Re: namechep and DOB

2024-07-08 Thread Alex
On Mon, Jul 8, 2024 at 7:33 PM Matija Nalis 
wrote:

> On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote:
> > Are there RBLs available that can be used to determine registrar or date
> of
> > registration? I understand the limits of querying a registrar but thought
> > there might be an RBL out there with this info?
>
> https://spameatingmonkey.com/services  lists the following RBLs:
>
> SEM-FRESHZERO — Domains never seen before (typically registered in the
> last 24 hours)
> SEM-FRESH — Domains registered in the last 5 days
> SEM-FRESH10 — Domains registered in the last 10 days
> SEM-FRESH15 — Domains registered in the last 15 days
> SEM-FRESH30 — Domains registered in the last 30 days
>
> perhaps that might help?
>

I do have the SEM rules in place (it's been a while, yikes) but they didn't
hit here.

It also looks like it's really only the SEM_FRESH rules that are hitting
anything, and not any of the others, like SEM_URI or SEM_URIRED, etc. Also
no updates on their site since 2017.


Re: namechep and DOB

2024-07-08 Thread Matija Nalis
On Mon, Jul 08, 2024 at 05:13:29PM -0400, Alex wrote:
> Are there RBLs available that can be used to determine registrar or date of
> registration? I understand the limits of querying a registrar but thought
> there might be an RBL out there with this info?

https://spameatingmonkey.com/services  lists the following RBLs:

SEM-FRESHZERO — Domains never seen before (typically registered in the last 24 
hours)
SEM-FRESH — Domains registered in the last 5 days
SEM-FRESH10 — Domains registered in the last 10 days
SEM-FRESH15 — Domains registered in the last 15 days
SEM-FRESH30 — Domains registered in the last 30 days

perhaps that might help?

-- 
Opinions above are GNU-copylefted.


Re: namechep and DOB

2024-07-08 Thread Alex
Hi,

> Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails
> hitting them?
>

Yes, got them, from here:
https://github.com/fmbla/spamassassin/blob/master/FMBLA.cf

Didn't hit.
Jul  8 18:02:53.537 [4189153] dbg: dnseval: checking [sendersrv.com] /
FROM_NEWDOMAIN_FMBLA / blfmbla / bl.fmb.la
Jul  8 18:02:53.537 [4189153] dbg: dns: launching rule
FROM_NEWDOMAIN_FMBLA, set blfmbla, type A, subtest 127.0.0.2
Jul  8 18:02:53.537 [4189153] dbg: async: query 41110/IN/A/
sendersrv.com.bl.fmb.la already underway, adding no.4, rules:
FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.537 [4189153] dbg: dnseval: checking [smartlendingclub.com]
/ FROM_NEWDOMAIN_FMBLA / blfmbla / bl.fmb.la
Jul  8 18:02:53.538 [4189153] dbg: dns: launching rule
FROM_NEWDOMAIN_FMBLA, set blfmbla, type A, subtest 127.0.0.2
Jul  8 18:02:53.538 [4189153] dbg: async: query 43398/IN/A/
smartlendingclub.com.bl.fmb.la already underway, adding no.4, rules:
FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.638 [4189153] dbg: async: calling callback on key A/
sendersrv.com.bl.fmb.la, rules: FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.639 [4189153] dbg: async: calling callback on key A/
smartlendingclub.com.bl.fmb.la, rules: FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.782 [4189153] dbg: async: completed in 0.137 s: DNSBL, A/
sendersrv.com.bl.fmb.la, rules: FROM_URIBL_COMMUNICADO_FMBLA,
FROM_URIBL_FMBLA, FROM_NEWDOMAIN_14_FMBLA, FROM_NEWDOMAIN_FMBLA
Jul  8 18:02:53.787 [4189153] dbg: async: completed in 0.137 s: DNSBL, A/
smartlendingclub.com.bl.fmb.la, rules: FROM_URIBL_FMBLA,
BODY_NEWDOMAIN_14_FMBLA, BODY_NEWDOMAIN_FMBLA,
FROM_URIBL_COMMUNICADO_FMBLA, FROM_NEWDOMAIN_FMBLA,
FROM_NEWDOMAIN_14_FMBLA, BODY_URIBL_FMBLA, BODY_URIBL_COMMUNICADO_FMBLA

> In my case, URIBL_RHS_DOB is no longer working at all.   Is this still
> working? - Mark
>
>
It doesn't appear to be working here, either.

ifplugin Mail::SpamAssassin::Plugin::URIDNSBL
urirhssub URIBL_RHS_DOB dob.sibl.support-intelligence.net  A   2
body URIBL_RHS_DOB  eval:check_uridnsbl('URIBL_RHS_DOB')
describe URIBL_RHS_DOB  Contains an URI of a new domain (Day Old Bread)
tflags URIBL_RHS_DOB net
endif

$ spamassassin -t -D plugin < notice-lending-spam 2>&1|grep URIDNSBL
Jul  8 18:16:22.404 [480] dbg: plugin: loading
Mail::SpamAssassin::Plugin::URIDNSBL from @INC
Jul  8 18:16:28.366 [480] dbg: plugin:
Mail::SpamAssassin::Plugin::URIDNSBL=HASH(0x558387e6dea0) implements
'check_dnsbl', priority 0


Re: namechep and DOB

2024-07-08 Thread Mark London
Alex - Check out the FROM_FMBLA_NEWDOM rules.  Are you seeing any emails 
hitting them?


In my case, URIBL_RHS_DOB is no longer working at all.   Is this still 
working? - Mark


On 7/8/2024 5:13 PM, Alex wrote:

Hi,

I'm seeing emails from smartlendingclub dot com getting through that 
are clearly spam. It's a namecheap domain registered in the last two 
weeks or so.


IIRC, in the past there was more flexibility with the URIBL_RHS_DOB 
rules to penalize domains recently registered, but now it doesn't 
appear to have hit any rules related to registration dates.


Domain name: smartlendingclub dot com
Registry Domain ID: 2891563192_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com 
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-06-17T18:42:01.00Z
Registrar Registration Expiration Date: 2025-06-17T18:42:01.00Z

This email also hit the following rules:
describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender

But this rule has virtually 0 score?
describe RCVD_IN_IADB_DOPTIN_LT50  IADB: Confirmed opt-in used less 
than 50% of the time


It hit some other IADB rules like RCVD_IN_IADB_SENDERID but not any 
DOB rules. Am I missing something? Maybe it was the HOSTKARMA rules 
I'm remembering?


Are there RBLs available that can be used to determine registrar or 
date of registration? I understand the limits of querying a registrar 
but thought there might be an RBL out there with this info?





namechep and DOB

2024-07-08 Thread Alex
Hi,

I'm seeing emails from smartlendingclub dot com getting through that are
clearly spam. It's a namecheap domain registered in the last two weeks or
so.

IIRC, in the past there was more flexibility with the URIBL_RHS_DOB rules
to penalize domains recently registered, but now it doesn't appear to have
hit any rules related to registration dates.

Domain name: smartlendingclub dot com
Registry Domain ID: 2891563192_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-06-17T18:42:01.00Z
Registrar Registration Expiration Date: 2025-06-17T18:42:01.00Z

This email also hit the following rules:
describe RCVD_IN_IADB_VOUCHED   ISIPP IADB lists as vouched-for sender

But this rule has virtually 0 score?
describe RCVD_IN_IADB_DOPTIN_LT50  IADB: Confirmed opt-in used less than
50% of the time

It hit some other IADB rules like RCVD_IN_IADB_SENDERID but not any DOB
rules. Am I missing something? Maybe it was the HOSTKARMA rules I'm
remembering?

Are there RBLs available that can be used to determine registrar or date of
registration? I understand the limits of querying a registrar but thought
there might be an RBL out there with this info?
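
Added example, not part of any message in this thread: a Python sketch that computes the domain's age from the WHOIS fields in the original post and shows which of the SEM-FRESH windows quoted above that age falls inside. The window lengths come from the quoted descriptions; the strict "age < N days" comparison, the function names and the use of the first post's timestamp as the evaluation time are assumptions.

```python
from datetime import datetime, timezone

# Window lengths in days, taken from the SEM list descriptions quoted in the thread.
SEM_WINDOWS = {"SEM-FRESHZERO": 1, "SEM-FRESH": 5, "SEM-FRESH10": 10,
               "SEM-FRESH15": 15, "SEM-FRESH30": 30}

# WHOIS date fields copied from the original post.
WHOIS_TEXT = """\
Updated Date: 0001-01-01T00:00:00.00Z
Creation Date: 2024-06-17T18:42:01.00Z
Registrar Registration Expiration Date: 2025-06-17T18:42:01.00Z
"""

# Time of the first post (05:13:29PM -0400), converted to UTC.
POSTED_AT = datetime(2024, 7, 8, 21, 13, 29, tzinfo=timezone.utc)

def parse_whois_dates(text):
    """Map each '... Date' field to an aware datetime, or None for a placeholder."""
    dates = {}
    for line in text.splitlines():
        field, sep, value = line.partition(": ")
        if not sep or not field.endswith("Date"):
            continue
        stamp = datetime.strptime(value.strip(), "%Y-%m-%dT%H:%M:%S.%fZ")
        # Year 0001 is a "never set" sentinel, not a real timestamp.
        dates[field] = None if stamp.year == 1 else stamp.replace(tzinfo=timezone.utc)
    return dates

def age_in_days(created, seen=POSTED_AT):
    """Whole days between registration and the time the mail was seen."""
    return (seen - created).days

def windows_covering(age_days):
    """SEM list names whose described window still includes this age (assumed '<')."""
    return [name for name, days in SEM_WINDOWS.items() if 0 <= age_days < days]

def report(text=WHOIS_TEXT, seen=POSTED_AT):
    created = parse_whois_dates(text)["Creation Date"]
    age = age_in_days(created, seen)
    return age, windows_covering(age)

if __name__ == "__main__":
    age, lists = report()
    print(f"domain age: {age} days; windows that still include it: {lists}")
```

The lists themselves are populated from each operator's own observations, so falling inside a window by age does not guarantee a listing.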