Block ICU
Question asked by John Marx - 7/19/2019 at 12:40 PM
Answered
In our headers 90% of all spam is coming from .ICU domains. How can we prevent? Declude cannot be an option as we are on the latest version of SmarterMail.

Received: from harmonyrational.icu (hostmaster.netbudur.com [193.31.119.173])  
Steve_N Replied
I use a four-pronged attack on high-probability domains via custom filters (edit: Antispam 'custom rules'):

  1. Rule Name: .icu
     Rule Source: Body
     Rule Source: Contains
     Rule Text: .icu/
       .icu"
       .icu "

  2. Rule Name: Return-Path
     Rule Source: Header
     Header: Return-Path
     Rule Source: Contains
     Rule Text: ..excerpt from long list..
       .hk>
       .host>
       .hu>
       .icu>
       .id>
       .in>
       .ir>
       ..excerpt from long list..

  3. Rule Name: MAIL FROM
     Rule Source: Header
     Header: From
     Rule Source: Contains
     Rule Text: ..excerpt from long list..
       .hk>
       .host>
       .hu>
       .icu>
       .id>
       .in>
       .ir>
       ..excerpt from long list..

  4. Rule Name: Received domain high
     Rule Source: Header
     Header: Received
     Rule Source: Contains
     Rule Text: ..excerpt from long list..
       .hu]
       .icu [
       .icu (
       .icu?)
       .icu]
       .id [
       ..excerpt from long list..

Let me know if providing the JSON would be better.
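The same four checks, applied as a weight-based filter outside the mail server, as an added example that is not part of this thread or of SmarterMail: it parses a message with Python's email module and reports which of the four rules fire, so a mail-flow test can confirm that a TLD rule matches only where a link or address suffix follows the TLD and not a bare mention in prose. The rule weight, the function names and the two sample messages are constructed for this example; only the first Received line in SAMPLE_SPAM is the one quoted in the question.

```python
"""Weight-based TLD rules over a parsed message.

Added example, not SmarterMail code.  It mirrors the four custom rules in the
post above: body links, Return-Path, From and Received headers.  The weight,
function names and sample messages are assumptions made for this example; only
the first Received line of SAMPLE_SPAM is quoted from the question.
"""
import email
from email import policy

# TLDs named in this thread, stored without the leading dot.
BLOCKED_TLDS = ("icu", "best", "top", "xyz", "monster")

# Assumed weight per rule: the post says the rules add weight but gives no value.
RULE_WEIGHT = 5


def _body_text(msg):
    """Join text/plain and text/html parts so the body rule sees links in either."""
    if msg.is_multipart():
        parts = [p for p in msg.walk()
                 if p.get_content_type() in ("text/plain", "text/html")]
        return "\n".join(p.get_content() for p in parts)
    return msg.get_content()


def rule_hits(raw_message, tlds=BLOCKED_TLDS):
    """Return the names of the rules that fire, in the order the post lists them."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    # Each tuple: rule name, the text the rule scans, and the characters that
    # must follow ".<tld>" for a hit (taken from the Rule Text entries above).
    checks = (
        (".icu body", _body_text(msg), ("/", '"', ' "')),
        ("Return-Path", str(msg.get("Return-Path", "")), (">",)),
        ("MAIL FROM", str(msg.get("From", "")), (">",)),
        # A message usually carries several Received lines; a hop anywhere counts.
        ("Received domain high", "\n".join(msg.get_all("Received", [])),
         (" [", " (", "?)", "]")),
    )
    hits = []
    for name, text, suffixes in checks:
        if any("." + tld + suffix in text for tld in tlds for suffix in suffixes):
            hits.append(name)
    return hits


def spam_score(raw_message, tlds=BLOCKED_TLDS, weight=RULE_WEIGHT):
    """Total weight added by the TLD rules; compare it against your spam threshold."""
    return weight * len(rule_hits(raw_message, tlds))


# Constructed sample: only the first Received line is quoted from the question.
SAMPLE_SPAM = """\
Return-Path: <bounce@harmonyrational.icu>
Received: from harmonyrational.icu (hostmaster.netbudur.com [193.31.119.173])
    by mx.example.test with ESMTP; Fri, 19 Jul 2019 12:40:00 +0000
From: "Deals" <promo@harmonyrational.icu>
To: user@example.test
Subject: constructed sample
Content-Type: text/plain; charset=utf-8

See http://harmonyrational.icu/offer for details.
"""

# Constructed sample of ordinary mail: no rule should fire.
SAMPLE_HAM = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [198.51.100.7])
    by mx.example.test with ESMTP; Fri, 19 Jul 2019 12:41:00 +0000
From: Alice <alice@example.org>
To: user@example.test
Subject: constructed sample
Content-Type: text/plain; charset=utf-8

Lunch at noon? The menu is at https://example.org/menu.
"""

if __name__ == "__main__":
    for label, raw in (("spam", SAMPLE_SPAM), ("ham", SAMPLE_HAM)):
        print(label, spam_score(raw), rule_hits(raw))
```

Because every Rule Text entry requires a delimiter after the TLD (`/`, `"`, `>`, ` [`, ` (`, `]`), a message that merely discusses ".icu" in its text adds no weight; that is what keeps this approach usable for a provider that cannot hard-block whole TLDs.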


John Marx Replied
I am missing something, Steve. I see where I can do some filtering at the domain level. I know I can do it at the user level. I have no problem creating the first and then exporting and doing it for all users. I just don't see where to do this, as there is no import/export option wherever I am looking. I don't see an area on the spam settings (server wide) that would allow this either.

Although I know I want to block all of these, at times I could see not wanting that, and it would be a domain-level type of setting.
Steve_N Replied
Sorry, I said 'custom filters' rather than Antispam 'custom rules', which may have confused you.
Employee Replied
Employee Post Marked As Answer
Hi John. At the system level, you can go to Settings >> Security >> SMTP Blocks. Add a domain block for *.icu
Jill Stevens Replied
Hi Rod. I'm having the same issue with enormous amounts of spam daily from .icu, .best and .monster. SMTP Blocks are requiring a full domain or email address (when entering *.icu = This is not a valid domain or email address.), therefore this solution cannot be enabled. Any other suggestions? I appreciate your help!!
steve Replied
We have the same problem, with mainly .icu .top and .best domains.

There needs to be a much easier way to block these
Patrick Mattson Replied
There is a link on an older thread that talks about adding on additional definitions for Clam. I found this company has some pretty good definitions and I see a lot of those same TLDs in my list. They charge something but it is not a lot per year. https://www.securiteinfo.com I do not use all the signatures they have, I found some are a little aggressive. My server updates signatures two times a day.

If you need help with the set up I can see if I have my old instructions and all the old set up files.
same issue here...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
Steve_N Replied
Hi to those still having issues, I gave a solution that adds weight to a weight-based approach. There is more overhead in this solution, but it is good for service providers that cannot just 'hard block' domains.
'Employee Replied' gave a simple 'hard block' for domains; I've tested this functionality in 7242 without any issues.
"At the system level, you can go to Settings >> Security >> SMTP Blocks. Add a domain block for *.icu"
Are any of you having issues with the simple approach? If so, what version are you running?
Patrick Mattson Replied
Just added a few TLDs and saw a few already blocked. Thanks, they really had this useful feature buried; when I saw the post originally I did not see it, but I was on an older version.

My list so far is: *.icu, *.best, *.top, and *.xyz. I know it will grow.
Now after a reboot it's functional even for me...
Gabriele Maoret - Head of SysAdmins and CISO at SERSIS Currently manages 6 SmarterMail installations (1 in the cloud for SERSIS which provides services to a few hundred third-party email domains + 5 on-premise for customers who prefer to have their mail server in-house)
