# New gTLDs heavily used for spamming; the TLD lists below are drawn from:
# https://www.spamhaus.org/statistics/tlds/
# http://www.surbl.org/tld
# https://ntldstats.com/fraud
# https://dnslytics.com/tld
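# Gate on a SpamAssassin release that understands the WLBLEval list primitives
# used below (enlist_addrlist / enlist_uri_host and their check_* evals).
# Older installs skip the whole file instead of choking on unknown directives.
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval

# SUSP_NTLD: address list matched against From: / Reply-To: (see the
# __FROM_ADDRLIST_SUSPNTLD / __REPLYTO_ADDRLIST_SUSPNTLD sub-rules below).
# Both headers are written by the sender and nothing in this file checks
# them against SPF/DKIM, so a hit on its own is deliberately scored low
# (0.5 on FROM_SUSPICIOUS_NTLD); the heavier scores further down all
# require a second indicator in the same message.
# Keep this list and SUSP_URI_NTLD in step: they name the same TLDs, the
# first for header addresses and the second for hosts in body URIs.
enlist_addrlist (SUSP_NTLD) *@*.icu
enlist_addrlist (SUSP_NTLD) *@*.online
enlist_addrlist (SUSP_NTLD) *@*.work
enlist_addrlist (SUSP_NTLD) *@*.date
enlist_addrlist (SUSP_NTLD) *@*.top
enlist_addrlist (SUSP_NTLD) *@*.fun
enlist_addrlist (SUSP_NTLD) *@*.life
enlist_addrlist (SUSP_NTLD) *@*.review
enlist_addrlist (SUSP_NTLD) *@*.xyz
enlist_addrlist (SUSP_NTLD) *@*.bid
enlist_addrlist (SUSP_NTLD) *@*.stream
enlist_addrlist (SUSP_NTLD) *@*.site
enlist_addrlist (SUSP_NTLD) *@*.space
enlist_addrlist (SUSP_NTLD) *@*.gdn
enlist_addrlist (SUSP_NTLD) *@*.click
enlist_addrlist (SUSP_NTLD) *@*.world
enlist_addrlist (SUSP_NTLD) *@*.fit
enlist_addrlist (SUSP_NTLD) *@*.ooo
enlist_addrlist (SUSP_NTLD) *@*.faith
enlist_addrlist (SUSP_NTLD) *@*.buzz
enlist_addrlist (SUSP_NTLD) *@*.trade
enlist_addrlist (SUSP_NTLD) *@*.cyou
enlist_addrlist (SUSP_NTLD) *@*.vip

# SUSP_URI_NTLD: the same TLDs, matched against the hosts of URIs found in
# the message body.  Each entry is the bare TLD so that any host under it is
# caught, whatever the sender's own domain is.
enlist_uri_host (SUSP_URI_NTLD) icu
enlist_uri_host (SUSP_URI_NTLD) online
enlist_uri_host (SUSP_URI_NTLD) work
enlist_uri_host (SUSP_URI_NTLD) date
enlist_uri_host (SUSP_URI_NTLD) top
enlist_uri_host (SUSP_URI_NTLD) fun
enlist_uri_host (SUSP_URI_NTLD) life
enlist_uri_host (SUSP_URI_NTLD) review
enlist_uri_host (SUSP_URI_NTLD) xyz
enlist_uri_host (SUSP_URI_NTLD) bid
enlist_uri_host (SUSP_URI_NTLD) stream
enlist_uri_host (SUSP_URI_NTLD) site
enlist_uri_host (SUSP_URI_NTLD) space
enlist_uri_host (SUSP_URI_NTLD) gdn
enlist_uri_host (SUSP_URI_NTLD) click
enlist_uri_host (SUSP_URI_NTLD) world
enlist_uri_host (SUSP_URI_NTLD) fit
enlist_uri_host (SUSP_URI_NTLD) ooo
enlist_uri_host (SUSP_URI_NTLD) faith
enlist_uri_host (SUSP_URI_NTLD) buzz
enlist_uri_host (SUSP_URI_NTLD) trade
enlist_uri_host (SUSP_URI_NTLD) cyou
enlist_uri_host (SUSP_URI_NTLD) vip

# .pro sits on a list of its own: it only feeds PDS_PRO_TLD (body URIs, lower
# score) and is intentionally absent from SUSP_NTLD, so a .pro sender never
# triggers the From:/Reply-To: based metas below.
enlist_uri_host (SUSP_URI_NTLD_PRO) pro
header PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
score PDS_PRO_TLD 1.0
describe PDS_PRO_TLD .pro TLD

# Unscored sub-rules: does the From: / Reply-To: address fall on a listed TLD?
# Everything else in this file is a meta built on one of these two.
header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
reuse __FROM_ADDRLIST_SUSPNTLD
header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
reuse __REPLYTO_ADDRLIST_SUSPNTLD

# Any body URI whose host is on a listed TLD, regardless of who sent the mail.
header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
score PDS_OTHER_BAD_TLD 2.0
describe PDS_OTHER_BAD_TLD Untrustworthy TLDs

# Base rule: sender address on a listed TLD and nothing else.  Kept cheap on
# purpose; legitimate mail does exist on these TLDs.
meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
tflags FROM_SUSPICIOUS_NTLD publish
describe FROM_SUSPICIOUS_NTLD From abused NTLD
score FROM_SUSPICIOUS_NTLD 0.5 # limit
reuse FROM_SUSPICIOUS_NTLD

# Stricter variant: same From: hit, but none of the headers that mark a
# mailing-list post, a reply in a thread or a rewritten Sender: -- the cases
# that produce false positives for the base rule.  Its condition is a subset
# of FROM_SUSPICIOUS_NTLD, so a plain direct message scores both (0.5 + 2.0).
# The describe is distinct from the base rule so the two can be told apart
# in reports.
meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
tflags FROM_SUSPICIOUS_NTLD_FP publish
describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD, not a list post or reply
score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit

# From: on a listed TLD while replies are steered to a freemail account.
# FREEMAIL_FORGED_REPLYTO is defined outside this file (FreeMail rules).
meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
tflags FROM_NTLD_REPLY_FREEMAIL publish
describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit

# Tiny body (< 512 bytes) that is essentially just a link, from a listed TLD.
# __LCL__KAM_BODY_LENGTH_LT_512 and __BODY_URI_ONLY are defined outside this
# file.
meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
tflags FROM_NTLD_LINKBAIT publish
describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
score FROM_NTLD_LINKBAIT 2.0 # limit

# Google Drive share notification whose Reply-To: points at a listed TLD
# (the one meta here keyed on Reply-To: rather than From:).
meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit

# SEO-pitch phrases.  `link.building` uses an unescaped dot on purpose so that
# "link building", "link-building" and "link_building" all match.
body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
# Either SEO phrase is enough (the original "+ ... >= 1" form was an OR).
meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 || __PDS_SEO2)
tflags SEO_SUSP_NTLD publish
describe SEO_SUSP_NTLD SEO offer from suspicious TLD
score SEO_SUSP_NTLD 1.2 # limit

# Message that labels itself an advertisement (__ADMITS_SPAM, defined
# elsewhere) and comes from a listed TLD.
meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
tflags THIS_IS_ADV_SUSP_NTLD publish
describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
score THIS_IS_ADV_SUSP_NTLD 1.5 # limit

# Fake "Re:" subject on bulk mail from a listed TLD.  __SUBJ_RE and __ML1 are
# defined elsewhere.
meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
tflags BULK_RE_SUSP_NTLD publish
describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
score BULK_RE_SUSP_NTLD 1.0 # limit

# Short HTML body (< 1024 bytes) carrying a linked image, from a listed TLD.
meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
tflags SHORT_IMG_SUSP_NTLD publish
describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
score SHORT_IMG_SUSP_NTLD 1.5 # limit

# From: domain is literally "vps" followed by four or more digits directly
# under the TLD (no further labels), e.g. user@vps1234.example -- the shape
# of a throwaway hosting box.
header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
tflags VPS_NO_NTLD publish
describe VPS_NO_NTLD vps[0-9] domain at a suspicious TLD
score VPS_NO_NTLD 1.0 # limit
reuse VPS_NO_NTLD

# "US only" offer boilerplate from a listed TLD.
body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i
meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
describe OFFER_ONLY_AMERICA Offer only available to US
score OFFER_ONLY_AMERICA 2.0 # limit

# Unfilled mail-merge placeholder ("sent to Email Address") from a listed TLD.
body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
meta SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
describe SENT_TO_EMAIL_ADDR Email was sent to email address
score SENT_TO_EMAIL_ADDR 2.0 # limit

# Expiration / renewal scare combined with a large sum of money (LOTS_OF_MONEY
# is defined elsewhere) from a listed TLD.
body __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i
meta SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
describe SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
score SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit

# Bitcoin address in the body (__BITCOIN_ID, defined elsewhere) from a listed
# TLD -- the usual shape of sextortion / crypto-scam mail.
meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
describe PDS_BTC_NTLD Bitcoin suspect NTLD
score PDS_BTC_NTLD 2.0 # limit

endif
endif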