rejecting 'fancy' TLDs, allowing a specified one ?

rejecting 'fancy' TLDs, allowing a specified one ?

lists-3
I have a check to reject 'fancy TLDs' as below

smtpd_sender_restrictions =
 permit_mynetworks,
 permit_sasl_authenticated,
 check_sender_access pcre:/etc/postfix/sender_pcre,
 check_sender_access pcre:/etc/postfix/reject_domains

cat /etc/postfix/reject_domains
/\.bid$/ REJECT We reject all .bid domains
/\.biz$/ REJECT We reject all .biz domains
...

that works well, but now I have a user who gets a valid inbound rejected

Dec 16 15:06:14 postfix/smtpd[8695]: NOQUEUE: reject: RCPT from
mail-sy4aus01on2077.outbound.protection.outlook.com[40.107.107.77]: 554
5.7.1 <[hidden email]>: Sender address rejected: We reject all .biz
domains; from=<[hidden email]> to=<recipient@tld> proto=ESMTP
helo=<AUS01-SY4-obe.outbound.protection.outlook.com>

is there an easy way, and how, to exempt a specified domain like
'abcd.biz' from my sender restriction ?

thanks, V



Re: rejecting 'fancy' TLDs, allowing a specified one ?

Dominic Raferd
On 16/12/2020 11:07, [hidden email] wrote:

> I have a check to reject 'fancy TLDs' as below
>
> smtpd_sender_restrictions =
>   permit_mynetworks,
>   permit_sasl_authenticated,
>   check_sender_access pcre:/etc/postfix/sender_pcre,
>   check_sender_access pcre:/etc/postfix/reject_domains
>
> cat /etc/postfix/reject_domains
> /\.bid$/ REJECT We reject all .bid domains
> /\.biz$/ REJECT We reject all .biz domains
> ...
>
> that works well, but, now have a user who gets a valid inbound rejected
>
> Dec 16 15:06:14 postfix/smtpd[8695]: NOQUEUE: reject: RCPT from
> mail-sy4aus01on2077.outbound.protection.outlook.com[40.107.107.77]: 554
> 5.7.1 <[hidden email]>: Sender address rejected: We reject all .biz
> domains; from=<[hidden email]> to=<recipient@tld> proto=ESMTP
> helo=<AUS01-SY4-obe.outbound.protection.outlook.com>
>
> is there an easy way, and how, to exempt a specified domain like
> 'abcd.biz' from my sender restriction ?

/etc/postfix/reject_domains:

/@abcd\.biz$/ DUNNO
/\.bid$/ REJECT We reject all .bid domains
/\.biz$/ REJECT We reject all .biz domains

Re: rejecting 'fancy' TLDs, allowing a specified one ?

@lbutlr
On 16 Dec 2020, at 04:14, Dominic Raferd <[hidden email]> wrote:
> /etc/postfix/reject_domains:
>
> /@abcd\.biz$/ DUNNO
> /\.bid$/ REJECT We reject all .bid domains
> /\.biz$/ REJECT We reject all .biz domains

I do this:

/.*automators\.fm$/ DUNNO
/.*counter\.social/ DUNNO
/.*ometria.email/ DUNNO
/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
/.*\.*$/ 550 Mail to or from this TLD is not allowed

The fourth line passes all the "good" TLDs that I accept mail from, based on my server's mail. The first three accept specific domains. The last tells everyone else to go away, and why.

This means I do not need to keep track of the new TLDs that are being created every day to firehose more spam, they simply get dropped almost immediately.

--
IT'S POTATO, NOT POTATOE Bart chalkboard Ep. 7F01
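As an added illustration (not code from the thread or from Postfix itself), the following Python emulates how Postfix evaluates the pcre access tables in Dominic's reply and in the allow-list variant above: the whole sender address is the lookup key, lines are tried in file order, the first match wins, and DUNNO (or no match) leaves the decision to the next restriction. It handles only the plain `/pattern/flags result` line form, and the allow-list table is an abridged copy constructed from the post.

```python
import re

# Dominic's table from the thread. The DUNNO exception must come first:
# placed after the /\.biz$/ line it would never be reached.
REJECT_DOMAINS = r"""
/@abcd\.biz$/ DUNNO
/\.bid$/ REJECT We reject all .bid domains
/\.biz$/ REJECT We reject all .biz domains
"""

# @lbutlr's allow-list style, abridged (constructed from the thread).
TLD_ALLOWLIST = r"""
/.*automators\.fm$/ DUNNO
/.*\.(com|net|org|edu|gov|ca|de|uk|us|info|name|au)$/ DUNNO
/.*\.*$/ 550 Mail to or from this TLD is not allowed
"""

# Only the plain "/pattern/flags result" line form of pcre_table(5).
LINE_RE = re.compile(r"^/(.*?)/([imsx]*)\s+(\S.*)$")


def parse_table(text):
    """Compile each table line into (regex, result), keeping file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported table line: {line!r}")
        pattern, flag_chars, result = m.groups()
        # pcre_table flags toggle the defaults: matching is case-insensitive
        # and dot matches newline unless 'i' or 's' is given to switch it off.
        flags = 0 if "s" in flag_chars else re.DOTALL
        if "i" not in flag_chars:
            flags |= re.IGNORECASE
        rules.append((re.compile(pattern, flags), result))
    return rules


def check_sender_access(table_text, sender):
    """Emulate check_sender_access with a regexp table: the whole address is
    the lookup key (no separate domain or user sub-lookups), patterns are
    tried in file order and the first match wins. DUNNO, or no match, means
    this restriction decides nothing and Postfix moves to the next one."""
    for regex, result in parse_table(table_text):
        if regex.search(sender):
            return result
    return "DUNNO"
```

Note that `/@abcd\.biz$/` exempts only addresses directly at abcd.biz; a sender at a subdomain such as sub.abcd.biz still hits the `.biz` rejection.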


Re: rejecting 'fancy' TLDs, allowing a specified one ?

Jaroslaw Rafa
On 18.12.2020 at 06:38:32 @lbutlr wrote:
> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
> /.*\.*$/ 550 Mail to or from this TLD is not allowed

Should I feel offended that Poland does not exist for you? ;)
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: rejecting 'fancy' TLDs, allowing a specified one ?

Viktor Dukhovni
In reply to this post by lists-3
On Wed, Dec 16, 2020 at 10:07:39PM +1100, [hidden email] wrote:

> that works well, but, now have a user who gets a valid inbound rejected
>
> Dec 16 15:06:14 postfix/smtpd[8695]: NOQUEUE: reject: RCPT from
> mail-sy4aus01on2077.outbound.protection.outlook.com[40.107.107.77]: 554
> 5.7.1 <[hidden email]>: Sender address rejected: We reject all .biz
> domains; from=<[hidden email]> to=<recipient@tld> proto=ESMTP
> helo=<AUS01-SY4-obe.outbound.protection.outlook.com>
>
> is there an easy way, and how, to exempt a specified domain like
> 'abcd.biz' from my sender restriction ?

Exceptions via "DUNNO", as noted by others, are of course an option, but
far better to not impose such crude measures, and not block entire TLDs.
The ".biz" TLD is now well established, and not dramatically more prone
to abuse than the others.  Best to rely on a couple of decent RBLs and
a spam-classifying content filter or milter.

--
    Viktor.

Re: rejecting 'fancy' TLDs, allowing a specified one ?

@lbutlr
In reply to this post by Jaroslaw Rafa
On 18 Dec 2020, at 07:54, Jaroslaw Rafa <[hidden email]> wrote:
> On 18.12.2020 at 06:38:32 @lbutlr wrote:
>> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
>> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>
> Should I feel offended that Poland does not exist for you? ;)

It has nothing to do with whether they exist or not, it has to do with the mail my server receives.

--
Ninety percent of true love is acute, ear-burning embarrassment.
        --Wyrd Sisters


Re: rejecting 'fancy' TLDs, allowing a specified one ?

Phil Stracchino
In reply to this post by @lbutlr
On 12/18/20 8:38 AM, @lbutlr wrote:

> On 16 Dec 2020, at 04:14, Dominic Raferd <[hidden email]> wrote:
>> /etc/postfix/reject_domains:
>>
>> /@abcd\.biz$/ DUNNO
>> /\.bid$/ REJECT We reject all .bid domains
>> /\.biz$/ REJECT We reject all .biz domains
>
> I do this:
>
> /.*automators\.fm$/ DUNNO
> /.*counter\.social/ DUNNO
> /.*ometria.email/ DUNNO
> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>
> Fourth line passes all the "good" TLDs that I accept mail from, based on my server's mail. The first three accept specific domains. The last tells everyone else to go away, and why.


Revisiting this ...  where exactly do you apply this ruleset?  I'm
looking at implementing a rule to discard all four-letter-and-above TLDs
except whitelisted ones, because I'm tired of playing whack-a-mole.

Are you using header_checks rule, or something else?


--
  Phil Stracchino
  Babylon Communications
  [hidden email]
  [hidden email]
  Landline: +1.603.293.8485
  Mobile:   +1.603.998.6958

Re: rejecting 'fancy' TLDs, allowing a specified one ?

Viktor Dukhovni
On Sat, Jan 30, 2021 at 01:20:13PM -0500, Phil Stracchino wrote:

> I'm looking at implementing a rule to discard all
> four-letter-and-above TLDs except whitelisted ones, because I'm tired
> of playing whack-a-mole.

I'd like to strongly advise against filtering by TLD.  This is a very
low quality signal.  There is no shortage of abuse mail from the
traditional gTLDs, and also a non-trivial quantity of legitimate
email from new gTLDs.

Most of the ".brand" gTLDs are not open for public registration of
subdomains, and if say citibank decided to send email from a ".citi"
subdomain, that'd be just fine.  They should be able to use the gTLD
they control.

For example, the ".info" and ".name" gTLDs are established sources of
legitimate email.  Looking at DANE-enabled domains, which junk mail
senders are unlikely to bother setting up, I see the following top 30
domain counts by TLD, indicating a population of non-abusive domains.

   6389 info
   3397 online
   1231 shop
    941 email
    825 amsterdam
    784 site
    715 cloud
    561 tech
    531 store
    402 world
    360 swiss
    330 name
    283 work
    248 space
    235 studio
    229 club
    212 agency
    197 blog
    190 academy
    185 family
    164 rocks
    158 design
    153 link
    150 live
    144 network
    138 media
    127 tips
    122 company
    120 solutions
    113 life
    ...

To filter junk mail, deploy better content-based filters.

--
    Viktor.

Re: rejecting 'fancy' TLDs, allowing a specified one ?

Dominic Raferd

On 30/01/2021 20:22, Viktor Dukhovni wrote:

> On Sat, Jan 30, 2021 at 01:20:13PM -0500, Phil Stracchino wrote:
>
>> I'm looking at implementing a rule to discard all
>> four-letter-and-above TLDs except whitelisted ones, because I'm tired
>> of playing whack-a-mole.
> I'd like to strongly advise against filtering by TLD.  This is a very
> low quality signal.  There is no shortage of abuse mail from the
> traditional gTLDs, and also a non-trivial quantity of legitimate
> email from new gTLDs.
>
> Most of the ".brand" gTLDs are not open for public registration of
> subdomains, and if say citibank decided to send email from a ".citi"
> subdomain, that'd be just fine.  They should be able to use the gTLD
> they control.
>
> For example, the ".info" and ".name" gTLDs are established sources of
> legitimate email.  Looking at DANE-enabled domains, which junk mail
> senders are unlikely to bother setting up, I see the following top 30
> domain counts by TLD, indicating a population of non-abusive domains.
>
>    ...

Viktor's advice is (as always) sound. My original reply was a
non-advisory answer to OP's question.

FWIW my approach is a bespoke header test within SpamAssassin (local.cf)
against 'EnvelopeFrom' and 'From' which adds a heavy point penalty for
TLDs that are - for us - out of the ordinary, with a few special
exceptions. My welcome-listed TLDs do not include any of those listed by
Viktor except for '.email'. But I am running private mail servers with
active quarantine management so I can tweak these settings when FPs
occur without significant risk of rejecting ham.


Re: rejecting 'fancy' TLDs, allowing a specified one ?

@lbutlr
In reply to this post by Phil Stracchino
On 30 Jan 2021, at 11:20, Phil Stracchino <[hidden email]> wrote:

> On 12/18/20 8:38 AM, @lbutlr wrote:
>> I do this:
>>
>> /.*automators\.fm$/ DUNNO
>> /.*counter\.social/ DUNNO
>> /.*ometria.email/ DUNNO
>> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
>> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>>
>> Fourth line passes all the "good" TLDs that I accept mail from, based on my server's mail. The first three accept specific domains. The last tells everyone else to go away, and why.
>
>
> Revisiting this ...  where exactly do you apply this ruleset?  I'm
> looking at implementing a rule to discard all four-letter-and-above TLDs
> except whitelisted ones, because I'm tired of playing whack-a-mole.
>
> Are you using header_checks rule, or something else?

I have a file named helo_checks.pcre which I call in main.cf in smtpd_helo_restrictions:

smtpd_helo_restrictions = reject_invalid_helo_hostname
    check_helo_access pcre:$config_directory/helo_checks.pcre
    permit

You do need to stay on top of the list of TLDs you allow; for example, in the last month since that post I have added info. I still get a lot of spam attempts from shop and email, but there's enough not-spam that I had to add them as well.

My main reason for doing this is not spam blocking per se, as SpamAssassin will reject the mails; it is more about minimizing the amount of work SA does and the number of lookups I make against the RBLs.


--
Hard work pays off in the future. Laziness pays off now.