Re: Scoring by registrar?

Sun, 30 Jun 2019 10:52:05 -0700 


On 6/30/19 9:51 AM, Martin Gregorie wrote:

On Sun, 2019-06-30 at 09:08 -0700, Sean Lynch wrote:

A very large number (nearly all, in fact) of the spams I receive
these days involve domains registered with Namecheap. I've received
hundreds of spams involving .icu domains from what appear to be the
same spammer.


Write a local rule that adds points for mails from .icu


Such a rule already exists. I've bumped up its score already.




I also receive a large number of scams impersonating Bitmain, again
using domains involving Namecheap.


As above, but for Bitmain.


Thanks. I'm aware I can do this.




While Namecheap does suspend at least some domains within days of
their being used in a campaign, it's clear that these are being
treated as single-use domains, so this has very little impact on the
spammers. Since for whatever reason they're so attractive to spammers
that they seem to be a nearly universal choice, at least for spams I
get, I'd like to add a spam score to any message using a domain
registered with them.


If you don't mind a delay in receiving mail from hosts you've never seen
before, why not implement a greylister?

https://en.wikipedia.org/wiki/Greylisting


Thanks. I'm aware of greylisting already.



Does such functionality already exist in SpamAssassin?

Defining local rules has always been possible.



Thanks. I'm aware of this. I was asking what functionality exists, if 
any, for determining who a domain's registrar is.




Greylisters are used to front end your MTA, so work independently of
Spamassassin.

I find combinations of rules can be surprisingly specific, e.g. to catch
sales spam:

- write a rule that contains a list of selling terms with a very small
   positive score (0.001)
- write another rule that contains a list of products pushed by
   spammers, again with a very small positive score
- write a meta rule the triggers only when both the previous rules
   are hit and give it a significant score

   
If you avoid sales terms and product names/descriptions that are in

common use the meta rule will cause few false positives.



Thanks. As I said, been using SpamAssassin (and generally fighting spam) 
for years, so I'm already aware of this.



  
Martin

























					Reply via email to