Newish domains scoring

Tracy Greggs mailscanner-list at
Fri Oct 20 15:27:55 UTC 2023

SEM is not well maintained in MY opinion.  Far from it.  I gave up.

For $40 USD/month we get a daily CSV from that has two 
columns.  Creation date and domain name.  Creation date is hugely 
important to me.

The problem with SEM is they are pulling the wrong freaking data and 
listing domains that were created years ago, rendering it useless to me.

So I wrote a couple of scripts and dump it daily to MariaDB and then 
take the last "x" days, 45 in my case, and dump them to an RBLDNS 
formatted file then my shell script refires rbldnsd and flushes the bind 
cache.  I flush data with creation dates older than 60 days.  I'm 
keeping the DB at 60 days in case I want to change my rbl from 45 to 60 

This has another angle too, we have over 100 domains in our account via 
UDRP suits.  I do some daily searches of my NRD database and send myself 
a report on any matches for copycat domain names.   I would rather know 
the punching is coming and where it is coming from rather than wait to 
get hit.

This works perfectly.

Excerpt from my daily email report:


206,375 Domains Added to NRDCD Database
117,387 Domains Deleted from NRDCD Database

7,888,146 Domain Names Written to 45 Days RBLDNSD File

10,358,902 Total Domains In Database


And so for example,  and know that my "fake" rbl zone is 

time nslookup

Non-authoritative answer:
real    0m0.024s
user    0m0.022s
sys     0m0.001s

And if that isn't fast enough, I don't know what to tell you.

If you have any questions, would like a copy of my scripts etc, feel 
free to reach out to me directly.

Tracy Greggs - tgreggs at insuredaircraft dot com

------ Original Message ------
>From mailscanner at
To "Peter Farrow via MailScanner" <mailscanner at>
Date 10/20/2023 10:07:23 AM
Subject Re: Newish domains scoring

>Hi Peter!
>I am trying to achieve the same but think it's not working, not sure if that service is still working? The latest news on the website is from 2017, the  documentation at SEM is somewhat basic,
>The only thing I did was to add to /etc/mail/spamassassin/ the lines below and nothing beyond that (did I miss something?) :
>header    RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', '')
>describe  RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER
>header    RCVD_IN_SEMBLACK eval:check_rbl('semblack-lastexternal', '')
>tflags    RCVD_IN_SEMBLACK net
>describe  RCVD_IN_SEMBLACK Received from an IP listed by SEM-BLACK
>score     RCVD_IN_SEMBLACK 0.5
>urirhssub SEM_FRESHZERO A 2
>body      SEM_FRESHZERO eval:check_uridnsbl('SEM_FRESHZERO')
>describe  SEM_FRESHZERO Contains a domain never seen before
>tflags    SEM_FRESHZERO net
>score     SEM_FRESHZERO 0.5
>urirhssub SEM_FRESH A 2
>body      SEM_FRESH eval:check_uridnsbl('SEM_FRESH')
>describe  SEM_FRESH Contains a domain registered less than 5 days ago
>tflags    SEM_FRESH net
>score     SEM_FRESH 0.5
>urirhssub SEM_FRESH10 A 2
>body      SEM_FRESH10 eval:check_uridnsbl('SEM_FRESH10')
>describe  SEM_FRESH10 Contains a domain registered less than 10 days ago
>tflags    SEM_FRESH10 net
>score     SEM_FRESH10 0.5
>urirhssub SEM_FRESH15 A 2
>body      SEM_FRESH15 eval:check_uridnsbl('SEM_FRESH15')
>describe  SEM_FRESH15 Contains a domain registered less than 15 days ago
>tflags    SEM_FRESH15 net
>score     SEM_FRESH15 0.5
>urirhssub SEM_FRESH30 A 2
>body      SEM_FRESH30 eval:check_uridnsbl('SEM_FRESH30')
>describe  SEM_FRESH30 Contains a domain registered less than 30 days ago
>tflags    SEM_FRESH30 net
>score     SEM_FRESH30 0.5
>urirhssub SEM_URI A 2
>body      SEM_URI eval:check_uridnsbl('SEM_URI')
>describe  SEM_URI Contains a URI listed by SEM-URI
>tflags    SEM_URI net
>score     SEM_URI 0.5
>urirhssub SEM_URIRED A 2
>body      SEM_URIRED eval:check_uridnsbl('SEM_URIRED')
>describe  SEM_URIRED Contains a URI listed by SEM-URIRED
>tflags    SEM_URIRED net
>score     SEM_URIRED 0.5
>On Wed, 10 May 2023, Peter Farrow via MailScanner wrote:
>>Try these:
>>SEM-FRESH  etc for domains registered recently.
>>On 10/05/2023 21:51, Tracy Greggs via MailScanner wrote:
>>       I know this is a question for the SA users group but I wanted to throw it in here in the even anyone has any ideas or existing solutions.
>>So, here we go.
>>We almost never get any phishing email from domains over 1 year old.
>>We get a lot of phishing email from domains less than 1 year old.
>>I would love to be able to have an accurate way of scoring up email from domains less than fill in the blank days old.  In my case 380 days.  This way we could review them for validity and release them if they are good.
>>An accurate way of performing this check would save us quite a bit of grief.
>>Ideas or solutions to this anyone?
>>Peter Farrow BEng(hons) BBC ETSI
>>Office: 01249 736180 |
>>Mobile: +44 (0) 7799605617
>>Email: MailScanner has detected a possible fraud attempt from "mail:peter.farrow at" claiming to be peter.farrow at
>>[icon_fb_togethia.png] [icon_togwthia_skype.png]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the MailScanner mailing list