
Antispam failing to identify spam from .top gTLD

We have started receiving a fairly significant amount of spam from domains using the .top gTLD. A fair number of them are quarantined, but many are also delivered to the internal mail server. Most of this spam is very obvious spam, most of it pornographic in nature. I have configured the Antispam features and this has been working well for about 1-1/2 years. This problem began about 3 weeks ago, but I have been unable to resolve the issue. Currently, I have enabled:

  • Reject invalid HELO or missing RDNS
  • Use BATV
  • Perform SPF Check

I have also added these Extra RBL Zones:

  • b.barracudacentral.org
  • zen.spamhaus.org
  • bl.mailspike.net
  • backscatter.spameatingmonkey.net
  • bl.spameatingmonkey.net
  • urired.spameatingmonkey.net
  • fresh.spameatingmonkey.net
  • bl.spamcop.net

We have Antispam set to Reject 'Confirmed Spam' and Quarantine 'Spam'. We are NOT using the Greylisting feature, because in general we found it to significantly delay the delivery of email, even domains that deliver email to us on a fairly regular basis.

Is it possible something is misconfigured? Or are the Sophos UTM Antispam features failing to keep up with new spamming techniques? I would appreciate any suggestions. Thank you!

--

Jeremy



  • Hello Jeremy,

    I see the same SPAM activity with .top domains, and I read Sophos did delete the capability of blocking TLD domains for some reason.

    Tech support cannot fix this since the feature has been removed. (In my opinion, subject to change if they put it back in after 9.401-11.)

    First of all, I would suggest trying and adding bad.psky.me to your RBL list, preferably at the bottom. They are good at .top blocking, as is zen.spamhaus.org.

    That one fix will help a lot until they get a fix.

    FYI, I added these subnets to known spammers, manually found by me, just in April.

    ...search for these subnets and see if they're the same subnets you're having issues with.
    Inquiring minds want to know. 
    Good luck Mr. Phelps if you decide to accept this mission.

    FYI, I'm also getting .xyz crap spam; search for .xyz in your mail manager.

    This is from the help on 9.401-11:

    Sender Blacklist

    The envelope sender of incoming SMTP sessions will be matched against the addresses on this blacklist. If the envelope sender is found on the blacklist the message will be rejected in SMTP time. Settings in the Reject at SMTP time field do not affect this function.
    To add a new address pattern to the blacklist click the Plus icon in the Blacklisted Address Patterns box, enter (a part of) an address, and click Apply. You can use an asterisk (*) as a wildcard, e.g., *@abbeybnknational.com. A wildcard does not work in the domain or TLD part of an address.
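As an added example (not from this thread and not Sophos UTM code), the snippet below shows how the RBL zone lookups listed in the question are formed from the client IP and how their answers are interpreted, plus a TLD check on the envelope sender as a compensating control for the wildcard limitation quoted from the help text. The zone order, the blocked-TLD set, the 192.0.2.x client addresses and the DNS answers are constructed for the example.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# RBL zones named in the thread (constructed order, not the UTM config)
RBL_ZONES = ["zen.spamhaus.org", "b.barracudacentral.org", "bl.spamcop.net", "bad.psky.me"]
# TLDs the thread reports as spam sources; checked here because the UTM
# sender blacklist wildcard cannot match the TLD part of an address
BLOCKED_TLDS = {"top", "xyz"}

Resolver = Callable[[str], Optional[str]]  # query name -> A record text or None


def rbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL lookup name: reversed IPv4 octets under the zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on bad input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def sender_tld(envelope_sender: str) -> str:
    """Return the lowercase TLD of the envelope sender's domain ('' if none)."""
    domain = envelope_sender.rpartition("@")[2].rstrip(".")
    return domain.rpartition(".")[2].lower() if "." in domain else ""


def is_listed(answer: Optional[str]) -> bool:
    """DNSBLs answer in 127.0.0.0/8 when listed; Spamhaus uses 127.255.255.x
    for query errors (blocked resolver, rate limit), which is not a listing."""
    return bool(answer) and answer.startswith("127.") and not answer.startswith("127.255.255.")


def check_connection(client_ip: str, envelope_sender: str, resolve: Resolver) -> Dict[str, object]:
    """Return the zones listing the client IP and whether the sender TLD is blocked."""
    listed: List[str] = [z for z in RBL_ZONES if is_listed(resolve(rbl_query_name(client_ip, z)))]
    return {"rbl_listed": listed, "tld_blocked": sender_tld(envelope_sender) in BLOCKED_TLDS}


# Constructed offline stand-in for real DNS answers (TEST-NET-1 addresses)
FAKE_DNS = {
    "10.2.0.192.zen.spamhaus.org": "127.0.0.4",
    "10.2.0.192.bad.psky.me": "127.0.0.2",
    "12.2.0.192.zen.spamhaus.org": "127.255.255.254",  # query error, not a listing
}


def fake_resolve(name: str) -> Optional[str]:
    return FAKE_DNS.get(name)


if __name__ == "__main__":
    print(check_connection("192.0.2.10", "offer@promo.example.top", fake_resolve))
```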
