On Sun, 2019-06-30 at 09:08 -0700, Sean Lynch wrote: > A very large number (nearly all, in fact) of the spams I receive > these days involve domains registered with Namecheap. I've received > hundreds of spams involving .icu domains from what appear to be the > same spammer. > Write a local rule that adds points for mails from .icu
> I also receive a large number of scams impersonating Bitmain, again > using domains involving Namecheap. > As above, but for Bitmain. > While Namecheap does suspend at least some domains within days of > their being used in a campaign, it's clear that these are being > treated as single-use domains, so this has very little impact on the > spammers. Since for whatever reason they're so attractive to spammers > that they seem to be a nearly universal choice, at least for spams I > get, I'd like to add a spam score to any message using a domain > registered with them. > If you don't mind a delay in receiving mail from hosts you've never seen before, why not implement a greylister? https://en.wikipedia.org/wiki/Greylisting Does such functionality already exist in SpamAssassin? > Defining local rules has always been possible. Greylisters are used to front end your MTA, so work independently of Spamassassin. I find combinations of rules can be surprisingly specific, e.g. to catch sales spam: - write a rule that contains a list of selling terms with a very small positive score (0.001) - write another rule that contains a list of products pushed by spammers, again with a very small positive score - write a meta rule the triggers only when both the previous rules are hit and give it a significant score If you avoid sales terms and product names/descriptions that are in common use the meta rule will cause few false positives. Martin