1

Topic: Blacklist

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 1.7.4
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Good day. I added two addresses to the blacklist
python3 /opt/iredapd/tools/wblist_admin.py --add --blacklist @XXX.com
but the letters still come from this domain, they are marked as spam. Is it possible to block them so as not to receive these letters at all? Thanks


2

Re: Blacklist

I have the same issue, no solution? Thanks all.

3

Re: Blacklist

You can add a bad domain to SpamAssassin. Below is an example.

sudo nano /etc/spamassassin/header-keywords.cf

header DOMAINE_FROM_01 From =~ /\@badguys\.de|\@badguys\.com/i
header DOMAINE_FROM_02 From =~ /\@badguys\.es|\@badguys\.net/i
meta DOMAINE_FROM (( DOMAINE_FROM_01 + DOMAINE_FROM_02 ))
score DOMAINE_FROM  10.1

Also add a score to the Sieve filter.

sudo nano /var/vmail/sieve/dovecot.sieve

if header :contains "X-Spam-Level" "**********" {
    discard;
    stop;
}

4 (edited by WhoAmI68 2025-11-19 21:03:44)

Re: Blacklist

SpamAssassin is more flexible for these bad guys :). You can check the body and discard emails based on body keywords or by top-level domains.

# Body Checks
body BODY_CHECKS_RULE_01 /\b(?:cannabis|viagra|free\.hr)\b/i
body BODY_CHECKS_RULE_02 /\b(?:zentiva|velko-mix\.cz)\b/i
meta BODY_CHECKS_RULE (( BODY_CHECKS_RULE_01 + BODY_CHECKS_RULE_02 ))
score BODY_CHECKS_RULE 10.1

# Blacklist Top-Level-Domains
header   TLD_BLOCK From:addr =~ /\@(?:[a-z0-9-]+\.)+(?:top|shop|live|io|biz)$/i
describe TLD_BLOCK Blacklisted TLDs
score    TLD_BLOCK 10.1
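
An added example (not part of the post) for dry-running a TLD pattern against constructed sender addresses before scoring it at a level the Sieve rule discards. TLD_LOOSE is a constructed variant that allows one optional label and ends on `\b`; TLD_ANCHORED requires the TLD to end the address.

```perl
#!/usr/bin/perl
# Added example: dry-run TLD patterns against constructed sender addresses
# before giving the rule a discard-level score.
use strict;
use warnings;

# Patterns under test. TLD_LOOSE is a constructed variant kept only for
# comparison; TLD_ANCHORED requires the TLD to be the end of the address.
my %rules = (
    TLD_LOOSE    => qr/\@(?:[a-z0-9-]+\.)?(?:top|shop|live|io|biz)\b/i,
    TLD_ANCHORED => qr/\@(?:[a-z0-9-]+\.)+(?:top|shop|live|io|biz)$/i,
);

# Constructed sender addresses: 1 = should be blocked, 0 = must pass.
my @samples = (
    [ 'promo@deals.top',       1 ],
    [ 'promo@mail.deals.shop', 1 ],
    [ 'alice@live.com',        0 ],
    [ 'bob@io.example.org',    0 ],
    [ 'carol@example.com',     0 ],
);

# Return (false positives, misses) for one pattern as two array refs.
sub evaluate {
    my ($re) = @_;
    my ( @false_pos, @false_neg );
    for my $s (@samples) {
        my ( $addr, $want ) = @$s;
        my $hit = $addr =~ $re ? 1 : 0;
        push @false_pos, $addr if $hit  && !$want;
        push @false_neg, $addr if !$hit && $want;
    }
    return ( \@false_pos, \@false_neg );
}

for my $name ( sort keys %rules ) {
    my ( $fp, $fn ) = evaluate( $rules{$name} );
    printf "%-13s false positives: %s | missed: %s\n",
        $name, ( @$fp ? "@$fp" : 'none' ), ( @$fn ? "@$fn" : 'none' );
}
```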

5

Re: Blacklist

My personal recommendations about phishing :).
This rule blocks around 90% of one-off hack cases where an attacker compromises someone’s VPS and sends messages with their own Reply-To address. However, be careful: some older ISPs and hosting providers still legitimately use different domains for the From and Reply-To fields.

1 - sudo nano /etc/spamassassin/plugins/FromAndReplyToIsNotSameDomain.pm

package FromAndReplyToIsNotSameDomain;
use Mail::SpamAssassin::Plugin;

our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ( $class, $mailsa ) = @_;

    # the usual perlobj boilerplate to create a subclass object
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless( $self, $class );

    # then register an eval rule, if desired...
    $self->register_eval_rule("check_for_from_and_reply_to_is_not_same_domain");

    # and return the new plugin object
    return $self;
}

sub check_for_from_and_reply_to_is_not_same_domain {
    my ( $self, $msg ) = @_;
    my $check_from = lc( $msg->get('From:addr') );
    $check_from =~ s/.*@//;

    my $check_replyTo = lc( $msg->get('Reply-To:addr') );
    $check_replyTo =~ s/.*@//;

    Mail::SpamAssassin::Plugin::dbg(
        "FromAndReplyToIsNotSameDomain: Comparing '$check_from'/'$check_replyTo'"
    );

    if ( ( $check_from eq '' ) || ( $check_replyTo eq '' ) ) {
        return 0;    #PASS, empty from or reply to
    }

    my ( @check_fromParts, @check_replyToParts );

    #short-circuit logic
    if ( $check_from ne $check_replyTo ) {

        #create arrays to make life easier
        @check_fromParts    = split( /\./, $check_from );
        @check_replyToParts = split( /\./, $check_replyTo );

        if ( ( $#check_fromParts >= 1 ) && ( $#check_replyToParts >= 1 ) ) {
            if ( $check_fromParts[-1] ne $check_replyToParts[-1] ) {
                return 1;    #fail, not the same .tld
            }
            if ( $check_fromParts[-2] ne $check_replyToParts[-2] ) {
                return 1;    #fail, not the same domain.tld / tld.tld
            }
        }
        if ( ( $#check_fromParts >= 3 ) && ( $#check_replyToParts >= 3 ) ) {
            if ( $check_fromParts[-3] ne $check_replyToParts[-3] ) {
                return 1;    #fail,not the same sub.domain.tld / domain.tld.tld
            }
        }
        if ( ( $#check_fromParts >= 4 ) && ( $#check_replyToParts >= 4 ) ) {
            if ( ( $#check_fromParts > 4 ) || ( $#check_replyToParts > 4 ) ) {
                if ( $check_fromParts[-4] ne $check_replyToParts[-4] ) {
                    return 1;    #fail, not the same domain sub.sub.sub.domain.tld / sub.sub.domain.tld.tld
                }
            }
            else {
                if ( $check_fromParts[-3] ne $check_replyToParts[-3] ) {
                    return 1;    #fail, not the same domain sub.sub.domain.tld / sub.domain.tld.tld
                }
            }
        }
        }
    }
    return 0;           #PASS
}

# This ;1 is importa
1;

1- sudo nano /etc/spamassassin/header-keywords.cf

# Domain does not match Reply-To domain
loadplugin FromAndReplyToIsNotSameDomain /etc/spamassassin/plugins/FromAndReplyToIsNotSameDomain.pm
header FROM_NOT_REPLYTO_SAME_DOMAIN eval:check_for_from_and_reply_to_is_not_same_domain()
score FROM_NOT_REPLYTO_SAME_DOMAIN 10.1
describe FROM_NOT_REPLYTO_SAME_DOMAIN From domain does not match Reply-To domain

2 - Flags messages where the “From” display name looks like a domain that matches the recipient’s domain, indicating possible phishing.

header   __PDS_FROM_NAME_TO_DOMAIN  ALL =~ /From: ["']?([a-z0-9\.-]+\.[0-9a-z\.-]+)["']? [^\n]+\n+To:[^\n]+\@\1/ism
meta     PDS_FROM_NAME_TO_DOMAIN __PDS_FROM_NAME_TO_DOMAIN
score    PDS_FROM_NAME_TO_DOMAIN 10.1
describe PDS_FROM_NAME_TO_DOMAIN From:name looks like To:domain
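
An added example, not the poster's plugin: the same From/Reply-To comparison done on the registrable domain, so that `example.co.uk` and `other.co.uk` are told apart while subdomains of one organisation still match. The suffix list and address pairs are constructed, and `registrable_domain` and `domains_differ` are hypothetical helper names.

```perl
#!/usr/bin/perl
# Added example: compare From and Reply-To by registrable domain.
use strict;
use warnings;

# Constructed, deliberately tiny list of multi-label public suffixes.
# A production check would load the full Public Suffix List instead.
my %multi_suffix = map { $_ => 1 } qw(co.uk org.uk com.au co.jp com.br);

# Return the registrable domain ("example.co.uk") of an address or host name.
sub registrable_domain {
    my ($addr) = @_;
    return '' unless defined $addr;
    ( my $host = lc $addr ) =~ s/.*\@//;    # strip the local part
    $host =~ s/\.$//;                       # drop a trailing dot
    my @labels = split /\./, $host;
    return '' if @labels < 2;
    my $keep = 2;
    $keep = 3 if @labels >= 3 && $multi_suffix{"$labels[-2].$labels[-1]"};
    return join '.', @labels[ -$keep .. -1 ];
}

# 1 = domains differ (rule would hit), 0 = same domain or a header is missing.
sub domains_differ {
    my ( $from, $reply_to ) = @_;
    my $f = registrable_domain($from);
    my $r = registrable_domain($reply_to);
    return 0 if $f eq '' || $r eq '';
    return $f ne $r ? 1 : 0;
}

# Constructed address pairs: From, Reply-To.
my @pairs = (
    [ 'billing@mail.example.com', 'support@example.com' ],
    [ 'info@shop.example.co.uk',  'sales@example.co.uk' ],
    [ 'info@example.co.uk',       'claims@other.co.uk' ],
    [ 'admin@example.com',        'admin@example.net' ],
    [ 'news@example.com',         '' ],
);
for my $p (@pairs) {
    printf "%-26s %-22s %s\n", $p->[0], $p->[1] || '(none)',
        domains_differ(@$p) ? 'HIT' : 'pass';
}
```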

6

Re: Blacklist

WhoAmI68 wrote:

You can add a bad domain to SpamAssassin. Below is an example.

sudo nano /etc/spamassassin/header-keywords.cf

header DOMAINE_FROM_01 From =~ /\@badguys\.de|\@badguys\.com/i
header DOMAINE_FROM_02 From =~ /\@badguys\.es|\@badguys\.net/i
meta DOMAINE_FROM (( DOMAINE_FROM_01 + DOMAINE_FROM_02 ))
score DOMAINE_FROM  10.1

Also add a score to the Sieve filter.

sudo nano /var/vmail/sieve/dovecot.sieve

if header :contains "X-Spam-Level" "**********" {
    discard;
    stop;
}

Thanks dude, unfortunately, I don't have /etc/spamassassin/header-keywords.cf on my CentOS.

7

Re: Blacklist

Add the SpamAssassin rule to /etc/mail/spamassassin/local.cf.