Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 1 reply
  • Subscribers 2 subscribers
  • Views 7917 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Email appliance groups no longer are accepting wild cards? TLD EMail Blocking.

MichaelMedwid

In the past I could block an entire TLD by adding **@**.(domain) to a group and having said group applied to a policy which sends all traffic from that TLD to quarantine. Our spam seems to come in waves from one of these funky TLD's or another. Is there a new method to tell Sophos to quaratine anything coming from say **@**.beer?



This thread was automatically locked due to age.
  • 0

    Hi Michael

    When you add **@**.domain to the "include senders" tab you are ONLY checking the envelope from field.

    I DO NOT RECOMMEND creating Top level domain rules and would only do so with EXCEPTIONAL care and attention to details.

    The FIRST thing I would check is to ensure that the delayed email queue is enabled on your appliance.

    configuration / policy / smtp options / delay queue
    ensure the top drop down is set to ON and not collect.

    This feature will wipe out most snow shoe spam on its own and should allow you to get away with out creating TLD rules.

    ---- CUT ----

    If you still insist on creating effective TLD rules please see the following 2 rules. Although these rules are as tight as possible there still may be a very small chance of a false positive. I HIGHLY recommend setting the rule to quarantine.

    In order to do it correctly you will need 2 data control rules. The first rule will check the DATA from and the second will check the ENVELOPE from.

    You MUST modify BOTH rules for each domain to exclude.

    For the sake of this example I will include .info and .tv you can add as many as you like. I do NOT recommend trying to add more then one TLD per header rule.

    Make sure you double check EVERY step is EXACTLY as listed before you enable these rules .. one missed step may cause you a world of pain.

    #1 : DATA rule checker

    under configuration / policy / data control / inbound
    add
    rule type : messages matching specific words or phrases
    enable advanced policy
    next
    rule config
    next
    message attributes
    add ( add 1 new rule for each domain, so if you have 10 domains you need to add 10 items)

    select Header from the drop down
    name From (the capital F is important)
    matches regular expression
    value : .*@.*\.domain$ (This expression is : period star AT period star slash period (domain) dollar sign)

    In English this expression is Anything or nothing in front of an @ sign Anything or nothing behind the @ sign ending in .domain
    ie : .*@.*\.tv$ or .*@.*\.info$


    click the check box "One of the message attributes must be active"
    apply
    next
    select users
    next
    main action:
    quarantine / reason keyword (or delete)
    next
    next until rule description... give it a name and activate the rule

    once you get dropped back to the rules listing make sure this rule is #1 in the list, click save order

    #2 Envelope rule

    under configuration / policy / data control / inbound
    add
    rule type : messages matching specific words or phrases
    enable advanced policy
    next
    rule config
    click on the regular expressions tab
    .* (This expression is : Period Star)
    add
    next
    message attributes
    next
    select users
    click on include sender
    custom group add
    **@**.domain
    ie: **@**.info **@**.tv
    click add
    main action:
    quarantine for keyword (or delete)
    next to the end
    give it a name, activate the rule
    once its saved move this rule directly under the previous rule and click save order.


    Final notes:

    These rules are set to quarantine messages for the reason of Keyword. If you go into the search tool change the reason on the left to keyword and it will show you all of the hits.

    ***********

    Keep in mind

    #1 that setting these rules to delete is complete destruction of mail, there is NO recycle bin mail that is deleted is GONE forever

    #2 datacontrol rules are processed BEFORE any other rules like additional policy and spam checking so if you delete email here your other rules may not trigger.

    ************

    Happy Trails.

    Complete Walk through

    Add rule type

    Enable advanced, next

    next

    Click add (your list will be blank)

    Select header

    From

    regular expression

    .*@.*\.tv$

    Apply

    (repeat this for as many domains as you need)

    select the radio button when done

    Next

    Next

    Quarantine, Reason Keyword.

    this way you can search by keyword from the UI and it will show you all the hits.

    Next

    Next

    Name it, activate it and save it

    Rule #2

    Same options for rule type

    next

    Click regular expressions tab

    enter .*  (this is an easy way to apply this rule to every inbound message)

    next

    Next

    Click include sender

    click groups

    add ALL of the TLD's you entered header rules for

    **@**.domain

    Next

    Quarantine for Keyword,

    Next

    Next

    Name it, activate it, save it

    You should see the following.

Unfiltered HTML