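# new TLDs used for spamming
# https://www.spamhaus.org/statistics/tlds/
# http://www.surbl.org/tld
# https://ntldstats.com/fraud
# https://dnslytics.com/tld
#
# Layout of this file:
#   - SUSP_NTLD: sender address-list globs, matched later through
#     check_from_in_list / check_replyto_in_list
#   - SUSP_URI_NTLD / SUSP_URI_NTLD_PRO: URI host lists, matched through
#     check_uri_host_listed
#   - scoring rules: two direct URI rules plus a set of meta rules that only
#     fire when the suspicious-TLD sender sub-rule coincides with a second
#     indicator (freemail Reply-To, tiny body, SEO/ad phrases, Bitcoin, ...)
# Everything sits inside a version / plugin guard: the *_list directives and
# the eval functions used here come from the WLBLEval plugin, so on an older
# SpamAssassin or without that plugin this file defines nothing at all.
if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval
# Sender address list. Each glob matches any local part at any host under the
# given TLD, so subdomains (user@mail.example.icu) are covered as well.
enlist_addrlist (SUSP_NTLD) *@*.icu
enlist_addrlist (SUSP_NTLD) *@*.online
enlist_addrlist (SUSP_NTLD) *@*.work
enlist_addrlist (SUSP_NTLD) *@*.date
enlist_addrlist (SUSP_NTLD) *@*.top
enlist_addrlist (SUSP_NTLD) *@*.fun
enlist_addrlist (SUSP_NTLD) *@*.life
enlist_addrlist (SUSP_NTLD) *@*.review
enlist_addrlist (SUSP_NTLD) *@*.bid
enlist_addrlist (SUSP_NTLD) *@*.stream
enlist_addrlist (SUSP_NTLD) *@*.gdn
enlist_addrlist (SUSP_NTLD) *@*.click
enlist_addrlist (SUSP_NTLD) *@*.world
enlist_addrlist (SUSP_NTLD) *@*.fit
enlist_addrlist (SUSP_NTLD) *@*.ooo
enlist_addrlist (SUSP_NTLD) *@*.faith
enlist_addrlist (SUSP_NTLD) *@*.buzz
enlist_addrlist (SUSP_NTLD) *@*.trade
enlist_addrlist (SUSP_NTLD) *@*.cyou
enlist_addrlist (SUSP_NTLD) *@*.vip
# URI host list with the same TLDs. Entries are bare TLDs; a listed domain is
# matched together with its subdomains by WLBLEval (confirm against the
# plugin docs for the deployed version), so any URI host under these TLDs
# counts as listed. Keep the two lists in sync when adding or removing a TLD.
enlist_uri_host (SUSP_URI_NTLD) icu
enlist_uri_host (SUSP_URI_NTLD) online
enlist_uri_host (SUSP_URI_NTLD) work
enlist_uri_host (SUSP_URI_NTLD) date
enlist_uri_host (SUSP_URI_NTLD) top
enlist_uri_host (SUSP_URI_NTLD) fun
enlist_uri_host (SUSP_URI_NTLD) life
enlist_uri_host (SUSP_URI_NTLD) review
enlist_uri_host (SUSP_URI_NTLD) bid
enlist_uri_host (SUSP_URI_NTLD) stream
enlist_uri_host (SUSP_URI_NTLD) gdn
enlist_uri_host (SUSP_URI_NTLD) click
enlist_uri_host (SUSP_URI_NTLD) world
enlist_uri_host (SUSP_URI_NTLD) fit
enlist_uri_host (SUSP_URI_NTLD) ooo
enlist_uri_host (SUSP_URI_NTLD) faith
enlist_uri_host (SUSP_URI_NTLD) buzz
enlist_uri_host (SUSP_URI_NTLD) trade
enlist_uri_host (SUSP_URI_NTLD) cyou
enlist_uri_host (SUSP_URI_NTLD) vip
# .pro is kept in its own list so it can carry a lower score (1.0 here versus
# 2.0 for PDS_OTHER_BAD_TLD); it is not part of the sender list above.
enlist_uri_host (SUSP_URI_NTLD_PRO) pro
header PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
score PDS_PRO_TLD 1.0
describe PDS_PRO_TLD .pro TLD
# Zero-score sub-rules (double-underscore prefix) that the meta rules below
# build on. "reuse" presumably lets mass-check reuse already-recorded hits
# for these rules instead of re-evaluating them.
header __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
reuse __FROM_ADDRLIST_SUSPNTLD
header __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
reuse __REPLYTO_ADDRLIST_SUSPNTLD
# Direct hit: a URI host under one of the listed TLDs.
header PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
score PDS_OTHER_BAD_TLD 2.0
describe PDS_OTHER_BAD_TLD Untrustworthy TLDs
# A sender under a listed TLD on its own only gets a small score; the higher
# scores are reserved for the combinations further down.
meta FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
tflags FROM_SUSPICIOUS_NTLD publish
describe FROM_SUSPICIOUS_NTLD From abused NTLD
score FROM_SUSPICIOUS_NTLD 0.5 # limit
reuse FROM_SUSPICIOUS_NTLD
# Same sender test, restricted to messages that carry none of the headers the
# __HAS_* sub-rules (defined elsewhere) look for; judging by the names these
# are Sender:, In-Reply-To: and X-Mailing-List:, i.e. list traffic and
# replies are excluded, which is presumably why this variant scores higher.
meta FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
tflags FROM_SUSPICIOUS_NTLD_FP publish
describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
score FROM_SUSPICIOUS_NTLD_FP 2.0 # limit
# Listed-TLD sender whose Reply-To points at a freemail provider
# (FREEMAIL_FORGED_REPLYTO is defined elsewhere).
meta FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
tflags FROM_NTLD_REPLY_FREEMAIL publish
describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
score FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
# Listed-TLD sender, body shorter than 512 bytes (per the sub-rule name) and
# consisting of little more than a URI; both sub-rules are defined elsewhere.
meta FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
tflags FROM_NTLD_LINKBAIT publish
describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
score FROM_NTLD_LINKBAIT 2.0 # limit
# Google Drive share notification (sub-rule defined elsewhere) whose Reply-To
# is under a listed TLD; this is the only rule that uses the Reply-To list.
meta GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags GOOGLE_DRIVE_REPLY_BAD_NTLD publish
describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
score GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
reuse GOOGLE_DRIVE_REPLY_BAD_NTLD
# SEO sales pitches. Note the unescaped "." in "link.building": it matches any
# single character, so "link building" and "link-building" both hit. The
# meta uses arithmetic so that either phrase rule is enough.
body __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
body __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
meta SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
tflags SEO_SUSP_NTLD publish
describe SEO_SUSP_NTLD SEO offer from suspicious TLD
score SEO_SUSP_NTLD 1.2 # limit
# Message that declares itself an advertisement (__ADMITS_SPAM defined
# elsewhere) from a listed-TLD sender.
meta THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
tflags THIS_IS_ADV_SUSP_NTLD publish
describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
score THIS_IS_ADV_SUSP_NTLD 1.5 # limit
# "RE:" subject on a bulk-precedence message (per the describe text) from a
# listed-TLD sender; __SUBJ_RE and __ML1 are defined elsewhere.
meta BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
tflags BULK_RE_SUSP_NTLD publish
describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
score BULK_RE_SUSP_NTLD 1.0 # limit
# Short HTML body (under 1024 bytes per the sub-rule name) with a linked
# image, from a listed-TLD sender.
meta SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
tflags SHORT_IMG_SUSP_NTLD publish
describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
score SHORT_IMG_SUSP_NTLD 1.5 # limit
# From: address whose domain is "vps" followed by at least four digits,
# directly under a letters-only TLD (the anchored $ leaves no room for a
# subdomain); combined with the listed-TLD sender test.
header __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
meta VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
tflags VPS_NO_NTLD publish
describe VPS_NO_NTLD vps[0-9] domain at a suspicious TLD
score VPS_NO_NTLD 1.0 # limit
reuse VPS_NO_NTLD
# Body phrase rules, each only scored in combination with the sender test.
body __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i
meta OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
describe OFFER_ONLY_AMERICA Offer only available to US
score OFFER_ONLY_AMERICA 2.0 # limit
# Matches the literal text "Email Address", which looks like an unfilled
# mailer template placeholder rather than a real recipient.
body __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i
meta SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
describe SENT_TO_EMAIL_ADDR Email was sent to email address
score SENT_TO_EMAIL_ADDR 2.0 # limit
# Expiration-notice wording plus a large sum of money (LOTS_OF_MONEY is a
# scored rule defined elsewhere, so its own score stacks with this one).
body __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i
meta SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
describe SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
score SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
# Bitcoin address present (__BITCOIN_ID defined elsewhere) plus listed-TLD
# sender.
# NOTE(review): PDS_PRO_TLD, PDS_OTHER_BAD_TLD, OFFER_ONLY_AMERICA,
# SENT_TO_EMAIL_ADDR, SUSPNTLD_EXPIRATION_EXTORT and PDS_BTC_NTLD carry no
# "tflags ... publish" unlike the other scored rules here - confirm whether
# that is intentional.
meta PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
describe PDS_BTC_NTLD Bitcoin suspect NTLD
score PDS_BTC_NTLD 2.0 # limit
endif
endif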