Block entire Top Level Domains in Email Protection : Anti-spam ?

Question

I am getting an enormous amount of spam in user quarantines from a seemingly made up TLD. I used to get .xyz and now I get .science.

Of my 10680 mails in quarrintine, 4455 are from a .science domain

I would love it if someone would tell me how to block these since that are all junk.

I tried

*@*.science

under Email Protection : Anti-spam : Sender blacklist but it does not work.

It looks like each SPAM campaign has a different IP, domain, and sub-domain so the TLD is the only common factor. These never get caught by rDNS or RBLs and I would like to see them gone.

Here are some sample headers:

Received: from prescout.quinter.science ([66.248.193.188]:49960) by 7552-5.UTM-server.com with esmtp (Exim 4.82_1-5b7a7c0-XX) (envelope-from ) id 1YzYdc-0005Qn-0p for mic@mydomain.com; Mon, 01 Jun 2015 18:56:56 -0400
Received: from 0035201d.prescout.quinter.science ([127.0.0.1]:4011 helo=prescout.quinter.science) by prescout.quinter.science with ESMTP id 00GP3520VA1D; for ; Mon, 1 Jun 2015 15:56:55 -0700
X-CTCH-RefID: str=0001.0A020203.556CE338.00C9,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
Date: Mon, 1 Jun 2015 15:56:55 -0700
To:
Message-ID:

Received: from 2rqun09wm.lovechristian.science ([198.52.177.235]:50587) by 7552-5.UTM-server.com with esmtp (Exim 4.82_1-5b7a7c0-XX) (envelope-from ) id 1YzYS4-0004vz-0R for connie@mydomain.com; Mon, 01 Jun 2015 18:45:00 -0400
Received: from 00de1d46.2rqun09wm.lovechristian.science (amavisd, port 6523) by 2rqun09wm.lovechristian.science with ESMTP id 00PPATYDE1DVNNNY46; for ; Mon, 1 Jun 2015 15:44:56 -0700
X-CTCH-RefID: str=0001.0A020202.556CE038.0081,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
Message-ID:
Envelope-to: connie@mydomain.com
Date: Mon, 1 Jun 2015 15:44:56 -0700
From: "ONLINE-DATING"
Subject: ARE YOU-SINGLE?- CONSIDER THIS..
To:
Content-Language: en-us

Will a REGEX work?

If so, can someone please post one?

Thanks.

This thread was automatically locked due to age.

