On Wed, 2014-10-15 at 17:01 -0400, Ken Bass wrote:
> On 10/15/2014 4:52 PM, Kevin A. McGrail wrote:
> > On 10/15/2014 4:49 PM, Ken Bass wrote:
> >> 1) My local.cf has a rule to address the new .link domain which 
> >> spammers appear to be using recently:
> >>
> >> uri LR_LINK_TLD /^(?:https?:\/\/|mailto:)[^\/]+\.link(?:\/|$)/i
> >> describe LR_LINK_TLD  Contains a URL in the LINK top-level domain
> >> score LR_LINK_TLD     3.0
> >>
> >> 2) The URIDNSBL rules are not being executed for these emails either.
> >>
> >> Debug of SA shows an empty domains to query: Huh?
> >> Oct 15 16:24:55.416 [15519] dbg: uridnsbl: domains to query:
> >>
> >> Here is the pastebin link to the full spam email:
> >>
> >> http://pastebin.com/RJWyGkKB
> > The TLDs are hardcoded in SA 3.3.2.   We are working on not having 
> > them hard-coded in 3.4.1.
> >
> > I believe someone made a patch suitable for 3.3.2 but I can't find it 
> > at the moment.
> 
> Sorry but I think you might be confusing some specific TLD related rule 
> issues rather than the more generic custom uri rules and uridnsbl rules 
> that I am using. Because these work fine on OTHER emails. Something in 
> specific emails, like the one in the above pastebin are causing the 
> issue. I've got lots of other emails that hit the above LR_LINK_TLD  
> and/or URIBL_DBL_SPAM.
> 
I'm certain KAM is right and here's why.

I recently wrote a set of three experimental rules to detect *.link
Rules in body text, Received headers and From headers and set up some
test messages since I've yet to see any .link TLDs. The body text rule
was, of course, a URI rule. It didn't work though the other two rules,
which used ordinary regexes with \.link as part of the expression,
worked as expected. Eventually, as a debugging aid I changed the rules
and the test messages to search for \.com and all three rules worked as
expected. 

IOW, uri rules depend on matching the terminal part of the domain name
with an entry in SA's built-in TLD list and my version, installed from
the Fedora repo, doesn't yet include .link. 

I reverted my rules and test messages to test for the .link TLD and am
now waiting for a TLD list that contains .link to percolate through the
Fedora update process.


HTH
Martin
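
An added illustration of the behaviour described in this message, not SpamAssassin's code and not something posted in the thread: a simplified Python model in which a URL is kept only when its last label is in a TLD list, so a missing TLD leaves both the uri rule and the blocklist query list with nothing to evaluate. The TLD sets, the sample message and the function names are constructed assumptions; only the LR_LINK_TLD pattern comes from the thread.

```python
import re

# Constructed stand-ins for a built-in TLD list before and after an update.
OLD_TLDS = {"com", "net", "org", "info"}
NEW_TLDS = OLD_TLDS | {"link"}

# Candidate URL: optional scheme, dotted host name, optional path.
CANDIDATE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+([a-z]{2,}))(?:/\S*)?", re.I)
# The uri rule pattern quoted in the thread, unchanged.
LR_LINK_TLD = re.compile(r"^(?:https?:\/\/|mailto:)[^\/]+\.link(?:\/|$)", re.I)

# Constructed sample body containing only a .link URL.
SAMPLE = "Great deals at http://promo.example.link/offer today"


def extract(body, tlds):
    """Split candidates into accepted (uri, host) pairs and dropped hosts."""
    accepted, dropped = [], []
    for m in CANDIDATE.finditer(body):
        uri, host, tld = m.group(0), m.group(1).lower(), m.group(2).lower()
        if tld not in tlds:
            dropped.append(host)  # never reaches uri rules or blocklist lookups
            continue
        if not uri.lower().startswith(("http://", "https://")):
            uri = "http://" + uri  # schemeless match, normalised for the rule
        accepted.append((uri, host))
    return accepted, dropped


def scan(body, tlds):
    """Evaluate the uri rule and build the blocklist query list."""
    accepted, dropped = extract(body, tlds)
    return {
        "rule_hit": any(LR_LINK_TLD.search(uri) for uri, _ in accepted),
        # Simplification: registered domain taken as the last two labels.
        "domains_to_query": sorted({".".join(h.split(".")[-2:]) for _, h in accepted}),
        "dropped": dropped,
    }


if __name__ == "__main__":
    for name, tlds in (("old list", OLD_TLDS), ("new list", NEW_TLDS)):
        print(name, scan(SAMPLE, tlds))
```

A non-empty "dropped" list alongside an empty "domains_to_query" is the pattern to look for: URLs were present in the message but were never handed to the rules.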