Sender address blacklist convert to one file - ORF Forums

Sender address blacklist convert to one file RSS Back to forum

1

Hello
I got lots of spam emails from company users to add email addresses to black list.
Now I have a long list of them. Usually I add just domain name from email address only if it's not from gmail or hotmail or something like that.
Is it possible to create one file with this list of domains\emails and connect it to ORF?

Thanks

by alexei.tchernobrivets 7 years ago
2

@alexei.tchernobrivets: Yes, you can create a csv, txt, or xml list (see 'List Import and Export Formats': https://vamsoft.com/support/docs/orf-help/5.4.1/adm-exportformats) and import it into ORF with just a few clicks:

1. Start the ORF Administration Tool and connect to the local or a remote instance
2. Navigate to the Blacklists > Sender Blacklist page
3. Right-click anywhere in the list and select "Import list...".
** Alternatively, you can do this from the menu, select File > Import > Sender blacklist...
4. Browse to the file that you want to import
5. On the “Do you want to overwrite the current list with the imported” prompt, click “No”.
6. Click OK, and save the ORF configuration (Ctrl + S -or- File > Save Configuration) to apply the new settings.

That said, I think this is the wrong approach - as it will not solve the problem of spam getting through. The fact that you have to keep blacklisting senders manually seems to imply that ORF is not set up according to our recommendations (see our 'Best Practices Guide': https://vamsoft.com/support/docs/how-tos/best-practices-5.4.1). With the proper settings, ORF's automated tests should be able to block 95-98% of the incoming spam.

I think it would be best if you would send us (to ) your ORF configuration file (orfent.ini) and logs (e.g. orfee-2017-08-13.log) for a review. In turn, we could provide suggestions on how to improve the filtering performance your ORF installation. You may find the requested files in the ORF program directory by default (\Program Files (x86)\ORF Fusion).

by Daniel Novak (Vamsoft) 7 years ago
(in reply to this post)

3

@Daniel Novak (Vamsoft): Hello !

Thanks for this solution. I meant that I had a lot of records with only restricted domains and may be it would be simple to create regex and added it to Keyword BlackList.

Thnaks

by alexei.tchernobrivets 7 years ago
(in reply to this post)

4

@alexei.tchernobrivets: Are you trying to blacklist emails that are sent from certain domains - or - based on URLs that appear in the mail body? If the latter, you need to add the regex to 'Keyword Blacklist'. If the former, then you need to add it to the 'Sender Blacklist'. The final regex pattern depends on the use case.

by Daniel Novak (Vamsoft) 7 years ago
(in reply to this post)

5

@Daniel Novak (Vamsoft): Hello Daniel and thanks.

I am not a profi in Regex but if I have lots of records in sendert BlackList like : *@domain.com
where "domain" is a different ones. What kind of regex for Keyword Blacklist should be? Could you give me an example, pls?

Thanks

by alexei.tchernobrivets 7 years ago
(in reply to this post)

6

@alexei.tchernobrivets: Hello Alexei,

You can use this kind of regex to block multiple domains with one rule:
.*[@.-](domainone|domaintwo|domainthree)\.(com|net|org)

The only disadvantage to this method is that the ORF log will not show which domain matched. The advantage is many less rules to manage. I recommend you add a date to the rule name (example: 20170830) and over time you can clean them up if you find old rules are no longer needed. I will tend to add domains to the same rule as needed, stop any changes once it grows too large and start a new one, typically once per month.

Consider all your options for blacklist rules: keywords (header, body), sender domain and even IP ranges are sometimes useful.

Good luck,
Sam

by Sam Russo 7 years ago
(in reply to this post)

7

@alexei.tchernobrivets: Hello Alexei,

To reduce the number of "*@domain.com" items on the Sender Blacklist, just use the regex pattern suggested above by Sam Russo - it will do the trick:

1. Start the ORF Administration Tool and connect to the local or a remote ORF instance
2. Navigate to the 'Blacklists > Sender Blacklist' page
3. Click 'New'
4. In the 'Email Address Expression' dialog select the ‘Regular expression (Perl-compatible)’ mask type
5. Modify Sam's regex pattern as needed, and copy it into the ‘Email address/mask’ field.
Hint: Use the “|” (bar) character to add additional domains to the blacklist.
6. Enter a comment text into the ‘Comment’ field to help you identify blacklist hits later in the ORF logs
7. Click 'OK'
8. Save the ORF configuration to apply the new settings ('Ctrl + S' or 'File > Save Configuration')

by Daniel Novak (Vamsoft) 7 years ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2