Blocking by TLD or by keywords in sender address.


Bookworm


Postby Bookworm » Sun Jun 14, 2015 9:56 pm

In Configuration -> SMTP -> Connection Control -> Reject these senders' addresses.

*@*.work
*@*.eu
*@*.club
*@*.pw
*@*.science
*@*.info
*=domainname.tld@*
*@*.vn
*@*.link
*@*.website
*@*.rocks

If you notice, there's a cuckoo in there. I found that a number of sites use malformed email addresses as their return address. Those look mostly like this.

2015-06-14 08:23:00 H=(mail.virtualsorority.com) [23.226.218.167] F=<trackr-freighting=<domain>.net@virtualsorority.com> rejected RCPT <freighting@<domain>.net>: blacklisted sender: trackr-freighting=<domain>.net@virtualsorority.com
2015-06-14 08:23:01 H=(mail.virtualsorority.com) [23.226.218.167] F=<trackr-sdavis=<domain>.net@virtualsorority.com> rejected RCPT <sdavis@<domain>.net>: blacklisted sender: trackr-sdavis=<domain>.net@virtualsorority.com
2015-06-14 08:23:01 H=(mail.virtualsorority.com) [23.226.218.167] F=<trackr-asimmons=<domain>.net@virtualsorority.com> rejected RCPT <asimmons@<domain>.net>: blacklisted sender: trackr-asimmons=<domain>.net@virtualsorority.com
2015-06-14 08:23:02 H=(mail.virtualsorority.com) [23.226.218.167] F=<trackr-adrena=<domain>.net@virtualsorority.com> rejecte

What they're doing is trying to determine by the bounces what is a good or bad email address. If the site takes the email, processes it, then bounces it (Classic Microsoft Exchange behaviour), then they'll get back an address that says "hey, it's bad".

This appears to be _mostly_ legitimate mailing list software - but I still consider it abusive. I've already let MailChimp know that they're not going to get any email into that customer, period.

So, if you add in that equals sign and your domain name, you can easily knock a lot of UCE (if not spam) out of the system. For today - 15 hours on a Sunday - it's been 182 blocks. The really cute part? This is one of those that you'll see big sections of rejections, one after another, because the systems are too stupid to read 'blacklisted', and will rotate trying to send with every email they have for the domain name.

The main point of what I posted is that you can use some basic regex commands in the fields. Mostly to do with *, rather than using 'start of line', 'end of line', and other symbols.

Some caveats.

*@*.microsoft.com would block monkey@battery.microsoft.com - but would not block monkey@microsoft.com. That would require a separate regex of
*@microsoft.com

*@*.science blocks everything that's a .science domain. That includes monkey@money.pickle.science, or just monkey@pickle.science.

If it weren't for this specific customer having customers in Russia, as well as others that use .us domains, I'd be blocking .ru and .us as well. LOTS of spam with .us TLD markers. Same with .vn (Vietnam).

Be careful with TLD blocks. If you have _one_ domain you need information from, then you shouldn't use the block at all. Same with the =<domain>.tld blocks.

BW
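The wildcard list above, and the two caveats about *@*.microsoft.com and *@*.science, can be checked offline before putting the patterns into production. The script below is an added example and not MailCleaner's own code; it assumes that '*' matches any run of characters and that the whole envelope sender must match (MailCleaner's exact matching rules are not verified here), and it uses a constructed placeholder customer domain and constructed log lines modelled on the ones quoted in the post.

```python
import re

# Constructed placeholder for the customer's <domain>.tld in the post.
CUSTOMER_DOMAIN = "example-customer.net"

# The reject list from the post, with the "cuckoo" entry filled in.
REJECT_PATTERNS = [
    "*@*.work", "*@*.eu", "*@*.club", "*@*.pw", "*@*.science", "*@*.info",
    f"*={CUSTOMER_DOMAIN}@*",   # VERP-style bounce probes: user=domain@sender
    "*@*.vn", "*@*.link", "*@*.website", "*@*.rocks",
]

def glob_to_regex(pattern: str) -> re.Pattern:
    """Assumed semantics: '*' matches any run of characters, everything else
    is literal, the whole address must match, case-insensitively."""
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

COMPILED = [(p, glob_to_regex(p)) for p in REJECT_PATTERNS]

def matching_pattern(sender: str):
    """Return the first reject pattern that matches the envelope sender, else None."""
    for pattern, rx in COMPILED:
        if rx.match(sender):
            return pattern
    return None

def envelope_senders(log_text: str):
    """Pull the F=<...> envelope sender out of Exim-style reject log lines."""
    return re.findall(r"F=<([^>]*)>", log_text)

def classify_log(log_text: str):
    """Map each envelope sender in the log to the pattern that would reject it."""
    return [(s, matching_pattern(s)) for s in envelope_senders(log_text)]

# Constructed sample log, modelled on the rejections quoted in the post.
SAMPLE_LOG = f"""\
2015-06-14 08:23:00 H=(mail.example.invalid) [192.0.2.10] F=<trackr-freighting={CUSTOMER_DOMAIN}@example.invalid> rejected RCPT <freighting@{CUSTOMER_DOMAIN}>
2015-06-14 08:23:01 H=(mail.example.invalid) [192.0.2.10] F=<newsletter@pickle.science> rejected RCPT <sdavis@{CUSTOMER_DOMAIN}>
2015-06-14 08:23:02 H=(mail.example.invalid) [192.0.2.10] F=<monkey@microsoft.com> rejected RCPT <asimmons@{CUSTOMER_DOMAIN}>
"""

if __name__ == "__main__":
    for sender, pattern in classify_log(SAMPLE_LOG):
        print(f"{sender:60s} -> {pattern or 'accepted'}")
```

Running it shows the VERP-style probe and the .science sender caught, and monkey@microsoft.com passing, which is exactly the dotted-subdomain caveat: a *@*.tld pattern never matches a bare second-level domain.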
