We sometimes write.

Of course we cannot always share details about our work with customers, but nevertheless it is nice to show our achievements and share some solutions.

How to protect your mailbox from spammers using only digit domains with SpamAssassin

Published on July 12th 2019 - see original post


A customer reported increasing incoming spams, all sent by domains using only digits. A few examples:

Jul 10 05:43:02 mailserver postfix/qmgr[337]: F05621DF040: from=<SaveYou92@0643.com>, size=2636, nrcpt=1 (queue active)
Jul 10 05:43:03 mailserver postfix/qmgr[337]: D2C611DF05D: from=<SaveYou92@0643.com>, size=5835, nrcpt=1 (queue active)
Jul 10 05:53:55 mailserver postfix/qmgr[337]: E24501DF016: from=<SaveYou76@1351.com>, size=2617, nrcpt=1 (queue active)
Jul 10 05:53:56 mailserver postfix/qmgr[337]: EAFA91DF017: from=<SaveYou76@1351.com>, size=5669, nrcpt=1 (queue active)
Jul 10 05:54:10 mailserver postfix/qmgr[337]: 2F1011DF016: from=<SaveYou12@3524.com>, size=2617, nrcpt=1 (queue active)
Jul 10 05:54:11 mailserver postfix/qmgr[337]: 604401DF017: from=<SaveYou12@3524.com>, size=5996, nrcpt=1 (queue active)
Jul 10 06:18:47 mailserver postfix/qmgr[337]: CFC061DF02F: from=<SaveYou65@0020.com>, size=2603, nrcpt=1 (queue active)
Jul 10 06:18:48 mailserver postfix/qmgr[337]: 589C41DF04B: from=<SaveYou65@0020.com>, size=5431, nrcpt=1 (queue active)
Jul 10 06:26:05 mailserver postfix/qmgr[337]: A013918A143: from=<SaveYou15@4841.com>, size=2610, nrcpt=1 (queue active)
Jul 10 06:26:07 mailserver postfix/qmgr[337]: 06A661DF05F: from=<SaveYou15@4841.com>, size=5441, nrcpt=1 (queue active)
Jul 10 07:01:05 mailserver postfix/qmgr[337]: DA0981DF062: from=<SaveYou42@7284.com>, size=2610, nrcpt=1 (queue active)
Jul 10 07:01:07 mailserver postfix/qmgr[337]: 738E71DF067: from=<SaveYou42@7284.com>, size=5822, nrcpt=1 (queue active)

If the sender would be the same address over and over again, this could be easily added into a blacklist, but as you can see, the sender and domain names change frequently. SpamAssassin offers a blacklist_from feature, but unfortunately regular expressions are not allowed:

Whitelist and blacklist addresses are now file-glob-style patterns, so friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, * and ? are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons.

However writing a regular expression rule which detects such "digit only domains" can help to quickly identify the incoming mail as spam:

header CK_4DIGIT_SPAM_ADDRESS   From =~ /\b\S*\@\d\d\d\d\.[a-zA-Z]*/i
describe CK_4DIGIT_SPAM_ADDRESS Only 4 digit domain name, almost certainly spam domains
score CK_4DIGIT_SPAM_ADDRESS    7.0

In this rule called "CK_4DIGIT_SPAM_ADDRESS" the from address is analyzed and is checked for an exact match of four digits as domain name. Adding a score of 7.0 should tag the mail immediately as spam.

An additional rule "CK_ONLY_DIGIT_DOMAIN" was created to identify domain names only using digits (not fixed to four digits), however the scoring here was set lower:

header CK_ONLY_DIGIT_DOMAIN     From =~ /\b\S*\@\d*\.[a-zA-Z]*/i
describe CK_ONLY_DIGIT_DOMAIN   Only digits domain name, likely spam domains
score CK_ONLY_DIGIT_DOMAIN      4.0

Using mailbox filters (e.g. with Sieve) these mails now land directly in the customer's junk folder instead of bothering him.

These rules are part of the 75_ckrules.cf file, which is publicly shared on GitHub.