[GLLUG] blacklist *-gov.uk

Chris Bell chrisbell at chrisbell.org.uk
Wed Jul 11 18:01:39 UTC 2018

On Wednesday, 11 July 2018 13:38:28 BST Tim Woodall via GLLUG wrote:
> Hi all,
> I'm getting quite a lot of phishing emails suddenly from *-gov.uk.
> Today's was @ebilling-companieshouse-gov.uk.
> Is there an easy way to block these in sendmail (or bind)?
> My googling for pattern-matching in sendmail and bind isn't finding
> anything. I want a two minute fix, it's not important enough to spend
> too much time on
> I wish the registrar would just reject any -gov.uk domain request
> though.
> Tim.
> p.s. Within about 24hrs these domains are dead anyway. Todays is the
> first one of these emails that I saw while the domain is live so I guess
> it was registered today.

Are you judging the sender by the (easily forged) From: line or the real IP 
address of the sender?
A true ".gov.uk" is exactly that, no hyphen.
I have a RaspberryPi sitting in my DMZ running exim4-heavy, clam anti-virus, 
and the SA-exim version of spamassassin, as a mail gateway separate from my 
mailserver, which is also running exim4-heavy, in a protected network. The 
mail gateway asks the mail server (a hubbed host) to check that the 
destination exists, and the mail server sends a call-out request to the 
gateway to run a full series of checks on the incoming email and sender, 
including DNS and spam reference site checks before the email is accepted. If 
the email is definitely identified as junk it will not be accepted but may not 
actually be rejected by the gateway, which just sends repeated requests to 
wait for a few hours. My email reject logs are interesting, containing only 
email headers with reasons for rejection, or single line non-email (hacking) 
or relay rejection reports.

Chris Bell
Website http://chrisbell.org.uk

More information about the GLLUG mailing list