How to block entire top-level domain?

One particular class of spam that just won’t get filtered by SpamAssassin seems to be “newsletters” I’m getting in foreign languages, to the tune of ten or so a day.

The spammers are very kind, however, and send from email addresses almost always in Brazil. How might I instruct my server to simply reject ANY emails where the sender has a .br domain? Yes, I realize the implications here - on this server, I am comfortable doing such a solid block.

At which point would I want to configure this, and perhaps a pointer to how? At the MTA level and simply drop the mail on the floor? Or at the SMTP level and reject it with hopes that the sender stops trying?

See How can individual users configure spamassassin?

Simply create a filter:
For incoming mail: * matching all of the following rules

  • To . matches expression *.br
    … execute the following action
    Discard with message: - / or Delete Message

So this is exactly what I want to do - but where?

Which file do I edit to do this for the WHOLE SERVER? Not individual users, but tell my server that if the mail is coming from a .br address (even if forged - I’m cool with that), reject it?

Your response indicates I can do it, but having never done it before, your instructions are a few steps down the road.

You can edit the sieve-spam.sieve file located at /etc/dovecot/sieve-spam.sieve on the server, but I don’t know what happens if you update miab. So the easiest way I see is to use iptables: Block entire country using iptables.

You misunderstand.

I don’t want to block the country. I want to block all MAIL that CLAIMS to come from a particular TLD. That could be .br, or .us, or even a gTLD like .info

I want all mail with a From address that ends in a particular TLD to simply be noted as spam and rejected. For the whole server.

Sorry, for the second part. I think it’s not that big an issue to extend the script to block only the incoming traffic on port 25. But as I said (first part) you can only do it by editing the sieve-spam.sieve file located at /etc/dovecot/sieve-spam.sieve on the server.

For example:

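require ["reject"];
# rule:[BR-TLDs]
# :matches takes glob wildcards (* and ?), not regex alternation, so each TLD gets its own pattern.
# The address test with :domain compares only the domain part of the From address.
if address :domain :matches "from" ["*.br", "*.us", "*.info"]
{
        reject "REJECTED";
}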
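The TLD check this thread asks for, written in Python so it can be tried against sample From headers before a server-wide rule is deployed. This is an added example, not part of the original post and not Mail-in-a-Box code; the function names, the blocklist and the sample headers are constructed for illustration. It compares a glob over the raw header value with a check on the parsed address domain.

```python
from email.utils import getaddresses
from fnmatch import fnmatchcase

# Assumed blocklist: the TLDs mentioned in the thread.
BLOCKED_TLDS = {"br", "us", "info"}

def sender_domains(from_header):
    """Return the lower-cased domain of every address in a From header."""
    domains = []
    for _name, addr in getaddresses([from_header]):
        _local, sep, domain = addr.rpartition("@")
        if sep and domain:
            domains.append(domain.rstrip(".").lower())
    return domains

def tld_blocked(from_header, blocked=BLOCKED_TLDS):
    """True if any From address has a domain whose last label is blocked."""
    return any(d.rsplit(".", 1)[-1] in blocked
               for d in sender_domains(from_header))

def raw_glob_blocked(from_header, pattern="*.br"):
    """Naive check: case-insensitive glob over the whole header value.

    Approximates matching the unparsed header text against a wildcard
    pattern, display name and angle brackets included.
    """
    return fnmatchcase(from_header.strip().lower(), pattern)

# Constructed sample headers (not taken from real mail).
SAMPLES = [
    "Ofertas <news@loja.example.com.br>",   # display name + angle brackets
    "NEWS@LOJA.EXAMPLE.COM.BR",             # bare address, upper case
    "bob@br.example.org",                   # 'br' is not the last label
    '"promo.br" <alice@example.org>',       # TLD text only in display name
    "Info Desk <desk@example.info>",        # blocked gTLD
]

def compare(samples=SAMPLES):
    """Return (header, parsed-domain verdict, raw-glob verdict) per sample."""
    return [(h, tld_blocked(h), raw_glob_blocked(h)) for h in samples]

if __name__ == "__main__":
    for header, by_domain, by_glob in compare():
        print(f"{header!r:45} domain-check={by_domain} raw-glob={by_glob}")
```

The first sample is the common case in real mail: the raw glob misses it because the header value ends in `>`, while the parsed-domain check catches it.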

Is there a GUI way of doing this?

Yes GUI…

From the mail page
Settings
Filters
select filter set
select “+” (add filter)
fill in the details

That GUI approach only works for a single email address, not entire domains or the server. You need to do what @h8h said.

I found a nice guide to writing sieve rules here: https://protonmail.com/support/knowledge-base/sieve-advanced-custom-filters/