I’m seeing an uptick in a particular type of spam that I would very much like
to filter. Fortunately, the spam has a quite distinctive fingerprint: the
envelope sender of each message matches the regex:
^[A-Za-z0-9_-]+-realuser=realdomain\.realtld\@[a-z0-9-]+\.[a-z]{2,4}$
(where ‘realuser’, ‘realdomain’ and ‘realtld’ jointly match an email address
hosted on my server).
For example, if I had a user ‘[email protected]’, the envelope sender on the
spams might look like:
[email protected]
The ‘fred=example.com@’ is pretty distinctive for this spammer. There are a few
legitimate domains that use an approximately similar convention, but the regex
above will not match them.
spammydomain.com, obviously, changes from run to run. They seem to be
snowshoe’ing their way all over Cloudflare, with a few instances on HiVelocity.
My impression is that Spamdyke’s sender blacklists only allow simplified
wildcards, i.e. specifying @example.com to block all email from
‘example.com’, so that’s probably not an option. Spamdyke’s header blacklist
feature is slightly more complex/capable, but doesn’t match on the envelope
sender (or allow me the full expressiveness I need).
I could add a SpamAssassin rule to take care of these cases, but the way my
system is configured, SpamAssassin will only flag spam, not delete it. Some of
the addresses targeted by this particular spammer are set to forward to
external systems, so — in order to preserve the reputation of my mail server —
I’d like to kill this spam dead.
I could use procmail, but this is something of a hassle. So before I go down
that route, I wanted to ask whether there’s anything in the qmailtoaster
toolbox that would allow me to block email based on applying the regex above to
the envelope sender.
I could also just use iptables to block Cloudflare entirely, but that seems a
little extreme.
Any suggestions would be gratefully received.
Angus
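
The fingerprint check described in the message above, as an added example that is not part of the original post and not a qmailtoaster or Spamdyke feature: it builds the quoted regex for every hosted mailbox and reports which mailbox an envelope sender embeds. The function names, the sample addresses and the allowlist of sender hosts (for the legitimate domains the post says use a similar convention) are assumptions.

```python
import re

def build_sender_filter(local_addresses):
    """Compile the post's regex once, covering every hosted mailbox."""
    if not local_addresses:
        raise ValueError("need at least one hosted address")
    # 'fred@example.com' becomes the literal 'fred=example\.com'
    embedded = "|".join(
        re.escape(user) + "=" + re.escape(domain)
        for user, _, domain in (a.partition("@") for a in sorted(local_addresses))
    )
    return re.compile(
        r"^[A-Za-z0-9_-]+-(?P<embedded>" + embedded + r")"
        r"@(?P<host>[a-z0-9-]+\.[a-z]{2,4})$"
    )

def targeted_mailbox(envelope_sender, pattern, allowed_hosts=frozenset()):
    """Return the hosted mailbox embedded in the sender, or None if no match."""
    m = pattern.match(envelope_sender)
    if m is None:
        return None
    # Hypothetical allowlist: hosts known to use the convention legitimately.
    if m.group("host") in allowed_hosts:
        return None
    return m.group("embedded").replace("=", "@", 1)

if __name__ == "__main__":
    # Constructed sample data, not taken from real traffic.
    hosted = {"fred@example.com", "sales@example.org"}
    allowed = {"example.net"}
    pattern = build_sender_filter(hosted)
    samples = [
        "promo-x7-fred=example.com@spammydomain.com",  # fingerprint
        "bounce-fred=example.com@example.net",         # allowlisted host
        "news-alfred=example.com@spammydomain.com",    # different local part
        "fred@example.com",                            # ordinary sender
        "",                                            # null (bounce) sender
    ]
    for sender in samples:
        hit = targeted_mailbox(sender, pattern, allowed)
        print(f"{sender!r:50} -> {'REJECT, targets ' + hit if hit else 'pass'}")
```
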