More spammy TLD's

I’ve updated the list of spammy TLD’s I use for SpamAssassin, adding .sbs, .shop, and .store, based on having received zero legit mails from senders on domains using those TLD’s for 30 days. The current rule I’m using is

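# The trailing (?![a-z0-9\-\.]) requires the listed TLD to be the last label of the domain, so longer TLDs (.wine, .fund) and subdomain labels (mail.shopfront.example.com) do not match
header SPAMMY_TLD From =~ /@[a-z0-9\-\.]+\.(autos|bid|bio|buzz|club|cyou|fit|fun|gdn|icu|monster|ooo|sbs|sex|shop|site|store|top|win|work|xyz)(?![a-z0-9\-\.])/i
describe SPAMMY_TLD From address uses a TLD popular with spammers
score SPAMMY_TLD 6.0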

On my servers, the spam threshold is set between 5.0 and 6.0, with auto delete set quite high (usually around 18).

I almost never get legit mail that scores higher than 12, but I still whitelist known-legit domains just to be cautious. Some legit senders have misconfigured or absent PTR or DMARC, which could push them over the threshold, and therefore need a safety net.

That is all. Carry on.

Richard
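Why a rule like SPAMMY_TLD needs an end-of-domain boundary after the TLD alternation, shown as an added example (not code from the post): the same pattern is run with and without the boundary over constructed From headers. Python's `re` stands in for SpamAssassin's Perl regex here, and the names `UNANCHORED`, `ANCHORED` and `SAMPLES` are illustrative assumptions.

```python
import re

# TLD list copied from the SPAMMY_TLD rule in the post above.
TLDS = ("autos|bid|bio|buzz|club|cyou|fit|fun|gdn|icu|monster|ooo|sbs|sex|"
        "shop|site|store|top|win|work|xyz")
DOMAIN = r"@[a-z0-9\-\.]+\.(" + TLDS + r")"

# No boundary: anything may follow the listed TLD.
UNANCHORED = re.compile(DOMAIN, re.I)
# Boundary added: the TLD must be the final label of the domain.
ANCHORED = re.compile(DOMAIN + r"(?![a-z0-9\-\.])", re.I)

# Constructed From headers: (header value, sender really is on a listed TLD)
SAMPLES = [
    ('"Deals" <promo@cheap-pills.shop>', True),
    ("offers@mail.win-big.xyz", True),
    ("Orders <noreply@email.shopfront.example.com>", False),
    ("Cellar Club <sales@example.wine>", False),
    ("billing@example.fund", False),
    ("hr@portal.workplace.example.org", False),
]

def false_positives(pattern):
    """Headers the pattern hits although the sender is not on a listed TLD."""
    return [h for h, listed in SAMPLES if pattern.search(h) and not listed]

def missed(pattern):
    """Headers on a listed TLD that the pattern fails to hit."""
    return [h for h, listed in SAMPLES if listed and not pattern.search(h)]

if __name__ == "__main__":
    for name, pat in (("unanchored", UNANCHORED), ("anchored", ANCHORED)):
        print(name, "false positives:", false_positives(pat))
        print(name, "missed:", missed(pat))
```

With a 6.0 score on the rule, each false positive here would cross a 5.0 to 6.0 threshold on this rule alone, which is why the boundary matters before any whitelisting.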

I hardly think this is a good suggestion.

I have a number of domains in the Education Sector who use .icu and one in particular auction house that uses a .bid and a number of .club and .fun users. I manage their servers among many others. Now I am pretty certain no spam originates from any of their users. What is more I doubt if any of their users would be emailing you or any of your users (genuinely) or otherwise.

It is just that I believe this sort of blanket approach is about as indiscriminate as possible to take. It is about as useful as locking all .com sites because they might originate in the USA or .cn because they might be Chinese. I would much prefer to be informed that spam is actually originating from one of my VPS so I can investigate, isolate and resolve.

Spam doesn’t happen just because there is a domain with a particular TLD; it happens because a user on that domain sends it (often indirectly).

I have always maintained it is not the job of a system admin to decide on what is SPAM and what isn’t - just like it is not our job to decide what goes in a database or what words used in application code are deemed “offensive”.

But at the end of the day it’s your server - do with it what you want and answer to no one.

Thank you.

I understand your position, but my clients disagree. They don’t want to see spam in their inboxes; and ultimately, since they pay the bills, I answer to them.

Also, if the sending mail servers are properly configured in the other standard ways (PTR, DMARC, etc.), that will deduct three points and put them under the threshold. But even if they’re not, it just means they get sent to the spam folder, not deleted. If they’re legit, the individual domains will be whitelisted.

It’s really about ratios. The ratio of spam to legit mail coming from domains on those TLD’s ranges from hundreds to one to thousands to one. I haven’t received a single report nor observed a single false positive on any of them in a very long time.

Richard

I can’t say I understand but “he who pays the piper” I guess. I suppose I have too many clients who firmly believe it is their user’s responsibility to decide what is or is not spam. Nice to see how you did it, nevertheless 👍


Thanks. It works for me. False positives are exceedingly rare, and the amount of spam that slips through is tolerable. People don’t mind two or three spams slipping through in a day. They’d rather have that than the false positives.

The whole rule set averages about 235 lines, by the way. There are rules to add points and subtract points. I edit them several times a week based on spam trends. I probably could make a full-time job out of maintaining local.cf files.

Thing is, I have clients that move on because they like some other designer’s Web style better than mine, or because they buy into a package deal based around their particular industry; but then they come back for mail only a few weeks or months later specifically because I spend more time on spam filtering.

I don’t mind mail-only clients because I charge them the same amount of money and don’t have to worry about the SEO crap. So in the end, it works out for me.

Richard

The point is you are using a public forum to suggest this to others. There are many novice and part-time admins using the software so you really need to be careful in what you suggest and how you suggest it here. Since 5 is the SA default I think 6 is a tad aggressive for most. It should only be a fraction of 5 to be safe.

Actually, 6 is less aggressive than 5. The higher the spam score, the more likely to be “spammy” the piece of mail in question is.

The score you choose will tag mail of that value or higher as spam. So the higher the threshold you set, the more permissive (or less aggressive) SpamAssassin will be when deciding what to do with the mail.

An email with a score of 6 will be perceived as more likely to be spam than an email with a score of 5. A threshold setting of 6 will allow it through. The default setting of 5 will not.

Richard

Please reread my post.

That seems pretty clear. You’re saying that 6 is too aggressive because it’s more than the SA default. But it’s actually less aggressive.

What am I missing?

EDIT:

Okay, I think I see what you mean. You mean the setting for the individual rule, I think.

To my knowledge, there is no default for a custom rule. I’m not even sure how there could be since a custom rule is, well, custom. But that aside, there are also other custom rules that subtract points.

As for the rest, I don’t recommend that anyone do anything just because I do it. Do whatever works for your situation. This works for mine. If others do or don’t want to use it, I won’t be elated or disappointed, respectively.

Let’s hope your clients don’t buy anything from an online store using those domains.

and

.SBS domain name - Generic

.SBS is a new domain extension that stands for Side By Side. Intended for organisations, businesses and professionals embracing inclusion and unbiased mindsets, as well as social welfare enterprises, community groups, non-profits and activists who aim at driving awareness and change.

Also the idea of SA is to build up a score to 5 or 6 with the content of the email, DKIM, SPF, etc. A blanket 6 is 100% spam just for buying a legit domain is a bit overboard. But it’s your service.

We shall see. So far, they’ve just been the source of spam complaints.

And again, there are offsetting mitigating scores. Just having valid PTR, DKIM, and DMARC will knock it back down to 3.
