Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: bunkobugsy on May 10, 2019, 05:10:10 AM
-
Found this old discussion https://forums.contribs.org/index.php?topic=47808.0
Any help on how to install the check_badpatterns plugin from here https://www.wormbytes.ca/software/qpsmtpd/ to be able to use "wildmat format" as suggested by Charlie?
I'd really need to block the entire spamming @*.icu TLD, and this isn't an accepted format in the qmail badmailfrom section of the email WBL contrib.
The RBLList and SBLList used are catching up with quite a big delay, and the spamming servers are hopping anyway.
Thanks
-
No wildcard, but better:
This plugin also supports regular expression matches. This allows
special patterns to be denied (e.g. FQDN-VERP, percent hack, bangs,
double ats).
Patterns are stored in the format pattern(\s+)response, where pattern
is a Perl pattern expression. Don't forget to anchor the pattern
(front ^ and back $) if you want to restrict it from matching
anywhere in the string.
^streamsendbouncer@.*\.mailengine1\.com$ Your right-hand side VERP doesn't fool me
^return.*@.*\.pidplate\.biz$ I don't want it regardless of subdomain
^admin.*\.ppoonn400\.com$
In qpsmtpd badmailfrom add this:
^.*@.*\.icu$
-
Warning and Apologies.
I discovered that the insert below was causing fatal errors in my badmailfrom plugin due to a copy/paste error - I somehow acquired an extra asterisk at the beginning of each line. See later post for correction
See correction in https://forums.contribs.org/index.php/topic,53984.msg281701.html#msg281701
=========================================================================
Install Email_Whitelist-Blacklist_Control (https://wiki.contribs.org/Email_Whitelist-Blacklist_Control) and run the console-save event so that you can make config changes
yum install --enablerepo=smecontribs smeserver-wbl
signal-event console-save
In server-manager, select 'Email-WBL' in Configuration
Insert your pattern in 'Blacklist' -> 'qmail badmailfrom'.
Here is the list of patterns I ended up with after closely monitoring spam on one server for a few months (the second column is an error message that will appear in the qpsmtpd logs for triggered emails):
*^.*\.accountant$ check_badmailfrom_patterns-^.*\.accountant$
*^.*\.asia$ check_badmailfrom_patterns-^.*\.asia$
*^.*\.bid$ check_badmailfrom_patterns-^.*\.bid$
*^.*\.biz$ check_badmailfrom_patterns-^.*\.biz$
*^.*\.cf$ check_badmailfrom_patterns-^.*\.cf$
*^.*\.club$ check_badmailfrom_patterns-^.*\.club$
*^.*\.cricket$ check_badmailfrom_patterns-^.*\.cricket$
*^.*\.date$ check_badmailfrom_patterns-^.*\.date$
*^.*\.de$ check_badmailfrom_patterns-^.*\.de$
*^.*\.download$ check_badmailfrom_patterns-^.*\.download$
*^.*\.eu$ check_badmailfrom_patterns-^.*\.eu$
*^.*\.faith$ check_badmailfrom_patterns-^.*\.faith$
*^.*\.fr$ check_badmailfrom_patterns-^.*\.fr$
*^.*\.ga$ check_badmailfrom_patterns-^.*\.ga$
*^.*\.gq$ check_badmailfrom_patterns-^.*\.gq$
*^.*\.help$ check_badmailfrom_patterns-^.*\.help$
*^.*\.info$ check_badmailfrom_patterns-^.*\.info$
*^.*\.in\.net$ check_badmailfrom_patterns-^.*\.in\.net$
*^.*\.internal$ check_badmailfrom_patterns-^.*\.internal$
*^.*\.ip-pool.com$ check_badmailfrom_patterns-^.*\.ip-pool.com$
*^.*\.loan$ check_badmailfrom_patterns-^.*\.loan$
*^.*\.lol$ check_badmailfrom_patterns-^.*\.lol$
*^.*\.ml$ check_badmailfrom_patterns-^.*\.ml$
*^.*\.news.*\.de$ check_badmailfrom_patterns-^.*\.news.*\.de$
*^.*\.ninja$ check_badmailfrom_patterns-^.*\.ninja$
*^.*\.party$ check_badmailfrom_patterns-^.*\.party$
*^.*\.pw$ check_badmailfrom_patterns-^.*\.pw$
*^.*\.racing$ check_badmailfrom_patterns-^.*\.racing$
*^.*\.review$ check_badmailfrom_patterns-^.*\.review$
*^.*\.ru$ check_badmailfrom_patterns-^.*\.ru$
*^.*\.rx\.com$ check_badmailfrom_patterns-^.*\.rx\.com$
*^.*\.sales.*\.hk$ check_badmailfrom_patterns-^.*\.sales.*\.hk$
*^.*\.science$ check_badmailfrom_patterns-^.*\.science$
*^.*\.site$ check_badmailfrom_patterns-^.*\.site$
*^.*\.space$ check_badmailfrom_patterns-^.*\.space$
*^.*special.*\.net$ check_badmailfrom_patterns-^.*special.*\.net$
*^.*\.tk$ check_badmailfrom_patterns-^.*\.tk$
*^.*\.top$ check_badmailfrom_patterns-^.*\.top$
*^.*\.trade$ check_badmailfrom_patterns-^.*\.trade$
*^.*\.uno$ check_badmailfrom_patterns-^.*\.uno$
*^.*\.wan$ check_badmailfrom_patterns-^.*\.wan$
*^.*\.wang$ check_badmailfrom_patterns-^.*\.wang$
*^.*\.webcam$ check_badmailfrom_patterns-^.*\.webcam$
*^.*\.website$ check_badmailfrom_patterns-^.*\.website$
*^.*\.win$ check_badmailfrom_patterns-^.*\.win$
*^.*\.work$ check_badmailfrom_patterns-^.*\.work$
*^.*\.xyz$ check_badmailfrom_patterns-^.*\.xyz$
The server I used this on received significant amounts of spam where the sending email looked like <random-code-username=smedomain.tld@spammers.domain> - where "smedomain.tld" was the actual domain of the server.
I blocked those senders using this pattern:
*^.*\-.*\=smedomain\.tld\@.*\..*$ check_badmailfrom_patterns-^.*\-.*\=smedomain\.tld\@.*\..*$
Some legitimate services use the same sending email format - add the sending domains for those folks in 'White list' -> 'qpsmtpd whitelistsenders':
craigslist.org
ruthschrismail.com
The commands I used to monitor qpsmtpd and fine-tune badmailfrom, DNSBL and RHSBL are on the wiki: https://wiki.contribs.org/Email_Statistics#Useful_Commands
-
*^.*\-.*\=smedomain\.tld\@.*\..*$ check_badmailfrom_patterns-^.*\-.*\=smedomain\.tld\@.*\..*$
You are blocking the clean and legitimate way that a mailing list should use to transfer email in the name of the poster while respecting DMARC.
-
You are blocking the clean and legitimate way that a mailing list should use to transfer email in the name of the poster while respecting DMARC.
I suspected as much -- but that particular server was getting hundreds of spam emails per day that I could block using this pattern, and only had 3 domains that needed whitelisting (craigslist, ruthschrismail, and bloomingdales).
When I say "hundreds of spam", I really mean it. These were not mailing lists that the recipients didn't know how to unsubscribe from; in most cases the sending server was listed in multiple RBL lists within hours.
-
In qpsmtpd badmailfrom add this:
^.*@.*\.icu$
This is great and should be mentioned in https://wiki.contribs.org/Email_Whitelist-Blacklist_Control
It took me quite a while to realize that you were quoting from badmailfrom and I don't need the check_badpatterns plugin :)
Thanks
-
Apologies.
I discovered that my earlier post in this topic (https://forums.contribs.org/index.php/topic,53984.msg281574.html#msg281574) was causing fatal errors in my badmailfrom plugin due to a copy/paste error - I somehow acquired an extra asterisk at the beginning of each line.
Here is the same list in a format that can be copy/pasted into the server-panel field for qmail badmailfrom:
^.*\.accountant$ check_badmailfrom_patterns-^.*\.accountant$
^.*\.asia$ check_badmailfrom_patterns-^.*\.asia$
^.*\.bid$ check_badmailfrom_patterns-^.*\.bid$
^.*\.biz$ check_badmailfrom_patterns-^.*\.biz$
^.*\.cf$ check_badmailfrom_patterns-^.*\.cf$
^.*\.club$ check_badmailfrom_patterns-^.*\.club$
^.*\.cricket$ check_badmailfrom_patterns-^.*\.cricket$
^.*\.date$ check_badmailfrom_patterns-^.*\.date$
^.*\.de$ check_badmailfrom_patterns-^.*\.de$
^.*\.download$ check_badmailfrom_patterns-^.*\.download$
^.*\.eu$ check_badmailfrom_patterns-^.*\.eu$
^.*\.faith$ check_badmailfrom_patterns-^.*\.faith$
^.*\.fr$ check_badmailfrom_patterns-^.*\.fr$
^.*\.ga$ check_badmailfrom_patterns-^.*\.ga$
^.*\.gq$ check_badmailfrom_patterns-^.*\.gq$
^.*\.help$ check_badmailfrom_patterns-^.*\.help$
^.*\.in\.net$ check_badmailfrom_patterns-^.*\.in\.net$
^.*\.info$ check_badmailfrom_patterns-^.*\.info$
^.*\.internal$ check_badmailfrom_patterns-^.*\.internal$
^.*\.ip-pool.com$ check_badmailfrom_patterns-^.*\.ip-pool.com$
^.*\.loan$ check_badmailfrom_patterns-^.*\.loan$
^.*\.lol$ check_badmailfrom_patterns-^.*\.lol$
^.*\.ml$ check_badmailfrom_patterns-^.*\.ml$
^.*\.news.*\.de$ check_badmailfrom_patterns-^.*\.news.*\.de$
^.*\.ninja$ check_badmailfrom_patterns-^.*\.ninja$
^.*\.party$ check_badmailfrom_patterns-^.*\.party$
^.*\.pw$ check_badmailfrom_patterns-^.*\.pw$
^.*\.racing$ check_badmailfrom_patterns-^.*\.racing$
^.*\.review$ check_badmailfrom_patterns-^.*\.review$
^.*\.ru$ check_badmailfrom_patterns-^.*\.ru$
^.*\.rx\.com$ check_badmailfrom_patterns-^.*\.rx\.com$
^.*\.sales.*\.hk$ check_badmailfrom_patterns-^.*\.sales.*\.hk$
^.*\.science$ check_badmailfrom_patterns-^.*\.science$
^.*\.site$ check_badmailfrom_patterns-^.*\.site$
^.*\.space$ check_badmailfrom_patterns-^.*\.space$
^.*\.tk$ check_badmailfrom_patterns-^.*\.tk$
^.*\.top$ check_badmailfrom_patterns-^.*\.top$
^.*\.trade$ check_badmailfrom_patterns-^.*\.trade$
^.*\.uno$ check_badmailfrom_patterns-^.*\.uno$
^.*\.wan$ check_badmailfrom_patterns-^.*\.wan$
^.*\.wang$ check_badmailfrom_patterns-^.*\.wang$
^.*\.webcam$ check_badmailfrom_patterns-^.*\.webcam$
^.*\.website$ check_badmailfrom_patterns-^.*\.website$
^.*\.win$ check_badmailfrom_patterns-^.*\.win$
^.*\.work$ check_badmailfrom_patterns-^.*\.work$
^.*\.xyz$ check_badmailfrom_patterns-^.*\.xyz$
^.*special.*\.net$ check_badmailfrom_patterns-^.*special.*\.net$
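To check a badmailfrom list like the ones in this thread before pasting it into the Email-WBL panel, here is an added example (not from the thread, the smeserver-wbl contrib or qpsmtpd itself) that reproduces the matching described in the plugin documentation quoted earlier: each line is pattern<whitespace>response, the pattern is applied as an unanchored regex search against the lower-cased envelope sender user@host, and the first hit wins. It reports entries that do not compile (the stray leading asterisk from the earlier post is exactly such a case), shows that a whole-TLD pattern such as ^.*\.de$ matches every sender under that TLD, and honours a 'qpsmtpd whitelistsenders' domain before the patterns, as with the craigslist.org entry above. Python's re module stands in for Perl's regex engine; the two agree for patterns like these but not for every Perl construct, so a final test on the server itself is still worthwhile. The sample list, the sample senders, the response text check_badmailfrom_patterns-verp, the default response string and the whitelist rule (sender host equal to, or a subdomain of, the listed domain) are constructed assumptions for the demo; check your qpsmtpd version's whitelist plugin for its exact rule.

```python
"""Offline checker for qpsmtpd badmailfrom regex entries.

Added example: not code from this thread, from the smeserver-wbl contrib or
from qpsmtpd. It models the behaviour quoted from the plugin docs: a line is
`pattern<whitespace>response`, and the pattern is matched (unanchored search)
against the lower-cased envelope sender `user@host`. Python's `re` stands in
for Perl's regex engine, which is fine for the simple patterns in this thread.
"""
import re

# Assumed default response when a line carries only a pattern.
DEFAULT_RESPONSE = "Your envelope sender is in my badmailfrom list"

# Constructed sample list. The last line carries the stray leading asterisk
# from the copy/paste error described in the thread.
SAMPLE_BADMAILFROM = r"""
^.*\.icu$ check_badmailfrom_patterns-^.*\.icu$
^.*\.de$ check_badmailfrom_patterns-^.*\.de$
^.*\-.*\=smedomain\.tld\@.*\..*$ check_badmailfrom_patterns-verp
*^.*\.accountant$ check_badmailfrom_patterns-^.*\.accountant$
"""

# Constructed sample 'qpsmtpd whitelistsenders' list (one domain per line).
SAMPLE_WHITELIST = """
craigslist.org
"""


def parse_badmailfrom(text):
    """Split each non-empty line into (pattern, response) on the first run of
    whitespace, the way the plugin does; a missing response gets the default."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        response = parts[1] if len(parts) > 1 else DEFAULT_RESPONSE
        entries.append((parts[0], response))
    return entries


def validate_patterns(entries):
    """Return {pattern: error} for every entry that fails to compile.
    A pattern that does not compile is what broke the plugin in the thread."""
    errors = {}
    for pattern, _ in entries:
        try:
            re.compile(pattern)
        except re.error as exc:
            errors[pattern] = str(exc)
    return errors


def is_whitelisted(sender, whitelist_text):
    """Assumed whitelist rule (check your plugin version): an entry is a domain
    and matches when the sender host equals it or is a subdomain of it."""
    host = sender.rsplit("@", 1)[-1]
    for raw in whitelist_text.splitlines():
        domain = raw.strip().lower()
        if domain and (host == domain or host.endswith("." + domain)):
            return True
    return False


def check_sender(sender, entries, whitelist_text=""):
    """Return the response of the first matching pattern, or None if the sender
    is whitelisted or matches nothing. Entries that do not compile are skipped
    here so the rest of the list can still be exercised."""
    sender = sender.lower()
    if is_whitelisted(sender, whitelist_text):
        return None
    for pattern, response in entries:
        try:
            if re.search(pattern, sender):
                return response
        except re.error:
            continue
    return None


if __name__ == "__main__":
    entries = parse_badmailfrom(SAMPLE_BADMAILFROM)
    for pattern, err in validate_patterns(entries).items():
        print(f"INVALID {pattern!r}: {err}")
    samples = [  # constructed envelope senders
        "promo@deals.example.icu",
        "Hans@firma.example.DE",  # ordinary .de sender, still blocked by ^.*\.de$
        "abc123-user=smedomain.tld@spammer.example",
        "abc123-user=smedomain.tld@craigslist.org",  # whitelisted VERP sender
        "alice@example.com",
    ]
    for s in samples:
        print(f"{s} -> {check_sender(s, entries, SAMPLE_WHITELIST) or 'accepted'}")
```

Run it against your own list by replacing SAMPLE_BADMAILFROM with the panel contents: any line reported as INVALID will also fail in the Perl plugin, and any legitimate address that comes back with a response rather than 'accepted' needs either a narrower pattern or a whitelistsenders entry.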