
Block top level domains with ironport

chevymannie
Level 1

I'm new to IronPort and I'm trying to help someone block some SPAM they are receiving from foreign domains. They have a blacklist defined on their incoming mail policies, but it would not allow me to add a wildcard user such as *@*.ru. What I ended up doing was editing their content filter to block any envelope sender that ends in .ru. That's the only thing I've found close to what I'm trying to do in my searches. Anyone have any suggestions?

1 Reply

Robert Sherwin
Cisco Employee

There are 2 options:

  1. Write a filter.
  2. Refer to a dictionary text file in a message filter.

1. You can write either a content filter or a message filter to catch these charsets if your business does not interact with Russian / Cyrillic / Ukrainian senders.

Here is an outline for a filter.

quarantine_russian_spam:
if (recv-listener == "InboundMail") AND ((body-contains("windows-1251")) OR (header("Content-type") == "(?i)windows-1251")) {
    quarantine ("Policy");
}

You may want to place this in the content filters since content filters occur after the anti-spam scanning.  Placing this filter in the message filters may be resource-expensive in order to scan the body of the email for the charsets.

2. Another option is to add the list of character sets to a dictionary text file and refer to that in your message filter.

Full KB article for assistance:

http://tools.cisco.com/squish/aA327

Article 808 from the Customer KB:

https://ironport.custhelp.com/app/answers/list

Hope this helps!

-Robert

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
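
The two approaches in this thread (an envelope sender ending in .ru, and the windows-1251 charset test) match different sets of mail. The following Python script is an added example, not code from the thread or from Cisco: it approximates both conditions offline so the overlap can be checked before a filter is deployed. The function names and the sample messages are constructed for illustration, and the matching is a simplification of how the appliance evaluates `header()` and `body-contains()`.

```python
import re
from email import message_from_string

# Patterns taken from the thread: sender ending in .ru, and the windows-1251 charset.
TLD_RE = re.compile(r"\.ru$", re.IGNORECASE)
CHARSET_RE = re.compile(r"windows-1251", re.IGNORECASE)

def sender_tld_match(envelope_sender):
    """Approximates 'envelope sender ends in .ru' (the asker's content filter)."""
    return bool(TLD_RE.search(envelope_sender.strip().strip("<>")))

def charset_match(raw_message):
    """Approximates the reply's filter: Content-Type header or body text names windows-1251."""
    msg = message_from_string(raw_message)
    if CHARSET_RE.search(msg.get("Content-Type", "")):
        return True
    for part in msg.walk():
        payload = part.get_payload()
        if isinstance(payload, str) and CHARSET_RE.search(payload):
            return True
    return False

# Constructed sample messages: (label, envelope sender, raw message).
SAMPLES = [
    ("ru sender, cp1251", "<promo@shop.example.ru>",
     'Content-Type: text/plain; charset="windows-1251"\nSubject: a\n\nbody'),
    ("com sender, cp1251", "news@mailer.example.com",
     "Content-Type: text/html; charset=Windows-1251\nSubject: b\n\n<p>body</p>"),
    ("ru sender, utf-8", "offer@bulk.example.ru",
     'Content-Type: text/plain; charset="utf-8"\nSubject: c\n\nbody'),
    ("org sender, utf-8", "alice@example.org",
     'Content-Type: text/plain; charset="utf-8"\nSubject: d\n\nhello'),
]

def evaluate(samples=SAMPLES):
    """Return (label, tld_hit, charset_hit) for each sample."""
    return [(label, sender_tld_match(sender), charset_match(raw))
            for label, sender, raw in samples]

if __name__ == "__main__":
    for label, tld_hit, charset_hit in evaluate():
        print(f"{label:20} sender-rule={tld_hit!s:5} charset-rule={charset_hit}")
```

The second and third samples are each caught by only one of the two rules, which is the gap to account for when choosing between them.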
