Re: any way to block .tlds?

Posted: 22 Jul 2016, 19:17
by Sergio
espinosap wrote: I love you Sergio
Glad you like it, I could accept an Amazon gift, hahaha, it's a joke.
I have a lot of antispam rules and this one is one of my favorites, with another that I use to block all Mailchimp campaigns, and that is really great. No Mailchimp campaigns in my server, lol.

Re: any way to block .tlds?

Posted: 03 Nov 2017, 13:11
by lolopc
Hello,
Sergio's script works like a charm.
I'm always a bit scared of banning emails, I prefer to forward them to a Spam mailbox.
How can I do that?
Regards,
LOLOPC

Re: any way to block .tlds?

Posted: 07 Oct 2019, 19:03
by v3_exceed
Hi,
I joined this message board specifically to say thank you to Sergio.
Too many top-level domains are being treated like a spam fest.

This is an elegant solution which can easily be adjusted to simply add to the score, or to block permanently.
What actual business would use the domain extension ".monster"?

Thank you for taking the time to create a rule that doesn't suck.

In return for this rule I give you this.

##body Bitcoin_rule
# __BTC1: legacy Base58 wallet address (leading 1 or 3, no 0/O/I/l)
body __BTC1 /\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b/
# __BTC2 / __BTC3: "bitcoin" or "btc" with optional non-word characters between the letters
body __BTC2 /\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b/i
body __BTC3 /\b\W*b\W*t\W*c\W*\b/i
# __BTC4 / __BTC5: Cyrillic look-alikes (\x{0441} es, \x{0456} i, \x{043E} o) in place of Latin letters
body __BTC4 /bt[c\x{0441}]/i
body __BTC5 /b[i\x{0456}]t[c\x{0441}][o\x{043E}][i\x{0456}]n/i
# fires only when a wallet address AND one of the keyword patterns are both present
meta LOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 || __BTC5 ) )
score LOCAL_BITCOIN 10.2
describe LOCAL_BITCOIN This is to stop bitcoin ransomware idiots
##Stop bitcoin spam

This rule looks for a bitcoin wallet and adds 10.2 points if the wallet is present. So far it has made my clients very happy without blocking any valid mail.

As always, use at your own risk.


Quick question... why does "reviews?" have a ?

thanks

..ex
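As an added example (not part of any post in this thread), the five SpamAssassin sub-rules above transcribed into Python with the meta logic applied to a few constructed message bodies, so the "address AND keyword" requirement and the Cyrillic homoglyph matches can be checked offline. The wallet string is constructed from the Base58 alphabet and is not a real address.

```python
import re

# Sub-rules transcribed from the SpamAssassin post above. Perl's \x{0441}
# becomes Python's \u0441 (Cyrillic es, a visual twin of Latin "c").
BTC_SUBRULES = {
    # legacy Base58 wallet address: leading 1 or 3, no 0/O/I/l
    "__BTC1": re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b"),
    # "bitcoin" with optional non-word junk between the letters
    "__BTC2": re.compile(r"\b\W*b\W*i\W*t\W*c\W*o\W*i\W*n\W*\b", re.I),
    # "btc" with optional non-word junk between the letters
    "__BTC3": re.compile(r"\b\W*b\W*t\W*c\W*\b", re.I),
    # "btc" with a Cyrillic es in place of the c
    "__BTC4": re.compile(r"bt[c\u0441]", re.I),
    # "bitcoin" with Cyrillic i / es / o substituted for the Latin letters
    "__BTC5": re.compile(r"b[i\u0456]t[c\u0441][o\u043e][i\u0456]n", re.I),
}
SCORE = 10.2  # score LOCAL_BITCOIN 10.2


def evaluate(body: str) -> dict:
    """Return per-sub-rule hits and whether the meta rule LOCAL_BITCOIN fires."""
    hits = {name: rx.search(body) is not None for name, rx in BTC_SUBRULES.items()}
    # meta LOCAL_BITCOIN ( __BTC1 && ( __BTC2 || __BTC3 || __BTC4 || __BTC5 ) )
    fired = hits["__BTC1"] and any(hits[n] for n in ("__BTC2", "__BTC3", "__BTC4", "__BTC5"))
    return {"hits": hits, "LOCAL_BITCOIN": fired, "score": SCORE if fired else 0.0}


# Constructed sample bodies; the wallet string is made up from the Base58
# alphabet (33 characters) and is not a real address.
WALLET = "1ABCDEFGHJKLMNPQRSTUVWXYZabcdefgh"
SAMPLES = {
    # address plus plain keyword: __BTC1, __BTC3 and __BTC4 hit, rule fires
    "plain_ransom": f"Send 0.5 BTC to {WALLET} within 48 hours.",
    # address plus homoglyph "bitcoin" (Cyrillic i, es, o): only __BTC5 hits
    "homoglyph": f"Pay 0.5 b\u0456t\u0441\u043e\u0456n to {WALLET} now",
    # address without any keyword: __BTC1 alone is not enough
    "address_only": f"Your invoice reference is {WALLET}.",
    # keyword without address: no score either
    "keyword_only": "I read an article about bitcoin mining yesterday.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        result = evaluate(body)
        print(f"{name:13s} fired={result['LOCAL_BITCOIN']!s:5s} score={result['score']}")
```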

Re: any way to block .tlds?

Posted: 07 Oct 2019, 19:46
by Sergio
@v3_exceed
Thank you for the rule and your kind words. I like your rule and I will give it a try.

For Bitcoin I use an advanced one that blocks the email and blocks the IP of the server that sent the ransomware.

So, I use MailScanner to block the email and the customer will never receive it; in the background CSF blocks the IP, and if more than N IPs from the same CIDR are blocked, the complete CIDR is blocked with a DO NOT DELETE tag, so no more ransomware from that IP range.

Sergio

Re: any way to block .tlds?

Posted: 07 Oct 2019, 20:03
by Sergio
v3_exceed wrote: 07 Oct 2019, 19:03
Quick question... why does "reviews?" have a ?

thanks

..ex
Ok, I have seen on my servers domains that end in "review" and other domains that end in "reviews"; the last "s?" is to block both of them. That is the regular expression for the preceding letter being present or not.

Sergio

Re: any way to block .tlds?

Posted: 09 Oct 2019, 19:22
by v3_exceed
Sergio wrote: 07 Oct 2019, 20:03
v3_exceed wrote: 07 Oct 2019, 19:03
Quick question... why does "reviews?" have a ?

thanks

..ex
Ok, I have seen on my servers domains that end in "review" and other domains that end in "reviews"; the last "s?" is to block both of them. That is the regular expression for the preceding letter being present or not.

Sergio
Ahhhh awesome.... I get the ? now.. that's a handy addition.

The problem with blocking the CIDR is that a lot of systems sending ransomware aren't aware they are sending ransomware. By blocking the email with the wallet, we are sure that the email is crap; for the one false positive I may get, I can whitelist that one email address. It's been working great so far ;)

thanks
..ex

Re: any way to block .tlds?

Posted: 10 Oct 2019, 02:57
by Sergio
v3_exceed wrote: 09 Oct 2019, 19:22 Ahhhh awesome.... I get the ? now.. that's a handy addition.

The problem with blocking the CIDR is that a lot of systems sending ransomware aren't aware they are sending ransomware. By blocking the email with the wallet, we are sure that the email is crap; for the one false positive I may get, I can whitelist that one email address. It's been working great so far ;)

thanks
..ex
Oh, I don't block CIDRs just because, no. I block CIDRs if 10 or more IPs are blocked within a certain time frame, and in case of doubt I use talosintelligence dot com / reputation_center to check if the CIDR is in good standing. Give it a try.

Sergio