I can't block domainX sender who is using amazonses

NethServer Version: 7.9.2009
Module: EMail

Good day,

Thanks to the TLD level blocking I have managed to block a lot of malicious mail.
But I have an annoyance with the emails coming from amazon, of which some are valid and acceptable, except this example (and it is not the only one).

I have already tried to filter (Deny from) the whole address or just the shopology domain; although the mail comes in and is sent to spam, I would like to block this annoying sender completely.

Thanks in advance
Enrique

Return-Path: <01000183b33d9fa8-208679ee-af83-476d-810a-d34262a678d3-000000@amazonses.com>
Delivered-To: myuser@mydomain.com
Received: from mail.mydomain.com
	by mail.mydomain.com with LMTP id 8MADAFJRQGOpUwAAoNHYhA
	for <myuser@mydomain.com>; Fri, 07 Oct 2022 10:18:26 -0600
Received: from a48-94.smtp-out.amazonses.com (gateway [10.20.30.40])
	by mail.mydomain.com (Postfix) with ESMTPS id 241DEE101D
	for <email@mydomain.com>; Fri,  7 Oct 2022 10:18:25 -0600 (MDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=2nqc2bjzivauveqgxqhyccbufufddfm3; d=shopology.com.mx;
	t=1665159504;
	h=Content-Type:MIME-Version:Message-Id:From:Subject:Reply-To:To:Date;
	bh=qyKi4vG0TnGZ7Yqhmhm0RQ+hHz+uojhuebGonbSVVCo=;
	b=WimombtyLf5mkagV7xgIzPzdy0XRZ7Q+X7PWnZsrnQ/0BuNSrYmmmsAcc5aKlAmR
	a5mG2m8RhYr4yfPgpaENaOukTHtR2wNf54Twh46i7bKv2yAE5jWFZlRDQvLlIhaAil6
	UJh2g4fGhzG51HS2JSkP7JBrFpGFDxZ8c7hNR2Q4=
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple;
	s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1665159504;
	h=Content-Type:MIME-Version:Message-Id:From:Subject:Reply-To:To:Date:Feedback-ID;
	bh=qyKi4vG0TnGZ7Yqhmhm0RQ+hHz+uojhuebGonbSVVCo=;
	b=Xmqe0V5KtSjor2YVto/CFZZry0hHn+hTi2mK1inFXBLi8bXcxV1gk/mNHWAFsdfJ
	Qoui7OtMl6a580h1Orgr64CX/flLzcLJJxGUJnT+RdPK2M51v/+tIUOpyf8/VeNtilH
	/EIFpP0gDFgPQ8olMMTsJQhxO/3OhfdGdDzbJxUk=
Content-Type: multipart/mixed; boundary="===============5162931314022000922=="
MIME-Version: 1.0
Message-ID: <01000183b33d9fa8-208679ee-af83-476d-810a-d34262a678d3-000000@email.amazonses.com>
From: Annoying Sender <annoying.sender@shopology.com.mx>
Subject: =?UTF-8?Q?=7E_=E2=80=9CSe_ten=C3=ADa_que_dec?= =?UTF-8?Q?ir_y_se_dijo=E2=80=9D?=
Reply-To: Annoying Sender <annoying.sender@shopology.com.mx>
To: email@mydomain.com
Date: Fri, 7 Oct 2022 16:18:23 +0000
X-Odoo-Objects: mailing.contact-36871
Feedback-ID: 1.us-east-1.H1+7jaezTqdOsnvexYius9/W988VH1g7Oz4xpj84c9w=:AmazonSES
X-SES-Outgoing: 2022.10.07-54.240.48.94
X-Spamd-Result: default: False [8.65 / 13.00];
	BAYES_SPAM(5.10)[100.00%];
	VIOLATED_DIRECT_SPF(3.50)[];
	R_SPF_FAIL(1.00)[-all];
	CTYPE_MIXED_BOGUS(1.00)[];
	DKIM_REPUTATION(-0.90)[-0.89941541696509];
	DMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[];
	FORGED_SENDER(0.30)[annoying.sender@shopology.com.mx,01000183b33d9fa8-208679ee-af83-476d-810a-d34262a678d3-000000@amazonses.com];
	GENERIC_REPUTATION(-0.29)[-0.29021572412895];
	R_DKIM_ALLOW(-0.29)[shopology.com.mx:s=2nqc2bjzivauveqgxqhyccbufufddfm3,amazonses.com:s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw];
	IP_REPUTATION_HAM(-0.27)[ip: 10.20.30.40(-0.27)];
	MIME_GOOD(-0.10)[multipart/mixed,multipart/alternative,text/plain];
	MIME_BASE64_TEXT(0.10)[];
	MX_GOOD(-0.01)[];
	REPLYTO_EQ_FROM(0.00)[];
	TO_MATCH_ENVRCPT_ALL(0.00)[];
	FROM_HAS_DN(0.00)[];
	RCPT_COUNT_ONE(0.00)[1];
	HAS_REPLYTO(0.00)[annoying.sender@shopology.com.mx];
	FROM_NEQ_ENVFROM(0.00)[annoying.sender@shopology.com.mx,01000183b33d9fa8-208679ee-af83-476d-810a-d34262a678d3-000000@amazonses.com];
	DKIM_TRACE(0.00)[shopology.com.mx:+,amazonses.com:+];
	TO_DN_NONE(0.00)[];
	DWL_DNSWL_NONE(0.00)[amazonses.com:dkim];
	DMARC_POLICY_ALLOW(0.00)[shopology.com.mx,none];
	MIME_TRACE(0.00)[0:+,1:+,2:+,3:~];
	RCVD_COUNT_ZERO(0.00)[0];
	NEURAL_HAM(-0.00)[-0.991]
X-Spam-Flag: Yes
X-Rspamd-Queue-Id: 241DEE101D

You may increase the score for the blacklist symbols to “drop” the spam completely.

In the rspamd UI go to symbols and search for “blacklist”:

Set a high score for FROM_DOMAINS_BLACKLIST and FROM_SUBDOMAINS_BLACKLIST, in my case 20 because I set the “Deny message spam threshold” to 20 and spam higher than 20 will be dropped.

This will drop all spam of blacklisted domains and subdomains.

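To see why the quoted message was flagged but not dropped, and what the higher blacklist score in the reply above changes, here is an added example that parses the X-Spamd-Result header from the message and compares its score with the two NethServer thresholds. It is not part of the thread or of NethServer's or rspamd's code. It assumes that the "Spam flag threshold" corresponds to the score at which X-Spam-Flag is added and the "Deny message spam threshold" to rspamd's reject action, and it reads the second bracketed number (13.00) as the score at which rspamd's own reject action applies, which is how rspamd prints that header. Only the scored symbols are kept in the sample; the 0.00 informational ones are omitted.

```python
import re

# Constructed sample: the X-Spamd-Result header of the message quoted in this
# thread, copied with its folded continuation lines (tab-indented), scored
# symbols only.
SPAMD_RESULT = """X-Spamd-Result: default: False [8.65 / 13.00];
\tBAYES_SPAM(5.10)[100.00%];
\tVIOLATED_DIRECT_SPF(3.50)[];
\tR_SPF_FAIL(1.00)[-all];
\tCTYPE_MIXED_BOGUS(1.00)[];
\tDKIM_REPUTATION(-0.90)[-0.89941541696509];
\tDMARC_POLICY_ALLOW_WITH_FAILURES(-0.50)[];
\tFORGED_SENDER(0.30)[annoying.sender@shopology.com.mx,01000183b33d9fa8-208679ee-af83-476d-810a-d34262a678d3-000000@amazonses.com];
\tGENERIC_REPUTATION(-0.29)[-0.29021572412895];
\tR_DKIM_ALLOW(-0.29)[shopology.com.mx:s=2nqc2bjzivauveqgxqhyccbufufddfm3,amazonses.com:s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw];
\tIP_REPUTATION_HAM(-0.27)[ip: 10.20.30.40(-0.27)];
\tMIME_GOOD(-0.10)[multipart/mixed,multipart/alternative,text/plain];
\tMIME_BASE64_TEXT(0.10)[];
\tMX_GOOD(-0.01)[];
\tDMARC_POLICY_ALLOW(0.00)[shopology.com.mx,none]"""

# "default: False [score / required]" -- rspamd's metric name, its own verdict,
# the message score and the score at which its reject action applies.
HEAD_RE = re.compile(
    r"^(?:X-Spamd-Result:\s*)?(\w+):\s*(True|False)\s*\[([-\d.]+)\s*/\s*([-\d.]+)\]"
)
# One "SYMBOL(score)[options]" entry; options never contain ']'.
SYMBOL_RE = re.compile(r"([A-Z][A-Z0-9_]*)\(([-+]?\d+(?:\.\d+)?)\)\[([^\]]*)\]")


def unfold(header):
    """Join RFC 5322 folded continuation lines (leading whitespace) into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", header)


def parse_spamd_result(header):
    """Return metric, verdict, score, reject score and {symbol: (score, options)}."""
    text = unfold(header)
    m = HEAD_RE.match(text)
    if not m:
        raise ValueError("not an X-Spamd-Result header")
    symbols = {name: (float(score), opts) for name, score, opts in SYMBOL_RE.findall(text)}
    return {
        "metric": m.group(1),
        "is_spam": m.group(2) == "True",
        "score": float(m.group(3)),
        "reject_score": float(m.group(4)),
        "symbols": symbols,
    }


def symbol_sum(result):
    """Recompute the total from the printed symbol scores.

    The header prints each score rounded to two decimals, so the sum can
    differ from the header total by about a cent."""
    return sum(score for score, _ in result["symbols"].values())


def action_for(score, flag_threshold, deny_threshold):
    """Assumed NethServer outcome: 'deny' (reject), 'flag' (X-Spam-Flag) or 'accept'."""
    if score >= deny_threshold:
        return "deny"
    if score >= flag_threshold:
        return "flag"
    return "accept"


def rescored(result, extra):
    """Total score if the given additional symbols (name -> score) had fired."""
    return result["score"] + sum(extra.values())


if __name__ == "__main__":
    r = parse_spamd_result(SPAMD_RESULT)
    print(f"score {r['score']} / reject at {r['reject_score']}: {action_for(r['score'], 7, 20)}")
    # A blacklist symbol scored 20, as in the reply above, pushes it past "deny".
    print("with FROM_DOMAINS_BLACKLIST=20:", action_for(rescored(r, {"FROM_DOMAINS_BLACKLIST": 20.0}), 7, 20))
```

Two things the parsed symbols make visible: R_SPF_FAIL and FORGED_SENDER fire because the envelope sender is the amazonses.com bounce address while the From header is shopology.com.mx, yet R_DKIM_ALLOW and DMARC_POLICY_ALLOW show that the DKIM signature aligned with the From domain, so SES-relayed mail collects only a few SPF points. That is why the sender's score stays at 8.65, enough for the spam flag at 7 but well below the deny score, and why the reply above raises the blacklist symbol score rather than relying on the other symbols.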

I got these errors:

And after clicking the blue button “Update”:

It seems that it did accept the changes; I will be monitoring the mail for a few hours.

Thank you @MrMarkuz


Update:
So far everything is going very well; we have received few mails, so it is too early to claim victory.

In your experience, what level would you recommend for the “Spam flag threshold”? At the moment I have it at 7.


I have it at 6, but it depends; I guess there’s no general recommendation. I’d check the incoming mails (sorted by score) in the rspamd history to get an overview of which mails would have been marked as spam at the threshold you want to set.


@mrmarkuz
The TLD block and this are working miracles! I’m finally stopping a lot of virus/phishing/spam mails.

A small additional doubt.
I see that ovh is being used to send viruses and spam; how can I create the TLD rule for all its domains/subdomains?

[.]ovh[.]{*}$
[.]ovh[.]*$

At the moment I have all of these in /etc/rspamd/blacklist_from_tld.map but it does not seem efficient to me:

...
[.]ovh.accountant$
...
[.]ovh.audio$
[.]ovh.co.ag$
[.]ovh.com.ag$
[.]ovh.net.ag$
[.]ovh.nom.ag$
[.]ovh.org.ag$

Regards

Greetings @mrmarkuz

I managed to create the filters using kate’s documentation.

[.]domain[.][a-z]{2,}$ -> .domain.|aa|ab|..|zz|aaa|bbb|..|zzzzz ..
[.]numbered[0-9]{1,}.org$ -> .numbered|0|9|01|..|99999.org
[.]other.[a-z]{2}$ -> .other.|aa|bb|zz
[.]com.[^b][^r]$ -> com.|aa|..|us|..|zz (except br)

But for the last filter, what if I want to filter everything at .com.xx and allow .br and .uk? How do I write it?

[.]com[.][^br|^uk]$ -> .bu|bk|ru|rk ?
[.]com[.]^(br|uk)$
[.]com[.](^!br|uk)$

Does anyone know of a tool (link) to test these filters and have them work with rspamd?

Regards

Search for an online regex tester. In the past I used regexr.com (for general regular expressions, not tested specifically for rspamd), where you input a sample text to which the regular expression is applied.

https://rspamd.com/doc/modules/regexp.html


Thank you! @dnutan, @capote

I found some web regex tools with your suggestions, but I can’t test my TLD filters, because I think I need to know the regex that NethServer/Mail/rspamd uses to process the entries in the file /etc/rspamd/blacklist_from_tld.map.

Without the regex used, my tests will be wrong.

Good news is, by testing in NS I have managed to get most of my filters working.
The bad news is that I’ve managed to block things I don’t want to block; now it’s a matter of being careful not to use very lax filters.

Regards
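The two open questions in this thread, how to write one rule for all of ovh's domains and how to block every .com.xx except .com.br and .com.uk, and the wish for an offline way to test map entries, can be covered with a small tester. The following is an added example, not part of the thread and not NethServer's or rspamd's code. It assumes that /etc/rspamd/blacklist_from_tld.map is loaded as an rspamd regexp map, with one regular expression per line and `#` comment lines, and that each line is searched case-insensitively in the domain part of the From address; check your multimap configuration before relying on that. The "except br and uk" case uses a negative lookahead, `(?!br$|uk$)`, which PCRE and Python's `re` both support. Note that the attempt `[.]com[.][^br|^uk]$` from the thread is a character class that excludes the single characters b, r, |, ^, u and k, not an alternation, and that `[.]com.[^b][^r]$` excludes every country code that starts with b or ends with r (.com.by, .com.ar, .com.tr), not only br; the example keeps that rule beside the corrected one to show the difference.

```python
import re

# Constructed sample in the style of /etc/rspamd/blacklist_from_tld.map as used
# in this thread: one regular expression per line, '#' lines are comments.
# Assumption (not verified against NethServer's rspamd configuration): the file
# is an rspamd regexp map and every line is searched, case-insensitively, in
# the lowercased domain part of the From address.
SAMPLE_MAP = """\
# ovh itself and any label chain under ovh.<tld>[.<tld>...] in one rule
(^|[.])ovh([.][a-z]{2,})+$
# numbered<digits>.org
(^|[.])numbered[0-9]+[.]org$
# every .com.<cc> except .com.br and .com.uk (negative lookahead)
[.]com[.](?!br$|uk$)[a-z]{2}$
"""

# The attempt quoted in the thread, kept for comparison: the '.' after 'com'
# is unescaped (matches any character) and [^b][^r] excludes every code that
# starts with 'b' OR ends with 'r', not only 'br'.
BUGGY_COM_RULE = r"[.]com.[^b][^r]$"
FIXED_COM_RULE = r"[.]com[.](?!br$|uk$)[a-z]{2}$"


def load_map(text):
    """Compile the non-comment lines of a regexp map; returns [(source, regex)]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rules.append((line, re.compile(line, re.IGNORECASE)))
    return rules


def from_domain(address):
    """Domain part of a From address, lowercased (what the map is assumed to see)."""
    return address.rsplit("@", 1)[-1].strip().lower()


def matching_rules(address, rules):
    """Source text of every map line that would blacklist this sender."""
    domain = from_domain(address)
    return [src for src, rx in rules if rx.search(domain)]


def rule_hits(pattern, domains):
    """Which of the given domains a single map line matches; handy for one rule."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [d for d in domains if rx.search(d)]


if __name__ == "__main__":
    rules = load_map(SAMPLE_MAP)
    # Constructed sender addresses, including the one from the quoted message.
    for addr in ("annoying.sender@shopology.com.mx", "loja@shop.com.br",
                 "x@shop.com.ar", "x@foo.ovh.co.ag", "x@OVH.net", "x@myovh.com"):
        print(f"{addr:35} -> {matching_rules(addr, rules) or 'not blacklisted'}")
    sample = ["shopology.com.mx", "shop.com.ar", "shop.com.by", "shop.com.br"]
    print("buggy rule blocks:", rule_hits(BUGGY_COM_RULE, sample))
    print("fixed rule blocks:", rule_hits(FIXED_COM_RULE, sample))
```

Two caveats when moving such lines into the real map: anchor the TLD part with `$` and the label with `(^|[.])` or `[.]`, otherwise `ovh` also matches a domain like myovh.com; and if your rspamd is built with Hyperscan, expressions that use lookahead cannot be compiled by it and are run through the PCRE fallback, so they still work but do not get the fast path. Whatever you change, check the outcome in the rspamd history afterwards, since the thread itself shows how easy it is to block more than intended.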