Posted to users@spamassassin.apache.org by "Chip M." <sa...@IowaHoneypot.com> on 2016/07/09 14:14:09 UTC

Re: Anyone else just blocking the ".top" TLD?

Thanks for all the lists and references, everyone! :)

+1 on block-by-default combined with "skips" for the VERY rare
exceptions.
I'm scoring (poison pill level), not gateway blocking (more about
that in a later post).

*** New Snow TLD sighting:
Since June 30, the TLD ".stream" has been snowballing, and 
now (in my data) is occurring at a greater volume than ".top".
As of July 7, it's present in more than half of _ALL_ my
snowshoe spam.

While researching it, I found this handy "Cheapest Domain
Prices" site:
	https://www.domcomp.com/tld/stream
	https://www.domcomp.com/tld/top
The ever-anti-reliable NameCheap is beating the pack at $0.88 per
.stream domain (same as their price for .top), so I expect the
popularity of .stream to continue.
	- "Chip"



Re: Anyone else just blocking the ".top" TLD?

Posted by "@lbutlr" <kr...@kreme.com>.
On 09 Jul 2016, at 08:32, jasonsu@mail-central.com wrote:
> 
> Fwiw, atm I block all of the following TLDs

> [big list]

> That list is auto-generated.  Any & all TLDs that have sent > 100 messages within the last year *AND* have a spam/reject rate >= 99% get blocked by TLD, never get past my mail server's 'edge', and don't impose any further load on my server.

That’s a good list, but I take a different approach: I block ALL tlds except for a few that I actually get mail from.

(com|net|org|edu|gov|mx|de|dk|uk|us|info|biz|eu|es|il|it|nl|name|jp)

(and I’m not sure about name anymore, I don’t think I get legit mail from that anymore.)

Of course, other people will have other lists, but this one works well for me.

.top is the biggest offender though, we get thousands of those.

I should write up an awk script that searches my maillog for all the tlds that try to connect. Well, I can throw something together in a 

Here are all the tlds that I’ve seen in the last week (only searching in from=<…> not helo):

.ae, .ar, .at, .au, .bd, .be, .bg, .bid, .biz, .bo, .br, .ca, .cc, .ch, .cl, .club, .cn, .co, .com, .coop, .cz, .date, .de, .dk, .ec, .edu, .es, .eu, .fi, .firewall, .fr, .gdn, .gov, .gr, .hk, .hr, .hu, .id, .ie, .il, .in, .info, .ir, .is, .it, .jp, .kh, .kornet, .kr, .lan, .localdomain, .lt, .lv, .ma, .mail, .md, .me, .men, .mk, .mobi, .mv, .mx, .my, .name, .net, .ng, .nl, .no, .nz, .online, .org, .orgt, .pa, .pe, .pl, .pt, .pw, .ro, .rs, .ru, .se, .sk, .stream, .tk, .tn, .top, .tr, .tw, .uk, .us, .vn, .website, .win, .xyz, .za

And this is the list from helo (ignoring all the IPs):

adsl, ae, ao, ar, arpa, au, bd, be, bg, bid, biz, bo, br, c, ca, cc, cl, club, cm, cn, co, com, cy, date, de, do, ec, edu, eg, es, eu, fi, firewall, gdn, gh, gov, gr, hu, id, il, in, info, internal, io, ir, it, jp, ke, kh, kornet, kr, la, lan, local, localdomain, lt, lv, ly, ma, mail, md, me, men, mobi, mv, mx, my, name, net, ni, nl, no, np, online, org, orgt, pe, pk, pl, pt, pw, rs, ru, sg, sk, so, space, stream, th, tk, top, tr, tv, tw, uk, us, uy, vn, website, win, ws, xyz, za, zw

How are people doing spam counts on a tld basis?



Re: Anyone else just blocking the ".top" TLD?

Posted by Jari Fredriksson <ja...@bitwell.biz>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

jasonsu@mail-central.com kirjoitti 9.7.2016 18:41:
> With what's left, I'm "99% sure(tm)" I could probably run my server on
> an RPi  ;-)
> 
> Bottom line is, it costs me less time, resource & effort, and my users
> are happy.  Which makes me happy.

O.o

That's what I do. Agreed, the front end nowadays is a VPS on the Internet and
is powered by some Xeon vcpu, but the back end(s) doing SA & ClamAV &
maildrop & Dovecot Sieve are run on a Rpi2.

The thing is that an Rpi2 or 3 is just as powerful as some 2005
Proliant that I also have. The difference is that the Proliant sleeps 20 hours a
day while the Rpi(s) are always on and wake up the said Proliant plus a
Core i7 plus a Google Cloud VM for RuleQA masscheck plus what not.

That is all the end result of my 2014 project for minimizing the
electricity bills ;)

(And my email is quite much: I have quite an amount of ruleqa masscheck
ham corpus!)

- -- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
jarif@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for
ecommerce
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAleBIp8ACgkQKL4IzOyjSrZq+wCfY75NDI3KhuhA5N/zBBOq4pvw
oZ4AmwdP5ujpMZa2t9U4+9tJQ34OsBQq
=/6UT
-----END PGP SIGNATURE-----

Re: Anyone else just blocking the ".top" TLD?

Posted by ja...@mail-central.com.

On Sat, Jul 9, 2016, at 08:28 AM, Groach wrote:
> But that said, in fairness, all of the spam we do receive, from what I 
> can tell, is already handled and dealt with by the usual DNSBL, SURBLs 
> and spamassassin (with SPF and DKIM checking encompassed).  I've never 
> had to use/block these TLDs and, in fact, I can't actually say that I 
> have ever seen one, genuine or otherwise (other than our accountant of 
> course).

Generally, agreed.  Though every once in a while, a few would sneak through -- afaict, not YET on one of the major DNSBLs (guess I've got the 'privilege' of being an early send target).

Blocking the TLDs simply reduces the load even further -- no lookups, no A/V or SA processing, nada.  Just dropped into a hole early.

For my use, there's no harm done to my end.  And I'll sure admit to getting satisfaction by not supporting the TLD-hawking parasites :-)

With what's left, I'm "99% sure(tm)" I could probably run my server on an RPi  ;-)

Bottom line is, it costs me less time, resource & effort, and my users are happy.  Which makes me happy.

Re: Anyone else just blocking the ".top" TLD?

Posted by Groach <gr...@yahoo.com>.
Correction: Sorry I was wrong.  Our accountant uses ".accountants" (I 
just checked).

When I first read the list of TLDs being blocked by default my first 
thought was "Yeah, quite right too".  I've never liked the idea of these 
new TLDs when they were introduced and think they would only ever be 
used for non-genuine use as genuine businesses would never use them.  
(That's why I was surprised our accountant chose to move to one).

But that said, in fairness, all of the spam we do receive, from what I 
can tell, is already handled and dealt with by the usual DNSBL, SURBLs 
and spamassassin (with SPF and DKIM checking encompassed).  I've never 
had to use/block these TLDs and, in fact, I can't actually say that I 
have ever seen one, genuine or otherwise (other than our accountant of 
course).

On 09/07/2016 17:15, jasonsu@mail-central.com wrote:
> On Sat, Jul 9, 2016, at 07:52 AM, Groach wrote:
>> Our accountants are actually using '.account' TLD and they are a very reputable business. A surprise when they changed to it, maybe, but change to it they did.
> My stats provide all the 'evidence' I need.  So far, it seems I'm not auto-blocking "*.account" ...
>
> And, like I said, "YMMV".
>
> Personally, I find that holding people to account for their actions & decisions in 'email-land' is a pretty good strategy.  That includes 'reputable businesses' choosing to move  into a 'bad neighborhood', particularly if they haven't done their homework first.
>
> SA plus SPF/DKIM/DMARC, and a good set of DNSBLs helps immensely.  Add to that some "This is obviously a sewer" heuristic decisions about TLDs, and my spam leak-thru rate is miniscule.
>
> Then again, I can choose to do that, as I'm not an ISP providing freemail with more holes than a colander to the unwashed ...


Re: Anyone else just blocking the ".top" TLD?

Posted by ja...@mail-central.com.
On Sat, Jul 9, 2016, at 07:52 AM, Groach wrote:
> Our accountants are actually using '.account' TLD and they are a very reputable business. A surprise when they changed to it, maybe, but change to it they did.

My stats provide all the 'evidence' I need.  So far, it seems I'm not auto-blocking "*.account" ...

And, like I said, "YMMV".

Personally, I find that holding people to account for their actions & decisions in 'email-land' is a pretty good strategy.  That includes 'reputable businesses' choosing to move  into a 'bad neighborhood', particularly if they haven't done their homework first.

SA plus SPF/DKIM/DMARC, and a good set of DNSBLs helps immensely.  Add to that some "This is obviously a sewer" heuristic decisions about TLDs, and my spam leak-thru rate is miniscule.

Then again, I can choose to do that, as I'm not an ISP providing freemail with more holes than a colander to the unwashed ... 

Re: Anyone else just blocking the ".top" TLD?

Posted by Groach <gr...@yahoo.com>.
Our accountants are actually using '.account' TLD and they are a very reputable business. A surprise when they changed to it, maybe, but change to it they did.

On 9 July 2016 16:32:51 CEST, jasonsu@mail-central.com wrote:
>
>
>On Sat, Jul 9, 2016, at 07:14 AM, Chip M. wrote:
>> Thanks for all the lists and references, everyone! :)
>
>Fwiw, atm I block all of the following TLDs
>
>	accountant, accountants, adult, aero, agency, apartments, app, asia,
>associates, audio, baby, bargains, bid, bike, bingo, blog, boutique,
>builders, business, cab, cafe, cam, camera, camp, capital, cards, care,
>careers, cash, casino, catering, center, charity, chat, cheap, church,
>city, claims, cleaning, click, clinic, clothing, club, coach, codes,
>coffee, community, company, computer, condos, construction,
>contractors, cool, country, coupons, credit, creditcard, cricket,
>cruises, date, dating, deals, delivery, dental, diamonds, digital,
>direct, directory, discount, dog, domains, dot, download, email,
>energy, engineering, enterprises, equipment, estate, events, exchange,
>expert, exposed, express, fail, faith, farm, finance, financial, fish,
>fitness, flights, florist, football, foundation, fund, furniture, fyi,
>gallery, game, games, gifts, glass, gmbh, gold, golf, gq, graphics,
>gratis, gripe, group, guide, guru, healthcare, hockey, holdings,
>holiday, host, hotel, house, immo, industries, institute, insure,
>international, investments, jewelry, kim, kitchen, la, land, lease,
>legal, lgbt, life, lighting, limited, limo, link, loan, loans, ltd,
>maison, management, marketing, mba, media, memorial, men, mobi, money,
>movie, museum, music, network, news, ninja, online, partners, parts,
>party, photography, photos, pictures, pizza, place, plumbing, plus,
>porn, pro, productions, properties, pw, racing, realestate, recipes,
>reise, reisen, rentals, repair, report, restaurant, review, rocks,
>rodeo, rugby, run, salon, sarl, school, schule, science, search,
>services, sexy, shoes, shop, shop, shopping, show, singles, soccer,
>solar, solutions, space, sport, stream, style, sucks, supplies, supply,
>support, surgery, systems, tax, taxi, team, tech, technology, tennis,
>theater, tienda, tips, tires, today, tools, top, tours, town, toys,
>trade, training, tv, uno, vacations, ventures, viajes, villas, vin,
>vision, voyage, watch, webcam, website, win, wine, work, works, world,
>wtf, xxx, xyz, zip
>
>That list is auto-generated.  Any & all TLDs that have sent > 100
>messages within the last year *AND* have a spam/reject rate >= 99% get
>blocked by TLD, never get past my mail server's 'edge', and don't
>impose any further load on my server.
>
>Afaict, I've *never* seen a legitimate &/or opted-in email from any of
>them.
>
>Couldn't be happier!
>
>YMMV.

Re: Anyone else just blocking the ".top" TLD?

Posted by "lists@rhsoft.net" <li...@rhsoft.net>.

Am 08.09.2016 um 15:44 schrieb Chip M.:
> On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>> i get a diff-output per mail each time the mailserver configs
>> are changing
>
> That's a completely valid approach, and I am a big fan of
> pre-emptive first strike (only as applied to potentially evil
> email).
>
> However, the vast majority of those TLDs will never
> "go rogue", so I prefer to block on actual abuse
> (Jason's approach), or likelihood of abuse, specifically, very
> low cost.  Jason appears to have much higher volume than I do,
> so he'd be a good source of data for me and others.

we require at least SPF or DNSWL for them instead of an unconditional reject, 
and the reject text contains a link to Wikipedia explaining what SPF is

the other part of using that file is to "DUNNO" specific TLDs in front 
of the checks and put a final line into helo-restrictions for when no DUNNO 
at all matched

/.*\.*/ REJECT Unacceptable HELO (Invalid TLD) see 
https://www.ietf.org/rfc/rfc2821.txt and 
https://www.ietf.org/rfc/rfc1912.txt

-------- Weitergeleitete Nachricht --------
Betreff: Cron /usr/local/bin/update-spamfilter.sh
Datum: Mon, 29 Aug 2016 16:30:03 +0200 (CEST)

UPDATED: /etc/postfix/blacklist_generic_ptr.cf
  1484a1485
  > /\.eco$/ DUNNO
  2375a2377
  > /\.vanguard$/ DUNNO
---------------------------------------------------------------------
UPDATED: /etc/postfix/blacklist_helo.cf
  382a383
  > /\.eco$/ DUNNO
  1273a1275
  > /\.vanguard$/ DUNNO
---------------------------------------------------------------------
UPDATED: /etc/postfix/blacklist_tld.cf
  271a272
  > /\.eco$/ REJECT Spam-TLD (SPF Required: .eco - see 
http://en.wikipedia.org/wiki/Sender_Policy_Framework)
  904a906
  > /\.vanguard$/ REJECT Spam-TLD (SPF Required: .vanguard - see 
http://en.wikipedia.org/wiki/Sender_Policy_Framework)
---------------------------------------------------------------------

OK: /usr/bin/systemctl reload postfix.service


Re: Anyone else just blocking the ".top" TLD?

Posted by Lindsay Haisley <fm...@fmp.com>.
On Thu, 2016-09-08 at 13:44 +0000, Chip M. wrote:
> On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
> > 
> > i get a diff-output per mail each time the mailserver configs
> > are changing
> That's a completely valid approach, and I am a big fan of
> pre-emptive first strike (only as applied to potentially evil
> email).
> 
> However, the vast majority of those TLDs will never
> "go rogue", so I prefer to block on actual abuse
> (Jason's approach), or likelihood of abuse, specifically, very
> low cost.  Jason appears to have much higher volume than I do,
> so he'd be a good source of data for me and others.

The issue is much more nuanced. There are registrars who offer what's
called "domain name tasting", on newly created TLDs. Under this policy,
a name may be registered and put into service _before_ payment is made
for the registration. At one time Network Solutions had this policy
even for the common TLDs, .com, .org, etc. Spammers pay nothing for the
use of such a name, and discard it for a new one before payment for the
name is required.

One of the choke-points for commercial spammers is the provision of an
authoritative name server for their domain names, and I've found it
very effective to do a recursive sequence of server look-ups on the DN
in the helo or ehelo addresses until a name server is found with a DN
for which the authoritative name server has the same DN. This boils
down to a list of less than 10 domain names. I apply a rather strict
form of rate limiting to messages originating from the same /24 IP
address group if the helo DN gets resolved to a name on this list. This
has so far been 100% effective with no evidence of false positives.

This may be out of the realm of SA. I apply this test using a python
program written to work with Gordon Messmer's courier-pythonfilter for
Courier-MTA.

-- 
Lindsay Haisley       | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190          |          -- Pogo
http://www.fmp.com    |
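Lindsay's "recursive sequence of server look-ups" and the per-/24 rate limit can be spelled out as code. The block below is an added example modelled on his description; it is not his courier-pythonfilter program. Everything in it that the post does not state is an assumption: DNS answers come from a constructed in-memory NS table rather than live lookups, the "registered domain" is approximated as the last two labels of a host name (a production filter would consult the Public Suffix List), and the watched-operator set, the limit and the window are invented. The trace walks from the HELO domain to its nameserver's domain, then to that domain's nameserver, and stops when a domain is authoritative for itself; only senders whose trace ends on a watched operator are counted against the /24 limit, so unrelated mail is never deferred.

```python
"""Trace a HELO name back to the operator of its authoritative nameservers
(fixed point of the NS delegation chain), then rate-limit per client /24
when that operator is on a watch list.  Added example, not the poster's code.
Assumptions: constructed NS table, last-two-labels registered domain,
invented watch list and limits."""
import ipaddress
from collections import defaultdict, deque

# Constructed NS data: registered domain -> one authoritative nameserver host.
# The throwaway domains are delegated to a bulk DNS provider that, two hops
# later, serves its own zone; the legitimate domain is self-hosted.
NS_TABLE = {
    "cheapdeal-0471.top": "ns1.bulkdns.win",
    "freeoffer-99.stream": "ns2.bulkdns.win",
    "bulkdns.win": "ns1.bulkhost.xyz",
    "bulkhost.xyz": "ns2.bulkhost.xyz",
    "example.org": "ns.example.org",
    "loop-a.example": "ns.loop-b.example",   # a delegation cycle, to show termination
    "loop-b.example": "ns.loop-a.example",
}

def registered_domain(name):
    """Last two labels of a host name (assumption: no public-suffix handling)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def authority_chain(helo, ns_table=NS_TABLE, max_hops=10):
    """Follow NS delegations from the HELO domain until a nameserver's own
    domain is authoritative for itself.  Returns that domain, or None when a
    lookup fails, the chain cycles, or max_hops is exceeded."""
    domain = registered_domain(helo)
    visited = set()
    for _ in range(max_hops):
        visited.add(domain)
        ns_host = ns_table.get(domain)
        if ns_host is None:
            return None                  # no NS record: nothing to attribute
        ns_domain = registered_domain(ns_host)
        if ns_domain == domain:
            return domain                # serves its own zone: fixed point
        if ns_domain in visited:
            return None                  # delegation cycle
        domain = ns_domain
    return None

class SlashTwentyFourLimiter:
    """Sliding-window rate limit keyed on the client's /24, applied only
    when the HELO's authority chain ends on a watched operator."""
    def __init__(self, watched, limit=20, window_s=600.0, ns_table=NS_TABLE):
        self.watched, self.limit, self.window = set(watched), limit, window_s
        self.ns_table = ns_table
        self.hits = defaultdict(deque)   # /24 network -> timestamps of counted hits

    def allow(self, client_ip, helo, now):
        """True to accept the connection, False to defer (temporary failure)."""
        operator = authority_chain(helo, self.ns_table)
        if operator not in self.watched:
            return True                  # not attributed to a watched operator: never limited
        net = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
        window = self.hits[net]
        while window and now - window[0] > self.window:
            window.popleft()             # drop hits older than the window
        if len(window) >= self.limit:
            return False
        window.append(now)
        return True

if __name__ == "__main__":
    print(authority_chain("mail.cheapdeal-0471.top"))
    lim = SlashTwentyFourLimiter(watched={"bulkhost.xyz"}, limit=2, window_s=60)
    for ip in ("203.0.113.10", "203.0.113.77", "203.0.113.200"):
        print(ip, lim.allow(ip, "mail.cheapdeal-0471.top", now=0.0))
```

Deferring (a 4xx) rather than rejecting is the safer choice for a heuristic like this: a legitimate sender that happens to share a bulk DNS provider retries and gets through once the window clears, which is also why the limiter only ever counts connections it could attribute to a watched operator.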



Re: Anyone else just blocking the ".top" TLD?

Posted by "Chip M." <sa...@IowaHoneypot.com>.
On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>i get a diff-output per mail each time the mailserver configs
>are changing

That's a completely valid approach, and I am a big fan of
pre-emptive first strike (only as applied to potentially evil
email).

However, the vast majority of those TLDs will never
"go rogue", so I prefer to block on actual abuse
(Jason's approach), or likelihood of abuse, specifically, very
low cost.  Jason appears to have much higher volume than I do,
so he'd be a good source of data for me and others.

IDIC... or to each his/her own preferred approach. :)
	- "Chip"



Re: Anyone else just blocking the ".top" TLD?

Posted by "lists@rhsoft.net" <li...@rhsoft.net>.
Am 08.09.2016 um 10:33 schrieb Chip M.:
> On Sat, 09 Jul 2016, jasonsu wrote:
>> Fwiw, atm I block all of the following TLDs
> ...
>> men,
> ..
>> That list is auto-generated.  Any & all TLDs that have
>> sent > 100 messages within the last year *AND* have a
>
> Great approach Jason! :)
> ".men" just recently appeared in my data, and is not showing up
> on that Surbl tld page.
>
> Please do share any more that you notice. :)

just download https://data.iana.org/TLD/tlds-alpha-by-domain.txt in a 
cronjob, compare it with the last version and re-generate your configs

i get a diff-output per mail each time the mailserver configs are changing
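The regeneration step sketched here, and the cron report with its `/\.eco$/ DUNNO` and `REJECT Spam-TLD (SPF Required: ...)` lines quoted in the other rhsoft post, can be reproduced with a short generator. The block below is an added example, not rhsoft's script. It assumes the IANA file format (one upper-case TLD per line after a `# Version ...` header, as served at https://data.iana.org/TLD/tlds-alpha-by-domain.txt) and stands in two constructed snapshots for the real downloads; the set of TLDs that get an "SPF required" reject is a constructed policy input, and the catch-all REJECT is appended as the last line of the HELO map, on the assumption that the maps are consulted via Postfix `check_helo_access pcre:...` and `check_sender_access pcre:...` lookups. In a Postfix access map `DUNNO` means "treat as no match and continue with the next restriction", and a pcre table returns its first matching line, so every known TLD short-circuits past the catch-all and only names with a TLD that does not exist reach it.

```python
"""Regenerate Postfix pcre access maps from IANA's TLD list and report
which lines were added.  Added example, not rhsoft's cron script.
Assumptions: IANA file format, constructed snapshots, constructed
'SPF required' policy set, catch-all appended to the HELO map."""
import difflib

# Constructed snapshots of the IANA list: the second adds ECO and VANGUARD.
IANA_PREVIOUS = """\
# Version 2016082800, Last Updated Sun Aug 28 07:07:01 2016 UTC
COM
NET
ORG
STREAM
TOP
XN--P1AI
"""
IANA_CURRENT = IANA_PREVIOUS.replace("COM\n", "COM\nECO\n").replace("TOP\n", "TOP\nVANGUARD\n")

# Constructed policy: sender TLDs that must have passed SPF (or a DNSWL
# permit earlier in the restriction chain) instead of being accepted outright.
SPF_REQUIRED = {"eco", "stream", "vanguard"}

HELO_CATCHALL = ("/.*\\.*/ REJECT Unacceptable HELO (Invalid TLD) see "
                 "https://www.ietf.org/rfc/rfc2821.txt and https://www.ietf.org/rfc/rfc1912.txt")
SPF_URL = "http://en.wikipedia.org/wiki/Sender_Policy_Framework"

def parse_iana(text):
    """Lowercase, sorted TLDs from the IANA file; '#' lines are metadata."""
    return sorted(l.strip().lower() for l in text.splitlines()
                  if l.strip() and not l.startswith("#"))

def dunno_map(tlds, catchall=None):
    """One DUNNO per known TLD so later checks still run; with a catch-all
    appended, a name whose TLD is not on the list falls through to REJECT.
    TLDs contain only [a-z0-9-], so no regex escaping is needed."""
    lines = [f"/\\.{t}$/ DUNNO" for t in tlds]
    if catchall:
        lines.append(catchall)
    return "\n".join(lines) + "\n"

def spf_required_map(tlds, policy=SPF_REQUIRED):
    """REJECT with an explanatory text for the policy TLDs that actually exist."""
    return "".join(f"/\\.{t}$/ REJECT Spam-TLD (SPF Required: .{t} - see {SPF_URL})\n"
                   for t in tlds if t in policy)

def added_lines(old, new):
    """Lines present in the regenerated map but not in the previous one."""
    return [l[1:] for l in difflib.unified_diff(old.splitlines(), new.splitlines(), lineterm="")
            if l.startswith("+") and not l.startswith("+++")]

def regenerate(previous_iana, current_iana):
    """Return {filename: (new_content, lines_added)} for the three maps,
    mirroring the UPDATED sections of the cron report."""
    old, new = parse_iana(previous_iana), parse_iana(current_iana)
    builders = [("/etc/postfix/blacklist_generic_ptr.cf", dunno_map),
                ("/etc/postfix/blacklist_helo.cf", lambda t: dunno_map(t, HELO_CATCHALL)),
                ("/etc/postfix/blacklist_tld.cf", spf_required_map)]
    out = {}
    for name, build in builders:
        before, after = build(old), build(new)
        out[name] = (after, added_lines(before, after))
    return out

if __name__ == "__main__":
    for name, (content, added) in regenerate(IANA_PREVIOUS, IANA_CURRENT).items():
        if added:
            print(f"UPDATED: {name}")
            for l in added:
                print("  >", l)
```

In a real cron job the two snapshots are the previously saved download and the fresh one, the new content is written out only when something changed, and `postfix reload` follows, as the cron output in the thread shows.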


Re: Anyone else just blocking the ".top" TLD?

Posted by "Chip M." <sa...@IowaHoneypot.com>.
On Sat, 09 Jul 2016, jasonsu wrote:
>Fwiw, atm I block all of the following TLDs
...
>men,
..
>That list is auto-generated.  Any & all TLDs that have 
>sent > 100 messages within the last year *AND* have a 

Great approach Jason! :)
".men" just recently appeared in my data, and is not showing up
on that Surbl tld page.

Please do share any more that you notice. :)

".men" is going for as low as $1.49.
It's only appearing in some of my domains, but is running
between about 8% and 34% of their snowshoe spam.
	- "Chip"


Re: Anyone else just blocking the ".top" TLD?

Posted by ja...@mail-central.com.

On Sat, Jul 9, 2016, at 07:14 AM, Chip M. wrote:
> Thanks for all the lists and references, everyone! :)

Fwiw, atm I block all of the following TLDs

	accountant, accountants, adult, aero, agency, apartments, app, asia, associates, audio, baby, bargains, bid, bike, bingo, blog, boutique, builders, business, cab, cafe, cam, camera, camp, capital, cards, care, careers, cash, casino, catering, center, charity, chat, cheap, church, city, claims, cleaning, click, clinic, clothing, club, coach, codes, coffee, community, company, computer, condos, construction, contractors, cool, country, coupons, credit, creditcard, cricket, cruises, date, dating, deals, delivery, dental, diamonds, digital, direct, directory, discount, dog, domains, dot, download, email, energy, engineering, enterprises, equipment, estate, events, exchange, expert, exposed, express, fail, faith, farm, finance, financial, fish, fitness, flights, florist, football, foundation, fund, furniture, fyi, gallery, game, games, gifts, glass, gmbh, gold, golf, gq, graphics, gratis, gripe, group, guide, guru, healthcare, hockey, holdings, holiday, host, hotel, house, immo, industries, institute, insure, international, investments, jewelry, kim, kitchen, la, land, lease, legal, lgbt, life, lighting, limited, limo, link, loan, loans, ltd, maison, management, marketing, mba, media, memorial, men, mobi, money, movie, museum, music, network, news, ninja, online, partners, parts, party, photography, photos, pictures, pizza, place, plumbing, plus, porn, pro, productions, properties, pw, racing, realestate, recipes, reise, reisen, rentals, repair, report, restaurant, review, rocks, rodeo, rugby, run, salon, sarl, school, schule, science, search, services, sexy, shoes, shop, shop, shopping, show, singles, soccer, solar, solutions, space, sport, stream, style, sucks, supplies, supply, support, surgery, systems, tax, taxi, team, tech, technology, tennis, theater, tienda, tips, tires, today, tools, top, tours, town, toys, trade, training, tv, uno, vacations, ventures, viajes, villas, vin, vision, voyage, watch, webcam, website, win, wine, work, works, world, wtf, xxx, xyz, zip

That list is auto-generated.  Any & all TLDs that have sent > 100 messages within the last year *AND* have a spam/reject rate >= 99% get blocked by TLD, never get past my mail server's 'edge', and don't impose any further load on my server.

Afaict, I've *never* seen a legitimate &/or opted-in email from any of them.

Couldn't be happier!

YMMV.
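@lbutlr asked earlier in the thread how people do spam counts on a TLD basis, and the rule above (more than 100 messages in the window AND a spam/reject rate of at least 99%) is the natural thing to feed those counts into. The block below is an added example, not code from any poster. What it assumes beyond the thread: Postfix-style log lines, where a rejected message appears as an smtpd `NOQUEUE: reject:` line and an accepted one as a qmgr `from=<...>, size=` line, and that only the envelope sender in `from=<...>` is counted (as @lbutlr did, not the HELO). The log it runs on is constructed, with invented sender domains and volumes chosen so that each threshold is exercised on both sides; Jason's "spam/reject" is taken to mean "rejected at the edge", since the constructed log carries no content-filter verdicts.

```python
"""Per-TLD message counts and reject rates from a mail log, and the TLD
block list that the '> 100 messages AND >= 99% rejected' rule derives from
them.  Added example, not code from any poster in this thread.
Assumptions: Postfix-style log lines, constructed sample log."""
import re
from collections import defaultdict

# Envelope sender as logged by Postfix, e.g. from=<deal@offer.top> or from=<>.
FROM_RE = re.compile(r"from=<(?:[^<>@]*@)?([^<>]*)>")

def tld_of(domain):
    """Lowercase last label of a domain, or None for an empty sender (<>)
    or a dotless host name, neither of which carries a TLD to count."""
    domain = domain.strip().rstrip(".").lower()
    if "." not in domain:
        return None
    return domain.rsplit(".", 1)[1]

def tld_stats(lines):
    """Return {tld: (messages_seen, messages_rejected)} over the log lines."""
    counts = defaultdict(lambda: [0, 0])
    for line in lines:
        m = FROM_RE.search(line)
        if not m:
            continue                     # no envelope sender here (connect, HELO, ...)
        tld = tld_of(m.group(1))
        if tld is None:
            continue
        counts[tld][0] += 1
        if "NOQUEUE: reject:" in line:   # rejected at the SMTP edge
            counts[tld][1] += 1
    return {t: tuple(c) for t, c in counts.items()}

def report(stats):
    """Rows of (tld, seen, rejected, reject_rate), highest volume first."""
    rows = [(t, n, r, r / n) for t, (n, r) in stats.items()]
    return sorted(rows, key=lambda row: -row[1])

def blocklist(stats, min_messages=100, min_rate=0.99):
    """Block a TLD when it sent MORE than min_messages and at least
    min_rate of them were rejected (the rule quoted in the thread)."""
    return sorted(t for t, (n, r) in stats.items()
                  if n > min_messages and r / n >= min_rate)

def constructed_log():
    """Constructed maillog.  Per TLD: (label as logged, accepted, rejected).
    Volumes are chosen to exercise both thresholds on either side."""
    spec = [
        ("TOP", 0, 1200),     # all rejected, high volume    -> blocked
        ("stream", 0, 100),   # all rejected, exactly 100    -> not yet (rule needs > 100)
        ("men", 1, 149),      # 149/150 = 99.3%              -> blocked
        ("info", 3, 197),     # 197/200 = 98.5%              -> below 99%, not blocked
        ("com", 3000, 2000),  # 40% rejected                 -> not blocked
    ]
    accepted = ("Jul  9 08:00:00 mx postfix/qmgr[801]: 1A2B3C4D5E: "
                "from=<user{i}@host.example.{tld}>, size=2048, nrcpt=1 (queue active)")
    rejected = ("Jul  9 08:00:00 mx postfix/smtpd[802]: NOQUEUE: reject: RCPT from "
                "unknown[203.0.113.{o}]: 554 5.7.1 Service unavailable; "
                "from=<deal{i}@offer{i}.{tld}> to=<a@example.org> proto=ESMTP helo=<offer{i}.{tld}>")
    lines = ["Jul  9 08:00:00 mx postfix/smtpd[803]: connect from unknown[203.0.113.9]",
             "Jul  9 08:00:00 mx postfix/qmgr[801]: 9F8E7D6C5B: from=<>, size=512, nrcpt=1 (queue active)"]
    for tld, ok, rej in spec:
        lines += [accepted.format(i=i, tld=tld) for i in range(ok)]
        lines += [rejected.format(i=i, o=i % 254 + 1, tld=tld) for i in range(rej)]
    return lines

if __name__ == "__main__":
    stats = tld_stats(constructed_log())
    for tld, n, r, rate in report(stats):
        print(f"{tld:8} seen={n:5} rejected={r:5} rate={rate:6.1%}")
    print("block:", ", ".join(blocklist(stats)))
```

The two thresholds do different jobs: the volume floor keeps a TLD seen only a handful of times from being judged on a tiny sample, and the rate floor keeps a high-volume TLD with a real ham fraction (.com here) off the list no matter how much spam it also carries. Lowering `min_messages` is the knob that would pull a fresh "snow TLD" like .stream in sooner, at the cost of judging it on fewer messages.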