Block single domain when blocklist set to quarantine.

Hi,

Using the SEA,

 

I have already configured the standard blocklist to quarantine various messages and do not want to change this.

However - I have a domain I would like to discard all traffic from.

 

I have added the domain to a phrase filter set to discard, but the emails still flow through. The rule has been moved to the top of the list but is not triggering.

I have tried adding the domain as *@domain.com and as just @domain.com; neither method works.

Am I missing an obvious solution? Can anyone help?

 

Thanks,

Tony

  • DISCLAIMER: this response contains information that could have unexpected results. DO NOT SET ANY RULES TO DISCARD as there is no "recycle bin". DISCLAIMER

    Always set the main action to quarantine until you are sure your rules work exactly as expected, in case you need to retrieve a false positive.

     

    Hi Tony,

    If you mean you have changed the filtering options to quarantine, that may not be the best idea.

    In short:

    The results "should" be the same, except if you leave it to discard, any connecting MTA that is blacklisted would be dropped by Postfix at the connection level.

    This is good because your appliance is not wasting its time processing mail from bad senders.

    This is bad because it means it's running all your policy against all of this mail that should be dropped, so mail matching a policy that says "deliver immediately" or other scanning rules could be delivered when it should never have been accepted in the first place.

     

    Before going on, I highly recommend you have a look at my KB on spam settings: community.sophos.com/.../120802

     

    In regards to dropping mail from a domain, here is an example: community.sophos.com/.../118845

    configuration / policy / allow/block list / block list

    You will see a pop-up with HOSTS and SENDERS tabs.

    HOSTS: should be root domains or IPs / CIDR ranges, e.g. google.com, 129.0.0.0/8, etc.

    SENDERS: checks the DATA From, e.g. @domain.com

    Do not try to use any wildcards or similar. If this does not work then chances are the MTA and DATA senders may be mixed up, or similar.

     

    Another option would be to create a watch list rule. The sample KB can be found here: community.sophos.com/.../117383

     

    under additional policy ..

    add: 

    watch list

    select users : choose the Include sender  (this makes the rule ONLY apply to who you enter next)

    check custom groups

    **@mydomain.com

    ADD

    main action : quarantine

    next, name it, save it. 

     

    Email Globs .. the short version...

    email globs are specifically used for email address matching... they are slightly different 

     

    for example

    One * means one word between a qualifier. It is not a "normal" wildcard like delete *.*

    *@mydomain.com 

    would match:

    joe@mydomain.com

    it would not match

    jimmy.joe@mydomain.com or

    jimmy@mysubdomain.mydomain.com

     

    ** means match any number of words regardless 

    **@mydomain.com 

    would match any number of chars in front of the @

    jimmy.bob.is.a.real.cool.dude@mydomain.com

    likewise:

    **@**.mydomain.com

    would NOT match   jimmy.bob@mydomain.com

    but it would match

    any.thing.in.front.of@with.any.number.of.sub.domains.mydomain.com

     

    There are two other common ones you could use in the (message attributes) rules, under regular expressions. They are:

    .* means match anything OR nothing

    and $ means ends in

     

    Examples: 

    Match a blank or null string: may be useful for emails with no subject, for example. But again, be very careful with rules like this.

    ^\s*$

     

    Top level domain (when used with a watch list rule like the one above you could target all mail from a TLD or country)

    .*@.*\.tv$

     

    or a combination .. like

    **@domain.com$

    means anything in front of the @ that specifically ends in domain.com

     

    There are some cases where you may need multiple rules to accomplish the goal. For example:

    There are two rules you could use to search for all mail from .info and .tv domains.

     

    again .. do NOT set these rules to discard.

    here is an example using all of the examples listed above ...

     

    BELOW is an example of using all of the above matching to match both ENVELOPE and DATA senders.

     

    This sample would quarantine  any mail from .info and .tv top level domains. 

    BE VERY VERY CAREFUL with these rules.

    NOTE: mail that is quarantined for the reason of KEYWORD will not show up in the quarantine digest, but you CAN search through the UI. This will allow you to see all of the hits on the rules.

     

     

    two rules are required:

    #1 : DATA rule checker

    under configuration / policy / data control / inbound
    add
    rule type : messages matching specific words or phrases
    enable advanced policy
    next
    rule config
    next
    message attributes
    add
    select Header from the drop down
    name From (the capital F is important)
    matches regular expression
    value : .*@.*\.domain$
    ie : .*@.*\.tv$ or .*@.*\.info$
    apply
    next
    select users
    next
    main action:
    quarantine / reason keyword 
    next
    next until rule description... give it a name and activate the rule

    once you get dropped back to the rules listing make sure this rule is #1 in the list, click save order

    #2 Envelope rule

    under configuration / policy / data control / inbound
    add
    rule type : messages matching specific words or phrases
    enable advanced policy
    next
    rule config
    click on the regular expressions tab
    .*
    add
    next
    message attributes
    next
    select users
    click on include sender
    custom group add
    **@**.tv
    ie: **@**.info
    click add
    main action:
    quarantine for keyword
    next to the end
    give it a name, activate the rule
    once it's saved, move this rule directly under the previous rule and click save order.

     

    in closing.

     

    The SEA is an exceptional email appliance; in regards to rules, the sky's the limit. Just always make sure your rules are as specific as possible to avoid false positives.

     

    have fun..
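The glob and regex semantics described in the reply above (one `*` per word, `**` for any number of words, the `.*@.*\.tld$` header patterns, and the two-rule DATA/envelope check), worked through as an added Python example. This is not Sophos code and not the appliance's real matching engine; it assumes `*` matches one word with no `.` or `@` in it, `**` matches any run of characters other than `@` (both at least one character long), and that the header regex is applied to the raw `From` value. The sample messages and the `SAMPLE_MESSAGES`, `evaluate` and `run_samples` names are constructed for this example.

```python
import re

# Translate an email glob to a regex under the semantics the reply describes.
# Assumption: "*" = exactly one word (no "." and no "@"), "**" = any number
# of words (anything except "@"); both must match at least one character.
def email_glob_to_regex(glob):
    out = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(r"[^@]+")      # any number of words
            i += 2
        elif glob[i] == "*":
            out.append(r"[^.@]+")     # exactly one word
            i += 1
        else:
            out.append(re.escape(glob[i]))  # everything else is literal
            i += 1
    return "".join(out)


def glob_matches(glob, address):
    """True if the whole address matches the email glob."""
    return re.fullmatch(email_glob_to_regex(glob), address) is not None


# The two regex idioms from the reply, used on message attributes.
BLANK_PATTERN = r"^\s*$"                      # blank or null string (e.g. empty Subject)
DATA_FROM_PATTERNS = [r".*@.*\.tv$", r".*@.*\.info$"]   # rule #1: Header "From" values
ENVELOPE_GLOBS = ["**@**.tv", "**@**.info"]             # rule #2: custom group entries


def is_blank(text):
    return re.search(BLANK_PATTERN, text) is not None


def data_rule_hits(msg):
    """Rule #1: the DATA 'From' header matches one of the TLD regexes."""
    from_header = msg["headers"].get("From", "")
    return any(re.search(p, from_header) for p in DATA_FROM_PATTERNS)


def envelope_rule_hits(msg):
    """Rule #2: the envelope sender matches one of the watch-list globs."""
    return any(glob_matches(g, msg["envelope_from"]) for g in ENVELOPE_GLOBS)


def evaluate(msg):
    """Action the two rules would take, quarantine being the safe default."""
    if data_rule_hits(msg) or envelope_rule_hits(msg):
        return "quarantine"
    return "deliver"


# Constructed sample messages (not from the original post): envelope sender
# plus the DATA "From" header, the two fields the rules inspect.
SAMPLE_MESSAGES = [
    {"id": 1, "envelope_from": "joe@mydomain.com",
     "headers": {"From": "joe@mydomain.com"}},
    {"id": 2, "envelope_from": "promo@news.example.tv",
     "headers": {"From": "promo@news.example.tv"}},
    # Envelope is .info but the visible From claims a local address:
    # only the envelope rule (#2) catches this one.
    {"id": 3, "envelope_from": "bounce@mail.example.info",
     "headers": {"From": "Spoofed Name <alice@mydomain.com>"}},
    # Display-name form "Name <addr>": the header ends in ">", so the
    # $-anchored pattern does not match, and the envelope is .com.
    {"id": 4, "envelope_from": "bob@example.com",
     "headers": {"From": "Bob <bob@example.tv>"}},
]


def run_samples(messages=SAMPLE_MESSAGES):
    """Map each sample message id to the action the rule pair would take."""
    return {m["id"]: evaluate(m) for m in messages}


if __name__ == "__main__":
    for msg_id, action in run_samples().items():
        print(f"message {msg_id}: {action}")
```

Message 3 shows why the reply insists on two rules: the header `From` and the envelope sender are independent, and a header check alone would let it through. Message 4 shows a gap in the `$`-anchored header pattern as written: when the `From` value carries a display name and angle brackets, the address no longer sits at the end of the string, so the regex has to allow for the closing `>` (for instance `.*@.*\.tv>?$`, an assumption about how you would write it) or the envelope rule has to catch it.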