
Host/Network Blacklist not working (trying to block spam from .icu domains)

We get lots of spam from .icu domains. E.g.: pepper@coupair.icu and value@wheatsolo.icu

In Antispam/Sender Blacklist I have: *@*icu as a 'Blacklisted Address Pattern' and that does not work. Reading the online help I now know that "A wildcard does not work in the domain or TLD part of an address." Grrr.

So in Relaying tab, Host/Network Blacklist section I put a DNS Host with hostname *.icu but this doesn't work either. I tried adding a DNS Group here with the same hostname and that doesn't work.

Any ideas how I can stop these as early as possible?

 

Thanks, James.
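As an added example (not from this thread, Sophos or Exim), the TLD-aware sender check that the UTM Sender Blacklist lacks, run over constructed Exim-style mainlog lines so you can see which arriving senders a `*@*.icu` rule would reject, and which allow-listed ones it would spare, before touching the exim config. The log lines, the allow-listed sender and the `<=` regex are assumptions made for the example.

```python
import re
from fnmatch import fnmatch

# Constructed Exim-style mainlog lines (not from the original thread); the
# "<=" record marks a message arrival and carries the envelope sender.
SAMPLE_LOG = """\
2019-05-10 09:12:01 1hP2Xz-0001aB-Cd <= pepper@coupair.icu H=(mx.coupair.icu) [203.0.113.5] P=esmtp S=2048
2019-05-10 09:12:44 1hP2Ya-0001aC-Ef <= value@wheatsolo.icu H=(smtp.wheatsolo.icu) [203.0.113.9] P=esmtp S=1870
2019-05-10 09:13:10 1hP2Yz-0001aD-Gh <= partner@example.com H=(mail.example.com) [198.51.100.7] P=esmtps S=5120
2019-05-10 09:14:02 1hP2Zb-0001aE-Ij <= news@trusted-vendor.icu H=(mx.trusted-vendor.icu) [198.51.100.20] P=esmtp S=3301
"""

# Envelope sender of an arrival ("<=") record; assumed log layout.
SENDER_RE = re.compile(r" <= (?P<sender>\S+@\S+) ")

# Patterns with a wildcard in the domain/TLD part, which the UTM Sender
# Blacklist does not honour; fnmatch applies them to the whole address.
DENY_PATTERNS = ["*@*.icu"]
# Exact senders exempted from the TLD block (constructed example value).
ALLOW_SENDERS = {"news@trusted-vendor.icu"}


def sender_blocked(sender, deny=DENY_PATTERNS, allow=ALLOW_SENDERS):
    """True if the envelope sender matches a deny pattern and is not allow-listed."""
    s = sender.lower()
    if s in allow:
        return False
    return any(fnmatch(s, pat) for pat in deny)


def evaluate_log(log_text):
    """Classify every arriving sender in the log; returns (blocked, passed) lists."""
    blocked, passed = [], []
    for line in log_text.splitlines():
        m = SENDER_RE.search(line)
        if not m:
            continue  # not an arrival record (e.g. "=>" delivery lines)
        sender = m.group("sender")
        (blocked if sender_blocked(sender) else passed).append(sender)
    return blocked, passed


if __name__ == "__main__":
    b, p = evaluate_log(SAMPLE_LOG)
    print("would block:", b)
    print("would pass: ", p)
```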

  • James, I think you want htguru's post or Billybob's Block TLD Email Senders earlier in that same thread.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Another option is to use a second spam filter.

    SmarterMail from SmarterTools.com is one possibility. It tries to be a less complex and less expensive alternative to Exchange. Unlike Exim, it runs on Windows, which is a big win for those of us who do not understand Unix/Linux. For your needs, they offer it for free use as a smarthost to do filtering. It has different filtering options than UTM, which allows you to add defenses by configuring your spam filters in sequence. Focusing on incoming mail only, this can be done in several configuration options:

    1. UTM NAT passes incoming MX mail to SM, then SM relays back to UTM SMTP Proxy for a second look, which forwards to your mail server.
    2. UTM SMTP Standard Mode proxy is MX, filters mail, then forwards to SM for a second look, before forwarding to your mail server.
    3. UTM NAT passes incoming MX mail to SM, but Transparent SMTP proxy filters it on the way in.  Then SM forwards to your mail server.

    The decision depends in part on which spam filter needs to see the source IP and source DNS hostname to perform filtering. UTM's capabilities for source server filtering are rather primitive, so I do not think there is much advantage to having UTM in front.

    However, you also need an overview of all received messages and how they were dispositioned. UTM Mail Manager is pretty inadequate, but SmarterMail only has chatter-type logs that need to be parsed. (Not as hard as UTM's SMTP log, but not as useful as Mail Manager.) So I think the best combination of these two is probably to use SmarterMail in transparent mode so that it can provide Mail Manager functionality while SM can provide source server filtering and other backups to UTM's protection.

  • Thanks Bob and Douglas.

    Have just voted here: suggestions/7075362-ability-to-block-any-subdomain-in-the-blacklisted?page=2&per_page=20

    I think my best option might be to file a support case.

  • Filed a Support Case and they got back to me. Said I could try the suggestion of editing the config file, but that "this will break your support".

    They then said, "Also I see you already voted for the Ideas regarding this feature. What I would recommend for the next steps regarding this is to directly contact your account manager and discuss this feature. They should be able to help and forward this to our product team so they could take a look." And with that, the case is going to be archived.

    Will talk to account manager and see if that goes anywhere. Will keep this thread updated.

  • Let's be realistic about Ideas.Sophos.Com

    • When Sophos happens to implement an idea, do they mark it as completed?
    • Do they identify and consolidate duplicate ideas?
    • Do they ever ask for details to clarify obscure or incoherent ideas?

    In short, do they read the ideas at all?  I have not been convinced that they do.

    Given that UTM has been superseded by XG, you should not expect that even great ideas will get development funding in UTM. However, the future of Sophos' mail filtering strategy is not an appliance. From what I have seen, all three of Sophos' email appliances (UTM, XG, and SEA) are in the process of being superseded by Sophos Mail (in the Cloud). So if you want the best email filter available from Sophos, with the best hope for long-term improvement, look there.

    If you want better email protection in the near future, your options are to hack the exim config file, add a secondary spam filter, or buy a better spam filter. All of the best spam filters are now cloud services.

  • Totally agree with you Douglas.

    Anyway, I went and edited the exim config file - was pretty straightforward using 'joe' instead of 'vi'. htguru's 2 Feb 2017 post was very easy to follow.

    Seems to be working fine; emails from *.icu are being blocked.