Koozali.org: home of the SME Server

Email: How to block top-level domain?

bunkobugsy
Email: How to block top-level domain?
« on: May 10, 2019, 05:10:10 AM »
Found this old discussion https://forums.contribs.org/index.php?topic=47808.0

Any help on how to install check_badpatterns plugins from here https://www.wormbytes.ca/software/qpsmtpd/ to be able to use "wildmat format" as suggested by Charlie?

I'd really need to block the entire spamming @*.icu TLD, and this isn't an accepted format in the qmail badmailfrom section of the email WBL contrib.

The RBLList and SBLList I use are catching up with quite a big delay, and the spamming servers are hopping anyway.

Thanks

Jean-Philippe Pialasse (aka Unnilennium) http://smeserver.pialasse.com
Re: Email: How to block top-level domain?
« Reply #1 on: May 10, 2019, 05:46:20 AM »
No wildcard, but better:

This plugin also supports regular expression matches. This allows
special patterns to be denied (e.g. FQDN-VERP, percent hack, bangs,
double ats).
Patterns are stored in the format pattern(\s+)response, where pattern
is a Perl pattern expression. Don't forget to anchor the pattern
(front ^ and back $) if you want to restrict it from matching
anywhere in the string.
 ^streamsendbouncer@.*\.mailengine1\.com$    Your right-hand side VERP doesn't fool me
 ^return.*@.*\.pidplate\.biz$                I don't want it regardless of subdomain
 ^admin.*\.ppoonn400\.com$

In qpsmtpd badmailfrom add this:

Code:
^.*@.*\.icu$

mmccarn
Re: Email: How to block top-level domain?
« Reply #2 on: May 10, 2019, 01:46:44 PM »
Warning and Apologies.

I discovered that the insert below was causing fatal errors in my badmailfrom plugin due to a copy/paste error - I somehow acquired an extra asterisk at the beginning of each line. See later post for correction

See correction in https://forums.contribs.org/index.php/topic,53984.msg281701.html#msg281701

=========================================================================
Install Email_Whitelist-Blacklist_Control and run the console-save event so that you can make config changes
Code:
yum install --enablerepo=smecontribs smeserver-wbl
signal-event console-save

In server-manager, select 'Email-WBL' in Configuration

Insert your pattern in 'Blacklist' -> 'qmail badmailfrom'.
Here is the list of patterns I ended up with after closely monitoring spam on one server for a few months (the second column is an error message that will appear in the qpsmtpd logs for triggered emails):
Code:
*^.*\.accountant$                         check_badmailfrom_patterns-^.*\.accountant$
*^.*\.asia$                               check_badmailfrom_patterns-^.*\.asia$
*^.*\.bid$                                check_badmailfrom_patterns-^.*\.bid$
*^.*\.biz$                                check_badmailfrom_patterns-^.*\.biz$
*^.*\.cf$                                 check_badmailfrom_patterns-^.*\.cf$
*^.*\.club$                               check_badmailfrom_patterns-^.*\.club$
*^.*\.cricket$                            check_badmailfrom_patterns-^.*\.cricket$
*^.*\.date$                               check_badmailfrom_patterns-^.*\.date$
*^.*\.de$                                 check_badmailfrom_patterns-^.*\.de$
*^.*\.download$                           check_badmailfrom_patterns-^.*\.download$
*^.*\.eu$                                 check_badmailfrom_patterns-^.*\.eu$
*^.*\.faith$                              check_badmailfrom_patterns-^.*\.faith$
*^.*\.fr$                                 check_badmailfrom_patterns-^.*\.fr$
*^.*\.ga$                                 check_badmailfrom_patterns-^.*\.ga$
*^.*\.gq$                                 check_badmailfrom_patterns-^.*\.gq$
*^.*\.help$                               check_badmailfrom_patterns-^.*\.help$
*^.*\.info$                               check_badmailfrom_patterns-^.*\.info$
*^.*\.in\.net$                            check_badmailfrom_patterns-^.*\.in\.net$
*^.*\.internal$                           check_badmailfrom_patterns-^.*\.internal$
*^.*\.ip-pool.com$                        check_badmailfrom_patterns-^.*\.ip-pool.com$
*^.*\.loan$                               check_badmailfrom_patterns-^.*\.loan$
*^.*\.lol$                                check_badmailfrom_patterns-^.*\.lol$
*^.*\.ml$                                 check_badmailfrom_patterns-^.*\.ml$
*^.*\.news.*\.de$                         check_badmailfrom_patterns-^.*\.news.*\.de$
*^.*\.ninja$                              check_badmailfrom_patterns-^.*\.ninja$
*^.*\.party$                              check_badmailfrom_patterns-^.*\.party$
*^.*\.pw$                                 check_badmailfrom_patterns-^.*\.pw$
*^.*\.racing$                             check_badmailfrom_patterns-^.*\.racing$
*^.*\.review$                             check_badmailfrom_patterns-^.*\.review$
*^.*\.ru$                                 check_badmailfrom_patterns-^.*\.ru$
*^.*\.rx\.com$                            check_badmailfrom_patterns-^.*\.rx\.com$
*^.*\.sales.*\.hk$                        check_badmailfrom_patterns-^.*\.sales.*\.hk$
*^.*\.science$                            check_badmailfrom_patterns-^.*\.science$
*^.*\.site$                               check_badmailfrom_patterns-^.*\.site$
*^.*\.space$                              check_badmailfrom_patterns-^.*\.space$
*^.*special.*\.net$                       check_badmailfrom_patterns-^.*special.*\.net$
*^.*\.tk$                                 check_badmailfrom_patterns-^.*\.tk$
*^.*\.top$                                check_badmailfrom_patterns-^.*\.top$
*^.*\.trade$                              check_badmailfrom_patterns-^.*\.trade$
*^.*\.uno$                                check_badmailfrom_patterns-^.*\.uno$
*^.*\.wan$                                check_badmailfrom_patterns-^.*\.wan$
*^.*\.wang$                               check_badmailfrom_patterns-^.*\.wang$
*^.*\.webcam$                             check_badmailfrom_patterns-^.*\.webcam$
*^.*\.website$                            check_badmailfrom_patterns-^.*\.website$
*^.*\.win$                                check_badmailfrom_patterns-^.*\.win$
*^.*\.work$                               check_badmailfrom_patterns-^.*\.work$
*^.*\.xyz$                                check_badmailfrom_patterns-^.*\.xyz$

The server I used this on received significant amounts of spam where the sending email looked like <random-code-username=smedomain.tld@spammers.domain> - where "smedomain.tld" was the actual domain of the server.

I blocked those senders using this pattern:
Code:
*^.*\-.*\=smedomain\.tld\@.*\..*$         check_badmailfrom_patterns-^.*\-.*\=smedomain\.tld\@.*\..*$

Some legitimate services use the same sending email format - add the sending domains for those folks in 'White list' -> 'qpsmtpd whitelistsenders':
Code:
craigslist.org
ruthschrismail.com

The commands I used to monitor qpsmtpd and fine-tune badmailfrom, DNSBL and RHSBL are on the wiki: https://wiki.contribs.org/Email_Statistics#Useful_Commands
« Last Edit: June 01, 2019, 02:07:58 PM by TerryF »

Jean-Philippe Pialasse (aka Unnilennium) http://smeserver.pialasse.com
Re: Email: How to block top-level domain?
« Reply #3 on: May 10, 2019, 10:04:47 PM »
Quote

*^.*\-.*\=smedomain\.tld\@.*\..*$         check_badmailfrom_patterns-^.*\-.*\=smedomain\.tld\@.*\..*$

You are blocking the clean and legitimate way that a mailing list should use to transfer email in the name of the poster while respecting DMARC.

mmccarn
Re: Email: How to block top-level domain?
« Reply #4 on: May 11, 2019, 02:07:10 PM »
Quote

You are blocking the clean and legitimate way that a mailing list should use to transfer email in the name of the poster while respecting DMARC.

I suspected as much -- but that particular server was getting hundreds of spam emails per day that I could block using this pattern, and only had 3 domains that needed whitelisting (craigslist, ruthschrismail, and bloomingdales). 

When I say "hundreds of spam", I really mean it.  These were not mailing lists that the recipients didn't know how to unsubscribe from; in most cases the sending server was listed in multiple RBL lists within hours.

bunkobugsy
Re: Email: How to block top-level domain?
« Reply #5 on: May 21, 2019, 03:23:50 PM »
Quote

In qpsmtpd badmailfrom add this:
Code:
^.*@.*\.icu$

This is great and should be mentioned in https://wiki.contribs.org/Email_Whitelist-Blacklist_Control

It took me quite a while to realize that you were quoting from badmailfrom and I don't need the check_badpatterns plugin :)

Thanks

mmccarn
Re: Email: How to block top-level domain?
« Reply #6 on: June 01, 2019, 01:34:59 PM »
Apologies.

I discovered that my earlier post in this topic was causing fatal errors in my badmailfrom plugin due to a copy/paste error - I somehow acquired an extra asterisk at the beginning of each line.

Here is the same list in a format that can be copy/pasted into the server-panel field for qmail badmailfrom:
Code:
^.*\.accountant$                         check_badmailfrom_patterns-^.*\.accountant$
^.*\.asia$                               check_badmailfrom_patterns-^.*\.asia$
^.*\.bid$                                check_badmailfrom_patterns-^.*\.bid$
^.*\.biz$                                check_badmailfrom_patterns-^.*\.biz$
^.*\.cf$                                 check_badmailfrom_patterns-^.*\.cf$
^.*\.club$                               check_badmailfrom_patterns-^.*\.club$
^.*\.cricket$                            check_badmailfrom_patterns-^.*\.cricket$
^.*\.date$                               check_badmailfrom_patterns-^.*\.date$
^.*\.de$                                 check_badmailfrom_patterns-^.*\.de$
^.*\.download$                           check_badmailfrom_patterns-^.*\.download$
^.*\.eu$                                 check_badmailfrom_patterns-^.*\.eu$
^.*\.faith$                              check_badmailfrom_patterns-^.*\.faith$
^.*\.fr$                                 check_badmailfrom_patterns-^.*\.fr$
^.*\.ga$                                 check_badmailfrom_patterns-^.*\.ga$
^.*\.gq$                                 check_badmailfrom_patterns-^.*\.gq$
^.*\.help$                               check_badmailfrom_patterns-^.*\.help$
^.*\.in\.net$                            check_badmailfrom_patterns-^.*\.in\.net$
^.*\.info$                               check_badmailfrom_patterns-^.*\.info$
^.*\.internal$                           check_badmailfrom_patterns-^.*\.internal$
^.*\.ip-pool.com$                        check_badmailfrom_patterns-^.*\.ip-pool.com$
^.*\.loan$                               check_badmailfrom_patterns-^.*\.loan$
^.*\.lol$                                check_badmailfrom_patterns-^.*\.lol$
^.*\.ml$                                 check_badmailfrom_patterns-^.*\.ml$
^.*\.news.*\.de$                         check_badmailfrom_patterns-^.*\.news.*\.de$
^.*\.ninja$                              check_badmailfrom_patterns-^.*\.ninja$
^.*\.party$                              check_badmailfrom_patterns-^.*\.party$
^.*\.pw$                                 check_badmailfrom_patterns-^.*\.pw$
^.*\.racing$                             check_badmailfrom_patterns-^.*\.racing$
^.*\.review$                             check_badmailfrom_patterns-^.*\.review$
^.*\.ru$                                 check_badmailfrom_patterns-^.*\.ru$
^.*\.rx\.com$                            check_badmailfrom_patterns-^.*\.rx\.com$
^.*\.sales.*\.hk$                        check_badmailfrom_patterns-^.*\.sales.*\.hk$
^.*\.science$                            check_badmailfrom_patterns-^.*\.science$
^.*\.site$                               check_badmailfrom_patterns-^.*\.site$
^.*\.space$                              check_badmailfrom_patterns-^.*\.space$
^.*\.tk$                                 check_badmailfrom_patterns-^.*\.tk$
^.*\.top$                                check_badmailfrom_patterns-^.*\.top$
^.*\.trade$                              check_badmailfrom_patterns-^.*\.trade$
^.*\.uno$                                check_badmailfrom_patterns-^.*\.uno$
^.*\.wan$                                check_badmailfrom_patterns-^.*\.wan$
^.*\.wang$                               check_badmailfrom_patterns-^.*\.wang$
^.*\.webcam$                             check_badmailfrom_patterns-^.*\.webcam$
^.*\.website$                            check_badmailfrom_patterns-^.*\.website$
^.*\.win$                                check_badmailfrom_patterns-^.*\.win$
^.*\.work$                               check_badmailfrom_patterns-^.*\.work$
^.*\.xyz$                                check_badmailfrom_patterns-^.*\.xyz$
^.*special.*\.net$                       check_badmailfrom_patterns-^.*special.*\.net$
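The two failure modes in this thread, a pasted list whose stray leading asterisks make every line an invalid Perl regex (reply #2, corrected in reply #6), and a VERP-style pattern that also catches legitimate mailing-list bounces unless their domains are whitelisted (replies #3 and #4), can both be caught on a workstation before anything goes into the server-manager field. The script below is an added example written for this thread; it is not code from qpsmtpd, from the badmailfrom plugin, or from the smeserver-wbl contrib. It assumes the `pattern<whitespace>response` line format quoted in reply #1, compiles each pattern with the same Perl regex engine qpsmtpd uses, and applies a simplified whitelist rule (exact sender-domain match) that stands in for the real 'qpsmtpd whitelistsenders' behaviour, which the thread does not spell out. The pattern list, the whitelist and the sample senders are constructed for the example.

```perl
#!/usr/bin/perl
# Added example (not qpsmtpd or smeserver-wbl code): validate a badmailfrom
# pattern list offline and dry-run it against sample envelope senders.
use strict;
use warnings;

# Constructed sample in the "pattern<whitespace>response" format from reply #1.
# The first entry deliberately reproduces the stray leading asterisk that
# broke the plugin in reply #2; the rest are taken from the thread's lists.
my $patterns_text = <<'END';
*^.*\.accountant$    check_badmailfrom_patterns-^.*\.accountant$
^.*@.*\.icu$         check_badmailfrom_patterns-^.*@.*\.icu$
^.*\.xyz$            check_badmailfrom_patterns-^.*\.xyz$
^.*\-.*\=smedomain\.tld\@.*\..*$    check_badmailfrom_patterns-VERP bounce address
END

# Constructed whitelist in the style of 'qpsmtpd whitelistsenders' (reply #2).
# Exact-domain matching here is an assumption, not the contrib's own rule.
my @whitelist_domains = qw(craigslist.org ruthschrismail.com);

# Parse the list and compile each pattern inside eval, so a malformed entry
# is reported with Perl's own reason instead of aborting the whole run the
# way it did inside the plugin.
sub load_patterns {
    my ($text) = @_;
    my (@rules, @errors);
    for my $line (split /\n/, $text) {
        next if $line =~ /^\s*(#|$)/;          # skip blanks and comments
        my ($pat, $response) = split /\s+/, $line, 2;
        $response = 'sender rejected' unless defined $response && length $response;
        my $re = eval { qr/$pat/ };
        if ($@) {
            (my $why = $@) =~ s/\s+at .*//s;   # drop the "at FILE line N" suffix
            push @errors, "$pat: $why";
            next;
        }
        push @rules, { re => $re, pattern => $pat, response => $response };
    }
    return (\@rules, \@errors);
}

# Decide the fate of one envelope sender: a whitelisted sender domain is
# exempt, otherwise the first matching pattern wins and its response is
# what would show up in the qpsmtpd log.
sub check_sender {
    my ($sender, $rules, $whitelist) = @_;
    my ($domain) = $sender =~ /\@([^@]+)$/;
    $domain = lc($domain // '');
    return ('whitelisted', undef) if grep { $domain eq lc $_ } @$whitelist;
    for my $r (@$rules) {
        return ('denied', $r->{response}) if $sender =~ $r->{re};
    }
    return ('accepted', undef);
}

my ($rules, $errors) = load_patterns($patterns_text);
print "Entries that would not compile:\n";
print "  $_\n" for @$errors;
print "Loaded ", scalar(@$rules), " usable patterns\n\n";

# Constructed sample senders: a .icu sender, a VERP-style bounce address
# from an unknown bulk host, the same shape from a whitelisted mailing-list
# domain, and an ordinary address that should pass untouched.
for my $sender (qw(
    someone@promo.example.icu
    x9f3k-user=smedomain.tld@bulk.example.net
    reply-abc=smedomain.tld@craigslist.org
    alice@example.com
)) {
    my ($verdict, $why) = check_sender($sender, $rules, \@whitelist_domains);
    printf "%-45s %s%s\n", $sender, $verdict, defined $why ? " ($why)" : '';
}
```

Run it with `perl check_badmailfrom.pl`; the asterisk-prefixed entry is reported as "Quantifier follows nothing" and skipped, the .icu and unknown VERP senders are denied with the response text from the second column, the craigslist.org bounce is exempted by the whitelist, and the plain address is accepted. Running a candidate list through a check like this before pasting it into the panel is what would have flagged the copy/paste error in reply #2 immediately, and feeding it a day's worth of real sender addresses from the qpsmtpd log shows which legitimate mailing lists a pattern such as the VERP rule would sweep up before it is deployed.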