Expression blocking, blacklist patterns not working

For the past week we have been under a relentless spam attack.

The senders names look like this: yourdata51@2020.com.   Where the numbers are random for each spam message.

 

I created a blacklist address pattern of yourdata*@*.com, which did nothing.

I also tried it as a regular expression which also did nothing.

 

Any suggestions?

UTM 9.602-3.

  • You're right that you can't blacklist anything with @* in it.

    Can you post the headers and the content of one of these spams?

    Cheers - Bob

  • In reply to BAlfson:

    2019:06:12-00:24:08 basil exim-in[22431]: 2019-06-12 00:24:08 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="202.56.191.61" from="YourData72@4780.com" to="xxx@mydomain.com" size="-1" reason="rdns_helo" extra="RDNS missing"
    2019:06:12-00:24:08 basil exim-in[22431]: 2019-06-12 00:24:08 H=([202.56.191.61]) [202.56.191.61]:53849 F=<YourData72@4780.com> rejected RCPT <xxx@mydomain.com>: No RDNS entry for 202.56.191.61
    2019:06:12-00:24:08 basil exim-in[22431]: 2019-06-12 00:24:08 SMTP connection from ([202.56.191.61]) [202.56.191.61]:53849 closed by DROP in ACL

    I've long since given up on UTM doing this.
    Now I'm studying Exim to configure it myself.

    Between Exim and Fail2ban I will succeed.
    I'll never understand why Sophos refuses to fix the expressions and TLD blocking. It's such a fundamental and basic requirement for a working system.
  • In reply to Remuflon:

    Just in case anyone is interested, I have exim configured now with regex expressions and we are fully blocking all the trash TLD's, and the YOURDATA and YOURPRIVACY spam and everything is working perfectly.

    It's also handing the IP's to fail2ban where they get blocked, then it notifies AbuseIPDB so other people can block them too.

    My UTM has over 64,000 IP's and subnets blocked so far and that goes up every minute.

    Happy!  I love watching that number tick up.