blog

TLD block how to on CPanel & why it matters

TLD – that means “Top Level Domain” like .com, .net, .edu, and the like…all TLD’s we’re familiar with.  In their infinite wisdom ICAAN started allowing anyone and their brother with $100k to make their own (partly a money grab, partly needed with IPv6’s expansion of available IP’s on the interwebs).

This means TLD’s are ever expanding and that’s the problem.  The regularly updated list is here:  https://data.iana.org/TLD/tlds-alpha-by-domain.txt

A problem with this are the hacker losers.  I mean…am I right or am I right…AAAAAAA!  Dumb movie quote but gimmicks aside TLD’s are a real problem because it is being abused by the hacker loser community.  They can buy cheap  “.xyz” domains for .99 cents thanks to GoDaddy and other cheap hosting companies.

For an inexpensive amount of money I can stand up a cheap spamyouhackyou.xyz domain and start a phishing campaign or spamming campaign.  I can even put my bot net on it and start attacking servers online.

To stop this abuse you should block TLD’s that are straight silly.  Who does business with anyone who has an “.xyz” or “.link” domain?  No legitimate business should AND if you find you actually do because I think I have one client who actually does with a firm who uses .link then you can white list that one but forget the rest.  This is akin to “country blocking” where you block countries your firm doesn’t do business with nor sees themselves doing business with in the future.

Email is a terribly porous gateway into your network.  You need to definitely add TLD blocking to the mix.  OK, now…how to?

Well in CPanel you can add it to a custom filter.  With other email systems I’m sure there’s a mechanism so you’ll need to let me know but in CPanel this is what you do (I also have another post to Ubuntu & POSTFIX to block TLD’s):

SSH to your CPanel server

touch /usr/local/cpanel/etc/exim/sysfilter/options/global_tld_block

nano /usr/local/cpanel/etc/exim/sysfilter/options/global_tld_block

Past the contents of this file into it:  File <– Click to download

ctl + x (to save and exit, hit “y” to say yes)

Log into your CPanel control panel:  Service Configuration => Exim Configuration Manager => Filters => Custom Filter: [your unique file]

Restart exim:  Mail Server (Exim)

tail -f /var/log/exim_mainlog

** You’ll want to tail your exim_mainlog and MAKE SURE you’re not blocking legit domains.

Watch the log for lines similar to this:

2015-11-07 12:49:07 1Zv7bv-0006qC-Nm => discarded (system filter)

Here's an actual full discard:
2016-08-22 11:11:53 1bbqtF-0008Kv-52 <= pimpmsqs@han.aserv.co.za H=han.aserv.co.za [154.0.168.133]:57842 P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=1760 id=1a049f4a019761b993c43959791e4abe@www.pimpmybook.co.za T="simone.taljaard9@gmail.com wrote a note - Pimp My Book" for online@pimpmybook.com
2016-08-22 11:11:53 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1bbqtF-0008Kv-52
2016-08-22 11:11:53 1bbqtF-0008Kv-52 => discarded (system filter)
2016-08-22 11:11:53 1bbqtF-0008Kv-52 Completed
2016-08-22 11:11:53 SMTP connection from han.aserv.co.za [154.0.168.133]:57842 closed by QUIT

That means it was discarded due to your system filter – the TLD block we just put in.  The only problem is, if the syntax is wrong in the file you MIGHT block .com, .net, etc.  That’s bad so check your log!

This process was found on a CPanel form noted in my file.  Give credit where credit is due and it’s nice to refer back to it once in a while if you need to make changes.  Again, I’d make updates to it from time to time OR possibly script out the update which I might do some day soon so I don’t have to think about it anymore 😉

 

One thought on “TLD block how to on CPanel & why it matters

  1. Good Day,
    This script has served me well for about a year now however I found an issue and looking for advice.. One snipit of your code is
    or (“$h_from:” matches “.+@.+\\\\.fedex[^a-zA-Z0-9_]”)
    This line unfortunately discarded legitimate emails from firstnamelastname@ftn.fedex.com. Any chance of getting an updated script to look at the tail of the email address instead?
    Thank you in advance…

Leave a Reply

Your email address will not be published. Required fields are marked *

*