[GLLUG] blacklist *-gov.uk

Dave Lambley dave.lambley at gmail.com
Wed Jul 11 19:45:39 UTC 2018


On 11 July 2018 at 20:34, Tim Woodall via GLLUG
<gllug at mailman.lug.org.uk> wrote:
> On Wed, 11 Jul 2018, Chris Bell via GLLUG wrote:
>
>> On Wednesday, 11 July 2018 13:38:28 BST Tim Woodall via GLLUG wrote:
>>>
>>> Hi all,
>>>
>>> I'm getting quite a lot of phishing emails suddenly from *-gov.uk.
>>> Today's was @ebilling-companieshouse-gov.uk.
>>>
>>> Is there an easy way to block these in sendmail (or bind)?
>>>
>>> My googling for pattern-matching in sendmail and bind isn't finding
>>> anything. I want a two minute fix, it's not important enough to spend
>>> too much time on.
>>>
>>> I wish the registrar would just reject any -gov.uk domain request
>>> though.
>>>
>>> Tim.
>>>
>>> p.s. Within about 24hrs these domains are dead anyway. Today's is the
>>> first one of these emails that I saw while the domain is live so I guess
>>> it was registered today.
>>
>>
>> Are you judging the sender by the (easily forged) From: line or the real
>> IP address of the sender?
>> A true ".gov.uk" is exactly that, no hyphen.
>
>
> Yes. And that's why I'd like to block *-gov.uk.
>
>
>
>> I have a RaspberryPi sitting in my DMZ running exim4-heavy, clam
>> anti-virus, and the SA-exim version of spamassassin, as a mail gateway
>> separate from my mailserver, which is also running exim4-heavy, in a
>> protected network. The mail gateway asks the mail server (a hubbed host)
>> to check that the destination exists, and the mail server sends a
>> call-out request to the gateway to run a full series of checks on the
>> incoming email and sender, including DNS and spam reference site checks
>> before the email is accepted. If the email is definitely identified as
>> junk it will not be accepted but may not actually be rejected by the
>> gateway, which just sends repeated requests to wait for a few hours. My
>> email reject logs are interesting, containing only email headers with
>> reasons for rejection, or single line non-email (hacking) or relay
>> rejection reports.
>>
> Today's is the first one that has actually made it into my inbox. The
> previous ones have all been successfully marked as spam.
>
> But because I got this one straight away I was able to look at the DNS
> before it was turned off. (It's already been disabled)
>
> Everything matches. Valid SPF (which is how it bypassed greylisting)
>
> X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_50,DKIM_SIGNED,
>     DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_SBL_CSS,RDNS_NONE
>     autolearn=no autolearn_force=no version=3.4.1

Aha, you're running spamassassin. It may be worth telling it that the
mail is spam, so as to train the classifier for next time.
https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html

If you break all SPF records, it may no longer know to reject some
kinds of spoofed email, which may be counter productive!

Dave
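A check that captures the distinction Chris raises (a true .gov.uk has a dot, never a hyphen) and reads the folded X-Spam-Status header Tim quoted. This is an added example, not code from the thread or from SpamAssassin; the sample message is constructed, and the "quarantine" verdict is a suggested local rule layered on top of the SA score, not something SA does itself.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message modelled on the one Tim describes; not a real capture.
SAMPLE = """\
From: Companies House <noreply@ebilling-companieshouse-gov.uk>
To: tim@example.invalid
Subject: Your e-billing statement
X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_50,DKIM_SIGNED,
    DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_SBL_CSS,RDNS_NONE
    autolearn=no autolearn_force=no version=3.4.1

Please view your statement.
"""

# A registrable label ending in "-gov" directly under .uk (e.g. foo-gov.uk, or a
# host beneath it). Genuine departments are "<dept>.gov.uk": a dot, not a hyphen.
LOOKALIKE_RE = re.compile(r"(^|\.)[a-z0-9-]*-gov\.uk$")

def is_gov_uk_lookalike(domain: str) -> bool:
    d = domain.lower().rstrip(".")
    if d == "gov.uk" or d.endswith(".gov.uk"):
        return False  # the real thing
    return LOOKALIKE_RE.search(d) is not None

def parse_spam_status(value: str) -> dict:
    """Pull score, threshold and hit rules out of a (possibly folded) X-Spam-Status header."""
    flat = " ".join(value.split())  # unfold continuation lines
    score = re.search(r"score=(-?[\d.]+)", flat)
    required = re.search(r"required=(-?[\d.]+)", flat)
    tests = re.search(r"tests=(.*?)(?: autolearn=| version=|$)", flat)
    return {
        "score": float(score.group(1)) if score else 0.0,
        "required": float(required.group(1)) if required else 5.0,
        "tests": [t for t in tests.group(1).replace(" ", "").split(",") if t] if tests else [],
    }

def classify(raw: str) -> dict:
    """Combine SpamAssassin's verdict with a local lookalike-domain rule."""
    msg = email.message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    status = parse_spam_status(msg.get("X-Spam-Status", ""))
    lookalike = is_gov_uk_lookalike(domain)
    # Tim's sample scored 4.8 against a 5.0 threshold, so SA alone lets it through;
    # the domain rule catches it regardless of score.
    verdict = "quarantine" if lookalike or status["score"] >= status["required"] else "deliver"
    return {"domain": domain, "lookalike": lookalike, "score": status["score"],
            "tests": status["tests"], "verdict": verdict}
```

The domain rule only looks at the header From: domain, which is forgeable, so it belongs alongside the SPF/DKIM checks SA already runs rather than replacing them.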


