Re: Frequency of SUSP_NTLD updates
On Wed, 1 Jul 2020 10:20:50 -0700 (PDT)
John Hardin wrote:

> I realize this isn't really a welcome solution per the original note
> but until the legitimate use of those TLDs grows the rules punishing
> them do have value.

There ought to be a delist version of enlist_addrlist though.
Re: Frequency of SUSP_NTLD updates
On Wed, 1 Jul 2020, @lbutlr wrote:

> On 30 Jun 2020, at 09:31, RW wrote:
>
>> On Tue, 30 Jun 2020 11:30:17 +
>> Roald Stolte wrote:
>>
>>> These mails were all using TLDs such as .site and .online and were
>>> getting marked because of it.
>>
>> Are others seeing a decrease in spam from .site and .online?
>
> All I see from these TLDs is 100% spam. They are not at the volume that
> .top was when this free-for-all on TLDs started, but they are not
> generating any legitimate mail on my servers.

That matches my experience.

>> You could just drop the score for FROM_SUSPICIOUS_NTLD &
>> FROM_SUSPICIOUS_NTLD_FP.
>
> This is probably the best way, but I'd be wary of dropping it too much.

Especially as the rule covers *other* rarely-legit TLDs as well, and that
would impact their scoring.

I'd suggest instead a rule with an offsetting negative score (not
necessarily an actual whitelist/accept entry as that's *too* generous)
for the TLDs (or if possible the specific domains in those TLDs) that are
causing problems.

I realize this isn't really a welcome solution per the original note but
until the legitimate use of those TLDs grows the rules punishing them do
have value.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Microsoft is not a standards body.
-----------------------------------------------------------------------
 3 days until the 244th anniversary of the Declaration of Independence
Re: Frequency of SUSP_NTLD updates
On 30 Jun 2020, at 09:31, RW wrote:

> On Tue, 30 Jun 2020 11:30:17 +
> Roald Stolte wrote:
>
>> These mails were all using TLDs such as .site and .online and were
>> getting marked because of it.
>
> Are others seeing a decrease in spam from .site and .online?

All I see from these TLDs is 100% spam. They are not at the volume that
.top was when this free-for-all on TLDs started, but they are not
generating any legitimate mail on my servers.

I've loosened some restrictions on .fm, .tv and .info, since there are
legitimate senders there, but even those are still mostly spam.

I see connections from domains like server.creativecabin.online,
mail.mobile-advertising.site, mail.freebitcoins.site, and
fame.servetxt.online, and most of it is coming in to spam-trap email
addresses.

> You could just drop the score for FROM_SUSPICIOUS_NTLD &
> FROM_SUSPICIOUS_NTLD_FP.

This is probably the best way, but I'd be wary of dropping it too much.

-- 
Good old Dame Fortune. You can _depend_ on her.
Re: Frequency of SUSP_NTLD updates
On Tue, 30 Jun 2020 11:30:17 +
Roald Stolte wrote:

> These mails were all using TLDs such as .site and .online and were
> getting marked because of it.
>
>
> Rules triggering included FROM_SUSPICIOUS_NTLD and
> FROM_SUSPICIOUS_NTLD_FP and PDS_OTHER_BAD_TLD, which instantly bumped
> the spam score by 4.5 (sum of scores at time of writing).
> I was wondering how often the NTLDs that were added to the SUSP_NTLDs
> list in the past get reviewed and/or removed from this list, and how
> I can mitigate this without manually whitelisting each and every
> address and maintaining some degree of integrity/consistency.

You can deal with PDS_OTHER_BAD_TLD by using delist_uri_host.
Unfortunately there is no delist version of enlist_addrlist.

You could just drop the score for FROM_SUSPICIOUS_NTLD &
FROM_SUSPICIOUS_NTLD_FP.

Alternately you could override the definitions of the 2 rules so the
problematic TLDs don't trigger them.
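The mitigations RW lists here and the offsetting-rule approach John Hardin prefers, written out as a local.cf fragment. This is an added example, not configuration posted by anyone in this thread: the host names, TLDs, the rule name LOCAL_KNOWN_NTLD_SENDER and every score value are placeholders chosen for illustration, and the shipped scores of the stock rules move between sa-update runs, so read the ones your installation currently carries before overriding them.

```conf
# Added example local.cf fragment. Hosts, TLDs and scores are placeholders,
# not values from the thread or from the shipped rule set.

# 1. PDS_OTHER_BAD_TLD consults a URI host list, so a host known to be
#    legitimate can be removed from that list. With no "(listname)" before
#    the host, delist_uri_host removes it from every URI host list.
delist_uri_host  mail.example-partner.site
delist_uri_host  example-vendor.online

# 2. FROM_SUSPICIOUS_NTLD / FROM_SUSPICIOUS_NTLD_FP have no delist
#    counterpart, so one option is to lower their scores. Keep them
#    positive: the same rules also match the rarely-legitimate TLDs that
#    nobody wants waved through. (Hypothetical values; find the shipped
#    ones with e.g.  grep -r 'score FROM_SUSPICIOUS_NTLD' /var/lib/spamassassin/ )
score FROM_SUSPICIOUS_NTLD     0.8
score FROM_SUSPICIOUS_NTLD_FP  0.8

# 3. Leave the stock scores alone and add a narrowly scoped offsetting rule
#    for the specific sender domains (not whole TLDs) that cause false
#    positives. This is deliberately not a whitelist_from entry: a sender
#    matched here still accumulates points from every other rule, so a
#    compromised or spoofed account in one of these domains is not waved
#    through outright.
header   LOCAL_KNOWN_NTLD_SENDER  From:addr =~ /\@(?:example-partner\.site|example-vendor\.online)$/i
describe LOCAL_KNOWN_NTLD_SENDER  Known sender domain in an otherwise suspicious new TLD
score    LOCAL_KNOWN_NTLD_SENDER  -2.0

# Check the file parses, then confirm which rules fire on a saved message:
#   spamassassin --lint
#   spamassassin -t < sample.eml | grep -E 'SUSPICIOUS_NTLD|BAD_TLD|LOCAL_KNOWN'
```

RW's last option, redefining the two stock rules so the problematic TLDs no longer match, means copying their current definitions out of the shipped rules file into local.cf with those TLD patterns removed; the exact lines depend on the rule version installed, so they are not reproduced here. Whichever route is taken, the offsetting rule in step 3 is the one that keeps its effect scoped to named domains rather than to everything under a TLD.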