Block all domain extensions but a few

jacobbell1
Level 1

We get A LOT of SPAM and malicious email from domain extensions that are...strange, to say the least. I've seen: .star, .idea, .lol, .xxx, and even .sex on our message reporting. We're running a set-up of twin Cisco IronPort C170s. Instead of trying to block each of these, one-by-one, is there a way for me to block all domain extensions but for a few that we would need (.com, .org, .net, .gov, etc.)? That would be much easier, and I wouldn't have to worry about trying to keep my eye open for another rogue domain extension that someone thought up.

Thanks,

2 Replies

exMSW4319
Level 3

I do some of that with a content rule:

Sender-blacklist: if (mail-from-dictionary-match("blocked-senders", 1)) { drop(); }

In the blocked-senders dictionary you would then probably need a regex to avoid lots of false positives, perhaps \.sex$ for one of your examples; fortunately there aren't that many of them.

My example uses a drop(), and if experimenting you'd probably want to start with something less permanent, say a quarantine action. There will also be more efficient ways of coding this if you're into message filters.

Is there a list of hopeless TLDs? Not that I know of, and with a few notorious exceptions the real reason the industry keeps dreaming up these new ones is to sell them to the nuisance brigade. If considering reversing my logic with a dictionary of good TLDs skipping a subsequent unconditional drop action, beware that there may be more valid TLDs than you expect.

Looking at alternatives, do you have Envelope Sender Verification turned on?
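To make the two points in the reply above concrete (why the dictionary entry needs to be anchored like \.sex$ rather than a bare substring, and why an allowlist of "good" TLDs can reject legitimate senders), here is an added Python model of the same decision logic. It is not IronPort code and not part of the original thread; the dictionary entries, the allowlist, the sender addresses and the use of a quarantine rather than a drop verdict are all constructed for illustration.

```python
import re

# Constructed dictionary entries, written the way the reply suggests: each TLD
# anchored with a leading literal dot and end-of-string, so it only matches the
# final label of the sender domain.
BLOCKED_SENDER_PATTERNS = [r"\.sex$", r"\.xxx$", r"\.lol$", r"\.star$", r"\.idea$"]

# Constructed allowlist for the "reversed" logic the reply warns about.
ALLOWED_TLDS = {"com", "org", "net", "gov", "edu", "mil"}


def sender_domain(mail_from: str) -> str:
    """Return the lower-cased domain part of an envelope sender, or '' if absent.

    Accepts both '<user@host>' and 'user@host' forms.
    """
    addr = mail_from.strip().strip("<>")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def naive_substring_match(mail_from: str, word: str) -> bool:
    """The mistake the reply cautions against: an unanchored dictionary term."""
    return word in sender_domain(mail_from)


def matches_blocklist(mail_from: str, patterns=BLOCKED_SENDER_PATTERNS) -> bool:
    """True if the sender's domain matches any anchored blocked-TLD regex."""
    domain = sender_domain(mail_from)
    return any(re.search(p, domain) for p in patterns)


def tld_allowed(mail_from: str, allowed=ALLOWED_TLDS) -> bool:
    """Reversed logic: True only if the sender's final label is on the allowlist.

    Note that a legitimate ccTLD sender such as example.co.uk fails this test,
    which is the 'more valid TLDs than you expect' problem.
    """
    domain = sender_domain(mail_from)
    if not domain or "." not in domain:
        return False
    return domain.rsplit(".", 1)[1] in allowed


def filter_verdict(mail_from: str, mode: str = "blocklist") -> str:
    """Return 'quarantine' or 'deliver' for a sender under the chosen mode.

    Quarantine is used instead of drop so a false positive can be recovered,
    as the reply recommends while experimenting.
    """
    if mode == "blocklist":
        return "quarantine" if matches_blocklist(mail_from) else "deliver"
    if mode == "allowlist":
        return "deliver" if tld_allowed(mail_from) else "quarantine"
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Constructed sample senders: one obvious nuisance TLD, one legitimate
    # domain that merely contains the substring 'sex', one legitimate ccTLD.
    samples = ["<promo@offers.sex>", "alice@middlesex.edu", "bob@example.co.uk"]
    for s in samples:
        print(f"{s:22} naive={naive_substring_match(s, 'sex')!s:5} "
              f"blocklist={filter_verdict(s, 'blocklist'):10} "
              f"allowlist={filter_verdict(s, 'allowlist')}")
```

Running it shows the anchored pattern catching offers.sex while leaving middlesex.edu alone (the unanchored term would have flagged it), and the allowlist mode quarantining example.co.uk even though it is a perfectly valid sender, which is the trade-off the reply describes.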

Mathew Huynh
Cisco Employee

Hello Jacob,
Just wanted to also check for these emails passing, what's the SBRS score reading for them?

Regards,

Matthew