On 6/30/19 10:08 AM, Sean Lynch wrote:
Hi, everyone! I used to run my own mail servers back in the mid '90s and even worked as the postmaster for a regional ISP and worked on mail servers for some large corporations and even a small national ISP as a consultant. After a hiatus where I drank the hosted email kool-aid, I'm back to hosting my own email.

Welcome back to the fray.  :-)

At the moment I'm using a combination of SMTP-time DNSBL and other checks and SpamAssassin at delivery time for spam filtering. Very few spams are even making it to SpamAssassin, but many that do make it all the way through into my inbox.

:-(

A very large number (nearly all, in fact) of the spams I receive these days involve domains registered with Namecheap. I've received hundreds of spams involving .icu domains from what appear to be the same spammer. I also receive a large number of scams impersonating Bitmain, again using domains involving Namecheap.

Is Namecheap just the registrar?  Or are they also hosting the DNS service?

While Namecheap does suspend at least some domains within days of their being used in a campaign, it's clear that these are being treated as single-use domains, so this has very little impact on the spammers. Since for whatever reason they're so attractive to spammers that they seem to be a nearly universal choice, at least for spams I get, I'd like to add a spam score to any message using a domain registered with them.

Does such functionality already exist in SpamAssassin? Is there an RHSBL or some other simple mechanism I could use to look up the registrar for a domain?

I'm not sure how to check for Namecheap as the domain registrar. I think it should be relatively easy to check if Namecheap is being used for the DNS service by checking what DNS servers are used. Perhaps you could alter the score that way.

I think you could likely take this a step further and use something like BIND's features to alter responses to DNS queries based on the DNS server the information comes from. Meaning you could break email from domains using specific DNS servers. }:-) This means that you could configure your MTA to require valid DNS (which it should be doing anyway). Thus your email server would not accept email from domains that use Namecheap DNS servers. }:-D

I think there are also lists of domains that have been recently registered, which might help if the single-use domains were recently registered.



--
Grant. . . .
unix || die
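
The name-server check suggested in the reply above, sketched as an added example (not code from either poster or from SpamAssassin). The provider suffixes, the score values, and the injected `lookup_ns` resolver are assumptions; the sample NS data is constructed.

```python
from typing import Callable, Iterable, List, Optional, Tuple

# Assumed parent zones of the DNS provider's name servers; verify before use.
PROVIDER_NS_SUFFIXES = ("registrar-servers.com", "namecheaphosting.com")
SCORE_ALL, SCORE_SOME = 2.0, 1.0  # hypothetical scores, tune locally

def _norm(name: str) -> str:
    return name.strip().rstrip(".").lower()

def under_suffix(host: str, suffixes: Iterable[str]) -> bool:
    """Match on a label boundary so 'notregistrar-servers.com' does not hit."""
    host = _norm(host)
    return any(host == s or host.endswith("." + s) for s in map(_norm, suffixes))

def find_zone_ns(domain: str, lookup_ns: Callable[[str], List[str]]
                 ) -> Tuple[Optional[str], List[str]]:
    """NS records live at the zone apex, so walk up from the sender domain."""
    labels = _norm(domain).split(".")
    while len(labels) >= 2:
        name = ".".join(labels)
        ns = [_norm(n) for n in lookup_ns(name)]
        if ns:
            return name, ns
        labels = labels[1:]
    return None, []

def ns_score(domain: str, lookup_ns: Callable[[str], List[str]],
             suffixes: Iterable[str] = PROVIDER_NS_SUFFIXES) -> float:
    """Score by how many of the zone's name servers sit at the provider."""
    suffixes = tuple(suffixes)
    _zone, ns = find_zone_ns(domain, lookup_ns)
    if not ns:
        return 0.0  # no NS data: left to the MTA's valid-DNS requirement
    hits = sum(under_suffix(n, suffixes) for n in ns)
    if hits == len(ns):
        return SCORE_ALL
    return SCORE_SOME if hits else 0.0

# Constructed NS answers standing in for a real resolver.
SAMPLE_NS = {
    "bulk.example": ["dns1.registrar-servers.com.", "DNS2.Registrar-Servers.com"],
    "legit.example": ["ns1.legit.example.", "ns2.legit.example."],
    "lookalike.example": ["ns1.notregistrar-servers.com."],
    "mixed.example": ["dns1.registrar-servers.com.", "ns1.mixed.example."],
}

def sample_lookup(name: str) -> List[str]:
    return SAMPLE_NS.get(name, [])
```

In a live setup `lookup_ns` would wrap a real NS query, and the returned value would be added to the message's spam score.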
