Posted to users@spamassassin.apache.org by Reindl Harald <h....@thelounge.net> on 2015/08/13 22:09:14 UTC

Re: PatioDeals@****** how to get high score

Am 13.08.2015 um 21:52 schrieb Alex:
>> Thanks all, for your support.
>> I did feed spammy emails, most are blocked but users still get a bunch of those
>> emails a day. I added this in MTA:
>>
>> smtpd_sender_restrictions = reject_unknown_sender_domain
>>
>> in the .cf file I added
>> blacklist_from *.review
>> blacklist_from *.work
>> blacklist_from *.date
>
> I would use the following:
>
> blacklist_uri_host review
> blacklist_uri_host work
> blacklist_uri_host date

you want both: a bad sender using the domain as well as a URI to the domain
and without having tested it on my own: make sure it does only match
when the domain ends with "review", "work", "date" to prevent FP

P.S.: i wonder why people still can reply with the original thread 
subject - no way that a response with that domain would pass our 
submission server because URIBL


Re: PatioDeals@****** how to get high score

Posted by Cedric Knight <ce...@gn.apc.org>.
On 14/08/15 02:19, Alex wrote:
>>>> in the .cf file I added
>>>> blacklist_from *.review
>>>> blacklist_from *.work
>>>> blacklist_from *.date
>>> 
>>> I would use the following:
>>> 
>>> blacklist_uri_host review
>>> blacklist_uri_host work
>>> blacklist_uri_host date
>> 
>> you want both: a bad sender using the domain as well as a URI to the
>> domain and without having tested it on my own: make sure it does
>> only match when the domain ends with "review", "work", "date" to
>> prevent FP
> 
> Are you talking about it somehow matching "123review", for example?
> It appears that it refers to only the rhs of the address. For
> example "blacklist_from *.review" catches user@123test.review but
> not user@123review.com or user@123review.123review or
> 123test.review.com. Are there any other variations to be concerned
> with, or could someone else confirm?

That looks right, checking Conf/Parser.pm.  blacklist_from internally
adds a "$" so it must match the rightmost part of any address.

> So while blacklist_from requires the wildcard match, 
> blacklist_uri_host does not.

Indeed blacklist_uri_host does not permit wildcards.  It must be an
exact match with the top 1-10 parts (labels).

> Also, at some time, Axb had posted a list of the new TLDs that are
> a significant source of spam and included domains like xxx and xyz.
> Does anyone have an updated list that might be helpful?

Try http://rss.uribl.com/tlds/index.html (it's percentages per domain,
rather than per email)
.uno, .red, .black, .blue, .pink, .click, .xyz all seem significantly
abused.
.asia and .link seem to have cleaned up a bit in the last few months,
.science less so. xxx probably isn't very useful to spammers.

Also 20_aux_tlds.cf contains a link to the full IANA gTLD list.

If you want to be less severe, maybe a meta rule using Paul's
BODY_NEWDOMAIN_14_FMBLA with enlist_uri_host setting a range of scores
as described at https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6458#c3

CK
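
The matching behaviour described in the reply above, as an added example that is not part of the original post and is not SpamAssassin's own code: a simplified Python model that assumes only what the thread states (blacklist_from globs are anchored at the end of the address; blacklist_uri_host compares the rightmost 1-10 labels exactly). The function names and the sample addresses and hosts are constructed for illustration.

```python
import re

def addrlist_regex(glob):
    """Model of a blacklist_from entry: '*' and '?' are wildcards, every
    other character is literal, and the whole address must match."""
    parts = []
    for ch in glob.lower():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts))

def from_listed(address, globs):
    # fullmatch anchors both ends, so the pattern's tail must be the
    # rightmost part of the address.
    return any(addrlist_regex(g).fullmatch(address.lower()) for g in globs)

def uri_host_listed(host, listed, max_labels=10):
    """Model of blacklist_uri_host: no wildcards; the rightmost 1..10
    labels of the URI host, joined by dots, are compared exactly."""
    labels = host.lower().rstrip(".").split(".")
    for depth in range(1, min(max_labels, len(labels)) + 1):
        if ".".join(labels[-depth:]) in listed:
            return True
    return False

# Entries from the thread; the addresses and hosts below are constructed.
FROM_GLOBS = ["*.review", "*.work", "*.date"]
URI_HOSTS = {"review", "work", "date"}

def demo():
    senders = ["user@123test.review", "user@123review.com",
               "user@123review.123review", "user@123test.review.com"]
    hosts = ["shop.123test.review", "123review.com", "review.example.com"]
    return ({s: from_listed(s, FROM_GLOBS) for s in senders},
            {h: uri_host_listed(h, URI_HOSTS) for h in hosts})

if __name__ == "__main__":
    by_sender, by_host = demo()
    for name, hit in list(by_sender.items()) + list(by_host.items()):
        print(f"{name:30} {'listed' if hit else 'not listed'}")
```

In this model, dropping the dot from the glob ("*review") would also list user@example.123review, which is the kind of false positive the label boundary prevents.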

Re: PatioDeals@****** how to get high score

Posted by Alex <my...@gmail.com>.
Hi,

>>> in the .cf file I added
>>> blacklist_from *.review
>>> blacklist_from *.work
>>> blacklist_from *.date
>>
>> I would use the following:
>>
>> blacklist_uri_host review
>> blacklist_uri_host work
>> blacklist_uri_host date
>
> you want both: a bad sender using the domain as well as a URI to the domain and
> without having tested it on my own: make sure it does only match when the
> domain ends with "review", "work", "date" to prevent FP

Are you talking about it somehow matching "123review", for example? It
appears that it refers to only the rhs of the address. For example
"blacklist_from *.review" catches user@123test.review but not
user@123review.com or user@123review.123review or 123test.review.com.
Are there any other variations to be concerned with, or could someone
else confirm?

So while blacklist_from requires the wildcard match,
blacklist_uri_host does not.

Also, at some time, Axb had posted a list of the new TLDs that are a
significant source of spam and included domains like xxx and xyz. Does
anyone have an updated list that might be helpful?

Thanks,
Alex