Block ICU
Question asked by John Marx - 7/19/2019 at 12:40 PM
Answered
In our headers 90% of all spam is coming from .ICU domains. How can we prevent this? Declude cannot be an option as we are on the latest version of SmarterMail.

Received: from harmonyrational.icu (hostmaster.netbudur.com [193.31.119.173])  

11 Replies

3
Steve Norton Replied
I use a four-pronged attack on high probability domains via custom filters (edit: Antispam 'custom rules'):
  1. Rule Name: .icu
     Rule Source: Body
     Rule Source: Contains
     Rule Text:
       .icu/
       .icu"
       .icu "
  2. Rule Name: Return-Path
     Rule Source: Header
     Header: Return-Path
     Rule Source: Contains
     Rule Text: ..excerpt from long list..
       .hk>
       .host>
       .hu>
       .icu>
       .id>
       .in>
       .ir>
       ..excerpt from long list..
  3. Rule Name: MAIL FROM
     Rule Source: Header
     Header: From
     Rule Source: Contains
     Rule Text: ..excerpt from long list..
       .hk>
       .host>
       .hu>
       .icu>
       .id>
       .in>
       .ir>
       ..excerpt from long list..
  4. Rule Name: Received domain high
     Rule Source: Header
     Header: Received
     Rule Source: Contains
     Rule Text: ..excerpt from long list..
       .hu]
       .icu [
       .icu (
       .icu?)
       .icu]
       .id [
       ..excerpt from long list..
  Let me know if providing the JSON would be better.
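To show what the four rule groups above actually do against a real message, here is an added Python example (not from Steve's post and not SmarterMail code) that applies the same substring shapes (".icu/" in the body, ".icu>" in Return-Path and From, ".icu (" and friends in Received) to a raw message and adds up a weight per matching rule, the way the weight-based approach works. The TLD list, the per-rule weight of 10, the threshold of 20, and the sample messages are assumptions for the example; the only line taken from the page is the Received header quoted in the question. The third sample shows why the threshold matters: a legitimate sender who merely quotes a .icu link in the body only trips the body rule and stays under the threshold.

```python
"""Weight-based TLD checks over raw RFC 5322 messages, modelled on the four custom rules above."""
import email
from email.message import Message

# Assumed high-risk TLD list for the example; the real list in the post is much longer.
HIGH_RISK_TLDS = (".icu", ".best", ".top", ".monster")

# (rule name, source, header name, substring shapes, weight). The shapes reproduce the
# patterns from the post; "{tld}" is filled from HIGH_RISK_TLDS. Weights are assumed.
RULES = [
    ("body",        "body",   None,          ["{tld}/", '{tld}"', '{tld} "'],             10),
    ("return-path", "header", "Return-Path", ["{tld}>"],                                  10),
    ("mail-from",   "header", "From",        ["{tld}>"],                                  10),
    ("received",    "header", "Received",    ["{tld} [", "{tld} (", "{tld}?)", "{tld}]"], 10),
]
THRESHOLD = 20  # assumed: two independent rules must agree before a message is flagged


def _body_texts(msg: Message) -> list[str]:
    """Decode every text/* part so body rules can run on plain and HTML bodies alike."""
    texts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        texts.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return texts


def score_message(raw: bytes) -> tuple[int, list[str]]:
    """Return (total weight, list of 'rule: pattern' hits) for a raw message."""
    msg = email.message_from_bytes(raw)  # compat32 policy: headers come back as raw strings
    score, hits = 0, []
    for name, source, header, shapes, weight in RULES:
        candidates = _body_texts(msg) if source == "body" else msg.get_all(header, [])
        matched = False
        for text in candidates:
            low = text.lower()  # case-insensitive, like the UI rules are assumed to be
            for tld in HIGH_RISK_TLDS:
                for shape in shapes:
                    pattern = shape.format(tld=tld)
                    if pattern in low:
                        hits.append(f"{name}: {pattern!r}")
                        matched = True
        if matched:
            score += weight  # one custom rule contributes its weight once, however many hits
    return score, hits


def is_flagged(raw: bytes, threshold: int = THRESHOLD) -> bool:
    return score_message(raw)[0] >= threshold


# Constructed sample: the Received line is the one quoted in the question; the rest is made up.
SPAM = b"""Return-Path: <bounce@harmonyrational.icu>
Received: from harmonyrational.icu (hostmaster.netbudur.com [193.31.119.173])
\tby mail.example.net with ESMTP; Fri, 19 Jul 2019 12:40:00 +0000
From: "Promo Desk" <news@harmonyrational.icu>
To: user@example.net
Subject: Offer
Content-Type: text/html; charset=utf-8

<html><body><a href="http://harmonyrational.icu/deal">Click</a></body></html>
"""

# Constructed clean message: nothing matches.
CLEAN = b"""Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mail.example.net with ESMTP; Fri, 19 Jul 2019 12:41:00 +0000
From: Alice <alice@example.org>
To: user@example.net
Subject: Lunch
Content-Type: text/plain; charset=utf-8

See you at noon.
"""

# Constructed edge case: a legitimate sender quoting a .icu link only trips the body rule.
LINK_ONLY = b"""Return-Path: <bob@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mail.example.net with ESMTP; Fri, 19 Jul 2019 12:42:00 +0000
From: Bob <bob@example.org>
To: user@example.net
Subject: Is this phishing?
Content-Type: text/plain; charset=utf-8

Got a message pointing at http://harmonyrational.icu/deal - looks fake to me.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SPAM), ("clean", CLEAN), ("link-only", LINK_ONLY)):
        score, hits = score_message(raw)
        print(f"{label}: score={score} flagged={is_flagged(raw)} hits={hits}")
```

Each of the four rule groups contributes once, so the spam sample scores 40 (all four rules), the clean message scores 0, and the message that only quotes a link scores 10 and is not flagged. A hard block on the TLD, by contrast, would reject the third message outright, which is the trade-off between the two approaches discussed later in the thread.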


0
John Marx Replied
I am missing something, Steve. I see where I can do some filtering at the domain level. I know I can do it at the user level. I have no problem creating the first and then exporting and doing it for all users. I just don't see where to do this, as there is no import/export option wherever I am looking. I don't see an area on the spam settings (server wide) that would allow this either.

Although I know I want to block all of these, at times I could see not wanting that, and it would be a domain-level type of setting.
1
Steve Norton Replied
Sorry, I've said 'custom filters' rather than Antispam 'custom rules', which may have confused you?
0
Employee Replied
Employee Post Marked As Answer
Hi John. At the system level, you can go to Settings >> Security >> SMTP Blocks. Add a domain block for *.icu
0
Jill Stevens Replied
Hi Rod. I'm having the same issue with enormous amounts of spam daily from .icu, .best and .monster. SMTP Blocks are requiring a full domain or email address (when entering *.icu: "This is not a valid domain or email address."), therefore this solution cannot be enabled. Any other suggestions? I appreciate your help!!
2
steve Replied
We have the same problem, with mainly .icu, .top and .best domains.

There needs to be a much easier way to block these.
2
Patrick Mattson Replied
There is a link on an older thread that talks about adding additional definitions for Clam. I found this company has some pretty good definitions, and I see a lot of those same TLDs in my list. They charge something, but it is not a lot per year: https://www.securiteinfo.com. I do not use all the signatures they have; I found some are a little aggressive. My server updates signatures two times a day.

If you need help with the set up I can see if I have my old instructions and all the old set up files.
0
Same issue here...
1
Steve Norton Replied
Hi to those still having issues, I gave a solution that adds weight to a weight-based approach. There is more overhead in this solution, but it is good for service providers that cannot just 'hard block' domains.
'Employee Replied' gave a simple 'hard block' for domains; I've tested this functionality in 7242 without any issues.
"At the system level, you can go to Settings >> Security >> SMTP Blocks. Add a domain block for *.icu"
Are any of you having issues with the simple approach, if so, what version are you running?
0
Patrick Mattson Replied
Just added a few TLDs and saw a few already blocked. Thanks, they really had this useful feature buried; when I saw the post originally I did not see it, but I was on an older version.

My list so far is: *.icu, *.best, *.top, and *.xyz. I know it will grow.
0
Now after a reboot it's functional even for me...
