# BLOCKREGISTRAR-PATTERNS.RC
#
# Blocks email from certain registrars that have spam problems
# unless it meets rigorous checks for legitimacy.
#
# How the recipes in this file are built (procmail scoring semantics):
#   * Every body (":0 B") recipe starts with "-1000^0", an always-matching
#     empty regexp that seeds the score at -1000, so the recipe only fires
#     when a positive 1100-weight condition outweighs it.
#   * "w^0" counts a pattern once no matter how often it matches;
#     "w^1" adds w for every match.
#   * Conditions prefixed with "$" have ${VARIABLE}s expanded before the
#     regexp is compiled.
#   * The two "forwarded message" conditions exclude mail that is quoting a
#     forwarded message, whose body domains are not the sender's.
#   * Each hit logs via loglevel.rc and then adds a fixed amount to SBSCORE:
#     "* $ ${SBSCORE}^0" + "* N^0" totals SBSCORE+N, and "$=" is that total.
#   * LEANTAG, FROMDOMAIN, FROMHOST, FIRSTEXDOMAIN, FIRSTEXHOST, the
#     *BODYDOMAIN / *BODYIPREGEXP variables and SBDIR are set before this
#     file is included (presumably by the main SpamBouncer rc -- verify).
#
# NOTE(review): ${FROMDOMAIN} and ${FROMHOST} are interpolated into
# regexps unescaped. They presumably derive from message headers, so regexp
# metacharacters in those values would change what the conditions match
# (e.g. defeat the "different domain" comparison). Confirm they are
# sanitized where they are set.
#
# .BIZ Registrar
#
# Last Updated: 8/25/05
#
# Other Relevant Info:
#
# 10/17/03:
# Huge number of spam domains are registered with the .BIZ registrar.
# The registrar hides the identity of the domain owners, and does not
# cooperate with anti-spam efforts. There are legitimate .BIZ domains,
# but the registrar's irresponsibility and likely complicity in spamming
# means that a negative score on email that contains a reference to a
# .BIZ domain in the body text is justified.
#
# 11/20/03:
# To accommodate a few legitimate .BIZ domain owners, I've refined this
# recipe to negatively score only email that refers to a .BIZ domain in
# the message body. Email that comes from a .BIZ domain, but contains
# no reference to a .BIZ domain in the message body, will not be
# negatively scored. (This will be true of almost no spam whatsoever.)
# Email that contains a .BIZ domain in the From: header and also in the
# message body will get a mild negative score. Email that does not
# contain a .BIZ domain the From: header, but does contain one in the
# message body, will get a heavier negative score.
#
# Status: Irresponsible Registrar
#

# From: is a .BIZ domain and neither the first external relay's domain nor
# its host (FIRSTEXDOMAIN / FIRSTEXHOST -- presumably parsed from Received:)
# matches the From: domain.
:0
* LEANTAG ?? no
* FROMDOMAIN ?? ^.*\.biz$
* $ ! FIRSTEXDOMAIN ?? ^${FROMDOMAIN}$
* $ ! FIRSTEXHOST ?? ^${FROMHOST}$
{
  # Score +3 when the body names a .BIZ domain OTHER than the From: domain.
  # Each mention of ${FROMDOMAIN} is offset by the -1100^1 condition, so
  # only additional .BIZ domains push the total above zero.
  # NOTE(review): this is the only .BIZ/.INFO/.US body pattern written for a
  # single label ([0-9a-z][-_0-9a-z]+ then .biz); every other recipe in this
  # file uses the multi-label form ([...]+(ÿ|\.|=2E))+. Confirm whether the
  # difference is intentional.
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * $ -1100^1 (^|[^-_0-9a-z])${FROMDOMAIN}([^a-z0-9.]|\. |\.$|$)
  * 1100^1 (^|[^-_0-9a-z])[0-9a-z][-_0-9a-z]+(ÿ|\.|=2E)biz([^a-z0-9.]|\. |\.$|$)
  {
    SBLOG="A1R-Forged .BIZ From domain, different .BIZ domain in message body"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 3^0
    { SBSCORE=$= }
  }
}

# From: is NOT a .BIZ domain but the body mentions one: score +5.
:0
* LEANTAG ?? no
* ! FROMDOMAIN ?? ^.*\.biz$
{
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * 1100^0 (^|[^-_0-9a-z])([0-9a-z][-_0-9a-z]+(ÿ|\.|=2E))+biz([^a-z0-9.]|\. |\.$|$)
  {
    SBLOG="A1R-.BIZ domain in message body, not in From: header"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 5^0
    { SBSCORE=$= }
  }
}

