On 30/01/2021 20:22, Viktor Dukhovni wrote:
> On Sat, Jan 30, 2021 at 01:20:13PM -0500, Phil Stracchino wrote:
> > I'm looking at implementing a rule to discard all
> > four-letter-and-above TLDs except whitelisted ones, because I'm tired
> > of playing whack-a-mole.
>
> I'd like to strongly advise against filtering by TLD. This is a very
> low quality signal. There is no shortage of abuse mail from the
> traditional gTLDs, and also a non-trivial quantity of legitimate
> email from new gTLDs.
>
> Most of the ".brand" gTLDs are not open for public registration of
> subdomains, and if say citibank decided to send email from a ".citi"
> subdomain, that'd be just fine. They should be able to use the gTLD
> they control.
>
> For example, the ".info" and ".name" gTLDs are established sources of
> legitimate email. Looking at DANE-enabled domains, which junk mail
> senders are unlikely to bother setting up, I see the following top 30
> domain counts by TLD, indicating a population of non-abusive domains.
> ...

Viktor's advice is (as always) sound. My original reply was a
non-advisory answer to OP's question.

FWIW my approach is a bespoke header test within SpamAssassin (local.cf)
against 'EnvelopeFrom' and 'From' which adds a heavy point penalty for
TLDs that are - for us - out of the ordinary, with a few special
exceptions. My welcome-listed TLDs do not include any of those listed by
Viktor except for '.email'. But I am running private mail servers with
active quarantine management so I can tweak these settings when FPs
occur without significant risk of rejecting ham.
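The kind of local.cf rule the previous message describes, written out as an added example (this is not the poster's own configuration). It assumes a welcome list of `info`, `name` and `email`, one exception domain (`example.photography`) and a score of 5.0, all of which are constructed placeholders; the real welcome list and penalty are site-specific. Sub-rules are prefixed `__` so they carry no score of their own and only the `meta` rule contributes to the total:

```conf
# Added example, not the poster's actual local.cf. Welcome-listed TLDs,
# the exception domain and the score are constructed placeholders.

# Envelope sender (MAIL FROM) ends in a TLD of four or more letters that
# is not on the welcome list. The negative lookahead exempts the listed TLDs.
header   __LOCAL_TLD_ENV   EnvelopeFrom =~ /\.(?!(?:info|name|email)$)[a-z]{4,}$/i

# Same test against the address part of the header From:
header   __LOCAL_TLD_FROM  From:addr =~ /\.(?!(?:info|name|email)$)[a-z]{4,}$/i

# Special exception: a known correspondent whose domain sits on an
# otherwise out-of-the-ordinary TLD (constructed placeholder domain)
header   __LOCAL_TLD_OK    From:addr =~ /\@example\.photography$/i

# Penalise only when either address trips the test and no exception applies
meta     LOCAL_ODD_TLD     (__LOCAL_TLD_ENV || __LOCAL_TLD_FROM) && !__LOCAL_TLD_OK
describe LOCAL_ODD_TLD     Sender TLD is out of the ordinary for this site
score    LOCAL_ODD_TLD     5.0
```

Run `spamassassin --lint` after editing local.cf to catch syntax errors. Because `EnvelopeFrom` is a pseudo-header derived from Return-Path (or the header named by `envelope_sender_header`), a null envelope sender such as a bounce simply does not match. The `meta` form is what makes the "few special exceptions" cheap to maintain: each exception is one extra `__LOCAL_TLD_OK` alternative rather than a rewrite of the main regex. As the thread notes, a TLD test is a weak signal on its own, which is why the poster pairs it with active quarantine review rather than outright rejection.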