[At-Large] Fwd: [technical-issues] Banning .xyz email from my company's servers

bzs at theworld.com bzs at theworld.com
Fri Mar 18 19:50:43 UTC 2016

On March 17, 2016 at 13:26 evan at telly.org (Evan Leibovitch) wrote:
 > It's all in the balance, I guess.
 > On a very high-volume site, the scoring of each incoming mail -- which
 > requires examining content and evaluating it against what could be a complex
 > ruleset -- presents a potentially significant drain on resources. If a
 > reasonable judgment is made that a TLD is a source of no significant non-spam,
 > then it's far more efficient to just block on the TLD.

That's true. For example we block many nets based on just the IP
address and those connections are just dropped nearly instantly.

Also pattern matches of sending hosts. For example not accepting
anything coming from a host which appears to be an end-user (dhcp-.*,
ppp-.*, host names which look like ip addresss like that sort of thing) tho generally there's a
little more qualification than that, end-user networks which have been
sources of spam.

So the recommendation was fairly specific to the example given.

I'm resistant to dropping an entire TLD and try to use more focused
methods such as raising their base spamassassin score or, well, we
have a lot of tools like testing regular expressions on Subject:
lines, From addresses.

Hint: Don't ever open an account with a user name containing the name
of any erectile dysfunction medication or variant thereof (e.g.,
replacing 'i' with 1) and expect me to ever see your mail!

 > It's certainly not uncommon for people or organizations to say "if you want to
 > communicate with me you need to do so in a way that is acceptable to me". The
 > requirements could mean (in descending level of complexity) a local set of
 > rules, or not being on the spamhaus black list, or not using an undesired TLD.
 > Olivier's issue of bounce messages might be appropriate ... if the recipient
 > of the bounce messages cared at all. I imagine most spamming sites would just
 > drop them.
 > Arguably that "drastic" action -- cutting off access from a whole TLD --
 > provides a market-based incentive for that TLD to clean up its act. If enough
 > of the world won't accept mail from a TLD, theoretically its sales would drop
 > and there would be a financial incentive to fix that.

You're an optimist :-)

That assumes a lot of the net would block them which I suspect is not
the case.

But there have been analogues, some quite troublesome.

For example organizations buying returned IP address blocks only to
find they're in many, many spam databases. Probably why they were

 > In the absence of any regulatory enforcement of abuse complaints, this is as
 > effective an agent of change as one can hope for.
 > Universal Acceptance is ICANN's begging the world to live with the products of
 > its TLD expansion, no matter how awful they may be. But given ICANN's lack of
 > any real end-user protections (led by identifiable Board members who believe
 > that end-users are not legitimate stakeholders), this is really the only tool
 > available with which to fight back.

There are other tools but point taken.

Another aspect is that with 90+% of all email being spam and as I said
earlier typical "real" spammers sending on the order of a billion
messages per day there is the issue of bandwidth and resources in

It's very nice to have strong gates when the barbarians are at the
gate but who paid for those gates and, more importantly, there are
barbarians out there!

I could show you logs of spammers, for example, sending to generated
names such as aaaa at theworld.com, aaab at theworld.com, aaac at theworld.com,
etc, millions of them, for days or weeks, until they're just blocked
at the IP level.

And then a customer asks why it took 20 minutes for an email to get to
them or why some path they're using (e.g., interactive web site) is so

Maybe it's all the spam trying to travel along the same path?!?!

People tend to think of this problem only in terms of their own
mailbox, what spam they did or didn't see, which is understandable.

At a governance level we need to also think about the mind-boggling
resource consumption and waste of human resources caused by spam.

And the inherent criminality of course, fraud etc.

Now if you will all open your psalters to page 334 we will...

 > - Evan 
 > On 17 March 2016 at 05:32, <bzs at theworld.com> wrote:
 >     [is this OT, how did this start?]
 >     I use spamassassin system-wide to increase the spam score of a message
 >     from certain TLDs to near the threshold where it's just rejected.
 >     So for example in local.cf I add a rule like:
 >     header DOTTOP_RULE              From =~ /.*\.top/i
 >     describe DOTTOP_RULE            BZS 20160226
 >     score DOTTOP_RULE               2.5
 >     which means just having a .TOP TLD in the From gives it a base score
 >     of 2.5, so it wouldn't take much more, tripping some other
 >     spamassassin rules, to just get it blocked entirely.
 >     But it means in theory a very non-spammy msg from that TLD might still
 >     get through.
 >     --
 >             -Barry Shein
 >     Software Tool & Die    | bzs at TheWorld.com             | http://
 >     www.TheWorld.com
 >     Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
 >     The World: Since 1989  | A Public Information Utility | *oo*
 >     _______________________________________________
 >     At-Large mailing list
 >     At-Large at atlarge-lists.icann.org
 >     https://atlarge-lists.icann.org/mailman/listinfo/at-large
 >     At-Large Official Site: http://atlarge.icann.org
 > --
 > Evan Leibovitch
 > Geneva, CH
 >     Em: evan at telly dot org
 >     Sk: evanleibovitch
 >     Tw: el56

        -Barry Shein

Software Tool & Die    | bzs at TheWorld.com             | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD       | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*

More information about the At-Large mailing list