[GLLUG] blacklist *-gov.uk

Tim Woodall t at woodall.me.uk
Wed Jul 11 19:35:13 UTC 2018


On Wed, 11 Jul 2018, Chris Bell via GLLUG wrote:

> On Wednesday, 11 July 2018 13:38:28 BST Tim Woodall via GLLUG wrote:
>> Hi all,
>>
>> I'm getting quite a lot of phishing emails suddenly from *-gov.uk.
>> Today's was @ebilling-companieshouse-gov.uk.
>>
>> Is there an easy way to block these in sendmail (or bind)?
>>
>> My googling for pattern-matching in sendmail and bind isn't finding
>> anything. I want a two minute fix, it's not important enough to spend
>> too much time on
>>
>> I wish the registrar would just reject any -gov.uk domain request
>> though.
>>
>> Tim.
>>
>> p.s. Within about 24hrs these domains are dead anyway. Today's is the
>> first one of these emails that I saw while the domain is live so I guess
>> it was registered today.
>
> Are you judging the sender by the (easily forged) From: line or the real IP
> address of the sender?
> A true ".gov.uk" is exactly that, no hyphen.

Yes. And that's why I'd like to block *-gov.uk.



> I have a RaspberryPi sitting in my DMZ running exim4-heavy, clam anti-virus,
> and the SA-exim version of spamassassin, as a mail gateway separate from my
> mailserver, which is also running exim4-heavy, in a protected network. The
> mail gateway asks the mail server (a hubbed host) to check that the
> destination exists, and the mail server sends a call-out request to the
> gateway to run a full series of checks on the incoming email and sender,
> including DNS and spam reference site checks before the email is accepted. If
> the email is definitely identified as junk it will not be accepted but may not
> actually be rejected by the gateway, which just sends repeated requests to
> wait for a few hours. My email reject logs are interesting, containing only
> email headers with reasons for rejection, or single line non-email (hacking)
> or relay rejection reports.
>
Today's is the first one that has actually made it into my inbox. The
previous ones have all been successfully marked as spam.

But because I got this one straight away I was able to look at the DNS
before it was turned off. (It's already been disabled)

Everything matches. Valid SPF (which is how it bypassed greylisting)

X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_50,DKIM_SIGNED,
     DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_SBL_CSS,RDNS_NONE
     autolearn=no autolearn_force=no version=3.4.1


Anyway, it's not common enough to be worth spending much time on. But if
someone knew a two minute hack to block these domains (in dns or mail)
then it would be good not to be accepting them. Even just breaking the
spf lookup would probably be enough to trigger greylisting which would
probably stop it arriving.

Tim.
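Added example, not code from the thread or from either poster: a small Python sender check that encodes the distinction Chris points out (a real name is `something.gov.uk`, the lookalike is `something-gov.uk`), of the kind you would call from a milter or pre-queue policy hook instead of trying to express the pattern in sendmail's access map or in BIND, neither of which matches on a label suffix. The function names, the `PROTECTED_SUFFIXES` list and the sample addresses are assumptions constructed for this example.

```python
from email.utils import parseaddr

# Suffixes that phishers imitate by swapping the last dot for a hyphen.
# Constructed for this example; the thread only mentions gov.uk.
PROTECTED_SUFFIXES = ("gov.uk",)


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of an address taken from a From: header or an
    envelope sender (MAIL FROM). Returns '' when no address is present."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def is_hyphen_lookalike(domain: str, suffixes=PROTECTED_SUFFIXES) -> bool:
    """True when the registrable part of `domain` ends in e.g. '-gov.uk'.

    'x.gov.uk' (dot) is genuine, 'x-gov.uk' (hyphen) is the lookalike.
    Subdomains of a lookalike (mail.x-gov.uk) also match; 'x.gov.uk' and an
    unrelated 'gov.uk.example' do not."""
    labels = domain.split(".")
    for suffix in suffixes:
        head, _, tail = suffix.partition(".")   # 'gov', 'uk'
        tail_labels = tail.split(".")
        n = len(tail_labels)
        if len(labels) <= n or labels[-n:] != tail_labels:
            continue
        # The label just before the tail must end with '-<head>'.
        if labels[-n - 1].endswith("-" + head):
            return True
    return False


def check_sender(header_value: str) -> str:
    """Policy decision for a milter or access hook: 'reject' or 'accept'."""
    domain = sender_domain(header_value)
    if domain and is_hyphen_lookalike(domain):
        return "reject"
    return "accept"
```

Rejecting at SMTP time on the envelope sender rather than the From: header is the cheaper place to do this, and unlike greylisting it is not defeated by the phisher publishing a valid SPF record.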



