Of course we cannot always share details about our work with customers, but nevertheless it is nice to show our technical achievements and share some of our implemented solutions.
A customer reported increasing incoming spams, all sent by domains using only digits. A few examples:
Jul 10 05:43:02 mailserver postfix/qmgr[337]: F05621DF040: from=<SaveYou92@0643.com>, size=2636, nrcpt=1 (queue active)
Jul 10 05:43:03 mailserver postfix/qmgr[337]: D2C611DF05D: from=<SaveYou92@0643.com>, size=5835, nrcpt=1 (queue active)
Jul 10 05:53:55 mailserver postfix/qmgr[337]: E24501DF016: from=<SaveYou76@1351.com>, size=2617, nrcpt=1 (queue active)
Jul 10 05:53:56 mailserver postfix/qmgr[337]: EAFA91DF017: from=<SaveYou76@1351.com>, size=5669, nrcpt=1 (queue active)
Jul 10 05:54:10 mailserver postfix/qmgr[337]: 2F1011DF016: from=<SaveYou12@3524.com>, size=2617, nrcpt=1 (queue active)
Jul 10 05:54:11 mailserver postfix/qmgr[337]: 604401DF017: from=<SaveYou12@3524.com>, size=5996, nrcpt=1 (queue active)
Jul 10 06:18:47 mailserver postfix/qmgr[337]: CFC061DF02F: from=<SaveYou65@0020.com>, size=2603, nrcpt=1 (queue active)
Jul 10 06:18:48 mailserver postfix/qmgr[337]: 589C41DF04B: from=<SaveYou65@0020.com>, size=5431, nrcpt=1 (queue active)
Jul 10 06:26:05 mailserver postfix/qmgr[337]: A013918A143: from=<SaveYou15@4841.com>, size=2610, nrcpt=1 (queue active)
Jul 10 06:26:07 mailserver postfix/qmgr[337]: 06A661DF05F: from=<SaveYou15@4841.com>, size=5441, nrcpt=1 (queue active)
Jul 10 07:01:05 mailserver postfix/qmgr[337]: DA0981DF062: from=<SaveYou42@7284.com>, size=2610, nrcpt=1 (queue active)
Jul 10 07:01:07 mailserver postfix/qmgr[337]: 738E71DF067: from=<SaveYou42@7284.com>, size=5822, nrcpt=1 (queue active)
If the sender were always the same address, it could simply be added to a blacklist, but as you can see, both the local part and the domain name change frequently. SpamAssassin offers a blacklist_from feature, but unfortunately regular expressions are not allowed there:
Whitelist and blacklist addresses are now file-glob-style patterns, so friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, * and ? are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons.
However, writing a regular expression rule that detects such "digit-only domains" helps to quickly identify the incoming mail as spam:
header CK_4DIGIT_SPAM_ADDRESS From =~ /\b\S*\@\d\d\d\d\.[a-zA-Z]*/i
describe CK_4DIGIT_SPAM_ADDRESS Only 4 digit domain name, almost certainly spam domains
score CK_4DIGIT_SPAM_ADDRESS 7.0
In this rule, named "CK_4DIGIT_SPAM_ADDRESS", the From address is checked for a domain name that begins with exactly four digits followed by a dot. A score of 7.0 is enough on its own to tag the mail as spam (SpamAssassin's default required_score is 5.0). Note that the pattern is not anchored, so an address whose domain merely starts with a four-digit label (user@2024.example.com, for instance) would match as well; if that causes false positives in your environment, anchor the pattern or lower the score.
An additional rule, "CK_ONLY_DIGIT_DOMAIN", was created to identify domain names consisting only of digits (any number of them, not just four). Its score is set lower, because a digit-only domain alone is a weaker signal. The digit quantifier is \d+ rather than \d* so that the rule requires at least one digit before the dot:
header CK_ONLY_DIGIT_DOMAIN From =~ /\b\S*\@\d+\.[a-zA-Z]*/i
describe CK_ONLY_DIGIT_DOMAIN Only digits domain name, likely spam domains
score CK_ONLY_DIGIT_DOMAIN 4.0
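To see what the two rules actually match before deploying them, the following script (an added example, not code from the original post or from the 75_ckrules.cf file) translates both patterns 1:1 into Python's re module, applies them to the envelope senders found in postfix/qmgr log lines like the ones above, and sums the scores against SpamAssassin's default required_score of 5.0. The second pattern uses \d+ instead of \d* so that a domain without any digits cannot match. The sample log is constructed: two senders are copied from the excerpt above, the others are made up to show where the unanchored patterns over-match. The STRICT_RULE pattern and the strict_digit_domain() helper are a hypothetical tightened variant that is not part of the page's rules.

```python
import re

# The two SpamAssassin rules from the page, translated 1:1 into Python's re module
# (the patterns only use syntax that Perl and Python share). The second pattern uses
# \d+ instead of the page's \d*, so a domain with no digits at all cannot match.
# The scores are the ones the page assigns.
RULES = {
    "CK_4DIGIT_SPAM_ADDRESS": (re.compile(r"\b\S*\@\d\d\d\d\.[a-zA-Z]*", re.I), 7.0),
    "CK_ONLY_DIGIT_DOMAIN":   (re.compile(r"\b\S*\@\d+\.[a-zA-Z]*", re.I), 4.0),
}

# Hypothetical tightened variant (not on the page): anchored to the whole address, so
# only a domain that is nothing but digits plus a TLD matches. In a real .cf file it
# would be used with "header ... From:addr =~ /.../" so that SpamAssassin hands the
# rule the bare address rather than the full header with display name.
STRICT_RULE = re.compile(r"^[^@\s]+@\d+\.[a-zA-Z]+$", re.I)

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score

# Constructed sample in the postfix/qmgr format shown on the page: the first two
# senders are copied from the page's excerpt, the remaining three are made up.
SAMPLE_LOG = """\
Jul 10 05:43:02 mailserver postfix/qmgr[337]: F05621DF040: from=<SaveYou92@0643.com>, size=2636, nrcpt=1 (queue active)
Jul 10 05:53:55 mailserver postfix/qmgr[337]: E24501DF016: from=<SaveYou76@1351.com>, size=2617, nrcpt=1 (queue active)
Jul 10 06:00:00 mailserver postfix/qmgr[337]: AAAAAAAAAAA: from=<invoice@2024.example.com>, size=1000, nrcpt=1 (queue active)
Jul 10 06:00:01 mailserver postfix/qmgr[337]: BBBBBBBBBBB: from=<bob@12.com>, size=1000, nrcpt=1 (queue active)
Jul 10 06:00:02 mailserver postfix/qmgr[337]: CCCCCCCCCCC: from=<alice@example.com>, size=1000, nrcpt=1 (queue active)
"""

FROM_RE = re.compile(r"from=<([^>]*)>")


def sender_from_log(line):
    """Extract the envelope sender from a postfix/qmgr log line, or None."""
    m = FROM_RE.search(line)
    return m.group(1) if m else None


def score_sender(address):
    """Return (total score, sorted names of the page's rules that fired)."""
    hits = sorted(name for name, (rx, _) in RULES.items() if rx.search(address))
    return sum(RULES[name][1] for name in hits), hits


def is_spam(address, required=REQUIRED_SCORE):
    """True when the page's two rules alone reach the required score."""
    return score_sender(address)[0] >= required


def strict_digit_domain(address):
    """True only when the whole domain is digits plus a TLD (anchored variant)."""
    return STRICT_RULE.search(address) is not None


def classify_log(log_text):
    """Map each sender in the log to (score, fired rules, strict-variant verdict)."""
    result = {}
    for line in log_text.splitlines():
        addr = sender_from_log(line)
        if addr is not None:
            score, hits = score_sender(addr)
            result[addr] = (score, hits, strict_digit_domain(addr))
    return result


if __name__ == "__main__":
    for addr, (score, hits, strict) in classify_log(SAMPLE_LOG).items():
        verdict = "SPAM" if score >= REQUIRED_SCORE else "ok  "
        print(f"{verdict} {score:4.1f} strict={strict!s:5} {addr:28} {hits}")
```

Running the script shows the two spam senders from the log scoring 11.0 (both rules fire), bob@12.com scoring only 4.0 from CK_ONLY_DIGIT_DOMAIN and therefore staying below the threshold, and invoice@2024.example.com scoring 11.0 as well although its domain is not digit-only; the anchored variant rejects that last case, which is the trade-off to weigh when choosing how strict to make the rule.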
With mailbox filters (e.g. Sieve), these mails now land directly in the customer's junk folder instead of bothering him.
These rules are part of the 75_ckrules.cf file, which is publicly shared on GitHub.