Exim blacklist not working

Richard G

Seems the Exim blacklist is not working. We regularly get phishing mails, so-called from KVK Netherlands.
However, the helo is almost always the same on the servers they use.

They use helo=duwhetdoorXX.com where the XX stands for a number.

So we got bored of them and then we blocked duwhetdoor*.com in:
/etc/virtual/bad_sender_hosts
/etc/virtual/blacklist_domains
/etc/virtual/blacklist_senders

And today....
Received: from blue-zebra-35563.zap.cloud ([191.101.206.232] helo=duwhetdoor4.com) (envelope-from <[email protected]>) Received: from duwhetdoor13.com (246.60.197.35.bc.googleusercontent.com

This header was from 1 mail.

So how come if I block duwhetdoor*.com that this message still comes through? While mentioned in all blacklist files?
 
What update and what errors are you talking about? There are no updates and no errors.
Exim is just letting these mails pass through.
 
Up, still issues with blacklisting. The blacklist_domains file for example is not working.

For example we had this in our blacklist_domains:
koopfans.*
koopfan.*

and this is what came in today:
Code:
(envelope-from <[email protected]>)]

How can this happen or should I use *.koopfans.* in my blacklist? Should not be necessary.
 
should I use *.koopfans.* in my blacklist?
That's the correct logic of the regex pattern,

could put it like this too.
Code:
@*koopfans*
This will ensure all the multiple fake domains get filtered.
 
OK, thank you, I will try and see if that works.
I thought since it was the domains blacklist file it would only look at the domain name, but you're right, most likely I need to use it that way.

could put it like this too.
Yes in the blacklist_senders we can use the @ so in there I have it already with *@*.koopfans.* to block it.
I used dots in there to prevent other domains with koopfans anywhere in the name to be blocked.
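
Added example, not part of any post in this thread and not DirectAdmin's or Exim's own code: a small Python model of the item rules the Exim specification documents for domain lists (a leading `*` is a suffix match, a leading `^` starts a regular expression, anything else is a caseless literal comparison), run over the patterns quoted above. It assumes the blacklist file is consulted under those rules; the sample domains are constructed and the two `^...` patterns are illustrative alternatives.

```python
import re

def exim_domain_match(pattern: str, domain: str) -> bool:
    """Model of how one Exim domain-list item is compared with a domain."""
    pattern, domain = pattern.strip(), domain.strip().lower()
    if pattern.startswith("^"):
        # Leading circumflex: the item is a regular expression, matched caselessly.
        return re.search(pattern, domain, re.IGNORECASE) is not None
    if pattern.startswith("*"):
        # Leading asterisk: the remainder must equal the END of the domain.
        return domain.endswith(pattern[1:].lower())
    # Otherwise a caseless literal comparison; '*' elsewhere is just a character.
    return pattern.lower() == domain

# Patterns quoted in the thread.
THREAD_PATTERNS = ["duwhetdoor*.com", "koopfans.*", "*.koopfans.*"]
# Illustrative alternatives (assumptions, not from the thread); written without
# backslashes or '$' so they read the same whether or not the list is expanded.
ALTERNATIVES = ["^duwhetdoor[0-9]+[.]com", "^(.+[.])?koopfans[.]"]
# Constructed sample domains; the real sender domains are redacted on the page.
SAMPLES = ["duwhetdoor4.com", "koopfans.nl", "mail.koopfans.nl", "notkoopfans.nl"]

def blocked_by(patterns, domain):
    """Return the patterns from `patterns` that match `domain`."""
    return [p for p in patterns if exim_domain_match(p, domain)]

def report():
    """Map each sample domain to (thread-pattern hits, alternative hits)."""
    return {d: (blocked_by(THREAD_PATTERNS, d), blocked_by(ALTERNATIVES, d))
            for d in SAMPLES}

if __name__ == "__main__":
    for domain, (old, new) in report().items():
        print(f"{domain:20} thread patterns: {old or 'no match'}  "
              f"alternatives: {new or 'no match'}")
```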
 