On 14/08/15 02:19, Alex wrote: >>>> in the .cf file I addes blacklist_from *.review >>>> blacklist_from *.work blacklist_from *.date >>> >>> I would use the following: >>> >>> blacklist_uri_host review blacklist_uri_host work >>> blacklist_uri_host date >> >> you want both: a bad sender using the domain as well a URI to the >> domain and without having tested it at my own: make sure it does >> only match when the domain ends with "review", "work", "date" to >> prevent FP > > Are you talking about it somehow matching "123review", for example? > It appears that it refers to only the rhs of the address. For > example "blacklist_from *.review" catches user@123test.review but > not u...@123review.com or user@123review.123review or > 123test.review.com. Are there any other variations to be concerned > with, or could someone else confirm?
That looks right, checking Conf/Parser.pm. blacklist_from internally adds a "$" so it must match the rightmost part of any address. > So while blacklist_from requires the wildcard match, > blacklist_uri_host does not. Indeed blacklist_uri_host does not permit wildcards. It must be an exact match with the top 1-10 parts (labels). > Also, at some time, Axb had posted a list of the new TLDs that are > a significant source of spam and included domains like xxx and xyz. > Does anyone have an updated list that might be helpful? Try http://rss.uribl.com/tlds/index.html (it's percentages per domain, rather than per email) .uno, .red, .black, .blue, .pink, .click, .xyz all seem significantly abused. .asia and .link seems to have cleaned up a bit in the last few months, .science less so. xxx probably isn't very useful to spammers. Also 20_aux_tlds.cf contains a link to the full IANA gTLD list. If you want to be less severe, maybe a meta rule using Paul's BODY_NEWDOMAIN_14_FMBLA with enlist_uri_host setting a range of scores as described at https://bz.apache.org/SpamAssassin/show_bug.cgi?id=6458#c3 CK