We run our own small hosting company for our websites and some clients. We've recently seen a large flood of spam getting through and discovered it's from all the new TLDs that apparently RBLs aren't blocking. Our servers run two RBLs (Spamhaus and Barracuda) and literally hundreds of spam messages a day were getting past them and being delivered with TLDs like .ninja, .xyz, .website, etc. Seems these RBLs haven't adapted for the new TLDs and spammers have figured it out.
Because we own all our servers, I created an EXIM filter to block all the new TLDs these spammers were using. About once a day I'd run a report to see what emails (spam) got delivered, pick out the TLDs they were using and add them to the EXIM filter. After a couple of weeks we now have these spammers back under control. I imagine sooner or later these RBLs will update to start filtering the new TLDs, but we and our clients needed an immediate solution as we were getting hundreds a day, thousands a week.
Code:
# Blacklist Domains
# Inside an Exim filter's double-quoted strings, "\\" becomes a single
# backslash, so "\\." is a regex literal dot. The character class after the
# TLD stops ".co" from also matching ".com", ".co.uk" and similar.
if first_delivery
and (
    ("$h_from:" matches ".+@.+\\.space[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.work[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.click[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.cricket[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.exercise[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.link[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.ninja[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.rocks[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.science[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.co\\.in[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.xyz[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.review[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.date[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.co[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.biz[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.us[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.uno[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.party[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.webcam[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.gq[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.faith[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.eu[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.me[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.tk[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.au[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.vn[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.website[^a-zA-Z0-9_]")
    or ("$h_from:" matches ".+@.+\\.nl[^a-zA-Z0-9_]")
)
then
    # Tag the message with the rule name and original subject, then divert it
    # to a quarantine mailbox instead of the addressed recipient.
    headers add "SpamRule: EXIM FILTER Block Newfangled Domains (was: $h_subject:)"
    deliver "Newfangled <blacklist@yourdomain.com>"
    seen finish
endif
Hi InBargains,
I'm new at posting to this forum. I've used your Exim Filter for Newfangled Domains for the last couple years and it works great!
I've now noticed that a lot of spammers are getting around this great filter by using alias domains like...
blabla@blabla.blabla.work
or
blabla@blabla.blabla.blabla.date
I've tried experimenting with the regex but I can't get it to work for the above examples. Would you be able to share a new set of regex for the above examples?
Thanks again, as you've saved our clients from untold amounts of spam.
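The sender-TLD check both posts are discussing, written as an added Python example (not the filter from the original post, and not Exim code) so the matching logic can be tested offline. It extracts the domain from the From: header with the standard library, then requires a blocked TLD at the very end of that domain, which covers the multi-label domains in the reply (blabla@blabla.blabla.work) while leaving lookalike labels such as workplace.com alone. The TLD list is a constructed subset of the one in the thread; the quarantine address is the placeholder from the original filter.

```python
import re
from email.utils import parseaddr

# Constructed subset of the TLD list used by the filter in the thread.
BLOCKED_TLDS = ["space", "work", "click", "ninja", "xyz", "date", "website", "co.in", "co"]

# Match a blocked TLD only when it is the last label(s) of the domain, preceded
# by a dot. Any number of labels may come before it, so spam@mail.example.work
# and spam@a.b.c.date both match, while workplace.com and example.com do not.
# re.escape() keeps the dot inside "co.in" literal.
_TLD_RE = re.compile(
    r"\.(" + "|".join(re.escape(t) for t in BLOCKED_TLDS) + r")$",
    re.IGNORECASE,
)


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header, ignoring display names and angle brackets."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    # Strip a trailing dot (FQDN form) and normalise case before matching.
    return addr.rsplit("@", 1)[1].rstrip(".").lower()


def blocked_tld(from_header: str):
    """Return the blocked TLD the sender's domain ends in, or None if it is allowed."""
    m = _TLD_RE.search(sender_domain(from_header))
    return m.group(1).lower() if m else None


def filter_message(headers: dict, quarantine: str = "blacklist@yourdomain.com"):
    """Mimic the Exim filter's action for one message given as a header dict.

    Returns None when the message should be delivered normally, otherwise the
    tag header the filter would add and the quarantine address it would deliver to.
    """
    tld = blocked_tld(headers.get("From", ""))
    if tld is None:
        return None
    return {
        "SpamRule": f"EXIM FILTER Block Newfangled Domains (was: {headers.get('Subject', '')})",
        "deliver_to": quarantine,
        "tld": tld,
    }
```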