Perl programmer for hire: download my resume (PDF).
John Bokma's Hacking & Hiking

Blocklisting top level domains with Postfix

May 13, 2019

My experience is that top level domains like .icu, .win, .trade, etc. are a source of spam. Because I don't expect actual email from those domains I decided to blocklist those domains as well as several countries in Postfix.

I used vi to open main.cf located in /etc/postfix on my VPS and added the following line:

smtpd_sender_restrictions =
    check_sender_access pcre:/etc/postfix/reject_domains.pcre

I actually did this two days ago, so I could test this before blogging about it.

Next, I created a new file reject_domains.pcre inside the same directory blocking one domain per line. As of today this file is as follows:

/\.(asia)$/   REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(bg)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(bid)$/    REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(biz)$/    REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(br)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(cl)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(cn)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(co)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(date)$/   REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(faith)$/  REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(hk)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(icu)$/    REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(il)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(in)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(info)$/   REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(ir)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(link)$/   REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(loan)$/   REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(my)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(pe)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(ph)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(pl)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(pro)$/    REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(review)$/ REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(ro)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(ru)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(site)$/   REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(stream)$/ REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(tech)$/   REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(th)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(top)$/    REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(trade)$/  REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(tw)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(us)$/     REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(win)$/    REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(work)$/   REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com
/\.(xyz)$/    REJECT TLD $1 is blacklisted, use jjjbokma at gmail dot com

Inside the regular expression the part between parenthesis is captured and assigned to the variable $1. It's possible to put multiple domains inside one regular expression, for example:

/\.(win|work|xyz)$/

Which matches any of the top-level domains win, work, xyz.

Note that I provide an alternative email to contact me for those rare (if ever) cases someone actually wants to contact me using a blacklisted domain.

Next, I restarted Postfix:

/etc/init.d/postfix restart

Instructions for your set up might differ.

You can find blacklisted entries using:

grep blacklisted /var/log/mail.log

Two examples of obvious spam that got blocked:

May 13 15:14:17 johnbokma postfix/smtpd[22184]: NOQUEUE: reject: RCPT from unkno
wn[23.95.121.81]: 554 5.7.1 <ElonMuskNoElectricityBill@bioticproductus.icu>: Sen
der address rejected: TLD icu is blacklisted, use jjjbokma at gmail dot com; fro
m=<ElonMuskNoElectricityBill@bioticproductus.icu> to=<contact@johnbokma.com> pro
to=ESMTP helo=<09a19a2a.bioticproductus.icu>
May 13 15:33:14 johnbokma postfix/smtpd[22600]: NOQUEUE: reject: RCPT from unkno
wn[23.95.121.80]: 554 5.7.1 <RussianGirlForU@bellydietguide.icu>: Sender address
rejected: TLD icu is blacklisted, use jjjbokma at gmail dot com; from=<RussianGi
rlForU@bellydietguide.icu> to=<contact@johnbokma.com> proto=ESMTP helo=<09a19a2d
.bellydietguide.icu>

Both from the .icu top-level domain which recently, in my experience, has become a victim of spammers.