# .INFO Registrar
#
# Updated and domains verified 8/25/05
# Other Relevant Info:
#
# 12/12/03:
# Too many spammers. Unlike the .BIZ registrar, however, the
# .INFO registrar is trying to do something about their spammers.
# So only email with a .INFO domain in the body text and no
# such domain in the From: header is negatively scored. (Most
# .INFO email that claims to be from a .INFO address isn't spam.)
#
# 8/25/05:
# There's been a huge upswing in spam with .INFO domains in
# the last few months, matching the downswing in spam with
# .BIZ domains.
#
# Status: Overwhelmed Registrar
#

# From: is a .INFO domain that does not match the first external relay.
:0
* LEANTAG ?? no
* FROMDOMAIN ?? ^.*\.info$
* $ ! FIRSTEXDOMAIN ?? ^${FROMDOMAIN}$
* $ ! FIRSTEXHOST ?? ^${FROMHOST}$
{
  # The From: domain itself appears in the body: score +2.
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * $ 1100^0 (^|[^-_0-9a-z])${FROMDOMAIN}([^a-z0-9.]|\. |\.$|$)
  {
    SBLOG="A1R-Forged .INFO From domain"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 2^0
    { SBSCORE=$= }
  }

  # A .INFO domain other than the From: domain appears in the body: score +3
  # (mentions of ${FROMDOMAIN} are offset by the -1100^1 condition).
  # Both body recipes can fire on the same message, for +5 in total.
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * $ -1100^1 (^|[^-_0-9a-z])${FROMDOMAIN}([^a-z0-9.]|\. |\.$|$)
  * 1100^1 (^|[^-_0-9a-z])([0-9a-z][-_0-9a-z]+(ÿ|\.|=2E))+info([^a-z0-9.]|\. |\.$|$)
  {
    SBLOG="A1R-Forged .INFO From domain, different .INFO domain in message body"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 3^0
    { SBSCORE=$= }
  }
}

# From: is NOT a .INFO domain.
:0
* LEANTAG ?? no
* ! FROMDOMAIN ?? ^.*\.info$
{
  # If the first body domain is .INFO, walk the first seven body domains and
  # test each .INFO one's IP regexp against the Yahoo CIDR list.
  # check-cidr.rc is presumed to set LT2=yes on a hit (verify); the chain
  # stops at the first hit because each step requires "LT2 ?? no".
  :0
  * FIRSTBODYDOMAIN ?? ^.*\.info$
  {
    LOCALIPREGEXP=${FIRSTBODYIPREGEXP}
    LT2=no
    TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
    INCLUDERC=${SBDIR}/functions/check-cidr.rc

    :0
    * LT2 ?? no
    * SECONDBODYDOMAIN ?? ^.*\.info$
    {
      LOCALIPREGEXP=${SECONDBODYIPREGEXP}
      TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
      INCLUDERC=${SBDIR}/functions/check-cidr.rc
    }

    :0
    * LT2 ?? no
    * THIRDBODYDOMAIN ?? ^.*\.info$
    {
      LOCALIPREGEXP=${THIRDBODYIPREGEXP}
      TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
      INCLUDERC=${SBDIR}/functions/check-cidr.rc
    }

    :0
    * LT2 ?? no
    * FOURTHBODYDOMAIN ?? ^.*\.info$
    {
      LOCALIPREGEXP=${FOURTHBODYIPREGEXP}
      TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
      INCLUDERC=${SBDIR}/functions/check-cidr.rc
    }

    :0
    * LT2 ?? no
    * FIFTHBODYDOMAIN ?? ^.*\.info$
    {
      LOCALIPREGEXP=${FIFTHBODYIPREGEXP}
      TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
      INCLUDERC=${SBDIR}/functions/check-cidr.rc
    }

    :0
    * LT2 ?? no
    * SIXTHBODYDOMAIN ?? ^.*\.info$
    {
      LOCALIPREGEXP=${SIXTHBODYIPREGEXP}
      TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
      INCLUDERC=${SBDIR}/functions/check-cidr.rc
    }

    :0
    * LT2 ?? no
    * SEVENTHBODYDOMAIN ?? ^.*\.info$
    {
      LOCALIPREGEXP=${SEVENTHBODYIPREGEXP}
      TESTCIDR=${SBDIR}/info/yahoo-ips.cidr
      INCLUDERC=${SBDIR}/functions/check-cidr.rc
    }

    # A Yahoo-hosted .INFO body domain was found: score +8.
    :0
    * LT2 ?? yes
    {
      SBLOG="A1R-Yahoo-hosted .INFO domain in message body, not in From header"
      INCLUDERC=${SBDIR}/functions/loglevel.rc

