On 6/30/19 11:00 AM, Grant Taylor wrote:
> On 6/30/19 10:08 AM, Sean Lynch wrote:
>> Hi, everyone! I used to run my own mail servers back in the mid '90s
>> and even worked as the postmaster for a regional ISP and worked on
>> mail servers for some large corporations and even a small national
>> ISP as a consultant. After a hiatus where I drank the hosted email
>> kool-aid, I'm back to hosting my own email.
>
> Welcome back to the fray. :-)
>
>> At the moment I'm using a combination of SMTP-time DNSBL and other
>> checks and SpamAssassin at delivery time for spam filtering. Very few
>> spams are even making it to SpamAssassin, but many that do make it
>> all the way through into my inbox.
>
> :-(
>
>> A very large number (nearly all, in fact) of the spams I receive
>> these days involve domains registered with Namecheap. I've received
>> hundreds of spams involving .icu domains from what appear to be the
>> same spammer. I also receive a large number of scams impersonating
>> Bitmain, again using domains involving Namecheap.
>
> Is Namecheap just the registrar? Or are they also hosting the DNS
> service?

Ah, I should have mentioned that. Unfortunately, they're just the
registrar. I suspect the spammers use DNS servers they can update
quickly, but since it's slower to update NS records and glue records,
the nameserver IPs and names might make interesting extra signals to
score on.

>> While Namecheap does suspend at least some domains within days of
>> their being used in a campaign, it's clear that these are being
>> treated as single-use domains, so this has very little impact on the
>> spammers. Since for whatever reason they're so attractive to spammers
>> that they seem to be a nearly universal choice, at least for spams I
>> get, I'd like to add a spam score to any message using a domain
>> registered with them.
>>
>> Does such functionality already exist in SpamAssassin? Is there an
>> RHSBL or some other simple mechanism I could use to look up the
>> registrar for a domain?
>
> I'm not sure how to check for Namecheap as the domain registrar. I
> think it should be relatively easy to check if Namecheap is being
> used for the DNS service by checking what DNS servers are used.
> Perhaps you could alter the score that way.
>
> I think you could likely take this a step further and use something
> like BIND's features to alter responses to DNS queries based on the
> DNS server the information comes from. Meaning you could break email
> from domains using specific DNS servers. }:-) This means that you
> could configure your MTA to require valid DNS (which it should be
> doing anyway). Thus your email server would not accept email from
> domains that use Namecheap DNS servers. }:-D
>
> I think there are also lists of domains that have been recently
> registered. Which might help if the single-use domains were recently
> registered.
I do plan to set up a DNS server at some point in order to implement my
own DNSBLs among other things.
About 1/3 of both the .icu and Bitmain spams do hit one of the
FROM_FMBLA_NEWDOM rules. I've bumped the scores up for those so that any
recently-registered .icu domain will always go to my junk folder.
One of my goals is to incentivize Namecheap to make themselves less
attractive to spammers. Having one person use their being the registrar
as a spam signal doesn't accomplish that, but inspiring many people to
might.
Even better would be to use signals like that as an SMTP-time test so
that senders will (hopefully) see a bounce message that says they need
to register with dnswl.org if they want to be able to send email from a
Namecheap-registered domain. I should probably investigate mtpolicyd a
little more closely; right now I just use policyd-spf-python to reject
any messages that fail SPF, but that catches almost nothing because the
spammers who are able to get past the DNSBLs I use typically have set up
all the right records for their throwaway domains, including SPF and DKIM.
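Two ideas in the thread fit together: Grant's suggestion of scoring a sender domain by the nameservers it delegates to (NS records change more slowly than the zone contents), and Sean's wish to apply such a signal at SMTP time with a bounce text pointing at dnswl.org. The block below is an added example, not code from the thread, from SpamAssassin, or from mtpolicyd/policyd-spf-python: a minimal Postfix SMTPD policy check in Python that parses the policy request, walks the sender domain upward to find the delegation point, matches the nameserver names against a scored suffix list, and answers REJECT, PREPEND (a header SpamAssassin can score on later) or DUNNO. The nameserver suffixes, the resolver and the threshold are constructed assumptions; a real deployment would plug in a DNS library and its own suffix list. Resolver failures deliberately fail open, since an unanswered NS query is not evidence of anything.

```python
"""Score a sender domain by its nameservers inside a Postfix policy reply.

Added example (not from the list thread or any named project).  The suffix
list, the fake resolver and the threshold are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed scored nameserver suffixes: hypothetical providers the operator
# wants to penalise.  Matching is per delegation, so a zone with five
# nameservers under the same suffix is scored once, not five times.
NS_SUFFIX_SCORES: Dict[str, float] = {
    "suspect-dns.example": 5.0,   # hypothetical: reject outright
    "parked-ns.example": 2.0,     # hypothetical: only add a header
}
REJECT_AT = 4.0  # constructed threshold

Resolver = Callable[[str], List[str]]  # name -> NS target names (may be empty)


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse Postfix's 'name=value' lines; an empty line ends the request."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        if "=" in line:
            key, value = line.split("=", 1)
            attrs[key.strip()] = value.strip()
    return attrs


def sender_domain(attrs: Dict[str, str]) -> Optional[str]:
    """Domain part of the envelope sender, or None for the null sender."""
    sender = attrs.get("sender", "")
    if "@" not in sender:
        return None
    return sender.rsplit("@", 1)[1].lower().rstrip(".")


def find_delegation(domain: str, resolve: Resolver) -> Tuple[Optional[str], List[str]]:
    """Walk up from the domain until a name with NS records is found.

    Stops before the TLD, so 'mail.example.icu' is tried, then 'example.icu',
    but never 'icu'.  Returns (zone, normalised nameserver names).
    """
    labels = domain.split(".")
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        names = resolve(zone)
        if names:
            return zone, sorted(n.lower().rstrip(".") for n in names)
    return None, []


def score_nameservers(ns_names: List[str], suffix_scores: Dict[str, float]) -> Tuple[float, List[str]]:
    """Highest suffix score matched by any nameserver, plus the matching names."""
    best, hits = 0.0, []
    for ns in ns_names:
        for suffix, points in suffix_scores.items():
            if ns == suffix or ns.endswith("." + suffix):
                hits.append(ns)
                best = max(best, points)
                break
    return best, hits


def policy_decision(raw_request: str, resolve: Resolver,
                    suffix_scores: Dict[str, float] = NS_SUFFIX_SCORES,
                    reject_at: float = REJECT_AT) -> str:
    """Return a complete Postfix policy reply ('action=...' plus blank line)."""
    attrs = parse_policy_request(raw_request)
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO\n\n"
    domain = sender_domain(attrs)
    if domain is None:
        return "action=DUNNO\n\n"            # bounces use the null sender
    zone, ns_names = find_delegation(domain, resolve)
    if not ns_names:
        return "action=DUNNO\n\n"            # no answer: fail open, not closed
    score, hits = score_nameservers(ns_names, suffix_scores)
    if score >= reject_at:
        return (f"action=REJECT Sender domain {zone} delegates to {hits[0]}; "
                f"register at https://dnswl.org/ to send from this domain\n\n")
    if score > 0:
        return f"action=PREPEND X-NS-Score: {score:.1f} ({zone} -> {', '.join(hits)})\n\n"
    return "action=DUNNO\n\n"


# Constructed NS data standing in for real DNS answers.
FAKE_NS: Dict[str, List[str]] = {
    "example.icu": ["dns2.suspect-dns.example.", "dns1.suspect-dns.example."],
    "parked.example": ["a.parked-ns.example."],
    "good.example": ["ns1.good.example.", "ns2.good.example."],
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_NS.get(name, [])


# Constructed sample request as Postfix would send it to a policy server.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nprotocol_state=RCPT\n"
                  "sender=promo@mail.example.icu\nrecipient=me@good.example\n"
                  "client_address=192.0.2.10\n\n")

if __name__ == "__main__":
    print(policy_decision(SAMPLE_REQUEST, fake_resolve), end="")
```

Wiring this into Postfix means serving it over a socket under `check_policy_service` in `smtpd_sender_restrictions`, after any dnswl-based whitelist entry so that listed senders are never asked the question; the walk-up in `find_delegation` matters because senders often use a mail subdomain whose NS records live one label higher.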