Re: block 'new style' TLDs ?


Re: block 'new style' TLDs ?

Ralph Seichter-2
* [hidden email]:

> what's the best way to block that, block entire '*.best' ?
> how and where ?

See http://www.postfix.org/ADDRESS_VERIFICATION_README.html . You can
for example use

  /\.best$/ REJECT

in a PCRE style sender access file to match envelope sender addresses.

-Ralph

Re: block 'new style' TLDs ?

miim
I've had the same problem for some time. I put the following into access_helo and header_checks. It's pretty severe (and the list gets bigger every month) but the percentage of valid email coming from those domains is next to nil.

I use a 510 rather than a 554 reject so hopefully they won't try again.

# Invalid and disreputable TLDs

/\.asia$/ 510 Denied: Unacceptable TLD .asia
/\.best$/ 510 Denied: Unacceptable TLD .best
/\.bid$/ 510 Denied: Unacceptable TLD .bid
/\.club$/ 510 Denied: Unacceptable TLD .club
/\.date$/ 510 Denied: Unacceptable TLD .date
/\.domain$/ 510 Denied: Unacceptable TLD .domain
/\.faith$/ 510 Denied: Unacceptable TLD .faith
/\.host$/ 510 Denied: Unacceptable TLD .host
/\.icu$/ 510 Denied: Unacceptable TLD .icu
/\.internal$/ 510 Denied: Unacceptable TLD .internal
/\.lan$/ 510 Denied: Unacceptable TLD .lan
/\.loan$/ 510 Denied: Unacceptable TLD .loan
/\.local$/ 510 Denied: Unacceptable TLD .local
/\.ninja$/ 510 Denied: Unacceptable TLD .ninja
/\.online$/ 510 Denied: Unacceptable TLD .online
/\.party$/ 510 Denied: Unacceptable TLD .party
/\.pro$/ 510 Denied: Unacceptable TLD .pro
/\.ren$/ 510 Denied: Unacceptable TLD .ren
/\.review$/ 510 Denied: Unacceptable TLD .review
/\.science$/ 510 Denied: Unacceptable TLD .science
/\.site$/ 510 Denied: Unacceptable TLD .site
/\.space$/ 510 Denied: Unacceptable TLD .space
/\.stream$/ 510 Denied: Unacceptable TLD .stream
/\.tech$/ 510 Denied: Unacceptable TLD .tech
/\.top$/ 510 Denied: Unacceptable TLD .top
/\.trade$/ 510 Denied: Unacceptable TLD .trade
/\.vip$/ 510 Denied: Unacceptable TLD .vip
/\.website$/ 510 Denied: Unacceptable TLD .website
/\.win$/ 510 Denied: Unacceptable TLD .win
/\.zone$/ 510 Denied: Unacceptable TLD .zone

Re: block 'new style' TLDs ?

lists@lazygranch.com
As an aside, I have stopped some real live human beings from getting these dumb TLDs. Apparently "design" is one that is becoming popular for obvious but wrong headed reasons.

https://en.m.wikipedia.org/wiki/.design





  Original Message  



From: [hidden email]
Sent: October 23, 2019 1:49 PM
To: [hidden email]
Subject: Re: block 'new style' TLDs ?


I've had the same problem for some time. I put the following into access_helo and header_checks. It's pretty severe (and the list gets bigger every month) but the percentage of valid email coming from those domains is next to nil.

I use a 510 rather than a 554 reject so hopefully they won't try again.

# Invalid and disreputable TLDs

/\.asia$/ 510 Denied: Unacceptable TLD .asia
/\.best$/ 510 Denied: Unacceptable TLD .best
/\.bid$/ 510 Denied: Unacceptable TLD .bid
/\.club$/ 510 Denied: Unacceptable TLD .club
/\.date$/ 510 Denied: Unacceptable TLD .date
/\.domain$/ 510 Denied: Unacceptable TLD .domain
/\.faith$/ 510 Denied: Unacceptable TLD .faith
/\.host$/ 510 Denied: Unacceptable TLD .host
/\.icu$/ 510 Denied: Unacceptable TLD .icu
/\.internal$/ 510 Denied: Unacceptable TLD .internal
/\.lan$/ 510 Denied: Unacceptable TLD .lan
/\.loan$/ 510 Denied: Unacceptable TLD .loan
/\.local$/ 510 Denied: Unacceptable TLD .local
/\.ninja$/ 510 Denied: Unacceptable TLD .ninja
/\.online$/ 510 Denied: Unacceptable TLD .online
/\.party$/ 510 Denied: Unacceptable TLD .party
/\.pro$/ 510 Denied: Unacceptable TLD .pro
/\.ren$/ 510 Denied: Unacceptable TLD .ren
/\.review$/ 510 Denied: Unacceptable TLD .review
/\.science$/ 510 Denied: Unacceptable TLD .science
/\.site$/ 510 Denied: Unacceptable TLD .site
/\.space$/ 510 Denied: Unacceptable TLD .space
/\.stream$/ 510 Denied: Unacceptable TLD .stream
/\.tech$/ 510 Denied: Unacceptable TLD .tech
/\.top$/ 510 Denied: Unacceptable TLD .top
/\.trade$/ 510 Denied: Unacceptable TLD .trade
/\.vip$/ 510 Denied: Unacceptable TLD .vip
/\.website$/ 510 Denied: Unacceptable TLD .website
/\.win$/ 510 Denied: Unacceptable TLD .win
/\.zone$/ 510 Denied: Unacceptable TLD .zone

Re: block 'new style' TLDs ?

@lbutlr
On 23 Oct 2019, at 15:20, lists <[hidden email]> wrote:
>
> /\.asia$/ 510 Denied: Unacceptable TLD .asia

[Long list… removed]

smtpd_helo_restrictions = reject_invalid_helo_hostname
    check_helo_access pcre:/etc/postfix/helo_checks.pcre permit

/etc/postfix/helo_checks.pcre:
/.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
/.*\.*$/ 550 Mail to or from this TLD is not allowed


Of course your list will differ than mine, but I find this much better than reacting to which of these new garbage TLDs are spamming me this week.


--
Anybody who could duck the Vietnam war can certainly duck a couple of
shoes.
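
The allowlist map in the post above, as an added example that is not part of the original post: a small Python model of how a Postfix pcre table is evaluated (patterns tried in order, first match wins, case-insensitive by default). The TLD list is a shortened, constructed subset, and `build_map`, `load_map` and `lookup` are hypothetical helper names.

```python
import re

# Allowlist TLDs: a shortened, constructed subset of the list in the post above.
ALLOWED = ["com", "net", "org", "de", "uk", "info", "host"]

def build_map(tlds):
    """Render the two-rule helo_checks.pcre map from the post for a given TLD list."""
    alt = "|".join(tlds)
    return ("# allowed TLDs fall through to the next restriction\n"
            f"/.*\\.({alt})$/ DUNNO\n"
            "/.*\\.*$/ 550 Mail to or from this TLD is not allowed\n")

RULE = re.compile(r"^/(?P<pat>.*)/(?P<flags>[A-Za-z]*)\s+(?P<action>.+)$")

def load_map(text):
    """Parse '/pattern/flags action' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparsable rule: {line!r}")
        # Postfix pcre tables match case-insensitively unless the 'i' flag toggles it off.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((re.compile(m["pat"], flags), m["action"]))
    return rules

def lookup(rules, name):
    """Return the action of the first matching rule (first match wins), or None."""
    for rx, action in rules:
        if rx.search(name):
            return action
    return None

if __name__ == "__main__":
    # Constructed HELO names, plus one hostname from a log line quoted later in the thread.
    names = ["mail.example.com", "MAIL.EXAMPLE.ORG", "mx.example.pl",
             "mta1a1.spe.ometria.email", "localhost"]
    before = load_map(build_map(ALLOWED))
    after = load_map(build_map(ALLOWED + ["pl"]))
    for n in names:
        print(f"{n:28} {lookup(before, n)!s:50} -> with |pl: {lookup(after, n)}")
```

The second rule matches any string at all, so a dotless HELO name such as `localhost` is rejected too; on a live system `postmap -q NAME pcre:/etc/postfix/helo_checks.pcre` answers the same question against the real file.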


Re: block 'new style' TLDs ?

Jaroslaw Rafa
On 23.10.2019 at 23:32:44, @lbutlr wrote:
>
> /etc/postfix/helo_checks.pcre:
> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
> /.*\.*$/ 550 Mail to or from this TLD is not allowed

And thus you for example would reject all e-mail originating from my country
(.pl) ;)
--
Regards,
   Jaroslaw Rafa
   [hidden email]
--
"In a million years, when kids go to school, they're gonna know: once there
was a Hushpuppy, and she lived with her daddy in the Bathtub."

Re: block 'new style' TLDs ?

Fourhundred Thecat
In reply to this post by @lbutlr
On 24/10/2019 07.32, @lbutlr wrote:

> On 23 Oct 2019, at 15:20, lists <[hidden email]> wrote:
>>
>> /\.asia$/ 510 Denied: Unacceptable TLD .asia
>
> [Long list… removed]
>
> smtpd_helo_restrictions = reject_invalid_helo_hostname
>     check_helo_access pcre:/etc/postfix/helo_checks.pcre permit
>
> /etc/postfix/helo_checks.pcre:
> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
> /.*\.*$/ 550 Mail to or from this TLD is not allowed

your list of allowed TLDs seems rather arbitrary. You allow .info, but
not .email

I understand that it can make sense to block .ninja or .loan

I have an .email domain myself, and use it for my personal email

Is .email considered a dumb TLD ?




Re: block 'new style' TLDs ?

@lbutlr
On 24 Oct 2019, at 04:10, Fourhundred Thecat <[hidden email]> wrote:

> On 24/10/2019 07.32, @lbutlr wrote:
>> On 23 Oct 2019, at 15:20, lists <[hidden email]> wrote:
>>>
>>> /\.asia$/ 510 Denied: Unacceptable TLD .asia
>>
>> [Long list… removed]
>>
>> smtpd_helo_restrictions = reject_invalid_helo_hostname
>>    check_helo_access pcre:/etc/postfix/helo_checks.pcre permit
>>
>> /etc/postfix/helo_checks.pcre:
>> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
>> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>
> your list of allowed TLDs seems rather arbitrary. You allow .info, but
> not .email

Yes, it is absolutely arbitrary based on the email I receive. I also have some domain specific exceptions (for example, a couple of .fm domains).

> I understand that it can make sense to block .ninja or .loan
>
> I have an .email domain myself, and use it for my personal email
>
> Is .email considered a dumb TLD ?

To my mind they are ALL dumb TLDs until they are proved otherwise or until I need to receive mail from several domains in the TLD.

This is the sort of stuff I see from .email TLD in my logs:

NOQUEUE: reject: RCPT from unknown[221.146.236.9]: 550 5.7.1 <theworld.email>: Helo command rejected: Mail to or from this TLD is not allowed; from=<[hidden email]> to=<[hidden email]> proto=ESMTP helo=<theworld.email>

As you can see, the email was not just from .email, but also trying to send to a message ID.

This one might be legit?

NOQUEUE: reject: RCPT from mta1a1.spe.ometria.email[52.31.63.235]: 550 5.7.1 <mta1a1.spe.ometria.email>: Helo command rejected: Mail to or from this TLD is not allowed; from=<[hidden email]> to=<*munged*> proto=ESMTP helo=<mta1a1.spe.ometria.email>



--
Two of the most famous products of Berkeley are LSD and Unix.
I don't think that is a coincidence
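
Reviewing what the HELO allowlist rejects, as an added example that is not part of the original post: it tallies "Helo command rejected" lines per TLD and lists HELO names whose client reverse DNS name equals the HELO name, like the second log line above. The log lines are constructed in the same format, and the matching-rDNS heuristic and the name `review_candidates` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the two rejects quoted in the post above.
SAMPLE_LOG = """\
Oct 24 04:01:12 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.7.1 <bulk.example.email>: Helo command rejected: Mail to or from this TLD is not allowed; from=<a@bulk.example.email> to=<user@example.org> proto=ESMTP helo=<bulk.example.email>
Oct 24 04:07:40 mx postfix/smtpd[1207]: NOQUEUE: reject: RCPT from mta1.news.example.email[198.51.100.7]: 550 5.7.1 <mta1.news.example.email>: Helo command rejected: Mail to or from this TLD is not allowed; from=<news@example.email> to=<user@example.org> proto=ESMTP helo=<mta1.news.example.email>
Oct 24 04:09:02 mx postfix/smtpd[1211]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 550 5.7.1 <promo.example.top>: Helo command rejected: Mail to or from this TLD is not allowed; from=<x@example.top> to=<user@example.org> proto=ESMTP helo=<promo.example.top>
Oct 24 04:11:30 mx postfix/smtpd[1215]: NOQUEUE: reject: RCPT from unknown[192.0.2.44]: 554 5.7.1 <other@example.net>: Relay access denied; from=<y@example.com> to=<other@example.net> proto=ESMTP helo=<mail.example.com>
"""

REJECT = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) .*?Helo command rejected: .*?helo=<(?P<helo>[^>]*)>"
)

def review_candidates(log_text):
    """Per rejected HELO TLD: reject count and HELO names worth a manual look."""
    summary = defaultdict(lambda: {"rejects": 0, "candidates": set()})
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if m is None:
            continue  # not a HELO-access reject (e.g. relay denied)
        helo = m["helo"].rstrip(".").lower()
        tld = helo.rsplit(".", 1)[-1]
        entry = summary[tld]
        entry["rejects"] += 1
        # Assumed heuristic: a client whose reverse name equals its HELO name
        # is more likely a properly configured sender than one logged as 'unknown'.
        if m["rdns"].lower() == helo:
            entry["candidates"].add(helo)
    return {tld: {"rejects": e["rejects"], "candidates": sorted(e["candidates"])}
            for tld, e in summary.items()}

if __name__ == "__main__":
    for tld, info in sorted(review_candidates(SAMPLE_LOG).items()):
        print(f".{tld}: {info['rejects']} rejects, review: {info['candidates']}")
```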


Re: block 'new style' TLDs ?

John Schmerold
In reply to this post by Jaroslaw Rafa
On 10/24/2019 4:46 AM, Jaroslaw Rafa wrote:
> On 23.10.2019 at 23:32:44, @lbutlr wrote:
>> /etc/postfix/helo_checks.pcre:
>> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
>> /.*\.*$/ 550 Mail to or from this TLD is not allowed
> And thus you for example would reject all e-mail originating from my country
> (.pl) ;)

To me, that is the beauty of this approach, it is easy to add |pl|design
etc.

It might be worth doing something similar with HELO strings, for
example, I have yet to see a legitimate message coming from .TOP.



Re: block 'new style' TLDs ?

John Schmerold
In reply to this post by @lbutlr
On 10/24/2019 12:32 AM, @lbutlr wrote:

> On 23 Oct 2019, at 15:20, lists <[hidden email]> wrote:
>> /\.asia$/ 510 Denied: Unacceptable TLD .asia
> [Long list… removed]
>
> smtpd_helo_restrictions = reject_invalid_helo_hostname
>      check_helo_access pcre:/etc/postfix/helo_checks.pcre permit
>
> /etc/postfix/helo_checks.pcre:
> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>
>
> Of course your list will differ than mine, but I find this much better than reacting to which of these new garbage TLDs are spamming me this week.

You can achieve a similar result with this addition to SA's custom.cf:

header GC_TLD_COM_R Received !~/\.(?:com|net|org|edu|uk|us|gov)\b/i
score GC_TLD_COM_R 3.2

header GC_TLD_COM_F From !~/\.(?:com|net|org|edu|uk|us|ca|gov)\b/i
score GC_TLD_COM_F 3.2

If I were a bit more worldly, I would add a few more country codes.



Re: block 'new style' TLDs ?

Kevin A. McGrail

On 11/2/2019 2:38 PM, John Schmerold wrote:
> On 10/24/2019 12:32 AM, @lbutlr wrote:
>> On 23 Oct 2019, at 15:20, lists [hidden email] wrote:
>>> /\.asia$/ 510 Denied: Unacceptable TLD .asia
>> [Long list… removed]
>>
>> smtpd_helo_restrictions = reject_invalid_helo_hostname
>>      check_helo_access pcre:/etc/postfix/helo_checks.pcre permit
>>
>> /etc/postfix/helo_checks.pcre:
>> /.*\.(com|net|org|edu|gov|ca|mx|de|dk|fi|fr|uk|us|tv|info|biz|eu|es|il|it|nl|name|jp|host|au|nz|ch|tv)$/ DUNNO
>> /.*\.*$/ 550 Mail to or from this TLD is not allowed
>>
>>
>> Of course your list will differ than mine, but I find this much better than reacting to which of these new garbage TLDs are spamming me this week.
>
> You can achieve a similar result with this addition to SA's custom.cf:
>
> header GC_TLD_COM_R Received !~/\.(?:com|net|org|edu|uk|us|gov)\b/i
> score GC_TLD_COM_R 3.2
>
> header GC_TLD_COM_F From !~/\.(?:com|net|org|edu|uk|us|ca|gov)\b/i
> score GC_TLD_COM_F 3.2
>
> If I were a bit more worldly, I would add a few more country codes.


Just some additions to John's ideas:

If you search TLD in KAM.cf (http://www.mcgrail.com/downloads/KAM.cf), you'll see some examples of how to do this.

There is also a new feature for WLBLEval plugin (see https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7354) which is in trunk and in the release candidate for 3.4.3. 

That lets you do something like:

enlist_addrlist (SUSPECTTLDS) *@*.politicians
enlist_addrlist (SUSPECTTLDS) *@*.spammer

header __FROM_SUSPECT_TLD eval:check_from_in_list('SUSPECTTLDS')

Take a look.  We can also use help testing the release candidate[1].


Regards,

KAM


[1]

3.4.3 release candidate 5 is now available at http://talon2.pccc.com/~kmcgrail/devel/

--
Kevin A. McGrail
CEO Emeritus

Peregrine Computer Consultants Corporation
10311 Cascade Lane
Fairfax, VA 22032

http://www.pccc.com/

703-359-9700 / 800-823-8402 (Toll-Free)
703-798-0171 (wireless)
[hidden email]

https://www.linkedin.com/in/kmcgrail