Rich Kulawiec on 19 Oct 2016 02:30:30 -0700



Re: [PLUG] spamassassin help: create a rule to score by sender TLD


I think it's fair to say that I have some expertise in this area, so:

On Tue, Oct 18, 2016 at 12:55:28PM -0400, Greg Helledy wrote:
> I know how to blacklist a domain, but I don't want to be that blunt [...]

But you should be.  It's rapidly becoming a best practice.

There are quite a few new TLDs that have been quickly overrun by spammers.
I highly recommend blacklisting them outright and -- maybe -- making exceptions
on a case-by-case basis.  (I say "maybe" because I have very little sympathy
for people who make extremely poor decisions and then expect the rest of us to
compensate for their lack of due diligence.  Anybody registering a domain
in something like .stream or .download is either a spammer or clueless.
Do you really want email from spammers or idiots?)

Spamhaus is now tracking these:

	The World's Most Abused TLDs
	https://www.spamhaus.org/statistics/tlds/

But do keep in mind that Spamhaus is very conservative, so what you
see on that page is probably a serious underestimate.  (Note that the first
entry is .science, and per their stats it's nearly 90% bad.  Already.
It will never get better.  It will always get worse.  We've seen this
movie before and it always ends the same way.)

I blacklisted several hundred TLDs the moment they went live.  In all
the time since, I've had one reported false positive.  (And yes, I have
a working, tested, reliable mechanism for FP reporting.)  I recommend the
same course of action for everybody else *unless* you have a business or
personal need for email from one of them.

More broadly: the age of default permit in email is over.  You should
think in terms of what you *need*, not what anybody else wants.  If you
don't need email from Korea or Portugal or Argentina, you should be
blocking the entire TLD and the IP address allocations (see ipdeny.com)
of those countries outright...not trying to filter traffic from them.
The same goes for TLDs, domains, and everything else.

---rsk
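As an added example, not part of rsk's post and not his own configuration: both approaches discussed in this thread written as SpamAssassin rules in local.cf, i.e. Greg's scoring by sender TLD and rsk's outright blacklisting. The rule names, scores, the exception domain example-lab.science and the exact TLD list are assumptions for illustration (the TLDs are the ones named in the thread); adjust them to your own traffic.

```text
# Added example, not the poster's configuration. Rule names, scores and the
# TLD list below are assumptions; the TLDs are the ones named in the thread.

# Scoring form: bump the score when the visible From: address is in one of
# the abused new gTLDs. From:addr gives just the address part, and the
# trailing $ anchors on the TLD, so foo@example.science.org does not match.
header   LOCAL_FROM_ABUSED_TLD     From:addr =~ /\.(?:science|stream|download)$/i
describe LOCAL_FROM_ABUSED_TLD     From: address is in a heavily abused new gTLD
score    LOCAL_FROM_ABUSED_TLD     4.0

# Same check on the envelope sender (SpamAssassin's EnvelopeFrom pseudo-header),
# which catches mail whose From: header is forged to look like something else.
header   LOCAL_ENVFROM_ABUSED_TLD  EnvelopeFrom:addr =~ /\.(?:science|stream|download)$/i
describe LOCAL_ENVFROM_ABUSED_TLD  Envelope sender is in a heavily abused new gTLD
score    LOCAL_ENVFROM_ABUSED_TLD  2.0

# Case-by-case exception for one correspondent you actually need (assumed
# domain). The negative score cancels both rules above for that sender only.
header   LOCAL_TLD_EXCEPTION       From:addr =~ /\@example-lab\.science$/i
describe LOCAL_TLD_EXCEPTION       Known-good correspondent in an otherwise blocked TLD
score    LOCAL_TLD_EXCEPTION       -6.0

# Blunt form, as rsk recommends: blacklist the whole TLD. Matching mail fires
# USER_IN_BLACKLIST (+100 by default), so no per-message scoring is involved.
# SpamAssassin 4.0 spells this directive blocklist_from; the old name still works.
blacklist_from  *@*.stream
blacklist_from  *@*.download
```

Check the file with spamassassin --lint after editing, then run a saved message through spamassassin -t < msg.eml to see which of these rules fire on it. The scoring form is the one that leaves room for the "maybe" exceptions rsk mentions; the blacklist_from form is all or nothing per TLD.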
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug