This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Block entire Top Level Domains in Email Protection : Anti-spam ?

I am getting an enormous amount of spam in user quarantines from a seemingly made up TLD. I used to get .xyz and now I get .science.

Of my 10680 mails in quarrintine, 4455 are from a .science domain

I would love it if someone would tell me how to block these since that are all junk.

I tried 
*@*.science
 under Email Protection : Anti-spam : Sender blacklist but it does not work.

It looks like each SPAM campaign has a different IP, domain, and sub-domain so the TLD is the only common factor. These never get caught by rDNS or RBLs and I would like to see them gone.

Here are some sample headers: 

Received: from prescout.quinter.science ([66.248.193.188]:49960) by 7552-5.UTM-server.com with esmtp (Exim 4.82_1-5b7a7c0-XX) (envelope-from ) id 1YzYdc-0005Qn-0p for mic@mydomain.com; Mon, 01 Jun 2015 18:56:56 -0400
Received: from 0035201d.prescout.quinter.science ([127.0.0.1]:4011 helo=prescout.quinter.science) by prescout.quinter.science with ESMTP id 00GP3520VA1D; for ; Mon, 1 Jun 2015 15:56:55 -0700
X-CTCH-RefID: str=0001.0A020203.556CE338.00C9,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
Date: Mon, 1 Jun 2015 15:56:55 -0700
To: 
Message-ID: 

Received: from 2rqun09wm.lovechristian.science ([198.52.177.235]:50587) by 7552-5.UTM-server.com with esmtp (Exim 4.82_1-5b7a7c0-XX) (envelope-from ) id 1YzYS4-0004vz-0R for connie@mydomain.com; Mon, 01 Jun 2015 18:45:00 -0400
Received: from 00de1d46.2rqun09wm.lovechristian.science (amavisd, port 6523) by 2rqun09wm.lovechristian.science with ESMTP id 00PPATYDE1DVNNNY46; for ; Mon, 1 Jun 2015 15:44:56 -0700
X-CTCH-RefID: str=0001.0A020202.556CE038.0081,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
Message-ID: 
Envelope-to: connie@mydomain.com
Date: Mon, 1 Jun 2015 15:44:56 -0700
From: "ONLINE-DATING" 
Subject: ARE YOU-SINGLE?- CONSIDER THIS..
To: 
Content-Language: en-us


Will a REGEX work?

If so, can someone please post one?

Thanks.


This thread was automatically locked due to age.
Parents
  • 1. They just don't work.
    2. Yes, I think that will cause the UTM's lookup to fail and that it will not try to ask for name resolution from another DNS server.
    3. Based on BrucekConvergent's comment last year that he'd been using it, I started switching folks over to that beginning with ours.  You may need to add one or two domains to an Exception for rDNS, but probably not.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:
    1. They just don't work.
    2. Yes, I think that will cause the UTM's lookup to fail and that it will not try to ask for name resolution from another DNS server.
    3. Based on BrucekConvergent's comment last year that he'd been using it, I started switching folks over to that beginning with ours.  You may need to add one or two domains to an Exception for rDNS, but probably not.

    Cheers - Bob
     

     

    I don't recommend using STRICT RDNS checks, but I do use "plain old" RDNS checks. 

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Reply
  • BAlfson said:
    1. They just don't work.
    2. Yes, I think that will cause the UTM's lookup to fail and that it will not try to ask for name resolution from another DNS server.
    3. Based on BrucekConvergent's comment last year that he'd been using it, I started switching folks over to that beginning with ours.  You may need to add one or two domains to an Exception for rDNS, but probably not.

    Cheers - Bob
     

     

    I don't recommend using STRICT RDNS checks, but I do use "plain old" RDNS checks. 

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Children
No Data