Koozali.org: home of the SME Server

Block spamming domains

Offline crazybob

Block spamming domains
« on: January 02, 2015, 06:32:28 PM »
I am getting a fair amount of spam from a variety of .click domains.
Is there an easy way to block all .click domains?
The IPs seem to be from the US
TAI
Bob
If you think you know what's going on, you obviously have no idea what's going on!

Offline janet

Re: Block spamming domains
« Reply #1 on: January 02, 2015, 09:46:55 PM »
Bob

Do you have RBL lists enabled ?
Show us output of
config show qpsmtpd
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline crazybob

Re: Block spamming domains
« Reply #2 on: January 02, 2015, 10:28:37 PM »
Code:
qpsmtpd=service
    Bcc=disabled
    BccMode=off
    BccUser=maillog
    DNSBL=enabled
    LogLevel=6
    MaxScannerSize=25000000
    RBLList=bl.spamcop.net:zen.spamhaus.org
    RHSBL=enabled
    RelayRequiresAuth=disabled
    SBLList=multi.surbl.org:rhsbl.sorbs.net
    TlsBeforeAuth=1
    access=public
    qplogsumm=disabled
    setprop=qpsmtpd
    status=enabled

I would like to block all .click domains if possible.
I am finding they are using things like .click, and .link and to me and my users this stuff is all spam.

Thanks


Offline janet

Re: Block spamming domains
« Reply #3 on: January 02, 2015, 11:59:32 PM »
Bob

That looks OK.
Try installing the smeserver-wbl contrib, although its effectiveness can vary. Configure it via the server manager panel that is added when the contrib is installed.

Offline ReetP

Re: Block spamming domains
« Reply #4 on: January 03, 2015, 01:01:44 AM »
Quote
Try installing the smeserver-wbl contrib, although its effectiveness can vary. Configure it via the server manager panel that is added when the contrib is installed.

Check the bug tracker for some issues with wbl / whitelisting

http://bugs.contribs.org/show_bug.cgi?id=8747

http://bugs.contribs.org/show_bug.cgi?id=8321

http://bugs.contribs.org/show_bug.cgi?id=8327

http://bugs.contribs.org/show_bug.cgi?id=8319

With those fixes it seems to work OK.

I think there is a new build with these in testing, but please check.

B. Rgds
John
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline crazybob

Re: Block spamming domains
« Reply #5 on: January 03, 2015, 03:02:36 AM »
I do have the smeserver-wbl contrib installed.
In the black list area I entered @*.click in both fields, and it has no effect. Can I enter just click in those lists?

The white list does not appear to be giving any issues. I am not sure which version I am running.
Server is SME8.1, fully updated.

Offline ReetP

Re: Block spamming domains
« Reply #6 on: January 03, 2015, 04:01:28 AM »
Have a look here for the required format :

http://wiki.qpsmtpd.org/doku.php?id=plugins

The two plugins are :

check_badmailfrom

Format :

user@spammer.com
@very.bad.spammer.net

check_spamhelo

Format :

hotmail.com
aol.com
yahoo.com
localhost
localhost.localdomain
friend

I am not sure you can use '*' in the hostname.

To get the patches you may need to use a testing repo - I need to check and will post back later.

B. Rgds
John

Offline MSmith

Re: Block spamming domains
« Reply #7 on: January 21, 2015, 12:01:00 AM »
I asked this very question awhile back ... how to block an entire TLD ... I too would want to block not only .click, but .rock and even .info. But there doesn't seem to be a way to do this currently.
...

Offline janet

Re: Block spamming domains
« Reply #8 on: January 21, 2015, 03:23:17 AM »
crazybob

Quote
I am getting a fair amount of spam from a variety of .click domains.
Is there an easy way to block all .click domains?
The IPs seem to be from the US

If you can look at those messages & obtain the sending IP, you can block incoming IPs with this
http://wiki.contribs.org/SME_Server:Documentation:FAQ:Section05
Mail can be sent via different mail servers, so you will therefore have to configure multiple sending IPs, & you may have to set up quite a few, with the risk of blocking other wanted domains that are using the same servers.

Otherwise follow the advice given by ReetP re
check_badmailfrom
&
check_spamhelo
but you will have to enter domain names in the form
@abc.click
@123.click
@xyz.click
etc
So examine your logs for troublesome domains, & rather than excluding all of .click, exclude the errant sub domains one by one.

Offline ReetP

Re: Block spamming domains
« Reply #9 on: January 21, 2015, 03:33:06 AM »
Funnily enough I just found this on a google for

Qpsmtpd block tld

http://forums.contribs.org/index.php/topic,47808.msg236493.html#msg236493

Seems that plugin may sort you out.

Also

http://blog.steve.org.uk/tags/qpsmtpd/

I'll check tomorrow... Think you need to manually configure qpsmtpd to use it

Let us know how you get on.

B. Rgds
John

Offline janet

Re: Block spamming domains
« Reply #10 on: January 21, 2015, 03:51:38 AM »
ReetP

I checked that thread.

From this obsoleted & closed SME 7.x forum, CharlieBrady made this post  http://forums.contribs.org/index.php/topic,47808.msg236493.html#msg236493
which said
This qpsmtpd plugin allows a badmailpatterns file to be used for "wildmat format" sender addresses:
ftp://ftp.canl.nc/Sharewares/Linux/Network/courrier/anti-spam/qpsmtpd/check_badpatterns..txt

The link that Charlie refers to requires a user & password to access it.
Anyone know how to look at that ?
Maybe Charlie .... are you reading this.... ?
Thanks

Offline ReetP

Re: Block spamming domains
« Reply #11 on: January 21, 2015, 11:52:33 AM »
Janet - thanks. Yes, I can't access it now I have looked.

OK, had a longer look at this :-)

I note that in /usr/share/qpsmtpd/plugins there is one called check_badmailfrom_patterns which may be either a) similar or b) do the job.

From the plugin :

Quote
Patterns are stored in the format pattern\sresponse, where pattern
is a Perl pattern expression. Don't forget to anchor the pattern
(front ^ and back $) if you want to restrict it from matching
anywhere in the string.

 ^streamsendbouncer@.*\.mailengine1\.com$    Your right-hand side VERP doesn't fool me
 ^return.*@.*\.pidplate\.biz$                I don't want it regardless of subdomain
 ^admin.*\.ppoonn400\.com$

So I am not sure if something like these would work (a bit of a stab in the dark !):

^*\.info$

I kludged a bit of code from the plugin to test as follows - you can try it to see if it works 'as expected'. Put the code in a file called domaintest.pl  - amend the contents of $user and $domain to test and you should be able to run it on the CLI with perl domaintest.pl :

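Code:
#!/usr/bin/perl
# Stand-alone test of the matching loop taken from check_badmailfrom_patterns.
use strict;
use warnings;

# Edit these two values to build the envelope sender to test.
my $user   = 'John';
my $domain = 'blog';

# Candidate entries, one per element, in the "pattern response" file format.
my @badmailfrom = ('^*.info$', '^*.test$');

my $host = lc($domain);
my $from = lc($user) . '@' . $host;

for (@badmailfrom) {
    # Split each entry into the pattern and its optional response text.
    my ($pattern, $response) = split /\s+/, $_, 2;
    next unless $from =~ /$pattern/;
    $response = "Your envelope sender is in my badmailfrom_patterns list"
        unless $response;
    print "$response\n";
}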


To enable this plugin you will need to generate some custom templates.

The actual file that dictates which plugins are loaded is :

/var/service/qpsmtpd/config/peers/0

Try a template fragment here :

Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins

echo "check_badmailfrom_patterns" >> /etc/e-smith/templates-custom/var/service/qpsmtpd/config/plugins/31check_badmailfrom_patterns


And we need a symlink :

Code:
mkdir -p /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0

cd /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0

ln -s ../../plugins/31check_badmailfrom_patterns 31check_badmailfrom_patterns

signal-event email-update

Check that the plugin is there :

Code:
cat /var/service/qpsmtpd/config/peers/0

Then you need a file for your patterns :

Code:
touch /var/service/qpsmtpd/config/check_badmailfrom_patterns

Then manually add your patterns to this file.

Please note that I make no guarantees about the above - test at your own risk. I'm no real coder so it is all done on a best guess estimate ! Please let us know if it works and it can be added to the wiki.

This could also be templated and added as part of the WBL contrib I guess - if you would like to see it then please open a bug
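A way to dry-run a pattern list before it goes into /var/service/qpsmtpd/config/check_badmailfrom_patterns, added here as an example and not part of the original post or the plugin's own code: it parses lines in the quoted pattern-then-response format, reports any pattern that fails to compile or raises a warning, and lists every pattern that matches each sender. The pattern lines and sender addresses are constructed sample data; the default response string is the one used in the test script above.

```perl
#!/usr/bin/perl
# Added example: dry-run a badmailfrom_patterns list against sample senders.
use strict;
use warnings;

# Constructed lines in the plugin's "pattern<whitespace>response" format.
my @pattern_lines = (
    '\.click$   No mail accepted from .click senders',
    '\.link$',     # no response text, so the default below is used
    '\.info     Unanchored on purpose, to show an over-match',
    '^*\.info$',   # the guess from the post above, tested as written
);

# Constructed envelope senders, lower-cased as in the test script above.
my @senders = (
    'promo@offers.example.click',
    'dave@shop.clickstream.example',   # ".click" appears, but not as the TLD
    'news@cheap.link',
    'bob@mail.infosec.example',        # ".info" appears, but not as the TLD
    'carol@example.info',
    'alice@example.org',
);

my $default = 'Your envelope sender is in my badmailfrom_patterns list';

# Pass 1: compile each pattern, collecting errors and warnings instead of dying.
my @rules;
for my $line (@pattern_lines) {
    my ($pattern, $response) = split /\s+/, $line, 2;
    my @notes;
    local $SIG{__WARN__} = sub { push @notes, "warning: $_[0]" };
    my $re = eval { qr/$pattern/ };
    push @notes, "error: $@" unless defined $re;
    chomp @notes;
    print "pattern $pattern\n", map("    $_\n", @notes);
    push @rules, [$pattern, $re, $response || $default] if defined $re;
}

# Pass 2: list every usable pattern that matches each sender, so that
# over-broad (unanchored) patterns show up before the list is deployed.
for my $from (@senders) {
    my @hits = grep { $from =~ $_->[1] } @rules;
    my $verdict = @hits ? 'REJECT' : 'accept';
    print "$verdict $from\n";
    print "    /$_->[0]/ -> $_->[2]\n" for @hits;
}
```

The unanchored `\.info` entry also matches bob@mail.infosec.example, which is the over-match the quoted plugin documentation warns about when it says to anchor patterns.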