Re: score sender domains with 4+ chars in TLD?
On Sat, 13 Jun 2020 18:44:46 +0100 Martin Gregorie wrote:

> > FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
>
> I did wonder how many 4+ character TLDs there are - can't remember
> when I last saw one,

As I said, I have a list of TLDs that have been seen in my ham and penalize the others a bit (without regard to length). As I don't put mailing lists through SA, the list is quite short.
Re: score sender domains with 4+ chars in TLD?
On Sat, 2020-06-13 at 15:25 +0100, RW wrote:
> On Sat, 13 Jun 2020 03:10:52 +0100
> Martin Gregorie wrote:
>
> > > You can easily update the rbldnsd zone data (just write/update the
> > > data file, no need to restart spamd) and could create a custom
> > > scoring value based on the DNS data (EG 127.0.0.2 for really 'good'
> > > TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).
> >
> > The advantage of this approach is that if you use a less-than-basic
> > database, i.e. one that allows multiple simultaneous connections,
> > rather than a single connection DBMS like sqlite, you can share it
> > between several SA instances and use anything from an interactive
> > SQL tool to a mobile app to maintain the blacklist. And there's no
> > need to stop anything to update the database content.
>
> FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.

I did wonder how many 4+ character TLDs there are - can't remember when I last saw one, but my main point was that the sort of setup I described is easy and pretty quick to set up if you know a bit of Perl and - equally important - is very easy to replicate for a different spam type once you've got one running. It's also a lot less of a kludge than the 'portmanteau rules' I use, with maintenance being simple in both cases.

Martin
Re: score sender domains with 4+ chars in TLD?
On Sat, 13 Jun 2020 03:10:52 +0100 Martin Gregorie wrote:

> > You can easily update the rbldnsd zone data (just write/update the
> > data file, no need to restart spamd) and could create a custom
> > scoring value based on the DNS data (EG 127.0.0.2 for really 'good'
> > TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).
>
> The advantage of this approach is that if you use a less-than-basic
> database, i.e. one that allows multiple simultaneous connections,
> rather than a single connection DBMS like sqlite, you can share it
> between several SA instances and use anything from an interactive
> SQL tool to a mobile app to maintain the blacklist. And there's no
> need to stop anything to update the database content.

FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
Re: score sender domains with 4+ chars in TLD?
> You can easily update the rbldnsd zone data (just write/update the
> data file, no need to restart spamd) and could create a custom scoring
> value based on the DNS data (EG 127.0.0.2 for really 'good' TLDs,
> 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).
>
A blocklist system that would be a little harder to write, but MUCH easier to maintain, would be to put the list in a lightweight database, e.g. MariaDB, and use a Perl plugin module to interface it to SA. The easy way to do this is to find a similar Perl plugin and hack it to suit - that's not hard to do.

The database is dead simple: one table containing one column to hold unwanted domains/addresses, declared as the primary key to index it. Something like:

    create table blacklist (domain varchar(80) primary key);

The advantage of this approach is that if you use a less-than-basic database, i.e. one that allows multiple simultaneous connections, rather than a single connection DBMS like sqlite, you can share it between several SA instances and use anything from an interactive SQL tool to a mobile app to maintain the blacklist. And there's no need to stop anything to update the database content.

Martin
Re: score sender domains with 4+ chars in TLD?
On 2020-06-13 03:02, Dave Funk wrote:

> This sounds like a perfect application for a custom DNS-bl lookup/list.
> Create a local custom rbldnsd server "dnset" zone from a data file with
> your blessed TLDs, then a rule doing a rbl check using the hostname from
> the From address with custom scoring.
>
> You can easily update the rbldnsd zone data (just write/update the data
> file, no need to restart spamd) and could create a custom scoring value
> based on the DNS data (EG 127.0.0.2 for really 'good' TLDs, 127.0.0.4
> for 'so-so' and 127.0.0.8 for truly spammy names).

https://www.isc.org/blogs/qname-minimization-and-privacy/

Let's hope rbldnsd will soon handle that. I have disabled this breaking dnsbl feature in bind9.
Re: score sender domains with 4+ chars in TLD?
On Sat, 13 Jun 2020, RW wrote:

> On Fri, 12 Jun 2020 09:22:40 -0400
> AJ Weber wrote:
>
> > I want to try adding a score for a sender whose address uses a TLD
> > with > 3 chars.
> >
> > I realize there are some legit ones, but I'm going to test it with a
> > low score and see what it catches.
>
> What I did was grep my mail for TLDs seen in ham and then create a rule
> __NORMAL_TLD
>
> I then score a point for:
>
> __HAS_FROM && ! __NORMAL_TLD
>
> This probably won't scale well beyond a few users though. If I were a
> bit more energetic I'd autogenerate the rule from cron.

This sounds like a perfect application for a custom DNS-bl lookup/list. Create a local custom rbldnsd server "dnset" zone from a data file with your blessed TLDs, then a rule doing a rbl check using the hostname from the From address with custom scoring.

You can easily update the rbldnsd zone data (just write/update the data file, no need to restart spamd) and could create a custom scoring value based on the DNS data (EG 127.0.0.2 for really 'good' TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).

--
Dave Funk                                  University of Iowa
                                           College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include
Better is not better, 'standard' is better.  B{
Re: score sender domains with 4+ chars in TLD?
On Fri, 12 Jun 2020 09:22:40 -0400 AJ Weber wrote:

> I want to try adding a score for a sender whose address uses a TLD
> with > 3 chars.
>
> I realize there are some legit ones, but I'm going to test it with a
> low score and see what it catches.

What I did was grep my mail for TLDs seen in ham and then create a rule __NORMAL_TLD

I then score a point for:

__HAS_FROM && ! __NORMAL_TLD

This probably won't scale well beyond a few users though. If I were a bit more energetic I'd autogenerate the rule from cron.
Re: score sender domains with 4+ chars in TLD?
Cool. Thanks.

On 6/12/2020 11:04 AM, Kris Deugau wrote:
> AJ Weber wrote:
> > I want to try adding a score for a sender whose address uses a TLD
> > with > 3 chars.
> >
> > I realize there are some legit ones, but I'm going to test it with a
> > low score and see what it catches.
> >
> > Is it just something like:
> >
> > header From =~ /\.\w{4,}$/
>
> You'll probably want to use the :addr specifier to match only on the
> actual address:
>
> header LONG_TLD From:addr /\.\w{4,}$/
>
> Otherwise your rule won't match much mail at all unless the From:
> header consists of a completely bare email address.
>
> -kgd
Re: score sender domains with 4+ chars in TLD?
AJ Weber wrote:
> I want to try adding a score for a sender whose address uses a TLD
> with > 3 chars.
>
> I realize there are some legit ones, but I'm going to test it with a
> low score and see what it catches.
>
> Is it just something like:
>
> header From =~ /\.\w{4,}$/

You'll probably want to use the :addr specifier to match only on the actual address:

header LONG_TLD From:addr /\.\w{4,}$/

Otherwise your rule won't match much mail at all unless the From: header consists of a completely bare email address.

-kgd
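Added example, not code from the thread: a Python sketch of the two rule ideas discussed in it, Kris Deugau's point that the `\.\w{4,}$` regex only works once `From:addr` strips the display name, and RW's inverted allowlist of TLDs seen in ham rendered as the `__NORMAL_TLD` / meta rule pair he mentions autogenerating from cron. The sample From headers are constructed and the helper names are mine; `__HAS_FROM` is SpamAssassin's stock rule and is not redefined here.

```python
import re
from email.utils import parseaddr

# The regex from the thread: a final label of four or more word characters.
LONG_TLD = re.compile(r"\.\w{4,}$")

def from_addr(header_value):
    """Approximate SpamAssassin's From:addr: the bare addr-spec, lowercased."""
    addr = parseaddr(header_value)[1].lower()
    return addr if "@" in addr else ""

def tld(addr):
    """Last label of the domain part of an address ('' if there is none)."""
    return addr.rpartition("@")[2].rpartition(".")[2]

def long_tld_hits(header_value):
    """(raw header matches, From:addr matches): shows why :addr is needed."""
    return (bool(LONG_TLD.search(header_value)),
            bool(LONG_TLD.search(from_addr(header_value))))

def normal_tlds(ham_from_headers):
    """TLDs seen in ham: the allowlist RW greps out of his mail."""
    return sorted({tld(from_addr(h)) for h in ham_from_headers if from_addr(h)})

def render_rules(tlds, score=1.0):
    """Emit the __NORMAL_TLD / meta rule pair RW describes, e.g. from a cron job."""
    alternation = "|".join(re.escape(t) for t in tlds)
    return "\n".join([
        f"header __NORMAL_TLD From:addr =~ /\\.(?:{alternation})$/i",
        "meta ODD_TLD __HAS_FROM && !__NORMAL_TLD",
        f"score ODD_TLD {score}",
    ])

def odd_tld(header_value, tlds):
    """Same verdict as the meta rule: a From address whose TLD is not in the ham list."""
    addr = from_addr(header_value)
    return bool(addr) and tld(addr) not in tlds

# Constructed sample From headers standing in for a ham corpus.
HAM_FROM = [
    '"Alice Example" <alice@example.com>',
    "bob@lists.example.org",
    "Carol <carol@example.co.uk>",
    '"Dan" <dan@example.info>',   # a 4-letter TLD that is legitimate here
]

if __name__ == "__main__":
    tlds = normal_tlds(HAM_FROM)
    print(render_rules(tlds))
    for h in ['"Eve" <eve@example.photography>', "eve@example.photography"]:
        print(h, long_tld_hits(h), odd_tld(h, tlds))
```

Note that `dan@example.info` is caught by the length rule but passes the allowlist, which is the trade-off RW's approach makes.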
score sender domains with 4+ chars in TLD?
I want to try adding a score for a sender whose address uses a TLD with > 3 chars.

I realize there are some legit ones, but I'm going to test it with a low score and see what it catches.

Is it just something like:

header From =~ /\.\w{4,}$/

Thanks in advance.

- AJ