parent_domain_matches_subdomains
> to empty value.
>
> I have local dnsbl (and rhsbl) provided by rbldnsd server, that can include
> *.monster record and I use that dnsbl for mail rejection.

Obviously these will only work for envelope sender.  Most likely needing
header_checks /^From:.*\.monster/ here..


Re: How to block mail coming from a domain

Enrico Morelli
In reply to this post by Matus UHLAR - fantomas
On Thu, 26 Sep 2019 11:44:11 +0200
Matus UHLAR - fantomas <[hidden email]> wrote:

> On 26.09.19 10:34, Enrico Morelli wrote:
> >in this days my mail server receiving a lot of mail coming from a
> >domain ending with .monster. Every day the central part of the domain
> >change:
> >
> >diabetes.monster
> >identitese.monster
> >copcamm.monster
> >saersruf.monster
> >tymeshare.monster
> >adcbd.monster
> >winrow.monster
> >omeinsu.monster
> >
> >I tried to put .monster or *.monster in sender_access but doesn't
> >work. Is there a way to block *.monster mails?  
>
> .monster should work, maybe you should set
> parent_domain_matches_subdomains to empty value.
>
> I have local dnsbl (and rhsbl) provided by rbldnsd server, that can
> include *.monster record and I use that dnsbl for mail rejection.
>

Very interesting. Is it easy to set up a local rbldnsd server?
Do you follow some guide?

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

Re: How to block mail coming from a domain

Dominic Raferd
In reply to this post by Henrik K
On Thu, 26 Sep 2019 at 10:52, Henrik K <[hidden email]> wrote:
>
> On Thu, Sep 26, 2019 at 11:44:11AM +0200, Matus UHLAR - fantomas wrote:
> > On 26.09.19 10:34, Enrico Morelli wrote:
> > >in this days my mail server receiving a lot of mail coming from a
> > >domain ending with .monster...
>
> Obviously these will only work for envelope sender.  Most likely needing
> header_checks /^From:.*\.monster/ here..
>
Of course this assumes a pcre (or maybe regex) file. To ensure it picks
up only email addresses in the From header (and not text), then, using
a pcre file for header_checks:

if /^From:/
/\.monster>?\s*$/ REJECT
# add other From header checks here...
endif

Re: How to block mail coming from a domain

@lbutlr
In reply to this post by Henrik K
On Sep 26, 2019, at 03:51, Henrik K <[hidden email]> wrote:
> Obviously these will only work for envelope sender.  Most likely needing
> header_checks /^From:.*\.monster/ here..

Yep. I use header checks to block most top level domains, letting only a dozen or so through and rejecting all the rest since it is impossible to keep up with all the new TLDs and most of them are cesspits of spammer scum.


Or wretched hives of villainy, if you prefer.



Re: How to block mail coming from a domain

Matus UHLAR - fantomas
In reply to this post by Henrik K
>> On 26.09.19 10:34, Enrico Morelli wrote:
>> >in this days my mail server receiving a lot of mail coming from a
>> >domain ending with .monster. Every day the central part of the domain
>> >change:
>> >
>> >diabetes.monster
>> >identitese.monster
>> >copcamm.monster
>> >saersruf.monster
>> >tymeshare.monster
>> >adcbd.monster
>> >winrow.monster
>> >omeinsu.monster
>> >
>> >I tried to put .monster or *.monster in sender_access but doesn't work.
>> >Is there a way to block *.monster mails?

>On Thu, Sep 26, 2019 at 11:44:11AM +0200, Matus UHLAR - fantomas wrote:
>> .monster should work, maybe you should set parent_domain_matches_subdomains
>> to empty value.
>>
>> I have local dnsbl (and rhsbl) provided by rbldnsd server, that can include
>> *.monster record and I use that dnsbl for mail rejection.

On 26.09.19 12:51, Henrik K wrote:
>Obviously these will only work for envelope sender.  Most likely needing
>header_checks /^From:.*\.monster/ here..

I further use a local blacklist in SpamAssassin using check_uridnsbl and
check_rbl. Yes, explicit rules are sometimes needed but I prefer generic...
--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.

Re: How to block mail coming from a domain

Matus UHLAR - fantomas
In reply to this post by Enrico Morelli
>> On 26.09.19 10:34, Enrico Morelli wrote:
>> >in this days my mail server receiving a lot of mail coming from a
>> >domain ending with .monster. Every day the central part of the domain
>> >change:
>> >
>> >diabetes.monster
>> >identitese.monster
>> >copcamm.monster
>> >saersruf.monster
>> >tymeshare.monster
>> >adcbd.monster
>> >winrow.monster
>> >omeinsu.monster
>> >
>> >I tried to put .monster or *.monster in sender_access but doesn't
>> >work. Is there a way to block *.monster mails?

>On Thu, 26 Sep 2019 11:44:11 +0200
>Matus UHLAR - fantomas <[hidden email]> wrote:
>> .monster should work, maybe you should set
>> parent_domain_matches_subdomains to empty value.
>>
>> I have local dnsbl (and rhsbl) provided by rbldnsd server, that can
>> include *.monster record and I use that dnsbl for mail rejection.

On 26.09.19 11:58, Enrico Morelli wrote:
>Very interesting. Is it easy to setup a local rbldnsd server?
>Do you follow some guide?

I followed Debian's /etc/default/rbldnsd and its manual pages.
dnsbl can be used by postscreen_dnsbl_sites (if you use postscreen, which I
recommend) and reject_rbl_client.

rhsbl can be further used by reject_rhsbl_sender, reject_rhsbl_recipient,
reject_rhsbl_client and reject_rhsbl_reverse_client

both can be used by spamassassin.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.

Re: How to block mail coming from a domain

Enrico Morelli
On Thu, 26 Sep 2019 12:12:31 +0200
Matus UHLAR - fantomas <[hidden email]> wrote:

> >> On 26.09.19 10:34, Enrico Morelli wrote:  
> >> >in this days my mail server receiving a lot of mail coming from a
> >> >domain ending with .monster. Every day the central part of the
> >> >domain change:
> >> >
> >> >diabetes.monster
> >> >identitese.monster
> >> >copcamm.monster
> >> >saersruf.monster
> >> >tymeshare.monster
> >> >adcbd.monster
> >> >winrow.monster
> >> >omeinsu.monster
> >> >
> >> >I tried to put .monster or *.monster in sender_access but doesn't
> >> >work. Is there a way to block *.monster mails?  
>
> >On Thu, 26 Sep 2019 11:44:11 +0200
> >Matus UHLAR - fantomas <[hidden email]> wrote:  
> >> .monster should work, maybe you should set
> >> parent_domain_matches_subdomains to empty value.
> >>
> >> I have local dnsbl (and rhsbl) provided by rbldnsd server, that can
> >> include *.monster record and I use that dnsbl for mail rejection.  
>
> On 26.09.19 11:58, Enrico Morelli wrote:
> >Very interesting. Is it easy to setup a local rbldnsd server?
> >Do you follow some guide?  
>
> I followed Debian's /etc/default/rbldnsd and its manual pages.
> dnsbl can be used by postscreen_dnsbl_sites (if you use postscreen,
> which I recomment) and reject_rbl_client
>
> rhsbl can be further used by reject_rhsbl_sender,
> reject_rhsbl_recipient, reject_rhsbl_client and
> reject_rhsbl_reverse_client
>
> both can be used by spamassassin.
>

I've searched in my Debian 10 packages but there isn't postscreen.
Is it bundled with the new postfix version? In Debian 10 I have postfix
3.4.5
 

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

Re: How to block mail coming from a domain

Dominic Raferd
On Thu, 26 Sep 2019 at 11:24, Enrico Morelli <[hidden email]> wrote:
> I've search in my Debian 10 packages but there isn't postscreen.
> Is it in bundle with new postfix version? In Debian 10 I've postfix
> 3.4.5

Yes it is a standard part of postfix - try 'man postscreen'

Re: How to block mail coming from a domain

Enrico Morelli
On Thu, 26 Sep 2019 11:29:38 +0100
Dominic Raferd <[hidden email]> wrote:

> On Thu, 26 Sep 2019 at 11:24, Enrico Morelli <[hidden email]>
> wrote:
> > I've search in my Debian 10 packages but there isn't postscreen.
> > Is it in bundle with new postfix version? In Debian 10 I've postfix
> > 3.4.5  
>
> Yes it is a standard part of postfix - try 'man postscreen'

Good. In the master.cf I have

smtp      inet  n       -       y       -       -       smtpd
#smtp      inet  n       -       y       -       1       postscreen

To enable postscreen, do I have to uncomment the second line and comment
the first one?

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------

Re: How to block mail coming from a domain

Matus UHLAR - fantomas
>> On Thu, 26 Sep 2019 at 11:24, Enrico Morelli <[hidden email]>
>> wrote:
>> > I've search in my Debian 10 packages but there isn't postscreen.
>> > Is it in bundle with new postfix version? In Debian 10 I've postfix
>> > 3.4.5

>On Thu, 26 Sep 2019 11:29:38 +0100
>Dominic Raferd <[hidden email]> wrote:
>> Yes it is a standard part of postfix - try 'man postscreen'

On 26.09.19 12:48, Enrico Morelli wrote:
>Good. In the master.cf I've
>
>smtp      inet  n       -       y       -       -       smtpd
>#smtp      inet  n       -       y       -       1       postscreen
>
>to enable postscreen have I to uncomment the second line and comment
>the first one?

you should follow the document
http://www.postfix.org/POSTSCREEN_README.html

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !

Re: How to block mail coming from a domain

Vu Ngoc VU
In reply to this post by Enrico Morelli
> Date: Thu, 26 Sep 2019 12:22:33
> From: Enrico Morelli <[hidden email]>
> To: [hidden email]
> Subject: Re: How to block mail coming from a domain
> I've search in my Debian 10 packages but there isn't postscreen.
> Is it in bundle with new postfix version? In Debian 10 I've postfix
> 3.4.5

Hello, as written in the POSTSCREEN README, it's in postfix since 2.8

Re: How to block mail coming from a domain

@lbutlr
In reply to this post by Dominic Raferd
On Sep 26, 2019, at 4:01 AM, Dominic Raferd <[hidden email]> wrote:
> Of course this assumes pcre (or maybe regex) file. To ensure it picks
> up only email addresses in From header (and not text), then, using
> pcre file for header_checks:

No, you do the checks for the helo, not the From: header.

The idea is to drop the connection as soon as possible, as cheaply as possible.

 check_helo_access pcre:/etc/postfix/helo_checks.pcre

# Specific domain exceptions
/goodserver\.fm$/ DUNNO
/\.goodserver\.fm$/ DUNNO
/allowed\.social$/ DUNNO
/\.allowed\.social$/ DUNNO
/bad\.com/ 550 Mail from bad.com not wanted
/\.bad\.com/ 550 Mail from bad.com not wanted

#general
/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fr|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
/.*\.*$/ 550 Mail to or from this TLD is not allowed

Of course, the list of domains to accept mail from is up to you, but these work for me. I am considering adding .fm to my allowed list as I haven’t seen much spam from it for quite a while.



--
Footnote on the High Energy Magic building: It was here that the thaum,
hitherto believed to be the smallest possible particle of magic, was
successfully demonstrated to be made up of resons (lit: 'Thing-ies) or
reality fragments. Currently research indicates that each reson is
itself made up of a combination of at least five 'flavours', known as
'up', 'down', 'sideways', 'sex appeal' and 'peppermint’.
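
Added example (not code from any poster in this thread): a small Python model of how Postfix evaluates a pcre table, with first match winning and `if`/`endif` scoping, run against the From-header rules from Dominic Raferd's reply and the HELO allowlist table in the message above. The `REJECT` action on Henrik K's one-line pattern, the `lookup` helper and all sample headers and HELO names are assumptions constructed for illustration; flags after the closing `/` are ignored and matching is case-insensitive, which is the pcre_table default.

```python
import re

# "/pattern/flags action" or "if /pattern/flags" (flags are ignored in this model)
RULE = re.compile(r"^(if\s+)?/(.+?)/[A-Za-z]*(?:\s+(.*))?$")

def lookup(table, text):
    """Return the action of the first matching rule, or None if nothing matches."""
    skip = 0  # > 0 while inside an if-block whose condition failed
    for line in map(str.strip, table.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line == "endif":
            skip = max(0, skip - 1)
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"cannot parse rule: {line!r}")
        is_if, pattern, action = m.groups()
        hit = re.search(pattern, text, re.IGNORECASE) is not None
        if is_if:
            if skip or not hit:
                skip += 1
        elif not skip and hit:
            return action
    return None

# Pattern from Henrik K's reply; the REJECT action is assumed, the post gives none.
HENRIK = r"/^From:.*\.monster/ REJECT"
# Table from Dominic Raferd's reply.
DOMINIC = r"""
if /^From:/
/\.monster>?\s*$/ REJECT
# add other From header checks here...
endif
"""
# One exception, the allowlist and the catch-all from the HELO table above.
HELO = r"""
/goodserver\.fm$/ DUNNO
/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fr|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
/.*\.*$/ 550 Mail to or from this TLD is not allowed
"""

FROM_HEADERS = [  # constructed sample headers
    "From: Offers <deal@diabetes.monster>",
    "From: deal@winrow.monster",
    'From: "Cookie.Monster fan club" <news@example.org>',
]
HELO_NAMES = ["mail.goodserver.fm", "mx.example.com", "mx1.diabetes.monster"]  # constructed

def run():
    return {
        "henrik": [lookup(HENRIK, h) for h in FROM_HEADERS],
        "dominic": [lookup(DOMINIC, h) for h in FROM_HEADERS],
        "helo": [lookup(HELO, n) for n in HELO_NAMES],
    }

if __name__ == "__main__":
    for name, actions in run().items():
        print(name, actions)
```

`DUNNO` means the table makes no decision and Postfix moves on to the next restriction. The third sample header shows the unanchored pattern rejecting a sender whose display name merely contains `.monster`, which the anchored rule inside the `if` block leaves alone.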


Re: How to block mail coming from a domain

lists@lazygranch.com
In reply to this post by Enrico Morelli


On Thu, 26 Sep 2019 10:46:27 +0200
Enrico Morelli <[hidden email]> wrote:

> On Thu, 26 Sep 2019 10:42:46 +0200
> Enrico Morelli <[hidden email]> wrote:
>
> > On Thu, 26 Sep 2019 16:37:14 +0800
> > Wesley Peng <[hidden email]> wrote:
> >
> > > on 2019/9/26 16:34, Enrico Morelli wrote:  
> > > > I tried to put .monster or *.monster in sender_access but
> > > > doesn't work. Is there a way to block *.monster mails?    
> > >
> > > Can you setup spamassassin for domain blacklist?
> > >
> > > regards.  
> >
> > How can do that?
> >
>
> In /etc/spamassassin/local.cf I putted:
>
> blacklist_from *.monster
>
> Is it correct?
>

I have been doing the following.

In the main.cf, note the spamsources:

smtpd_client_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
  reject_unknown_reverse_client_hostname,
  check_client_access hash:/etc/postfix/spamsources
smtpd_sender_restrictions =
  permit_sasl_authenticated,
  permit_mynetworks,
  reject_unauth_destination,
  reject_unknown_address,
  check_sender_access hash:/etc/postfix/spamsources

I have a file called spamsources. The basic pattern is a TLD, 500, and
a friendly message:

------
stream 500 your message
download 500 your message
top 500 your message
xyz 500 your message
-----------

You need to postmap the file to make spamsources.db

These goofy tlds are cheap to buy, hence a spam source.
http://data.iana.org/TLD/tlds-alpha-by-domain.txt
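
Added example (not from any poster in this thread): a Python model of the lookup keys Postfix tries for check_sender_access on an indexed table such as hash:, following the access(5) manual page. It shows why `.monster` and `*.monster` in sender_access matched nothing under the default settings, why the bare-TLD keys in the spamsources file above do match, and what Matus UHLAR's parent_domain_matches_subdomains suggestion changes. The function names, the `REJECT` actions and the sample address are assumptions for illustration; address extensions are not modelled.

```python
def domain_keys(domain, parent_style=True):
    """Keys tried for a domain, most specific first.

    parent_style=True models the default, where smtpd_access_maps is listed in
    parent_domain_matches_subdomains: parents are tried as "example.tld" and
    finally "tld". With parent_style=False (the setting emptied) they are tried
    as ".example.tld" and finally ".tld".
    """
    keys, name = [], domain.lower()
    while name:
        keys.append(name)
        dot = name.find(".", 1)
        if dot < 0:
            break
        name = name[dot + 1:] if parent_style else name[dot:]
    return keys

def sender_keys(address, parent_style=True):
    """Order from access(5): user@domain, domain and parents, then user@."""
    local, _, domain = address.rpartition("@")
    return [address.lower(), *domain_keys(domain, parent_style), local.lower() + "@"]

def check_sender_access(table, address, parent_style=True):
    """Return the action of the first key present in the table, else DUNNO."""
    for key in sender_keys(address, parent_style):
        if key in table:
            return table[key]
    return "DUNNO"

# Entries as tried in the original question (action assumed). An indexed table
# does no globbing, so "*.monster" is a literal key that is never looked up.
ASKED = {".monster": "REJECT", "*.monster": "REJECT"}
# Bare-TLD key, the form used in the spamsources file (action assumed).
BARE_TLD = {"monster": "REJECT"}
SENDER = "deal@mail.diabetes.monster"  # constructed sample envelope sender

if __name__ == "__main__":
    print(sender_keys(SENDER))
    print(sender_keys(SENDER, parent_style=False))
    print(check_sender_access(ASKED, SENDER))                      # default settings
    print(check_sender_access(ASKED, SENDER, parent_style=False))  # setting emptied
    print(check_sender_access(BARE_TLD, SENDER))                   # default settings
```

As Henrik K notes earlier in the thread, these lookups see only the envelope sender, not the From: header.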