adding TLD to Exim Blacklist

[keat63]

For a few years I've been using exim_blacklist to block domains, which has worked well.

Block receiving emails from specific domain to any mailing list?

However, I have one TLD that i'm struggling with.
We see a lot of spam coming from the .date TLD.

I'm unable to block this as the sender, domain name and IP are always different.
eg: [email protected] or [email protected]

How would i block the tld .date

I've tried adding date, .date, *.date *@*.date to the exim blacklist, but nothing seems to stop these getting through.

Mailscanner is doing it's job, but i'd prefer if exim blocked them first.

 

[keat63]

I found this on another site, whilst not exactly what I was looking to achieve, it should hopefully provide the same result.

cPanel comes stock with a number of ACLs and tuneables to help reduce the amount of unwanted email into your server. At present, there are not a lot of controls on the Exim side that allow for blocking specific email addresses or servers. While you can easily use the integrated SpamAssassin controls on a per-cPanel account basis, it’s generally less resource-intensive to handle these blocks at SMTP time.

cPanel’s implementation of Exim is set to automatically load filters from an include directory. This directory is located here:

/usr/local/cpanel/etc/exim/sysfilter/options/

Any files you drop in here will be included into the Exim filter. First, create a file in this folder. You can name it anything you want, but we’ll call ours inbound_tld_block:

/usr/local/cpanel/etc/exim/sysfilter/options/inbound_tld_block

In this file, add the following filter, replacing .tld with the actual TLD you want to block:
if first_delivery
and ("$h_to:, $h_cc:" contains ".tld")
or ("$h_from:" contains ".tld")
then
seen finish
endif
Now go into WHM -> Exim Configuration Manager -> Basic Editor -> Filters, and you should see the new filter listed:

** Custom Filter: inbound_tld_block

If it’s not already enabled, enable it here and then save.

 

[cPanelMichael]

Hello,

Let us know if that solution helps.

Thank you.

 

[Script]

Hello,

Let us know if that solution helps.

Thank you.

I am not OP, but I had the similar issue, and the provided solution works like a charm (I've blocked .top .xyz .pw .icu TLDs)
So yes, it works for me.
Thank you!

 

[keat63]

I now use CSF mailscanner.
It makes the job so much easier.

 

[CharlesGLondon]

How do we block all domains which have only numbers in it? Can we add regex in this script?
E.g. 1234.com, 2319.com etc

 

[scurrell]

I am not OP, but I had the similar issue, and the provided solution works like a charm (I've blocked .top .xyz .pw .icu TLDs)
So yes, it works for me.
Thank you!

How do you add multiple tld's using that code?

 

[rclemings]

There might be a better way but this appears to work for multiple tlds:

if first_delivery
and ("$h_to:, $h_cc:" contains ".xyz")
or ("$h_from:" contains ".xyz")
then
seen finish
endif
if first_delivery
and ("$h_to:, $h_cc:" contains ".top")
or ("$h_from:" contains ".top")
then
seen finish
endif

A question though: How can I stop the system from sending "delivery cancelled" bounces to the sender for those tlds? A lot of them are undeliverable and just sit in the queue until they time out.

 

[keat63]

I don't work for or acsscociated with CSF, but mailscanner is about $60.
It makes this job so much easier.

 

[megahost]

It is a bit easier, but how about the resources?
Will it need more CPU/RAM to add the rules in MailScanner or in Exim?

 

[keat63]

Good question.
All I can add to this is that I don't see any adverse performance.
However, I only have about 10 domains, and 8 of those see very little traffic.

 

[quietFinn]

I don't work for or acsscociated with CSF, but mailscanner is about $60.
It makes this job so much easier.

Yes it does, and it's just one time payment. I always order ConfigServer Server Services + MailScanner to every new server.

 

[megahost]

i have one WHM server and this solution doesn't work for me. I tried using the filters and I also tried Mailscanner to deny .icu extension.
In this moment i have both exim filter and mailscanner blacklist for *@*.icu but i still see a lot of emails daily form .icu domains in the queue. Any ideeas what to do?
Thanks.

 

[sierrablue]

i have one WHM server and this solution doesn't work for me. I tried using the filters and I also tried Mailscanner to deny .icu extension.
In this moment i have both exim filter and mailscanner blacklist for *@*.icu but i still see a lot of emails daily form .icu domains in the queue. Any ideeas what to do?
Thanks.

WHM > Email > Filter Incoming Emails by Domain
*.example.com
*.icu

etc...

 

[megahost]

ok, i will try this. thanks.