Re: Anyone else just blocking the ".top" TLD?

2017-07-05 Thread Chip M.
Just spotted my first snow with the TLD ".jetzt".
It's selling for $1.88 at NameCheap, so it should become widespread.

On Sat, 05 Nov 2016, at 11:54, @lbutlr (kreme.com) wrote:
>We get some (very little) real mail from info, biz, and name domains.
>All the other new domains are on a "prove you're not terrible"
>status. So far the only one to graduate is .name.

Yes, that's pretty much my approach. :)

Note that the ratio of ham to spam for ".email" has risen 
significantly, with several legit Muggle organizations 
(e.g. acronis, movietickets) buying and using that TLD of their
base name.
Even otherwise-Giga-Geeky "stackoverflow" has joined that trend.

I'm still killing that TLD by default, but have significantly
dropped its score in my FP pipeline.
- "Chip"



Re: Anyone else just blocking the ".top" TLD?

2016-11-05 Thread @lbutlr
On 05 Nov 2016, at 11:54, @lbutlr  wrote:
> 
> tad’s will be quite efferent

tld’s will be quite different

dunno what happened there.

Re: Anyone else just blocking the ".top" TLD?

2016-11-05 Thread @lbutlr
On 03 Nov 2016, at 10:27, Vincent Fox  wrote:
> XYZ insights anyone?  They have been on my reject list
> for a long time, but claim to be cleaning it up.  Thinking to
> drop my shields on this one.

I am still blocking most any TLDs via postfix:

/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp)$/ DUNNO
/.*\.*/ 550 Mail for this TLD is not allowed

We get some (very little) real mail from info, biz, and name domains. All the 
other new domains are on a “prove you’re not terrible” status. So far the only 
one to graduate is .name.

(Of course your list of acceptable tad’s will be quite efferent, I’m sure. I 
don’t have users who get mail from France, for example).




Re: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread Shawn Bakhtiar
1:22 smtp sendmail[14469]: u9GKpGUY014469: 
from=<t...@leaders2016.xyz>, size=0, class=0, nrcpts=0, proto=ESMTP, 
daemon=MTA, relay=[69.94.151.220]
Oct 16 14:40:48 smtp sendmail[15615]: u9GLehHT015615: 
from=<j...@leaders2016.xyz>, size=0, class=0, nrcpts=0, proto=ESMTP, 
daemon=MTA, relay=[69.94.151.222]

The IP range belongs to Lanset America Corporation (LANA), which is a second-rate 
email marketing corp.

I would suggest, if the need is there, opening up individual domains, not the 
entire TLD, unless you are certain your other countermeasures will be 
sufficient in catching spam.



On Nov 3, 2016, at 9:40 AM, Vincent Fox <vb...@ucdavis.edu> wrote:

Indeed, that is what is happening.  I have had requests for
overrides.  I hate maintaining overrides if I no longer need to
even list the domain.  See driver.xyz for example which is legit.

This is an interesting statistics page I had not seen before:

https://ntldstats.com/fraud




Per that, TOP accounts for 64% of the problem.

SCIENCE is next at a mere 8%.

While XYZ comes in at #15 on the SURBL abused domains list
at present in raw numbers, as a percentage of its email volume
it seems its abuse is quite low.
________
From: Shawn Bakhtiar <shashan...@hotmail.com>
Sent: Thursday, November 3, 2016 9:33:59 AM
To: users@spamassassin.apache.org
Subject: Re: Anyone else just blocking the ".top" TLD?

Unless you have customers/employees/vendors complaining that they are not 
receiving legitimate email from that TLD, why would you unblock it??


On Nov 3, 2016, at 9:27 AM, Vincent Fox <vb...@ucdavis.edu> wrote:

Resurrecting thread

TOP remains at the err... top of abuse heap.

XYZ insights anyone?  They have been on my reject list
for a long time, but claim to be cleaning it up.  Thinking to
drop my shields on this one.

https://gen.xyz/blog/antiabuse




Re: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread John Hardin

On Thu, 3 Nov 2016, Vincent Fox wrote:

> TOP remains at the err... top of abuse heap.
>
> XYZ insights anyone?  They have been on my reject list for a long time
>
> This is an interesting statistics page I had not seen before:
> https://ntldstats.com/fraud


Hmm. Autoforward them all to the ICANN board members' email addresses? 
They caused the problem in the first place, after all, with their 
promiscuous creation of new TLDs.


(I kid (sorta))

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
   -- Peter da Silva in a.s.r
---
 3 days until Daylight Saving Time ends in U.S. - Fall Back


Re: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread Vincent Fox
Indeed, that is what is happening.  I have had requests for
overrides.  I hate maintaining overrides if I no longer need to
even list the domain.  See driver.xyz for example which is legit.


This is an interesting statistics page I had not seen before:


https://ntldstats.com/fraud




Per that, TOP accounts for 64% of the problem.

SCIENCE is next at a mere 8%.


While XYZ comes in at #15 on the SURBL abused domains list
at present in raw numbers, as a percentage of its email volume
it seems its abuse is quite low.


From: Shawn Bakhtiar <shashan...@hotmail.com>
Sent: Thursday, November 3, 2016 9:33:59 AM
To: users@spamassassin.apache.org
Subject: Re: Anyone else just blocking the ".top" TLD?

Unless you have customers/employees/vendors complaining that they are not 
receiving legitimate email from that TLD why would you un block it??


On Nov 3, 2016, at 9:27 AM, Vincent Fox <vb...@ucdavis.edu> wrote:

Resurrecting thread

TOP remains at the err... top of abuse heap.

XYZ insights anyone?  They have been on my reject list
for a long time, but claim to be cleaning it up.  Thinking to
drop my shields on this one.

https://gen.xyz/blog/antiabuse




Re: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread Vincent Fox
Resurrecting thread

TOP remains at the err... top of abuse heap.

XYZ insights anyone?  They have been on my reject list
for a long time, but claim to be cleaning it up.  Thinking to
drop my shields on this one.

https://gen.xyz/blog/antiabuse


My current total-block list:
From:link                       REJECT
From:website                    REJECT
From:berlin                     REJECT
From:club                       REJECT
From:email                      REJECT
From:csr24.email                OK
From:guru                       REJECT
From:wang                       REJECT
From:xyz                        REJECT
From:driver.xyz                 ACCEPT
From:photography                REJECT
From:rocks                      REJECT
From:click                      REJECT
From:xn--czrs0t                 REJECT
From:xn--hxt814e                REJECT
From:xn--flw351e                REJECT
From:xn--qcka1pmc               REJECT
From:xn--45q11c                 REJECT
From:xn--vermgensberatung-pwb   REJECT
From:xn--vermgensberater-ctb    REJECT
From:xn--p1acf                  REJECT
From:xn--vhquv                  REJECT
From:xn--xhq521b                REJECT
From:xn--1qqw23a                REJECT
From:xn--kput3i                 REJECT
From:xn--4gbrim                 REJECT
From:xn--czr694b                REJECT
From:xn--80adxhks               REJECT
From:xn--ses554g                REJECT
From:xn--czru2d                 REJECT
From:xn--rhqv96g                REJECT
From:xn--nqv7f                  REJECT
From:xn--i1b6b1a6a2e            REJECT
From:xn--nqv7fs00ema            REJECT
From:xn--c1avg                  REJECT
From:xn--d1acj3b                REJECT
From:xn--mgbab2bd               REJECT
From:xn--6frz82g                REJECT
From:xn--io0a7i                 REJECT
From:xn--55qx5d                 REJECT
From:xn--fiq64b                 REJECT
From:xn--3bst00m                REJECT
From:xn--6qq986b3xl             REJECT
From:xn--fiq228c5hs             REJECT
From:xn--3ds443g                REJECT
From:xn--55qw42g                REJECT
From:xn--zfr164b                REJECT
From:xn--q9jyb4c                REJECT
From:xn--ngbc5azd               REJECT
From:xn--80asehdb               REJECT
From:xn--80aswg                 REJECT
From:xn--unup4y                 REJECT
From:ninja                      REJECT
From:gripe                      REJECT
From:loans                      REJECT
From:luxury                     REJECT
From:market                     REJECT
From:marketing                  REJECT
From:pink                       REJECT
From:whoswho                    REJECT
From:work                       REJECT
From:cricket                    REJECT
From:xn--plai                   REJECT
From:review                     REJECT
From:country                    REJECT
From:kim                        REJECT
From:science                    REJECT
From:party                      REJECT
From:gq                         REJECT
From:top                        REJECT
From:uno                        REJECT
From:win                        REJECT
From:download                   REJECT
From:tk                         REJECT
From:pw                         REJECT
From:international              REJECT
From:slice.international        OK
From:date                       REJECT
From:gdn                        REJECT
From:pro                        REJECT
From:mm.law.pro                 OK
From:npocpa.pro                 OK
From:bid                        REJECT
From:trade                      REJECT
From:press                      REJECT
From:faith                      REJECT
From:racing                     REJECT
From:stream                     REJECT
From:diet                       REJECT
From:tokyo                      REJECT
From:accountant                 REJECT
From:webcam                     REJECT
From:help                       REJECT
From:space                      REJECT
From:men                        REJECT






Re: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread Shawn Bakhtiar
Unless you have customers/employees/vendors complaining that they are not 
receiving legitimate email from that TLD, why would you unblock it??


On Nov 3, 2016, at 9:27 AM, Vincent Fox wrote:

Resurrecting thread

TOP remains at the err... top of abuse heap.

XYZ insights anyone?  They have been on my reject list
for a long time, but claim to be cleaning it up.  Thinking to
drop my shields on this one.

https://gen.xyz/blog/antiabuse




RE: Anyone else just blocking the ".top" TLD?

2016-11-03 Thread Motty Cruz
Getting tons of this: 

top.professional.wo...@ub6eual.cpatter.top

I am just blocking "*.top"

From: Vincent Fox [mailto:vb...@ucdavis.edu] 
Sent: Thursday, November 03, 2016 9:27 AM
To: users@spamassassin.apache.org
Subject: Re: Anyone else just blocking the ".top" TLD?


Resurrecting thread

TOP remains at the err... top of abuse heap.

XYZ insights anyone?  They have been on my reject list
for a long time, but claim to be cleaning it up.  Thinking to
drop my shields on this one.

https://gen.xyz/blog/antiabuse




Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Lindsay Haisley
On Thu, 2016-09-08 at 13:44 +, Chip M. wrote:
> On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
> > 
> > i get a diff-output per mail each time the mailserver configs
> > are changing
> That's a completely valid approach, and I am a big fan of
> pre-emptive first strike (only as applied to potentially evil
> email).
> 
> However, the vast majority of those TLDs will never
> "go rogue", so I prefer to block on actual abuse
> (Jason's approach), or likelihood of abuse, specifically, very
> low cost.  Jason appears to have much higher volume than I do,
> so he'd be a good source of data for me and others.

The issue is much more nuanced. There are registrars who offer what's
called "domain name tasting", on newly created TLDs. Under this policy,
a name may be registered and put into service _before_ payment is made
for the registration. At one time Network Solutions had this policy
even for the common TLDs, .com, .org, etc. Spammers pay nothing for the
use of such a name, and discard it for a new one before payment for the
name is required.

One of the choke-points for commercial spammers is the provision of an
authoritative name server for their domain names, and I've found it
very effective to do a recursive sequence of server look-ups on the DN
in the helo or ehlo addresses until a name server is found with a DN
for which the authoritative name server has the same DN. This boils
down to a list of less than 10 domain names. I apply a rather strict
form of rate limiting to messages originating from the same /24 IP
address group if the helo DN gets resolved to a name on this list. This
has so far been 100% effective with no evidence of false positives.

This may be out of the realm of SA. I apply this test using a python
program written to work with Gordon Messmer's courier-pythonfilter for
Courier-MTA.

-- 
Lindsay Haisley   | "We have met the enemy and he is us."
FMP Computer Services |
512-259-1190  |  -- Pogo
http://www.fmp.com|
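An added example (not Lindsay's courier-pythonfilter code) of the name-server chain walk and /24 rate limit described above, with DNS replaced by a constructed lookup table so it runs offline. The reading of the chain is an assumption: from the HELO name take the nearest enclosing zone with an NS record, move to the zone the NS host lives in, and repeat until a zone's NS host sits inside that same zone; that self-hosting zone is the choke point the post refers to.

```python
import ipaddress
import time
from collections import defaultdict, deque

# Constructed zone data, not real DNS: zone -> one authoritative NS hostname.
# A deployment would answer ns_lookup() from a resolver instead of this dict.
NS_TABLE = {
    "example.com": "ns1.example.com",            # self-hosted: chain ends here
    "shop.example.com": "ns1.example.com",
    "ub6eual.cpatter.top": "dns1.bulkdns-host.biz",
    "bulkdns-host.biz": "ns.bulkdns-host.biz",   # self-hosted: chain ends here
    "leaders2016.xyz": "a.cheapns.top",
    "cheapns.top": "b.cheapns.top",              # self-hosted: chain ends here
    "loop-a.net": "ns.loop-b.net",               # two zones pointing at each other
    "loop-b.net": "ns.loop-a.net",
}


def ns_lookup(name, table=NS_TABLE):
    """(zone, ns_host) for the closest enclosing zone of `name` that has an
    NS record, or (None, None) when nothing up to the TLD is known."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        if zone in table:
            return zone, table[zone]
    return None, None


def ns_root(helo, table=NS_TABLE, max_hops=8):
    """Follow zone -> NS host's zone -> ... until the NS host is inside the
    zone it serves.  None on a dead end, a loop, or too many hops, so a
    broken chain never gets rate-limited by accident."""
    seen, name = set(), helo
    for _ in range(max_hops):
        zone, ns = ns_lookup(name, table)
        if zone is None or zone in seen:
            return None
        seen.add(zone)
        if ns.endswith("." + zone):
            return zone
        name = ns
    return None


class SlidingWindowLimiter:
    """Sliding-window limit keyed on the client /24, applied only when the
    HELO's NS root is on the flagged list; everything else passes untouched."""

    def __init__(self, flagged_roots, max_per_window=5, window_s=600):
        self.flagged = set(flagged_roots)
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.hits = defaultdict(deque)   # "/24 network" -> recent timestamps

    def decide(self, helo, client_ip, now=None, table=NS_TABLE):
        """Return ("accept" | "defer", ns_root).  Deferring (4xx) rather than
        rejecting keeps mail from a mis-flagged provider recoverable."""
        now = time.time() if now is None else now
        root = ns_root(helo, table)
        if root not in self.flagged:
            return "accept", root
        key = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
        q = self.hits[key]
        while q and now - q[0] > self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max_per_window:
            return "defer", root
        q.append(now)
        return "accept", root
```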




Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread @lbutlr
On 09 Jul 2016, at 08:32, jaso...@mail-central.com wrote:
> 
> Fwiw, atm I block all of the following TLDs

> [big list]

> That list is auto-generated.  Any & all TLDs that have sent > 100 messages 
> within the last year *AND* have a spam/reject rate >= 99% get blocked by TLD, 
> never get past by mail server's 'edge', and don't impose any further load on 
> my server.

That’s a good list, but I take a different approach: I block ALL TLDs except 
for a few that I actually get mail from.

(com|net|org|edu|gov|mx|de|dk|uk|us|info|biz|eu|es|il|it|nl|name|jp)

(and I’m not sure about name anymore, I don’t think I get legit mail from that 
anymore.)

Of course, other people will have other lists, but this one works well for me.

.top is the biggest offender though, we get thousands of those.

I should write up an awk script that searches my maillog for all the tlds that 
try to connect. Well, I can throw something together in a 

Here are all the tlds that I’ve seen in the last week (only searching in 
from=<…> not helo):

.ae, .ar, .at, .au, .bd, .be, .bg, .bid, .biz, .bo, .br, .ca, .cc, .ch, .cl, 
.club, .cn, .co, .com, .coop, .cz, .date, .de, .dk, .ec, .edu, .es, .eu, .fi, 
.firewall, .fr, .gdn, .gov, .gr, .hk, .hr, .hu, .id, .ie, .il, .in, .info, .ir, 
.is, .it, .jp, .kh, .kornet, .kr, .lan, .localdomain, .lt, .lv, .ma, .mail, 
.md, .me, .men, .mk, .mobi, .mv, .mx, .my, .name, .net, .ng, .nl, .no, .nz, 
.online, .org, .orgt, .pa, .pe, .pl, .pt, .pw, .ro, .rs, .ru, .se, .sk, 
.stream, .tk, .tn, .top, .tr, .tw, .uk, .us, .vn, .website, .win, .xyz, .za

And this is the list from helo (ignoring all the IPs):

adsl, ae, ao, ar, arpa, au, bd, be, bg, bid, biz, bo, br, c, ca, cc, cl, club, 
cm, cn, co, com, cy, date, de, do, ec, edu, eg, es, eu, fi, firewall, gdn, gh, 
gov, gr, hu, id, il, in, info, internal, io, ir, it, jp, ke, kh, kornet, kr, 
la, lan, local, localdomain, lt, lv, ly, ma, mail, md, me, men, mobi, mv, mx, 
my, name, net, ni, nl, no, np, online, org, orgt, pe, pk, pl, pt, pw, rs, ru, 
sg, sk, so, space, stream, th, tk, top, tr, tv, tw, uk, us, uy, vn, website, 
win, ws, xyz, za, zw

How are people doing spam counts on a tld basis?
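As an added example (not code from the thread), a script that does the per-TLD spam count asked about above and applies jasonsu's auto-generation rule from the quoted post (strictly more than 100 messages seen AND a reject rate of at least 99%), then renders the result as a Postfix pcre sender-access table. It assumes Postfix-style log lines carrying a from=<user@domain> token and treats lines containing "NOQUEUE: reject:" as refused mail; the log it runs over is constructed.

```python
import re
from collections import defaultdict

FROM_RE = re.compile(r"from=<[^<>@\s]+@([^<>\s]+)>")   # skips the null sender from=<>
REJECT_MARK = "NOQUEUE: reject:"
TLD_RE = re.compile(r"^[a-z0-9-]+$")                   # punycode TLDs (xn--...) included


def tld_of(domain):
    """Last label of a domain, lower-cased; None for anything that is not a
    plausible TLD (an IP literal, an empty or all-digit label)."""
    label = domain.strip().rstrip(".").lower().rsplit(".", 1)[-1]
    return label if TLD_RE.match(label) and not label.isdigit() else None


def tally(lines):
    """Count total and rejected messages per sender TLD."""
    stats = defaultdict(lambda: {"total": 0, "rejected": 0})
    for line in lines:
        m = FROM_RE.search(line)
        if not m:
            continue
        tld = tld_of(m.group(1))
        if tld is None:
            continue
        stats[tld]["total"] += 1
        if REJECT_MARK in line:
            stats[tld]["rejected"] += 1
    return dict(stats)


def select_blocked(stats, min_messages=100, min_reject_rate=0.99):
    """jasonsu's rule: strictly more than min_messages seen AND a reject rate
    at or above min_reject_rate.  Low-volume TLDs stay unblocked however
    spammy, which is the 'block on actual abuse' stance in the thread."""
    return sorted(
        tld for tld, s in stats.items()
        if s["total"] > min_messages and s["rejected"] / s["total"] >= min_reject_rate
    )


def pcre_table(blocked, allowed=("com", "net", "org", "edu")):
    """Render a Postfix pcre sender-access table.  Allowed TLDs come first with
    DUNNO (not OK, so the later smtpd restrictions still run); blocked TLDs
    REJECT.  First match wins, so order matters."""
    rows = [f"/\\.{t}$/ DUNNO" for t in allowed]
    rows += [f"/\\.{t}$/ REJECT Mail from the .{t} TLD is not accepted" for t in blocked]
    return "\n".join(rows) + "\n"


def make_sample_log():
    """Constructed sample, not a real maillog: .top and .men cross both
    thresholds, .com is mostly ham, .xyz is all spam but too rare, and .club
    sits at exactly 100 messages (not strictly more than 100)."""
    def ok(i, dom):
        return (f"Nov  3 09:{i % 60:02d}:00 mx postfix/qmgr[220]: Q{i:06X}: "
                f"from=<u{i}@{dom}>, size=2048, nrcpt=1 (queue active)")

    def bad(i, dom):
        return (f"Nov  3 09:{i % 60:02d}:01 mx postfix/smtpd[310]: NOQUEUE: reject: "
                f"RCPT from unknown[192.0.2.{i % 250 + 1}]: 554 5.7.1 blocked; "
                f"from=<u{i}@{dom}> to=<bob@example.net> proto=ESMTP helo=<{dom}>")

    lines = [bad(i, "deals.top") if i < 149 else ok(i, "deals.top") for i in range(150)]
    lines += [bad(i, "shop.example.com") if i < 4 else ok(i, "shop.example.com") for i in range(200)]
    lines += [bad(i, "leaders2016.xyz") for i in range(60)]
    lines += [bad(i, "offer.men") if i < 100 else ok(i, "offer.men") for i in range(101)]
    lines += [bad(i, "promo.club") for i in range(100)]
    lines.append("Nov  3 09:59:00 mx postfix/qmgr[220]: QBOUNCE: from=<>, size=10, nrcpt=1 (queue active)")
    return lines


if __name__ == "__main__":
    print(pcre_table(select_blocked(tally(make_sample_log()))))
```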




Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread li...@rhsoft.net



On 08.09.2016 at 15:44, Chip M. wrote:

> On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>
>> i get a diff-output per mail each time the mailserver configs
>> are changing
>
> That's a completely valid approach, and I am a big fan of
> pre-emptive first strike (only as applied to potentially evil
> email).
>
> However, the vast majority of those TLDs will never
> "go rogue", so I prefer to block on actual abuse
> (Jason's approach), or likelihood of abuse, specifically, very
> low cost.  Jason appears to have much higher volume than I do,
> so he'd be a good source of data for me and others.


we require at least SPF or DNSWL for them instead of an unconditional reject, 
and the reject text contains a link to Wikipedia explaining what SPF is


the other part of using that file is to "DUNNO" specific TLDs in front 
of the checks and put a final line into helo-restrictions when no DUNNO 
at all matched:


/.*\.*/ REJECT Unacceptable HELO (Invalid TLD) see https://www.ietf.org/rfc/rfc2821.txt and https://www.ietf.org/rfc/rfc1912.txt


-------- Forwarded Message --------
Subject: Cron /usr/local/bin/update-spamfilter.sh
Date: Mon, 29 Aug 2016 16:30:03 +0200 (CEST)

UPDATED: /etc/postfix/blacklist_generic_ptr.cf
 1484a1485
 > /\.eco$/ DUNNO
 2375a2377
 > /\.vanguard$/ DUNNO
-
UPDATED: /etc/postfix/blacklist_helo.cf
 382a383
 > /\.eco$/ DUNNO
 1273a1275
 > /\.vanguard$/ DUNNO
-
UPDATED: /etc/postfix/blacklist_tld.cf
 271a272
 > /\.eco$/ REJECT Spam-TLD (SPF Required: .eco - see 
http://en.wikipedia.org/wiki/Sender_Policy_Framework)

 904a906
 > /\.vanguard$/ REJECT Spam-TLD (SPF Required: .vanguard - see 
http://en.wikipedia.org/wiki/Sender_Policy_Framework)

-

OK: /usr/bin/systemctl reload postfix.service



Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Chip M.
On Thu, 8 Sep 2016, "lists [at] rhsoft.net" wrote:
>i get a diff-output per mail each time the mailserver configs
>are changing

That's a completely valid approach, and I am a big fan of
pre-emptive first strike (only as applied to potentially evil
email).

However, the vast majority of those TLDs will never
"go rogue", so I prefer to block on actual abuse
(Jason's approach), or likelihood of abuse, specifically, very
low cost.  Jason appears to have much higher volume than I do,
so he'd be a good source of data for me and others.

IDIC... or to each his/her own preferred approach. :)
- "Chip"




Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread li...@rhsoft.net


On 08.09.2016 at 10:33, Chip M. wrote:

> On Sat, 09 Jul 2016, jasonsu wrote:
>
>> Fwiw, atm I block all of the following TLDs
>> ...
>> men,
>> ..
>> That list is auto-generated.  Any & all TLDs that have
>> sent > 100 messages within the last year *AND* have a
>
> Great approach Jason! :)
> ".men" just recently appeared in my data, and is not showing up
> on that Surbl tld page.
>
> Please do share any more that you notice. :)


just download https://data.iana.org/TLD/tlds-alpha-by-domain.txt in a 
cronjob, compare it with the last version and re-generate your configs


i get a diff-output per mail each time the mailserver configs are changing
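An added example (not Reindl's update-spamfilter.sh, which the thread does not include) of the cron step described above: parse two snapshots of the IANA TLD list, regenerate the helo and tld tables (DUNNO for every listed TLD in the helo table with a catch-all REJECT behind it, and the SPF-required REJECT for untrusted TLDs in the tld table), and produce the UPDATED/diff report from the forwarded cron mail. The snapshots are constructed strings in the IANA file's format so it runs offline, and the trusted-TLD set is an assumption.

```python
import difflib

# Constructed snapshots in the format of https://data.iana.org/TLD/tlds-alpha-by-domain.txt
# (a '# Version' comment, then one upper-case TLD per line).  Not the real file.
OLD_IANA = ("# Version 2016082900, Last Updated Mon Aug 29 07:07:01 2016 UTC\n"
            "COM\nNET\nORG\nTOP\nXYZ\n")
NEW_IANA = ("# Version 2016082901, Last Updated Mon Aug 29 14:07:01 2016 UTC\n"
            "COM\nECO\nNET\nORG\nTOP\nVANGUARD\nXYZ\n")
TRUSTED = {"com", "net", "org"}   # assumed: TLDs allowed to skip the SPF requirement

SPF_HINT = "http://en.wikipedia.org/wiki/Sender_Policy_Framework"
HELO_CATCHALL = ("/.*\\.*/ REJECT Unacceptable HELO (Invalid TLD) see "
                 "https://www.ietf.org/rfc/rfc2821.txt and https://www.ietf.org/rfc/rfc1912.txt")


def parse_iana_list(text):
    """Lower-cased TLDs in file order; comment and blank lines dropped."""
    return [l.strip().lower() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def render_tables(tlds, trusted):
    """Return {table name: contents}.  helo table: DUNNO for every real TLD,
    then one catch-all REJECT so a HELO under a non-existent TLD is refused.
    tld table: DUNNO for trusted TLDs, REJECT with the SPF hint for the rest.
    DUNNO rather than OK so the remaining smtpd restrictions (SPF/DNSWL
    checks) still get to run."""
    helo = [f"/\\.{t}$/ DUNNO" for t in sorted(tlds)] + [HELO_CATCHALL]
    tld = [f"/\\.{t}$/ DUNNO" if t in trusted
           else f"/\\.{t}$/ REJECT Spam-TLD (SPF Required: .{t} - see {SPF_HINT})"
           for t in sorted(tlds)]
    return {"blacklist_helo.cf": "\n".join(helo) + "\n",
            "blacklist_tld.cf": "\n".join(tld) + "\n"}


def diff_report(old_tables, new_tables):
    """Per-table list of added/removed lines, in the style of the cron mail."""
    out = []
    for name in sorted(new_tables):
        old = old_tables.get(name, "").splitlines()
        new = new_tables[name].splitlines()
        delta = [l for l in difflib.unified_diff(old, new, lineterm="", n=0)
                 if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
        if delta:
            out.append(f"UPDATED: /etc/postfix/{name}")
            out.extend("  " + l for l in delta)
    return "\n".join(out)


def update(previous_text, current_text, trusted=TRUSTED):
    """Compare two IANA snapshots; return (added TLDs, removed TLDs, report).
    An empty report means the tables are unchanged and no reload is needed."""
    old, new = parse_iana_list(previous_text), parse_iana_list(current_text)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    report = diff_report(render_tables(old, trusted), render_tables(new, trusted))
    return added, removed, report


if __name__ == "__main__":
    added, removed, report = update(OLD_IANA, NEW_IANA)
    print(f"added: {added}  removed: {removed}\n{report}")
```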



Re: Anyone else just blocking the ".top" TLD?

2016-09-08 Thread Chip M.
On Sat, 09 Jul 2016, jasonsu wrote:
>Fwiw, atm I block all of the following TLDs
...
>men,
..
>That list is auto-generated.  Any & all TLDs that have 
>sent > 100 messages within the last year *AND* have a 

Great approach Jason! :)
".men" just recently appeared in my data, and is not showing up
on that Surbl tld page.

Please do share any more that you notice. :)

".men" is going for as low as $1.49.
It's only appearing in some of my domains, but is running
between about 8% and 34% of their snowshoe spam.
- "Chip"



Re: Anyone else just blocking the ".top" TLD?

2016-07-16 Thread Reindl Harald



On 16.07.2016 at 21:48, Jonathan Nichols wrote:

> I’m just blocking them. .top has been nothing but spam. Looking at my logs, 
> .top accounts for over 90% of the rejected email nowadays.
>
> But I’m just doing it in Postfix and this has been working fine. Any ones that 
> I need to whitelist, I just add to the OK line. The handful of users know about 
> this as well, and are ok with it.
>
> # Permit .us and .ca TLDs
> /\.us$/ OK  
> /\.ca$/ OK
> /\.jobs$/   OK  # .jobs is mostly legit


that's pure nonsense because you skip anything below with "OK"
what you want here is DUNNO - means "make no decision at this point"





Re: Anyone else just blocking the ".top" TLD?

2016-07-16 Thread jasonsu


On Sat, Jul 16, 2016, at 12:48 PM, Jonathan Nichols wrote:
> I’m just blocking them. .top has been nothing but spam. Looking at my logs, 
> .top accounts for over 90% of the rejected email nowadays.

you can of course do what you want, but IMO it bears mention for others' 
awareness that

# Block two letter TLDs.
/\.[a-z][a-z]$/ REJECT Spam 

is, in effect

# Block every country's email
/\.[a-z][a-z]$/ REJECT mail from every A2 (ISO) country code

Here's a pretty complete list

http://www.worldatlas.com/aatlas/ctycodes.htm A2 (ISO)



Re: Anyone else just blocking the ".top" TLD?

2016-07-16 Thread Jonathan Nichols
>> 
>> On Wed, Apr 27, 2016 at 5:39 PM, @lbutlr  wrote:
>> On Apr 27, 2016, at 2:06 PM, Olivier Coutu  wrote:
>> > I have affected a hefty penalty in SA to any mail that comes from one of 
>> > these TLDs:
>> >
>> > (party|science|click|link|faith|racing|win|zip|review|country|kim|cricket|work|gq|date|lol|top|download|space|site|online)
>> 
>> Are you doing this with the cooperation of Amavis?
>> 
>> (I’ve had no luck with adding scoring rules to local.cf that amavis 
>> recognizes.)
>> 
>> --
>> Friends help you move. Real friends help you move bodies.
>> 
>> 


I’m just blocking them. .top has been nothing but spam. Looking at my logs, 
.top accounts for over 90% of the rejected email nowadays.

But I’m just doing it in Postfix and this has been working fine. Any ones that 
I need to whitelist, I just add to the OK line. The handful of users know about 
this as well, and are ok with it.

# Permit .us and .ca TLDs
/\.us$/     OK
/\.ca$/     OK
/\.jobs$/   OK  # .jobs is mostly legit

# Block TLDs of 4 characters or more (the dot must be escaped, or the
# pattern matches any trailing run of 4+ letters).
/\.[a-z]{4,20}$/ REJECT Spam

# Block two letter TLDs.
/\.[a-z][a-z]$/ REJECT Spam

# Block .top
/\.top$/    REJECT  # Useless TLD full of spam

Re: Anyone else just blocking the ".top" TLD?

2016-07-16 Thread Reindl Harald



On 16.07.2016 at 16:43, Max Watkins aka Maciej Hryckiewicz wrote:

> What will be best approach to block it in EXIM ?
> Ack rule with lookup in text file ?
> How would you prevent legit domain from being blocked for example block
> .book but not book.com?


http://www.gossamer-threads.com/lists/exim/users/98599





Re: Anyone else just blocking the ".top" TLD?

2016-07-16 Thread Antony Stone
On Saturday 16 July 2016 at 16:43:00, Max Watkins aka Maciej Hryckiewicz 
wrote:

> What will be best approach to block it in EXIM ?
> Ack rule with lookup in text file ?

Good plan.  Here's what I found from a Google search for "exim block domain":

https://www.tekovic.com/exim-acl-for-blocking-certain-senders

> How would you prevent legit domain from being blocked for example block
> .book but not book.com?

Should be obvious from the above guide.


Regards,


Antony.

> > On Apr 28, 2016, at 12:40 AM, Sergio wrote:
> > 
> > This is what I block:
> > (bid|book|click|club|cricket|date|democrat|directory|download|faith|help|
> > link|ninja|party|press|pro|racing|reviews?|rocks|science|site|social|spac
> > e|top|uno|webcam|website|work|win|xyz)
> > 
> > I will add some from what you have posting, thanks.
> > 
> > Sergio
> > 
> >> On Wed, Apr 27, 2016 at 5:39 PM, @lbutlr wrote:
> >> 
> >> On Apr 27, 2016, at 2:06 PM, Olivier Coutu wrote:
> >> > I have affected a hefty penalty in SA to any mail that comes from one
> >> > of these TLDs:
> >> > 
> >> > (party|science|click|link|faith|racing|win|zip|review|country|kim|cric
> >> > ket|work|gq|date|lol|top|download|space|site|online)
> >> 
> >> Are you doing this with the cooperation of Amavis?
> >> 
> >> (I’ve had no luck with adding scoring rules to local.cf that amavis
> >> recognizes.)

-- 
"If I've told you once, I've told you a million times - stop exaggerating!"

   Please reply to the list;
 please *don't* CC me.


Re: Anyone else just blocking the ".top" TLD?

2016-07-16 Thread Max Watkins aka Maciej Hryckiewicz
What will be the best approach to block it in Exim?
An ACL rule with a lookup in a text file?
How would you prevent a legit domain from being blocked, for example block .book 
but not book.com?

Thanks,
Max 

> On Apr 28, 2016, at 12:40 AM, Sergio  wrote:
> 
> This is what I block:
> (bid|book|click|club|cricket|date|democrat|directory|download|faith|help|link|ninja|party|press|pro|racing|reviews?|rocks|science|site|social|space|top|uno|webcam|website|work|win|xyz)
> 
> 
> I will add some from what you have posted, thanks.
> 
> Sergio
> 
>> On Wed, Apr 27, 2016 at 5:39 PM, @lbutlr  wrote:
>> On Apr 27, 2016, at 2:06 PM, Olivier Coutu  wrote:
>> > I have affected a hefty penalty in SA to any mail that comes from one of 
>> > these TLDs:
>> >
>> > (party|science|click|link|faith|racing|win|zip|review|country|kim|cricket|work|gq|date|lol|top|download|space|site|online)
>> 
>> Are you doing this with the cooperation of Amavis?
>> 
>> (I’ve had no luck with adding scoring rules to local.cf that amavis 
>> recognizes.)
>> 
>> --
>> Friends help you move. Real friends help you move bodies.
>> 
> 


Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Jari Fredriksson
jaso...@mail-central.com wrote on 9.7.2016 18:41:
> With what's left, I'm "99% sure(tm)" I could probably run my server on
> an RPi  ;-)
> 
> Bottom line is, it costs me less time, resource & effort, and my users
> are happy.  Which makes me happy.

O.o

That's what I do. Agreed, the front end nowadays is a VPS on the Internet and
is powered by some Xeon vcpu, but the back end(s) doing SA & ClamAV &
maildrop & Dovecot Sieve are run on an Rpi2.

The thing is that an Rpi2 or 3 is as powerful as some 2005
Proliant that I also have. The difference is that the Proliant sleeps 20 hours a
day while the Rpi(s) are always on and wake up the said Proliant plus a
Core i7 plus a Google Cloud VM for RuleQA masscheck plus what not.

That is all the end result of my 2014 project for minimizing the
electricity bills ;)

(And my email is quite much: I have quite an amount of ruleqa masscheck
ham corpus!)

-- 
Jari Fredriksson
Bitwell Oy
+358 400 779 440
ja...@bitwell.biz
https://www.bitwell.biz - cost effective hosting and security for
ecommerce


Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread jasonsu


On Sat, Jul 9, 2016, at 08:28 AM, Groach wrote:
> But that said, in fairness, of all the spam we do receive, from what I 
> can tell, is already handled and dealt with by the usual DNSBL, SURBLs 
> and spamassassin (with SPF and DKIM checking encompassed).  I've never 
> had to use/block these TLDs and, in fact, I can't actually say that I 
> have ever seen one, genuine or otherwise (other than our accountant of 
> course).

Generally, agreed.  Though every once in awhile, a few would sneak through -- 
afaict, not YET on one of the major DNSBLs (guess I've got the 'privilege' of 
being an early send target ).

Blocking the TLDs simply reduces the load even further -- no lookups, no A/V or 
SA processing, nada.  Just dropped into a hole early.

For my use, there's no harm done to my end.  And I'll sure admit to getting 
satisfaction by not supporting the TLD-hawking parasites :-)

With what's left, I'm "99% sure(tm)" I could probably run my server on an RPi  
;-)

Bottom line is, it costs me less time, resource & effort, and my users are 
happy.  Which makes me happy.


Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Groach
Correction: Sorry, I was wrong.  Our accountant uses ".accountants"  (I 
just checked).


When I first read the list of TLDs being blocked by default my first 
thought was "Yeah, quite right too".  I've never liked the idea of these 
new TLDs when they were introduced and think they would only ever be 
used for non-genuine use as genuine businesses would never use them.  
(That's why I was surprised our accountant chose to move to one).


But that said, in fairness, of all the spam we do receive, from what I 
can tell, is already handled and dealt with by the usual DNSBL, SURBLs 
and spamassassin (with SPF and DKIM checking encompassed).  I've never 
had to use/block these TLDs and, in fact, I can't actually say that I 
have ever seen one, genuine or otherwise (other than our accountant of 
course).






On 09/07/2016 17:15, jaso...@mail-central.com wrote:

> On Sat, Jul 9, 2016, at 07:52 AM, Groach wrote:
>
>> Our accountants are actually using '.account' TLD and they are a very reputable 
>> business. A surprise when they changed to it, maybe, but change to it they did.
>
> My stats provide all the 'evidence' I need.  So far, it seems I'm not auto-blocking 
> "*.account" ...
>
> And, like I said, "YMMV".
>
> Personally, I find that holding people to account for their actions & decisions 
> in 'email-land' is a pretty good strategy.  That includes 'reputable businesses' 
> choosing to move  into a 'bad neighborhood', particularly if they haven't done 
> their homework first.
>
> SA plus SPF/DKIM/DMARC, and a good set of DNSBLs helps immensely.  Add to that some 
> "This is obviously a sewer" heuristic decisions about TLDs, and my spam 
> leak-thru rate is miniscule.
>
> Then again, I can choose to do that, as I'm not an ISP providing freemail with 
> more holes than a colander to the unwashed ...




Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread jasonsu
On Sat, Jul 9, 2016, at 07:52 AM, Groach wrote:
> Our accountants are actually using '.account' TLD and they are a very 
> reputable business. A surprise when they changed to it, maybe, but change to 
> it they did.

My stats provide all the 'evidence' I need.  So far, it seems I'm not 
auto-blocking "*.account" ...

And, like I said, "YMMV".

Personally, I find that holding people to account for their actions & decisions 
in 'email-land' is a pretty good strategy.  That includes 'reputable 
businesses' choosing to move  into a 'bad neighborhood', particularly if they 
haven't done their homework first.

SA plus SPF/DKIM/DMARC, and a good set of DNSBLs helps immensely.  Add to that 
some "This is obviously a sewer" heuristic decisions about TLDs, and my spam 
leak-thru rate is miniscule.

Then again, I can choose to do that, as I'm not an ISP providing freemail with 
more holes than a colander to the unwashed ... 


Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Groach
Our accountants are actually using '.account' TLD and they are a very reputable 
business. A surprise when they changed to it, maybe, but change to it they did.

On 9 July 2016 16:32:51 CEST, jaso...@mail-central.com wrote:
>
>
>On Sat, Jul 9, 2016, at 07:14 AM, Chip M. wrote:
>> Thanks for all the lists and references, everyone! :)
>
>Fwiw, atm I block all of the following TLDs
>
>   accountant, accountants, adult, aero, agency, apartments, app, asia,
>associates, audio, baby, bargains, bid, bike, bingo, blog, boutique,
>builders, business, cab, cafe, cam, camera, camp, capital, cards, care,
>careers, cash, casino, catering, center, charity, chat, cheap, church,
>city, claims, cleaning, click, clinic, clothing, club, coach, codes,
>coffee, community, company, computer, condos, construction,
>contractors, cool, country, coupons, credit, creditcard, cricket,
>cruises, date, dating, deals, delivery, dental, diamonds, digital,
>direct, directory, discount, dog, domains, dot, download, email,
>energy, engineering, enterprises, equipment, estate, events, exchange,
>expert, exposed, express, fail, faith, farm, finance, financial, fish,
>fitness, flights, florist, football, foundation, fund, furniture, fyi,
>gallery, game, games, gifts, glass, gmbh, gold, golf, gq, graphics,
>gratis, gripe, group, guide, guru, healthcare, hockey, holdings,
>holiday, host, hotel, house, immo, industries, institute, insure,
>international, investments, jewelry, kim, kitchen, la, land, lease,
>legal, lgbt, life, lighting, limited, limo, link, loan, loans, ltd,
>maison, management, marketing, mba, media, memorial, men, mobi, money,
>movie, museum, music, network, news, ninja, online, partners, parts,
>party, photography, photos, pictures, pizza, place, plumbing, plus,
>porn, pro, productions, properties, pw, racing, realestate, recipes,
>reise, reisen, rentals, repair, report, restaurant, review, rocks,
>rodeo, rugby, run, salon, sarl, school, schule, science, search,
>services, sexy, shoes, shop, shop, shopping, show, singles, soccer,
>solar, solutions, space, sport, stream, style, sucks, supplies, supply,
>support, surgery, systems, tax, taxi, team, tech, technology, tennis,
>theater, tienda, tips, tires, today, tools, top, tours, town, toys,
>trade, training, tv, uno, vacations, ventures, viajes, villas, vin,
>vision, voyage, watch, webcam, website, win, wine, work, works, world,
>wtf, xxx, xyz, zip
>
>That list is auto-generated.  Any & all TLDs that have sent > 100
>messages within the last year *AND* have a spam/reject rate >= 99% get
>blocked by TLD, never get past by mail server's 'edge', and don't
>impose any further load on my server.
>
>Afaict, I've *never* seen a legitimate &/or opted-in email from any of
>them.
>
>Couldn't be happier!
>
>YMMV.


Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread jasonsu


On Sat, Jul 9, 2016, at 07:14 AM, Chip M. wrote:
> Thanks for all the lists and references, everyone! :)

Fwiw, atm I block all of the following TLDs

accountant, accountants, adult, aero, agency, apartments, app, asia, 
associates, audio, baby, bargains, bid, bike, bingo, blog, boutique, builders, 
business, cab, cafe, cam, camera, camp, capital, cards, care, careers, cash, 
casino, catering, center, charity, chat, cheap, church, city, claims, cleaning, 
click, clinic, clothing, club, coach, codes, coffee, community, company, 
computer, condos, construction, contractors, cool, country, coupons, credit, 
creditcard, cricket, cruises, date, dating, deals, delivery, dental, diamonds, 
digital, direct, directory, discount, dog, domains, dot, download, email, 
energy, engineering, enterprises, equipment, estate, events, exchange, expert, 
exposed, express, fail, faith, farm, finance, financial, fish, fitness, 
flights, florist, football, foundation, fund, furniture, fyi, gallery, game, 
games, gifts, glass, gmbh, gold, golf, gq, graphics, gratis, gripe, group, 
guide, guru, healthcare, hockey, holdings, holiday, host, hotel, house, immo, 
industries, institute, insure, international, investments, jewelry, kim, 
kitchen, la, land, lease, legal, lgbt, life, lighting, limited, limo, link, 
loan, loans, ltd, maison, management, marketing, mba, media, memorial, men, 
mobi, money, movie, museum, music, network, news, ninja, online, partners, 
parts, party, photography, photos, pictures, pizza, place, plumbing, plus, 
porn, pro, productions, properties, pw, racing, realestate, recipes, reise, 
reisen, rentals, repair, report, restaurant, review, rocks, rodeo, rugby, run, 
salon, sarl, school, schule, science, search, services, sexy, shoes, shop, 
shop, shopping, show, singles, soccer, solar, solutions, space, sport, stream, 
style, sucks, supplies, supply, support, surgery, systems, tax, taxi, team, 
tech, technology, tennis, theater, tienda, tips, tires, today, tools, top, 
tours, town, toys, trade, training, tv, uno, vacations, ventures, viajes, 
villas, vin, vision, voyage, watch, webcam, website, win, wine, work, works, 
world, wtf, xxx, xyz, zip

That list is auto-generated.  Any & all TLDs that have sent > 100 messages 
within the last year *AND* have a spam/reject rate >= 99% get blocked by TLD, 
never get past by mail server's 'edge', and don't impose any further load on my 
server.

Afaict, I've *never* seen a legitimate &/or opted-in email from any of them.

Couldn't be happier!

YMMV.
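The selection rule stated above (more than 100 messages from a TLD in the window and a spam/reject rate of at least 99%) as an added Python example; this is not the poster's own generator. The delivery records are constructed (sender domain, outcome) pairs and deliberately include the boundary cases: a TLD with exactly 100 messages is not blocked because the volume test is strict, and one with 100 of 101 messages bad just clears 99%. The threshold and function names are mine.

```python
"""
Derive a TLD block list from per-message outcomes: block a TLD once it has
sent more than MIN_MESSAGES messages and at least MIN_BAD_RATE of them were
spam or rejected. Added example; records below are constructed.
"""
from collections import defaultdict

MIN_MESSAGES = 100     # volume floor: strictly more than this many messages
MIN_BAD_RATE = 0.99    # share of messages that were spam or rejected
BAD_OUTCOMES = {"spam", "reject"}


def tld_of(domain):
    """Last label of a domain, lower-cased ('mail.example.top' -> 'top')."""
    return domain.rsplit(".", 1)[-1].lower()


def tally_by_tld(records):
    """Map each TLD to [total messages, spam-or-rejected messages]."""
    stats = defaultdict(lambda: [0, 0])
    for domain, outcome in records:
        entry = stats[tld_of(domain)]
        entry[0] += 1
        if outcome in BAD_OUTCOMES:
            entry[1] += 1
    return stats


def blocked_tlds(records, min_messages=MIN_MESSAGES, min_bad_rate=MIN_BAD_RATE):
    """TLDs that exceed the volume floor and meet the bad-rate threshold."""
    return sorted(tld for tld, (total, bad) in tally_by_tld(records).items()
                  if total > min_messages and bad / total >= min_bad_rate)


def as_alternation(tlds):
    """Render the list as the regex alternation used in the maps on this thread."""
    return "(" + "|".join(tlds) + ")"


def sample_records():
    """Constructed traffic illustrating each edge of the rule."""
    recs = []
    recs += [(f"a{i}.top", "reject") for i in range(500)]                              # high volume, 100% bad
    recs += [(f"b{i}.email", "spam" if i < 100 else "delivered") for i in range(101)]  # 100/101 = 99.01%
    recs += [(f"c{i}.click", "spam") for i in range(100)]                              # exactly 100: not > 100
    recs += [(f"d{i}.xyz", "spam" if i < 195 else "delivered") for i in range(200)]    # 97.5%: below rate
    recs += [(f"e{i}.stream", "spam") for i in range(50)]                              # too few to judge
    recs += [(f"f{i}.com", "spam" if i < 300 else "delivered") for i in range(1000)]   # mostly ham
    return recs


if __name__ == "__main__":
    print(as_alternation(blocked_tlds(sample_records())))  # (email|top)
```

Lowering the volume floor changes the answer: at `min_messages=40` the .click and .stream samples qualify too, which is why the threshold is the knob to watch when adopting a rule like this.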


Re: Anyone else just blocking the ".top" TLD?

2016-07-09 Thread Chip M.
Thanks for all the lists and references, everyone! :)

+1 on block-by-default combined with "skips" for the VERY rare
exceptions.
I'm scoring (poison pill level), not gateway blocking (more about
that in a later post).

*** New Snow TLD sighting:
Since June 30, the TLD ".stream" has been snowballing, and 
now (in my data) is occurring at a greater volume than ".top".
As of July 7, it's present in more than half of _ALL_ my
snowshoe spam.

While researching it, I found this handy "Cheapest Domain
Prices" site:
https://www.domcomp.com/tld/stream
https://www.domcomp.com/tld/top
The ever-anti-reliable NameCheap is beating the pack at $0.88 per
.stream domain (same as their price for .top), so I expect the
popularity of .stream to continue.
- "Chip"




Re: Anyone else just blocking the ".top" TLD?

2016-04-28 Thread Sergio
This is what I block:
(bid|book|click|club|cricket|date|democrat|directory|download|faith|help|link|ninja|party|press|pro|racing|reviews?|rocks|science|site|social|space|top|uno|webcam|website|work|win|xyz)


I will add some from what you have posted, thanks.

Sergio

On Wed, Apr 27, 2016 at 5:39 PM, @lbutlr  wrote:

> On Apr 27, 2016, at 2:06 PM, Olivier Coutu 
> wrote:
> > I have affected a hefty penalty in SA to any mail that comes from one of
> these TLDs:
> >
> >
> (party|science|click|link|faith|racing|win|zip|review|country|kim|cricket|work|gq|date|lol|top|download|space|site|online)
>
> Are you doing this with the cooperation of Amavis?
>
> (I’ve had no luck with adding scoring rules to local.cf that amavis
> recognizes.)
>
> --
> Friends help you move. Real friends help you move bodies.
>
>


Re: Anyone else just blocking the ".top" TLD?

2016-04-27 Thread @lbutlr
On Apr 27, 2016, at 2:06 PM, Olivier Coutu  wrote:
> I have affected a hefty penalty in SA to any mail that comes from one of 
> these TLDs:
> 
> (party|science|click|link|faith|racing|win|zip|review|country|kim|cricket|work|gq|date|lol|top|download|space|site|online)

Are you doing this with the cooperation of Amavis?

(I’ve had no luck with adding scoring rules to local.cf that amavis recognizes.)

-- 
Friends help you move. Real friends help you move bodies.



Re: Anyone else just blocking the ".top" TLD?

2016-04-27 Thread Olivier Coutu
I have affected a hefty penalty in SA to any mail that comes from one of 
these TLDs:


(party|science|click|link|faith|racing|win|zip|review|country|kim|cricket|work|gq|date|lol|top|download|space|site|online)

.xyz used to be on the list but I have started seeing more legitimate 
traffic from there.


Domains are being added and removed as new TLDs are added or 
false-positives are detected.


On 2016-04-27 15:57, Vincent Fox wrote:

> The ".top" subject reminded me to go check my stats since April 1st.
> Yes indeedy .top is on TOP by a mile!  Rejecting over 2 million!
> ICANN should shut them down or do SOMETHING.
>
> I bow my head only for the shattered ruins of .science.
>
> 2013500 top
>  627059 download
>  400169 (assorted specific rejections)
>  277597 date
>  254568 science
>  148238 xyz
>   49299 pro
>   26324 bid
>   22645 tk
>   22456 website
>   14679 email
>   11988 link
>    8490 uno
>    8306 win
>    6463 trade
>    6153 click
>    4855 ninja
>    3087 review
>    2517 club
>    1566 pw
>
>
> From: Reindl Harald <h.rei...@thelounge.net>
> Sent: Tuesday, April 26, 2016 2:55:46 AM
> To: users@spamassassin.apache.org
> Subject: Re: Anyone else just blocking the ".top" TLD?
>
> On 26.04.2016 at 11:23, Heinrich Boeder wrote:
>> Hi,
>>
>>> On Apr 21, 2016, at 3:43 PM, Vincent Fox <vb...@ucdavis.edu> wrote:
>>>> Recently seeing increase in spam from these gTLD:
>>>>
>>>> pro
>>>> bid
>>>> trade
>>
>> I didn't see any spam from .pro, .bid or .trade gTLDs either. I was just
>> wondering if it doesn't make more sense to just give those domains a
>> higher score in SA instead of blocking them right away with an MTA based
>> REJECT Policy
>
> just enforce SPF in the MTA with a clear reject message as first step
>
> we do that for all new gTLDs for a long time now, automated by fetching the
> current list from IANA every 24 hours and writing MTA configs
>
>    check_policy_service unix:private/spf-policy
>    check_sender_access proxy:pcre:/etc/postfix/blacklist_tld.cf





Re: Anyone else just blocking the ".top" TLD?

2016-04-27 Thread Vincent Fox
The ".top" subject reminded me to go check my stats since April 1st.
Yes indeedy .top is on TOP by a mile!  Rejecting over 2 million!
ICANN should shut them down or do SOMETHING.

I bow my head only for the shattered ruins of .science.

2013500 top
 627059 download
 400169  (assorted specific rejections)
 277597 date
 254568 science
 148238 xyz
  49299 pro
  26324 bid
  22645 tk
  22456 website
  14679 email
  11988 link
   8490 uno
   8306 win
   6463 trade
   6153 click
   4855 ninja
   3087 review
   2517 club
   1566 pw


From: Reindl Harald <h.rei...@thelounge.net>
Sent: Tuesday, April 26, 2016 2:55:46 AM
To: users@spamassassin.apache.org
Subject: Re: Anyone else just blocking the ".top" TLD?

On 26.04.2016 at 11:23, Heinrich Boeder wrote:
> Hi,
>
>> On Apr 21, 2016, at 3:43 PM, Vincent Fox <vb...@ucdavis.edu> wrote:
>>> Recently seeing increase in spam from these gTLD:
>>>
>>> pro
>>> bid
>>> trade
>
> I didn't see any spam from .pro, .bid or .trade gTLDs either. I was just
> wondering if it doesn't make more sense to just give those domains a
> higher score in SA instead of blocking them right away with an MTA based
> REJECT Policy

just enforce SPF in the MTA with a clear reject message as first step

we do that for all new gTLDs for a long time now, automated by fetching the
current list from IANA every 24 hours and writing MTA configs

  check_policy_service unix:private/spf-policy
  check_sender_access proxy:pcre:/etc/postfix/blacklist_tld.cf



Re: Anyone else just blocking the ".top" TLD?

2016-04-26 Thread Reindl Harald


On 26.04.2016 at 11:23, Heinrich Boeder wrote:

> Hi,
>
>> On Apr 21, 2016, at 3:43 PM, Vincent Fox  wrote:
>>
>>> Recently seeing increase in spam from these gTLD:
>>>
>>> pro
>>> bid
>>> trade
>
> I didn't see any spam from .pro, .bid or .trade gTLDs either. I was just
> wondering if it doesn't make more sense to just give those domains a
> higher score in SA instead of blocking them right away with an MTA based
> REJECT Policy


just enforce SPF in the MTA with a clear reject message as first step

we do that for all new gTLDs for a long time now, automated by fetching the 
current list from IANA every 24 hours and writing MTA configs


 check_policy_service unix:private/spf-policy
 check_sender_access proxy:pcre:/etc/postfix/blacklist_tld.cf





Re: Anyone else just blocking the ".top" TLD?

2016-04-26 Thread Heinrich Boeder

Hi,


> On Apr 21, 2016, at 3:43 PM, Vincent Fox  wrote:
>
>> Recently seeing increase in spam from these gTLD:
>>
>> pro
>> bid
>> trade


I didn't see any spam from .pro, .bid or .trade gTLDs either. I was just 
wondering if it doesn't make more sense to just give those domains a 
higher score in SA instead of blocking them right away with an MTA based 
REJECT Policy.


- heinrich

heinr...@heinrichboeder.com -- www.heinrichboeder.com
key: 0xC15DAD56 -- 363D 5BC3 9C45 9D09 3D78  1C28 DB68 F047 C15D AD56


Re: Anyone else just blocking the ".top" TLD?

2016-04-26 Thread @lbutlr
On Apr 21, 2016, at 3:43 PM, Vincent Fox  wrote:
> Recently seeing increase in spam from these gTLD:
> 
> pro
> bid
> trade

I haven’t seen .pro myself, and all the .trade and .bid attempts have hit zen 
and been rejected in postscreen before the DATA connection is even established.

-- 
Everything that was magical was just a way of describing the world in
words it couldn't ignore.



Re: Anyone else just blocking the ".top" TLD?

2016-04-21 Thread Vincent Fox
Resurrecting thread

Recently seeing increase in spam from these gTLD:

pro
bid
trade

I'm adding them to my reject list,  do with this information what you will.

-hth


Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Thomas Cameron
On 03/28/2016 05:23 AM, Reindl Harald wrote:
> 
> 
> On 28.03.2016 at 05:24, Bill Cole wrote:
>> On 27 Mar 2016, at 21:58, Thomas Cameron wrote:
>>
>>> Has anyone actually gotten a single legit message from that domain?
>>
>> IMHO we're close to the point where it will make sense to make email
>> default-deny and to build standard protocols for senders to be returned
>> to the traditional trust model on a domainwise basis for each receiving
>> system or domain. The authentication methods already exist, there just
>> isn't enough adoption (for some good reasons) and we don't have usable
>> authorization models
> 
> what we do is:
> 
> * reject every non-existent tld
> * download http://data.iana.org/TLD/tlds-alpha-by-domain.txt daily
> * if new domains arrived allow them as sender/helo in theory
> * BUT blacklist_tld.cf comes after the spf-policyd
> * old gTLD and ccTLD are excluded here
> * some special friends like .top and *.xyz* are in their own sender-access
>   and even in an unconditional helo-reject
> 
>  Forwarded Message 
> Subject: Cron  update-spamfilter.sh
> Date: Sat, 26 Mar 2016 02:40:03 +0100 (CET)
> From: (Cron Daemon)
> UPDATED: /etc/postfix/blacklist_generic_ptr.cf
> 1145a1146
>> /.*\.ally$/ DUNNO
> 1189a1191
>> /.*\.barefoot$/ DUNNO
> -
> UPDATED: /etc/postfix/blacklist_helo.cf
> 44a45
>> /.*\.ally$/ DUNNO
> 88a90
>> /.*\.barefoot$/ DUNNO
> -
> UPDATED: /etc/postfix/blacklist_tld.cf
> 22a23
>> /.*\.ally$/ REJECT Spam-TLD (SPF Required: .ally - see
> http://en.wikipedia.org/wiki/Sender_Policy_Framework)
> 51a53
>> /.*\.barefoot$/ REJECT Spam-TLD (SPF Required: .barefoot - see
> http://en.wikipedia.org/wiki/Sender_Policy_Framework)
> -
> 
> OK: /usr/bin/systemctl reload postfix.service
> 

Wow! I almost didn't post this, I figured I'd get yelled at for such a
heavy-handed approach. Thanks for letting me know I'm not completely nuts.

Well, at least not as regards to this particular subject! :-)

Thomas





Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Bill Cole
On 28 Mar 2016, at 15:06, Vincent Fox wrote:

> Whoops, list truncated.  Continuing
>
> From:work                     REJECT
> From:cricket                  REJECT
> From:xn--plai                 REJECT
> From:review                   REJECT
> From:country                  REJECT
> From:kim                      REJECT
> From:science                  REJECT
> From:party                    REJECT
> From:gq                       REJECT
> From:top                      REJECT
> From:uno                      REJECT
> From:win                      REJECT
> From:download                 REJECT
> From:tk                       REJECT
> From:pw                       REJECT
> From:international            REJECT
> From:slice.international      OK
> From:date                     REJECT
>
> Backtracking.  I did have a SINGLE complaint about blocking
> the gTLD .international, thus accept email from slice.international.

Yeah, one more: .science is a shattered ruin.

Nope, I'm not crying at all. Why would I be?


Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Vincent Fox



On 03/28/2016 12:35 PM, Reindl Harald wrote:

> nothing easier than that with postfix, just start with.


I wish my EDU was cool with Postfix or Exim.

However our routing pool is Sendmail, and the PHB here are
determined to "upgrade" to Proofpoint which is Sendmail based.




Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread shanew

On Mon, 28 Mar 2016, Vincent Fox wrote:

> On 03/27/2016 06:58 PM, Thomas Cameron wrote:
>
>> Has anyone actually gotten a single legit message from that domain?
>
> Never. WTF was ICANN thinking?
>
> I occasionally go through the lists of abused gTLD here:
> http://www.surbl.org/tld/


Thanks for that link.  If there were a nice source for how many total
domains were in each TLD you could calculate a useful signal to noise
ratio.

I was recently surprised when I had a user complain that a known
correspondent with a .xyz TLD was being blocked by our filter.  I
added a whitelist entry in the user's settings, but also explained
that the domain was _the_ primary reason it was blocked because all we
ever see from it is spam.

So apparently there are some legit (if clueless) users of some of
these TLDs.


--
Public key #7BBC68D9 at| Shane Williams
http://pgp.mit.edu/|  System Admin - UT CompSci
=--+---
All syllogisms contain three lines |  sha...@shanew.net
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew


Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Reindl Harald



On 28.03.2016 at 21:02, Vincent Fox wrote:

> On 03/27/2016 06:58 PM, Thomas Cameron wrote:
>
>> Has anyone actually gotten a single legit message from that domain?
>
> Never. WTF was ICANN thinking?
>
> I occasionally go through the lists of abused gTLD here:
> http://www.surbl.org/tld/
>
> It certainly saves a lot of hygiene processing time to just dump
> this garbage at the outset.
>
> Now that I think about it, a default block for "fresh" gTLD would be nice


nothing easier than that with postfix, just start with DUNNO for what you 
want to accept and add "check_sender_access 
pcre:/etc/postfix/blacklist_tld.cf" to your restrictions


we split here even into two regex-files, one before and one after the 
spf-policyd, while the one after the spf test clearly states in the 
reject text that SPF is required to use it


that can be re-used for PTR and HELO tests too

you need to list the "old" TLDs with DUNNO rules before the reject, 
stripped that here because the list is long, see 
http://data.iana.org/TLD/tlds-alpha-by-domain.txt and there was also 
some list which has a column stating if it is a country-domain and so on


[admin@mail-gw:~]$ cat /etc/postfix/blacklist_tld.cf
/.*\.(com|net|at|ch|org|de|uk|us|info|biz|eu|edu|gov|wien|asia|bio|global|life|name|pro|city|country|international|science|travel|agency|immobilien)$/ DUNNO

/.*\.*/ REJECT Prohibited Domain (Invalid TLD)
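The two-line map above also answers the Exim question raised earlier in this thread (how to block .book without blocking book.com): the allow rule is anchored with `$` on the final label, so only the TLD is compared and `book.com` passes while `anything.book` falls through to the catch-all REJECT. The following Python is an added example, not Reindl's update-spamfilter.sh or any project's code: it builds a map of the same shape, looks a sender up the way Postfix evaluates a pcre: table (first matching line wins, matching is case-insensitive, the key is the full envelope sender address), and lists which TLDs from an IANA-format file are not on the allow-list, which is the daily "new arrivals" step described above. The allowed TLDs are copied from the map above; the IANA excerpt is constructed; the function names are mine.

```python
"""
Generate and evaluate a Postfix check_sender_access PCRE map with an explicit
allow-list and a catch-all reject. Added example; the IANA excerpt is a
constructed stand-in for http://data.iana.org/TLD/tlds-alpha-by-domain.txt.
"""
import re

# TLDs the quoted map lets through (DUNNO = no decision; later restrictions apply).
ALLOWED_TLDS = (
    "com", "net", "at", "ch", "org", "de", "uk", "us", "info", "biz", "eu",
    "edu", "gov", "wien", "asia", "bio", "global", "life", "name", "pro",
    "city", "country", "international", "science", "travel", "agency",
    "immobilien",
)

# Constructed excerpt in the IANA file's format: a '#' version line, then one
# upper-case TLD per line.
IANA_EXCERPT = """\
# Version 2016032600, Last Updated Sat Mar 26 07:07:01 2016 UTC
ALLY
BAREFOOT
BOOK
COM
DE
TOP
XYZ
"""


def parse_iana_list(text):
    """Return the TLDs in an IANA list file, lower-cased, comment lines skipped."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")]


def new_tlds(iana_text, allowed=ALLOWED_TLDS):
    """TLDs present in the IANA list but not on the allow-list."""
    return sorted(set(parse_iana_list(iana_text)) - set(allowed))


def build_pcre_map(allowed=ALLOWED_TLDS, reject_text="Prohibited Domain (Invalid TLD)"):
    """Two-rule map: anchored allow-list first, catch-all reject second."""
    alts = "|".join(sorted(set(allowed)))
    return (f"/.*\\.({alts})$/ DUNNO\n"
            f"/.*\\.*/ REJECT {reject_text}\n")


# One map line has the form  /pattern/flags action
PCRE_LINE = re.compile(r"^/(?P<pat>(?:\\.|[^/])*)/(?P<flags>[a-z]*)\s+(?P<action>.+)$")


def lookup(map_text, sender):
    """Emulate a pcre: table lookup: the first matching line's action wins.

    Postfix matches case-insensitively by default; per-line flags are not
    interpreted here, which is enough for the two-rule map above.
    """
    for line in map_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PCRE_LINE.match(line)
        if not m:
            raise ValueError(f"malformed map line: {line!r}")
        if re.search(m.group("pat"), sender, re.IGNORECASE):
            return m.group("action")
    return "DUNNO"  # nothing matched: the table has no opinion


if __name__ == "__main__":
    table = build_pcre_map()
    print(table)
    for s in ("alice@book.com", "bob@some.book", "carol@x.top"):
        print(s, "->", lookup(table, s))
    print("not on allow-list:", new_tlds(IANA_EXCERPT))
```

The same `lookup` function serves for testing a HELO or PTR map of the same shape before it is deployed, since the only difference is the key handed to it.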





Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Joe Quinn

On 3/28/2016 3:02 PM, Vincent Fox wrote:
> From:whoswho REJECT 
This is the one that really annoys me. KAM.cf has a 5.0-scored rule 
named exactly that, and there's an entire Wikipedia article on the 
subject! https://en.wikipedia.org/wiki/Who's_Who_scam. It really makes 
ICANN look like they do no research on the TLDs they accept.


Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Vincent Fox



Whoops, list truncated.  Continuing

From:work                     REJECT
From:cricket                  REJECT
From:xn--plai                 REJECT
From:review                   REJECT
From:country                  REJECT
From:kim                      REJECT
From:science                  REJECT
From:party                    REJECT
From:gq                       REJECT
From:top                      REJECT
From:uno                      REJECT
From:win                      REJECT
From:download                 REJECT
From:tk                       REJECT
From:pw                       REJECT
From:international            REJECT
From:slice.international      OK
From:date                     REJECT

Backtracking.  I did have a SINGLE complaint about blocking
the gTLD .international, thus accept email from slice.international.

-hth
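How the specific `From:slice.international OK` entry wins over the broader `From:international REJECT` in a sendmail access map, as an added Python model; this is not the poster's configuration. It assumes sendmail's lookup order for the From: tag (the full address first, then the domain and each parent domain down to the bare TLD, most specific first) and an access file written as key, whitespace, action. The entries are constructed from the list above and the helper names are mine.

```python
"""
Model a sendmail access_db 'From:' lookup: most specific key first, so a
whitelisted domain under a rejected TLD is still accepted. Added example;
the access entries below are constructed.
"""

ACCESS_TEXT = """\
From:international\tREJECT
From:slice.international\tOK
From:date\tREJECT
From:top\tREJECT
From:spammer@example.com\tREJECT
"""


def parse_access(text):
    """Parse 'key action' lines into a dict; keys compare case-insensitively."""
    table = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, action = line.split(None, 1)   # split on the first run of whitespace
        table[key.lower()] = action.strip()
    return table


def lookup_keys(sender):
    """Keys tried for an envelope sender, most specific first.

    'joe@mail.slice.international' -> From:joe@mail.slice.international,
    From:mail.slice.international, From:slice.international, From:international
    """
    local, _, domain = sender.lower().rpartition("@")
    keys = [f"from:{local}@{domain}"] if local else []
    labels = domain.split(".")
    for i in range(len(labels)):
        keys.append("from:" + ".".join(labels[i:]))
    return keys


def decide(table, sender, default="OK"):
    """Action for a sender: the first key present in the table wins."""
    for key in lookup_keys(sender):
        if key in table:
            return table[key]
    return default


if __name__ == "__main__":
    table = parse_access(ACCESS_TEXT)
    for s in ("joe@slice.international", "joe@other.international", "joe@example.com"):
        print(s, "->", decide(table, s))
```

The practical consequence is the one the poster describes: a single `OK` line for the complaining correspondent's domain is enough, and the TLD-wide `REJECT` stays in place for everyone else under it.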


Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Vincent Fox



On 03/27/2016 06:58 PM, Thomas Cameron wrote:

> Has anyone actually gotten a single legit message from that domain?


Never. WTF was ICANN thinking?

I occasionally go through the lists of abused gTLD here:
http://www.surbl.org/tld/

It certainly saves a lot of hygiene processing time to just dump
this garbage at the outset.

Now that I think about it, a default block for "fresh" gTLD would be nice.
I've never had a complaint about these blocks:

From:link                       REJECT
From:website                    REJECT
From:berlin                     REJECT
From:club                       REJECT
From:email                      REJECT
From:guru                       REJECT
From:wang                       REJECT
From:xyz                        REJECT
From:photography                REJECT
From:rocks                      REJECT
From:click                      REJECT
From:xn--czrs0t                 REJECT
From:xn--hxt814e                REJECT
From:xn--flw351e                REJECT
From:xn--qcka1pmc               REJECT
From:xn--45q11c                 REJECT
From:xn--vermgensberatung-pwb   REJECT
From:xn--vermgensberater-ctb    REJECT
From:xn--p1acf                  REJECT
From:xn--vhquv                  REJECT
From:xn--xhq521b                REJECT
From:xn--1qqw23a                REJECT
From:xn--kput3i                 REJECT
From:xn--4gbrim                 REJECT
From:xn--czr694b                REJECT
From:xn--80adxhks               REJECT
From:xn--ses554g                REJECT
From:xn--czru2d                 REJECT
From:xn--rhqv96g                REJECT
From:xn--nqv7f                  REJECT
From:xn--i1b6b1a6a2e            REJECT
From:xn--nqv7fs00ema            REJECT
From:xn--c1avg                  REJECT
From:xn--d1acj3b                REJECT
From:xn--mgbab2bd               REJECT
From:xn--6frz82g                REJECT
From:xn--io0a7i                 REJECT
From:xn--55qx5d                 REJECT
From:xn--fiq64b                 REJECT
From:xn--3bst00m                REJECT
From:xn--6qq986b3xl             REJECT
From:xn--fiq228c5hs             REJECT
From:xn--3ds443g                REJECT
From:xn--55qw42g                REJECT
From:xn--zfr164b                REJECT
From:xn--q9jyb4c                REJECT
From:xn--ngbc5azd               REJECT
From:xn--80asehdb               REJECT
From:xn--80aswg                 REJECT
From:xn--unup4y                 REJECT
From:ninja                      REJECT
From:gripe                      REJECT
From:loans                      REJECT
From:luxury                     REJECT
From:market                     REJECT
From:marketing                  REJECT
From:pink                       REJECT
From:whoswho                    REJECT
From:top                        REJECT




Re: Anyone else just blocking the ".top" TLD?

2016-03-28 Thread Reindl Harald



On 28.03.2016 at 05:24, Bill Cole wrote:

> On 27 Mar 2016, at 21:58, Thomas Cameron wrote:
>
>> Has anyone actually gotten a single legit message from that domain?
>
> IMHO we're close to the point where it will make sense to make email
> default-deny and to build standard protocols for senders to be returned
> to the traditional trust model on a domainwise basis for each receiving
> system or domain. The authentication methods already exist, there just
> isn't enough adoption (for some good reasons) and we don't have usable
> authorization models


what we do is:

* reject every non-existent tld
* download http://data.iana.org/TLD/tlds-alpha-by-domain.txt daily
* if new domains arrived allow them as sender/helo in theory
* BUT blacklist_tld.cf comes after the spf-policyd
* old gTLD and ccTLD are excluded here
* some special friends like .top and *.xyz* are in their own sender-access
  and even in an unconditional helo-reject

 Forwarded Message 
Subject: Cron  update-spamfilter.sh
Date: Sat, 26 Mar 2016 02:40:03 +0100 (CET)
From: (Cron Daemon)
UPDATED: /etc/postfix/blacklist_generic_ptr.cf
1145a1146
> /.*\.ally$/ DUNNO
1189a1191
> /.*\.barefoot$/ DUNNO
-
UPDATED: /etc/postfix/blacklist_helo.cf
44a45
> /.*\.ally$/ DUNNO
88a90
> /.*\.barefoot$/ DUNNO
-
UPDATED: /etc/postfix/blacklist_tld.cf
22a23
> /.*\.ally$/ REJECT Spam-TLD (SPF Required: .ally - see 
http://en.wikipedia.org/wiki/Sender_Policy_Framework)

51a53
> /.*\.barefoot$/ REJECT Spam-TLD (SPF Required: .barefoot - see 
http://en.wikipedia.org/wiki/Sender_Policy_Framework)

-

OK: /usr/bin/systemctl reload postfix.service





Re: Anyone else just blocking the ".top" TLD?

2016-03-27 Thread Bill Cole

On 27 Mar 2016, at 21:58, Thomas Cameron wrote:

> Has anyone actually gotten a single legit message from that domain?


No system I work with ever has. On most of those systems mail from a 
*@*.top envelope sender would need to look quite hammy in other ways to 
be accepted.


Contrary to the hype of the domain huckster industry & their trade org 
ICANN, we have not run low on classical gTLD and ccTLD names. What's in 
short supply are ultra-cheap names offered by naive, spammer-complicit, 
or simply reckless registrars and registries in ways that allow names to 
be registered in huge volumes by spammers who may never even *really* 
pay *anything* for the names they register. The cheaper a domain is to 
register and the easier it is to register it fast and use before 
actually needing to pay for it, the more likely it is to be used for 
spamming. Dumb registrars/registries get abused, smarter ones are 
essentially complicit by pricing new gTLD domains so low for first years 
that it's no big thing for a snowshoe operation to buy them by the 
hundreds or thousands and actually pay the fees, unlike the days when 
some registrars let registrants change their minds on buying domains for 
a few days and get full refunds.


IMHO we're close to the point where it will make sense to make email 
default-deny and to build standard protocols for senders to be returned 
to the traditional trust model on a domainwise basis for each receiving 
system or domain. The authentication methods already exist, there just 
isn't enough adoption (for some good reasons) and we don't have usable 
authorization models.


Re: Anyone else just blocking the ".top" TLD?

2016-03-27 Thread Reindl Harald



On 28.03.2016 at 03:58, Thomas Cameron wrote:

> Has anyone actually gotten a single legit message from that domain?


no

blocked on MTA level for envelope as well as helo filters


