Posted to users@spamassassin.apache.org by "@lbutlr" <kr...@kreme.com> on 2020/07/01 16:01:37 UTC

Re: Frequency of SUSP_NTLD updates

On 30 Jun 2020, at 09:31, RW <rw...@googlemail.com> wrote:
> On Tue, 30 Jun 2020 11:30:17 +0000
> Roald Stolte wrote:
> 
> 
>> These mails were all using TLDs such as .site and .online and were
>> getting marked because of it.

Are others seeing a decrease in spam from .site and .online? All I see from these TLDs is 100% spam. They are not at the volume that .top was when this free-for-all on TLDs started, but they are not generating any legitimate mail on my servers. I've loosened some restrictions on .fm, .tv and .info, since there are legitimate senders there, but even those are still mostly spam.

I see connections from domains like server.creativecabin.online, mail.mobile-advertising.site, mail.freebitcoins.site, and fame.servetxt.online, and most of it is coming in to spam-trap email addresses.

> You could just drop the score for FROM_SUSPICIOUS_NTLD &
> FROM_SUSPICIOUS_NTLD_FP.

This is probably the best way, but I'd be wary of dropping it too much.



-- 
Good old Dame Fortune. You can _depend_ on her.


Re: Frequency of SUSP_NTLD updates

Posted by RW <rw...@googlemail.com>.
On Wed, 1 Jul 2020 10:20:50 -0700 (PDT)
John Hardin wrote:


> I realize this isn't really a welcome solution per the original note
> but until the legitimate use of those TLDs grows the rules punishing
> them do have value.


There ought to be a delist version of enlist_addrlist though.

Re: Frequency of SUSP_NTLD updates

Posted by John Hardin <jh...@impsec.org>.
On Wed, 1 Jul 2020, @lbutlr wrote:

> On 30 Jun 2020, at 09:31, RW <rw...@googlemail.com> wrote:
>> On Tue, 30 Jun 2020 11:30:17 +0000
>> Roald Stolte wrote:
>>
>>> These mails were all using TLDs such as .site and .online and were
>>> getting marked because of it.
>
> Are others seeing a decrease in spam from .site and .online? All I see
> from these TLDs is 100% spam. They are not at the volume that .top was
> when this free-for-all on TLDs started, but they are not generating any
> legitimate mail on my servers.

That matches my experience.

>> You could just drop the score for FROM_SUSPICIOUS_NTLD &
>> FROM_SUSPICIOUS_NTLD_FP.
>
> This is probably the best way, but I'd be wary of dropping it too much.

Especially as the rule covers *other* rarely-legit TLDs as well, and that 
would impact their scoring.

I'd suggest instead a rule with an offsetting negative score (not 
necessarily an actual whitelist/accept entry as that's *too* generous) for 
the TLDs (or if possible the specific domains in those TLDs) that are 
causing problems.

I realize this isn't really a welcome solution per the original note but 
until the legitimate use of those TLDs grows the rules punishing them do 
have value.


-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Microsoft is not a standards body.
-----------------------------------------------------------------------
  3 days until the 244th anniversary of the Declaration of Independence
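The offsetting rule John describes above, and the narrower-than-whitelist approach RW's delist remark is after, written out as an added example for local.cf. This is not code from the thread or from the SpamAssassin project; the domain names and the -1.5 score are assumptions chosen for illustration, and the offset should be tuned against the FROM_SUSPICIOUS_NTLD score actually in effect on the installation.

```spamassassin
# Added example (not from the thread). Sub-rule (leading "__", so it is
# never scored on its own) that matches the envelope/From address of the
# specific senders in .online / .site that are known to be legitimate.
# The domains here are placeholders; list your own.
header   __LOCAL_NTLD_OK_FROM   From:addr =~ /\@(?:example-legit\.online|other-legit\.site)$/i

# Meta rule: fires only when FROM_SUSPICIOUS_NTLD already hit AND the sender
# is one of the listed domains. Because it is tied to the original rule, it
# does nothing for mail from the same TLDs that is not on the list, and it
# leaves the scoring of every other rarely-legit TLD untouched.
meta     LOCAL_NTLD_OK_OFFSET   (FROM_SUSPICIOUS_NTLD && __LOCAL_NTLD_OK_FROM)
describe LOCAL_NTLD_OK_OFFSET   Known-legit sender in a TLD otherwise penalised by FROM_SUSPICIOUS_NTLD

# Assumed value: a partial offset rather than a full cancel, so the rest of
# the message still has to look clean to pass. Adjust to taste.
score    LOCAL_NTLD_OK_OFFSET   -1.5
```

After adding this, run `spamassassin --lint` to confirm the rule names and regex parse, and check a sample from one of the listed senders with `spamassassin -t < message.eml` to see both FROM_SUSPICIOUS_NTLD and LOCAL_NTLD_OK_OFFSET listed in the test report. Unlike a `whitelist_from` entry, this only removes part of one rule's penalty, so a listed domain that starts sending spam is still caught by everything else.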