On Tue Sep 20 2016 14:10:17 li...@lazygranch.com <li...@lazygranch.com> said:
>
> After studying these spam messages, I think postfix blocking via tld is the
> only solution. The problem is the message is embedded in graphics with brief
> text regarding "if you can't view this click here". There isn't enough to
> trip the spam bot.
>
> What is the simplest way to block a TLD?
This is what I am doing, and it is working (for me) great.

helo_checks.pcre:

/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|eu|es|jp|il|it|nl|info|biz|name)$/ DUNNO
/.*\.*/ 550 Mail for this TLD is not allowed

Obviously, you will need to see what TLDs are used for valid mail on your system, but that list works for me.

grep -o "helo=<.*>" /var/log/maillog* | egrep -o "\.[^.]+>" | cut -c 2- | sed 's/[0-9]*\]*>//' | sort -u

That will give you all your TLDs without showing if they are valid mail.

I am still getting hammered with spammers using .top .stream and .xyz, but if they make it past postscreen, they get dropped by helo_checks.

I am probably removing biz from my exclusion list. I do have some valid mail from .biz, but it looks like it is exclusively list mail, so the helo checks would not come into play. I will check the logs again in a couple of months and see how much, if any, is valid.
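As an added check (my own code, not the poster's and not Postfix itself): a small Python reimplementation of how Postfix walks a pcre: table (unanchored patterns, first matching rule wins, case-insensitive unless the i flag is set), run over the posted helo_checks.pcre with a few constructed HELO names. It also shows that the catch-all second rule rejects an address-literal HELO such as [192.0.2.1], which a legitimate host may send; the table text and HELO names are constructed for the example.

```python
import re

# Constructed copy of the helo_checks.pcre table from the post (embedded, not read from disk).
HELO_CHECKS_PCRE = r"""
/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|eu|es|jp|il|it|nl|info|biz|name)$/ DUNNO
/.*\.*/ 550 Mail for this TLD is not allowed
"""

# One "/pattern/flags result" line; an optional leading "!" negates the match.
# (Hypothetical mini-parser: IF/ENDIF blocks of real pcre tables are not handled.)
_RULE = re.compile(r"^(!?)/((?:[^/\\]|\\.)*)/([a-zA-Z]*)\s+(.*)$")


def load_pcre_table(text):
    """Parse table text into [(negated, compiled_regex, result)] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError("cannot parse rule: %r" % line)
        negated, pattern, flags, result = m.groups()
        # Postfix pcre tables match case-insensitively by default; the "i" flag toggles that off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((negated == "!", re.compile(pattern, re_flags), result))
    return rules


def lookup(rules, key):
    """Postfix semantics: patterns are unanchored, the first matching rule wins, else no result."""
    for negated, regex, result in rules:
        if (regex.search(key) is not None) != negated:
            return result
    return None


RULES = load_pcre_table(HELO_CHECKS_PCRE)


def helo_action(helo):
    """Result the posted table gives for one HELO/EHLO name (DUNNO = fall through to later checks)."""
    return lookup(RULES, helo)


if __name__ == "__main__":
    # Constructed HELO names: note the catch-all also rejects an RFC 5321 address literal.
    for name in ["mail.example.com", "MX1.EXAMPLE.ORG", "spam.example.top", "[192.0.2.1]"]:
        print("%-20s -> %s" % (name, helo_action(name)))
```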