This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Block entire Top Level Domains in Email Protection : Anti-spam ?

I am getting an enormous amount of spam in user quarantines from a seemingly made up TLD. I used to get .xyz and now I get .science.

Of my 10680 mails in quarrintine, 4455 are from a .science domain

I would love it if someone would tell me how to block these since that are all junk.

I tried 
*@*.science
 under Email Protection : Anti-spam : Sender blacklist but it does not work.

It looks like each SPAM campaign has a different IP, domain, and sub-domain so the TLD is the only common factor. These never get caught by rDNS or RBLs and I would like to see them gone.

Here are some sample headers: 

Received: from prescout.quinter.science ([66.248.193.188]:49960) by 7552-5.UTM-server.com with esmtp (Exim 4.82_1-5b7a7c0-XX) (envelope-from ) id 1YzYdc-0005Qn-0p for mic@mydomain.com; Mon, 01 Jun 2015 18:56:56 -0400
Received: from 0035201d.prescout.quinter.science ([127.0.0.1]:4011 helo=prescout.quinter.science) by prescout.quinter.science with ESMTP id 00GP3520VA1D; for ; Mon, 1 Jun 2015 15:56:55 -0700
X-CTCH-RefID: str=0001.0A020203.556CE338.00C9,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
Date: Mon, 1 Jun 2015 15:56:55 -0700
To: 
Message-ID: 

Received: from 2rqun09wm.lovechristian.science ([198.52.177.235]:50587) by 7552-5.UTM-server.com with esmtp (Exim 4.82_1-5b7a7c0-XX) (envelope-from ) id 1YzYS4-0004vz-0R for connie@mydomain.com; Mon, 01 Jun 2015 18:45:00 -0400
Received: from 00de1d46.2rqun09wm.lovechristian.science (amavisd, port 6523) by 2rqun09wm.lovechristian.science with ESMTP id 00PPATYDE1DVNNNY46; for ; Mon, 1 Jun 2015 15:44:56 -0700
X-CTCH-RefID: str=0001.0A020202.556CE038.0081,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
Message-ID: 
Envelope-to: connie@mydomain.com
Date: Mon, 1 Jun 2015 15:44:56 -0700
From: "ONLINE-DATING" 
Subject: ARE YOU-SINGLE?- CONSIDER THIS..
To: 
Content-Language: en-us


Will a REGEX work?

If so, can someone please post one?

Thanks.


This thread was automatically locked due to age.
  • Domain Dossier

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for the tip, I'll bookmark that one.

    However, this just shows his Whois record, which is 100% fake.

    He registers new domains with a script every few hours on namecheap.com.

    They are all 100% completely fake registration information.  Random words.

     

    By the time you report him, he has LONG since abandoned the domain.  He only uses them for a couple of hours.

  • I have worked out a less-than-perfect solution for blocking entire top level domains to counteract this kind of spammer. I'd rather not post it here for the spammers to see. What do you think Bob? Best if kept out of the forum? If you are a long-term user that recognizes the need for Sophos to fix what they broke in UTM 9.1 so this can be done in the global email settings drop me a PM and I will provide my tedious user level solution.

    Best Regards - HTG
    Frustrated Sophos Partner seeing all the things
    that brought me to Sophos slowly slip away.
    RIP astaro.org

  • Hello everyone,

    I believe this post will finally provide a definitive answer to this thread. Here goes.

    While blocking these bogus top level domains is a good way to catch more spam it should not be thought of as an end-all be-all. By far the 2 best ways to block spam are making sure that you are using real-time blacklists and strict rDNS checking.

    Once you have those 2 in place if you don't already, the best solution that works like a charm for blocking TLD's does involve editing the exim.conf on the backend. There are 2 schools of thought on this. One is open up a ticket and demand that Sophos make the modification for you since they broke it and have not offered a fix for years now. The other is well, not recommended.

    Credit for this solution goes to Billy Bob and it is already in the thread here:
    Modify the exim.conf file to workaround the problem but keep in mind it will break your support and may break other things if you are using profiles

    After some help from Bob and Remuflon, these are my notes on the solution (to provide to Sophos Support of course):

    If you're using high-availability then keep in mind you will have to repeat the procedure on all nodes via ha_utils ssh.

    As far as I can tell it will survive reboots but probably not most updates.

    The result is exactly what is desired. The messages are bounced telling the sender they are blacklisted.

    You can add more TLD's as required on web admin side later without breaking the solution.

    So first go to web admin and add the domains under Sender Blacklist, Blacklisted Address Patterns on the Anti-Spam tab under Email Protection, SMTP. This will update this file: /var/storage/chroot-smtp/etc/exim.conf.senderblacklist/REF_SMTPGlobalProfile

    These are the TLD's I have pulled from the log files that I'm currently using (cut-and-paste freely):
    *@*.party
    *@*.link
    *@*.xyz
    *@*.click
    *@*.pro
    *@*.top
    *@*.science
    *@*.download
    *@*.date
    *@*.design
    *@*.stream
    *@*.gdn
    *@*.men
    *@*.win
    *@*.webcam
    *@*.monster
    *@*.rest
    *@*.uno
    *@*.work
    *@*.best
    *@*.live
    *@*.asia
    *@*.casa
    *@*.icu

    Next, log into the backend as loginuser and then elevate to root using "su -" without the quotes of course.

