[GLLUG] blacklist *-gov.uk
chrisbell at chrisbell.org.uk
Wed Jul 11 18:01:39 UTC 2018
On Wednesday, 11 July 2018 13:38:28 BST Tim Woodall via GLLUG wrote:
> Hi all,
> I'm getting quite a lot of phishing emails suddenly from *-gov.uk.
> Today's was @ebilling-companieshouse-gov.uk.
> Is there an easy way to block these in sendmail (or bind)?
> My googling for pattern-matching in sendmail and bind isn't finding
> anything. I want a two minute fix, it's not important enough to spend
> too much time on.
> I wish the registrar would just reject any -gov.uk domain request.
> p.s. Within about 24hrs these domains are dead anyway. Today's is the
> first one of these emails that I saw while the domain is live so I guess
> it was registered today.
Are you judging the sender by the (easily forged) From: line or the real IP
address of the sender?
A true ".gov.uk" is exactly that, no hyphen.
I have a Raspberry Pi sitting in my DMZ running exim4-heavy, clam anti-virus,
and the SA-exim version of spamassassin, as a mail gateway separate from my
mailserver, which is also running exim4-heavy, in a protected network. The
mail gateway asks the mail server (a hubbed host) to check that the
destination exists, and the mail server sends a call-out request to the
gateway to run a full series of checks on the incoming email and sender,
including DNS and spam reference site checks before the email is accepted. If
the email is definitely identified as junk it will not be accepted but may not
actually be rejected by the gateway, which just sends repeated requests to
wait for a few hours. My email reject logs are interesting, containing only
email headers with reasons for rejection, or single line non-email (hacking)
or relay rejection reports.
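The check the reply is making (genuine mail comes from a subdomain of .gov.uk; a "-gov.uk" domain is a separate lookalike registration, and the From: line cannot be trusted without also looking at the envelope sender) can be expressed as a small filter. This is an added illustration, not code from the thread; the two sample messages are constructed, and the function names are my own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (not taken from the thread): one lookalike, one genuine.
SAMPLE_PHISH = """From: Companies House <ebilling@ebilling-companieshouse-gov.uk>
Return-Path: <bounce@ebilling-companieshouse-gov.uk>
Subject: Your invoice

body
"""
SAMPLE_REAL = """From: Companies House <noreply@companieshouse.gov.uk>
Return-Path: <bounce@companieshouse.gov.uk>
Subject: Your invoice

body
"""

# A true gov.uk address is "something.gov.uk"; "something-gov.uk" is an
# ordinary .uk registration that only imitates it (no dot before "gov").
LOOKALIKE = re.compile(r"-gov\.uk$", re.IGNORECASE)
GENUINE = re.compile(r"(^|\.)gov\.uk$", re.IGNORECASE)

def classify_domain(domain: str) -> str:
    """Return 'lookalike', 'genuine' or 'other' for a sender domain."""
    d = domain.strip().lower().rstrip(".")
    if LOOKALIKE.search(d):
        return "lookalike"
    if GENUINE.search(d):
        return "genuine"
    return "other"

def sender_domains(raw: str) -> dict:
    """Pull the domain part out of both the header From: and the envelope
    Return-Path:, since only the latter reflects where the mail really came from."""
    msg = message_from_string(raw)
    out = {}
    for hdr in ("From", "Return-Path"):
        _, addr = parseaddr(msg.get(hdr, ""))
        out[hdr] = addr.rpartition("@")[2]
    return out

def check_message(raw: str) -> dict:
    """Classify each sender header of a raw RFC 822 message."""
    return {hdr: classify_domain(dom) for hdr, dom in sender_domains(raw).items()}
```

A result of "lookalike" on either header is a reason to reject at SMTP time; a genuine From: over a non-gov Return-Path is the forged-From case the reply warns about.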