A customer reported increasing incoming spams, all sent by domains using only digits. A few examples:
Jul 10 05:43:02 mailserver postfix/qmgr[337]: F05621DF040: from=<SaveYou92@0643.com>, size=2636, nrcpt=1 (queue active)
Jul 10 05:43:03 mailserver postfix/qmgr[337]: D2C611DF05D: from=<SaveYou92@0643.com>, size=5835, nrcpt=1 (queue active)
Jul 10 05:53:55 mailserver postfix/qmgr[337]: E24501DF016: from=<SaveYou76@1351.com>, size=2617, nrcpt=1 (queue active)
Jul 10 05:53:56 mailserver postfix/qmgr[337]: EAFA91DF017: from=<SaveYou76@1351.com>, size=5669, nrcpt=1 (queue active)
Jul 10 05:54:10 mailserver postfix/qmgr[337]: 2F1011DF016: from=<SaveYou12@3524.com>, size=2617, nrcpt=1 (queue active)
Jul 10 05:54:11 mailserver postfix/qmgr[337]: 604401DF017: from=<SaveYou12@3524.com>, size=5996, nrcpt=1 (queue active)
Jul 10 06:18:47 mailserver postfix/qmgr[337]: CFC061DF02F: from=<SaveYou65@0020.com>, size=2603, nrcpt=1 (queue active)
Jul 10 06:18:48 mailserver postfix/qmgr[337]: 589C41DF04B: from=<SaveYou65@0020.com>, size=5431, nrcpt=1 (queue active)
Jul 10 06:26:05 mailserver postfix/qmgr[337]: A013918A143: from=<SaveYou15@4841.com>, size=2610, nrcpt=1 (queue active)
Jul 10 06:26:07 mailserver postfix/qmgr[337]: 06A661DF05F: from=<SaveYou15@4841.com>, size=5441, nrcpt=1 (queue active)
Jul 10 07:01:05 mailserver postfix/qmgr[337]: DA0981DF062: from=<SaveYou42@7284.com>, size=2610, nrcpt=1 (queue active)
Jul 10 07:01:07 mailserver postfix/qmgr[337]: 738E71DF067: from=<SaveYou42@7284.com>, size=5822, nrcpt=1 (queue active)
If the sender would be the same address over and over again, this could be easily added into a blacklist, but as you can see, the sender and domain names change frequently. SpamAssassin offers a blacklist_from feature, but unfortunately regular expressions are not allowed:
Whitelist and blacklist addresses are now file-glob-style patterns, so friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, * and ? are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons.
However writing a regular expression rule which detects such "digit only domains" can help to quickly identify the incoming mail as spam:
header CK_4DIGIT_SPAM_ADDRESS From =~ /\b\S*\@\d\d\d\d\.[a-zA-Z]*/i
describe CK_4DIGIT_SPAM_ADDRESS Only 4 digit domain name, almost certainly spam domains
score CK_4DIGIT_SPAM_ADDRESS 7.0
In this rule called "CK_4DIGIT_SPAM_ADDRESS" the from address is analyzed and is checked for an exact match of four digits as domain name. Adding a score of 7.0 should tag the mail immediately as spam.
An additional rule "CK_ONLY_DIGIT_DOMAIN" was created to identify domain names only using digits (not fixed to four digits), however the scoring here was set lower:
header CK_ONLY_DIGIT_DOMAIN From =~ /\b\S*\@\d*\.[a-zA-Z]*/i
describe CK_ONLY_DIGIT_DOMAIN Only digits domain name, likely spam domains
score CK_ONLY_DIGIT_DOMAIN 4.0
Using mailbox filters (e.g. with Sieve) these mails now land directly in the customer's junk folder instead of bothering him.
These rules are part of the 75_ckrules.cf file, which is publicly shared on GitHub.
No comments yet.
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder