[BlueOnyx:22892] Re: ban e-mails from *.icu domains

Meaulnes Legler @ MailList bluelist at waveweb.ch
Fri May 10 02:40:29 -05 2019


hey Michael

thanks for the reply.

I edited /etc/mail/access with
icu	<TAB>	550 Mail rejected from junk TLD

but the `make` command didn't work:
[root at vs /etc/mail] 09:25:55 462# make -C all
make: *** all: No such file or directory.  Stop.

nor did the make* script in that directory:
[root at vs /etc/mail] 09:26:31 463# ./make -C all
Don't know how to make -C

so I went to the GUI, made some changes in «Block Email From Hosts/Domains» and saved. Hope that helps.

Regarding inbound or outbound, I guess those mails are incoming and different users are accepting them; see the truncated output:

cat /var/log/maillog | grep "\.icu"
May 10 03:36:59 vs milter-geoip: No STMP-Auth used. Accepting email rule at templeborder.icu -> yve.
May 10 03:36:59 vs milter-geoip: Connect from provoke at templeborder.icu - 194.62.55.178 with message for dany
May 10 03:36:59 vs milter-geoip: No STMP-Auth used. Accepting email provoke at templeborder.icu -> dany.
May 10 03:36:59 vs sendmail[2162]: x4A1axQm002162: from=<provoke at templeborder.icu>, size=3376, class=0, nrcpts=1,
May 10 03:36:59 vs spamd[10265]: spamd: processing message <ICRXjs5QeSPMvkMLvJS1PeP7X27NqnKGu4_jd_hmQv4.tulFRe9Zvp
May 10 03:36:59 vs sendmail[2168]: x4A1ax1R002168: from=<provoke at templeborder.icu>, size=3269, class=0, nrcpts=1,
May 10 03:37:00 vs spamd[30582]: spamd: processing message <QIOfr9SXhgzK-KrHmc7xVu2WMHUaVHLZt01qXxbuTwg.Zg27pDWcIE
May 10 03:37:00 vs spamd[10265]: spamd: result: Y 9 - DCC_CHECK,DIGEST_MULTIPLE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_
May 10 03:37:01 vs spamd[30582]: spamd: result: Y 7 - BAYES_00,DCC_CHECK,DIGEST_MULTIPLE,DKIM_SIGNED,DKIM_VALID,DK
May 10 03:37:01 vs sendmail[2165]: x4A1axUQ002165: from=<rule at templeborder.icu>, size=3287, class=0, nrcpts=1, msg
May 10 03:37:01 vs spamd[10265]: spamd: processing message <wXceUWlDw209ylYB0IClBdmxfChwix9-ejqNn2o6z1I.MaNXHLWpUF
May 10 03:37:04 vs spamd[10265]: spamd: result: Y 5 - AWL,DCC_CHECK,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FSL_BULK_
May 10 03:37:06 vs milter-geoip: Connect from tile at templeborder.icu - 194.62.55.178 with message for janis
May 10 03:37:06 vs milter-geoip: No STMP-Auth used. Accepting email tile at templeborder.icu -> janis.
May 10 03:37:08 vs sendmail[2165]: x4A1axUR002165: from=<tile at templeborder.icu>, size=3299, class=0, nrcpts=1, msg
May 10 03:37:08 vs spamd[10265]: spamd: processing message <Uf59o7GzabEm_K72QD8DQrTKuZ-H33Z5LEQHqlSmnDo.q6WSf4LlSt
May 10 03:37:10 vs spamd[10265]: spamd: result: . 4 - BAYES_00,DCC_CHECK,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,FSL_
May 10 03:37:10 vs milter-geoip: Connect from rule at templeborder.icu - 194.62.55.178 with message for olga
May 10 03:37:10 vs milter-geoip: No STMP-Auth used. Accepting email rule at templeborder.icu -> olga.
May 10 03:37:10 vs sendmail[2165]: x4A1axUS002165: from=<rule at templeborder.icu>, size=3249, class=0, nrcpts=1, msg
May 10 03:37:11 vs spamd[10265]: spamd: processing message <LsdtoXFQ0EmJ0zWgR7Nzv0Yjajp3EFWg_NOAxYEUlOA.pN-6KEQSd2
May 10 03:37:12 vs spamd[10265]: spamd: result: Y 5 - AWL,BAYES_40,DCC_CHECK,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,
May 10 03:37:18 vs sendmail[2115]: x4A1aHYb002115: to=<rule at templeborder.icu>, delay=00:01:01, xdelay=00:01:01, ma
May 10 03:38:06 vs sendmail[2212]: x4A1b6UQ002212: to=<rule at templeborder.icu>, delay=00:01:00, xdelay=00:01:00, ma
May 10 04:04:13 vs milter-geoip: Connect from imogen at chancedilute.icu - 194.62.55.177 with message for mishka
May 10 04:04:13 vs milter-geoip: No STMP-Auth used. Accepting email imogen at chancedilute.icu -> mishka.
May 10 04:04:13 vs sendmail[6052]: x4A24DSZ006052: from=<imogen at chancedilute.icu>, size=4096, class=0, nrcpts=1, m
May 10 04:04:13 vs spamd[10265]: spamd: processing message <5D0prSOuZjEqznd4twApFOMasEEKBdOPSRz5DHBflNI.7Uqmid9EIk
May 10 04:04:14 vs spamd[10265]: spamd: result: Y 14 - DCC_CHECK,DIGEST_MULTIPLE,DKIM_SIGNED,DKIM_VALID,DKIM_VALID
May 10 04:04:15 vs milter-geoip: Connect from anxiety at chancedilute.icu - 194.62.55.177 with message for mishka

Thank you and best regards

_⌢_  Meaulnes Legler
'¿') Zurich, Switzerland
`-´  +41¦0 44 260-1660

On 10.05.19 05:14, Michael Stauber wrote:
> Hi Meaulnes,
> 
>> lately the Mail Delivery Subsystem gets flooded with e-mails sent to
>> non-existent addresses, all ending in .icu
> 
> Yeah, the GUI doesn't allow blocking entire TLDs. It was never thought
> to be necessary or a good idea. But that was before the advent of junk
> TLDs such as this one. I just looked at the GUI page and it's not easy
> to extend that form field, as the regular expression for that checks for
> valid domains, so there has to be at least one dot in it. It doesn't
> accept wildcards, so *.icu won't work. I can't extend this regular
> expression to accept wildcards, as we use it elsewhere in places where we
> absolutely cannot accept wildcards.
> 
> If we add GUI support for this, then it would need to be a separate form
> field like "Block Emails from these TLDs".
> 
> But maybe you're looking at it from the wrong end. You say your maillog
> is full with these. Are these *.icu emails inbound or outbound emails?
> 
> If these are outbound, then this would indicate a problem on your
> server. Like a compromised user account used for spamming or an abused
> script.
> 
> 
> If you want to manually add a block for *.icu, you can do this:
> 
> Edit /etc/mail/access and put this line into it:
> 
> icu     550 Mail rejected from junk TLD
> 
> Between "icu" and "550" there aren't 3-4 spaces. That's a single TAB
> (tabulator key).
> 
> Save the changes and then run this command:
> 
> cd /etc/mail
> make -C all
> 
> That will put that change into effect.
> 

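As an added example (not code from this thread or from BlueOnyx), a small Python script that answers the inbound-or-outbound question from sendmail maillog lines, and models why a bare `icu` key in /etc/mail/access matches templeborder.icu. The log lines are constructed to mirror the ones quoted above (real maillog entries use `@`; the list archive rewrites it as ` at `), and the suffix-walk lookup is a simplified model of sendmail's access_db behaviour, not its actual code.

```python
import re
from collections import Counter

# Constructed sample modelled on the sendmail entries quoted in the post.
# Not taken from the original server's /var/log/maillog.
SAMPLE_LOG = """\
May 10 03:36:59 vs sendmail[2162]: x4A1axQm002162: from=<provoke@templeborder.icu>, size=3376, class=0, nrcpts=1
May 10 03:37:01 vs sendmail[2165]: x4A1axUQ002165: from=<rule@templeborder.icu>, size=3287, class=0, nrcpts=1
May 10 03:37:18 vs sendmail[2115]: x4A1aHYb002115: to=<rule@templeborder.icu>, delay=00:01:01, xdelay=00:01:01, mailer=esmtp
May 10 04:04:13 vs sendmail[6052]: x4A24DSZ006052: from=<imogen@chancedilute.icu>, size=4096, class=0, nrcpts=1
May 10 04:05:00 vs sendmail[6100]: x4A25AbC006100: from=<alice@example.com>, size=1200, class=0, nrcpts=1
"""

# Envelope sender (from=) or recipient (to=) field of a sendmail queue-id line.
ENVELOPE_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): (?P<dir>from|to)=<[^@>]*@(?P<domain>[^>]+)>"
)

def tally_by_tld(log_text, tld):
    """Count envelope senders ('from', i.e. inbound) and envelope recipients
    ('to', i.e. outbound) per domain under the given TLD."""
    counts = {"from": Counter(), "to": Counter()}
    for line in log_text.splitlines():
        m = ENVELOPE_RE.search(line)
        if m and m.group("domain").lower().endswith("." + tld.lower()):
            counts[m.group("dir")][m.group("domain").lower()] += 1
    return counts

def access_lookup(domain, access_rules):
    """Simplified model of the access_db suffix walk: the full domain is tried
    first, then each shorter suffix down to the bare TLD, which is why a key
    of just 'icu' catches templeborder.icu. Returns the rule value or None."""
    labels = domain.lower().split(".")
    for i in range(len(labels)):
        key = ".".join(labels[i:])
        if key in access_rules:
            return access_rules[key]
    return None

if __name__ == "__main__":
    c = tally_by_tld(SAMPLE_LOG, "icu")
    print("inbound senders per .icu domain:", dict(c["from"]))
    print("recipients in .icu (likely bounces):", dict(c["to"]))
    rules = {"icu": "550 Mail rejected from junk TLD"}  # the line from the post, as key/value
    print("templeborder.icu ->", access_lookup("templeborder.icu", rules))
    print("example.com ->", access_lookup("example.com", rules))
```

A large `from` count with only a handful of `to` entries is what inbound spam looks like: the `to=<...@templeborder.icu>` lines are most likely the bounces the Mail Delivery Subsystem sends back for the non-existent local recipients, not mail originating from a local account.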