| # new TLDs used for spamming |
| # https://www.spamhaus.org/statistics/tlds/ |
| # http://www.surbl.org/tld |
| # https://ntldstats.com/fraud |
| # https://dnslytics.com/tld |
| |
| if (version >= 3.004002) |
| ifplugin Mail::SpamAssassin::Plugin::WLBLEval |
| |
| enlist_addrlist (SUSP_NTLD) *@*.icu |
| enlist_addrlist (SUSP_NTLD) *@*.online |
| enlist_addrlist (SUSP_NTLD) *@*.work |
| enlist_addrlist (SUSP_NTLD) *@*.date |
| enlist_addrlist (SUSP_NTLD) *@*.top |
| enlist_addrlist (SUSP_NTLD) *@*.fun |
| enlist_addrlist (SUSP_NTLD) *@*.life |
| enlist_addrlist (SUSP_NTLD) *@*.review |
| enlist_addrlist (SUSP_NTLD) *@*.xyz |
| enlist_addrlist (SUSP_NTLD) *@*.bid |
| enlist_addrlist (SUSP_NTLD) *@*.stream |
| enlist_addrlist (SUSP_NTLD) *@*.site |
| enlist_addrlist (SUSP_NTLD) *@*.space |
| enlist_addrlist (SUSP_NTLD) *@*.gdn |
| enlist_addrlist (SUSP_NTLD) *@*.click |
| enlist_addrlist (SUSP_NTLD) *@*.world |
| enlist_addrlist (SUSP_NTLD) *@*.fit |
| enlist_addrlist (SUSP_NTLD) *@*.ooo |
| enlist_addrlist (SUSP_NTLD) *@*.faith |
| enlist_addrlist (SUSP_NTLD) *@*.buzz |
| enlist_addrlist (SUSP_NTLD) *@*.trade |
| enlist_addrlist (SUSP_NTLD) *@*.cyou |
| enlist_addrlist (SUSP_NTLD) *@*.vip |
| |
| enlist_uri_host (SUSP_URI_NTLD) icu |
| enlist_uri_host (SUSP_URI_NTLD) online |
| enlist_uri_host (SUSP_URI_NTLD) work |
| enlist_uri_host (SUSP_URI_NTLD) date |
| enlist_uri_host (SUSP_URI_NTLD) top |
| enlist_uri_host (SUSP_URI_NTLD) fun |
| enlist_uri_host (SUSP_URI_NTLD) life |
| enlist_uri_host (SUSP_URI_NTLD) review |
| enlist_uri_host (SUSP_URI_NTLD) xyz |
| enlist_uri_host (SUSP_URI_NTLD) bid |
| enlist_uri_host (SUSP_URI_NTLD) stream |
| enlist_uri_host (SUSP_URI_NTLD) site |
| enlist_uri_host (SUSP_URI_NTLD) space |
| enlist_uri_host (SUSP_URI_NTLD) gdn |
| enlist_uri_host (SUSP_URI_NTLD) click |
| enlist_uri_host (SUSP_URI_NTLD) world |
| enlist_uri_host (SUSP_URI_NTLD) fit |
| enlist_uri_host (SUSP_URI_NTLD) ooo |
| enlist_uri_host (SUSP_URI_NTLD) faith |
| enlist_uri_host (SUSP_URI_NTLD) buzz |
| enlist_uri_host (SUSP_URI_NTLD) trade |
| enlist_uri_host (SUSP_URI_NTLD) cyou |
| enlist_uri_host (SUSP_URI_NTLD) vip |
| |
| enlist_uri_host (SUSP_URI_NTLD_PRO) pro |
| header PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO') |
| score PDS_PRO_TLD 1.0 |
| describe PDS_PRO_TLD .pro TLD |
| |
| header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD') |
| reuse __FROM_ADDRLIST_SUSPNTLD |
| |
| header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD') |
| reuse __REPLYTO_ADDRLIST_SUSPNTLD |
| |
| header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD') |
| score PDS_OTHER_BAD_TLD 2.0 |
| describe PDS_OTHER_BAD_TLD Untrustworthy TLDs |
| |
| meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD |
| tflags FROM_SUSPICIOUS_NTLD publish |
| describe FROM_SUSPICIOUS_NTLD From abused NTLD |
| score FROM_SUSPICIOUS_NTLD 0.5 # limit |
| reuse FROM_SUSPICIOUS_NTLD |
| |
| meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST |
| tflags FROM_SUSPICIOUS_NTLD_FP publish |
| describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD |
| score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit |
| |
| meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD |
| tflags FROM_NTLD_REPLY_FREEMAIL publish |
| describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL |
| score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit |
| |
| meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY |
| tflags FROM_NTLD_LINKBAIT publish |
| describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI |
| score FROM_NTLD_LINKBAIT 2.0 # limit |
| |
| meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD |
| tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish |
| describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD |
| score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit |
| reuse GOOGLE_DRIVE_REPLY_BAD_NTLD |
| |
| body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i |
| body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i |
| |
| meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1) |
| tflags SEO_SUSP_NTLD publish |
| describe SEO_SUSP_NTLD SEO offer from suspicious TLD |
| score SEO_SUSP_NTLD 1.2 # limit |
| |
| meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM |
| tflags THIS_IS_ADV_SUSP_NTLD publish |
| describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD |
| score THIS_IS_ADV_SUSP_NTLD 1.5 # limit |
| |
| meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD |
| tflags BULK_RE_SUSP_NTLD publish |
| describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD |
| score BULK_RE_SUSP_NTLD 1.0 # limit |
| |
| meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD |
| tflags SHORT_IMG_SUSP_NTLD publish |
| describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD |
| score SHORT_IMG_SUSP_NTLD 1.5 # limit |
| |
| header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i |
| |
| meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD |
| tflags VPS_NO_NTLD publish |
| describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD |
| score VPS_NO_NTLD 1.0 # limit |
| reuse VPS_NO_NTLD |
| |
| body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (United States|USA)/i |
| |
| meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA |
| describe OFFER_ONLY_AMERICA Offer only available to US |
| score OFFER_ONLY_AMERICA 2.0 # limit |
| |
| body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i |
| |
| meta SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR |
| describe SENT_TO_EMAIL_ADDR Email was sent to email address |
| score SENT_TO_EMAIL_ADDR 2.0 # limit |
| |
| body __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i |
| |
| meta SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD |
| describe SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money |
| score SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit |
| |
| meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD ) |
| describe PDS_BTC_NTLD Bitcoin suspect NTLD |
| score PDS_BTC_NTLD 2.0 # limit |
| |
| endif |
| endif |