Mail Content Filter to block a domain (TLD)

Discussion in 'General' started by onastvar, Dec 10, 2018.

  1. onastvar

    onastvar Member

    I'm trying to block the domain qq.com using Mail Content Filter. I followed this how-to, but I'm still getting emails in the JUNK folder from the qq.com domain. Any ideas how to block it from the server completely? (see attached Mail Content Filter for qq.com domain)
     


  2. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess you missed the \ for the dot before .com:
    qq\.com
     
  3. onastvar

    onastvar Member

    Thank you Till! I made an update, I'll watch to see what happens now.
     
  4. onastvar

    onastvar Member

    I'm still getting SPAM from the qq.com domain after I updated the
    Regexp. Pattern: /<[email protected]+?\.qq\.com>/
    in Mail Content Filter.

    Code:
    Return-Path: <[email protected]>
    Delivered-To: [email protected]
    Received: from localhost (localhost.localdomain [127.0.0.1])
        by sun.mydomain.com (Postfix) with ESMTP id 3BFC91488F69
        for <[email protected]>; Mon, 10 Dec 2018 15:16:56 -0600 (CST)
    X-Virus-Scanned: Debian amavisd-new at sun.mydomain.com
    X-Spam-Flag: YES
    X-Spam-Score: 10.487
    X-Spam-Level: **********
    X-Spam-Status: Yes, score=10.487 tagged_above=1 required=4.5
        tests=[BAYES_50=0.8, FREEMAIL_DISPTO=0.249,
        FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001,
        FROM_EXCESS_BASE64=0.979, HTML_MESSAGE=0.001,
        HTML_MIME_NO_HTML_TAG=0.377, MIME_HTML_ONLY=0.723,
        RCVD_IN_RP_RNBL=1.31, RCVD_IN_SORBS_DUL=0.001, RDNS_NONE=0.793,
        SCHAALIT_HEADER_3635=5, SPF_FAIL=0.001, SPF_HELO_FAIL=0.001,
        UNPARSEABLE_RELAY=0.001] autolearn=no autolearn_force=no
    Received: from sun.mydomain.com ([127.0.0.1])
        by localhost (sun.mydomain.com [127.0.0.1]) (amavisd-new, port 10024)
        with ESMTP id Qq6g-5nf2aNF for <[email protected]>;
        Mon, 10 Dec 2018 15:16:54 -0600 (CST)
    Received: from qq.com (unknown [125.118.240.17])
        by sun.mydomain.com (Postfix) with SMTP id 0022B1488E9C
        for <[email protected]>; Mon, 10 Dec 2018 15:16:53 -0600 (CST)
    Received: from qq.com (unknown (196.223.112.135])
        by qq.com with SMTP id fdcb31d2-43ba-445a-8167-1cec4abe1812;
        for <[email protected]>;Tue, 11 Dec 2018 05:16:41 +08:00
    Message-ID: <[email protected]>
    From: "=?utf-8?B?55m96Im+6KeC?=" <[email protected]>
    To: <[email protected]>
    Subject:
        =?UTF-8?Q?***SPAM***drZbqmiRE=EF=BC=9A=E5=B9=B8=E7=A6=8F=E9=95=BF=E5=8F?=
        =?UTF-8?Q?=88=E9=95=BF=EF=BC=81=E5=A8=B1=E4=B9=90=E5=9F=8E=E7=9C=9F=E4=BA?=
        =?UTF-8?Q?=BA=E5=8D=9A(=E5=BD=A9=E5=B9=B3=E5=8F=B0=EF=BC=81=E9=A9=BB*=E6?=
        =?UTF-8?Q?=81=BB=E5=B6=BA18=E2=92=8F=E7=B6=B5-=E9=87=91~=E6=89=BE=E4=BC?=
        =?UTF-8?Q?=81=E2=80=A6=E9=B9=85862070751=E6=B8=85=E5=BB=89604951-C?= 0
        M
    Date: Tue, 11 Dec 2018 05:16:41 +0800
    MIME-Version: 1.0
    Content-Type: text/html;
        charset="utf-8"
    Content-Transfer-Encoding: quoted-printable
    Disposition-Notification-To: [email protected]
     
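As an added example (not from this thread and not ISPConfig's own code), a small Python check that applies a Postfix header_checks-style /pattern/ line by line to a constructed header block modelled on the message quoted above (addresses are placeholders). It shows what an unescaped dot matches, and that a pattern requiring a dot before qq.com never matches a bare user@qq.com sender:

```python
import re

# Constructed sample headers, modelled on the quoted message (placeholder addresses).
HEADERS = """\
Return-Path: <sender123@qq.com>
From: "=?utf-8?B?55m96Im+6KeC?=" <sender123@qq.com>
To: <user@example.com>
Subject: ***SPAM*** offer
"""


def header_matches(pattern: str, raw_headers: str) -> list[str]:
    """Return the header lines that a /pattern/ expression matches.

    Postfix header_checks tests each (unfolded) header line on its own,
    case-insensitively, so we mimic that instead of matching the whole block.
    """
    body = pattern.strip()
    if body.startswith("/") and body.endswith("/"):
        body = body[1:-1]          # strip the surrounding / delimiters
    rx = re.compile(body, re.IGNORECASE)
    return [line for line in raw_headers.splitlines() if rx.search(line)]


# Three candidate patterns for blocking qq.com senders:
UNESCAPED = r"/qq.com/"                          # '.' matches any character
NEEDS_SUBDOMAIN = r"/<[^>]*@[^>]*\.qq\.com>/"     # requires something.qq.com
DOMAIN_OR_SUB = r"/<[^>]*@([^>]*\.)?qq\.com>/"    # qq.com or any subdomain


if __name__ == "__main__":
    for label, pat in (("unescaped", UNESCAPED),
                       ("needs subdomain", NEEDS_SUBDOMAIN),
                       ("domain or subdomain", DOMAIN_OR_SUB)):
        print(f"{label:20s} {pat:32s} -> {header_matches(pat, HEADERS)}")
    # The unescaped dot also hits look-alike domains such as qqxcom:
    print("unescaped vs qqxcom  ->", header_matches(UNESCAPED, "From: <x@qqxcom.example>"))
```

Only the last pattern catches the quoted sender; the unescaped form also fires on look-alike domains, and the subdomain-only form is why a filter can look correct yet let user@qq.com through.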
  5. Jesse Norell

    Jesse Norell Well-Known Member

  6. onastvar

    onastvar Member

    Thank you Jesse!
    Updated.
    I'll wait to see if any SPAM from qq.com gets delivered.
     
  7. onastvar

    onastvar Member

    Jesse, thank you, the above code worked. Somehow I'm getting lots of SPAM from other TLDs; I would have to block each domain manually. What's the best approach to fight SPAM? Do I block a whole country, or a TLD such as .ru or .cz, etc.?
     
  8. Jesse Norell

    Jesse Norell Well-Known Member

    Just like security, the best approach is multiple/layered. Some things to get started: install postscreen using weighted RBLs (and use postwhite along with it), make sure you're running a recent version of spamassassin, and configure optional plugins for it (pyzor, razor, dcc, txrep, hashbl, etc.; browse through the /etc/spamassassin/*.pre files and see what plugins are available but commented out, check the docs for each one and configure/use the ones that are appropriate), keep a corpus of hand-sorted spam/ham and train (bayes and txrep) from that.

    There is a lot more you can do (consult the spamassassin documentation and users list archives for ideas), but that's a start. TLD blocking works really well for some TLDs (I don't use country TLDs offhand, but you could if your userbase is small/known to not need those). I haven't used greylisting for a few years, as postscreen offers a similar effect with less legitimate mail interfered with, but I recently added selective greylisting back in using mtpolicyd, and it has been very effective for delaying zero-day spam long enough to get added to blacklists/checksum databases. (Selective as in not all mail gets greylisted, e.g. servers on the dnswl high trust level bypass it, etc.)
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    As a short outlook into the future: ISPConfig 3.2 comes with support for rspamd (as an optional amavisd replacement). The filter rate of rspamd is much better than spamassassin/amavis in our tests, and it is way faster too. The code was submitted to master a few days ago, but the master branch is undergoing major changes at the moment, so it is nothing that you should install on a live server for now.
     
  10. onastvar

    onastvar Member

    Thank you Jesse! I already have postscreen & postwhite installed/configured. I do have to check the spamassassin version. I run OS updates (aptitude -y upgrade) on my servers as soon as they become available; would they update spamassassin? I do have to look at the plugins (pyzor, razor, dcc, txrep, hashbl, etc.).

    For the user who had SPAM issues I went to MAIL DOMAIN and set Spamfilter to "Delete SPAM", which seems to minimize the SPAM the user was getting.

    Till, that's great news, keep up the good work and thank you; looking forward to the 3.2 release.

    As we all know, SPAM is a big issue nowadays; somehow spammers are always ahead of us and always find new ways to SPAM our inboxes.
     
    Last edited: Dec 21, 2018
  11. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    This will not update the rulesets for spamassassin. We use a script that checks for updates every hour and updates spamassassin if new rules are available: https://sa.schaal-it.net/
     
  12. onastvar

    onastvar Member

    Thanks Florian! I installed your shell script in /etc/cron.hourly a while ago.
     