Blacklist my domain except from when mail is sent from within our IP range - ORF Forums


1

We are getting a lot of SPAM that appears to be coming from genuine internal mailboxes. Obviously the SPAM is being sent from IPs outside our IP range so is it possible to blacklist all mail from @ourdomain.co.uk unless they are sent from an IP address within our IP range? Or is there another solution?
We have tried selfspam etc but to no avail.

Thanks in advance.

by joegibson 8 years ago
2

Hello joegibson,

The best you can do is to publish an SPF policy for your domain (see http://en.wikipedia.org/wiki/Sender_Policy_Framework), which allows you to specify the hosts that are allowed to send emails in the name of your domain. Once you have an SPF policy in place (published in DNS as a TXT record), the SPF Test of ORF will take care of the forged emails.

For more information, please visit http://www.openspf.org and consult our related article at http://www.vamsoft.com/howto-blacklist-self-spam.asp#solution-2

If you have any other questions or would like me to clarify anything else, please let me know. I will be happy to help.

by Daniel Novak (Vamsoft) 8 years ago
3

@Daniel Novak (Vamsoft): Hi Daniel,

Thanks for the info. I was looking for a similar solution as joegibson. I followed your instructions and published an SPF policy as a DNS record but the SPAM emails are still coming through because the email addresses are auto-whitelisted.

I just changed the SPF Test to occur before arrival, in addition to on arrival. I didn't see any other options to force the SPF Test on whitelisted email addresses. Can you suggest any other changes?

Thanks,
Mike

by Mike 8 years ago

4

Hello Mike,

You can 'force' the SPF Test to run before the whitelists in the Whitelist Test Exceptions dialog (Filtering > Tests > Whitelist Test Exceptions (at the bottom of the page) | Configure), but I would rather suggest that you investigate how your domain ended up on a whitelist in the first place.

When a spam email gets whitelisted by ORF, that indicates a configuration problem most of the time. Please consult the "Whitelist Issues" section of the following article for instructions on how to troubleshoot this issue: http://vamsoft.com/support/docs/articles/how-to-blacklist-self-spam#whitelist-issues

If you need further assistance, just let me know.

by Daniel Novak (Vamsoft) 8 years ago
5

In addition to Daniel's suggestions, another possible step, with some small risk of false positives, is to tag email that claims to be from your domain but arrives via ORF as spam. This works for us since we send our own email from our internal servers.

A sender regex rule with a few exceptions could be:
(?=.*yourdomain.*\@)(?!.*(dynect|\@.+\.uber\.|\@.+\.groups\.yahoo\.))

A Keyword regex rule, Email Header raw/MIME only, could be:
.*^From\:[^\r\n]+\@yourdomain\.com>

Monitor your results.
Hope this helps

by Sam Russo 8 years ago
6

Daniel and Sam,

Thanks for taking the time to reply.

Daniel- I believe my domain was added to the whitelist when I initially set up Exchange and ORF. I added my main domain, which doesn't get a ton of spam, to the Exchange server and then installed ORF Fusion. I wasn't getting enough spam on that domain to properly evaluate your software so I added a second domain to my Exchange server that receives a ton of spam. I think I sent an email from the first domain to the second during the initial setup and while it was not hosted on my server, which is what led to that email address getting whitelisted.

I followed the steps you outlined above about getting an SPF policy set up and changed the whitelist test exceptions and that seems to have solved the issue. I missed that configure button on the bottom of the window.

Sam- It appears the SPF policy has fixed the issue. I added your suggestion just in case it fails and I'll monitor it to see if it ever kicks in. I use the regex rule for certain top level domains (i.e. .top) but I hadn't thought of applying it to my domain. I appreciate your help!

Thanks,
Mike

by Mike 8 years ago
