RE: Re[8]: rule based on domain age

2023-05-11 Thread Marc
> IP ranges and country connections are of no help.  These criminals use
> outlook, gmail, vps servers and everything under the sun.

So they register new domains, link them to gmail (outlook) and send spam with 
envelope of the domain via the google network, and google does nothing and 
keeps giving this service to them?

I assume this service is offered for free by google/outlook?



Re[8]: rule based on domain age

2023-05-10 Thread Tracy Greggs via users
IP ranges and country connections are of no help.  These criminals use 
outlook, gmail, vps servers and everything under the sun.


The spameatingmonkey.com rbl that was suggested to me for domains reg'd in 
the past 30 days will be quite helpful; already implemented.


I am also looking at getting the feed from zonefiles.io and I can 
potentially use that data and some coding on my end to create my own 180 
or whatever day list fairly easily and query it locally with an in house 
RBL.


I appreciate your input and suggestions Marc.




-- Original Message --

From "Marc" 
To "Tracy Greggs" ; 
"users@spamassassin.apache.org" 

Date 5/10/2023 4:57:21 PM
Subject RE: Re[6]: rule based on domain age





 What I am targeting will not be on an abusive domains on any RBL
 anywhere as they buy these domains for the sole purpose of targeting our
 company and our clients.  They only have to succeed once where I have to
 succeed every time to keep them from stealing large sums.


What about the ip ranges? I have the impression that once you register these, 
it gets less. There are specific providers offering their networks for such 
services. Legitimate providers do not want to get involved with such networks, 
because they will end up on blacklists.

I have a combination of ip ranges that I have registered; these get from 
me a url in a confirmation, and only when this url is clicked is the email 
accepted.
You could tune this for your environment.

Maybe you can do something with the connection country

[@]# dig +short -t txt 95.80.124.107.origin.asn.cymru.com
"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"
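The home-grown 180-day list Tracy describes above (a zone-file feed plus some local coding) can be built by diffing successive zone snapshots, because a zone file itself records which names are delegated but not when they were registered; the day a name first appears is the usable proxy for its registration date. The block below is an added example, not code from the thread, from zonefiles.io or from SpamAssassin. The snapshot contents, the BASELINE sentinel and the 127.0.0.2/127.0.0.3 return-code tiering are this example's own assumptions.

```python
"""Local "young domain" list built from daily zone snapshots.

Added example; not code from the mailing-list thread, from zonefiles.io or
from SpamAssassin. A zone file lists the names delegated today but carries
no registration date, so the age estimate comes from replaying snapshots and
treating the day a name first shows up as its registration date. The
snapshot contents below are constructed sample data.
"""
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed sample snapshots: snapshot date -> names present in the zone.
SNAPSHOTS: Dict[date, Set[str]] = {
    date(2023, 1, 1): {"example.com.", "old-shop.net."},
    date(2023, 1, 2): {"example.com.", "old-shop.net.", "fresh-lure.com."},
    date(2023, 4, 20): {"example.com.", "old-shop.net.", "fresh-lure.com.",
                        "brand-new.biz."},
    date(2023, 5, 10): {"example.com.", "old-shop.net.", "fresh-lure.com.",
                        "brand-new.biz.", "seen-today.info."},
}

# Sentinel (our own convention): the name was already present in the very
# first snapshot we took, so its real registration date is unknown and it
# may be years old. Treating those as "new" would quarantine every
# established sender on day one.
BASELINE = None


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot that zone files carry."""
    return name.strip().rstrip(".").lower()


def build_first_seen(snapshots: Dict[date, Set[str]]) -> Dict[str, Optional[date]]:
    """Replay snapshots in date order and record each name's first sighting.

    Names in the earliest snapshot get BASELINE; later newcomers get the date
    of the snapshot they first appear in. A name that drops out and returns
    keeps its original date (re-registrations are a known blind spot here).
    """
    first_seen: Dict[str, Optional[date]] = {}
    for i, day in enumerate(sorted(snapshots)):
        for raw in snapshots[day]:
            name = normalize(raw)
            if name not in first_seen:
                first_seen[name] = BASELINE if i == 0 else day
    return first_seen


def domain_age_days(first_seen: Dict[str, Optional[date]], name: str,
                    today: date) -> Optional[int]:
    """Age in days, or None when unknown (baseline name or never seen)."""
    seen = first_seen.get(normalize(name))
    if seen is None:
        return None
    return (today - seen).days


def young_domains(first_seen: Dict[str, Optional[date]], today: date,
                  max_age_days: int) -> List[str]:
    """Names whose estimated age is at most max_age_days; baseline excluded."""
    return sorted(
        name for name, seen in first_seen.items()
        if seen is not None and (today - seen).days <= max_age_days
    )


def dnsbl_answer(first_seen: Dict[str, Optional[date]], name: str, today: date,
                 tiers=((30, "127.0.0.2"), (180, "127.0.0.3"))) -> Optional[str]:
    """Map age to an A-record answer for an in-house DNSBL.

    The tiering (<= 30 days -> 127.0.0.2, <= 180 days -> 127.0.0.3) is this
    example's own convention so a scanner can score the two bands
    differently; None means "not listed".
    """
    age = domain_age_days(first_seen, name, today)
    if age is None:
        return None
    for limit, code in tiers:
        if age <= limit:
            return code
    return None


if __name__ == "__main__":
    today = date(2023, 5, 10)
    fs = build_first_seen(SNAPSHOTS)
    for n in sorted(fs):
        print(f"{n:18} age={domain_age_days(fs, n, today)} "
              f"answer={dnsbl_answer(fs, n, today)}")
```

The baseline handling is the part that bites in practice: with a single snapshot and no history, every name in the zone would otherwise look brand new. Names that vanish and later reappear keep their original date here, which undercounts re-registered domains. A production version would persist the first_seen map between runs and reduce sender hostnames to registrable domains (Public Suffix List) before lookup.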



RE: Re[6]: rule based on domain age

2023-05-10 Thread Marc


> What I am targeting will not be on an abusive domains on any RBL
> anywhere as they buy these domains for the sole purpose of targeting our
> company and our clients.  They only have to succeed once where I have to
> succeed every time to keep them from stealing large sums.

What about the ip ranges? I have the impression that once you register these, 
it gets less. There are specific providers offering their networks for such 
services. Legitimate providers do not want to get involved with such networks, 
because they will end up on blacklists.

I have a combination of ip ranges that I have registered; these get from 
me a url in a confirmation, and only when this url is clicked is the email 
accepted.
You could tune this for your environment.

Maybe you can do something with the connection country

[@]# dig +short -t txt 95.80.124.107.origin.asn.cymru.com
"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"
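The dig lookup in Marc's message queries Team Cymru's IP-to-ASN mapping: the octets of the connecting IP are reversed under origin.asn.cymru.com, and the TXT answer carries the originating ASN, the announced prefix, the country code, the regional registry and the allocation date. As an added example (not part of the thread), the block below builds that query name and parses the answer exactly as dig +short prints it, then derives the kind of connection signals Marc alludes to (country and operator-registered ranges). The watch list and expected-country set are constructed placeholders, and the DNS query itself is left to dig or a resolver library so the code runs offline.

```python
"""Team Cymru origin-ASN lookup: query-name construction and TXT parsing.

Added example, not code from the thread or from Team Cymru. It works
offline: the DNS query itself is left to dig (as in the post) or a resolver
library; here we only build the name to query and parse the answer text.
The sample answer is the one shown in the post; the watch list is constructed.
"""
import ipaddress
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set

ORIGIN_SUFFIX = "origin.asn.cymru.com"


@dataclass
class OriginInfo:
    asns: List[int]            # more than one ASN when a prefix is multi-originated
    prefix: str
    country: str
    registry: str
    allocated: Optional[date]  # may be empty in some answers


def origin_query_name(ip: str) -> str:
    """Reverse the octets, in-addr.arpa style: 107.124.80.95 -> 95.80.124.107..."""
    addr = ipaddress.IPv4Address(ip)   # raises ValueError on garbage input
    rev = ".".join(reversed(str(addr).split(".")))
    return f"{rev}.{ORIGIN_SUFFIX}"


def parse_origin_txt(txt: str) -> OriginInfo:
    """Parse 'ASN | prefix | CC | registry | allocated' as dig +short prints it.

    dig wraps the TXT data in double quotes; those are stripped first. The ASN
    field can hold several space-separated numbers; the date can be empty.
    """
    body = txt.strip()
    if body.startswith('"') and body.endswith('"'):
        body = body[1:-1]
    fields = [f.strip() for f in body.split("|")]
    if len(fields) != 5:
        raise ValueError(f"unexpected field count in {txt!r}")
    asn_field, prefix, cc, registry, alloc = fields
    asns = [int(a) for a in asn_field.split()]
    network = ipaddress.ip_network(prefix, strict=False)
    allocated = date.fromisoformat(alloc) if alloc else None
    return OriginInfo(asns, str(network), cc, registry, allocated)


def ip_in_prefix(ip: str, prefix: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)


def connection_flags(ip: str, info: OriginInfo, expected_countries: Set[str],
                     watched_prefixes: List[str]) -> List[str]:
    """Cheap sanity signals a scanner could turn into score adjustments.

    PREFIX_MISMATCH: the answered prefix does not cover the IP we asked about
    (stale or mismatched data, so do not trust the rest of the answer).
    UNEXPECTED_COUNTRY: outside the countries we normally exchange mail with.
    WATCHED_RANGE: inside an operator-maintained list of ranges.
    """
    flags = []
    if not ip_in_prefix(ip, info.prefix):
        flags.append("PREFIX_MISMATCH")
    if info.country not in expected_countries:
        flags.append("UNEXPECTED_COUNTRY")
    if any(ip_in_prefix(ip, p) for p in watched_prefixes):
        flags.append("WATCHED_RANGE")
    return flags


# The answer shown in the post; the query name there is the reversed form of SAMPLE_IP.
SAMPLE_TXT = '"7018 | 107.64.0.0/10 | US | arin | 2011-02-04"'
SAMPLE_IP = "107.124.80.95"
# Constructed watch list: ranges the operator has chosen to treat specially.
WATCHED = ["107.64.0.0/10"]

if __name__ == "__main__":
    print(origin_query_name(SAMPLE_IP))
    info = parse_origin_txt(SAMPLE_TXT)
    print(info)
    print(connection_flags(SAMPLE_IP, info, {"US", "DE"}, WATCHED))
```

The PREFIX_MISMATCH check is worth keeping even though it looks paranoid: the answer is only meaningful if the prefix actually contains the queried address, and a parsing slip in the reversal (or a cached answer for a different IP) is otherwise silent.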



Re[6]: rule based on domain age

2023-05-10 Thread Tracy Greggs via users
We are specifically targeted Marc.  We have 130 domains on the shelf via 
UDRP disputes right now and 30 more in progress.


What I am trying to accomplish with this issue at hand is to score up 
and quarantine all domains newer than 380 days.  I am fully aware that 
there will be some legit email quarantined and I am fine with that, 
those can be vetted and released.


What I am targeting will not be on an abusive domains on any RBL 
anywhere as they buy these domains for the sole purpose of targeting our 
company and our clients.  They only have to succeed once where I have to 
succeed every time to keep them from stealing large sums.


I may need to look at this differently, more like checking against a DNS 
based list of domains over a year old for example and giving those a 
negative score if necessary.





-- Original Message --

From "Marc" 
To "Tracy Greggs" ; 
"users@spamassassin.apache.org" 

Date 5/10/2023 3:50:06 PM
Subject RE: Re[4]: rule based on domain age


Yes some already block/timeout with the 2nd lookup. But there is a flip side. 
There are dns blacklists that have domainnames that are currently being abused.




 I hadn't considered being blocked by the TLD's from doing the lookups.
 Good point.  We probably do about 2K per day so not sure that is enough
 to be blocked but it certainly could be.


 >
 >>
 >>  Why would it have to have to be specific per TLD?  Why I have in
 mind is
 >>  looking at the creation date of the sending domain and scoring it up
 if
 >>  it is newer than 12 months, no matter what the TLD is.
 >
 >I totally get it. I was thinking of incorporating this in a service for
 a European project. And even going further, querying owner information.
 >
 >>  Am I missing something?
 >
 >Because this information is only available at tld's and just querying
 the whois endlessly will be blocked. Every tld registry has their own
 operating rules.


RE: Re[4]: rule based on domain age

2023-05-10 Thread Marc
Yes some already block/timeout with the 2nd lookup. But there is a flip side. 
There are dns blacklists that have domainnames that are currently being abused.


> 
> I hadn't considered being blocked by the TLD's from doing the lookups.
> Good point.  We probably do about 2K per day so not sure that is enough
> to be blocked but it certainly could be.
> 
> 
> >
> >>
> >>  Why would it have to have to be specific per TLD?  Why I have in
> mind is
> >>  looking at the creation date of the sending domain and scoring it up
> if
> >>  it is newer than 12 months, no matter what the TLD is.
> >
> >I totally get it. I was thinking of incorporating this in a service for
> a European project. And even going further, querying owner information.
> >
> >>  Am I missing something?
> >
> >Because this information is only available at tld's and just querying
> the whois endlessly will be blocked. Every tld registry has their own
> operating rules.


Re[4]: rule based on domain age

2023-05-10 Thread Tracy Greggs via users
I hadn't considered being blocked by the TLD's from doing the lookups.  
Good point.  We probably do about 2K per day so not sure that is enough 
to be blocked but it certainly could be.



-- Original Message --

From "Marc" 

To "Tracy Greggs" 
Date 5/10/2023 3:32:05 PM
Subject RE: Re[2]: rule based on domain age





 Why would it have to have to be specific per TLD?  Why I have in mind is
 looking at the creation date of the sending domain and scoring it up if
 it is newer than 12 months, no matter what the TLD is.


I totally get it. I was thinking of incorporating this in a service for a 
European project. And even going further, querying owner information.


 Am I missing something?


Because this information is only available at tld's, and just querying the whois 
endlessly will be blocked. Every tld registry has its own operating rules.


RE: rule based on domain age

2023-05-10 Thread Marc

> 
> My apologies if that has been asked and or answered previously.
> 
> I would love to have a rule to score up messages from domains registered
> in the past X configurable days.
> 
> We rarely receive legit email from domains newer than 1 year old, but we
> get spoofs daily from domains that are less than 1 year old.
> 
> I would like to score all of the less than 1 year old domains up and
> quarantine them for review.
> 
> Does such a rule already exist?
> 
> Thanks in advance for any direction any of you may have.
> 

I don't think this is available. All this would also be specific per tld. So 
everyone would need to agree on participating in some system, and then you also 
have different judicial areas.




rule based on domain age

2023-05-10 Thread Tracy Greggs via users

My apologies if that has been asked and or answered previously.

I would love to have a rule to score up messages from domains registered 
in the past X configurable days.


We rarely receive legit email from domains newer than 1 year old, but we 
get spoofs daily from domains that are less than 1 year old.


I would like to score all of the less than 1 year old domains up and 
quarantine them for review.


Does such a rule already exist?

Thanks in advance for any direction any of you may have.

Regards

Re: Today's Google Docs phish (domain age)

2017-05-04 Thread Benny Pedersen

Noel Butler skrev den 2017-05-04 12:45:


The SEM fresh*  uri lists I dare say.


it could be a core part of spamassassin. why? since spammers avoid 
sending it to sem, and not all new domains come to sem before their 
deprecated spam campaigns :/


who will make it to sa core ?

sad to see your mail host add big signature to your maillist postings


Re: Today's Google Docs phish (domain age)

2017-05-04 Thread Noel Butler
On 04/05/2017 17:38, Merijn van den Kroonenberg wrote:

>> On Wed, 3 May 2017, Alex wrote:
>> That target domain "g-docs . pro" was registered 12 days ago via
>> namecheap.com
>> which was enough to earn it a few extra points at our site.
> 
> How do you detect the domain age in SA? I am really interested in a domain
> age solution if its out there.

The SEM fresh*  uri lists I dare say. 

-- 
Kind Regards, 

Noel Butler 

This Email, including any attachments, may contain legally privileged
information, therefore remains confidential and subject to copyright
protected under international law. You may not disseminate, discuss, or
reveal, any part, to anyone, without the authors express written
authority to do so. If you are not the intended recipient, please notify
the sender then delete all copies of this message including attachments,
immediately. Confidentiality, copyright, and legal privilege are not
waived or lost by reason of the mistaken delivery of this message. Only
PDF [1] and ODF [2] documents accepted, please do not send proprietary
formatted documents

 

Links:
--
[1] http://www.adobe.com/
[2] http://en.wikipedia.org/wiki/OpenDocument



Re: Today's Google Docs phish (domain age)

2017-05-04 Thread Merijn van den Kroonenberg
> On Wed, 3 May 2017, Alex wrote:
>
>> Hi,
>>
>> If you haven't heard, there was a huge Google Docs phishing attack
>> today.
[snip]
>> Have you received any of these? Have you done anything to prevent them
>> next time or from being received this time?
>
> That target domain "g-docs . pro" was registered 12 days ago via
> namecheap.com
> which was enough to earn it a few extra points at our site.

How do you detect the domain age in SA? I am really interested in a domain
age solution if its out there.

>
> It's now sitting in a high-scoring local URIBL here (which is enough to
> get a
> SMTP-REJECT).
>
> --
> Dave Funk  University of Iowa
> College of Engineering
> 319/335-5751   FAX: 319/384-0549   1256 Seamans Center
> Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527
> #include 
> Better is not better, 'standard' is better. B{
>




Domain Age

2014-06-05 Thread Andreas Schulze


Hello,

today we came up with the idea to look at the domain age.
It may be a criteria for otherwise perfect messages.

Is there something I could ask with a domainname and receive the age  
as answer?


Andreas



Re: Domain Age

2014-06-05 Thread Matthias Leisi
On Thu, Jun 5, 2014 at 3:22 PM, Andreas Schulze s...@andreasschulze.de
wrote:


 Is there something I could ask with a domainname and receive the age as
 answer?


http://support-intelligence.com/dob/

Which domain would you be interested in? MAIL FROM, From:, Body URL-domain,
...?

-- Matthias


Re: Domain Age

2014-06-05 Thread Kevin A. McGrail

On 6/5/2014 9:22 AM, Andreas Schulze wrote:

today we came up with the idea to look at the domain age.
It may be a criteria for otherwise perfect messages.

Is there something I could ask with a domainname and receive the age 
as answer? 

Hi Andreas,

I believe you should look at RCVD_IN_DOB which is short for Day Old 
Bread as a starting point for this idea.  It's been done before but 
perhaps you have a new twist!


regards,
KAM


Re: Domain Age

2014-06-05 Thread Axb

On 06/05/2014 03:22 PM, Andreas Schulze wrote:


Hello,

today we came up with the idea to look at the domain age.
It may be a criteria for otherwise perfect messages.

Is there something I could ask with a domainname and receive the age as
answer?



We've been there a few days ago

See thread SPAM from a registrar




.cn domain age query?

2009-09-14 Thread Warren Togami

(resend, first attempted about 14 hours ago)

I noticed that many spam (in English) have links like can't include in 
this post because of apache.org's spam filter.cn where the domains are 
not triggering URIBL's.  It seems that they have thousands of 
randomword.cn domains (very cheap to register?), and I very rarely see 
them repeat from one spam to the next.


One thing they all have in common is their registration dates are very 
young according to whois lookups.  It seems in general if we had a 
reliable way to lookup domain age we might be able to differentiate spam.


Is there any good way to query for the age of a domain?  Unfortunately 
it seems whois is too slow and the text format is non-standard.


Warren Togami
wtog...@redhat.com


Re: .cn domain age query?

2009-09-14 Thread John Hardin

On Mon, 14 Sep 2009, Warren Togami wrote:

One thing they all have in common is their registration dates are very 
young according to whois lookups.  It seems in general if we had a 
reliable way to lookup domain age we might be able to differentiate 
spam.


What's the current status of the Day Old Bread BL? Has it moved to 
subscription-only?


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #12: Have a plan.
  USMC Rules of Gunfighting #13: Have a back-up plan, because the
  first one won't work.
---
 3 days until the 222nd anniversary of the signing of the U.S. Constitution


Re: .cn domain age query?

2009-09-14 Thread Chris Owen

On Sep 14, 2009, at 12:41 PM, John Hardin wrote:


On Mon, 14 Sep 2009, Warren Togami wrote:

One thing they all have in common is their registration dates are  
very young according to whois lookups.  It seems in general if we  
had a reliable way to lookup domain age we might be able to  
differentiate spam.


What's the current status of the Day Old Bread BL? Has it moved to  
subscription-only?


I don't think it has, but you can drill down a bit further with the  
SEM lists:


http://spameatingmonkey.com/lists.html

They will tell you domains that are 5, 10 and 15 days old.

Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-






Re: .cn domain age query?

2009-09-14 Thread --[ UxBoD ]--
- Bill Landry b...@inetmsg.com wrote:

|  On Mon, 14 Sep 2009, Warren Togami wrote:
| 
|  One thing they all have in common is their registration dates are
| very
|  young according to whois lookups.  It seems in general if we had a
|  reliable way to lookup domain age we might be able to
| differentiate
|  spam.
| 
|  What's the current status of the Day Old Bread BL? Has it moved to
|  subscription-only?
| 
| Still working fine for me here, 51 hits so far today against DOB.
| 
| Bill
| 
Not come across that RBL before! Thanks :)

Best Regards,

-- 
This message has been scanned for viruses and
dangerous content and is believed to be clean.

SplatNIX IT Services :: Innovation through collaboration



Re: .cn domain age query?

2009-09-14 Thread Mike Cardwell

Chris Owen wrote:

One thing they all have in common is their registration dates are 
very young according to whois lookups.  It seems in general if we had 
a reliable way to lookup domain age we might be able to differentiate 
spam.


What's the current status of the Day Old Bread BL? Has it moved to 
subscription-only?


I don't think it has, but you can drill down a bit further with the SEM 
lists:


http://spameatingmonkey.com/lists.html

They will tell you domains that are 5, 10 and 15 days old.


That wouldn't help in this particular case:

All domains registered in the last 5 days under the .BIZ, .COM, .INFO, 
.NAME, .NET and .US TLDs


Doesn't work for .cn's, or any other country level tld's (apart from .us)

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/


Re: .cn domain age query?

2009-09-14 Thread Bill Landry
 On Mon, 14 Sep 2009, Warren Togami wrote:

 One thing they all have in common is their registration dates are very
 young according to whois lookups.  It seems in general if we had a
 reliable way to lookup domain age we might be able to differentiate
 spam.

 What's the current status of the Day Old Bread BL? Has it moved to
 subscription-only?

Still working fine for me here, 51 hits so far today against DOB.

Bill



Re: .cn domain age query?

2009-09-14 Thread John Hardin

On Mon, 14 Sep 2009, Mike Cardwell wrote:


Chris Owen wrote:


 http://spameatingmonkey.com/lists.html

 They will tell you domains that are 5, 10 and 15 days old.


That wouldn't help in this particular case:

All domains registered in the last 5 days under the .BIZ, .COM, .INFO, 
.NAME, .NET and .US TLDs


Doesn't work for .cn's, or any other country level tld's (apart from .us)


Query sent about adding .cn TLD.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  One death is a tragedy; thirty is a media sensation;
  a million is a statistic.  -- Joseph Stalin, modernized
---
 3 days until the 222nd anniversary of the signing of the U.S. Constitution


Re: .cn domain age query?

2009-09-14 Thread Karsten Bräckelmann
On Mon, 2009-09-14 at 18:55 +0100, --[ UxBoD ]-- wrote:
 | Still working fine for me here, 51 hits so far today against DOB.
 
 Not come across that RBL before! Thanks :)

grep _DOB *.cf    # Part of the stock rule-set.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: .cn domain age query?

2009-09-14 Thread --[ UxBoD ]--
- Karsten Bräckelmann guent...@rudersport.de wrote:

| On Mon, 2009-09-14 at 18:55 +0100, --[ UxBoD ]-- wrote:
|  | Still working fine for me here, 51 hits so far today against DOB.
|  
|  Not come across that RBL before! Thanks :)
| 
| grep _DOB *.cf    # Part of the stock rule-set.
| 
| 
| -- 
| char
| *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
| main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8?
| c<<=1:
| (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){
| putchar(t[s]);h=m;s=0; }}}
| 
How dumb me be ;) Thanks Karsten :D

Should have checked ... Been too busy defending a previous naughty OP ;)

Best Regards,



-- 
This message has been scanned for viruses and
dangerous content and is believed to be clean.

SplatNIX IT Services :: Innovation through collaboration



Re: .cn domain age query?

2009-09-14 Thread Karsten Bräckelmann
On Mon, 2009-09-14 at 19:51 +0100, UxBoD wrote:
 - Karsten Bräckelmann wrote:

 | grep _DOB *.cf    # Part of the stock rule-set.
 
 How dumb me be ;) Thanks Karsten :D

Heh, no problem. :)  Just figured I should spare you the time of adding
it, and prevent you from scoring twice.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: .cn domain age query?

2009-09-14 Thread Blaine Fleming
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Let's try this again with sending to the list.  Sorry Mike!

Mike Cardwell wrote:
 That wouldn't help in this particular case:
 
 All domains registered in the last 5 days under the .BIZ, .COM, .INFO,
 .NAME, .NET and .US TLDs
 
 Doesn't work for .cn's, or any other country level tld's (apart from .us)

Unfortunately, ccTLDs aren't very cooperative in matters such as this.
There are a few exceptions but most of them will ignore requests for
zone file access or outright tell you they can't for security reasons.

The operators of the .cn TLD are unwilling to work with me at all.

If anyone has any contacts at various ccTLDs that are willing to grant
people access to zone files then please let the list know.  I'm sure
there are several others that would like to get access.

- --Blaine
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAkqunckACgkQLp9/dJH6k+MKQwCgh+9L8+5edKSwRKUAcelT1BDR
hQUAn2beU0Vy4oFULDaZjh8IQluQ7exT
=ZO2c
-END PGP SIGNATURE-