Re: score sender domains with 4+ chars in TLD?

2020-06-14 Thread RW
On Sat, 13 Jun 2020 18:44:46 +0100
Martin Gregorie wrote:


> > FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
> >  
> I did wonder how many 4+ character TLDs there are - Can't remember
> when I last saw one, 

As I said I have a list of TLDs that have been seen in my ham and
penalize the others a bit (without regard to length). As I don't put
mailing lists through SA the list is quite short. 


Re: score sender domains with 4+ chars in TLD?

2020-06-13 Thread Martin Gregorie
On Sat, 2020-06-13 at 15:25 +0100, RW wrote:
> On Sat, 13 Jun 2020 03:10:52 +0100
> Martin Gregorie wrote:
> 
> > > You can easily update the rbldnsd zone data (just write/update the
> > > data file, no need to restart spamd) and could create a custom
> > > scoring value based on the DNS data (EG 127.0.0.2 for really 'good'
> > > TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).
> > The advantage of this approach is that if you use a less-than-basic
> > database, i.e. one that allows multiple simultaneous connections,
> > rather than a single connection DBMS like sqlite, you can share it
> > between several SA instances and use anything from an interactive
> > SQL tool to a mobile app to maintain the blacklist. And there's no
> > need to stop anything to update the database content.
> 
> FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.
>
I did wonder how many 4+ character TLDs there are - Can't remember when
I last saw one, but my main point was that the sort of setup I described
is easy and pretty quick to set up if you know a bit of Perl and -
equally important - is very easy to replicate for a different spam type
once you've got one running. It's also a lot less of a kludge than the
'portmanteau rules' I use, with maintenance being simple in both cases.

Martin





Re: score sender domains with 4+ chars in TLD?

2020-06-13 Thread RW
On Sat, 13 Jun 2020 03:10:52 +0100
Martin Gregorie wrote:

> > You can easily update the rbldnsd zone data (just write/update the
> > data file, no need to restart spamd) and could create a custom
> > scoring value based on the DNS data (EG 127.0.0.2 for really 'good'
> > TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).

> The advantage of this approach is that if you use a less-than-basic
> database, i.e. one that allows multiple simultaneous connections,
> rather than a single connection DBMS like sqlite, you can share it
> between several SA instances and use anything from an interactive
> SQL tool to a mobile app to maintain the blacklist. And there's no
> need to stop anything to update the database content.

FWIW I've added 6 TLDs and 2 exceptions in the past 5 years.


Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread Martin Gregorie
> You can easily update the rbldnsd zone data (just write/update the
> data file, no need to restart spamd) and could create a custom scoring
> value based on the DNS data (EG 127.0.0.2 for really 'good' TLDs,
> 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).
> 
A blocklist system that would be a little harder to write, but MUCH
easier to maintain, would be to put the list in a lightweight database,
e.g. MariaDB, and use a Perl plugin module to interface it to SA. The
easy way to do this is to find a similar Perl plugin and hack it to suit
- that's not hard to do.

The database is dead simple: one table containing one column to hold
unwanted domains/addresses declared as the prime key to index it.
Something like:

create table blacklist
(
   domain  varchar(80) primary key
);

The advantage of this approach is that if you use a less-than-basic
database, i.e. one that allows multiple simultaneous connections, rather
than a single connection DBMS like sqlite, you can share it between
several SA instances and use anything from an interactive SQL tool to a
mobile app to maintain the blacklist. And there's no need to stop anything
to update the database content.

Martin






Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread Benny Pedersen

On 2020-06-13 03:02, Dave Funk wrote:

> This sounds like a perfect application for a custom DNS-bl lookup/list.
>
> Create a local custom rbldnsd server "dnset" zone from a data file
> with your blessed TLDs, then a rule doing a rbl check using the
> hostname from the From address with custom scoring.
>
> You can easily update the rbldnsd zone data (just write/update the
> data file, no need to restart spamd) and could create a custom scoring
> value based on the DNS data (EG 127.0.0.2 for really 'good' TLDs,
> 127.0.0.4 for 'so-so' and 127.0.0.8 for truly spammy names).

https://www.isc.org/blogs/qname-minimization-and-privacy/

Let's hope rbldnsd is soon able to handle that.

I have disabled this breaking dnsbl feature in bind9.


Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread Dave Funk

On Sat, 13 Jun 2020, RW wrote:

> On Fri, 12 Jun 2020 09:22:40 -0400
> AJ Weber wrote:
>
> > I want to try adding a score for a sender whose address uses a TLD
> > with > 3 chars.
> >
> > I realize there are some legit ones, but I'm going to test it with a
> > low score and see what it catches.
>
> What I did was grep my mail for TLDs seen in ham and then create a
> rule __NORMAL_TLD
>
> I then score a point for:
>
> __HAS_FROM  && ! __NORMAL_TLD
>
> This probably won't scale well beyond a few users though.
>
> If I were a bit more energetic I'd autogenerate the rule from cron.

This sounds like a perfect application for a custom DNS-bl lookup/list.

Create a local custom rbldnsd server "dnset" zone from a data file with your
blessed TLDs, then a rule doing a rbl check using the hostname from the From
address with custom scoring.

You can easily update the rbldnsd zone data (just write/update the data file, no
need to restart spamd) and could create a custom scoring value based on the DNS
data (EG 127.0.0.2 for really 'good' TLDs, 127.0.0.4 for 'so-so' and 127.0.0.8
for truly spammy names).





--
Dave Funk   University of Iowa
 College of Engineering
319/335-5751   FAX: 319/384-05491256 Seamans Center, 103 S Capitol St.
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread RW
On Fri, 12 Jun 2020 09:22:40 -0400
AJ Weber wrote:

> I want to try adding a score for a sender whose address uses a TLD
> with  > 3 chars.  
> 
> I realize there are some legit ones, but I'm going to test it with a
> low score and see what it catches.


What I did was grep my mail for TLDs seen in ham and then create a
rule __NORMAL_TLD

I then score a point for:

__HAS_FROM  && ! __NORMAL_TLD


This probably won't scale well beyond a few users though.


If I were a bit more energetic I'd autogenerate the rule from cron.


Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread AJ Weber

Cool.  Thanks.


On 6/12/2020 11:04 AM, Kris Deugau wrote:

> AJ Weber wrote:
> > I want to try adding a score for a sender whose address uses a TLD
> > with > 3 chars.
> >
> > I realize there are some legit ones, but I'm going to test it with a
> > low score and see what it catches.
> >
> > Is it just something like:
> > header   From =~   /\.\w{4,}$/
>
> You'll probably want to use the :addr specifier to match only on the
> actual address:
>
> header LONG_TLD    From:addr =~ /\.\w{4,}$/
>
> Otherwise your rule won't match much mail at all unless the From:
> header consists of a completely bare email address.
>
> -kgd


Re: score sender domains with 4+ chars in TLD?

2020-06-12 Thread Kris Deugau

AJ Weber wrote:
> I want to try adding a score for a sender whose address uses a TLD
> with > 3 chars.
>
> I realize there are some legit ones, but I'm going to test it with a low
> score and see what it catches.
>
> Is it just something like:
> header   From =~   /\.\w{4,}$/

You'll probably want to use the :addr specifier to match only on the
actual address:

header LONG_TLD    From:addr =~ /\.\w{4,}$/

Otherwise your rule won't match much mail at all unless the From: header
consists of a completely bare email address.

-kgd
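A worked version of two ideas in this thread, RW's "grep ham for TLDs and build __NORMAL_TLD" rule and Kris's From:addr point, as an added example that is not code from any post here. The sample From: headers are constructed, the scored rule name UNUSUAL_TLD is an assumed name, and __HAS_FROM and From:addr are the SpamAssassin names used in the thread.

```python
"""Added example (not from the thread): builds RW's __NORMAL_TLD rule from
ham From: addresses and shows why Kris's From:addr specifier is needed.
Assumed: ham arrives as a list of raw From: header values (constructed here)."""
import re
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Constructed sample From: headers standing in for a grep over a ham folder.
HAM_FROM_HEADERS = [
    '"Alice Example" <alice@example.com>',
    'bob@mail.example.org',
    'Carol <carol@example.co.uk>',
    'Dept <news@example.info>',
    'Dave <dave@example.com>',
]

LONG_TLD_RE = re.compile(r'\.\w{4,}$')   # the regex proposed in the thread

def tld_of(from_header: str) -> Optional[str]:
    """TLD of the address in a From: header (what From:addr exposes), or None."""
    _, addr = parseaddr(from_header)
    if '@' not in addr or '.' not in addr.rsplit('@', 1)[1]:
        return None
    return addr.rsplit('.', 1)[1].lower()

def ham_tlds(headers) -> List[str]:
    """Sorted, de-duplicated TLDs seen in ham: the list RW greps for."""
    return sorted({t for t in (tld_of(h) for h in headers) if t})

def normal_tld_rules(tlds) -> str:
    """Emit the rule pair RW describes as local.cf text (UNUSUAL_TLD is an assumed name)."""
    alt = '|'.join(re.escape(t) for t in tlds)
    return (
        f"header   __NORMAL_TLD  From:addr =~ /\\.(?:{alt})$/i\n"
        "meta     UNUSUAL_TLD   __HAS_FROM && !__NORMAL_TLD\n"
        "score    UNUSUAL_TLD   1.0\n"
    )

def long_tld_matches(from_header: str) -> Tuple[bool, bool]:
    """(match on the raw header, match on the bare address) for /\\.\\w{4,}$/."""
    raw = LONG_TLD_RE.search(from_header) is not None
    addr = LONG_TLD_RE.search(parseaddr(from_header)[1]) is not None
    return raw, addr

if __name__ == '__main__':
    print(normal_tld_rules(ham_tlds(HAM_FROM_HEADERS)))
    print(long_tld_matches('Dept <news@example.info>'))   # (False, True)
```

A cron job that rewrites the emitted text into a local .cf file is the "autogenerate the rule" step RW mentions; the second function shows the raw-header regex failing on any From: with a display name while the From:addr form matches.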


score sender domains with 4+ chars in TLD?

2020-06-12 Thread AJ Weber
I want to try adding a score for a sender whose address uses a TLD with
more than 3 chars (> 3).


I realize there are some legit ones, but I'm going to test it with a low 
score and see what it catches.


Is it just something like:
header   From =~   /\.\w{4,}$/


Thanks in advance.

- AJ