Yahoo Groups archive

Milter-greylist

Re: [milter-greylist] Spam coming for new top level domains...

2015-01-21 by Vincent Fox

On 1/20/2015 7:39 AM, Mike Grau m.grau@... [milter-greylist] wrote:
> On 01/17/2015 02:56 PM, Vincent Fox vbfox@... [milter-greylist]
> wrote:
>> There are times when I think about adding .us and .eu as well.
>> But there is SOME legit stuff there.  So we mildly penalize score
>> in our spamassassin layer instead.   Been thinking about making
>> US and EU people also wait longer on the greylist before sending
>> but I haven't gotten around to it yet.
> I sympathize with that inclination. But I assure you that the domains
> ".xx.us", where "xx" is a two letter abbreviation for a US state, are
> legitimate domains. :)
>
> There does seem to be a bit of compromised account trouble out of
> ".k12.xx.us" domains, but that is a drop in the bucket compared to the
> "name@..." type spam. Similarly, quite a bit of spam comes from
> the .edu TLD.
>
I see the problem as quite different.

EDU spam is compromised accounts, on legitimate servers with
previously decent reputations.  We have it here on a semi-regular basis
that phished account credentials are used to send spam from our
mail routing pool, which may result in some of our servers appearing
in blacklists and then we run around dealing with the mess.

I've never seen torrents of spam from .k12.xx.us compromises.
I'd be perfectly willing to give extra credit to y'all so you are not
tarred with the same brush.

The *.us and *.eu spam I see is usually from servers set up for that
purpose in bought domains, with legit DNS & SPF provisioned. They pop up
and blast out spam as fast as they can.  The half-life on all these newly
provisioned domains before they start appearing in everyone's blacklist
is quite short, but it's CHEAP; they can just write off the cost of having
to constantly repeat this process.

Consequently I've started to rely more and more on the Day Old Bread idea
of penalizing brand-spanking-new domains in our SpamAssassin scoring.
Between DOB and the various SEM-FRESH lists it helps.

Digression:  I get a kick out of my campus department "IT people" busybodies
who regularly propose SPF or DKIM whitelisting since "it's secure and trusted".
Most of the spam I see these days has SPF provisioned, and forges DKIM.
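
Added example (my own illustration, not code from the poster or from milter-greylist): the two heuristics described in this message, a graded Day Old Bread style penalty on domain age plus a mild .us/.eu penalty, as a small Python scorer, with the longer greylist wait for those TLDs that the thread mentions. The registration table, rule names, point values and the 30-minute delays are assumptions; a real deployment would consult a domain-age DNSBL or WHOIS instead of the inline table.

```python
from datetime import date
MESSAGE_DATE = date(2015, 1, 21)  # date of the post, used as "today" below
# Constructed stand-in for a domain-age source (Day Old Bread DNSBL or WHOIS):
# domain -> registration date. Fabricated for this example only.
REGISTRATION_DATES = {
    "example.edu": date(1995, 3, 1),
    "k12-school.ca.us": date(2001, 9, 12),
    "newdeals.eu": date(2015, 1, 14),
    "fresh-offer.us": date(2015, 1, 19),
    "blast-now.eu": date(2015, 1, 21),
}
# Graded age buckets (assumed names and points); only the tightest bucket fires.
AGE_RULES = [(1, 3.0, "DOB_UNDER_1_DAY"), (7, 2.0, "DOB_UNDER_7_DAYS"),
             (30, 1.0, "DOB_UNDER_30_DAYS")]
# The "mild" .us/.eu penalty (assumed points): legitimate .xx.us mail still passes,
# it just needs less other evidence before it is flagged.
TLD_MILD_PENALTY = {"us": 0.5, "eu": 0.5}
BASE_GREYLIST_MINUTES, EXTRA_GREYLIST_MINUTES = 30, 30  # assumed delays

def sender_domain(address):
    """Domain part of an envelope sender, lower-cased; None if malformed."""
    local, sep, domain = address.strip().strip("<>").rpartition("@")
    return domain.lower() if sep and local and domain else None

def score_sender(address, today=MESSAGE_DATE, registrations=REGISTRATION_DATES):
    """Return (points, hit rule names). SPF/DKIM results are deliberately not
    inputs: a passing SPF check says nothing about a freshly bought domain."""
    domain = sender_domain(address)
    if domain is None:
        return 0.0, []
    points, hits = 0.0, []
    registered = registrations.get(domain)
    if registered is not None:  # unknown age adds nothing rather than guessing
        age_days = (today - registered).days
        for max_days, rule_points, name in AGE_RULES:
            if age_days < max_days:
                points, hits = points + rule_points, hits + [name]
                break
    tld = domain.rsplit(".", 1)[-1]
    if tld in TLD_MILD_PENALTY:
        points, hits = points + TLD_MILD_PENALTY[tld], hits + ["LOCAL_TLD_" + tld.upper()]
    return points, hits

def greylist_minutes(address):
    """Greylist wait: the longer delay for .us/.eu senders the thread considers."""
    domain = sender_domain(address)
    if domain and domain.rsplit(".", 1)[-1] in TLD_MILD_PENALTY:
        return BASE_GREYLIST_MINUTES + EXTRA_GREYLIST_MINUTES
    return BASE_GREYLIST_MINUTES
```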
