Fighting Spam: Block entire (T)TLD with Postfix

Oct 25, 2016 | Blog, Technical, Website Security

A Top-Level Domain (TLD) is at the highest level of the Domain Name System (DNS) structure. The domain .com is a TLD. So is .org, .net, and .biz.

I’ve presented on DNS (and BIND) – you can click the link to view my PDF slides (and you can view a listing of all of my posted workshops at https://barredowlweb.com/knowledge-base/#workshops). You can also read an old blog post I wrote on an introduction to DNS & IPv6 at https://barredowlweb.com/2013/10/28/introduction-dns-ipv6/.

But back to this topic… There are a lot of new TLDs, such as .bid and .science. At Barred Owl Web, we’ve noticed that spammers are the only ones sending email from domain names inside many of these TLDs.

In an effort to curb this spam, we block email coming from many of these TLDs completely. Here’s how you can too (these instructions are for CentOS servers, but can of course be adapted to your your particular Linux distribution and wherever your Postfix configuration files are located).

1. Create a file in /etc/postfix, and name it “reject_domains”
(vim /etc/postfix/reject_domains)

2. Here are the current contents of our reject_domains file – it’s growing, but we currently are blocking email from 15 different TLDs:

/\.pro$/ REJECT We reject all .pro domains
/\.date$/ REJECT We reject all .date domains
/\.science$/ REJECT We reject all .science domains
/\.top$/ REJECT We reject all .top domains
/\.download$/ REJECT We reject all .download domains
/\.work$/ REJECT We reject all .work domains
/\.click$/ REJECT We reject all .click domains
/\.link$/ REJECT We reject all .link domains
/\.diet$/ REJECT We reject all .diet domains
/\.review$/ REJECT We reject all .review domains
/\.party$/ REJECT We reject all .party domains
/\.zip$/ REJECT We reject all .zip domains
/\.xyz$/ REJECT We reject all .xyz domains
/\.stream$/ REJECT We reject all .stream domains
/\.bid$/ REJECT We reject all .bid domains

3. Edit /etc/postfix/main.cf and add the following line:
smtpd_sender_restrictions =
check_sender_access pcre:/etc/postfix/reject_domains

4. Reload Postfix:
postfix reload

You’re done. Hopefully this will help you combat spam too.

Need help with your Linux web or email server? Contact me at https://barredowlweb.com/contact/ to start a conversation.

Contact Us

P.O. Box 21514
Chattanooga, TN 37424