How to Block all email from a top level domain

[bradz]

Do we have a way to block all emails from a top level domain name in the Server wide Black List?
For example, I am seeing many return emails from random .tk fake domains.
I would like to block any thing from .tk
I tried entering *.tk as a domain to Black List, but it does not take it.

Thanks for any help.
Brad

 

[IgorG]

I'm afraid that it is impossible to block top level domain with black list. But you can block mail from this top level domain - Spam Filter Settings -> Black List -> Add -> *@*.tk
Also I suggest you greylisting. You can use it with something like:

#/usr/local/psa/admin/sbin/glmng --add --black-list --address="*.tk"

 

[bradz]

Thanks so much! Very good point, I did not think of doing it in the spam filter.
I have not been using GrayListing, but looks like time to try it!

 

[hamsi]

hello i have it try to plesk 18.0.23 but its not function... the command : #/usr/local/psa/admin/sbin/glmng --add --black-list --address="*.tk"
i have it try this too /usr/local/psa/admin/sbin/glmng --add --black-list --address=example.com"*.xyz" and with i server ip: but the mail come again.
can i list in the console black-list?
thx for support

 

[G J Piper]

It can't be done using Plesk's implementations, but at the server level you can do it.
I'm using postfix and dovecot and implemented it easily as follows:

# modify postfix settings a bit:
vi /etc/postfix/main.cf
# change: smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, permit_sasl_authenticated
# to:

smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, check_sender_access hash:/var/spool/postfix/plesk/custom-added-blacklist, permit_sasl_authenticated

# create a new blacklist
vi /var/spool/postfix/plesk/custom-added-blacklist
# fill with your lists of TLDs as follows:

adult     REJECT 'BLOCKED: The ADULT top level domain (TLD) is currently sending too much spam.'
xxx     REJECT 'BLOCKED: The XXX top level domain (TLD) is currently sending too much spam.'
click     REJECT 'BLOCKED: The CLICK top level domain (TLD) is currently sending too much spam.'

# run these commands and you're good to go.
postmap /var/spool/postfix/plesk/custom-added-blacklist
service postfix restart

No reason Plesk couldn't easily implement this along side the blacklist they already do in the GUI but maybe they can't do it on all systems.
Seems like the only reason it can't be done in Plesk is because the form simply won't let you submit a TLD by itself without a dot.
My changes don't get overwritten by any Plesk or postfix updates so far and I implemented it back in Plesk 12, through Onyx, and now it still works in Obsidian.

 

[G J Piper]

hello piper. i have the configuration. what do you write. but after 1 hour is the spam again coming. i think plesk change the configuration. have you a idea for me?
thx hamsi

You'll want to make sure the paths are correct for your system of course.

 

[hamsi]

i copie the line here

/etc/postfix/main.cf
smtpd_sender_restrictions = check_sender_access hash:/var/spool/postfix/plesk/blacklists, check_sender_access hash:/var/spool/postfix/plesk/custom-added-blacklist, permit_sasl_authenticated

/var/spool/postfix/plesk/custom-added-blacklist
/\.xyz$/ REJECT
/\.kz$/ REJECT
/\.co$/ REJECT
/\.icu$/ REJECT

postmap hash:/var/spool/postfix/plesk/custom-added-blacklist

service postfix restart

after 1 houch come the next ltd mails. here is the log

/var/log/maillog
Feb 9 20:10:26 panel postfix/smtpd[7608]: warning: 93.248.xxx.xx.sbl.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=93.248.178.51.sbl.spamhaus.org type=A: Host not found, try again
Feb 9 20:10:26 panel postfix/smtpd[7608]: warning: 93.248.xxx.xx.zen.spamhaus.org: RBL lookup error: Host or domain name not found. Name service error for name=93.248.178.51.zen.spamhaus.org type=A: Host not found, try again
Feb 9 20:10:26 panel postfix/smtpd[7608]: 1987419E1B1F: client=ip93.ip-XX-XXX-XXX.eu[XX.-XX.XXX.XX]
Feb 9 20:10:26 panel postfix/cleanup[7613]: 1987419E1B1F: message-id=<[email protected]>
Feb 9 20:10:26 panel check-quota[7616]: Starting the check-quota filter...
Feb 9 20:10:26 panel psa-pc-remote[28642]: handlers_stderr: SKIP
Feb 9 20:10:26 panel psa-pc-remote[28642]: SKIP during call 'check-quota' handler
Feb 9 20:10:26 panel spf[7617]: Starting the spf filter...
Feb 9 20:10:26 panel spf[7617]: Error code: (2) Could not find a valid SPF record
Feb 9 20:10:26 panel spf[7617]: Failed to query MAIL-FROM: No DNS data for 'haircounter.xyz'.
Feb 9 20:10:26 panel spf[7617]: SPF result: none
Feb 9 20:10:26 panel spf[7617]: SPF status: PASS
Feb 9 20:10:26 panel psa-pc-remote[28642]: handlers_stderr: PASS
Feb 9 20:10:26 panel psa-pc-remote[28642]: PASS during call 'spf' handler
Feb 9 20:10:26 panel postfix/qmgr[3026]: 1987419E1B1F: from=<[email protected]>, size=4802, nrcpt=1 (queue active)
Feb 9 20:10:26 panel postfix-local[7619]: postfix-local: from=[email protected], to=[email protected], dirname=/var/qmail/mailnames

