> On Aug 19, 2015, at 4:23 PM, Alice Wonder <[email protected] > <mailto:[email protected]>> wrote: > > > > On 08/19/2015 01:14 PM, Ben Greenfield wrote: >> >>> On Aug 19, 2015, at 4:08 PM, Viktor Dukhovni <[email protected] >>> <mailto:[email protected]>> wrote: >>> >>> On Wed, Aug 19, 2015 at 04:07:27PM -0400, Ben Greenfield wrote: >>> >>>>>> /^Received:\b.*\.eu\b REJECT >>>>>> >>>>>> Is that correct or could someone point out what I'm doing wrong. >>>>> >>>>> What you're doing wrong deciding that all mail from a .eu domain >>>>> should be blocked and trying to block said mail by looking at >>>>> Received headers. >>>>> >>>>> Both the decision and the methodology are wrong. >>>> >>>> I'm open to suggestions. >>> >>> First explain the problem, rather than the solution. >> >> We receive a lot of spam that have very rare top level domains .site, .link, >> .website, .eu. >> >> I have been using the custom header checks which appeared to working for me >> until I started trying to reject the .eu mail. I was actually blocking all >> mail that had .eu somewhere in the name. >> >> I decided i needed a regex that would only match patterns at the end of the >> url. > > Do you have a honeypot address?
no. > > I do that but still manually check them, as soon as I get 3 different spammer > IP addresses on same /24 I I block the /24 for two weeks. I do similar things. The problem I have is that one user will get one email from many different domains all ending with one of those top level domains. For example that have gotten 16 emails from domains ending in .eu today. Other users on this domain are not faced with the same issues. > > Are you using any of the dns blacklists? That cut down on my spam > tremendously. I’m using zen.spamhaus.org <http://zen.spamhaus.org/> Thanks, Ben
