Need to refine how I try to block senders/from

@dcsapak
Thanks for the response.
Having said that, why are my newer rules not blocking these if I'm using them as shown above for both mediaware-news.com and embluetnt.com, as well as several variations of those 2 names?
My previous rules did work, but we improved them, in theory, by making them more flexible so they match the base domain and anything sub or otherwise, as well as putting in 2 entries for everyone we want to block:

Who Object: BL-WO-RDomains -
.*@(\w+\.)?mediaware-news\.com

What Object: BL-WT-MFrom - Match Field from
.*@(\w+\.)*mediaware-news\.com

What Object (older, but still active)
BL-WHAT-MatchFrom - Match field from
.+@mediaware-news.com

Who Object - BL-WO-RDomains - Regular expression ( 2 entries )
.*@(\w+\.)?embluejet\.com
.*@(\w+\.)?embluemail\.com
 
Can you post the complete log from the tracking center (plus the relevant mail headers) from when an old rule matched and from when a new rule did not match?
The regex alone looks ok, but without the logs/headers I cannot verify that.
 
@dcsapak Thanks for your help!!!
I have written a script into which I enter a domain name like the above (those are real spammers' domains) and it builds the multiple rules for me; this takes typos etc. out of the equation. I'm also logging now when I added the domain, so when I see one come through I know when its rule was created and didn't work.

Since we don't have the magic bullet of just if this name is anywhere in the header reject it, what rules do you think I should build to accomplish a similar goal, where I can hopefully just block them?

What I'm currently doing:
OBJ: BL-WO-RDomains - Blocking Who Regular Expression Domain names -> .*@(\w+\.)?mediaware-news\.com
OBJ: BL-WT-MFrom - Blocking What Matchfield From -> from=.*@(\w+\.)*mediaware-news\.com

What I did before:
OBJ: BL-What-MatchFrom - Blocking Matchfield-> from=.+@mediaware-news.com
OBJ: BL-MatchReplyTo - Blocking Matchfield -> reply_to=.+@mediaware-news.com (this is still active and can upgrade once I figure out best method)

The above example for the headers should be the same scenario; maybe I just have to diversify the rule and add a couple more.
Let me know your thoughts on how I can improve the above.
 
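The regex objects listed above, as an added example that is not part of the original post or of Proxmox Mail Gateway's own code: the patterns are copied from the post and tested offline against the envelope sender that appears later in the thread's logs plus a few constructed addresses. Two things are assumptions rather than verified PMG behaviour: that an object is matched against the whole address (the `anchored` flag shows the difference) and that matching is case-insensitive.

```python
import re

# "Who" regex objects (envelope sender), copied from the post above.
WHO_OBJECTS = {
    "mediaware-news": r".*@(\w+\.)?mediaware-news\.com",
    "embluejet":      r".*@(\w+\.)?embluejet\.com",
    "embluemail":     r".*@(\w+\.)?embluemail\.com",
}

# "What" match-field objects for the From: header, copied from the post.
WHAT_FROM_OBJECTS = {
    "BL-WT-MFrom":       r".*@(\w+\.)*mediaware-news\.com",  # newer: any number of subdomain labels
    "BL-WHAT-MatchFrom": r".+@mediaware-news.com",           # older: the dot before "com" is unescaped
}


def matches(pattern: str, address: str, anchored: bool = True) -> bool:
    """Test one regex object against one address.

    anchored=True is the assumed PMG behaviour (whole-address match);
    anchored=False shows what a bare substring search would accept instead.
    """
    flags = re.IGNORECASE  # assumption: PMG matches addresses case-insensitively
    if anchored:
        return re.fullmatch(pattern, address, flags) is not None
    return re.search(pattern, address, flags) is not None


def matching_objects(address: str, objects: dict = WHO_OBJECTS) -> list:
    """Names of all objects in `objects` that match `address`."""
    return [name for name, pat in objects.items() if matches(pat, address)]


if __name__ == "__main__":
    # Envelope sender taken from the postfix/qmgr line in the posted log.
    envelope_from = "emblue3prd_user2@emark9.embluejet.com"
    print(envelope_from, "->", matching_objects(envelope_from))

    # Constructed: the same mailbox on the host domain the thread calls new.
    new_domain = "emblue3prd_user2@emark9.emblueusp.com"
    print(new_domain, "->", matching_objects(new_domain))

    # Constructed: two subdomain labels. '(\w+\.)?' allows at most one, '(\w+\.)*' any number.
    deep = "news@a.b.mediaware-news.com"
    print(deep, "->", matching_objects(deep), matching_objects(deep, WHAT_FROM_OBJECTS))

    # Constructed: why anchoring matters. A bare search also accepts a longer domain.
    tail = "x@mediaware-news.com.attacker.example"
    print(tail, "->", matches(WHO_OBJECTS["mediaware-news"], tail),
          matches(WHO_OBJECTS["mediaware-news"], tail, anchored=False))
```

The second case is the gap the thread runs into: a host on emblueusp.com matches none of the three Who objects, so no amount of subdomain flexibility in the existing patterns will catch it; the domain itself has to be added. The third case shows the practical difference between the `?` used in the Who objects and the `*` used in the What object, and the older object's unescaped dot will also match a literal character other than `.` in that position.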
Got a fresh one! Here are the details (we did change destination emails):

For reference, the sender email is mediaware-news.com.

This will show they added another "blue" domain to send from which I will add to my objects.
I do have these in my config: .*@(\w+\.)?embluemail\.com and .*@(\w+\.)?embluejet\.com

The same way I have above.


Code:
2024-02-14T07:11:41.349996-05:00 mgw postfix/smtpd[74142]: connect from emark26.emblueusp.com[185.98.147.26]
2024-02-14T07:11:42.192375-05:00 mgw postfix/smtpd[74142]: Anonymous TLS connection established from emark26.emblueusp.com[185.98.147.26]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2024-02-14T07:11:42.640700-05:00 mgw postfix/smtpd[74142]: NOQUEUE: client=emark26.emblueusp.com[185.98.147.26]
2024-02-14T07:11:43.175979-05:00 mgw pmg-smtp-filter[75371]: A0E6265CCADFF23B37: new mail message-id=<fwc-f83d3ee3d8-@embluemail.com>#012
2024-02-14T07:11:47.654540-05:00 mgw pmg-smtp-filter[75371]: A0E6265CCADFF23B37: SA score=1/5 time=4.240 bayes=0.00 autolearn=no autolearn_force=no hits=AWL(-2.165),BAYES_00(-1.9),DKIMWL_WL_MED(-0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DMARC_PASS(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(0.248),HTML_MESSAGE(0.001),HTML_TAG_BALANCE_BODY(0.1),MIME_HTML_MOSTLY(0.1),MPART_ALT_DIFF(0.79),RCVD_IN_MSPIKE_BL(5),RCVD_IN_MSPIKE_L4(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_DBL_BLOCKED_OPENDNS(0.001)
2024-02-14T07:11:47.660155-05:00 mgw postfix/smtpd[75127]: connect from localhost.localdomain[127.0.0.1]
2024-02-14T07:11:47.663669-05:00 mgw postfix/smtpd[75127]: A1EE280A3D: client=localhost.localdomain[127.0.0.1], orig_client=emark26.emblueusp.com[185.98.147.26]
2024-02-14T07:11:47.670368-05:00 mgw postfix/cleanup[75239]: A1EE280A3D: message-id=<fwc-f83d3ee3d8-@embluemail.com>
2024-02-14T07:11:47.755283-05:00 mgw postfix/smtpd[75127]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2024-02-14T07:11:47.756027-05:00 mgw postfix/qmgr[1071]: A1EE280A3D: from=<emblue3prd_user2@emark9.embluejet.com>, size=79952, nrcpt=1 (queue active)
2024-02-14T07:11:47.756233-05:00 mgw pmg-smtp-filter[75371]: A0E6265CCADFF23B37: accept mail to <Client@Receiver.com> (A1EE280A3D) (rule: WL-WT-MFrom)
2024-02-14T07:11:47.760740-05:00 mgw pmg-smtp-filter[75371]: A0E6265CCADFF23B37: processing time: 4.604 seconds (4.24, 0.149, 0)
2024-02-14T07:11:47.762256-05:00 mgw postfix/smtpd[74142]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (A0E6265CCADFF23B37); from=<emblue3prd_user2@emark9.embluejet.com> to=<Client@Receiver.com> proto=ESMTP helo=<emark26.emblueusp.com>
2024-02-14T07:11:47.878996-05:00 mgw postfix/smtpd[74142]: disconnect from emark26.emblueusp.com[185.98.147.26] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2024-02-14T07:11:48.432198-05:00 mgw postfix/smtp[74265]: Trusted TLS connection established to receiver-com.mail.protection.outlook.com[52.101.41.4]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
2024-02-14T07:11:50.466188-05:00 mgw postfix/smtp[74265]: A1EE280A3D: to=<Client@Receiver.com>, relay=receiver-com.mail.protection.outlook.com[52.101.41.4]:25, delay=2.8, delays=0.09/0/0.78/1.9, dsn=2.6.0, status=sent (250 2.6.0 <fwc-f83d3ee3d8-@embluemail.com> [InternalId=22780506544306, Hostname=MN0PR19MB6309.namprd19.prod.outlook.com] 91013 bytes in 0.250, 354.207 KB/sec Queued mail for delivery)
2024-02-14T07:11:50.467275-05:00 mgw postfix/qmgr[1071]: A1EE280A3D: removed
 
What I'm currently doing:
OBJ: BL-WO-RDomains - Blocking Who Regular Expression Domain names -> .*@(\w+\.)?mediaware-news\.com
OBJ: BL-WT-MFrom - Blocking What Matchfield From -> from=.*@(\w+\.)*mediaware-news\.com
So that should probably be sufficient.

Do you mean that you already had the rules when the mails were going through? If yes, where is the rule 'WL-WT-MFrom' (the one that matched)? Is it before the BL rules?
 
Yes, all the rules were there for those domains mentioned, but emblueusp.com was new at that time.
Both rules for this domain now exist as well.

The main question is for those domains which are worth blocking because of how much they mail, what rules should I build like my 2 to block them?
 
Here is another fresh one; I will show again all the details of the filters to be thorough.
I have attached screenshots of all the rules & objects so you can visualize it.

Images of the tracking center as well as the header from it, and from Outlook.


Code:
2024-02-19T06:11:29.589135-05:00 mgw postfix/smtpd[232662]: connect from emark68.emblueusp.com[185.98.147.68]
2024-02-19T06:11:30.249876-05:00 mgw postfix/smtpd[232662]: Anonymous TLS connection established from emark68.emblueusp.com[185.98.147.68]: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
2024-02-19T06:11:30.719742-05:00 mgw postfix/smtpd[232662]: NOQUEUE: client=emark68.emblueusp.com[185.98.147.68]
2024-02-19T06:11:31.318542-05:00 mgw pmg-smtp-filter[232696]: A0FB365D3376346FD7: new mail message-id=<7qL-da93182b25-@embluemail.com>#012
2024-02-19T06:11:35.782138-05:00 mgw pmg-smtp-filter[232696]: A0FB365D3376346FD7: SA score=1/5 time=4.212 bayes=0.00 autolearn=no autolearn_force=no hits=AWL(-2.540),BAYES_00(-1.9),DKIMWL_WL_MED(-0.001),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),DMARC_PASS(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(0.25),HTML_MESSAGE(0.001),HTML_TAG_BALANCE_BODY(0.1),MIME_HTML_MOSTLY(0.1),MPART_ALT_DIFF(0.79),RCVD_IN_MSPIKE_BL(5),RCVD_IN_MSPIKE_L5(0.001),SPF_HELO_PASS(-0.001),SPF_PASS(-0.001),T_KAM_HTML_FONT_INVALID(0.01),T_REMOTE_IMAGE(0.01),T_SCC_BODY_TEXT_LINE(-0.01),URIBL_DBL_BLOCKED_OPENDNS(0.001)
2024-02-19T06:11:35.787413-05:00 mgw postfix/smtpd[232206]: connect from localhost.localdomain[127.0.0.1]
2024-02-19T06:11:35.790770-05:00 mgw postfix/smtpd[232206]: C0F9980DF9: client=localhost.localdomain[127.0.0.1], orig_client=emark68.emblueusp.com[185.98.147.68]
2024-02-19T06:11:35.796775-05:00 mgw postfix/cleanup[232429]: C0F9980DF9: message-id=<7qL-da93182b25-@embluemail.com>
2024-02-19T06:11:35.867348-05:00 mgw postfix/qmgr[1136]: C0F9980DF9: from=<emblue3prd_user2@emark9.embluejet.com>, size=89630, nrcpt=1 (queue active)
2024-02-19T06:11:35.867659-05:00 mgw postfix/smtpd[232206]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
2024-02-19T06:11:35.867940-05:00 mgw pmg-smtp-filter[232696]: A0FB365D3376346FD7: accept mail to <client@client.com> (C0F9980DF9) (rule: WL-WT-MFrom)
2024-02-19T06:11:35.872402-05:00 mgw pmg-smtp-filter[232696]: A0FB365D3376346FD7: processing time: 4.571 seconds (4.212, 0.16, 0)
2024-02-19T06:11:35.873309-05:00 mgw postfix/smtpd[232662]: proxy-accept: END-OF-MESSAGE: 250 2.5.0 OK (A0FB365D3376346FD7); from=<emblue3prd_user2@emark9.embluejet.com> to=<client@client.com> proto=ESMTP helo=<emark68.emblueusp.com>
2024-02-19T06:11:36.029639-05:00 mgw postfix/smtpd[232662]: disconnect from emark68.emblueusp.com[185.98.147.68] ehlo=2 starttls=1 mail=1 rcpt=1 data=1 quit=1 commands=7
2024-02-19T06:11:36.203526-05:00 mgw postfix/smtp[231904]: Trusted TLS connection established to client-com.mail.protection.outlook.com[104.47.55.138]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (secp384r1) server-signature RSA-PSS (2048 bits) server-digest SHA256
2024-02-19T06:11:37.065830-05:00 mgw postfix/smtp[231904]: C0F9980DF9: to=<client@client.com>, relay=client-com.mail.protection.outlook.com[104.47.55.138]:25, delay=1.3, delays=0.08/0/0.4/0.8, dsn=2.6.0, status=sent (250 2.6.0 <7qL-da93182b25-@embluemail.com> [InternalId=8546984924476, Hostname=DM4PR19MB5906.namprd19.prod.outlook.com] 100647 bytes in 0.229, 427.623 KB/sec Queued mail for delivery)
2024-02-19T06:11:37.067802-05:00 mgw postfix/qmgr[1136]: C0F9980DF9: removed
 

Attachments: 19.02.2024_12.13.58_REC.png, 19.02.2024_12.17.51_REC.png, 19.02.2024_12.18.33_REC.png, 19.02.2024_12.19.17_REC.png, 19.02.2024_12.20.02_REC.png, 19.02.2024_12.20.43_REC.png, 19.02.2024_12.26.29_REC.png, 19.02.2024_12.28.32_REC.png (screenshots of the rules, objects, tracking center and headers)
So I looked at the logs, and the reason why it was accepted is:

2024-02-19T06:11:35.867940-05:00 mgw pmg-smtp-filter[232696]: A0FB365D3376346FD7: accept mail to <client@client.com> (C0F9980DF9) (rule: WL-WT-MFrom)

You have a rule (WL-WT-MFrom) that has a higher priority and probably the 'ACCEPT' action,
so the remaining rules are not checked, since ACCEPT is a final action.

I can't see from the screenshots what exactly is in that rule that matches this mail, but the log says that was the rule why it was accepted.
 
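The evaluation order described in the reply above (rules walked from the highest priority down, an ACCEPT or BLOCK ends evaluation), as an added example that is not part of the thread or of Proxmox Mail Gateway's own code. It models a rule set like the one in this thread, replays the posted envelope sender through it with and without the accidental whitelist rule, and includes a helper that pulls the deciding rule name out of a pmg-smtp-filter log line so whitelist-driven accepts can be spotted in bulk. Assumptions: the contents of WL-WT-MFrom and the From: header value are constructed (the thread shows neither); an empty object list in a rule is treated as "match anything", and a rule needs every non-empty list to match; matching is whole-address and case-insensitive.

```python
import re
from dataclasses import dataclass, field

FINAL_ACTIONS = {"ACCEPT", "BLOCK"}  # per the reply above: these end rule evaluation


@dataclass
class Rule:
    name: str
    priority: int
    action: str
    who: list = field(default_factory=list)        # regexes against the envelope sender
    what_from: list = field(default_factory=list)  # regexes against the From: header


def _any_match(patterns, value):
    # Assumption: whole-value, case-insensitive match, as for the Who objects.
    return any(re.fullmatch(p, value, re.IGNORECASE) for p in patterns)


def evaluate(rules, envelope_from, header_from):
    """Return (action, rule_name) for the first final-action rule that matches.

    Assumption: an empty who/what list matches everything and a rule needs every
    non-empty list to match. If no final rule matches the mail is delivered.
    """
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        who_ok = not rule.who or _any_match(rule.who, envelope_from)
        what_ok = not rule.what_from or _any_match(rule.what_from, header_from)
        if who_ok and what_ok and rule.action in FINAL_ACTIONS:
            return rule.action, rule.name
    return "ACCEPT", "(no rule matched)"


# Shape of the "<action> mail to <rcpt> (<queue id>) (rule: <name>)" line seen in the logs.
_RULE_RE = re.compile(
    r"pmg-smtp-filter\[\d+\]: (\w+): (\w+) mail to <[^>]*> .*\(rule: ([^)]+)\)"
)


def deciding_rule(log_line):
    """(filter id, action, rule name) from a pmg-smtp-filter decision line, else None."""
    m = _RULE_RE.search(log_line)
    return (m.group(1), m.group(2), m.group(3)) if m else None


def whitelist_accepts(log_lines, prefix="WL-"):
    """Filter ids of mails accepted by a rule whose name starts with `prefix`."""
    hits = (deciding_rule(line) for line in log_lines)
    return [h[0] for h in hits if h and h[1] == "accept" and h[2].startswith(prefix)]


def without_whitelist(rules, prefix="WL-"):
    return [r for r in rules if not r.name.startswith(prefix)]


# Rule set modelled on the thread. The WL object content is a constructed stand-in.
RULES = [
    Rule("WL-WT-MFrom", 98, "ACCEPT",
         what_from=[r".*@(\w+\.)*mediaware-news\.com"]),                 # constructed
    Rule("BL-WO-RDomains", 90, "BLOCK",
         who=[r".*@(\w+\.)?mediaware-news\.com",
              r".*@(\w+\.)?embluejet\.com",
              r".*@(\w+\.)?embluemail\.com"]),                          # from the posts
    Rule("BL-WT-MFrom", 85, "BLOCK",
         what_from=[r".*@(\w+\.)*mediaware-news\.com"]),                 # from the posts
]

ENVELOPE_FROM = "emblue3prd_user2@emark9.embluejet.com"  # from the posted qmgr line
HEADER_FROM = "news@mediaware-news.com"                   # constructed; not shown in the thread

# Log line copied from the thread.
LOG_LINE = ("2024-02-19T06:11:35.867940-05:00 mgw pmg-smtp-filter[232696]: A0FB365D3376346FD7: "
            "accept mail to <client@client.com> (C0F9980DF9) (rule: WL-WT-MFrom)")

if __name__ == "__main__":
    print(evaluate(RULES, ENVELOPE_FROM, HEADER_FROM))                     # the accidental whitelist wins
    print(evaluate(without_whitelist(RULES), ENVELOPE_FROM, HEADER_FROM))  # now the BL rule fires
    print(deciding_rule(LOG_LINE), whitelist_accepts([LOG_LINE]))
```

Running `whitelist_accepts` over the pmg-smtp-filter lines of a day's log gives the list of mails a WL- rule let through, which is the quickest way to confirm a stray whitelist before reading screenshots of the rule set. With the whitelist removed the sender from the logs is blocked by the Who rule on the envelope domain; a sender on a domain that no object covers still reaches the default accept, which is the emblueusp.com case in this thread.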
In previously accepted emails we didn't have that whitelist; one of the team here accidentally added it.
I will monitor to make sure this works as expected, and yes, WL was and should be ahead of BL. That makes sense why it happened, thank you!

Based on what we are doing, do you feel its the best way we can accomplish the goal?
 
Based on what we are doing, do you feel its the best way we can accomplish the goal?
If you really need to block based on the sender/from header, there is no better way to do that AFAICS.
 
