SMTP - EHLO selective Blocking -

HI !

I have a question, more so probably an idea.

We are using Smarter mail 14. Can 15, 16 or 17 do this ? Or if not, can it be implemented ?

We have various EHLO SMTP blocking set up (*.date, *.top, *.ninja) In total we have about 50 of them blocked as they are pretty much guaranteed spam.

I would also LOVE to block *.us as the bulk of it is spam, since places like Godaddy are selling .us domains for 99 cents each, this is cost effected for spammers to buy these domains up as burners

However, about 10% of the .us email coming in is legitimate.

What i would love to do is :

1) set up SMTP EHLO blocking (graylisting ?) on *.us domains,

2) and then tell smartermail if an email comes in from a *.us domain, to have smartermail send an email back to the sender requesting whitelist status or requesting a send verification. something like

--- Notice : You are sending from a domain that has been flagged on our servers as a potential spammer, Please click this link below and answer the captcha to verify this is a legitimate email contact.

(EDIT:)

3) If you get a legit authentication response (or maybe 2 or 3), then it could white list or flag that domain so it does not consider it as a blocked one any more.

This way we could block the vast amount of garbage and still let the legitimate email come in.

www.HawaiianHope.org - Providing technology services to non profit organizations, homeless shelters, clean and sober houses and prisoner reentry programs. in 2018, in just one year, we gave away 1,000 Free Computers !

Scarab Replied

9/20/2018 at 4:41 PM

I do wish there were more options in SmarterMail for SMTP Greylisting & Blocking. So, I'm not opposed to the idea overall.

However, it is important to note that most official municipal and state organizations use *.us domains, which is a primary reason you'd want to hesitate before using SMTP Blocking for that domain specifically. Honestly, using SMTP Blocking for any *.tld domain is risky, even if the majority of them are used primarily by spammers (for example, I know a lot of legitimate businesses and individuals that use the .info, .guru, and .ninja domains, for example). I tend to use Spam Filtering for these tld domains and only use SMTP Blocking for the ones that are clearly from spambot-nets. For example, here is a list of SMTP EHLO Blocks that we use for troublesome .tld domains:

ads*.*.work

aisle*.*.work

aleph*.*.work

alpha*.*.work

arccot*.*.us

arccot*.*.work

arcsin*.*.us

arcsin*.*.work

arctan*.*.us

asymp*.*.us

asymp*.*.work

axes*.*.us

axes*.*.work

beta*.*.work

blink*.*.org

brace*.*.work

cevian*.*.us

cevian*.*.work

complex*.*.org

convex*.*.work

core*.*.work

cosec*.*.work

cst*.*.press

cube*.*.work

cuboid*.*.work

cvf*.*.work

deca*.*.work

dew.*.link

dre.*.us

ebx*.*.ninja

echelon*.*.work

ede.*.link

edv*.*.work

enc.*.us

entrix*.*.work

ert.*.us

euler*.*.work

factor*.*.work

fes.*.us

fns.*.us

fractal*.*.work

fst*.*.click

gkr*.*.work

heliq*.*.work

hgb*.*.rocks

host.*.link

host.*.us

hype*.*.work

iax*.*.ninja

info.*.com

iqh*.*.work

isomet*.*.work

jwu*.*.work

kappa*.*.work

lemma*.*.work

mars.*.us

midpt*.*.us

nhj*.*.work

nis.*.link

norm*.*.work

ns*.ztomy.com

omega*.*.work

oval*.*.work

pappus*.*.work

polar*.*.work

post.*.us

prism*.*.us

prism*.*.work

prs.*.link

pwt*.*.work

radian*.*.us

radian*.*.work

radius*.*.work

range.*.com

ratio*.*.work

res.*.us

rhk*.*.ninja

rye*.*.work

sdf.*.rocks

sgd.*.us

slope*.*.work

srv.*.us

sxo*.*.work

tcd.*.us

theta*.*.work

torus*.*.work

tuple*.*.work

udr.*.us

ute*.*.work

vector*.*.work

venn*.*.work

wen.*.rocks

wer*.*.us

wer*.*.work

wer.*.rocks

witt*.*.work

xbu*.*.work

xen*.*.work

xmh*.*.work

xpe*.*.ninja

xyth*.*.work

Almost all spambot networks use a naming convention for their HELO/EHLO and can be reduced down to a common string without resorting to blocking the entire .tld domain (the smarter ones will use randomly generated domains or subdomains but there is almost always a set string within them that you can use with wildcards). We get ours from parsing our SMTP logs with a grep statement to find the commonly used HELO/EHLO combinations and tracking them over time (most return once every 60-90 days).

SMTP Blocking should only be used when you are absolutely, positively sure that no legitimate mail will ever come from that source. For everything else use Filtering instead. It's easier to explain to a customer to look for their missing email in their Junk E-Mail folder than it is to explain to them why you are bouncing their Contract Bids or Permit Renewal emails from City Hall by blocking *.us domains.

Curtis Kropar www.HawaiianHope.org Replied

9/20/2018 at 5:57 PM

Yep, That is the issue we are running into. The .us ones that are legit are really important ones. We work with a lot of schools and other non profit orgs. they are our clients. All of the schools here in Hawaii are "notes.k12.hi.us" and a few of the government agencies are .us as well. Then we had a few national non profits show up as .us too since it was so cheap to register the domain. And there are more starting to show up because it is so cheap to buy them.

That is why i want to implement some type of greylisting or validated authorization or something where we can prevent the spam but let the new emerging legit domains through.

We have recently been considering swithcing over to something that does total whitelist only. so every email that comes in has to click a link to verify they are legit at least once before it gets delivered. I really do not wnat to do that though as i can see some of our clients freaking out over it.. including us, as we have over 12,000 emails on our client mailing list. Making 12,000 people authenticate (just for our domain) ? there will be a LOT of unhappy people !

Regarding you and GREP, the list. I do something similar i guess... I take the logs and put them into a spreadsheet and run conditionals and formulas on them. basically build a database and do extractions

2 Replies

Reply to Thread

Related Knowledge Base Articles

2 Replies

Reply to Thread

Tags

Related Knowledge Base Articles