<p>Thank you John,</p><p> </p><p>I am not sure how many times I had read through the manual and missed that.  That line has been added to the Tranflt.mer file.  </p><p> </p><p> </p>

<p style="margin: 0cm 0cm 10pt;"><font face="Calibri" size="3">Good day one and all.   Once again I have to turn to the forum to see if there is somebody that can tell me as to what I am doing wrong.</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3"> </font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">Since my last post, I have been checking the logs and overall I am a happy chappy.   Things are being processed as I have wanted and expect.  With the Exception being  the Content Control blacklist.  I have just one entry in there, at the present time, but it is not being caught by my blacklist.  It is being caught by SpamHouse , dropped and blocked.  This is a snippet from the SMTP log:</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">T 20161108 054127 582058f1 Connection from 198.148.80.98</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">T 20161108 054128 582058f1 EHLO 192.168.0.171</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">T 20161108 054128 582058f1 MAIL FROM: xo@ore.net</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">E 20161108 054128 582058f1 Host 198.148.80.98 blocked by SpamHaus-2-8 - dropped and blocked.</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">T 20161108 054128 582058f1 Connection closed with 198.148.80.98, 1 sec. elapsed.</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">E 20161108 054129 0 Connection from 198.148.80.98 refused because of short-term restriction.</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">T 20161108 054223 582058f2 Connection from 186.218.212.56</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3"> </font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">Session log shows</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:27.376: --- 8 Nov 2016, 5:41:27.376 ---</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:27.376: Accepted connection from '198.148.80.98', timeout 30 seconds.</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:27.376: Connection from 198.148.80.98, Tue Nov 08 05:41:27 2016<lf></font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:27.376: << 220 xxxx.xxx ESMTP server ready.<cr><lf></font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:28.016: >> EHLO 192.168.0.171<cr><lf></font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:28.016: << 250-xxxxxx.xxx Hello 192.168.0.171; ESMTPs are:<cr><lf>250-TIME<cr><lf></font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:28.016: << 250-SIZE<cr><lf></font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:28.016: << 250 HELP<cr><lf></font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:28.657: >> MAIL FROM: xo@ore.net<cr><lf></font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:28.891: << 551 BARRED: 198.148.80.98 - Blocked by SpamHaus.org See http://spamhaus.org for removal instructions<cr><lf></font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:28.891: --- Connection closed normally at 8 Nov 2016, 5:41:28.891. ---</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">05:41:28.891:</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3"> </font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">In my blacklist I have </font><a><font face="Calibri" size="3">xo@ore.net</font></a><font face="Calibri" size="3">.   I have even tried different combinations using the wild card placement.  </font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3"> </font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">The reason I have chosen this address is it has shown up numerous times, all from different connection IP address. The Hello greeting just about always has been 192.168.0.171, with a few variances.    </font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3"> </font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">The SMTP Server, Spam Control, Blacklist Definitions order is:</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">Whitelist</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">BlackList</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">SpamHous 2-8</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">SpamCop</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">PSBL</font></p> <p style="margin: 0cm 0cm 0pt;"><font face="Calibri" size="3">SpamHouse Zen PBL</font></p>

<p>Content control is applied to the message by Mercury core after it has been received by MercuryS or MercuryD. To prevent MercuryS from accepting all connections from 198.148.80.98 go to MercuryS configuration / Connection control and add a restriction for that IP address with attribute "Refuse connections".</p><p> </p>

<p>Since you say that the originating IP address changes but the mail address remains the same, you might be better off adding that address to the MercuryS killfile.</p><p> </p><p>Your logs should then look similar to this:-</p><p> </p><p>T 20161111 161712 5823bc3d Connection from 218.38.243.204</p><p><span style="font-size: 10pt;">T 20161111 161713 5823bc3d EHLO mata.com</span></p><p>T 20161111 161713 5823bc3d MAIL FROM: <info@apple.com></p><p>E 20161111 161713 5823bc3d Killfile: Mail from '<info@apple.com>' rejected, talking to 218.38.243.204 </p><p>T 20161111 161714 5823bc3d Connection closed with 218.38.243.204, 2 sec. elapsed.</p><p> </p><p>John. </p>

<p>I am using that for other address and it does work just fine. As I stated mail from xo@ore.net comes from different IP address. So can not block it with IP restriction. </p><p>HELO is usually from 192.168.0.171, but have seen it from 175 and other address too.  </p><p>The only consistent is the marl from.  That is why I want it in the black list.    </p>

<p>Okay, this suggestion just might work. I did not have that checked as an option for MercuryS to use. Just set it up now. Will advise if this works.</p><p> </p><p>Thanks</p><p> </p>

<p>Sr. Grumpy Bear,</p><p>You could also do it using transaction filtering. Add a line to the TRANSFLT.MER file<span style="font-size: 10pt;"> like:-</span></p><p>M, "<span style="font-family: Tahoma, Arial, Helvetica; font-size: 12.096px;">xo@ore.net</span><span style="font-size: 10pt;">", BS, "554 XO@ORE.NET Not Welcome Here - connection dropped." </span></p><p>and make sure you have transaction level filtering enabled under MercuryS Compliance.</p><p><span style="font-size: 10pt;">John. </span></p>