      :0
      * $ ${SBSCORE}^0
      * 8^0
      { SBSCORE=$= }
    }
  }

  # Any .INFO domain in the body (not already scored as Yahoo-hosted): +5.
  # NOTE(review): LT2 is set to "no" only inside the FIRSTBODYDOMAIN block
  # above. If LT2 is not initialised before this file is included, this
  # recipe is skipped whenever the first body domain is not .INFO -- confirm
  # against the caller.
  :0 B
  * LT2 ?? no
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * 1100^0 (^|[^-_0-9a-z])([0-9a-z][-_0-9a-z]+(ÿ|\.|=2E))+info([^a-z0-9.]|\. |\.$|$)
  {
    SBLOG="A1R-.INFO domain in message body, not in From: header"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 5^0
    { SBSCORE=$= }
  }
}

# .US Registrar
#
# Last Updated: 8/25/05
#
# Other Relevant Info:
#
# 12/12/03:
# A large number of new spam domains are being registered with the
# .US registrar. The .US registrar doesn't appear to be doing
# anything to stem the flood.
#
# There are a number of older .us domains that are perfectly
# legitimate, but they are of the format name.xx.us (a two-letter
# locality code before .us, as matched by the negated condition below),
# while the new domains are simply name.us. So this recipe only
# affects domains in the new format. It scores them as it does
# .BIZ domains, and will until the .US registrar gets a handle
# on spammers abusing their domain registration services.
#
# Status: Irresponsible Registrar
#

# From: is a new-format .US domain (not xx.us) that does not match the first
# external relay.
:0
* LEANTAG ?? no
* FROMDOMAIN ?? ^.*\.us$
* ! FROMDOMAIN ?? ^([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z]\.us$
* $ ! FIRSTEXDOMAIN ?? ^${FROMDOMAIN}$
* $ ! FIRSTEXHOST ?? ^${FROMHOST}$
{
  # The From: domain itself appears in the body: score +2.
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * $ 1100^0 (^|[^-_0-9a-z])${FROMDOMAIN}([^a-z0-9.]|\. |\.$|$)
  {
    SBLOG="A1R-Forged .US From domain"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 2^0
    { SBSCORE=$= }
  }

  # A .US domain other than the From: domain appears in the body: score +3.
  # blackholes.us and del.icio.us are whitelisted by matching negative
  # weights so their mentions do not count.
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * $ -1100^1 (^|[^-_0-9a-z])${FROMDOMAIN}([^a-z0-9.]|\. |\.$|$)
  * -1100^1 (^|[^-_0-9a-z])blackholes(ÿ|\.|=2E)us([^a-z0-9.]|\. |\.$|$)
  * -1100^1 (^|[^-_0-9a-z])del(ÿ|\.|=2E)icio(ÿ|\.|=2E)us([^a-z0-9.]|\. |\.$|$)
  * 1100^1 (^|[^-_0-9a-z])([0-9a-z][-_0-9a-z]+(ÿ|\.|=2E))+us([^a-z0-9.]|\. |\.$|$)
  {
    SBLOG="A1R-Forged .US From domain, different .US domain in message body"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 3^0
    { SBSCORE=$= }
  }
}

# From: is NOT a .US domain but the body mentions one: score +5.
# Old-format xx.us domains, blackholes.us and del.icio.us are excluded via
# negative weights.
# NOTE(review): the positive pattern and the xx.us / blackholes.us exclusions
# use ^0 (counted once) while del.icio.us uses ^1 (counted per match). With
# ^0 on both sides, a body that contains one excluded domain AND one
# new-format .US domain nets zero and is not scored -- confirm this is the
# intended trade-off.
:0
* LEANTAG ?? no
* ! FROMDOMAIN ?? ^.*\.us$
{
  :0 B
  * !--.*forwarded message --
  * !^forwarded message:
  * -1000^0
  * -1100^0 (^|[^-_0-9a-z])([0-9a-z][-_0-9a-z]+(ÿ|\.|=2E))+[a-z][a-z](ÿ|\.|=2E)us([^a-z0-9.]|\. |\.$|$)
  * -1100^0 (^|[^-_0-9a-z])blackholes(ÿ|\.|=2E)us([^a-z0-9.]|\. |\.$|$)
  * -1100^1 (^|[^-_0-9a-z])del(ÿ|\.|=2E)icio(ÿ|\.|=2E)us([^a-z0-9.]|\. |\.$|$)
  * 1100^0 (^|[^-_0-9a-z])([0-9a-z][-_0-9a-z]+(ÿ|\.|=2E))+us([^a-z0-9.]|\. |\.$|$)
  {
    SBLOG="A1R-.US domain in message body, not in From: header"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    :0
    * $ ${SBSCORE}^0
    * 5^0
    { SBSCORE=$= }
  }
}