Block a whole tld with SpamAssassin
Does anyone know what code to use to block an entire tld? I know it's considered bad practice but in this case I don't believe it is.
We're getting an enormous amount of spam from the .faith tld which is an el cheapo tld. I've contacted the .faith registrar but they don't care so I'm happy to block it completely from our servers.
Normally I would just go into Webmin > Servers > SpamAssassin Mail Filter > Denied Addresses and enter a wild card for all emails coming from a certain address but it's too time consuming for this tld.
Sorry, I don't have an answer to your actual question. I hope you don't mind if I share what I do instead.
I block them at the SMTP level - the email doesn't even make it to spamassassin as it doesn't get accepted in the first place.
Here's how:
In /etc/postfix/main.cf, I have the following line:
header_checks = regexp:/etc/postfix/header_checks
Place it above your other spam and authenticity checks.
Then, create the file /etc/postfix/header_checks
In it, you can put a bunch of things, but to block a TLD, add the following:
# Some TLD rejections. Kill entire countries.
# List of country TLDs - http://www.iana.org/domains/root/db/
/^Received: .*\.gt .*$/ REJECT Sorry, too much spam from Guatemala
/^Received: .*\.tw .*$/ REJECT Sorry, too much spam from Taiwan
/^Received: .*\.kr .*$/ REJECT Sorry, too much spam from Korea
/^Received: .*\.cr .*$/ REJECT Sorry, too much spam from Costa Rica
/^Received: .*\.cn .*$/ REJECT Sorry, too much spam from China
/^Received: .*\.ru .*$/ REJECT Sorry, too much spam from RU
/^Received: .*\.br .*$/ REJECT Sorry, too much spam from Brazil
/^Received: .*\.th .*$/ REJECT Sorry, too much spam from Thailand
/^Received: .*\.tr .*$/ REJECT Sorry, too much spam from Turkey
I also like to rub out some known problem ISPs with:
# Kill known spamming ISPs
/^Received: .*\.dynamic\.hinet\.net .*$/ REJECT Sorry, too much spam from HINET
Save the file and restart postfix.
This isn't a silver bullet, but I find it helpful.
Edit: Doh, I just reread that you want to kill the *.faith TLD. Sorry, the above might not be that helpful for that case (although it might be for others, so I'll leave it).
Try this instead/as well.
In /etc/postfix/main.cf, add the following line within the "smtpd_recipient_restrictions" section.
check_sender_access hash:/etc/postfix/sender_access,
You might end up with a code block that looks something like this:
smtpd_recipient_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_pipelining,
    reject_non_fqdn_recipient,
    reject_unauth_destination,
    check_sender_access hash:/etc/postfix/sender_access,
    reject_rbl_client zen.spamhaus.org
Then, create a file named /etc/postfix_sender_access. In it, put what you need, but the following might give you some hints. In case you aren't aware, don't start your line with the hash. It means the line should be ignored.
#/etc/postfix/sender_access
#
# Black/Whitelist for senders matching the 'MAIL FROM' field.
#
###############################################################
# You must run the following command after making changes here.
#
# postmap /etc/postfix/sender_access
#
###############################################################
# Examples..
#
#myfriend@example.com OK
#junk@spam.com REJECT
#marketing@ REJECT We don't want any marketing emails, thanks.
#theboss@ OK
#deals.marketing.com REJECT
#somedomain.com OK
Note the line that says you need to run the command "postmap /etc/postfix/sender_access" every time you make changes to that file.
Again, you should restart postfix after adding this change.
Legend!! Works like a dream :) Thanks for taking the time.
Thanks, works for me too, only one typo: "Then, create a file named /etc/postfix_sender_access." should be "Then, create a file named /etc/postfix/sender_access."
@noisemarine: Thank you for taking the effort to post this. However, I have some questions. I hope you are still active on this forum.
The original question was about blocking complete TLDs. Then you post a solution (header_checks) which IMHO should work for TLDs. Not just for countries. Still, you apologize for not giving the correct information. ( Edit: Doh, I just reread that you want to kill the *.faith TLD. ) And then you provide the solution based on check_sender_access.
Question: Why do you say your first solution would not work for the .faith TLD? I am asking because I am afraid I don't understand what the issue is.
Secondly, in the hash /etc/postfix/sender_access I have added the line
.icu REJECT
Would that be equal to the regexp "*.icu$"? So the domain .icurse.com should not be blocked?
If not, should I create a regexp: file instead of a hash: file? But you had a reason to choose a hash: file, not a regexp: file, right? What is it?
Addition to the previous post. The line
.icu REJECT
did not block any mails from the domain, no matter what. This is the relevant line from main.cf:
smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
The common pitfalls like putting permit_sasl_authenticated were not applicable. I did run postmap, I did reload postfix. Then I changed the file to a regexp file and the smtpd_recipient_restrictions to:
smtpd_recipient_restrictions = check_sender_access regexp:/etc/postfix/sender_access, . . .
and the contents of the sender_access to:
<snip>
/.*\.icu$/ REJECT
<snip>
And that worked as expected. Apparently I answered some of my own questions in the previous post. Although I still don't understand why the hash: file did not reject the mails from *.icu.
jlinkels, good questions. Sorry, I only just saw your posts.
In the first case, the header_checks could be manipulated to achieve the TLD block, but it would require a little more finagling with regexps. It literally looks at the headers, so you would be wanting to create a line that looks for the "From: ...." header and then writing a potentially tricky regexp that only catches what you want. View the headers of an email you have received and you can get an idea of the regexp you would need. The check_sender_access feature lets mere mortals achieve a similar thing without having to get too down and dirty with regular expressions.
The reason I said the header_checks wouldn't work as posted was the regexps were looking at the Received header, which is added by each server in the chain of delivery. For country blocks and such, that is useful as most ISPs would have configured their server hostnames and rDNS appropriately. But, they had nothing to do with what email address the sender is claiming to have, which is what the OP was looking to filter. Again, that is where check_sender_access is better suited as it looks at the MAIL FROM command.
Regarding your hash not working, you found one of the limitations of the ACCESS feature of postfix - it doesn't work with that pattern. Have a look at the HOST NAME/ADDRESS PATTERNS section of
http://www.postfix.org/access.5.html
for valid options, even though you found a workaround.
Hi noisemarine. Thanks for posting your explanation. We'll continue struggling to keep that crap out of our servers.
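Added example, not part of any post in this thread: a simplified Python model of the sender lookup described in the HOST NAME/ADDRESS PATTERNS and EMAIL ADDRESS PATTERNS sections of access(5), showing which keys a hash: table is asked for and how that differs from a regexp: table. The sample addresses and tables are constructed, and the function names are hypothetical; the model assumes the stock parent_domain_matches_subdomains setting, which lists smtpd_access_maps.

```python
import re

def lookup_keys(sender, parent_matches_subdomains=True):
    """Keys tried, in order, for a MAIL FROM address in an indexed (hash:) table.

    Simplified model of access(5): full address, the domain, each parent
    domain, then "localpart@". Parent domains are tried without a leading
    dot when smtpd_access_maps is in parent_domain_matches_subdomains
    (the default), and with a leading dot otherwise.
    """
    local, _, domain = sender.lower().rpartition("@")
    keys = [f"{local}@{domain}", domain]
    rest = domain
    while "." in rest:
        rest = rest.split(".", 1)[1]
        keys.append(rest if parent_matches_subdomains else "." + rest)
    keys.append(local + "@")
    return keys

def hash_verdict(sender, table, parent_matches_subdomains=True):
    """First matching key wins; None means the table had no opinion."""
    for key in lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return table[key]
    return None

def regexp_verdict(sender, rules):
    """regexp: tables test each pattern against the whole address, in order."""
    for pattern, action in rules:
        if re.search(pattern, sender, re.IGNORECASE):
            return action
    return None

if __name__ == "__main__":
    # Constructed sample senders and tables.
    senders = ["spam@mail.example.icu", "user@icurse.com"]
    dotted = {".icu": "REJECT"}             # the entry tried in the thread
    bare = {"icu": "REJECT"}                # same entry without the dot
    anchored = [(r".*\.icu$", "REJECT")]    # the regexp from the thread
    for s in senders:
        print(s, lookup_keys(s))
        print("  hash '.icu':", hash_verdict(s, dotted))
        print("  hash 'icu' :", hash_verdict(s, bare))
        print("  regexp     :", regexp_verdict(s, anchored))
```

On a real server, `postmap -q <key> hash:/etc/postfix/sender_access` shows whether a given key is present in the compiled table.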