[GLLUG] blacklist *-gov.uk
Dave Lambley
dave.lambley at gmail.com
Wed Jul 11 19:45:39 UTC 2018
On 11 July 2018 at 20:34, Tim Woodall via GLLUG
<gllug at mailman.lug.org.uk> wrote:
> On Wed, 11 Jul 2018, Chris Bell via GLLUG wrote:
>
>> On Wednesday, 11 July 2018 13:38:28 BST Tim Woodall via GLLUG wrote:
>>>
>>> Hi all,
>>>
>>> I'm getting quite a lot of phishing emails suddenly from *-gov.uk.
>>> Today's was @ebilling-companieshouse-gov.uk.
>>>
>>> Is there an easy way to block these in sendmail (or bind)?
>>>
>>> My googling for pattern-matching in sendmail and bind isn't finding
>>> anything. I want a two minute fix, it's not important enough to spend
>>> too much time on
>>>
>>> I wish the registrar would just reject any -gov.uk domain request
>>> though.
>>>
>>> Tim.
>>>
>>> p.s. Within about 24hrs these domains are dead anyway. Todays is the
>>> first one of these emails that I saw while the domain is live so I guess
>>> it was registered today.
>>
>>
>> Are you judging the sender by the (easily forged) From: line or the real
>> IP
>> address of the sender?
>> A true ".gov.uk" is exactly that, no hyphen.
>
>
> Yes. And that's why I'd like to block *-gov.uk.
>
>
>
>> I have a RaspberryPi sitting in my DMZ running exim4-heavy, clam
>> anti-virus,
>> and the SA-exim version of spamassassin, as a mail gateway separate from
>> my
>> mailserver, which is also running exim4-heavy, in a protected network. The
>> mail gateway asks the mail server (a hubbed host) to check that the
>> destination exists, and the mail server sends a call-out request to the
>> gateway to run a full series of checks on the incoming email and sender,
>> including DNS and spam reference site checks before the email is accepted.
>> If
>> the email is definitely identified as junk it will not be accepted but may
>> not
>> actually be rejected by the gateway, which just sends repeated requests to
>> wait for a few hours. My email reject logs are interesting, containing
>> only
>> email headers with reasons for rejection, or single line non-email
>> (hacking)
>> or relay rejection reports.
>>
> Todays is the first one that has actually made it into my inbox. The
> previous ones have all been successfully marked as spam.
>
> But because I got this one straight away I was able to look at the DNS
> before it was turned off. (It's already been disabled)
>
> Everything matches. Valid SPF (which is how it bypassed greylisting)
>
> X-Spam-Status: No, score=4.8 required=5.0 tests=BAYES_50,DKIM_SIGNED,
> DKIM_VALID,DKIM_VALID_AU,HTML_MESSAGE,RCVD_IN_SBL_CSS,RDNS_NONE
> autolearn=no autolearn_force=no version=3.4.1
Aha, you're running spamassassin. It may be worth telling it that the
mail is spam, so as to train the classifier for next time.
https://spamassassin.apache.org/full/3.1.x/doc/sa-learn.html
If you break all SPF records, it may no longer know to reject some
kinds of spoofed email, which may be counter productive!
Dave
More information about the GLLUG
mailing list