Email appliance groups no longer accepting wildcards? TLD email blocking.

In the past I could block an entire TLD by adding **@**.(domain) to a group and having said group applied to a policy which sends all traffic from that TLD to quarantine. Our spam seems to come in waves from one of these funky TLDs or another. Is there a new method to tell Sophos to quarantine anything coming from, say, **@**.beer?



  • Hi Michael

    When you add **@**.domain to the "include senders" tab you are ONLY checking the envelope from field.

    I DO NOT RECOMMEND creating top-level domain rules and would only do so with EXCEPTIONAL care and attention to detail.

    The FIRST thing I would check is to ensure that the delayed email queue is enabled on your appliance.

    configuration / policy / smtp options / delay queue
    ensure the top drop down is set to ON and not collect.

    This feature will wipe out most snowshoe spam on its own and should allow you to get away without creating TLD rules.

    ---- CUT ----

    If you still insist on creating effective TLD rules please see the following 2 rules. Although these rules are as tight as possible there still may be a very small chance of a false positive. I HIGHLY recommend setting the rule to quarantine.

    In order to do it correctly you will need 2 data control rules. The first rule will check the DATA from and the second will check the ENVELOPE from.

    You MUST modify BOTH rules for each domain to exclude.

    For the sake of this example I will include .info and .tv; you can add as many as you like. I do NOT recommend trying to add more than one TLD per header rule.

    Make sure you double-check EVERY step is EXACTLY as listed before you enable these rules; one missed step may cause you a world of pain.

    #1 : DATA rule checker

    under configuration / policy / data control / inbound
    add
    rule type : messages matching specific words or phrases
    enable advanced policy
    next
    rule config
    next
    message attributes
    add ( add 1 new rule for each domain, so if you have 10 domains you need to add 10 items)

    select Header from the drop down
    name From (the capital F is important)
    matches regular expression
    value : .*@.*\.domain$ (This expression is : period star AT period star slash period (domain) dollar sign)

    In English this expression is: anything or nothing in front of an @ sign, anything or nothing behind the @ sign, ending in .domain.
    i.e.: .*@.*\.tv$ or .*@.*\.info$


    click the check box "One of the message attributes must be active"
    apply
    next
    select users
    next
    main action:
    quarantine / reason keyword (or delete)
    next
    next until rule description... give it a name and activate the rule

    once you get dropped back to the rules listing make sure this rule is #1 in the list, click save order

    #2 Envelope rule

    under configuration / policy / data control / inbound
    add
    rule type : messages matching specific words or phrases
    enable advanced policy
    next
    rule config
    click on the regular expressions tab
    .* (This expression is : Period Star)
    add
    next
    message attributes
    next
    select users
    click on include sender
    custom group add
    **@**.domain
    i.e.: **@**.info **@**.tv
    click add
    main action:
    quarantine for keyword (or delete)
    next to the end
    give it a name, activate the rule
    once it's saved move this rule directly under the previous rule and click save order.


    Final notes:

    These rules are set to quarantine messages for the reason of Keyword. If you go into the search tool change the reason on the left to keyword and it will show you all of the hits.

    ***********

    Keep in mind

    #1 that setting these rules to delete is complete destruction of mail; there is NO recycle bin, mail that is deleted is GONE forever

    #2 data control rules are processed BEFORE any other rules like additional policy and spam checking, so if you delete email here your other rules may not trigger.

    ************

    Happy Trails.

    Complete Walk through

    Add rule type

    Enable advanced, next

    next

    Click add (your list will be blank)

    Select header

    From

    regular expression

    .*@.*\.tv$

    Apply

    (repeat this for as many domains as you need)

    select the radio button when done

    Next

    Next

    Quarantine, Reason Keyword.

    this way you can search by keyword from the UI and it will show you all the hits.

    Next

    Next

    Name it, activate it and save it

    Rule #2

    Same options for rule type

    next

    Click regular expressions tab

    enter .*  (this is an easy way to apply this rule to every inbound message)

    next

    Next

    Click include sender

    click groups

    add ALL of the TLDs you entered header rules for

    **@**.domain

    Next

    Quarantine for Keyword,

    Next

    Next

    Name it, activate it, save it

    You should see the following.
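As an added illustration (not part of the original post and not Sophos code), the script below applies the two checks the reply describes to a few constructed messages: the anchored From-header regex `.*@.*\.<tld>$` and the envelope-sender group entry `**@**.<tld>`. The page does not say how the appliance expands the `**` wildcard; the script assumes it behaves like the shell glob `*@*.<tld>`, which is an assumption. The sample messages are constructed; they show why the reply needs both rules (a From header on a different domain than the envelope sender), and that the `$` anchor keeps `.tv` from matching a `tv.example.com` subdomain but also misses a From header that ends in `>` because of a display name.

```python
import re
from fnmatch import fnmatchcase


def header_from_pattern(tld):
    """Build the post's From-header regex for one TLD, e.g. 'tv' -> .*@.*\\.tv$"""
    return re.compile(r".*@.*\." + re.escape(tld) + r"$")


def header_from_matches(from_header, tld):
    """Rule #1 (DATA From): True when the raw From header value matches the anchored regex."""
    return header_from_pattern(tld).match(from_header) is not None


def envelope_matches(mail_from, tld):
    """Rule #2 (ENVELOPE From): sender group entry **@**.<tld>.

    Assumption (not stated on the page): each * means 'any run of characters',
    so the entry behaves like the glob *@*.<tld>, compared case-insensitively.
    """
    return fnmatchcase(mail_from.lower(), "*@*." + tld.lower())


def classify(msg, tlds):
    """Apply the header rule first (it is #1 in the rule order), then the envelope rule.

    Returns ('quarantine', <which rule>, <tld>) or ('pass', None, None).
    """
    for tld in tlds:
        if header_from_matches(msg["from_header"], tld):
            return ("quarantine", "header", tld)
    for tld in tlds:
        if envelope_matches(msg["mail_from"], tld):
            return ("quarantine", "envelope", tld)
    return ("pass", None, None)


# The two TLDs the reply uses as its example.
TLDS = ["tv", "info"]

# Constructed sample messages (header From value, SMTP MAIL FROM address).
SAMPLES = [
    # Plain address in both places: the header rule fires.
    {"from_header": "promo@deals.tv", "mail_from": "promo@deals.tv"},
    # From header on .com, envelope sender on .info: only the envelope rule sees it.
    {"from_header": "newsletter@example.com", "mail_from": "bounce@mailer.info"},
    # Display name form ends in '>', so the $-anchored header regex misses;
    # the envelope rule still catches it.
    {"from_header": '"Bob" <bob@shop.tv>', "mail_from": "bob@shop.tv"},
    # 'tv' appears only as a subdomain label; the anchor prevents a false positive.
    {"from_header": "alice@tv.example.com", "mail_from": "alice@tv.example.com"},
    # Ordinary mail, untouched.
    {"from_header": "alice@example.com", "mail_from": "alice@example.com"},
]


def run_demo():
    """Classify every sample and return the list of verdicts."""
    verdicts = [classify(m, TLDS) for m in SAMPLES]
    for m, v in zip(SAMPLES, verdicts):
        print(f"{m['from_header']!r:32} {m['mail_from']:26} -> {v}")
    return verdicts


if __name__ == "__main__":
    run_demo()
```

The third sample is the caveat worth keeping in mind when you read the "very small chance of a false positive" remark above: the header regex is exact and anchored, so it can also miss, which is why the reply pairs it with the envelope rule and orders the header rule first.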