 

[G J Piper]

/\.xyz$/ REJECT
/\.kz$/ REJECT
/\.co$/ REJECT
/\.icu$/ REJECT

Not sure what the slashes and "$" is doing here... this should not be. View my example and see. Only the XYZ by itself with no dots, slashes, or regex:

xyz      REJECT
kz       REJECT
co       REJECT
icu      REJECT

 

[JohnBee]

I just wanted to update that you can block or blacklist a top level domain in Plesk using the following format:
@.icu
@.xyz
...

This was provided by Plesk support, ans has been verified /tested

 

[G J Piper]

I just wanted to update that you can block or blacklist a top level domain in Plesk using the following format:
@.icu
@.xyz
...
This was provided by Plesk support, ans has been verified /tested

Are you talking about the Server-Wide Mail Settings blacklist or the Spam Filter Settings blacklist?

 

[JohnBee]

Are you talking about the Server-Wide Mail Settings blacklist or the Spam Filter Settings blacklist?

To my knowledge, this works on all blacklist/whitelist locations - server-wide, as well as the domain level

 

[Viktor Vogel]

I just wanted to update that you can block or blacklist a top level domain in Plesk using the following format:
@.icu
@.xyz
...

This was provided by Plesk support, and has been verified /tested

Just a small clarification: This is the valid format for the Plesk Email Security extension - Plesk Email Security

 

[G J Piper]

Just a small clarification: This is the valid format for the Plesk Email Security extension - Plesk Email Security

It works on all blacklist/whitelist locations - server-wide or domain

Thank you. These settings will not work in all the Server-Wide Mail Settings blacklist or the Spam Filter Settings blacklist when not using Plesk Email Security.

 

[JohnBee]

Thank you. These settings will not work in all the Server-Wide Mail Settings blacklist or the Spam Filter Settings blacklist when not using Plesk Email Security.

Good catch - I had not tried without the extension

 

[smdgfX]

I just wanted to update that you can block or blacklist a top level domain in Plesk using the following format:
@.icu
@.xyz
...

This was provided by Plesk support, ans has been verified /tested

Is it possible to block more than one tld?
Currently I get SPAM in the following format:
[email protected]
[email protected]
[email protected]
[email protected]

Is something like Vulkan@*.com working?


Regards,
Oliver

 

[Viktor Vogel]

Hi Oliver,

do not use * (asterisk) in Plesk Email Security.

Use this for your case:

[email protected]

The . (dot) stays for any character (as in regular expressions).

Cheers

 

[smdgfX]

Hi Viktor, thx for your answer. That's perfect...

 

[revvluvv]

So I have been able to blacklist and block all top level domains using *@*.TLD format works perfectly except those monkeys keep drawing new TLD's from the list.
I have a list of all of them I created in this format, but PLESK restricts the # of black listed items. So I'm just guessing as to what one will pop up next..... What I want to to is either inject the list manually to work around the # of items blacklisted restriction or create an "all but .TLD" so I could block all but .com, .net, .edu etc. you get the idea..This would forever head off any new spam TLD's that get added in the future.. any ideas from the brain trust?

 

[Ksech]

I tried something like hamsi had:

/\.xyz$/ REJECT
/\.kz$/ REJECT
/\.co$/ REJECT
/\.icu$/ REJECT

But with this in the main.cf:

pcre:/etc/postfix/reject_domains

(note the prcre)

It works for domains I add like the following but not for the TLDs added like above.

/spammersandhackers\.xyz/

I'd like to try G J Piper's solution, but I'm worried that this code will do partial matches - I don't see anything that restricts it to matching tld only - am I missing something?

Not sure what the slashes and "$" is doing here... this should not be. View my example and see. Only the XYZ by itself with no dots, slashes, or regex:

xyz      REJECT
kz       REJECT
co       REJECT
icu      REJECT

 

[G J Piper]

I tried something like hamsi had:

/\.xyz$/ REJECT
/\.kz$/ REJECT
/\.co$/ REJECT
/\.icu$/ REJECT

But with this in the main.cf:

pcre:/etc/postfix/reject_domains

(note the prcre)

It works for domains I add like the following but not for the TLDs added like above.

/spammersandhackers\.xyz/

I'd like to try G J Piper's solution, but I'm worried that this code will do partial matches - I don't see anything that restricts it to matching tld only - am I missing something?

I've been researching why mine works (it doesn't do partial matches on mine) and I think it has something to do with the difference between using unhashed "pcre" instead of postmap "hash" lists. I found one person commenting that you shouldn't use regex with hash lists but with pcre it is ok.