Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC

Spam coming for new top level domains...

2015-01-17 by Bill Levering

I've noticed that the following new top level domains are 100% spam:

.rocks
.click
.xyz

Sad thing is, milter-greylist doesn’t appear to be able to catch them with these configuration settings:
racl blacklist domain /.*\.rocks$/ msg "Sender domain suffix .rocks is full of spammers"

or

racl blacklist from /.rocks$/ msg "Sender domain suffix .rocks is full of spammers"

Am I doing something wrong with either of those rules and are there others that you have seen?

Bill

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-17 by Vincent Fox

On 1/17/2015 12:35 PM, Bill Levering yidbill@... [milter-greylist] 
wrote:
> I've noticed that the following new top level domains are 100% spam:
>
> .rocks
> .click
> .xyz
>
>
We flat block these in sendmail access file:

link
website
berlin
email
guru
wang
xn-3ds443g
xyz
rocks
click

There are times when I think about adding .us and .eu as well.
But there is SOME legit stuff there.  So we mildly penalize score
in our spamassassin layer instead.   Been thinking about making
US and EU people also wait longer on the greylist before sending
but I haven't gotten around to it yet.

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-18 by manu@...

Bill Levering yidbill@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> Am I doing something wrong with either of those rules and are there others
> that you have seen?

Is the envelope sender address really in .rocks? Perhaps envelope and
header sender address do not match?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

RE: [milter-greylist] Spam coming for new top level domains...

2015-01-19 by Bruncsak, Attila

> racl blacklist from /.rocks$/ msg "Sender domain suffix .rocks is full of spammers"
> 
> Am I doing something wrong with either of those rules and are there others that you have seen?
> 
> Bill
> 
Hi Bill,

I would rather do

racl blacklist from /\.rocks[ 	>]*$/ msg "Sender domain suffix .rocks is full of spammers"

Mostly there is a closing ">" in the e-mail address, which makes your extended regexp not match.

(There is a space and a tab character in addition to ">" between [ ].)

Best,
Attila

PS:

By the way, space and tab characters never reach any milter in address fields; at least sendmail stupidly transforms them into underscores. No data transparency. :-(
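To make the difference between the two `from` rules concrete, here is an added example (not code from milter-greylist or from anyone in the thread) that runs both patterns over constructed envelope senders the way an `racl ... from /regex/` check would. It assumes, as the fix above implies, that milter-greylist matches the `from` regexp against the raw MAIL FROM string including its angle brackets; the sample addresses are invented. One caveat to verify against your own greylist.conf(5): the `domain` clause is documented as matching the sending machine's DNS name, not the envelope sender's domain, which would also explain why the first rule in the opening post never fired.

```python
import re

# Constructed envelope senders, in the form a milter receives the MAIL FROM
# argument.  Assumption (implied by the thread's fix): milter-greylist applies
# the `from` regexp to that raw string, angle brackets included.
SAMPLE_SENDERS = [
    "<promo@deals.rocks>",    # bracketed, which is what nearly every client sends
    "promo@deals.rocks",      # bare address, the only form the original rule fits
    "<news@example.click>",
    "<alice@example.org>",
    "bob@sharprocks",         # ends in "rocks" but is not under the .rocks TLD
]

# The two `from` patterns from the thread, as extended regexps.
RULES = {
    "original": r".rocks$",          # unescaped dot, no allowance for a trailing ">"
    "fixed":    r"\.rocks[ \t>]*$",  # escaped dot, tolerates ">" (and space/tab) before end
}


def racl_from_matches(pattern: str, mail_from: str) -> bool:
    """Emulate `racl blacklist from /pattern/`: an unanchored regexp search
    over the raw envelope sender string."""
    return re.search(pattern, mail_from) is not None


def matching_rules(mail_from: str) -> list:
    """Names of the rules that would fire for one sender."""
    return [name for name, pat in RULES.items() if racl_from_matches(pat, mail_from)]


def report() -> dict:
    """Which rules fire for each constructed sender."""
    return {s: matching_rules(s) for s in SAMPLE_SENDERS}


def racl_line(tld: str) -> str:
    """Build a greylist.conf line for one TLD in the fixed form.  The character
    class carries a literal tab, as the thread's version does."""
    return ('racl blacklist from /\\.%s[ \t>]*$/ msg "Sender domain suffix .%s is full of spammers"'
            % (tld, tld))


if __name__ == "__main__":
    for sender, hits in report().items():
        print("%-24s -> %s" % (sender, ", ".join(hits) or "no rule fires"))
    print(racl_line("click"))
```

Running it shows the original pattern firing only on the bare address (and, because of the unescaped dot, on a sender that merely ends in "rocks"), while the fixed pattern fires on both bracketed and bare `.rocks` senders and nothing else. `racl_line()` just writes the fixed form out for another TLD, so the same rule can be stamped out for `.click` or `.xyz`.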

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-20 by Mike Grau

On 01/17/2015 02:56 PM, Vincent Fox vbfox@... [milter-greylist]
wrote:
> There are times when I think about adding .us and .eu as well.
> But there is SOME legit stuff there.  So we mildly penalize score
> in our spamassassin layer instead.   Been thinking about making
> US and EU people also wait longer on the greylist before sending
> but I haven't gotten around to it yet.

I sympathize with that inclination. But I assure you that the domains
".xx.us", where "xx" is a two letter abbreviation for a US state, are
legitimate domains. :)

There does seem to be a bit of compromised account trouble out of
".k12.xx.us" domains, but that is a drop in the bucket compared to the
"name@..." type spam. Similarly, quite a bit of spam comes from
the .edu TLD.

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-21 by Vincent Fox

On 1/20/2015 7:39 AM, Mike Grau m.grau@... [milter-greylist] 
wrote:
> On 01/17/2015 02:56 PM, Vincent Fox vbfox@... [milter-greylist]
> wrote:
>> There are times when I think about adding .us and .eu as well.
>> But there is SOME legit stuff there.  So we mildly penalize score
>> in our spamassassin layer instead.   Been thinking about making
>> US and EU people also wait longer on the greylist before sending
>> but I haven't gotten around to it yet.
> I sympathize with that inclination. But I assure you that the domains
> ".xx.us", where "xx" is a two letter abbreviation for a US state, are
> legitimate domains. :)
>
> There does seem to be a bit of compromised account trouble out of
> ".k12.xx.us" domains, but that is a drop in the bucket compared to the
> "name@..." type spam. Similarly, quite a bit of spam comes from
> the .edu TLD.
>
I see the problem as quite different.

EDU spam is compromised accounts, on legitimate servers with
previously decent reputations.  We have it here on a semi-regular basis
that phished account credentials are used to send spam from our
mail routing pool, which may result in some of our servers appearing
in blacklists and then we run around dealing with the mess.

I've never seen torrents of spam from .k12.xx.us compromises.
I'd be perfectly willing to give extra credit to y'all so you are not
tarred with the same brush.

The *.us and *.eu spam I see is usually from servers set up for that
purpose in bought domains, with legit DNS & SPF provisioned. They pop up
and blast out spam as fast as they can.  The half-life on all these newly
provisioned domains before they start appearing in everyone's blacklist
is quite short, but it's CHEAP; they can just write off the cost of having
to constantly repeat this process.

Consequently I've started to rely more and more, on the Day Old Bread idea
of penalizing brand-spanking-new domains in our SpamAssassin scoring.
Between DOB and the various SEM-FRESH lists it helps.

Digression:  I get a kick out of my campus department "IT people" busybodies
who regularly propose SPF or DKIM whitelisting since "it's secure and trusted".
Most of the spam I see these days has SPF provisioned, and forges DKIM.

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-22 by manu@...

Vincent Fox vbfox@... [milter-greylist]
<milter-greylist@yahoogroups.com> wrote:

> Consequently I've started to rely more and more, on the Day Old Bread idea
> of penalizing brand-spanking-new domains in our SpamAssassin scoring.
> Between DOB and the various SEM-FRESH lists it helps.

Checking for sender domain registration age would be an interesting
feature in milter-greylist, unfortunately the information is scattered
in various Whois registries with different formats, so it seems a job
for a scripting language. If someone has ideas on how to implement that
reliably, I am interested.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@...

RE: [milter-greylist] Spam coming for new top level domains...

2015-01-22 by Bruncsak, Attila

> Checking for sender domain registration age would be an interesting
> feature in milter-greylist, unfortunately the information is scattered
> in various Whois registries with different formats, so it seems a job
> for a scripting language. If someone has ideas on how to implement that
> reliably, I am interested.
> 

I think this should be done via simple DNS query.
An example: if you are interested in the registration date of example.com
you do a TXT query of example.com.domainage.org and that returns
its registration date in a standard format.

The script you mentioned should just populate the domain domainage.org.

I do not know whether any such service already exists.

If not, maybe I am the first to have this idea?

Best,
Attila

RE: [milter-greylist] Spam coming for new top level domains...

2015-01-22 by Jim Klimov

On 22 January 2015 08:47:54 CET, "'Bruncsak, Attila' attila.bruncsak@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:
>> Checking for sender domain registration age would be an interesting
>> feature in milter-greylist, unfortunately the information is scattered
>> in various Whois registries with different formats, so it seems a job
>> for a scripting language. If someone has ideas on how to implement that
>> reliably, I am interested.
>> 
>
>I think this should be done via simple DNS query.
>An example: if you are interested in the registration date of example.com
>you do a TXT query of example.com.domainage.org and that returns
>its registration date in a standard format.
>
>The script you mentioned should just populate the domain domainage.org.
>
>I do not know whether any such service already exists.
>
>If not, maybe I am the first to have this idea?
>
>Best,
>Attila

Actually, this is called WHOIS, and there are some 30 years worth of standards, protocols, clients and multiple dispersed public servers in a fashion similar and related to DNS registration/referral system. Scripts to parse the web-forms are not the only way to do it, nor the preferred way ;)

You can start with an overview on Wikipedia, it is pretty informative. Indeed, such an optional feature seems useful for spam filtering.

HTH,
Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-22 by Emmanuel Dreyfus

On Thu, Jan 22, 2015 at 10:20:53AM +0100, Jim Klimov jimklimov@... [milter-greylist] wrote:
> Actually, this is called WHOIS, and there are some 30 years worth of standards, protocols, clients and multiple dispersed public servers in a fashion similar and related to DNS registration/referral system. Scripts to parse the web-forms are not the only way to do it, nor the preferred way ;)

Problem is: creation date field and format is different in each WHOIS server.

-- 
Emmanuel Dreyfus
manu@...

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-22 by patpro@...

On 22 Jan. 2015, at 11:04, "Emmanuel Dreyfus manu@... [milter-greylist]" <milter-greylist@yahoogroups.com> wrote:

> On Thu, Jan 22, 2015 at 10:20:53AM +0100, Jim Klimov jimklimov@... [milter-greylist] wrote:
>> Actually, this is called WHOIS, and there are some 30 years worth of standards, protocols, clients and multiple dispersed public servers in a fashion similar and related to DNS registration/referral system. Scripts to parse the web-forms are not the only way to do it, nor the preferred way ;)
> 
> Problem is: creation date field and format is different in each WHOIS server.


Another problem is you won't be allowed to query WHOIS servers at fast rate. On a medium sized MX server you'll get blacklisted/blocked very quickly by WHOIS servers.
One could choose to use fresh.spameatingmonkey.net (rhsbl), but it does not include many top level DN (<http://spameatingmonkey.com/lists.html>).

patpro
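Putting Attila's DNS-based age lookup and patpro's rate-limit caveat together, here is an added example (not code from milter-greylist, from anyone in the thread, or from any real service) of a sender-domain-age scorer in the Day Old Bread spirit. It extracts the domain from the envelope sender, asks for a TXT record under an age zone, parses an ISO date, caches both hits and misses so a repeated sender costs no further lookup, and treats an unknown or malformed answer as "no opinion" rather than "brand new". Assumptions: `domainage.org` is the hypothetical zone from the proposal above; the resolver is an offline table of constructed records; the 5-day and 30-day thresholds and the scores are invented.

```python
from datetime import date
from typing import Callable, Dict, List, Optional

# Hypothetical zone from the proposal above; no such service is assumed to exist.
AGE_ZONE = "domainage.org"

# Constructed stand-in for DNS: query name -> TXT strings (ISO dates).
# An offline table replaces a real resolver so the example runs anywhere.
FAKE_TXT_RECORDS: Dict[str, List[str]] = {
    "example.org.domainage.org":   ["2000-06-15"],
    "deals.rocks.domainage.org":   ["2015-01-10"],
    "example.click.domainage.org": ["2015-01-16"],
    "bad.example.domainage.org":   ["yesterday"],   # malformed answer
    # example.net deliberately absent: age unknown
}

Resolver = Callable[[str], List[str]]


class CountingResolver:
    """Wraps the fake table and counts lookups, so the cache can be checked."""

    def __init__(self, table: Dict[str, List[str]]):
        self.table = table
        self.calls = 0

    def __call__(self, name: str) -> List[str]:
        self.calls += 1
        return self.table.get(name.lower(), [])


def sender_domain(mail_from: str) -> Optional[str]:
    """Domain part of an envelope sender, tolerating <> brackets and a
    trailing dot.  The null sender used by bounces has no domain."""
    addr = mail_from.strip().strip("<>").strip()
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".") or None


def registrable_domain(domain: str) -> str:
    """Last two labels.  Assumption for the example only: this is wrong for
    multi-label public suffixes (k12.ca.us, co.uk); use the Public Suffix List."""
    return ".".join(domain.split(".")[-2:])


class DomainAgeChecker:
    def __init__(self, resolver: Resolver, today: date):
        self.resolver = resolver
        self.today = today
        # Positive and negative cache; a real one would also carry a TTL.
        self._cache: Dict[str, Optional[date]] = {}

    def registration_date(self, domain: str) -> Optional[date]:
        if domain in self._cache:
            return self._cache[domain]
        reg: Optional[date] = None
        for txt in self.resolver("%s.%s" % (domain, AGE_ZONE)):
            try:
                reg = date.fromisoformat(txt.strip())
                break
            except ValueError:
                continue    # malformed answer: unknown, never "new"
        self._cache[domain] = reg
        return reg

    def age_days(self, mail_from: str) -> Optional[int]:
        dom = sender_domain(mail_from)
        if dom is None:
            return None
        reg = self.registration_date(registrable_domain(dom))
        if reg is None or reg > self.today:
            return None
        return (self.today - reg).days

    def score(self, mail_from: str) -> float:
        """Day Old Bread style penalty; thresholds are assumed."""
        age = self.age_days(mail_from)
        if age is None:
            return 0.0
        if age <= 5:
            return 3.0
        if age <= 30:
            return 1.5
        return 0.0


def demo() -> dict:
    """Score a constructed batch as of 2015-01-20 and report lookup count."""
    resolver = CountingResolver(FAKE_TXT_RECORDS)
    checker = DomainAgeChecker(resolver, today=date(2015, 1, 20))
    senders = ["<promo@deals.rocks>", "<news@example.click>", "<alice@example.org>",
               "<bob@example.net>", "<carol@bad.example>", "<>",
               "<promo@deals.rocks>"]   # repeat: answered from cache
    return {"scores": [checker.score(s) for s in senders], "lookups": resolver.calls}


if __name__ == "__main__":
    print(demo())
```

Wiring this into a real mail path means feeding the score into SpamAssassin or a milter with an `racl` that consults it; the point patpro raised still applies, so the cache (and a TTL on it) is what keeps the lookup rate bounded on a busy MX, and unknown ages must not be penalised, or every domain absent from the zone becomes "new".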

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-29 by Bill Levering

Sorry about the delay, but I haven't seen a .rocks domain to verify.

But I believe your assumption is correct.

Bill
> On Jan 17, 2015, at 4:39 PM, manu@... [milter-greylist] <milter-greylist@yahoogroups.com> wrote:
> 
> Bill Levering yidbill@... [milter-greylist]
> <milter-greylist@yahoogroups.com> wrote:
> 
> > Am I doing something wrong with either of those rules and are there others
> > that you have seen?
> 
> Is the envelope sender address really in .rocks? Perhaps envelope and
> header sender address do not match?
> 
> -- 
> Emmanuel Dreyfus
> http://hcpnet.free.fr/pubz
> manu@...
> 
>
