SMTP - EHLO selective Blocking -
Idea shared by Curtis Kropar www.HawaiianHope.org - September 20 at 9:22 AM
Proposed
HI !
I have a question, more so probably an idea.
We are using Smarter mail 14.  Can 15, 16 or 17 do this ?  Or if not, can it be implemented ?

We have various EHLO SMTP blocking set up (*.date, *.top, *.ninja) In total we have about 50 of them blocked as they are pretty much guaranteed spam.

I would also LOVE to block *.us as the bulk of it is spam, since places like Godaddy are selling .us domains for 99 cents each, this is cost effected for spammers to buy these domains up as burners

However, about 10% of the .us email coming in is legitimate.
What i would love to do is :
1) set up SMTP EHLO blocking (graylisting ?)  on *.us domains, 
2) and then tell smartermail if an email comes in from a *.us domain, to have smartermail send an email back to the sender requesting whitelist status or requesting a send verification.  something like
--- Notice : You are sending from a domain that has been flagged on our servers as a potential spammer, Please click this link below and answer the captcha to verify this is a legitimate email contact.
(EDIT:)
3) If you get a legit authentication response (or maybe 2 or 3), then it could white list or flag that domain so it does not consider it as a blocked one any more.

This way we could block the vast amount of garbage and still let the legitimate email come in.

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. To date we have given away over 1,000 free computers.

2 Replies

Reply to Thread
0
I do wish there were more options in SmarterMail for SMTP Greylisting & Blocking. So, I'm not opposed to the idea overall.

However, it is important to note that most official municipal and state organizations use *.us domains, which is a primary reason you'd want to hesitate before using SMTP Blocking for that domain specifically. Honestly, using SMTP Blocking for any *.tld domain is risky, even if the majority of them are used primarily by spammers (for example, I know a lot of legitimate businesses and individuals that use the .info, .guru, and .ninja domains, for example).  I tend to use Spam Filtering for these tld domains and only use SMTP Blocking for the ones that are clearly from spambot-nets. For example, here is a list of SMTP EHLO Blocks that we use for troublesome .tld domains:

 
ads*.*.work 
aisle*.*.work 
aleph*.*.work 
alpha*.*.work 
arccot*.*.us 
arccot*.*.work 
arcsin*.*.us 
arcsin*.*.work 
arctan*.*.us 
asymp*.*.us 
asymp*.*.work 
axes*.*.us 
axes*.*.work 
beta*.*.work 
blink*.*.org 
brace*.*.work 
cevian*.*.us 
cevian*.*.work 
complex*.*.org 
convex*.*.work 
core*.*.work 
cosec*.*.work 
cst*.*.press 
cube*.*.work 
cuboid*.*.work 
cvf*.*.work 
deca*.*.work 
dew.*.link 
dew.*.link 
dre.*.us 
ebx*.*.ninja 
echelon*.*.work 
ede.*.link 
edv*.*.work 
enc.*.us 
entrix*.*.work 
ert.*.us 
euler*.*.work 
factor*.*.work 
fes.*.us 
fns.*.us 
fractal*.*.work 
fst*.*.click 
gkr*.*.work 
heliq*.*.work 
hgb*.*.rocks 
host.*.link
host.*.us 
host.*.us 
hype*.*.work 
iax*.*.ninja 
info.*.com 
iqh*.*.work 
isomet*.*.work 
jwu*.*.work 
kappa*.*.work 
lemma*.*.work 
mars.*.us 
midpt*.*.us 
nhj*.*.work 
nis.*.link
norm*.*.work 
ns*.ztomy.com 
omega*.*.work 
omega*.*.work 
oval*.*.work 
pappus*.*.work 
pappus*.*.work 
polar*.*.work 
post.*.us 
prism*.*.us 
prism*.*.work 
prs.*.link
pwt*.*.work 
radian*.*.us 
radian*.*.work 
radius*.*.work 
radius*.*.work 
range.*.com 
ratio*.*.work 
res.*.us 
rhk*.*.ninja 
rye*.*.work 
sdf.*.rocks 
sgd.*.us 
slope*.*.work 
srv.*.us 
sxo*.*.work 
tcd.*.us 
theta*.*.work 
torus*.*.work 
tuple*.*.work 
udr.*.us 
ute*.*.work 
vector*.*.work 
venn*.*.work 
wen.*.rocks 
wer*.*.us 
wer*.*.work 
wer.*.rocks 
witt*.*.work 
xbu*.*.work 
xen*.*.work 
xmh*.*.work 
xpe*.*.ninja 
xyth*.*.work 

Almost all spambot networks use a naming convention for their HELO/EHLO and can be reduced down to a common string without resorting to blocking the entire .tld domain (the smarter ones will use randomly generated domains or subdomains but there is almost always a set string within them that you can use with wildcards). We get ours from parsing our SMTP logs with a grep statement to find the commonly used HELO/EHLO combinations and tracking them over time (most return once every 60-90 days).

SMTP Blocking should only be used when you are absolutely, positively sure that no legitimate mail will ever come from that source. For everything else use Filtering instead. It's easier to explain to a customer to look for their missing email in their Junk E-Mail folder than it is to explain to them why you are bouncing their Contract Bids or Permit Renewal emails from City Hall by blocking *.us domains.
0
Yep, That is the issue we are running into. The .us ones that are legit are really important ones.  We work with a lot of schools and other non profit orgs. they are our clients.  All of the schools here in Hawaii are "notes.k12.hi.us" and a few of the government agencies are .us as well.  Then we had a few national non profits show up as .us too since it was so cheap to register the domain. And there are more starting to show up because it is so cheap to buy them.

That is why i want to implement some type of greylisting or validated authorization or something where we can prevent the spam but let the new emerging legit domains through.

We have recently been considering swithcing over to something that does total whitelist only. so every email that comes in has to click a link to verify they are legit at least once before it gets delivered. I really do not wnat to do that though as i can see some of our clients freaking out over it.. including us, as we have over 12,000 emails on our client mailing list. Making 12,000 people authenticate (just for our domain) ?  there will be a LOT of unhappy people !

Regarding you and GREP, the list. I do something similar i guess... I take the logs and put them into a spreadsheet and run conditionals and formulas on them. basically build a database and do extractions

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. To date we have given away over 1,000 free computers.

Reply to Thread