Posted to users@spamassassin.apache.org by Tracy Greggs via users <us...@spamassassin.apache.org> on 2023/05/10 19:53:39 UTC

rule based on domain age

My apologies if that has been asked and or answered previously.

I would love to have a rule to score up messages from domains registered 
in the past X configurable days.

We rarely receive legit email from domains newer than 1 year old, but we 
get spoofs daily from domains that are less than 1 year old.

I would like to score all of the less than 1 year old domains up and 
quarantine them for review.

Does such a rule already exist?

Thanks in advance for any direction any of you may have.

Regards

RE: Re[8]: rule based on domain age

Posted by Marc <Ma...@f1-outsourcing.eu>.
> IP ranges and country connections are of no help.  These criminals use
> outlook, gmail, vps servers and everything under the sun.

So they register new domains, link them to gmail (outlook) and send spam with envelope of the domain via the google network, and google does nothing and keeps giving this service to them?

I assume this service is offered for free by google/outlook?


Re[8]: rule based on domain age

Posted by Tracy Greggs via users <us...@spamassassin.apache.org>.
IP ranges and country connections are of no help.  These criminals use 
outlook, gmail, vps servers and everything under the sun.

The spameatingmonkey.com RBL that was suggested to me for domains registered in 
the past 30 days will be quite helpful; already implemented.

I am also looking at getting the feed from zonefiles.io and I can 
potentially use that data and some coding on my end to create my own 180 
or whatever day list fairly easily and query it locally with an in house 
RBL.

I appreciate your input and suggestions Marc.




------ Original Message ------
From "Marc" <Ma...@f1-outsourcing.eu>
To "Tracy Greggs" <po...@insuredaircraft.com>; 
"users@spamassassin.apache.org" <us...@spamassassin.apache.org>
Date 5/10/2023 4:57:21 PM
Subject RE: Re[6]: rule based on domain age

>
>
>>  What I am targeting will not be on any abusive-domains RBL
>>  anywhere, as they buy these domains for the sole purpose of targeting our
>>  company and our clients.  They only have to succeed once where I have to
>>  succeed every time to keep them from stealing large sums.
>
>What about the IP ranges? I have the impression that once you register these, there is less of it. There are specific providers offering their networks for such services. Legitimate providers do not want to get involved with such networks, because they will end up on blacklists.
>
>I have a combination of IP ranges that I have registered; these get from me a URL in a confirmation, and only when this URL is clicked is the email accepted.
>You could tune this for your environment.
>
>Maybe you can do something with the connection country
>
>[@]# dig +short -t txt 95.80.124.107.origin.asn.cymru.com
>"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"
>
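The approach described above (take a registration feed, keep the domains younger than N days, and serve that set as an in-house RBL) as an added, stand-alone example; this is not code from the original posts, from zonefiles.io or from SpamAssassin. It assumes a feed of `domain,created` rows (the sample rows are constructed, and the real feed's column layout is not reproduced here) and writes a BIND-style zone that any authoritative resolver can serve; pointing a SpamAssassin DNS rule at the resulting zone is left to the reader. The listing also walks up the sender's labels so that a subdomain of a freshly registered domain is still caught, and rows whose date cannot be parsed are rejected rather than guessed.

```python
"""Build a local 'newly registered domain' DNS list and query it."""
import datetime as dt
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample feed: registrable domain, registration date (ISO 8601).
# A real feed (zonefiles.io or similar) would carry many thousands of rows.
SAMPLE_FEED = """\
domain,created
shiny-aircraft-parts.example,2023-04-22
insuredaircraft-billing.example,2022-12-15
old-and-boring.example,2015-03-01
Broken.Example.,not-a-date
trailing-dot.example.,2023-05-01
"""

# Fixed "today" so the example is reproducible (assumption: the thread's date).
NOW = dt.date(2023, 5, 10)


def normalize(domain: str) -> str:
    """Lower-case and strip the trailing dot so feed rows and queries agree."""
    return domain.strip().lower().rstrip(".")


def parse_feed(text: str) -> Tuple[Dict[str, dt.date], List[str]]:
    """Parse 'domain,created' rows into {domain: date}; return rejected rows too.

    A row with an unparseable date is rejected, not guessed: a domain whose
    age is unknown must not be listed (or silently unlisted) by accident.
    """
    ages: Dict[str, dt.date] = {}
    rejected: List[str] = []
    for line in text.splitlines()[1:]:  # skip the header row
        if not line.strip():
            continue
        try:
            name, created = line.split(",", 1)
            ages[normalize(name)] = dt.date.fromisoformat(created.strip())
        except ValueError:
            rejected.append(line)
    return ages, rejected


def newer_than(ages: Dict[str, dt.date], max_age_days: int,
               today: dt.date = NOW) -> Set[str]:
    """Domains registered within the last max_age_days days (30, 180, 380 ...)."""
    cutoff = today - dt.timedelta(days=max_age_days)
    return {d for d, created in ages.items() if created >= cutoff}


def zone_file(listed: Iterable[str], ages: Dict[str, dt.date],
              origin: str = "newdom.rbl.local", ttl: int = 300) -> str:
    """Render a BIND zone: A 127.0.0.2 is the listing, TXT carries the reason.

    The zone name 'newdom.rbl.local' is an assumed, private name.
    """
    lines = [
        f"$ORIGIN {origin}.",
        f"$TTL {ttl}",
        f"@ IN SOA ns1.{origin}. hostmaster.{origin}. 1 3600 900 604800 {ttl}",
        f"@ IN NS ns1.{origin}.",
    ]
    for d in sorted(listed):
        lines.append(f"{d} IN A 127.0.0.2")
        lines.append(f'{d} IN TXT "registered {ages[d].isoformat()}"')
    return "\n".join(lines) + "\n"


def sender_domain(from_header: str) -> Optional[str]:
    """Domain part of a From:/Return-Path value; display names are ignored."""
    addr = from_header.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rfind("<") + 1:-1]
    if "@" not in addr:
        return None
    return normalize(addr.rsplit("@", 1)[1])


def is_listed(domain: str, listed: Set[str]) -> Optional[str]:
    """Check the domain and each parent: mail.newco.example hits newco.example.

    The feed holds registrable domains, so walking up the labels stands in
    for a Public Suffix List lookup here. The bare last label is a TLD, not
    a registration, so it is never checked.
    """
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in listed:
            return candidate
    return None


def score(from_header: str, listed: Set[str], points: float = 4.0) -> float:
    """Score to add when the sender's registrable domain is on the list."""
    d = sender_domain(from_header)
    return points if d and is_listed(d, listed) else 0.0


if __name__ == "__main__":
    ages, rejected = parse_feed(SAMPLE_FEED)
    fresh = newer_than(ages, 380)
    print(zone_file(fresh, ages))
    print("rejected rows:", rejected)
    print("score:", score('"AP" <ap@mail.shiny-aircraft-parts.example>', fresh))
```

The parent-label walk is deliberately conservative: it can only match names that are in the feed, so a legitimate old domain is never listed just because it shares a suffix with a new one.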

RE: Re[6]: rule based on domain age

Posted by Marc <Ma...@f1-outsourcing.eu>.

> What I am targeting will not be on any abusive-domains RBL
> anywhere, as they buy these domains for the sole purpose of targeting our
> company and our clients.  They only have to succeed once where I have to
> succeed every time to keep them from stealing large sums.

What about the IP ranges? I have the impression that once you register these, there is less of it. There are specific providers offering their networks for such services. Legitimate providers do not want to get involved with such networks, because they will end up on blacklists.

I have a combination of IP ranges that I have registered; these get from me a URL in a confirmation, and only when this URL is clicked is the email accepted.
You could tune this for your environment.

Maybe you can do something with the connection country

[@]# dig +short -t txt 95.80.124.107.origin.asn.cymru.com
"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"

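The Team Cymru origin lookup shown above, as an added example that is not part of the original post: it builds the reversed-octet query name from a forward IPv4 address, parses the pipe-delimited TXT answer (`ASN | prefix | country | RIR | allocation date`), sanity-checks that the address really falls in the returned prefix, and turns the country code into a score. The answer string is the one quoted in the post; the country list and the point value are assumptions for illustration. Actually sending the DNS query (with `dig`, or a resolver library) is left out so the example runs offline.

```python
"""Parse Team Cymru origin.asn.cymru.com answers and score by country."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet

ORIGIN_ZONE = "origin.asn.cymru.com"


@dataclass(frozen=True)
class OriginInfo:
    asn: int          # first ASN if the prefix is multi-homed ("6939 7018")
    prefix: str       # announced BGP prefix, e.g. "107.64.0.0/10"
    country: str      # ISO 3166 country code as returned by Cymru
    rir: str          # arin, ripencc, apnic, lacnic, afrinic
    allocated: str    # allocation date, may be empty in real answers


def origin_query_name(ip: str) -> str:
    """107.124.80.95 -> 95.80.124.107.origin.asn.cymru.com (octets reversed).

    The name in the post is already reversed; this builds it from the
    forward address as seen in a Received: header. IPv6 needs the
    origin6.asn.cymru.com zone and nibble reversal, which is not handled.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv6 lookups use origin6.asn.cymru.com; not handled here")
    return ".".join(reversed(str(addr).split("."))) + "." + ORIGIN_ZONE


def parse_origin_txt(txt: str) -> OriginInfo:
    """Parse '"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"' from dig +short."""
    fields = [f.strip() for f in txt.strip().strip('"').split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected Cymru answer: {txt!r}")
    asn = int(fields[0].split()[0])          # first ASN of a multi-homed list
    ipaddress.ip_network(fields[1], strict=False)  # reject a garbled prefix early
    return OriginInfo(asn, fields[1], fields[2].upper(), fields[3].lower(), fields[4])


def ip_in_prefix(ip: str, info: OriginInfo) -> bool:
    """Guard against mismatched query/answer pairs before acting on the answer."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(info.prefix, strict=False)


def country_score(info: OriginInfo, flagged: FrozenSet[str], points: float = 2.0) -> float:
    """Points to add when the connecting network's country is on the flagged list."""
    return points if info.country in flagged else 0.0


# Constructed: the answer quoted in the post, for the forward address 107.124.80.95.
SAMPLE_ANSWER = '"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"'

if __name__ == "__main__":
    print(origin_query_name("107.124.80.95"))
    info = parse_origin_txt(SAMPLE_ANSWER)
    print(info, ip_in_prefix("107.124.80.95", info))
    print("score:", country_score(info, frozenset({"XX"})))
```

A country-based score is coarse, as the thread notes: AS 7018 (a large US carrier) hosts both legitimate senders and VPS abuse, so this is a small additive signal, not a block.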

Re[6]: rule based on domain age

Posted by Tracy Greggs via users <us...@spamassassin.apache.org>.
We are specifically targeted Marc.  We have 130 domains on the shelf via 
UDRP disputes right now and 30 more in progress.

What I am trying to accomplish with this issue at hand is to score up 
and quarantine all domains newer than 380 days.  I am fully aware that 
there will be some legit email quarantined and I am fine with that, 
those can be vetted and released.

What I am targeting will not be on any abusive-domains RBL 
anywhere, as they buy these domains for the sole purpose of targeting our 
company and our clients.  They only have to succeed once where I have to 
succeed every time to keep them from stealing large sums.

I may need to look at this differently, more like checking against a DNS 
based list of domains over a year old for example and giving those a 
negative score if necessary.




------ Original Message ------
From "Marc" <Ma...@f1-outsourcing.eu>
To "Tracy Greggs" <po...@insuredaircraft.com>; 
"users@spamassassin.apache.org" <us...@spamassassin.apache.org>
Date 5/10/2023 3:50:06 PM
Subject RE: Re[4]: rule based on domain age

>Yes, some already block/timeout with the 2nd lookup. But there is a flip side. There are DNS blacklists that have domain names that are currently being abused.
>
>
>>
>>  I hadn't considered being blocked by the TLDs from doing the lookups.
>>  Good point.  We probably do about 2K per day so not sure that is enough
>>  to be blocked but it certainly could be.
>>
>>
>>  >
>>  >>
>>  >>  Why would it have to be specific per TLD?  What I have in mind is
>>  >>  looking at the creation date of the sending domain and scoring it up if
>>  >>  it is newer than 12 months, no matter what the TLD is.
>>  >
>>  >I totally get it. I was thinking of incorporating this in a service for
>>  >a European project. And even going further, querying owner information.
>>  >
>>  >>  Am I missing something?
>>  >
>>  >Because this information is only available at TLDs and just querying
>>  >the whois endlessly will be blocked. Every TLD registry has its own
>>  >operating rules.

RE: Re[4]: rule based on domain age

Posted by Marc <Ma...@f1-outsourcing.eu>.
Yes, some already block/timeout with the 2nd lookup. But there is a flip side. There are DNS blacklists that have domain names that are currently being abused.


> 
> I hadn't considered being blocked by the TLDs from doing the lookups.
> Good point.  We probably do about 2K per day so not sure that is enough
> to be blocked but it certainly could be.
> 
> 
> >
> >>
> >>  Why would it have to be specific per TLD?  What I have in mind is
> >>  looking at the creation date of the sending domain and scoring it up if
> >>  it is newer than 12 months, no matter what the TLD is.
> >
> >I totally get it. I was thinking of incorporating this in a service for
> >a European project. And even going further, querying owner information.
> >
> >>  Am I missing something?
> >
> >Because this information is only available at TLDs and just querying
> >the whois endlessly will be blocked. Every TLD registry has its own
> >operating rules.

Re[4]: rule based on domain age

Posted by Tracy Greggs via users <us...@spamassassin.apache.org>.
I hadn't considered being blocked by the TLDs from doing the lookups.  
Good point.  We probably do about 2K per day so not sure that is enough 
to be blocked but it certainly could be.


------ Original Message ------
From "Marc" <Ma...@f1-outsourcing.eu>
To "Tracy Greggs" <po...@insuredaircraft.com>
Date 5/10/2023 3:32:05 PM
Subject RE: Re[2]: rule based on domain age

>
>>
>>  Why would it have to be specific per TLD?  What I have in mind is
>>  looking at the creation date of the sending domain and scoring it up if
>>  it is newer than 12 months, no matter what the TLD is.
>
>I totally get it. I was thinking of incorporating this in a service for a European project. And even going further, querying owner information.
>
>>  Am I missing something?
>
>Because this information is only available at TLDs and just querying the whois endlessly will be blocked. Every TLD registry has its own operating rules.

RE: rule based on domain age

Posted by Marc <Ma...@f1-outsourcing.eu>.
> 
> My apologies if that has been asked and or answered previously.
> 
> I would love to have a rule to score up messages from domains registered
> in the past X configurable days.
> 
> We rarely receive legit email from domains newer than 1 year old, but we
> get spoofs daily from domains that are less than 1 year old.
> 
> I would like to score all of the less than 1 year old domains up and
> quarantine them for review.
> 
> Does such a rule already exist?
> 
> Thanks in advance for any direction any of you may have.
> 

I don't think this is available. All this would also be specific per TLD. So everyone would need to agree on participating in some system, and then you also have different legal jurisdictions.