12-02-2013 08:57 AM
I wanted to add *@*.us to our dictionary called blocked senders which for the most part has just e-mail addresses in it.
Reason is there has been an increase in spam from a random address@random.us. Two examples are adtauthorizeddealer@phyner.us and arpmortgage@paramar.us. Both have an identical format: "Can't see the images in this e-mail? click here to view online.", then a one-liner such as "ADT Dealer Installed security system $99", then an image of an advertisement. That's all it is.
Since I can't think of any legitimate e-mail providers that have a .us at the end (I can only think of .com, .org, .edu, .gov that we would do business with), I want to block anything@anything.us, hence my trial of the industry-standard wildcard symbols *@*.us.
Anyway I tried adding *@*.us hoping it would take wildcards but I get an error message "One or more items were not added because they are either invalid terms, or already exist in the Dictionary with a different weight."
12-03-2013 08:20 AM
Yes - that would work.
I added to test dictionary, and passed through my appliance --->
Contents of dictionary 'blocked_senders':
[^@]+@[^@]+\.us+, 1
Filter applied against:
Filter Name: blocked_senders
Conditions:
mail-from-dictionary-match("blocked_senders", 1)
Actions:
drop()
Description:
testing blocked_senders dictionary
Results of testing, from mail_logs:
Tue Dec 3 11:10:24 2013 Info: MID 496 ICID 373 From: <robert@local.us>
Tue Dec 3 11:10:30 2013 Info: MID 496 ICID 373 RID 0 To: <robsherw@cisco.com>
Tue Dec 3 11:10:37 2013 Info: MID 496 Message-ID '<63272c$fg@myesa_2.local>'
Tue Dec 3 11:10:37 2013 Info: MID 496 Subject 'test'
Tue Dec 3 11:10:37 2013 Info: MID 496 ready 114 bytes from <robert@local.us>
Tue Dec 3 11:10:37 2013 Info: MID 496 matched all recipients for per-recipient policy DEFAULT in the outbound table
Tue Dec 3 11:10:40 2013 Info: MID 496 interim verdict using engine: CASE spam negative
Tue Dec 3 11:10:40 2013 Info: MID 496 using engine: CASE spam negative
Tue Dec 3 11:10:40 2013 Info: Message aborted MID 496 Dropped by content filter 'blocked_senders' in the outbound table
Tue Dec 3 11:10:40 2013 Info: Message finished MID 496 done
Tue Dec 3 11:14:09 2013 Info: MID 499 ICID 375 From: <robert@local.local.us>
Tue Dec 3 11:14:13 2013 Info: MID 499 ICID 375 RID 0 To: <robsherw@cisco.com>
Tue Dec 3 11:14:24 2013 Info: MID 499 Message-ID '<63272c$fj@myesa_2.local>'
Tue Dec 3 11:14:24 2013 Info: MID 499 Subject 'Test'
Tue Dec 3 11:14:24 2013 Info: MID 499 ready 114 bytes from <robert@local.local.us>
Tue Dec 3 11:14:24 2013 Info: MID 499 matched all recipients for per-recipient policy DEFAULT in the outbound table
Tue Dec 3 11:14:25 2013 Info: MID 499 interim verdict using engine: CASE spam negative
Tue Dec 3 11:14:25 2013 Info: MID 499 using engine: CASE spam negative
Tue Dec 3 11:14:25 2013 Info: Message aborted MID 499 Dropped by content filter 'blocked_senders' in the outbound table
Tue Dec 3 11:14:25 2013 Info: Message finished MID 499 done
Tue Dec 3 11:15:44 2013 Info: MID 500 ICID 376 From: <joe@fbi.test.lab.us>
Tue Dec 3 11:15:50 2013 Info: MID 500 ICID 376 RID 0 To: <robsherw@cisco.com>
Tue Dec 3 11:15:59 2013 Info: MID 500 Message-ID '<63272c$fk@myesa_2.local>'
Tue Dec 3 11:15:59 2013 Info: MID 500 Subject 'Test'
Tue Dec 3 11:15:59 2013 Info: MID 500 ready 114 bytes from <joe@fbi.test.lab.us>
Tue Dec 3 11:15:59 2013 Info: MID 500 matched all recipients for per-recipient policy DEFAULT in the outbound table
Tue Dec 3 11:16:00 2013 Info: MID 500 interim verdict using engine: CASE spam negative
Tue Dec 3 11:16:00 2013 Info: MID 500 using engine: CASE spam negative
Tue Dec 3 11:16:00 2013 Info: Message aborted MID 500 Dropped by content filter 'blocked_senders' in the outbound table
Tue Dec 3 11:16:00 2013 Info: Message finished MID 500 done
Hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
12-02-2013 09:22 AM
12-03-2013 08:33 AM
Thank you for that verification.
We will keep this in place until there is a business need to converse with a .us domain. With the high increase in spam image e-mails from .us domains, we feel this block is more beneficial at this time.
11-03-2017 04:58 AM
Hello Robert,
I know it's an old thread but I am facing the same issue on my Ironport, so I applied the solution that you've mentioned earlier using the dictionary term [^@]+@[^@]+\.xx+, weight 1, and followed the steps that follow, but I am still receiving spam emails from sender@random.xx
Do you have any suggestion?
Thank you in advance!
11-16-2017 08:09 AM
Hi Sylvia,
we had the same problem with *.co.ua senders. We created a content filter which ...
Conditions: Envelope Sender mail-from == ".co.ua$"
Action: Final Drop (Final Action) drop()
... and added this filter to our incoming mail policies.
Would this be a possible solution for your case? Why do you want to do this with message filters? This drops all mails from this sender TLD/domain too. You are able to define other regex filters and exceptions via content filter.
11-23-2017 04:52 AM - edited 11-23-2017 04:53 AM
Hi Paul!
You can either create a dictionary with the specified terms and call it in the content filter or configure the terms directly in the content filter. Both will work as expected. My mistake was applying the content filter to the wrong mail policy but now it's working perfectly except for the email format: sender@random.random.xx
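Added example, not code from the thread or from Cisco: a small Python harness that runs the dictionary term from Robert's answer and the `.co.ua$` condition from Paul's reply against constructed sender addresses (the first three are the ones Robert tested), and compares the unanchored term with an anchored translation of the original `*@*.us` wildcard. It assumes the appliance applies a dictionary term as an unanchored regular-expression search, which is what the matches on nested domains such as local.local.us in Robert's logs suggest; `glob_to_sender_regex` is a hypothetical helper, not an ESA feature.

```python
import re

# Constructed sample senders (not from a real mailbox). The first three are the
# addresses Robert passed through his appliance; the rest are edge cases.
SAMPLE_SENDERS = [
    "robert@local.us",
    "robert@local.local.us",
    "joe@fbi.test.lab.us",
    "sender@random.random.xx",   # the format Sylvia reports still getting through
    "user@example.com",          # legitimate sender, must never match
    "user@mail.us.example.com",  # ".us" as an inner label, not the TLD
    "bill@example.co.ua",        # the .co.ua senders from Paul's post
]

# Terms exactly as given in the thread. Note that in the second one the dots
# are unescaped, so each "." matches any single character, not only a literal dot.
THREAD_TERM_US = r"[^@]+@[^@]+\.us+"
THREAD_TERM_CO_UA = r".co.ua$"


def glob_to_sender_regex(glob: str) -> str:
    """Translate a wildcard term such as *@*.us into an anchored regex.
    Assumption: a '*' must not cross the '@', so it becomes [^@]*."""
    out = "^"
    for ch in glob:
        out += "[^@]*" if ch == "*" else re.escape(ch)
    return out + "$"


def matching_senders(term: str, senders=SAMPLE_SENDERS) -> list[str]:
    """Return the senders the term matches, applying it as an unanchored
    search (assumed to mirror how the appliance evaluates dictionary terms)."""
    rx = re.compile(term)
    return [s for s in senders if rx.search(s)]


if __name__ == "__main__":
    # The unanchored thread term also catches "user@mail.us.example.com",
    # because nothing forces ".us" to be the last label of the domain.
    for label, term in (
        ("thread term", THREAD_TERM_US),
        ("anchored *@*.us", glob_to_sender_regex("*@*.us")),
        ("Paul's .co.ua$", THREAD_TERM_CO_UA),
    ):
        print(f"{label:16} {term:24} -> {matching_senders(term)}")
```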