4
Is there a way, at the server level, to block all email from a specific TLD for instance *@*.bar
Question asked by Michael Gillespie - 8/11/2021 at 8:15 AM
Answered
Been seeing a lot of "Once a squirter...." email all coming from *@*.bar and while it is obviously spam, it is not being caught. Currently have the trial versions of Message Sniffer and Cyren Premium Antispam enabled and while I am seeing a lot of possible spam coming through, these are not being blocked and I don't want each user to have to block each different sender.

7 Replies

1
Tony Scholz Replied
Employee Post Marked As Answer
Hello Michael, 

Yes, if you wish to block all incoming messages from *.TLD, you can add this to the SMTP block list.


In the SMTP session, you will see this

Connecting to mail server.
Connected.
220 ascholz.local
EHLO ascholz
250-sup-ascholz.st.local Hello [10.1.9.0]
250-SIZE 139810133
250-AUTH LOGIN CRAM-MD5
250-8BITMIME
250-DSN
250 OK
RSET
250 OK
MAIL FROM: <tony@domain.com>
550 Sender is not allowed.

Error: SMTP protocol error. 550 Sender is not allowed..
Failed to send message
And in the server SMTP logs you will see this

[2021.08.11] 09:02:12.883 [10.1.9.0][40218278] rsp: 220 ascholz.local
[2021.08.11] 09:02:12.899 [10.1.9.0][40218278] connected at 8/11/2021 9:02:12 AM
[2021.08.11] 09:02:12.930 [10.1.9.0][40218278] Country code: Unknown
[2021.08.11] 09:02:12.946 [10.1.9.0][40218278] cmd: EHLO sup-ascholz
[2021.08.11] 09:02:12.946 [10.1.9.0][40218278] rsp: 250-ascholz.local Hello [10.1.9.0]250-SIZE 139810133250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
[2021.08.11] 09:02:13.055 [10.1.9.0][40218278] cmd: RSET
[2021.08.11] 09:02:13.055 [10.1.9.0][40218278] rsp: 250 OK
[2021.08.11] 09:02:13.055 [10.1.9.0][40218278] cmd: MAIL FROM: <tony@domain.com>
[2021.08.11] 09:02:13.071 [10.1.9.0][40218278] senderEmail(1): tony@domain.com parsed using: <tony@domain.com>
[2021.08.11] 09:02:13.086 [10.1.9.130][40218278] rsp: 550 Sender is not allowed.
[2021.08.11] 09:02:13.086 [10.1.9.130][40218278] disconnected at 8/11/2021 9:02:13 AM

Here is a better shot of the SMTP BLOCK



I hope this helps.

Tony Scholz System/Network Administrator SmarterTools Inc. (877) 357-6278 www.smartertools.com
0
Michael Gillespie Replied
Thanks for the help, easy enough to add the rule.
0
Hasham Wahaib Replied
Is it possible to add multiple domains in one entry?
0
Rene Eisenmann Replied
We receive spam from .su domain(s) and are using SmarterMail 8629 August 2023, and I can't find the SMTP Block option :) Where can I find SMTP Block in the Administration?


1
J. LaDow Replied
Logged in as an Administrator, go to the Settings tab at the top, then Security on the left, then SMTP Blocks will be in the bar across the top.


MailEnable survivor / convert --
0
Rene Eisenmann Replied
Hi, I added an EHLO Block to SMTP Blocks as in my screenshot. Unfortunately, I get the following when I check the SMTP log. Does the SMTP Block not work, or do I need to add something else?

>>

[2023.09.15] 11:08:55.541 [85.25.43.147][13921684] rsp: 220 Start TLS negotiation
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] cmd: EHLO mail.code-poetry.de
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] rsp: 250-mail.xodox.de Hello [85.25.43.147]250-SIZE 142606336250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] cmd: MAIL FROM:<ezxypjk@vikliss.azerbaijan.su> SIZE=175639
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] senderEmail(1): ezxypjk@vikliss.azerbaijan.su
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] rsp: 250 OK <ezxypjk@vikliss.azerbaijan.su> Sender ok
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] Sender accepted. Weight: 0. Block threshold: 35. 
[2023.09.15] 11:08:55.588 [85.25.43.147][13921684] cmd: RCPT TO:<email > ORCPT=rfc822;email
[2023.09.15] 11:08:55.588 [85.25.43.147][13921684] rsp: 452 <email> Domain size limit exceeded
[2023.09.15] 11:08:55.635 [85.25.43.147][13921684] cmd: RSET
[2023.09.15] 11:08:55.635 [85.25.43.147][13921684] rsp: 250 OK
[2023.09.15] 11:08:55.651 [85.25.43.147][13921684] cmd: QUIT

<
1
Howell Dell Replied
Keep in mind that you can also filter on the EHLO Domain option. Spammers often send fake EHLO content, and often it is not a valid FQDN.

Sometimes you also might find that they use a "standard" default EHLO text, which you can filter out given the rise of off-the-shelf spammer software. Keep in mind that spammers can also generate random content for a period of time or even on each eMail or Session.

This is just another way to keep some eMails out...
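
The SMTP logs quoted in this thread record the EHLO name and the MAIL FROM address on separate lines of the same session. The script below is an added example, not code from any poster or from SmarterTools: it parses that log layout and reports, per session, which of the two values ends in a watched TLD and whether the sender still received a 2xx reply. The function names, the `slipped` field and the third sample session are assumptions made for illustration.

```python
import re

LINE = re.compile(r"^\[[\d.]+\] [\d:.]+ \[[^\]]*\]\[(\d+)\] (cmd|rsp): (.*)$")
MAIL_FROM = re.compile(r"^MAIL FROM:\s*<([^>]*)>", re.I)
HELO = re.compile(r"^(?:EHLO|HELO)\s+(\S+)", re.I)

# First six lines are copied from the logs quoted in the thread; the last
# three (session 50000001) are constructed for this example.
SAMPLE_LOG = """\
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] cmd: EHLO mail.code-poetry.de
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] cmd: MAIL FROM:<ezxypjk@vikliss.azerbaijan.su> SIZE=175639
[2023.09.15] 11:08:55.572 [85.25.43.147][13921684] rsp: 250 OK <ezxypjk@vikliss.azerbaijan.su> Sender ok
[2021.08.11] 09:02:12.946 [10.1.9.0][40218278] cmd: EHLO sup-ascholz
[2021.08.11] 09:02:13.055 [10.1.9.0][40218278] cmd: MAIL FROM: <tony@domain.com>
[2021.08.11] 09:02:13.086 [10.1.9.130][40218278] rsp: 550 Sender is not allowed.
[2023.09.16] 08:00:00.100 [192.0.2.10][50000001] cmd: EHLO mx.example.bar
[2023.09.16] 08:00:00.200 [192.0.2.10][50000001] cmd: MAIL FROM:<promo@news.example.bar>
[2023.09.16] 08:00:00.300 [192.0.2.10][50000001] rsp: 550 Sender is not allowed.
"""

def has_tld(name, tlds):
    """True if a host name or an address's domain ends in one of the TLDs."""
    host = name.rsplit("@", 1)[-1].rstrip(".").lower()
    return "." in host and host.rsplit(".", 1)[-1] in tlds

def audit(log_text, tlds):
    """Per session: EHLO name, last MAIL FROM, its reply code, TLD matches."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # annotation lines (senderEmail, weights) carry no cmd/rsp
        sid, kind, text = m.groups()  # key on session id; the IP field can differ
        s = sessions.setdefault(sid, {"ehlo": None, "sender": None, "reply": None})
        if kind == "cmd":
            if (h := HELO.match(text)):
                s["ehlo"] = h.group(1)
            elif (f := MAIL_FROM.match(text)):
                s["sender"], s["reply"] = f.group(1), None
        elif s["sender"] is not None and s["reply"] is None:
            s["reply"] = text[:3]  # first reply after MAIL FROM is its verdict
    for s in sessions.values():
        s["ehlo_match"] = bool(s["ehlo"]) and has_tld(s["ehlo"], tlds)
        s["sender_match"] = bool(s["sender"]) and has_tld(s["sender"], tlds)
        s["slipped"] = s["sender_match"] and (s["reply"] or "").startswith("2")
    return sessions

if __name__ == "__main__":
    for sid, s in audit(SAMPLE_LOG, {"su", "bar"}).items():
        print(sid, s)
```
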