    So as to leave yourself a backup plan if something goes wrong first make a backup copy of exim.conf by entering:
    cp /var/storage/chroot-smtp/etc/exim.conf /var/storage/chroot-smtp/etc/exim.conf.original

    Then edit the exim.conf file using your choice of editor (choices are Joe for the average Joe, or VI for pros and masochists):
    joe -help /var/storage/chroot-smtp/etc/exim.conf

    or

    vi /var/storage/chroot-smtp/etc/exim.conf

    In either editor search for "SENDERBLACKLIST" without the quotes of course. The line you want to comment is line 393 (Note: this is for 9.600-5. Line may be different for other versions).

    Comment this line:
    # senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}}

    Add this line directly below it:
    senders = SENDERBLACKLIST/REF_SMTPGlobalProfile

    The section should now look like this:
    # Sender blacklist
    drop message = Access denied (sender blacklisted)
           domains = +domains
    #      senders = wildlsearch;SENDERBLACKLIST/${lookup{${lc:$domain}}nwildlsearch{SENDERBLACKLIST/domains}}
           senders = SENDERBLACKLIST/REF_SMTPGlobalProfile
           set acl_c0 = sender_blacklist
           set acl_c1 = $sender_address blacklisted
           condition = INSERT_REJECT
           logwrite = LOG_RCPT_REJECT

    NOTE: You can also edit the response the spammer receives to something more interesting by changing the part after the = sign in the "drop message" line. [:D]

    Save the file and restart the SMTP proxy using:
    /var/mdw/scripts/smtp restart

    At this point it just works in one second flat and here's the proof:
    2017:01:31-19:55:42 cloud-utm1-1 exim-in[9489]: 2017-01-31 19:55:42 SMTP connection from [192.188.88.232]:35431 (TCP/IP connection count = 1)
    2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 Warning: domaim.com profile excludes greylisting: Skipping greylisting for this message
    2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 Warning: domain.com profile excludes SANDBOX scan
    2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.188.88.232" from="NewCarQuotes@sloy.party" to="user@domain.com" size="-1" reason="sender_blacklist" extra="NewCarQuotes@sloy.party blacklisted"
    2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 H=(0f9efdc7.sloy.party) [192.188.88.232]:35431 F=<NewCarQuotes@sloy.party> rejected RCPT <user@domain.com>: Access denied (sender blacklisted)
    2017:01:31-19:55:42 cloud-utm1-1 exim-in[12248]: 2017-01-31 19:55:42 SMTP connection from (0f9efdc7.sloy.party) [192.188.88.232]:35431 closed by DROP in ACL


    While that is truly the best solution, if you can get Sophos to do it for you; there is another way I came up with that will not void the warranty.

    It is far less than ideal but it is the only solution that does not involve modifying the config files via SSH.

    Here it is:

    First set up individual local user accounts (I imagine AD or LDAP accounts should still work if you have them) on the Users tab under Definitions & Users, Users & Groups. When creating the user accounts be sure to add all email addresses that you want associated with that user if they have more than one because this solution will only work for listed email addresses.

    Next, while still editing the user account go to Advanced User Settings and add the following list under Sender Blacklist. These are the ones I'm currently using but obviously when the spammers start using a new top level domain to further evade detection you will have to add it to each individual account.

    *@*.link
    *@*.xyz
    *@*.click
    *@*.pro
    *@*.top
    *@*.science
    *@*.download
    *@*.date
    *@*.design
    *@*.stream
    *@*.gdn
    *@*.men
    *@*.win
    *@*.party
    *@*.webcam

    Sadly not only does the solution require this be done for each individual account but also, it only forces the spam email to quarantine and doesn't just flat out bounce it like it should. Users will start to see these spams in their quarantine but they should be used to it anyway.

    The solution works fine however and it catches 100% of all spam from the TLD's specified.

    Obviously the caveats with either solution are that no legitimate mail can come from any of these top level domains and that you can not use it for common TLD's like .com, .net, .us, etc. That being said, I find it highly unlikely that there are many, if any, legitimate emails coming from these top level domains so in the end it works out okay.

    One last thing. There is an open feature request on this. Please take the time to go there and add your votes and comments. Here is that URL:
    Ability to block any subdomain in the Blacklisted address patterns

    Best Regards - HTG
    Frustrated Sophos Partner seeing all the things
    that brought me to Sophos slowly slip away.
    RIP astaro.org

  • I'm not sure what's causing it, but after I implemented this change all user defined blacklists stopped working.

    The TLD blocking works perfectly.

  • BAlfson said:
    1. They just don't work.
    2. Yes, I think that will cause the UTM's lookup to fail and that it will not try to ask for name resolution from another DNS server.
    3. Based on BrucekConvergent's comment last year that he'd been using it, I started switching folks over to that beginning with ours.  You may need to add one or two domains to an Exception for rDNS, but probably not.

    Cheers - Bob
     

     

    I don't recommend using STRICT RDNS checks, but I do use "plain old" RDNS checks. 

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Sophos Platinum Partner

    --------------------------------------

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

  • This method worked perfectly to block TLD's.

     

    The problem is, it broke user blacklists and whitelists.  This is really becoming a crisis now.  ALL user's whitelists no longer function after making this change.

    I have to have user whitelists working.  And I HAVE to have TLD domain blocking working.

     

    Please help.

  • Yesterday, xyz.bl.yodbl.net was apparently hacked as many IPs were added to it that are NOT spam IPs.  Outlook.com?  Ridiculous.  Remove it if you have it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Outlook.com is a notorious spam haven.

    99% of emails we receive from outlook.com are spam.  Microsoft allow anything to go through it.

     

    It is almost 100% indian folks telling me they can optimize my website search results.  We block them.

    Anything that microsoft touches is garbage.

  • To each his own, man, but other than outlook.com, blocked emails included those from the Sophos Community, Discover, Mail Chimp, etc.  Also, forwards from my university alumni account and my Facebook account,

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA