E-Mail address blacklist help

slayer1ss

Basic Pleskian
Hi, almost all mail addresses on my server are getting a spam mail from the same mail marketing company every day and I want to block them... Normally I just add the mail address to the blacklist from "Spam Filter Settings", but this company is opening new addresses every day and it is impossible to add all of them to the blacklist, so I need your help adding it as a regex to the blacklist...

The company I am talking about is opening mail addresses every day like the ones below...
[email protected]
[email protected]
[email protected]
[email protected]


As you can see, all mail addresses begin with "nrt" + "6 digits of day" + "free mail provider", so right now I am using the regex below and it is already added to the blacklist, but they are still able to send to me... What can I do now?

nrt??????@*.com
 
@slayer1ss,

You can undertake the following:

1) try to determine the IPs for the specific spammer (it can be the case that these mails come from a couple of servers that function as a mail relay) and block those IPs in the firewall and/or use the Fail2Ban module to blacklist those IPs,

2) use the regexp nrt*@*.com OR (better) the regexps:

- *@yandex.com
- *@mynet.com
- nrt*@gmail.com
- nrt*@hotmail.com

(note: you should not blacklist *@hotmail.com and/or *@gmail.com)

3) enable greylisting (if that is not already enabled)

4) configure SPF spam protection and/or enable DNSBL (add zen.spamhaus.org) blacklisting (both in Settings, Mail Server Settings)

5) experimental (!) - you should be able to make a regexp that can be used in a specific Fail2Ban jail, with the result that specific mails are not received (note: Fail2Ban should be able to identify IPs and block them temporarily). The temporary IP block by Fail2Ban does have the advantage that a genuine mail server will try again to deliver a mail, while a spam mail server often does not. That is, if the Fail2Ban block time is short enough (1 or 2 days), you should barely notice anything.
 
Thank you for your response;

1- Wouldn't blacklisting the IP that the mail is coming from also blacklist all hotmail, gmail etc.?

2- Previously I was using nrt*@hotmail.com etc. but they were still able to send; I changed nrt??????@*.com to nrt*@*.com now and I hope this will work

3- Greylisting is already on

4- SPF and DNSBL are already on

@slayer1ss,

It is very likely that the spammers do not actually send from the mentioned domains, but use a hacked account (solution: blacklist the account) OR a mail relay (i.e. forwarding or sending mails, as if they are coming from the mentioned domain(s); solution: blacklist the IP of the server that functions as a relay).

Hence, it is not very likely that IP blacklisting would result in blocking all traffic from gmail or hotmail.

Furthermore, spammers do not tend to retry any failed mail deliveries, implying that a short-term IP Blacklist can be very handy (genuine mails will be delivered afterwards).

It sometimes even helps to shut down a mail server for a couple of minutes, but that seems unnecessary at this moment.

As a general note, you are spending a lot of time in order to prevent spam mail from a couple of mail addresses.

It should not be a problem to blacklist IPs or accounts, even if you are missing some genuine mails (remember: a good mail server will retry in case of a bounce, a spammer will not) and therefore it is often better to take a crude, fast approach that saves time.

In short, have a look at your maillogs and identify DNS and/or IPs from the servers that try to send the spam mails and just block those IPs. No harm there, saves a lot of time.

Kind regards.....
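The two pieces of advice in this thread (step 1 of the first answer and the closing "have a look at your maillogs" suggestion) can be combined into a small log check. The script below is an added example and not code from the thread or from Plesk; it assumes a Postfix-style maillog, correlates each message's `client=` line with its `from=` line by queue ID, and counts per client IP the messages whose envelope sender matches a wildcard blacklist pattern such as the thread's `nrt??????@*.com` (assumed to use SpamAssassin-style `*`/`?` wildcards). The log excerpt, hostnames, queue IDs and IPs are constructed.

```python
import re
from collections import Counter

# Constructed Postfix-style log excerpt (not from the thread); IPs are from the
# RFC 5737 documentation ranges and the queue IDs/hostnames are made up.
MAILLOG = """\
Mar  3 08:01:12 host postfix/smtpd[1201]: 7A1B2C3D4E: client=relay1.example.net[203.0.113.5]
Mar  3 08:01:12 host postfix/qmgr[1099]: 7A1B2C3D4E: from=<nrt250303@example.com>, size=2210, nrcpt=1 (queue active)
Mar  3 08:01:40 host postfix/smtpd[1202]: 8B2C3D4E5F: client=mx.example.org[198.51.100.7]
Mar  3 08:01:40 host postfix/qmgr[1099]: 8B2C3D4E5F: from=<alice@example.org>, size=1800, nrcpt=1 (queue active)
Mar  3 08:02:05 host postfix/smtpd[1201]: 9C3D4E5F60: client=relay1.example.net[203.0.113.5]
Mar  3 08:02:05 host postfix/qmgr[1099]: 9C3D4E5F60: from=<nrt250303@example.net>, size=2215, nrcpt=1 (queue active)
Mar  3 08:03:30 host postfix/smtpd[1203]: AD4E5F6071: client=relay2.example.net[203.0.113.9]
Mar  3 08:03:30 host postfix/qmgr[1099]: AD4E5F6071: from=<nrt250304@example.com>, size=2230, nrcpt=1 (queue active)
Mar  3 08:04:02 host postfix/smtpd[1201]: BE5F607182: client=relay1.example.net[203.0.113.5]
Mar  3 08:04:02 host postfix/qmgr[1099]: BE5F607182: from=<nrt250304@example.com>, size=2231, nrcpt=1 (queue active)
"""

CLIENT_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=[^\[\s]+\[(?P<ip>[0-9.]+)\]")
FROM_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")


def glob_to_regex(pattern):
    """Turn a wildcard blacklist pattern into an anchored, case-insensitive regex:
    '*' matches any run of characters, '?' exactly one, everything else literally."""
    parts = [".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def spam_sources(log_text, sender_pattern):
    """Count, per connecting client IP, the messages whose envelope sender matches
    sender_pattern. The smtpd 'client=' line and the qmgr 'from=' line of one
    message share a queue ID, so the IP is remembered by queue ID first."""
    matcher = glob_to_regex(sender_pattern)
    client_ip_by_qid = {}
    hits = Counter()
    for line in log_text.splitlines():
        m = CLIENT_RE.search(line)
        if m:
            client_ip_by_qid[m["qid"]] = m["ip"]
            continue
        m = FROM_RE.search(line)
        if m and matcher.match(m["sender"]) and m["qid"] in client_ip_by_qid:
            hits[client_ip_by_qid[m["qid"]]] += 1
    return hits


if __name__ == "__main__":
    # Candidate IPs to block (or to feed to a Fail2Ban jail), most active first.
    for ip, n in spam_sources(MAILLOG, "nrt??????@*.com").most_common():
        print(f"{ip}\t{n} matching message(s)")
```

Note that the `.net` sender from relay1 is not counted by `nrt??????@*.com`, which is exactly why the answer suggests matching on the provider domains as well as the `nrt` prefix.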
 