Block a whole tld with SpamAssassin

#1 Thu, 08/17/2017 - 23:36
crewmark

Does anyone know what code to use to block an entire tld? I know it's considered bad practice but in this case I don't believe it is.

We're getting an enormous amount of spam from the .faith tld which is an el cheapo tld. I've contacted the .faith registrar but they don't care so I'm happy to block it completely from our servers.

Normally I would just go into Webmin > Servers > SpamAssassin Mail Filter > Denied Addresses and enter a wild card for all emails coming from a certain address but it's too time consuming for this tld.

Fri, 08/18/2017 - 04:36
noisemarine

Sorry, I don't have an answer to your actual question. I hope you don't mind if I share what I do instead.

I block them at the SMTP level - the email doesn't even make it to spamassassin as it doesn't get accepted in the first place.

Here's how:

In /etc/postfix/main.cf, I have the following line:

header_checks = regexp:/etc/postfix/header_checks

Place it above your other spam and authenticity checks.

Then, create the file /etc/postfix/header_checks

In it, you can put a bunch of things, but to block a TLD, add the following:

# Some TLD rejections. Kill entire countries.
# List of country TLDs - http://www.iana.org/domains/root/db/
/^Received: .*\.gt .*$/ REJECT Sorry, too much spam from Guatemala
/^Received: .*\.tw .*$/ REJECT Sorry, too much spam from Taiwan
/^Received: .*\.kr .*$/ REJECT Sorry, too much spam from Korea
/^Received: .*\.cr .*$/ REJECT Sorry, too much spam from Costa Rica
/^Received: .*\.cn .*$/ REJECT Sorry, too much spam from China
/^Received: .*\.ru .*$/ REJECT Sorry, too much spam from RU
/^Received: .*\.br .*$/ REJECT Sorry, too much spam from Brazil
/^Received: .*\.th .*$/ REJECT Sorry, too much spam from Thailand
/^Received: .*\.tr .*$/ REJECT Sorry, too much spam from Turkey

I also like to rub out some known problem ISPs with:

# Kill known spamming ISPs
/^Received: .*\.dynamic\.hinet\.net .*$/ REJECT Sorry, too much spam from HINET

Save the file and restart postfix.

This isn't a silver bullet, but I find it helpful.

Edit: Doh, I just reread that you want to kill the *.faith TLD. Sorry, the above might not be that helpful for that case (although it might be for others, so I'll leave it).

Try this instead/as well.

In /etc/postfix/main.cf, add the following line within the "smtpd_recipient_restrictions" section.

check_sender_access hash:/etc/postfix/sender_access,

You might end up with a code block that looks something like this:

smtpd_recipient_restrictions = permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_pipelining,
                               reject_non_fqdn_recipient,
                               reject_unauth_destination,
                               check_sender_access hash:/etc/postfix/sender_access,
                               reject_rbl_client zen.spamhaus.org

Then, create a file named /etc/postfix_sender_access. In it, put what you need, but the following might give you some hints. In case you aren't aware, don't start your line with the hash. It means the line should be ignored.

#/etc/postfix/sender_access
#
# Black/Whitelist for senders matching the 'MAIL FROM' field.
#
###############################################################
# You must run the following command after making changes here.
#
#       postmap /etc/postfix/sender_access
#
###############################################################
# Examples..
#
#myfriend@example.com   OK
#junk@spam.com          REJECT
#marketing@             REJECT We don't want any marketing emails, thanks.
#theboss@               OK
#deals.marketing.com    REJECT
#somedomain.com         OK

Note the line that says you need to run the command "postmap /etc/postfix/sender_access" every time you make changes to that file.

Again, you should restart postfix after adding this change.
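
To make the lookup order concrete, here is an added Python model (written for this edit; it is not Postfix code and not anything posted in this thread) of how check_sender_access consults a hash: table versus a regexp: table, following the EMAIL ADDRESS PATTERNS and REGULAR EXPRESSION TABLES sections of access(5). The table entries and addresses are constructed. The bare TLD key `faith` assumes the default value of parent_domain_matches_subdomains, which lists smtpd_access_maps; the model also shows what changes when that string is removed.

```python
import re

# Constructed hash-style table, standing in for what `postmap` builds from
# /etc/postfix/sender_access. postmap folds keys to lower case, so the model
# stores them lower-cased too. The action is the text after the key.
SENDER_ACCESS = {
    "faith": "REJECT Sorry, too much spam from this TLD",
    "junk@spam.com": "REJECT",
    "marketing@": "REJECT We don't want any marketing emails, thanks.",
    "somedomain.com": "OK",
}


def lookup_keys(sender, parent_matches_subdomains=True):
    """Keys check_sender_access tries for one MAIL FROM address, in order.

    Per access(5): user@domain, then the domain and each parent domain down
    to the TLD, then user@. With the default parent_domain_matches_subdomains
    (which lists smtpd_access_maps) the parent keys are bare ("faith");
    with smtpd_access_maps removed from that setting they carry a leading
    dot (".faith"). Editor's model, not Postfix's own code.
    """
    sender = sender.lower()
    if "@" not in sender:
        return [sender]
    local, domain = sender.rsplit("@", 1)
    keys = [sender, domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    keys.append(local + "@")
    return keys


def hash_sender_access(sender, table=SENDER_ACCESS, parent_matches_subdomains=True):
    """First key present in the table wins; DUNNO means 'no opinion, go on'."""
    for key in lookup_keys(sender, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, "DUNNO"


# regexp: tables work differently: every pattern is applied to the whole
# address, in file order; there is no parent-domain or user@ splitting.
REGEXP_SENDER_ACCESS = [
    (r"^.*\.faith$", "REJECT Sorry, too much spam from this TLD"),
]


def regexp_sender_access(sender, rules=REGEXP_SENDER_ACCESS):
    for pattern, action in rules:
        # Postfix regexp tables are case-insensitive unless told otherwise.
        if re.search(pattern, sender, re.IGNORECASE):
            return pattern, action
    return None, "DUNNO"


if __name__ == "__main__":
    for addr in ("spammer@cheap.faith", "marketing@example.com",
                 "theboss@somedomain.com", "user@faithful.com"):
        print(addr, lookup_keys(addr), hash_sender_access(addr))
    # A leading-dot key is only consulted when smtpd_access_maps is NOT in
    # parent_domain_matches_subdomains (non-default):
    dotted = {".faith": "REJECT"}
    print(hash_sender_access("x@cheap.faith", dotted))
    print(hash_sender_access("x@cheap.faith", dotted, False))
```

Two things the model makes visible: the domain keys are tried before the `user@` key, so `theboss@somedomain.com` is answered by the `somedomain.com OK` entry, and a bare TLD key such as `faith` only catches addresses whose domain ends in that label, so `user@faithful.com` passes. Either table form rejects at the SMTP envelope stage, before any message data is accepted, but both only see the address the client claims in MAIL FROM, which a spammer can forge; a TLD entry here stops mail claiming that TLD, not mail relayed through hosts under it.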

Mon, 08/21/2017 - 16:07
crewmark

Legend!! Works like a dream :) Thanks for taking the time.

Thu, 08/09/2018 - 10:29
liviu24

Thanks, works for me too, only one typo: "Then, create a file named /etc/postfix_sender_access." should be "Then, create a file named /etc/postfix/sender_access."

Wed, 07/31/2019 - 08:10
jlinkels

@noisemarine: Thank you for taking the effort to post this. However, I have some questions. I hope you are still active on this forum.

The original question was about blocking complete TLDs. Then you post a solution (header_checks) which IMHO should work for TLDs. Not just for countries. Still, you apologize for not giving the correct information. (Edit: Doh, I just reread that you want to kill the *.faith TLD.) And then you provide the solution based on check_sender_access.

Question: Why do you say your first solution would not work for the .faith TLD? I am asking because I am afraid I don't understand what the issue is.

Secondly, in the hash /etc/postfix/sender_access I have added the line

.icu              REJECT

Would that be equal to the regexp "*.icu$"? So the domain .icurse.com should not be blocked?

If not, should I create a regexp: file instead of a hash: file? But you had a reason to choose a hash: file, not a regexp: file, right? What is it?

Thu, 08/01/2019 - 08:45
jlinkels

Addition to the previous post. The line

.icu          REJECT

did not block any mails from the domain, no matter what. This is the relevant line from main.cf:

smtpd_recipient_restrictions = check_sender_access hash:/etc/postfix/sender_access,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination

The common pitfalls like putting permit_sasl_authenticated were not applicable. I did run postmap, I did reload postfix. Then I changed the file to a regexp file and the smtpd_recipient_restrictions to:

smtpd_recipient_restrictions = check_sender_access regexp:/etc/postfix/sender_access, . . .

and the contents of the sender_access to:

<snip>
/.*\.icu$/                              REJECT
<snip>

And that worked as expected. Apparently I answered some of my own questions in the previous post. Although I still don't understand why the hash: file did not reject the mails from *.icu.

Sat, 08/03/2019 - 17:20
noisemarine

jlinkels, good questions. Sorry, I only just saw your posts.

In the first case, the header_checks could be manipulated to achieve the TLD block, but it would require a little more finagling with regexps. It literally looks at the headers, so you would want to create a line that looks for the "From: ...." header and then write a potentially tricky regexp that only catches what you want. View the headers of an email you have received and you can get an idea of the regexp you would need. The check_sender_access feature lets mere mortals achieve a similar thing without having to get too down and dirty with regular expressions.

The reason I said the header_checks wouldn't work as posted was the regexps were looking at the Received header, which is added by each server in the chain of delivery. For country blocks and such, that is useful as most ISPs would have configured their server hostnames and rDNS appropriately. But, they had nothing to do with what email address the sender is claiming to have, which is what the OP was looking to filter. Again, that is where check_sender_access is better suited as it looks at the MAIL FROM command.

Regarding your hash not working, you found one of the limitations of the ACCESS feature of postfix - it doesn't work with that pattern. Have a look at the HOST NAME/ADDRESS PATTERNS section of http://www.postfix.org/access.5.html for valid options, even though you found a workaround.
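
The Received-versus-From distinction above is easy to see by running a header_checks table over two constructed messages. The following Python model is added for this edit (it is not Postfix code and not from anyone in this thread); the patterns, hostnames and addresses are constructed, using reserved example names. The first rule is the Received-based shape from the earlier post, the second is a From-based rule of the kind described above.

```python
import re

# Constructed header_checks table: (pattern, action) pairs, applied in order.
# Postfix regexp tables are case-insensitive unless the pattern says otherwise.
HEADER_CHECKS = [
    (r"^Received: .*\.faith .*$",
     "REJECT Sorry, too much spam from this TLD (matched relay hostname)"),
    (r"^From: .*@[^\s>]*\.faith>?\s*$",
     "REJECT Sorry, too much spam from this TLD (matched sender address)"),
]


def header_checks(headers, rules=HEADER_CHECKS):
    """Return (header, action) for the first header a rule matches.

    Models Postfix header_checks: the cleanup server presents each logical
    header (continuation lines already joined) to the table, and the first
    matching pattern decides. Editor's model, not Postfix's own code.
    """
    for header in headers:
        for pattern, action in rules:
            if re.search(pattern, header, re.IGNORECASE):
                return header, action
    return None, "DUNNO"


# Constructed message 1: a .faith sender address, but handed to us by a relay
# whose hostname has nothing to do with .faith (queue id is made up).
RELAYED_FROM_FAITH = [
    "Received: from mx.example.net (mx.example.net [192.0.2.25]) "
    "by mail.example.com (Postfix) with ESMTPS id ABCDEF1234; "
    "Thu, 17 Aug 2017 23:00:00 +0000",
    'From: "Deals" <deals@offers.faith>',
    "To: user@example.com",
    "Subject: you won",
]

# Constructed message 2: delivered directly from a host under .faith.
DIRECT_FROM_FAITH = [
    "Received: from mail.offers.faith (mail.offers.faith [198.51.100.7]) "
    "by mail.example.com (Postfix) with ESMTP id ABCDEF5678; "
    "Thu, 17 Aug 2017 23:05:00 +0000",
    "From: deals@offers.faith",
    "Subject: you won again",
]

RECEIVED_RULE_ONLY = HEADER_CHECKS[:1]


if __name__ == "__main__":
    # With only the Received rule, message 1 slips through: the rule looks
    # at the relay chain, not at what the sender claims to be.
    print(header_checks(RELAYED_FROM_FAITH, RECEIVED_RULE_ONLY))
    # The From rule catches it.
    print(header_checks(RELAYED_FROM_FAITH))
    # Message 2 is caught by the Received rule because the relay is under .faith.
    print(header_checks(DIRECT_FROM_FAITH))
```

Two caveats worth keeping in mind when choosing between the two mechanisms: header_checks run in the cleanup server after the whole message has been accepted over SMTP (the REJECT is returned at end of DATA), whereas check_sender_access rejects at the envelope stage before any data is transferred; and a Received-based rule judges every hop in the chain, so it also rejects legitimate mail that merely passed through a relay whose hostname ends in the blocked TLD.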

Sun, 08/04/2019 - 13:53
jlinkels

Hi noisemarine. Thanks for posting your explanation. We'll continue struggling to keep that crap out of our servers.
