Fighting Spam: Block entire (T)TLD with Postfix

Oct 25, 2016 | Blog, Technical, Website Security

A Top-Level Domain (TLD) is at the highest level of the Domain Name System (DNS) structure. The domain .com is a TLD. So are .org, .net, and .biz.

I’ve presented on DNS (and BIND) – you can click the link to view my PDF slides (and you can view a listing of all of my posted workshops at https://barredowlweb.com/knowledge-base/#workshops). You can also read an old blog post I wrote on an introduction to DNS & IPv6 at https://barredowlweb.com/2013/10/28/introduction-dns-ipv6/.

But back to this topic… There are a lot of new TLDs, such as .bid and .science. At Barred Owl Web, we’ve noticed that spammers are the only ones sending email from domain names inside many of these TLDs.

In an effort to curb this spam, we block email coming from many of these TLDs completely. Here’s how you can too (these instructions are for CentOS servers, but can of course be adapted to your particular Linux distribution and wherever your Postfix configuration files are located).

1. Create a file in /etc/postfix, and name it “reject_domains”
(vim /etc/postfix/reject_domains)

2. Here are the current contents of our reject_domains file – it’s growing, but we currently are blocking email from 15 different TLDs:

/\.pro$/ REJECT We reject all .pro domains
/\.date$/ REJECT We reject all .date domains
/\.science$/ REJECT We reject all .science domains
/\.top$/ REJECT We reject all .top domains
/\.download$/ REJECT We reject all .download domains
/\.work$/ REJECT We reject all .work domains
/\.click$/ REJECT We reject all .click domains
/\.link$/ REJECT We reject all .link domains
/\.diet$/ REJECT We reject all .diet domains
/\.review$/ REJECT We reject all .review domains
/\.party$/ REJECT We reject all .party domains
/\.zip$/ REJECT We reject all .zip domains
/\.xyz$/ REJECT We reject all .xyz domains
/\.stream$/ REJECT We reject all .stream domains
/\.bid$/ REJECT We reject all .bid domains

3. Edit /etc/postfix/main.cf and add the following line (if smtpd_sender_restrictions is already defined, add the check to that existing list instead of declaring the parameter a second time):
smtpd_sender_restrictions = check_sender_access pcre:/etc/postfix/reject_domains

4. Reload Postfix:
postfix reload
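As an added example (not part of the original post), here is a small Python helper that renders the reject_domains table from a TLD list, optionally with exemption lines placed ahead of the REJECT rules, and mimics the first-match, case-insensitive lookup that `postmap -q user@example.pro pcre:/etc/postfix/reject_domains` performs on a live server. The exempt sender and the test addresses are constructed, and the simulator assumes the table is queried with the full sender address.

```python
import re

# Constructed input: the TLDs rejected in the post, plus one hypothetical
# sender that should get through even though its TLD is on the list.
REJECT_TLDS = ["pro", "date", "science", "top", "download", "work", "click",
               "link", "diet", "review", "party", "zip", "xyz", "stream", "bid"]
EXEMPT_SENDERS = ["billing@exception.bid"]  # constructed example


def build_table(reject_tlds, exempt_senders=()):
    """Render a pcre: access table. Exemptions come first because Postfix
    stops at the first matching line; DUNNO hands the decision to the
    remaining restrictions instead of short-circuiting with OK."""
    lines = [f"/^{re.escape(addr)}$/ DUNNO" for addr in exempt_senders]
    lines += [f"/\\.{tld}$/ REJECT We reject all .{tld} domains"
              for tld in reject_tlds]
    return "\n".join(lines) + "\n"


# One table line: /pattern/flags ACTION [optional text]
_LINE = re.compile(r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[imsxAU]*)"
                   r"\s+(?P<action>\S+)(?:\s+(?P<text>.*))?$")


def lookup(address, table_text):
    """Mimic 'postmap -q ADDRESS pcre:FILE': first match wins, and matching
    is case-insensitive unless a line's 'i' flag toggles that off."""
    for raw in table_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed pcre table line: {raw!r}")
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        if re.search(m["pat"], address, flags):
            return m["action"], m["text"] or ""
    return None  # no match: smtpd moves on to the next restriction


if __name__ == "__main__":
    table = build_table(REJECT_TLDS, EXEMPT_SENDERS)
    print(table)
    for addr in ["user@example.pro", "BILLING@Exception.BID", "user@example.com"]:
        print(addr, "->", lookup(addr, table))
```

Before reloading on a real server, run the same lookups with postmap -q against the pcre: table to confirm the file parses and the anchors behave as intended.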

You’re done. Hopefully this will help you combat spam too.

Need help with your Linux web or email server? Contact me at https://barredowlweb.com/contact/ to start a conversation.

14 Comments

  1. Jacques

    Hi All,

    I use Postfix v2.10.1 and I followed your tutorial.
    My /etc/postfix/access file :
    /\.date$/ REJECT

    When I try this conf file with the next command, it seems that the regular expression doesn’t work :
    postmap -q "toto@test.date" hash:/etc/postfix/access

    But if I modified access file with an entry as follow :
    toto@test.date REJECT

    The test command works.

    Maybe any ideas ?

    Jacques

    • Lishack the Fox

      Hi,
      postmap is for hash (or lmdb files), but this is pcre (Perl Compatible Regular Expression).
      You may also need to install the postfix-pcre package.

      Regards, Lishack the Fox.

    • David

      Lishack is correct.
      You need to put the code I provided above into a new file, and then point to that file with the following configuration parameter: check_sender_access pcre

  2. Thorsten Gust

    Hi David,

    Built my first own mail server and realized how many things must be done to get that running, including
    fighting spam. In the past I’ve supported SUN Microsystems Mail Server and did not know how much stress it is to have your own.

    So thanks for that blog it helps me so much !

    Thanks and best regards
    Thorsten

  3. sophie

    1. I use a .xyz for my business. Like many others. The domain was cheap to register a few years ago. Instead of blocking entire domains, why not be a little more intelligent in this?
    2. Postfix is not meant to be a spam filter, per se. It’s an MTA. Take the time to configure SpamAssassin or RSPAMD. Also chain in the clamav-milter. Maybe you’ll have fewer false positives.
    Regards..

    Funnily I knew a sys admin in the Netherlands who blocked the whole *.uk TLD, and then wondered why his email alerts from amazon.co.uk never arrived in his mailbox.

    • David

      Those are certainly good points. And you are correct: Postfix is an MTA. You’ll get no argument from me there.
      However, as you likely know, the volume of spam that the typical MTA receives is absurd. We have made the decision to block these TTLDs because there has never been a use case for us, or any of our clients whose email is hosted on our infrastructure, to communicate with others who have an email address at one of those TTLDs mentioned. Here’s a nice article from Brian Krebs on the subject of TLDs and spam: https://krebsonsecurity.com/tag/new-tld-spam/

  4. Perry

    Nice tutorial, works perfect! Those new TLD’s are a pain in the ass.

  5. Xaeus

    I’m currently testing how to allow an exception.
    I mean if I block a domain called .blocked with /\.blocked$/ REJECT I want to previously allow one exception for something like exception.blocked.

    • David

      You can whitelist senders by hostname or IP address by setting a smtpd_recipient_restrictions stanza, and adding the following to that stanza:

      check_client_access hash:/etc/postfix/rbl_override

      In your rbl_override file, it might look something like this:
      1.1.1.1 OK
      mail.example.com OK

      Then do a "postmap /etc/postfix/rbl_override", reload Postfix, and you’re good to go!

  6. William Keeley

    Today I just banned an entire ISP from sending me email. In fact it happens to have over 1000 CIDR’s I had to sift through. What is much different than usual is the fact that I put a referral to the spam supporting ISP’s toll free number for assistance in resolving the issue. I want to put the onus and responsibility for the cost of spam BACK ON the spammers and their supporting ISP’s where it belongs.
    The list I use is in the following format:
    23.228.77.0/24 REJECT You are blocked for network abuse: Spamming – Contact Globalfrag/LayerHost Technical Support 1-833-247-HOST to resolve issue.

  7. lbutlr

    I check my logs for mails that are rejected because of their TLD and sometimes make exceptions or even allow a TLD I’d previously blocked. I’ve never seen anything that looked even vaguely like it might be legit from .xyz .top or many others.

    (I take a different tack, I block ALL TLDs and then white list the ones I will accept mail from, this way new TLDs do not get an opportunity to spam my server.)

  8. Stan Williams

    Those are new TLDs and people are buying them. I wish I had seen this before I bought my stan.stream domain. What a load of crap to happen to people like me who HATE spammers. Spammers should be prosecuted.

  9. jnewman67

    You have NO IDEA how long I’ve been searching for this solution! Cannot believe it took years of googling to find this – just had to use the right guess-words to search for (“wildcards” was the key!).
    I had a SENDER_CHECKS file that was 22,250 lines long trying to keep the spam in check – created 270 entries in my reject_domains file, and the sender_checks is now down to 7770 after removing duplicates.
    Thank you, thank you, THANK YOU!!!!!

    • David

      I’m glad it was helpful! 🙂
