
Expression blocking, blacklist patterns not working

For the past week we have been under a relentless spam attack.

The sender names look like this: yourdata51@2020.com, where the numbers are random for each spam message.

 

I created a blacklist address pattern of yourdata*@*.com, which did nothing.

I also tried it as a regular expression which also did nothing.

 

Any suggestions?

UTM 9.602-3.



  • You're right that you can't blacklist anything with @* in it.

    Can you post the headers and the content of one of these spams?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 2019:06:12-00:24:08 basil exim-in[22431]: 2019-06-12 00:24:08 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="202.56.191.61" from="YourData72@4780.com" to="xxx@mydomain.com" size="-1" reason="rdns_helo" extra="RDNS missing"
    2019:06:12-00:24:08 basil exim-in[22431]: 2019-06-12 00:24:08 H=([202.56.191.61]) [202.56.191.61]:53849 F=<YourData72@4780.com> rejected RCPT <xxx@mydomain.com>: No RDNS entry for 202.56.191.61
    2019:06:12-00:24:08 basil exim-in[22431]: 2019-06-12 00:24:08 SMTP connection from ([202.56.191.61]) [202.56.191.61]:53849 closed by DROP in ACL

    I've long since given up on UTM doing this.
    Now I'm studying Exim to configure it myself.

    Between Exim and Fail2ban I will succeed.
    I'll never understand why Sophos refuses to fix the expressions and TLD blocking. It's such a fundamental and basic requirement for a working system.
  • Just in case anyone is interested, I have Exim configured now with regex expressions and we are fully blocking all the trash TLDs, and the YOURDATA and YOURPRIVACY spam, and everything is working perfectly.

    It's also handing the IPs to fail2ban where they get blocked, then it notifies AbuseIPDB so other people can block them too.

    My UTM has over 64,000 IPs and subnets blocked so far, and that goes up every minute.

    Happy!  I love watching that number tick up.
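As an added example (not code from this thread, nor from Sophos, Exim or fail2ban), the following Python script shows the two pieces the thread talks about: matching the spam sender shape from the original post (fixed word, random digits, a digits-only domain, .com) with a regular expression rather than the glob that was tried, and parsing UTM "exim-in" log lines of the kind quoted above to tally source IPs per sender the way a fail2ban filter does before a ban action runs. The log lines are constructed to mirror the quoted format and use RFC 5737 documentation addresses; the `<HOST>` expansion is a simplified stand-in for fail2ban's own, and `maxretry` is borrowed from fail2ban's terminology, both assumptions made for this example. It also goes slightly beyond the post by covering the YOURPRIVACY variant mentioned later in the thread.

```python
"""Added example: regex sender matching plus UTM exim-in log parsing, modelled
on the thread's spam pattern. Not the original poster's Exim or fail2ban config."""
import fnmatch
import re
from collections import Counter

# Constructed sample log (not real traffic): same field layout as the
# "exim-in" lines quoted in the thread, with RFC 5737 documentation IPs.
# Line 2 is a plain Exim rejection line with no key="value" pairs; line 5 is
# a rejection from a sender that does NOT match the spam pattern.
SAMPLE_LOG = """\
2019:06:12-00:24:08 basil exim-in[22431]: 2019-06-12 00:24:08 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="203.0.113.61" from="YourData72@4780.com" to="xxx@mydomain.com" size="-1" reason="rdns_helo" extra="RDNS missing"
2019:06:12-00:24:08 basil exim-in[22431]: 2019-06-12 00:24:08 H=([203.0.113.61]) [203.0.113.61]:53849 F=<YourData72@4780.com> rejected RCPT <xxx@mydomain.com>: No RDNS entry for 203.0.113.61
2019:06:12-00:25:11 basil exim-in[22440]: 2019-06-12 00:25:11 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="203.0.113.61" from="yourdata51@2020.com" to="xxx@mydomain.com" size="-1" reason="rdns_helo" extra="RDNS missing"
2019:06:12-00:26:40 basil exim-in[22455]: 2019-06-12 00:26:40 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="198.51.100.9" from="YourPrivacy8@91.com" to="xxx@mydomain.com" size="-1" reason="rdns_helo" extra="RDNS missing"
2019:06:12-00:27:02 basil exim-in[22460]: 2019-06-12 00:27:02 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="bob@example.net" to="xxx@mydomain.com" size="-1" reason="rdns_helo" extra="RDNS missing"
"""

# The shell-style pattern from the original post, translated to a regex so
# we can see exactly what it would accept: anything starting "yourdata" with
# any local part and any domain ending in ".com".
GLOB = "yourdata*@*.com"
GLOB_RE = re.compile(fnmatch.translate(GLOB), re.IGNORECASE)

# A tighter regex pinning the shape described in the thread: a fixed word,
# one or more digits, "@", a digits-only domain, ".com". Case-insensitive
# because the logs show "YourData" while the post wrote "yourdata".
SPAM_SENDER_RE = re.compile(r"^(?:yourdata|yourprivacy)\d+@\d+\.com$", re.IGNORECASE)

# UTM writes key="value" pairs; the interleaved plain Exim lines have none.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def glob_matches(addr):
    """What the poster's glob would accept (looser than the regex below)."""
    return GLOB_RE.match(addr) is not None


def is_spam_sender(addr, pattern=SPAM_SENDER_RE):
    """True when the envelope sender has the spam shape from the thread."""
    return pattern.search(addr) is not None


def parse_utm_line(line):
    """Return the key/value fields of a UTM exim-in line, or None for plain Exim lines."""
    fields = dict(KV_RE.findall(line))
    return fields if "srcip" in fields and "from" in fields else None


def spam_sources(log_text, pattern=SPAM_SENDER_RE):
    """Count rejected messages per source IP whose sender matches the pattern."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_utm_line(line)
        if f and f.get("name") == "email rejected" and is_spam_sender(f["from"], pattern):
            hits[f["srcip"]] += 1
    return hits


def ban_candidates(hits, maxretry=1):
    """IPs with at least `maxretry` matching rejections (fail2ban-style threshold)."""
    return sorted(ip for ip, n in hits.items() if n >= maxretry)


# fail2ban filters write the address slot as <HOST> and expand it themselves;
# the expansion used here is a simplified assumption so the same pattern can
# be exercised in plain Python.
FAIL2BAN_FAILREGEX = (
    r'exim-in\[\d+\]: .* name="email rejected" srcip="<HOST>" '
    r'from="(?:yourdata|yourprivacy)\d+@\d+\.com"'
)


def failregex_hosts(log_text, failregex=FAIL2BAN_FAILREGEX):
    """Hosts a fail2ban-style failregex would extract, one per matching line."""
    rx = re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9a-fA-F.:]+)"), re.IGNORECASE)
    return [m.group("host") for m in (rx.search(l) for l in log_text.splitlines()) if m]


if __name__ == "__main__":
    hits = spam_sources(SAMPLE_LOG)
    for ip in ban_candidates(hits, maxretry=2):
        print(f"ban {ip} ({hits[ip]} matching rejections)")
```

Note the difference between the two sender patterns: the glob also accepts something like `yourdata-news@corp.com`, while the regex only fires on the digits-only shape, which is what you want before feeding addresses to an automatic ban.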