any way to block .tlds?

Discuss the ConfigServer MailScanner Front-End script
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: any way to block .tlds?

Post by Sergio »

espinosap wrote:I love you Sergio
Glad you like it, I could accept an amazon gift, hahaha, is a joke.
I have a lot of antispam rules and this one is one of my favorites with another that I use to block all mailchimp campaings and that is really great. No mailchimp campaings in my server, lol.
lolopc
Junior Member
Posts: 1
Joined: 03 Nov 2017, 12:35

Re: any way to block .tlds?

Post by lolopc »

Hello,
The script of Sergio works like a charm.
I'm always a bit scared of banning emails, I prefer to make a forward to a Spam mailbox.
How can I do that ?
Regards,
LOLOPC
v3_exceed
Junior Member
Posts: 2
Joined: 07 Oct 2019, 18:57

Re: any way to block .tlds?

Post by v3_exceed »

Hi,
I joined this message board specifically to say thank you to Sergio.
Too many top level domains are being treated like spam fest.

This is an elegant solution which can easily be adjusted to simply add to the score, or to block permanently.
What actual business would use the domain extension ".monster"?

Thank you for taking the time to create a rule that doesn't suck.

In return for this rule I give you this.

##body Bitcoin_rule
body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body __BTC3 /\b\W*b\W*t\W*c\W*\b/i
body __BTC4 /bt[c\x{0441}]/i
body __BTC5 /b[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n/i
meta LOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 || __BTC5 ) )
score LOCAL_BITCOIN 10.2
describe LOCAL_BITCOIN This is to stop bitcoin ransomware idiots
##Stop bitcoin spam

This rule looks for a bitocin wallet and adds 10.2 points if the wallet is present. So far it has made my clients very happy without blocking any valid mail..

As always, use at your own risk.


Quick question... why does "reviews?" have a ?

thanks

..ex
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: any way to block .tlds?

Post by Sergio »

@v3_exceed
Thank you for the rule and your kind words. I like your rule and I will give it a try.

For BitCoins I use an advanced one that blocks the email and blocks the IP of the server that sent the ransomware.

So, I use MailScanner to block the email and customer will never receive it and in the background CSF blocks the IP and if there are more than N times IPs blocked from the same CIDR the complete CIDR is blocked with a DO NOT DELETE tag so no more ransomwares from that IP range.

Sergio
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: any way to block .tlds?

Post by Sergio »

v3_exceed wrote: 07 Oct 2019, 19:03
Quick question... why does "reviews?" have a ?

thanks

..ex
Ok, I have seen on my servers domains that end in "review" and another domains that ends with "reviews", the last "s?" is to block both of them, That is the regular expression to have or not to have the preceded letter.

Sergio
v3_exceed
Junior Member
Posts: 2
Joined: 07 Oct 2019, 18:57

Re: any way to block .tlds?

Post by v3_exceed »

Sergio wrote: 07 Oct 2019, 20:03
v3_exceed wrote: 07 Oct 2019, 19:03
Quick question... why does "reviews?" have a ?

thanks

..ex
Ok, I have seen on my servers domains that end in "review" and another domains that ends with "reviews", the last "s?" is to block both of them, That is the regular expression to have or not to have the preceded letter.

Sergio
Ahhhh awesome.... I get the ? now.. that's a handy addition.

The problem with blocking the cidr is a lot of systems sending ransomware aren't aware they are sending ransomeware.. By blocking the email with the wallet, we are sure that the email is crap.. for the one false positive i may get, I can whitelist that one email address. It's been working great so far ;)

thanks
..ex
Sergio
Junior Member
Posts: 1712
Joined: 12 Dec 2006, 14:56

Re: any way to block .tlds?

Post by Sergio »

v3_exceed wrote: 09 Oct 2019, 19:22 Ahhhh awesome.... I get the ? now.. that's a handy addition.

The problem with blocking the cidr is a lot of systems sending ransomware aren't aware they are sending ransomeware.. By blocking the email with the wallet, we are sure that the email is crap.. for the one false positive i may get, I can whitelist that one email address. It's been working great so far ;)

thanks
..ex
Oh, I don't block CIDRs just because, no. I block CIDRs if 10 or more IPs are blocked on certain frame of time and in case of doubt I use talosintelligence dot com / reputation_center to check if the CIDR is in a good standing, give it a try.

Sergio
Post Reply