Mailing List Archive

.science the new leper of TLD's?
No offense to lepers, but is .science to be avoided? I’ve had email this week from about 17 different .science domain names, and 13 were blocked because of ZenBL and the rest turned out to be SPAM anyway.

I’m thinking that I should just refuse connections from any host whose rDNS is .science…

Has anyone had any POSITIVE experiences with .science domain names?
Re: .science the new leper of TLD's?
On 19.06.2015 19:42, Philip Prindeville wrote:
> No offense to lepers, but is .science to be avoided? I’ve had email this week from about 17 different .science domain names, and 13 were blocked because of ZenBL and the rest turned out to be SPAM anyway.
>
> I’m thinking that I should just refuse connections from any host whose rDNS is .science…
>
> Has anyone had any POSITIVE experiences with .science domain names?
>

nuke it... till you hear of an FP

and if you run a local NS BL: ns1.alpnames.com
Re: .science the new leper of TLD's?
* Philip Prindeville <philipp_subx@redfish-solutions.com>:
> No offense to lepers, but is .science to be avoided? I’ve had email this week from about 17 different .science domain names, and 13 were blocked because of ZenBL and the rest turned out to be SPAM anyway.
>
> I’m thinking that I should just refuse connections from any host whose rDNS is .science…
>
> Has anyone had any POSITIVE experiences with .science domain names?

They have been a PITA and I've started to block them completely.

p@rick

--
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Franziskanerstraße 15, 81669 München

Registered office: Munich, Munich District Court: HRB 199263
Executive board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the supervisory board: Florian Kirstein
Re: .science the new leper of TLD's?
On 19/06/15 18:46, Axb wrote:
> On 19.06.2015 19:42, Philip Prindeville wrote:
>> No offense to lepers, but is .science to be avoided? I’ve had email
>> this week from about 17 different .science domain names, and 13 were
>> blocked because of ZenBL and the rest turned out to be SPAM anyway.
>>
>> I’m thinking that I should just refuse connections from any host whose
>> rDNS is .science…
>>
>> Has anyone had any POSITIVE experiences with .science domain names?
>>

KAM's rules have rules for these suspect TLDs already.

I've attached a small bit of config for my personal DNSBL for newly
registered domains in these TLDs - I find it helps for domains not found
by other URIBLs yet. The zonefiles are updated and diff'd daily.

It'd be interesting to see other people's success with this list.

Thanks,

Paul
--
Paul Stead
Systems Engineer
Zen Internet
RE: .science the new leper of TLD's?
Ditto here. Along with a handful of other junk domains like the colors (.red, .blue, etc.) and a couple of country codes. Some I kill at the MTA, some I just poison pill with spam scores.

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4500
Registered Linux User No: 307357


> -----Original Message-----
> From: Patrick Ben Koetter [mailto:p@sys4.de]
> Sent: Friday, June 19, 2015 10:23 AM
> To: users@spamassassin.apache.org
> Subject: Re: .science the new leper of TLD's?
>
> * Philip Prindeville <philipp_subx@redfish-solutions.com>:
> > No offense to lepers, but is .science to be avoided? I’ve had email
> this week from about 17 different .science domain names, and 13 were
> blocked because of ZenBL and the rest turned out to be SPAM anyway.
> >
> > I’m thinking that I should just refuse connections from any host whose
> rDNS is .science…
> >
> > Has anyone had any POSITIVE experiences with .science domain names?
>
> They have been a PITA and I've started to block them completely.
>
> p@rick
>
> --
> [*] sys4 AG
>
> https://sys4.de, +49 (89) 30 90 46 64
> Franziskanerstraße 15, 81669 München
>
> Registered office: Munich, Munich District Court: HRB 199263
> Executive board: Patrick Ben Koetter, Marc Schiffbauer
> Chairman of the supervisory board: Florian Kirstein
>
Re: .science the new leper of TLD's?
for convenience, postfix & SA TLD-blocking snippets together:

in postfix

/etc/postfix/main.cf
...
smtpd_sender_restrictions =
...
+ check_sender_access pcre:/etc/postfix/reject_TLDs.pcre
permit_mynetworks
permit_tls_clientcerts
reject_non_fqdn_sender
reject_unknown_sender_domain
...

/etc/postfix/reject_TLDs.pcre
/\.science$/ REJECT 554 5.7.1 Mail from .science TLD not accepted

in spamassassin

/etc/spamassassin/local.cf
...
loadplugin Mail::SpamAssassin::Plugin::WLBLEval
loadplugin Mail::SpamAssassin::Plugin::Shortcircuit
...
blacklist_uri_host science
...
body URI_HOST_IN_BLACKLIST eval:check_uri_host_in_blacklist()
describe URI_HOST_IN_BLACKLIST domain is in the URL's black-list
tflags URI_HOST_IN_BLACKLIST userconf noautolearn
score URI_HOST_IN_BLACKLIST 100.0
shortcircuit URI_HOST_IN_BLACKLIST spam
priority URI_HOST_IN_BLACKLIST -700
...

Effective & easily extended to multiple TLDs.

Our growing list includes:

adult, audio, click, club, lgbt, link, mobi, ninja, porn, pw, rocks, science, sexy, space, sucks, website, work, xxx, xyz

For our usage, "0% false positives". YMMV.
Re: .science the new leper of TLD's?
On 19 Jun 2015, at 13:46, Axb wrote:

> On 19.06.2015 19:42, Philip Prindeville wrote:
>> No offense to lepers, but is .science to be avoided? I’ve had
>> email this week from about 17 different .science domain names, and 13
>> were blocked because of ZenBL and the rest turned out to be SPAM
>> anyway.
>>
>> I’m thinking that I should just refuse connections from any host
>> whose rDNS is .science…
>>
>> Has anyone had any POSITIVE experiences with .science domain names?

Nope. None of the recent crop of new gTLDs has been the source of
measurable legitimate mail. The .science sewer is the latest in a steady
stream of gTLDs to be poisoned by spammers taking advantage of an
inherently irresponsible registry business model.

> nuke it... till you hear of an FP
>
> and if you run a local NS BL: ns1.alpnames.com

FWIW: this particular flow of coagulated pink slime (~87% EHLO ~=
/^[0-9a-f]{8}.[a-z0-9]{4,9}.science$/) started in March and got an order
of magnitude boost in number of connections in the past week. Sadly for
the idiots driving it, the junk doesn't even get to SpamAssassin if you
have a smart greeting pause (i.e. postscreen) in place. For sites with
less crafty connection handling, it is taking Spamhaus about a minute to
notice and list both new sending IPs for this stuff (in their CSS) and
URL domains (in the DBL.) I also have yet to see one hitting the systems
I administer and reaching SA scanning before its body URLs trigger
URIBL_BLACK, but that's probably just site luck: no domains
alphabetically ahead of 'c'. The MIDs for this spammer are also
idiosyncratic enough that it is simple to write a local rule that
matches them only, score it 20, and force auto-learning.

Or, shorter: slaughter it and use the DNA to identify its descendants.
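
A dry run of the two checks described in this thread, the end-anchored TLD match from the Postfix/SpamAssassin snippets and the EHLO shape quoted in the post above, as an added example that is not part of any post. It counts, over constructed Postfix reject lines, how many envelope senders the TLD list would reject and how many HELO names fit the shape; the log lines, the name `analyse` and the escaped dots in the HELO pattern are assumptions of this example.

```python
import re
from collections import Counter

# TLD list quoted in the thread; extend it the same way the pcre table is extended.
BLOCKED_TLDS = ("adult audio click club lgbt link mobi ninja porn pw rocks "
                "science sexy space sucks website work xxx xyz").split()

# End-anchored TLD test as in reject_TLDs.pcre (Postfix pcre tables ignore case by default).
SENDER_RE = re.compile(r"\.(%s)$" % "|".join(map(re.escape, BLOCKED_TLDS)), re.I)
# EHLO shape from the thread, with the dots escaped so they match only a literal dot.
HELO_RE = re.compile(r"^[0-9a-f]{8}\.[a-z0-9]{4,9}\.science$", re.I)
FIELD_RE = re.compile(r"\b(from|helo)=<([^>]*)>")

# Constructed smtpd reject lines (documentation IPs, made-up host names, shortened reason).
_LINE = ("Jun 19 10:01:02 mx postfix/smtpd[411]: NOQUEUE: reject: RCPT from "
         "unknown[192.0.2.10]: 554 5.7.1 blocked; from=<%s> to=<u@example.org> "
         "proto=ESMTP helo=<%s>")
SAMPLE_LOG = "\n".join(_LINE % pair for pair in [
    ("a@3fa9c1d2.example1.science", "3fa9c1d2.example1.science"),
    ("b@0b77e4aa.example2.science", "0b77e4aa.example2.science"),
    ("news@mail.example.xyz", "mail.example.xyz"),
    ("alice@science.example.com", "mx.example.com"),         # 'science' is not the TLD
    ("BOB@LISTS.EXAMPLE.SCIENCE", "lists.example.science"),  # case-insensitive TLD hit
    ("", "c0ffee00.example3.science"),                       # null sender: HELO only
])

def analyse(log_text):
    """Count senders the TLD list would reject and HELO names of the quoted shape."""
    tld_hits, helo_hits, total = Counter(), 0, 0
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "from" not in fields:
            continue                  # not an smtpd line carrying an envelope sender
        total += 1
        m = SENDER_RE.search(fields["from"])
        if m:
            tld_hits[m.group(1).lower()] += 1
        if HELO_RE.match(fields.get("helo", "")):
            helo_hits += 1
    return {"lines": total, "by_tld": dict(tld_hits), "helo_shape": helo_hits}

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Running it over a real log before enabling the reject rule shows which TLDs would actually fire; the null-sender line shows traffic that the sender-address check does not match but the HELO shape does.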
Re: .science the new leper of TLD's?
On 21/06/2015 06:46, Bill Cole wrote:

> Nope. None of the recent crop of new gTLDs has been the source of measurable legitimate mail. The .science sewer is the latest in a steady stream of gTLDs to be poisoned by spammers taking advantage of an inherently irresponsible registry business model.
>
> Has anyone had any POSITIVE experiences with .science domain names?

.science
.red
.blue
.green
all sewer rats
Re: .science the new leper of TLD's?
On 19/06/15 18:46, Axb wrote:

>
> and if you run a local NS BL: ns1.alpnames.com
>

Some of these domains look legit, not sure about sources of spam, mind?

--
Paul Stead
Systems Engineer
Zen Internet
Re: .science the new leper of TLD's?
On 23.06.2015 08:44, Paul Stead wrote:
>
>
> On 19/06/15 18:46, Axb wrote:
>
>>
>> and if you run a local NS BL: ns1.alpnames.com
>>
>
> Some of these domains look legit, not sure about sources of spam, mind?

maybe, possibly, probably.......

a NS BL entry can add a score - doesn't have to be poison pill.

"serious" sites won't stick to that NS anyway.
Re: .science the new leper of TLD's?
On Tue, Jun 23, 2015 at 09:11:27AM +0200, Axb wrote:
> "serious" sites won't stick to that NS anyway.

And private sites should not be sending e-mail anyway?
Please don't throw out the baby with the bathwater.
Re: .science the new leper of TLD's?
On 23.06.2015 09:18, Marc Selig wrote:
> On Tue, Jun 23, 2015 at 09:11:27AM +0200, Axb wrote:
>> "serious" sites won't stick to that NS anyway.
>
> And private sites should not be sending e-mail anyway?
> Please don't throw out the baby with the bathwater.

have you missed the point?

If someone wants to add a score of X to any URL domain on
ns1.alpnames.com, why not do it?

I just wanted to point out that the common denominator of a whole lot of
crap is being hosted on that NS.
It's a choice you have to do whatever you want with the info provided.