ac on 19 Oct 2016 04:26:17 -0700



Re: [PLUG] spamassassin help: create a rule to score by sender TLD


On Wed, 19 Oct 2016 05:30:24 -0400
Rich Kulawiec <rsk@gsp.org> wrote:

> I think it's fair to say that I have some expertise in this area, so:
> 
you have 'some' experience in being aggressively vocally anti-spam;
there is a big difference between having an opinion and actually having to
deal with end users/clients.

> On Tue, Oct 18, 2016 at 12:55:28PM -0400, Greg Helledy wrote:
> > I know how to blacklist a domain, but I don't want to be that blunt
> > [...]
> 
> But you should be.  It's rapidly becoming a best practice.
> 
no, imnsho it is not.

punishing the IPv4 senders and whitelisting IPv6 is already best practice.

it works very well.

> There are quite a few new TLDs that have been quickly overrun by
> spammers. I highly recommend blacklisting them outright and -- maybe
> -- making exceptions on a case-by-case basis.  (I say "maybe" because
> I have very little sympathy for people who make extremely poor
> decisions and then expect the rest of us to compensate for their lack
> of due diligence.  Anybody registering a domain in something
> like .stream or .download is either a spammer or clueless. Do you
> really want email from spammers or idiots?)
> 
> Spamhaus is now tracking these:
> 
> 	The World's Most Abused TLDs
> 	https://www.spamhaus.org/statistics/tlds/
> 
> But do keep in mind that Spamhaus is very conservative, so what you
> see on that page is probably a serious underestimate.  (Note that the
> first entry is .science, and per their stats it's nearly 90% bad.
> Already. It will never get better.  It will always get worse.  We've
> seen this movie before and it always ends the same way.)
> 
> I blacklisted several hundred TLDs the moment they went live.  In all
> the time since, I've had one reported false positive.  (And yes, I
> have a working, tested, reliable mechanism for FP reporting.)  I
> recommend the same course of action for everybody else *unless* you
> have a business or personal need for email from one of them.
> 
> More broadly: the age of default permit in email is over.  You should
> think in terms of what you *need*, not what anybody else wants.  If
> you don't need email from Korea or Portugal or Argentina, you should
> be blocking the entire TLD and the IP address allocations (see
> ipdeny.com) of those countries outright...not trying to filter
> traffic from them. The same goes for TLDs, domains, and everything
> else.
> 
> ---rsk

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug