Block e-mail addresses from e-mailing any user on server

[jtgroup]

Hello everyone,

We have been having a lot of issues with spam recently and have decided to start managing some of it in house rather than relying on automatic filters.

This morning I have created a block list based on the instructions here ( WHM - Block server from receiving e-mails from particular domains ) to block particular domains from e-mailing anyone on the server.

My next step is to block individual accounts from being able to contact anyone on any domain hosted on our server. The problem being that we still get the occasional person spamming from say a Yahoo account. Obviously we do not want to block every Yahoo account from being able to send us messages but it would be helpful if we could block individual ones.

Would it be possible to add individual e-mail addresses to the same blacklist (as I created earlier using those steps) or is that one only suitable for full domains?

I hope that makes sense.

Kind regards


James

 

[keat63]

Youre creating a rod for your own back and an almost impossible task.
Compiling lists of offending spammers would be all but impossible.
You might get 10 spam emails from one sender and none ever again.
They tend to use bots, with throw away email addresses.

An easier solution for starters would be to use RBL's.
In Exim Config under RBL's, click manage custome rbl's and add the following few entries.

AbuseAT                cbl.abuseat.org      https://www.abuseat.org/
Barracuda             b.barracudacentral.org      http://www.barracudacentral.org/rbl/removal-request
SemFresh30         fresh30.spameatingmonkey.net      https://spameatingmonkey.com/services/SEM-FRESH30
SemURIBL            uribl.spameatingmonkey.net      https://spameatingmonkey.com/services/SEM-URI
semblack              bl.spameatingmonkey.net      https://spameatingmonkey.com/services/SEM-BLACK
spamcop              bl.spamcop.net      http://spamcop.net/bl.shtml

screenshot attached

 

[keat63]

Also, CSF mailscanner has tools built in to block specific email addresses.
You can blacklist at the click of a button.
It's not free, but it's not expensive either.

 

[jtgroup]

Hi Keat,

Thank you. I agree and we do use RBLs but some of the time we notice that it takes weeks for them to catch up and block some of the spammers. We'd like to have this in our arsenal as well if possible.

Would it be possible to add e-mail addresses to that list as well or will it only work with domains?

Kind regards


James

 

[keat63]

Maybe it's possible to create your own RBL and configure exim to use that as well.
Just point the url to your own file.
You could 'I guess' put anything you want in your own RBL, but this really would be a thankless task one of which which you will soon get bored of, im sure.

CSF mailscanner has a gui, you select the email you wish to blacklist and click the blacklist button, but even that is tiresome.

Some spammers set up an email, use it for a few days, get blacklisted and dump it in favour of another. Those spameatingmonket RBL's look at the age of a domain and block based on this.

I've also changed the scores on some of the spamassasin rules which has helped a little.

 

[cPanelMichael]

Hello James,

Have you considered some of the other SPAM prevention methods first to see if blacklisting individual email accounts is still necessary? For instance, the Greylisting feature is very effective tool to preventing incoming SPAM.

Otherwise, one available option to block an individual email account is to simply setup a custom Exim system filter rule using the instructions on the document below:

How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation

This won't add it to your custom RBL list, but it's able to effectively prevent an individual email account from sending emails to any of the domains hosted on the server.

Thank you.

 

[Gino Viroli]

An easier solution for starters would be to use RBL's.
In Exim Config under RBL's, click manage custome rbl's and add the following few entries.

AbuseAT                cbl.abuseat.org      https://www.abuseat.org/
Barracuda             b.barracudacentral.org      http://www.barracudacentral.org/rbl/removal-request
SemFresh30         fresh30.spameatingmonkey.net      https://spameatingmonkey.com/services/SEM-FRESH30
SemURIBL            uribl.spameatingmonkey.net      https://spameatingmonkey.com/services/SEM-URI
semblack              bl.spameatingmonkey.net      https://spameatingmonkey.com/services/SEM-BLACK
spamcop              bl.spamcop.net      http://spamcop.net/bl.shtml

I thought AbuseAT Info Url is http://cbl.abuseat.org (not https://www.abuseat.org/)

Out of curiosity, I can see you are not using sorbs, is there a reason for this choice?

 

[keat63]

I believe the http's are purely for reference, so don't really matter.
These are the ones I currently use.

AbuseAT         cbl.abuseat.org     https://www.abuseat.org/   
Barracuda     b.barracudacentral.org     http://www.barracudacentral.org/rbl/removal-request   
SemFresh30     fresh30.spameatingmonkey.net     https://spameatingmonkey.com/services/SEM-FRESH30   
SemURIBL     uribl.spameatingmonkey.net     https://spameatingmonkey.com/services/SEM-URI   
semblack     bl.spameatingmonkey.net     https://spameatingmonkey.com/services/SEM-BLACK   
spamcop         bl.spamcop.net     http://spamcop.net/bl.shtml   
spamhaus     zen.spamhaus.org     http://www.spamhaus.org/zen/index.lasso

which works well, I couldn't quite figure out how to use sorbs.
I'd be interested to see the Custom RBL entries for this.

 

[Gino Viroli]

SemFresh30     fresh30.spameatingmonkey.net     https://spameatingmonkey.com/services/SEM-FRESH30 
SemURIBL     uribl.spameatingmonkey.net     https://spameatingmonkey.com/services/SEM-URI

Isn't fresh30.spameatingmonkey.net too strict, I read List includes domains first registered in the last 30 days what if a potential customer try to contact you with his new domain (registerd in the last 30 days)?

uribl.spameatingmonkey.net lists domains, I thought WHM RBL would work only looking for IPs, not domains

I couldn't quite figure out how to use sorbs.
I'd be interested to see the Custom RBL entries for this.

Don't we need to just add dnsbl.sorbs.net ? (Using SORBS)

 

[keat63]

I feel that using any technique for reducing unwanted spam is down to how far you want to personally go, you mitigate your own risk.

30 days might be a little strict, but i work on the basis that any domain less than 30 days old, has a high chance of being a spamming domain.
A risk I'm prepared to take.
I'm sure if a customer wanted to contact us and couldn't, he'd probably call instead.

 

[Gino Viroli]

I feel that using any technique for reducing unwanted spam is down to how far you want to personally go, you mitigate your own risk.

30 days might be a little strict, but i work on the basis that any domain less than 30 days old, has a high chance of being a spamming domain.
A risk I'm prepared to take.
I'm sure if a customer wanted to contact us and couldn't, he'd probably call instead.

I agree with you, I'm still surprised that fresh30.spameatingmonkey.net works, as I said I thought WHM > Exim > RBL could only look for IPs, not domains.
Anyway I have just seen there are also SEM-FRESH, SEM-FRESH10, SEM-FRESH15 to reject messages coming from domain registered in the last 5, 10, 15 days.

 

[keat63]

I believe this might be a little overkill.
I'm under the impression that the 15-day list contains those that are in both the 5 and 10-day list, so there would be no need for the 5 and 10-day lists if you're utilising the 15 day one