How to protect your mailbox from spammers using only digit domains with SpamAssassin


Published on July 12th 2019 - Listed in Mail Linux


A customer reported a growing amount of incoming spam, all of it sent from domains consisting only of digits. A few examples from the Postfix log:

Jul 10 05:43:02 mailserver postfix/qmgr[337]: F05621DF040: from=<SaveYou92@0643.com>, size=2636, nrcpt=1 (queue active)
Jul 10 05:43:03 mailserver postfix/qmgr[337]: D2C611DF05D: from=<SaveYou92@0643.com>, size=5835, nrcpt=1 (queue active)
Jul 10 05:53:55 mailserver postfix/qmgr[337]: E24501DF016: from=<SaveYou76@1351.com>, size=2617, nrcpt=1 (queue active)
Jul 10 05:53:56 mailserver postfix/qmgr[337]: EAFA91DF017: from=<SaveYou76@1351.com>, size=5669, nrcpt=1 (queue active)
Jul 10 05:54:10 mailserver postfix/qmgr[337]: 2F1011DF016: from=<SaveYou12@3524.com>, size=2617, nrcpt=1 (queue active)
Jul 10 05:54:11 mailserver postfix/qmgr[337]: 604401DF017: from=<SaveYou12@3524.com>, size=5996, nrcpt=1 (queue active)
Jul 10 06:18:47 mailserver postfix/qmgr[337]: CFC061DF02F: from=<SaveYou65@0020.com>, size=2603, nrcpt=1 (queue active)
Jul 10 06:18:48 mailserver postfix/qmgr[337]: 589C41DF04B: from=<SaveYou65@0020.com>, size=5431, nrcpt=1 (queue active)
Jul 10 06:26:05 mailserver postfix/qmgr[337]: A013918A143: from=<SaveYou15@4841.com>, size=2610, nrcpt=1 (queue active)
Jul 10 06:26:07 mailserver postfix/qmgr[337]: 06A661DF05F: from=<SaveYou15@4841.com>, size=5441, nrcpt=1 (queue active)
Jul 10 07:01:05 mailserver postfix/qmgr[337]: DA0981DF062: from=<SaveYou42@7284.com>, size=2610, nrcpt=1 (queue active)
Jul 10 07:01:07 mailserver postfix/qmgr[337]: 738E71DF067: from=<SaveYou42@7284.com>, size=5822, nrcpt=1 (queue active)

If the sender were always the same address, it could simply be added to a blacklist, but as you can see, both the local part and the domain change frequently. SpamAssassin offers a blacklist_from feature, but unfortunately it does not accept regular expressions:

Whitelist and blacklist addresses are now file-glob-style patterns, so friend@somewhere.com, *@isp.com, or *.domain.net will all work. Specifically, * and ? are allowed, but all other metacharacters are not. Regular expressions are not used for security reasons.

However, a custom header rule with a regular expression that detects such "digit-only domains" can quickly identify this kind of incoming mail as spam:

# Matches a From address whose domain label directly after the @ is exactly four digits
# (this also matches a four-digit subdomain such as user@1234.example.com)
header CK_4DIGIT_SPAM_ADDRESS   From =~ /\b\S*\@\d\d\d\d\.[a-zA-Z]*/i
describe CK_4DIGIT_SPAM_ADDRESS Only 4 digit domain name, almost certainly spam domains
score CK_4DIGIT_SPAM_ADDRESS    7.0

This rule, named "CK_4DIGIT_SPAM_ADDRESS", examines the From header and matches when the domain name consists of exactly four digits. With a score of 7.0, a single hit already exceeds SpamAssassin's default required_score of 5.0, so the mail is tagged as spam immediately.

An additional rule, "CK_ONLY_DIGIT_DOMAIN", was created to identify domain names made up of any number of digits (not just four). Because this broader pattern is more likely to produce false positives, its score was set lower:

# Matches a From address whose domain label directly after the @ is one or more digits
# (\d+ instead of \d*, so that a malformed "@.com" alone does not trigger the rule)
header CK_ONLY_DIGIT_DOMAIN     From =~ /\b\S*\@\d+\.[a-zA-Z]*/i
describe CK_ONLY_DIGIT_DOMAIN   Only digits domain name, likely spam domains
score CK_ONLY_DIGIT_DOMAIN      4.0
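To check what the two rules above actually hit before deploying them, here is an added Python example (not part of the original post or of the 75_ckrules.cf rule set) that evaluates both regular expressions against a few From header values and sums the scores the way SpamAssassin would. The sample headers are constructed for this example; the first ones reuse addresses from the log lines above, the others probe edge cases. The required_score of 5.0 is SpamAssassin's default, and the second pattern uses \d+ for the all-digit rule.

```python
import re

# The two header rules from the post, expressed as Python regexes.  SpamAssassin
# evaluates them with Perl semantics; for these patterns Python's re module
# behaves the same way.  Order matters only for the reported hit list.
RULES = {
    "CK_4DIGIT_SPAM_ADDRESS": (re.compile(r"\b\S*\@\d\d\d\d\.[a-zA-Z]*", re.I), 7.0),
    "CK_ONLY_DIGIT_DOMAIN":   (re.compile(r"\b\S*\@\d+\.[a-zA-Z]*", re.I), 4.0),
}

REQUIRED_SCORE = 5.0  # SpamAssassin's default required_score


def score_from_header(from_header):
    """Return (total score, list of rule names that matched) for one From: value."""
    total = 0.0
    hits = []
    for name, (pattern, score) in RULES.items():
        if pattern.search(from_header):
            total += score
            hits.append(name)
    return total, hits


def is_spam(from_header):
    """True when the custom rules alone push the message over required_score."""
    return score_from_header(from_header)[0] >= REQUIRED_SCORE


# Constructed sample From: header values (not real mail).
SAMPLES = [
    "SaveYou92 <SaveYou92@0643.com>",    # address from the post's log lines
    "SaveYou76 <SaveYou76@1351.com>",    # address from the post's log lines
    "user@12345.com",                    # five digits: only the weaker rule fires
    "user@1234.example.com",             # four-digit subdomain label also matches
    "Jane Doe <jane@example.com>",       # ordinary address, no hit
    "12345678@example.net",              # numeric local part, not a numeric domain
    '"1234 Ltd" <billing@example.com>',  # digits in the display name are ignored
]


def evaluate_samples():
    """Map every sample header to its (score, hits) so the result can be inspected."""
    return {header: score_from_header(header) for header in SAMPLES}


if __name__ == "__main__":
    for header, (total, hits) in evaluate_samples().items():
        verdict = "SPAM" if total >= REQUIRED_SCORE else "ham "
        print("%s %4.1f %-40s %s" % (verdict, total, header, ",".join(hits)))
```

Note that a four-digit domain trips both rules, giving 11.0 in total, while a longer all-digit domain collects only the 4.0 of CK_ONLY_DIGIT_DOMAIN and still depends on other SpamAssassin rules to cross the threshold, which is exactly the intended difference in confidence between the two rules. The four-digit subdomain case is worth knowing about: the pattern anchors on the label directly after the @, not on the registrable domain.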

With a mailbox filter (e.g. Sieve) acting on the resulting spam flag, these mails now land directly in the customer's junk folder instead of bothering him.

These rules are part of the 75_ckrules.cf file, which is publicly shared on GitHub.

