Mailing List Archive

score sender domains with 4+ chars in TLD?
I want to try adding a score for a sender whose address uses a TLD with
> 3 chars.

I realize there are some legit ones, but I'm going to test it with a low
score and see what it catches.

Is it just something like:
header   From =~   /\.\w{4,}$/


Thanks in advance.

- AJ
Re: score sender domains with 4+ chars in TLD? [ In reply to ]
AJ Weber wrote:
> I want to try adding a score for a sender whose address uses a TLD with
> > 3 chars.
>
> I realize there are some legit ones, but I'm going to test it with a low
> score and see what it catches.
>
> Is it just something like:
> header   From =~   /\.\w{4,}$/

You'll probably want to use the :addr specifier to match only on the
actual address:

header LONG_TLD From:addr =~ /\.\w{4,}$/

Otherwise your rule won't match much mail at all unless the From: header
consists of a completely bare email address.

-kgd
Re: score sender domains with 4+ chars in TLD? [ In reply to ]
Cool.  Thanks.


On 6/12/2020 11:04 AM, Kris Deugau wrote:
> AJ Weber wrote:
>> I want to try adding a score for a sender whose address uses a TLD
>> with  > 3 chars.
>>
>> I realize there are some legit ones, but I'm going to test it with a
>> low score and see what it catches.
>>
>> Is it just something like:
>> header   From =~   /\.\w{4,}$/
>
> You'll probably want to use the :addr specifier to match only on the
> actual address:
>
> header LONG_TLD    From:addr =~ /\.\w{4,}$/
>
> Otherwise your rule won't match much mail at all unless the From:
> header consists of a completely bare email address.
>
> -kgd
Re: score sender domains with 4+ chars in TLD? [ In reply to ]
On Fri, 12 Jun 2020 09:22:40 -0400
AJ Weber wrote:

> I want to try adding a score for a sender whose address uses a TLD
> with > 3 chars.
>
> I realize there are some legit ones, but I'm going to test it with a
> low score and see what it catches.


What I did was grep my mail for TLDs seen in ham and then create a
rule __NORMAL_TLD.

I then score a point for:

__HAS_FROM && ! __NORMAL_TLD


This probably won't scale well beyond a few users though.


If I were a bit more energetic I'd autogenerate the rule from cron.
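As an added example (not code from the thread or from SpamAssassin itself), the script below shows both points made so far in Python: why AJ's pattern only matches when it is applied to From:addr rather than the raw From: header, and RW's alternative of allowlisting the TLDs seen in ham and scoring everything else via a meta rule. The ham corpus is constructed, and the rule names ODD_TLD and the `exists:From` definition of __HAS_FROM are assumptions, since the thread does not show how RW defines __HAS_FROM.

```python
import re
from collections import Counter
from email.utils import parseaddr

# The pattern AJ proposed, taken from the thread.
LONG_TLD_RE = re.compile(r"\.\w{4,}$")

def from_addr(from_header):
    """Reduce a From: header to the bare address, as SpamAssassin's From:addr does."""
    return parseaddr(from_header)[1].lower()

def long_tld_matches(from_header, use_addr=True):
    r"""Run /\.\w{4,}$/ against From:addr (use_addr=True) or the raw From: header."""
    target = from_addr(from_header) if use_addr else from_header
    return LONG_TLD_RE.search(target) is not None

def tld_of(from_header):
    """Return the sender's TLD (lower-case), or None when the address has no dotted domain."""
    addr = from_addr(from_header)
    if "@" not in addr:
        return None
    domain = addr.split("@", 1)[1]
    return domain.rsplit(".", 1)[1] if "." in domain else None

def seen_tlds(ham_from_headers, min_count=1):
    """RW's step 1: the set of TLDs seen in ham (optionally require min_count sightings)."""
    counts = Counter(t for t in map(tld_of, ham_from_headers) if t)
    return {t for t, n in counts.items() if n >= min_count}

def normal_tld_rules(ham_from_headers):
    """RW's step 2: emit __NORMAL_TLD plus the scoring meta rule as SpamAssassin config text.
    __HAS_FROM is defined here with exists: in case the local rule set lacks it (assumption)."""
    alt = "|".join(re.escape(t) for t in sorted(seen_tlds(ham_from_headers)))
    return (
        "header __HAS_FROM exists:From\n"
        f"header __NORMAL_TLD From:addr =~ /\\.(?:{alt})$/i\n"
        "meta ODD_TLD (__HAS_FROM && !__NORMAL_TLD)\n"
        "score ODD_TLD 1.0\n"
    )

def odd_tld(from_header, normal):
    """Evaluate the meta rule __HAS_FROM && !__NORMAL_TLD for one From: header."""
    return bool(from_header.strip()) and tld_of(from_header) not in normal

# Constructed sample ham corpus (not real mail).
HAM_FROM = ["Alice <alice@example.com>", "bob@example.org",
            "Carol <carol@mail.example.co.uk>", "dave@example.com"]

if __name__ == "__main__":
    print(normal_tld_rules(HAM_FROM))
    for h in ["AJ Weber <aj@example.online>", "eve@example.com"]:
        print(h, long_tld_matches(h, use_addr=False), long_tld_matches(h), odd_tld(h, seen_tlds(HAM_FROM)))
```

Feeding a real ham mailbox's From: headers into `normal_tld_rules` and writing the output to a file under the SA rules directory is the cron-driven regeneration RW mentions.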
Re: score sender domains with 4+ chars in TLD? [ In reply to ]
On Sat, 13 Jun 2020, RW wrote:

> On Fri, 12 Jun 2020 09:22:40 -0400
> AJ Weber wrote:
>
>> I want to try adding a score for a sender whose address uses a TLD
>> with > 3 chars.
>>
>> I realize there are some legit ones, but I'm going to test it with a
>> low score and see what it catches.
>
>
> What I did was grep my mail for TLDs seen in ham and then create a
> rule __NORMAL_TLD.
>
> I then score a point for:
>
> __HAS_FROM && ! __NORMAL_TLD
>
>
> This probably won't scale well beyond a few users though.
>
>
> If I were a bit more energetic I'd autogenerate the rule from cron.

This sounds like a perfect application for a custom DNS-bl lookup/list.

Create a local custom rbldnsd server "dnset" zone from a data file with your
blessed TLDs, then a rule doing a rbl check using the hostname from the From
address with custom scoring.

You can easily update the rbldnsd zone data (just write/update the data file, no
need to restart spamd) and could create a custom scoring value based on the DNS
data (e.g. 127.0.0.2 for really 'good' TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8
for truly spammy names).




--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: score sender domains with 4+ chars in TLD? [ In reply to ]
On 2020-06-13 03:02, Dave Funk wrote:

> This sounds like a perfect application for a custom DNS-bl lookup/list.
>
> Create a local custom rbldnsd server "dnset" zone from a data file
> with your blessed TLDs, then a rule doing a rbl check using the
> hostname from the From address with custom scoring.
>
> You can easily update the rbldnsd zone data (just write/update the
> data file, no need to restart spamd) and could create a custom scoring
> value based on the DNS data (e.g. 127.0.0.2 for really 'good' TLDs,
> 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).

https://www.isc.org/blogs/qname-minimization-and-privacy/

lets hope rbldnsd is soon to handle that

i have disabled this breaking dnsbl feature in bind9
Re: score sender domains with 4+ chars in TLD? [ In reply to ]
> You can easily update the rbldnsd zone data (just write/update the
> data file, no need to restart spamd) and could create a custom scoring
> value based on the DNS data (e.g. 127.0.0.2 for really 'good' TLDs,
> 127.0.0.4 for 'so-so' and 127.0.0.8
> for truly spammy names).
>
A blocklist system that would be a little harder to write, but MUCH
easier to maintain, would be to put the list in a lightweight database,
e.g. MariaDB, and use a Perl plugin module to interface it to SA. The
easy way to do this is to find a similar Perl plugin and hack it to suit;
that's not hard to do.

The database is dead simple: one table containing one column to hold
unwanted domains/addresses declared as the prime key to index it.
Something like:

create table blacklist (
    domain varchar(80) primary key
);

The advantage of this approach is that if you use a less-than-basic
database, i.e. one that allows multiple simultaneous connections, rather
than a single connection DBMS like sqlite, you can share it between
several SA instances and use anything from an interactive SQL tool to a
mobile app to maintain the blacklist. And there's no need to stop anything
to update the database content.

Martin

Re: score sender domains with 4+ chars in TLD? [ In reply to ]
On Sat, 13 Jun 2020 03:10:52 +0100
Martin Gregorie wrote:

> > You can easily update the rbldnsd zone data (just write/update the
> > data file, no need to restart spamd) and could create a custom
> > scoring value based on the DNS data (e.g. 127.0.0.2 for really 'good'
> > TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8
> > for truly spammy names).

> The advantage of this approach is that if you use a less-than-basic
> database, i.e. one that allows multiple simultaneous connections,
> rather than a single connection DBMS like sqlite, you can share it
> between several SA instances and use anything from an interactive
> SQL tool to a mobile app to maintain the blacklist. And there's no
> need to stop anything to update the database content.

FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
Re: score sender domains with 4+ chars in TLD? [ In reply to ]
On Sat, 2020-06-13 at 15:25 +0100, RW wrote:
> On Sat, 13 Jun 2020 03:10:52 +0100
> Martin Gregorie wrote:
>
> > > You can easily update the rbldnsd zone data (just write/update the
> > > data file, no need to restart spamd) and could create a custom
> > > scoring value based on the DNS data (e.g. 127.0.0.2 for really
> > > 'good'
> > > TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8
> > > for truly spammy names).
> > The advantage of this approach is that if you use a less-than-basic
> > database, i.e. one that allows multiple simultaneous connections,
> > rather than a single connection DBMS like sqlite, you can share it
> > between several SA instances and use anything from an interactive
> > SQL tool to a mobile app to maintain the blacklist. And there's no
> > need to stop anything to update the database content.
>
> FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
>
I did wonder how many 4+ character TLDs there are - Can't remember when
I last saw one, but my main point was that the sort of setup I described
is easy and pretty quick to set up if you know a bit of Perl and -
equally important - is very easy to replicate for a different spam type
once you've got one running. It's also a lot less of a kludge than the
'portmanteau rules' I use, with maintenance being simple in both cases.

Martin
Re: score sender domains with 4+ chars in TLD? [ In reply to ]
On Sat, 13 Jun 2020 18:44:46 +0100
Martin Gregorie wrote:


> > FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
> >
> I did wonder how many 4+ character TLDs there are - Can't remember
> when I last saw one,

As I said I have a list of TLDs that have been seen in my ham and
penalize the others a bit (without regard to length). As I don't put
mailing lists through SA the list is quite short.