Koozali.org: home of the SME Server

Urgent - How to block one incoming email address

Damian

« on: April 27, 2005, 07:15:33 AM »
We're being hit by a dozen emails a minute from one external address and I've searched through the forums for a solution for blocking one address. The received wisdom appears to be to wait until the address appears in an RBL blacklist, but it appears that after 10 hours of this activity it still isn't in a list.
Can SME 6.0 c/w Knuddi's Clam & Spamassassin contribs be made to block a single incoming address? This is killing SME right now. Blocking port 25 at the FW calms the system down, so I'm fairly sure it's that.
Thanks,
Damian

SME 6.0 Server Mode
Smoothwall FW
System load - yoyos between 10 and 40!

cc_skavenger

« Reply #1 on: April 27, 2005, 07:56:40 AM »
Add the ip block in /etc/hosts.deny and reboot.
That should take care of it.

HTH

Damian

« Reply #2 on: April 27, 2005, 09:40:45 AM »
Thanks for the quick response Marco.
If the mail came in directly from her that would work but it's coming through our ISP mail relay (possibly due to the SME loading, mail is being delivered to the alternate MX and then forwarded on). If I deny the alt MX server then most mail will stop.
Can it be done within SA using the From: field?
Thanks,
Damian

raem

« Reply #3 on: April 27, 2005, 10:50:49 AM »
If you want to block actual email address(es) or domains at the smtp level then install
dungog-mailblocking-1.1-2.noarch.rpm
from
http://www.dungog.net/sme/files/
and configure the server manager panel accordingly.

Excerpt from panel:
"You may define rules that are applied during smtp connections. The rules can either accept or reject a sender from e-mailing a designated destination. The default rules permit anyone internal to send to anyone external. In addition anyone external may send to any valid internal e-mail address. You may define custom rules below to override these defaults."
...

Damian

« Reply #4 on: April 27, 2005, 11:01:07 AM »
Thanks Ray.
That looks like just the job. I'll try it when I get back.
Damian

hordeusr

« Reply #5 on: April 27, 2005, 04:02:08 PM »
You may want to consider ASSP for spam filtering.  In my experience it's much more efficient at blocking spam, and does it at the smtp level.  Blocking an individual address is possible, but I've never had the need.  If you report the spam to ASSP it learns quick.

Damian

« Reply #6 on: April 27, 2005, 04:13:14 PM »
Thanks, I'll have a look at it.
In the case of this server it's remote (about 45 miles away) so it's a brave man that upgrades a production server by remote :o)
I'll do some testing on a dev box first.
Damian

cc_skavenger

« Reply #7 on: April 27, 2005, 05:12:17 PM »
You can also look at the mailfront rules contrib.

Damian

« Reply #8 on: April 27, 2005, 07:10:41 PM »
OK, I had to install dungog-mailblocking-1.0-4.noarch.rpm instead as dungog-mailblocking-1.1-2.noarch.rpm is for SME 6.5 or above.
I added the rules in the panel and it has no effect. I restarted SME but it still accepts the stuff. Excerpt from /var/log/smtpfront-qmail/current:

@40000000426fc6102f0d43e4 smtpfront-qmail[2581]: RCPT TO:<nigel.bond@xxxx.co.uk>
@40000000426fc6170dbc26c4 smtpfront-qmail[2581]: Accepted message qp 3174 bytes 34517
@40000000426fc6172d46d00c smtpfront-qmail[2581]: MAIL FROM:<katherineb@calloptions.biz>
@40000000426fc6172d46feec smtpfront-qmail[2581]: RCPT TO:<nigel.bond@xxxx.co.uk>
@40000000426fc61e2fc7ba44 smtpfront-qmail[2581]: Accepted message qp 3192 bytes 35569
@40000000426fc61f2e9f7a6c smtpfront-qmail[2581]: MAIL FROM:<katherineb@calloptions.biz>
@40000000426fc61f2e9fa94c smtpfront-qmail[2581]: RCPT TO:<nigel.bond@xxxx.co.uk>

From the dungog panel:

Rule: Reject
From: katherineb@calloptions.biz
To: nigel.bond@xxxx.co.uk

Any ideas where I can check to get this going?

Thanks

cc_skavenger

« Reply #9 on: April 27, 2005, 07:33:35 PM »
Why don't you try:
reject
FROM:  *@calloptions.biz
TO: *@*

This is what I do for the mailfront mailrules.
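As an added illustration (not code from the thread, from mailfront or from the dungog panel), this is how a reject rule of the shape above is evaluated against the MAIL FROM / RCPT TO pairs that smtpfront-qmail logs; the wildcard matching, first-match-wins order and default accept are assumptions for illustration only.

```python
import fnmatch
import re

# Constructed rule in the shape shown above (reject / FROM: / TO:). Wildcard
# semantics and first-match-wins evaluation are assumptions for illustration,
# not mailfront's or the dungog panel's own parser.
RULES = [
    {"action": "reject", "from": "*@calloptions.biz", "to": "*@*"},
]

# Constructed log excerpt in the /var/log/smtpfront-qmail/current format posted
# earlier in the thread; the second session (pid 2582, example.org) is made up
# to show a sender the rule does not match.
LOG = """\
@40000000426fc6172d46d00c smtpfront-qmail[2581]: MAIL FROM:<katherineb@calloptions.biz>
@40000000426fc6172d46feec smtpfront-qmail[2581]: RCPT TO:<nigel.bond@xxxx.co.uk>
@40000000426fc61e2fc7ba44 smtpfront-qmail[2581]: Accepted message qp 3192 bytes 35569
@40000000426fc61f2e9f7a6c smtpfront-qmail[2582]: MAIL FROM:<someone@example.org>
@40000000426fc61f2e9fa94c smtpfront-qmail[2582]: RCPT TO:<nigel.bond@xxxx.co.uk>
"""

ENVELOPE_RE = re.compile(r"smtpfront-qmail\[(\d+)\]: (MAIL FROM|RCPT TO):<([^>]*)>")

def transactions(log_text):
    """Yield (sender, recipient) pairs, pairing each RCPT TO with the MAIL FROM
    of the same session (pid), since concurrent sessions interleave in the log."""
    senders = {}
    for line in log_text.splitlines():
        m = ENVELOPE_RE.search(line)
        if not m:
            continue
        pid, verb, addr = m.group(1), m.group(2), m.group(3).lower()
        if verb == "MAIL FROM":
            senders[pid] = addr
        elif pid in senders:
            yield senders[pid], addr

def decide(sender, rcpt, rules=RULES):
    """First matching rule wins; no match falls back to accept (the panel's default for inbound mail)."""
    for rule in rules:
        if fnmatch.fnmatchcase(sender, rule["from"].lower()) and \
           fnmatch.fnmatchcase(rcpt, rule["to"].lower()):
            return rule["action"]
    return "accept"

def evaluate(log_text, rules=RULES):
    """Apply the rules to every envelope pair found in the log."""
    return [(s, r, decide(s, r, rules)) for s, r in transactions(log_text)]
```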

Damian

« Reply #10 on: April 27, 2005, 07:54:12 PM »
Hi Marco,
OK, I tried that but it's still getting through (darn it).
On the positive side the Sys load is hovering around 2 now.
I'm still having difficulty visualising the incoming email mechanism. Probably not beyond me but I don't know where to start (don't say port 25 :o)
Damian

cc_skavenger

« Reply #11 on: April 27, 2005, 08:48:37 PM »
Can you post the headers from one of the e-mails? I wonder if something is being forged.

Damian

« Reply #12 on: April 27, 2005, 08:52:04 PM »
No Problem, here's one ....

Return-Path: <katherineb@calloptions.biz>
Delivered-To: nigel.bond@mail.xxxx.co.uk
Received: (qmail 10498 invoked by alias); 27 Apr 2005 17:57:12 -0000
Delivered-To: alias-localdelivery-nigel.bond@xxxx.co.uk
Received: (qmail 10491 invoked from network); 27 Apr 2005 17:57:01 -0000
X-Virus-Scanned: by amavis-ng-0.1.6.4-03dc on mail.xxxx.co.uk
Received: from lon1-relay-1.mail.demon.net (HELO relay-1.mail.demon.net) (194.217.242.208)
  by mail.xxxx.co.uk (192.168.126.240) with ESMTP; 27 Apr 2005 17:56:57 -0000
Received: from [212.135.6.14] (helo=smarthost4.mail.uk.easynet.net)
   by relay-1.mail.demon.net with esmtp id 1DQWjH-0007W3-SL
   for nigel.bond@xxxx.co.uk; Tue, 26 Apr 2005 20:32:23 +0000
Received: from zenith-5.dsl1.easynet.co.uk ([212.135.24.61] helo=zenithinternational.com)
   by smarthost4.mail.uk.easynet.net with esmtp (Exim 4.10)
   id 1DQWas-0007M9-00; Tue, 26 Apr 2005 21:23:45 +0100
Received: from mail pickup service by zenithinternational.com with Microsoft SMTPSVC;
    Tue, 26 Apr 2005 21:23:30 +0100
X-claradeliver-Version: 4.22.16
MIME-Version: 1.0
Content-Type: multipart/alternative;
   boundary="----_=_NextPart_001_01C54A78.BB9EEB94"
Subject: tesy
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
Content-Transfer-Encoding: 7bit
Content-Class: urn:content-classes:message
Date: Tue, 26 Apr 2005 21:23:29 +0100
X-MS-Has-Attach:
X-Mailer: Microsoft CDO for Exchange 2000
X-MS-TNEF-Correlator:
Message-ID: <019b01c54a9d$cf539750$0202a8c0@zenithInternational.local>
Thread-Topic: tesy
thread-index: AcVKeLsKPFLSBKdzSRuQVSXt+f8Iyg==
From: "Katherine Blackburn" <katherineb@calloptions.biz>
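Reading the Received chain in a header like this one, as an added example (not code from the thread): it walks the hops top-down, treats only those recorded by our own server and the ISP relay as trustworthy (that trusted set is an assumption), and separates the host that really connected at that boundary from the origin the lower, third-party-written headers claim.

```python
import email
import re

# Received headers as posted above, trimmed to the relay chain (constructed excerpt).
RAW = """\
Received: from lon1-relay-1.mail.demon.net (HELO relay-1.mail.demon.net) (194.217.242.208)
  by mail.xxxx.co.uk (192.168.126.240) with ESMTP; 27 Apr 2005 17:56:57 -0000
Received: from [212.135.6.14] (helo=smarthost4.mail.uk.easynet.net)
   by relay-1.mail.demon.net with esmtp id 1DQWjH-0007W3-SL
   for nigel.bond@xxxx.co.uk; Tue, 26 Apr 2005 20:32:23 +0000
Received: from zenith-5.dsl1.easynet.co.uk ([212.135.24.61] helo=zenithinternational.com)
   by smarthost4.mail.uk.easynet.net with esmtp (Exim 4.10)
   id 1DQWas-0007M9-00; Tue, 26 Apr 2005 21:23:45 +0100
Received: from mail pickup service by zenithinternational.com with Microsoft SMTPSVC;
    Tue, 26 Apr 2005 21:23:30 +0100

"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOP_RE = re.compile(r"^from\s+(.+?)\s+by\s+(\S+)")

def hops(raw):
    """Received hops in header order (our server first): (from_host, ip or None, by_host)."""
    msg = email.message_from_string(raw)
    out = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())            # unfold continuation lines
        m = HOP_RE.match(text)
        if not m:
            continue
        from_part, by_host = m.groups()
        ip = IP_RE.search(from_part)              # literal IP of the connecting host, if given
        out.append((from_part.split()[0].strip("[]"), ip.group(1) if ip else None, by_host))
    return out

def last_trusted_hop(raw, trusted):
    """Walk down while the recording ('by') host is ours or a relay we trust; the last such
    hop names the host that really connected at our trust boundary. Deeper hops were
    written by third parties and could be forged. 'trusted' is an assumed set of hostnames."""
    last = None
    for hop in hops(raw):
        if hop[2] not in trusted:
            break
        last = hop
    return last

def claimed_origin(raw):
    """Deepest hop carrying a literal IP: the origin, if none of the headers was forged."""
    for _, ip, _ in reversed(hops(raw)):
        if ip:
            return ip
    return None
```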

cc_skavenger

« Reply #13 on: April 27, 2005, 10:41:44 PM »
Well, I don't see anything unusual there.  I think the problem lies between your ISP and your server picking up the mail.  Are the e-mails sent from and to the same e-mail addresses?  Maybe you can have spamassassin learn the address as a spam address.
Command:
sa-learn --spam /home/e-smith/files/users/username/Maildir/cur

What I did was create a user called spam and I have everyone forward & CC all unmarked spam to this address.  I then check the mail on that account, but tell my mail client to leave a copy on the server till I delete it.  I go through it, just to make sure and then run the above command to make it learn the new addresses.  I then delete the e-mails and wait till someone sends me more.

Just a suggestion.

ps.  If this doesn't help, then you might ask your ISP to block the address for you.

HTH

Damian

« Reply #14 on: April 28, 2005, 07:08:24 AM »
Hi Marco,

Yes, they're all from and to the same email address. The originator is a valid address in that she is a business contact for the recipient but she's just spamming him with this flood of mail now. If SA is told that her address should be treated as spam then they'll lose contact from then on. Seems like a small price to pay to me  ;-)
That realworld example of the sa-learn command is very useful and I'll add that to the archive. I'll try and contact her today and if I can't reach her or she's not interested then she's SA history.

Thanks for the good suggestions - I'll post back with the results.

Damian