On Wed, 1 Nov 2017, Gary Smith wrote:

We have recently seen a huge uptick in spam from a bunch of different TLDs.  
Bayes has been a little whacky with them as well.  Our install is 3.3.1 (we're 
going to be replacing it soon).

I'm looking to implement a rule that will assign a higher score to specific 
TLDs.  I tried the rule below based upon the guidelines from 
https://wiki.apache.org/spamassassin/WritingRules.  Nothing seems to hit it 
though.

header HS_BAD_DOMAIN From =~ /^\.(top|study|click|party|link|stream|info|trade|bid|xxx)/i
describe HS_BAD_DOMAIN Contains one of the bad domains that commonly spams
score HS_BAD_DOMAIN 0.1 0.1 0.1 0.1

Here is what I have (after adding the ones you list that I don't):

header     FROM_RARE_TLD    From:addr =~ /\.(?:wor(?:k|ld)|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|win|moda|news|online|biz|host|loan|study|click|stream|xxx)$/i
describe   FROM_RARE_TLD    From address in rarely-nonspam TLD
score      FROM_RARE_TLD    3.000

header     REPTO_RARE_TLD   Reply-To =~ /\.(?:wor(?:k|ld)|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|win|moda|news|online|biz|host|loan|study|click|stream|xxx)>?$/i
describe   REPTO_RARE_TLD   Reply-To address in rarely-nonspam TLD
score      REPTO_RARE_TLD   3.000

uri        URI_RARE_TLD     m;://[^/]+\.(?:wor(?:k|ld)|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|win|moda|news|online|biz|host|loan|study|click|stream|xxx)(?:/|$);i
describe   URI_RARE_TLD     URI refers to rarely-nonspam TLD
score      URI_RARE_TLD     3.000


.info has too many legit domains now that I don't think it's justified to block that entire TLD.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 4 days until Daylight Saving Time ends in U.S. - Fall Back
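
Added example (not part of the original message, and not SpamAssassin itself): a Python sketch that applies the regexes from the rules above to constructed headers, showing why the `^\.`-anchored pattern never hits while the `$`-anchored ones do, and that .info stays unmatched. It assumes `email.utils.parseaddr` is a close enough stand-in for `From:addr`; the function name `evaluate` and all sample headers and URIs are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Alternation copied from the FROM_RARE_TLD / REPTO_RARE_TLD / URI_RARE_TLD rules above.
TLDS = (r"(?:wor(?:k|ld)|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|"
        r"faith|review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|"
        r"win|moda|news|online|biz|host|loan|study|click|stream|xxx)")

# HS_BAD_DOMAIN as posted: '^' pins the dot to the very start of the header value.
HS_BAD_DOMAIN = re.compile(r"^\.(top|study|click|party|link|stream|info|trade|bid|xxx)", re.I)
FROM_RARE_TLD = re.compile(r"\." + TLDS + r"$", re.I)      # run against From:addr
REPTO_RARE_TLD = re.compile(r"\." + TLDS + r">?$", re.I)   # run against the whole Reply-To
URI_RARE_TLD = re.compile(r"://[^/]+\." + TLDS + r"(?:/|$)", re.I)

def evaluate(headers, uris=()):
    """Return the set of rule names that match the given headers and URIs."""
    hits = set()
    from_raw = headers.get("From", "")
    # Assumption: parseaddr() approximates From:addr (address part only).
    from_addr = parseaddr(from_raw)[1]
    if HS_BAD_DOMAIN.search(from_raw):
        hits.add("HS_BAD_DOMAIN")
    if FROM_RARE_TLD.search(from_addr):
        hits.add("FROM_RARE_TLD")
    if REPTO_RARE_TLD.search(headers.get("Reply-To", "").strip()):
        hits.add("REPTO_RARE_TLD")
    if any(URI_RARE_TLD.search(u) for u in uris):
        hits.add("URI_RARE_TLD")
    return hits

# Constructed sample messages (not real mail).
SPAM = {"From": '"Deals" <promo@offers.example.click>',
        "Reply-To": "Deals <reply@offers.example.top>"}
HAM = {"From": "Alice <alice@example.info>", "Reply-To": "alice@example.info"}
# Listed words appear as a subdomain or path, not as the TLD: must not match.
LOOKALIKE = {"From": "Bob <bob@click.example.org>"}

if __name__ == "__main__":
    for name, msg, uris in [("spam", SPAM, ["http://x.example.xyz/a"]),
                            ("ham", HAM, ["https://example.info/"]),
                            ("lookalike", LOOKALIKE, ["http://top.example.org/bid"])]:
        print(name, sorted(evaluate(msg, uris)))
```
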
