# [SOLVED] Postfix/amavis blacklist domains?

## epig

Hi all

I have users who are getting a fair amount of spam with subject and body in Norwegian.

Needless to say, this has no problem in bypassing my amavisd-new spam checks. 

This spam is, however, somewhat atypical since it seems to originate from just a few domains. 

I have tried to blacklist this in /usr/share/spamassassin/user_prefs with no luck. 

```
blacklist_from *@luxury-pesos.com
blacklist_from *@luxurious-cow.com
blacklist_from *@new.coinletters2.com
blacklist_from *@anonhost.org
blacklist_from *@daytoanyway.co.uk
blacklist_from *@dainty-pirate-money.net
blacklist_from *@green-mango-bargain.org
blacklist_from *@norgesautomatencasino.no
blacklist_from *@daytoanyway.co.uk
blacklist_from *@ladivaoutlet.comi
blacklist_from *@vip-erbjudande.net
blacklist_from *@knowledgeways.date
```

So my question is: 

where, if anywhere, can I put this file or such a blacklist? Does anyone know?

Last edited by epig on Thu May 12, 2016 2:01 pm; edited 1 time in total

----------

## Duncan Mac Leod

 *epig wrote:*   

> So my question is: 
> 
> where, if anywhere can I put this file or such a blacklist? Does anyone know?

 

Just put your blacklist entries in /etc/spamassassin/local.cf

----------

## epig

 *Duncan Mac Leod wrote:*   

> Just put your blacklist entries in /etc/spamassassin/local.cf

 

That does not seem to work: 

```
blacklist_from *@luxury-pesos.com
blacklist_from *@luxurious-cow.com
blacklist_from *@new.coinletters2.com
blacklist_from *@anonhost.org
blacklist_from *@daytoanyway.co.uk
blacklist_from *@dainty-pirate-money.net
blacklist_from *@green-mango-bargain.org
blacklist_from *@norgesautomatencasino.no
blacklist_from *@daytoanyway.co.uk
blacklist_from *@ladivaoutlet.comi
blacklist_from *@vip-erbjudande.net
blacklist_from *@knowledgeways.date
```

Gives the log entry: 

```
May 10 11:34:11 [postfix/smtpd] connect from guild.gasseaplane.com[208.76.251.230]
May 10 11:34:12 [postfix/smtpd] NOQUEUE: client=guild.gasseaplane.com[208.76.251.230]
May 10 11:34:12 [amavis] (03840-14) ESMTP:[127.0.0.1]:10024 /var/amavis/tmp/amavis-20160509T200903-03840-VbgpJ5lG: <s129@anonhost.org> -> <someone@domain.net> SIZE=8880 BODY=8BITMIME Received: from grond.domain.net ([127.0.0.1]) by localhost (grond.domain.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <someone@domain.net>; Tue, 10 May 2016 11:34:12 +0200 (CEST)
May 10 11:34:12 [amavis] (03840-14) Checking: zNWWxMHugJF1 [208.76.251.230] <s129@anonhost.org> -> <someone@domain.net>
May 10 11:34:12 [amavis] (03840-14) p003 1 Content-Type: multipart/alternative
May 10 11:34:12 [amavis] (03840-14) p001 1/1 Content-Type: text/plain, size: 331 B, name:
May 10 11:34:12 [amavis] (03840-14) p002 1/2 Content-Type: text/html, size: 7170 B, name:
May 10 11:34:12 [postfix/smtpd] connect from localhost[127.0.0.1]
May 10 11:34:12 [postfix/smtpd] 876A9202754: client=localhost[127.0.0.1]
May 10 11:34:12 [postfix/cleanup] 876A9202754: message-id=<8768b8f38d7aa2c5924c8173aaa0a01c@s129.anonhost.org>
May 10 11:34:12 [postfix/smtpd] disconnect from localhost[127.0.0.1] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
May 10 11:34:12 [postfix/qmgr] 876A9202754: from=<s129@anonhost.org>, size=9464, nrcpt=1 (queue active)
May 10 11:34:12 [amavis] (03840-14) FWD from <s129@anonhost.org> -> <someone@domain.net>,BODY=7BIT 250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as 876A9202754
May 10 11:34:12 [amavis] (03840-14) Passed CLEAN {RelayedInbound}, [208.76.251.230]:60029 [208.76.251.230] <s129@anonhost.org> -> <someone@domain.net>, Message-ID: <8768b8f38d7aa2c5924c8173aaa0a01c@s129.anonhost.org>, mail_id: zNWWxMHugJF1, Hits: -0.917, size: 9030, queued_as: 876A9202754, 549 ms
May 10 11:34:12 [amavis] (03840-14) TIMING-SA total 203 ms - parse: 2.5 (1.2%), extract_message_metadata: 17 (8.4%), get_uri_detail_list: 2.9 (1.4%), tests_pri_-1000: 10 (4.7%), tests_pri_-950: 0.98 (0.5%), tests_pri_-900: 1.03 (0.5%), tests_pri_-400: 22 (10.9%), check_bayes: 21 (10.4%), b_tokenize: 8 (4.1%), b_tok_get_all: 6 (3.0%), b_comp_prob: 4.4 (2.2%), b_tok_touch_all: 0.35 (0.2%), b_finish: 0.49 (0.2%), tests_pri_0: 129 (63.4%), check_dkim_signature: 0.88 (0.4%), check_dkim_adsp: 26 (13.0%), check_pyzor: 0.11 (0.1%), tests_pri_500: 2.2 (1.1%), get_report: 0.55 (0.3%)
May 10 11:34:12 [postfix/local] 876A9202754: to=<someone@domain.net>, relay=local, delay=0.02, delays=0.01/0/0/0, dsn=2.0.0, status=sent (delivered to maildir)
May 10 11:34:12 [postfix/qmgr] 876A9202754: removed
```

It looks like SA is ignoring the local.cf file altogether.

I also put some BAYES_ scores in a while ago to test, with no result.

Does the default Gentoo installation (I installed it all through Portage) hide its config somewhere else?
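
To check from the mail log which senders with a `blacklist_from` entry amavis is still passing, as in the log above, the following added example (not part of the original post) cross-checks the config file against the log. The function names and the second log line are constructed for illustration; the first log line is abbreviated from the post.

```shell
#!/bin/sh
# Added example: report mail that amavis passed even though the envelope
# sender domain has a "blacklist_from *@domain" entry.
# usage: blacklisted_but_passed SPAMASSASSIN_CF MAIL_LOG
blacklisted_but_passed() {
    awk '
        # First file: collect domains from "blacklist_from *@domain" lines.
        FNR == NR {
            if ($1 == "blacklist_from" && $2 ~ /^\*@/)
                bl[tolower(substr($2, 3))] = 1
            next
        }
        # Second file: amavis verdict lines that let the message through.
        /\[amavis\]/ && / Passed / {
            # The envelope sender is the <addr> token right before "->".
            if (!match($0, /<[^<>@ ]+@[^<>@ ]+> ->/)) next
            addr = substr($0, RSTART + 1, RLENGTH - 5)
            dom = tolower(addr)
            sub(/^.*@/, "", dom)
            hits = "?"
            if (match($0, /Hits: [-0-9.]+/))
                hits = substr($0, RSTART + 6, RLENGTH - 6)
            if (dom in bl) print addr, hits
        }
    ' "$1" "$2"
}

# Constructed sample data so the check can be tried without a live mail server.
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/local.cf" <<'EOF'
blacklist_from *@anonhost.org
blacklist_from *@luxury-pesos.com
EOF
    cat > "$dir/mail.log" <<'EOF'
May 10 11:34:12 [amavis] (03840-14) Passed CLEAN {RelayedInbound}, [208.76.251.230]:60029 [208.76.251.230] <s129@anonhost.org> -> <someone@domain.net>, mail_id: zNWWxMHugJF1, Hits: -0.917, size: 9030
May 10 11:40:02 [amavis] (03840-15) Passed CLEAN {RelayedInbound}, [192.0.2.10]:41000 [192.0.2.10] <alice@example.org> -> <someone@domain.net>, mail_id: CONSTRUCTED01, Hits: 0.3, size: 2100
EOF
    blacklisted_but_passed "$dir/local.cf" "$dir/mail.log"
    rm -rf "$dir"
}
```

Each output line is a sender address followed by the score amavis logged; a low score on a listed domain means the blacklist rule did not fire for that message.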

----------

## freke

I *think* amavis-new and maia (a fork of amavis-new which I use) only call specific SpamAssassin modules?

I *think* if you started spamd and created a content-filter it might work using local.cf?

You could use access-maps in postfix to blacklist - I guess that'll also save CPU-cycles as it's done sooner, i.e.:

/etc/postfix/maps/sender_access

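```
# hash: tables do not expand wildcards; a bare domain key
# matches every sender address at that domain
luxury-pesos.com REJECT
luxurious-cow.com REJECT
new.coinletters2.com REJECT
...
```

```
postmap hash:/etc/postfix/maps/sender_access
```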

in /etc/postfix/main.cf

```
smtpd_recipient_restrictions =
        check_sender_access hash:/etc/postfix/maps/sender_access
        permit_mynetworks
        permit_sasl_authenticated
...
```

```
postfix reload
```
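
An existing SpamAssassin list can be turned into a Postfix sender access table mechanically. This is an added example, not part of the original post: it assumes the `blacklist_from` entries from this thread, and relies on Postfix `hash:` access tables being looked up by full address and then by bare domain, with no `*@` glob expansion. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: convert SpamAssassin "blacklist_from" lines (stdin) into
# Postfix access(5) entries (stdout) for use with check_sender_access.
sa_blacklist_to_access() {
    awk '
        $1 == "blacklist_from" {
            # blacklist_from accepts several addresses on one line.
            for (i = 2; i <= NF; i++) {
                key = tolower($i)
                if (key ~ /^\*@[^*?]+$/) {
                    key = substr(key, 3)      # "*@domain" -> bare domain key
                } else if (key ~ /[*?]/) {
                    # Other globs have no equivalent in an indexed table.
                    print "skipped: " $i > "/dev/stderr"
                    continue
                }
                if (!(key in seen)) {         # drop duplicate entries
                    seen[key] = 1
                    print key "\tREJECT"
                }
            }
        }
    '
}

# Sample input built from entries posted in this thread, including the
# duplicate, plus one constructed glob that cannot be converted.
sample_blacklist() {
    cat <<'EOF'
blacklist_from *@anonhost.org
blacklist_from *@daytoanyway.co.uk
blacklist_from *@norgesautomatencasino.no
blacklist_from *@daytoanyway.co.uk
blacklist_from *@*.example.invalid
EOF
}
```

Write the output to `/etc/postfix/maps/sender_access` and run `postmap` on it again; the indexed file is only updated when `postmap` is rerun.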

----------

## epig

 *freke wrote:*   

> You could use access-maps in postfix to blacklist - I guess that'll also save CPU-cycles as it's done sooner, ie.:

 

Thanks. 

I tried that, I will check tomorrow morning  :Smile: 

----------

## silter2

 *epig wrote:*   

> Hi all
> 
> I have user that are getting a fair amount of spam with subject and body in Norwegian. 
> 
> Needless to say, this has no problem in bypassing my amavisd-new spam checks. 
> ...

 

step 1:

in /etc/spamassassin/v320.pre ON:

```
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
```

step 2:

in /etc/spamassassin/local.cf ON:

```
ifplugin Mail::SpamAssassin::Plugin::Shortcircuit
shortcircuit USER_IN_BLACKLIST       on
shortcircuit USER_IN_BLACKLIST_TO    on
shortcircuit SUBJECT_IN_BLACKLIST    on
endif # Mail::SpamAssassin::Plugin::Shortcircuit
```

and add this line:

```
include /etc/spamassassin/my_black_list.cf
```

step 4:

vi/nano/vim, whatever you like  :Wink:  /etc/spamassassin/my_black_list.cf and paste your rules:

```
blacklist_from *@luxury-pesos.com
blacklist_from *@luxurious-cow.com
blacklist_from *@new.coinletters2.com
blacklist_from *@anonhost.org
blacklist_from *@daytoanyway.co.uk
blacklist_from *@dainty-pirate-money.net
blacklist_from *@green-mango-bargain.org
blacklist_from *@norgesautomatencasino.no
blacklist_from *@daytoanyway.co.uk
blacklist_from *@ladivaoutlet.comi
blacklist_from *@vip-erbjudande.net
blacklist_from *@knowledgeways.date
```

step 5:

```
sa-compile
/etc/init.d/amavisd reload
```

----------

## epig

Thank you!

----------

