I’ve posted this before, this is how I manage these nasty TLDs:
Make sure WLBLEval is enabled:
loadplugin Mail::SpamAssassin::Plugin::WLBLEval
Then add the TLDs to a URI_HOST list:
enlist_uri_host (NEWSPAMMY) top
enlist_uri_host (NEWSPAMMY) date
enlist_uri_host (NEWSPAMMY) faith
enlist_uri_host (NEWSPAMMY) racing
These can then be used with eval rules:
To check all URIs:
header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('NEWSPAMMY')
score PDS_OTHER_BAD_TLD 0.1
describe PDS_OTHER_BAD_TLD Other untrustworthy TLDs
if you just want to check From address:
header PDS_FROM_OTHER_BAD_TLD eval:check_from_in_list('NEWSPAMMY')
Paul
On 21/02/2017, 03:40, "Alex" <mysqlstud...@gmail.com> wrote:
Hi,
Some time ago I had put together a rule based on comments from this
list, and I've identified a FP that I hoped someone could help me to
correct.
The full domain in the email was http://www.top-1.biz. However, it's
being tagged as if it's "top" as the TLD in one of KAMs rules and one
of mine:
Feb 20 22:34:25.988 [31215] dbg: rules: ran uri rule __KAM_TINYDOMAIN
======> got hit: "-1.biz/"
Feb 20 22:34:25.988 [31215] dbg: rules: ran uri rule LOC_URI_RARE_TLD
======> got hit: "://www.top"
uri LOC_URI_RARE_TLD
m;://[^/]+\.(?:work|space|club|science|pub|red|blue|green|link|ninja|lol|xyz|faith|review|download|top|global|(?:web)?site|tech|party|pro|bid|trade|win|moda|news|online)(?:/|\b);i
describe LOC_URI_RARE_TLD URI refers to rarely-nonspam TLD
score LOC_URI_RARE_TLD 0.400
How can this be corrected to specifically only catch top as a TLD?
--
Paul Stead
Systems Engineer
Zen Internet
