blocking an entire TLD such as all from *.icu

srv

Verified User
Joined
Nov 6, 2019
Messages
7
User began getting multiple spam messages from various addresses using the TLD of icu. Since any mail is coming FROM the following EXAMPLES:
wedeling@leanmiss.icu OR leanmiss.icu, there needs to be a way to BLOCK an entire TLD such as *.icu.
Currently DA version 1.60.1 requires either a complete email address or a complete domain; there needs to be a way to block
these spams from any domain in the .icu Top Level Domain.
 

Richard G

Verified User
Joined
Jul 6, 2008
Messages
4,541
Location
Maastricht
First check in the headers if the mail address is not spoofed.
If not... here's your answer, same spam domain by the way:
 

jordivn

Verified User
Joined
Nov 4, 2016
Messages
52
I do this within my local.cf of spamassassin:

Code:
#--------------------------------------------------
# top level domain matching
#--------------------------------------------------
header SPAMMY_TLD_IN_RCVD Received =~ /(\.net\.ae|\.net\.id|\.ro|\.ru|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.cu\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade|\.ga)\s/i
score SPAMMY_TLD_IN_RCVD 4.0
describe SPAMMY_TLD_IN_RCVD Spammy TLD used in Received line

header SPAMMY_TLD_IN_FROM From =~ /(\.net\.ae|\.net\.id|\.ro|\.ru|\.co\.jp|\.co\.ke|\.AC\.ZA|\.co\.in|\.com\.vn|\.vn|\.cc|\.cu\.ua|\.com\.br|\.gr|\.hr|\.dk|\.win|\.bid|\.tw|\.br|\.pk|\.top|\.club|\.date|\.stream|\.xyz|\.trade)>$/i
score SPAMMY_TLD_IN_FROM 4.0
describe SPAMMY_TLD_IN_FROM Spammy TLD used in From line

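# Received and From values have no "/" right after the hostname, so these two are anchored like the rules above; only the URI rule keeps the path slash.
header __HIGH_SPAMMY_TLD_RCVD Received =~ /\.(win|bid|top|club|date|stream|xyz)\s/i
header __HIGH_SPAMMY_TLD_FROM From =~ /\.(win|bid|top|club|date|stream|xyz)>$/i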
uri __HIGH_SPAMMY_TLD_URI /\.(win|bid|top|club|date|stream|xyz)\/.+/i
meta HIGH_SPAMMY_TLD (__HIGH_SPAMMY_TLD_RCVD && __HIGH_SPAMMY_TLD_FROM && __HIGH_SPAMMY_TLD_URI)
score HIGH_SPAMMY_TLD 7.5
describe HIGH_SPAMMY_TLD HIGH spammy tld used in Received, From and link
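
An added example, not part of any post in this thread: a Python stand-in for the TLD matching these rules perform, run over constructed headers with .icu from the original question added to the list. It shows that a From pattern ending in `>$` misses a bare address without angle brackets, and that From and Received can disagree, which is the spoofing check suggested earlier. `BLOCKED`, the function names and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed list: .icu from the question plus a few TLDs from the rules above.
BLOCKED = {"icu", "win", "bid", "top", "xyz"}
# Shape of the posted From rule: TLD followed by ">" at the end of the header.
POSTED_FROM = re.compile(r"\.(icu|win|bid|top|xyz)>$", re.I)
# First hostname after "from" in a Received header.
RCVD_HOST = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.I)

def tld(host):
    """Last DNS label, lower-cased, ignoring a trailing dot."""
    return host.rstrip(".").rsplit(".", 1)[-1].lower()

def check(raw):
    """Report which of the three TLD tests fire for one raw message."""
    msg = message_from_string(raw)
    from_hdrs = msg.get_all("From", [])
    # Parse the address itself, so display names and brackets do not matter.
    addrs = [a for _, a in getaddresses(from_hdrs) if "@" in a]
    relays = [m.group(1) for h in msg.get_all("Received", [])
              for m in [RCVD_HOST.search(h)] if m]
    return {
        "from_addr": any(tld(a.rsplit("@", 1)[1]) in BLOCKED for a in addrs),
        "posted_from_regex": any(POSTED_FROM.search(h.strip()) for h in from_hdrs),
        "received": any(tld(h) in BLOCKED for h in relays),
    }

def make_msg(frm, relay):
    """Build a minimal constructed message (192.0.2.10 is a documentation IP)."""
    return (f"Received: from {relay} ({relay} [192.0.2.10]) by mx.example.org\n"
            f"From: {frm}\nSubject: test\n\nbody\n")

# Constructed samples, not real mail.
SAMPLES = {
    "bracketed": make_msg('"Deals" <wedeling@leanmiss.icu>', "mail.leanmiss.icu"),
    "bare": make_msg("wedeling@leanmiss.icu", "mail.leanmiss.icu"),
    "subdomain": make_msg("bob@icu.example.com", "mail.example.com"),
    "from_only": make_msg("<wedeling@leanmiss.icu>", "relay.example.net"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {check(raw)}")
```

In SpamAssassin itself, the `From:addr` header modifier gives the same address-only matching as `from_addr` here, so a pattern can end in `$` instead of `>$`.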
 

jordivn

Verified User
Joined
Nov 4, 2016
Messages
52
Nope, it updates its bayes files, didn't update local.cf so far.
I do check this by a git push before and after update. Then I check the config file changes.
 