htguru · Accepted Answer

Hello everyone, I believe this post will finally provide a definitive answer to this thread. Here goes. While blocking these bogus top level domains is a good way to catch more spam it should not be thought of as an end-all be-all. By far the 2 best ways to block spam are making sure that you are using real-time blacklists and strict rDNS checking. Once you have those 2 in place if you don't already, the best solution that works like a charm for blocking TLD's does involve editing the exim.conf on the backend. There are 2 schools of thought on this. One is open up a ticket and demand that Sophos make the modification for you since they broke it and have not offered a fix for years now. The other is well, not recommended. Credit for this solution goes to Billy Bob and it is already in the thread here: Modify the exim.conf file to workaround the problem but keep in mind it will break your support and may break other things if you are using profiles After some help from Bob and Remuflon, these are my notes on the solution (to provide to Sophos Support of course): If you're using high-availability then keep in mind you will have to repeat the procedure on all nodes via ha_utils ssh. As far as I can tell it will survive reboots but probably not most updates. The result is exactly what is desired. The messages are bounced telling the sender they are blacklisted. You can add more TLD's as required on web admin side later without breaking the solution. So first go to web admin and add the domains under Sender Blacklist, Blacklisted Address Patterns on the Anti-Spam tab under Email Protection, SMTP. This will update this file: /var/storage/chroot-smtp/etc/exim.conf.senderblacklist/REF_SMTPGlobalProfile These are the TLD's I have pulled from the log files that I'm currently using (cut-and-paste freely): *@*.party *@*.link *@*.xyz *@*.click *@*.pro *@*.top *@*.science *@*.download *@*.date *@*.design *@*.stream *@*.gdn *@*.men *@*.win *@*.webcam *@*.monster *@*.rest *@*.uno *@*.work *@*.best *@*.live *@*.asia *@*.casa *@*.icu Next, log into the backend as loginuser and then elevate to root using "su -" without the quotes of course. So as to leave yourself a backup plan if something goes wrong first make a backup copy of exim.conf by entering: cp /var/storage/chroot-smtp/etc/exim.conf /var/storage/chroot-smtp/etc/exim.conf.original Then edit the exim.conf file using your choice of editor (choices are Joe for the average Joe, or VI for pros and masochists): joe -help /var/storage/chroot-smtp/etc/exim.conf or vi /var/storage/chroot-smtp/etc/exim.conf In either editor search for "SENDERBLACKLIST" without the quotes of course. The line you want to comment is line 393 (Note: this is for 9.600-5. Line may be different for other versions). Comment this line: # senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}} Add this line directly below it: senders = SENDERBLACKLIST/REF_SMTPGlobalProfile The section should now look like this: # Sender blacklist drop message = Access denied (sender blacklisted) domains = +domains # senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}} senders = SENDERBLACKLIST/REF_SMTPGlobalProfile set acl_c0 = sender_blacklist set acl_c1 = $sender_address blacklisted condition = INSERT_REJECT logwrite = LOG_RCPT_REJECT NOTE: You can also edit the response the spammer receives to something more interesting by changing the part after the = sign in the "drop message" line. [:D] Save the file and restart the SMTP proxy using: /var/mdw/scripts/smtp restart At this point it just works in one second flat and here's the proof: 2017:01:31-19:55:42 cloud-utm1-1 exim-in[9489]: 2017-01-31 19:55:42 SMTP connection from [192.188.88.232]:35431 (TCP/IP connection count = 1) 2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 Warning: domaim.com profile excludes greylisting: Skipping greylisting for this message 2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 Warning: domain.com profile excludes SANDBOX scan 2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.188.88.232" from="NewCarQuotes@sloy.party" to="user@domain.com" size="-1" reason="sender_blacklist" extra="NewCarQuotes@sloy.party blacklisted" 2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 F= rejected RCPT : Access denied (sender blacklisted) 2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 SMTP connection from (0f9efdc7.sloy.party) [192.188.88.232]:35431 closed by DROP in ACL While that is truly the best solution, if you can get Sophos to do it for you; there is another way I came up with that will not void the warranty. It is far less than ideal but it is the only solution that does not involve modifying the config files via SSH. Here it is: First set up individual local user accounts (I imagine AD or LDAP accounts should still work if you have them) on the Users tab under Definitions & Users, Users & Groups. When creating the user accounts be sure to add all email addresses that you want associated with that user if they have more than one because this solution will only work for listed email addresses. Next, while still editing the user account go to Advanced User Settings and add the following list under Sender Blacklist. These are the ones I'm currently using but obviously when the spammers start using a new top level domain to further evade detection you will have to add it to each individual account. *@*.link *@*.xyz *@*.click *@*.pro *@*.top *@*.science *@*.download *@*.date *@*.design *@*.stream *@*.gdn *@*.men *@*.win *@*.party *@*.webcam Sadly not only does the solution require this be done for each individual account but also, it only forces the spam email to quarantine and doesn't just flat out bounce it like it should. Users will start to see these spams in their quarantine but they should be used to it anyway. The solution works fine however and it catches 100% of all spam from the TLD's specified. Obviously the caveats with either solution are that no legitimate mail can come from any of these top level domains and that you can not use it for common TLD's like .com, .net, .us, etc. That being said, I find it highly unlikely that there are many, if any, legitimate emails coming from these top level domains so in the end it works out okay. One last thing. There is an open feature request on this. Please take the time to go there and add your votes and comments. Here is that URL: Ability to block any subdomain in the Blacklisted address patterns

Billybob · Answer

This doesn't need a feature request as it used to work. But alas, as everything else that used to work in astaro, a lot of little stuff doesn't work in sophos[:@]

You can modify the exim.conf file to workaround the problem but keep in mind it will break your support and may break other things if you are using profiles. Also I wouldn't use very long lists since it may slow your exim down.
Edit using vi or whatever, but make sure you google vi tutorial before using vi. Its not intuitive if you don't know what you are doing

vi /var/storage/chroot-smtp/etc/exim.conf

Look for the section

# Sender blacklist

Comment out the line senders=wildlsearch with # in the beginning like I have done below

#       senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}}

Add another line below the commented line

senders = SENDERBLACKLIST/REF_SMTPGlobalProfile

Your sender blacklist section should look like this now

  # Sender blacklist
  drop message = Access denied (sender blacklisted)
       domains = +domains
#       senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}}
        senders = SENDERBLACKLIST/REF_SMTPGlobalProfile
       set acl_c0 = sender_blacklist
       set acl_c1 = $sender_address blacklisted
       condition = INSERT_REJECT
       logwrite = LOG_RCPT_REJEC

Save the file and restart the smtp proxy from webadmin. Look for any error logs and revert changes as necessary. You can now add wildcards anyway you want including TLDs[;)]

Sebastian_DBM · Answer

maybe it helps to put some votes here: Ability to block any subdomain in the Blacklisted address patterns so they have a look at it. greeting, Sebastian