Who Objects -> Blacklist-> Domain (Not Working)

Is there a way to avoid having both a regular expression for
Type Reg-Exp: *\.domain\.com ( handles sub-domains )
and
Type Domain: domain.com ( handles the domain itself )

Just thinking a single rule is more efficient...

Thanks

Try the regex I mentioned above
 
Hello Again,

With my tests forcing the sender info I was able to block e-mail, but much to my surprise today another snuck through.
I do see the sender information containing the domain we are looking for in the regular expression.

Any suggestions?
 

Additional issue with regular expressions.
This worked 100% I literally sent 30 messages testing this from one of my servers to see the blocks work.
You can see the block information from my tests.

Today after the spam I went to double check some things and when I edited the regular expression under no circumstances does the expression work.

To show that I'm not totally nuts I will attach a small video. ( well I may still be nuts considering I'm in IT )
Video 1 -> https://screenrec.com/share/cWyQD7lKpZ
Video 2 -> https://screenrec.com/share/8elqWFUrTf

I understand what we are doing here, am familiar with regex from perl, and I'm either missing something or something isn't working correctly.

For reference I sent another test from one of my servers with the from containing one of those domains we are testing for and it did block, so the regular expression I'm referencing here (#26) is more about the web gui test of the regex.

This is separate from (#25)
 

Show the mail log for that incoming mail. You can get it under Tracking center.

Did you choose From or To for your blacklist Who object in your filter rules?

Save your regex pattern, then test the string again. I remember it happened to me before. Sometimes a restart does help.
 
@hata_ph FIRST thanks for taking the time to help me!

Amazingly, the message does not show up in Tracking Center.
I do see it here in maillog:
Oct 6 11:19:32 mgw pmg-smtp-filter[22699]: 813695F7C8B04AC9EF: new mail message-id=<2aD-5545610baa-F@embluemail.com>#012
Oct 6 11:19:33 mgw pmg-smtp-filter[22699]: 813695F7C8B04AC9EF: SA score=1/5 time=1.023 bayes=undefined autolearn=no autolearn_force=no hits=AWL(-0.815),DKIM_SIGNED(0.1),DKIM_VALID(-0.1),DKIM_VALID_AU(-0.1),HEADER_FROM_DIFFERENT_DOMAINS(0.249),HTML_MESSAGE(0.001),SPF_HELO_NONE(0.001),SPF_PASS(-0.001),T_REMOTE_IMAGE(0.01),URIBL_BLACK(1.7)
Oct 6 11:19:33 mgw pmg-smtp-filter[22699]: 813695F7C8B04AC9EF: accept mail to <accounting@test-domain.com> (CA5A1814E2) (rule: default-accept)
Oct 6 11:19:33 mgw pmg-smtp-filter[22699]: 813695F7C8B04AC9EF: processing time: 1.175 seconds (1.023, 0.063, 0)
Oct 6 11:19:33 mgw postfix/lmtp[22765]: 2F7D38002D: to=<accounting@test-domain.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=5.2, delays=4/0/0.01/1.2, dsn=2.5.0, status=sent (250 2.5.0 OK (813695F7C8B04AC9EF))

* on a side note, the only blocked domain emails from all of our blacklist configuration and such are the ones we sent for testing...
I also added bluejet and bluemail to the who regex


Adding another email here in the headers.txt file. I can clearly see the sender, but Tracking Center won't match anything in the header.
 

1. Show all your blacklist content and your mail filter.
2. Search by recipient email or filter in Tracking Center to show the details.
 
Hello,

I found the email in the tracking center, the email has no FROM according to tracking center and it showed up when I selected with empty sender.
The message does however have a from when you receive it.
I know in postfix we have some options for blocking empty sender, but I believe it was frowned upon.
 

I will try that, thank you.

On a side note, here is another where the from shows as empty sender in Tracking center.
Header and tracking attached.
 

Not having success with the additional who/what references.

Several similar to this got through:
subject: SPAM: Do This Immediately To Remove Nail Fungus (Try It)
From: "Fungus Eliminator" <BKQ5HYR1.BKQ5HYR1@96S9.brimmats.com>
To: alic@wber556.net
Content-Type: text/html; charset=utf-8;


We have who - blacklist reg-ex
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}brimmats\.com(\W|$)

We have What - Match fields from
(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}brimmats\.com(\W|$)

Any suggestions?

They are actually hitting several email accounts from that sender domain.

Thanks!
 
Do your rules work just by using the From who object?
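
An added example, not part of any post in this thread and not Proxmox code: it runs the pattern posted above through Python's re module (equivalent to Perl for these ASCII inputs) against the From header quoted in the thread and a few constructed addresses. STRICT_RE, the sample addresses and the function name are assumptions for illustration; how PMG itself applies the pattern (envelope sender versus header field, anchoring) is not modelled.

```python
import re

# Pattern exactly as posted in the thread (Who blacklist and What match-field).
PAGE_RE = re.compile(r"(\W|^)[\w.+\-]{0,50}@[\w.+\-]{0,50}brimmats\.com(\W|$)")

# Hypothetical tighter variant (not from the thread): the domain must start
# right after "@" or after a "." label boundary, and must end the host name.
STRICT_RE = re.compile(
    r"(^|[^\w.+\-])[\w.+\-]+@([\w\-]+\.)*brimmats\.com($|[^\w.\-])", re.IGNORECASE
)

# From header quoted in the thread.
HEADER_FROM = '"Fungus Eliminator" <BKQ5HYR1.BKQ5HYR1@96S9.brimmats.com>'

# Constructed test values; the empty string stands for the empty envelope
# sender that Tracking Center reported for messages in the thread.
SAMPLES = {
    "bare domain": "user@brimmats.com",
    "sub-domain": "user@96S9.brimmats.com",
    "header From": HEADER_FROM,
    "empty envelope sender": "",
    "look-alike prefix": "user@notbrimmats.com",
    "look-alike suffix": "user@brimmats.com.example.org",
}


def evaluate(samples=SAMPLES):
    """Return {label: (page_pattern_matches, strict_pattern_matches)}."""
    return {
        label: (bool(PAGE_RE.search(value)), bool(STRICT_RE.search(value)))
        for label, value in samples.items()
    }


if __name__ == "__main__":
    for label, (page, strict) in evaluate().items():
        print(f"{label:24} page={page!s:5} strict={strict}")
```

The posted pattern already covers the bare domain and its sub-domains in one rule, but it also accepts look-alike domains on either side of brimmats.com. An empty sender value can never satisfy any address pattern, whichever variant is used.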
