This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Block single domain when blocklist set to quarantine.

Hi,

Using the SEA,

I have already configured the standard blocklist to quarantine various messages and do not want to change this.

However - I have a domain I would like to discard all traffic from.

I have added the domain to a phrase filter set to discard but the emails still flow through. The rule is moved to top of the list but not triggering?

I have tried adding the domain as: *@domain.com and just @domain.com neither method works.

Am I missing an obvious solution? can anyone help?

Thanks,

Tony

This thread was automatically locked due to age.

0 Red_Warrior over 5 years ago

DISCLAIMER: this response contains information that could have unexpected results. DO NOT SET ANY RULES TO DISCARD as there is no "recycle bin" DISCLAIMER

always set the main action to quarantine until you are sure your rules work exactly as expected insurance you need to retrieve a false positive.

Hi Tony,

If you mean you have changed filtering options to quarantine.. that may not be the best idea..

in short:

the results "should" be the same, except if you leave it to discard.. any connecting mta that is blacklisted would be dropped by postfix at the connection level.

this is good because your appliance is not wasting its time processing mail from bad senders.

this is bad because it means its ruling all your policy against all of this mail that should be dropped.. so any policy that may say "deliver immediately" or other scanning rules could be delivered when it should never have been accepted in the first place.

Before going on, I highly recommend you have a look at my KB on spam settings: community.sophos.com/.../120802

In regards to dropping mail from a domain. here is an example : community.sophos.com/.../118845

configuration / policy / allow/block list / block list

you will see a pop up with HOSTS and SENDERS tabs

HOSTS: should be root domains or ips / cidar ranges .. IE google.com 129.0.0.0/8 etc

SENDERS: checks the DATA from .. IE: @domain.com

do not try and use any wild cards or similar.. If this does not work then chances are the mta and data senders may be mixed up .. or similar.

another option would be to create a watch list rule. the sample KB can be found here: community.sophos.com/.../117383

under additional policy ..

add:

watch list

select users : choose the Include sender (this makes the rule ONLY apply to who you enter next)

check custom groups

**@mydomain.com

ADD

main action : quarantine

next, name it, save it.

Email Globs .. the short version...

email globs are specifically used for email address matching... they are slightly different

for example

One * means 1 word between a qualifier .. it is not a "normal" wildcard .. like delete *.*

*@mydomain.com

would match:

joe@mydomain.com

it would not match

jimmy.joe@mydomain.com or

jimmy@mysubdomain.mydomain.com

** means match any number of words regardless

**@mydomain.com

would match any number of chars in front of the @

jimmy.bob.is.a.real.cool.dude@mydomain.com

likewise:

**@**.mydomain.com

would NOT match jimmy.bob@mydomain.com

but it would match

any.thing.in.front.of@with.any.number.of.sub.domains.mydomain.com

there are two other common ones you could use in the (message attributes) rules .. under regular expressions.. they are:

.* = means match anything OR nothing ..

and $ means ends in ..

Examples:

match a blank or null string: may be useful for emails with no subject for example. but again be very careful with rules like this.

^\s*$

top level domain (when used with a watch list rule like above you could target all mail from a tld or country)

.*@.*\.tv$

or a combination .. like

**@domain.com$

means anything in front of the @ that specifically ends in domain.com

there are some cases where you may need multiple rules to accomplish the goal.. for example ..

there are 2 rules you could use to search for all mail from .info and .tv domains.

again .. do NOT set these rules to discard.

here is an example using all of the examples listed above ...

BELOW is an example of using all of the above matching to match both ENVELOPE and DATA senders.

This sample would quarantine any mail from .info and .tv top level domains.

BE VERY VERY CAREFUL with these rules.

NOTE: mail that is quarantined for the reason of KEYWORD will not show up in the quarantine digest.. but you CAN search through the UI .. this will allow you to see all of the hits on the rules..

two rules are required:

#1 : DATA rule checker

under configuration / policy / data control / inbound
add
rule type : messages matching specific words or phrases
enable advanced policy
next
rule config
next
message attributes
add
select Header from the drop down
name From (the capital F is important)
matches regular expression
value : .*@.*\.domain$
ie : .*@.*\.tv$ or .*@.*\.info$
apply
next
select users
next
main action:
quarantine / reason keyword
next
next until rule description... give it a name and activate the rule

once you get dropped back to the rules listing make sure this rule is #1 in the list, click save order

#2 Envelope rule

under configuration / policy / data control / inbound
add
rule type : messages matching specific words or phrases
enable advanced policy
next
rule config
click on the regular expressions tab
.*
add
next
message attributes
next
select users{}
click on include sender
custom group add
**@**.tv
ie: **@**.info
click add
main action:
quarantine for keyword
next to the end
give it a name, activate the rule
once its saved move this rule directly under the previous rule and click save order.

in closing.

the SEA is an exceptional email appliance, in regards to rules.. the skys the limit.. just always make sure your rules are as specific as possible to avoid false positives.

have fun..
Cancel
Vote Up 0 Vote Down

Cancel