<html><head>

<style id="css_styles" type="text/css"><!--blockquote.cite { margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc }
blockquote.cite2 {margin-left: 5px; margin-right: 0px; padding-left: 10px; padding-right:0px; border-left: 1px solid #cccccc; margin-top: 3px; padding-top: 0px; }
a img { border: 0px; }
li[style='text-align: center;'], li[style='text-align: center; '], li[style='text-align: right;'], li[style='text-align: right; '] {  list-style-position: inside;}
body { font-family: 'Segoe UI'; font-size: 12pt; }
.quote { margin-left: 1em; margin-right: 1em; border-left: 5px #ebebeb solid; padding-left: 0.3em; }
--></style></head>
<body><div>SEM is not well maintained in MY opinion.  Far from it.  I gave up.</div><div><br /></div><div>For $40 USD/month we get a daily CSV from whoisds.com that has two columns.  Creation date and domain name.  Creation date is hugely important to me.</div><div><br /></div><div>The problem with SEM is they are pulling the wrong freaking data and listing domains that were created years ago, rendering it useless to me.</div><div><br /></div><div>So I wrote a couple of scripts and dump it daily to MariaDB and then take the last "x" days, 45 in my case, and dump them to an RBLDNS formatted file then my shell script refires rbldnsd and flushes the bind cache.  I flush data with creation dates older than 60 days.  I'm keeping the DB at 60 days in case I want to change my rbl from 45 to 60 days.</div><div><br /></div><div>This has another angle too, we have over 100 domains in our account via UDRP suits.  I do some daily searches of my NRD database and send myself a report on any matches for copycat domain names.   I would rather know the punching is coming and where it is coming from rather than wait to get hit.</div><div><br /></div><div>This works perfectly.</div><div><br /></div><div>Excerpt from my daily email report:</div><div><br /></div><div>----</div><div><br /></div><div><div id="x276258c4c1c640c5b3d559cd04503d64">206,375 Domains Added to NRDCD Database <br />117,387 Domains Deleted from NRDCD Database<br /><br />7,888,146 Domain Names Written to 45 Days RBLDNSD File<br /><br />10,358,902 Total Domains In Database</div></div><div id="x276258c4c1c640c5b3d559cd04503d64"><br /></div><div id="x276258c4c1c640c5b3d559cd04503d64">----</div><div id="x276258c4c1c640c5b3d559cd04503d64"><br /></div>
<div style="clear:both">And so for example, zzzso.top  and know that my "fake" rbl zone is clients.blocked.rbl</div><div style="clear:both"><br /></div><div style="clear:both">time nslookup zzzso.top.clients.blocked.rbl
</div><div style="clear:both"><br /></div><div style="clear:both">Server:         172.16.0.242
</div><div style="clear:both">Address:        172.16.0.242#53
</div><div style="clear:both">
</div><div style="clear:both">Non-authoritative answer:
</div><div style="clear:both">Name:   zzzso.top.clients.blocked.rbl
</div><div style="clear:both">Address: 127.0.0.4
</div><div style="clear:both">
</div><div style="clear:both">
</div><div style="clear:both">real    0m0.024s
</div><div style="clear:both">user    0m0.022s
</div><div style="clear:both">sys     0m0.001s</div><div style="clear:both"><br /></div><div style="clear:both"><br /></div><div style="clear:both">And if that isn't fast enough, I don't know what to tell you.</div><div style="clear:both"><br /></div><div style="clear:both">If you have any questions, would like a copy of my scripts etc, feel free to reach out to me directly.</div><div style="clear:both"><br /></div><div style="clear:both">Regards,</div><div style="clear:both">Tracy Greggs - tgreggs at insuredaircraft dot com</div><div style="clear:both"><br /></div><div style="clear:both"><br /></div><div style="clear:both"><br /></div><div style="clear:both"><br /></div><div style="clear:both"><br /></div>
<div><br /></div>
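<div>Added example, not part of the original message and not the author's own scripts: one way to turn a creation-date/domain CSV into an rbldnsd dnset data file for a 45-day window that answers 127.0.0.4, as described above. The CSV column order and date format, the sample rows, and the function names are assumptions; feed rows are validated because a stray line starting with ":" would be read by rbldnsd as a directive rather than a domain.</div>

```python
import csv
import io
import os
import re
from datetime import date

ZONE_VALUE = "127.0.0.4"  # A record returned in the nslookup output above
WINDOW_DAYS = 45          # listing window named in the message
# Hostname syntax check: feed text is untrusted and lands in a zone file.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")

# Constructed sample feed; the column order (creation date, domain) and the
# ISO date format are assumptions about the CSV layout.
SAMPLE_CSV = """\
2023-10-18,zzzso.top
2023-09-10,Example-Shop.com
2023-08-01,too-old.example
not-a-date,broken.example
2023-10-19,:127.0.0.1:injected
2023-10-18,zzzso.top
"""

def build_dnset(feed, today, window=WINDOW_DAYS, value=ZONE_VALUE):
    """Return (zone_text, rejected_rows) for an rbldnsd dnset data file."""
    listed, rejected = set(), []
    for row in csv.reader(feed):
        try:
            created, domain = row
            age = (today - date.fromisoformat(created.strip())).days
        except ValueError:          # wrong column count or unparsable date
            rejected.append(row)
            continue
        domain = domain.strip().lower().rstrip(".")
        if not DOMAIN_RE.match(domain):
            rejected.append(row)    # would otherwise corrupt the zone file
        elif age in range(window):  # age 0..window-1; older or future-dated dropped
            listed.add(domain)
    header = f":{value}:Domain registered in the last {window} days"
    return "\n".join([header, *sorted(listed)]) + "\n", rejected

def write_atomic(path, text):
    """Swap the zone file in one rename so rbldnsd never reads half a file."""
    tmp = path + ".new"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)

if __name__ == "__main__":
    print(*build_dnset(io.StringIO(SAMPLE_CSV), date(2023, 10, 20)))
```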
<div>
<div>------ Original Message ------</div>
<div>From <a href="mailto:mailscanner@barendse.to">mailscanner@barendse.to</a></div>
<div>To "Peter Farrow via MailScanner" <<a href="mailto:mailscanner@lists.mailscanner.info">mailscanner@lists.mailscanner.info</a>></div>
<div>Date 10/20/2023 10:07:23 AM</div>
<div>Subject Re: Newish domains scoring</div></div><div><br /></div>
<div id="xfd4510ddd33e428" class="plain"><blockquote cite="a35f164-d5cf-c1bc-24d5-c5f56312a2c@barendse.to" type="cite" class="cite2">

<div class="plain_line">Hi Peter!</div>
<div class="plain_line"> </div>
<div class="plain_line">I am trying to achieve the same but think it's not working, not sure if that service is still working? The latest news on the website is from 2017, the documentation at SEM is somewhat basic.</div>
<div class="plain_line"> </div>
<div class="plain_line">The only thing I did was to add to /etc/mail/spamassassin/local.cf the lines below and nothing beyond that (did I miss something?) :</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-BACKSCATTER</div>
<div class="plain_line">header    RCVD_IN_SEMBACKSCATTER eval:check_rbl('sembackscatter-lastexternal', 'backscatter.spameatingmonkey.net')</div>
<div class="plain_line">tflags    RCVD_IN_SEMBACKSCATTER net</div>
<div class="plain_line">describe  RCVD_IN_SEMBACKSCATTER Received from an IP listed by SEM-BACKSCATTER</div>
<div class="plain_line">score     RCVD_IN_SEMBACKSCATTER 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-BLACK</div>
<div class="plain_line">header    RCVD_IN_SEMBLACK eval:check_rbl('semblack-lastexternal', 'bl.spameatingmonkey.net')</div>
<div class="plain_line">tflags    RCVD_IN_SEMBLACK net</div>
<div class="plain_line">describe  RCVD_IN_SEMBLACK Received from an IP listed by SEM-BLACK</div>
<div class="plain_line">score     RCVD_IN_SEMBLACK 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-FRESHZERO</div>
<div class="plain_line">urirhssub SEM_FRESHZERO freshzero.spameatingmonkey.net. A 2</div>
<div class="plain_line">body      SEM_FRESHZERO eval:check_uridnsbl('SEM_FRESHZERO')</div>
<div class="plain_line">describe  SEM_FRESHZERO Contains a domain never seen before</div>
<div class="plain_line">tflags    SEM_FRESHZERO net</div>
<div class="plain_line">score     SEM_FRESHZERO 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-FRESH</div>
<div class="plain_line">urirhssub SEM_FRESH fresh.spameatingmonkey.net. A 2</div>
<div class="plain_line">body      SEM_FRESH eval:check_uridnsbl('SEM_FRESH')</div>
<div class="plain_line">describe  SEM_FRESH Contains a domain registered less than 5 days ago</div>
<div class="plain_line">tflags    SEM_FRESH net</div>
<div class="plain_line">score     SEM_FRESH 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-FRESH10</div>
<div class="plain_line">urirhssub SEM_FRESH10 fresh10.spameatingmonkey.net. A 2</div>
<div class="plain_line">body      SEM_FRESH10 eval:check_uridnsbl('SEM_FRESH10')</div>
<div class="plain_line">describe  SEM_FRESH10 Contains a domain registered less than 10 days ago</div>
<div class="plain_line">tflags    SEM_FRESH10 net</div>
<div class="plain_line">score     SEM_FRESH10 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-FRESH15</div>
<div class="plain_line">urirhssub SEM_FRESH15 fresh15.spameatingmonkey.net. A 2</div>
<div class="plain_line">body      SEM_FRESH15 eval:check_uridnsbl('SEM_FRESH15')</div>
<div class="plain_line">describe  SEM_FRESH15 Contains a domain registered less than 15 days ago</div>
<div class="plain_line">tflags    SEM_FRESH15 net</div>
<div class="plain_line">score     SEM_FRESH15 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-FRESH30</div>
<div class="plain_line">urirhssub SEM_FRESH30 fresh30.spameatingmonkey.net. A 2</div>
<div class="plain_line">body      SEM_FRESH30 eval:check_uridnsbl('SEM_FRESH30')</div>
<div class="plain_line">describe  SEM_FRESH30 Contains a domain registered less than 30 days ago</div>
<div class="plain_line">tflags    SEM_FRESH30 net</div>
<div class="plain_line">score     SEM_FRESH30 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-URI</div>
<div class="plain_line">urirhssub SEM_URI uribl.spameatingmonkey.net. A 2</div>
<div class="plain_line">body      SEM_URI eval:check_uridnsbl('SEM_URI')</div>
<div class="plain_line">describe  SEM_URI Contains a URI listed by SEM-URI</div>
<div class="plain_line">tflags    SEM_URI net</div>
<div class="plain_line">score     SEM_URI 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"># SEM-URIRED</div>
<div class="plain_line">urirhssub SEM_URIRED urired.spameatingmonkey.net. A 2</div>
<div class="plain_line">body      SEM_URIRED eval:check_uridnsbl('SEM_URIRED')</div>
<div class="plain_line">describe  SEM_URIRED Contains a URI listed by SEM-URIRED</div>
<div class="plain_line">tflags    SEM_URIRED net</div>
<div class="plain_line">score     SEM_URIRED 0.5</div>
<div class="plain_line"> </div>
<div class="plain_line"> </div>
<div class="plain_line"> </div>
<div class="plain_line">Thanks!!</div>
<div class="plain_line"> </div>
<div class="plain_line"> </div>
<div class="plain_line">On Wed, 10 May 2023, Peter Farrow via MailScanner wrote:</div>
<div class="plain_line"> </div>
<blockquote type="cite" class="cite2">
<div class="plain_line"> </div>
<div class="plain_line">Try these:</div>
<div class="plain_line"> </div>
<div class="plain_line"><a href="https://spameatingmonkey.com/services">https://spameatingmonkey.com/services</a></div>
<div class="plain_line"> </div>
<div class="plain_line">SEM-FRESH  etc for domains registered recently.</div>
<div class="plain_line"> </div>
<div class="plain_line">On 10/05/2023 21:51, Tracy Greggs via MailScanner wrote:</div>
<div class="plain_line">I know this is a question for the SA users group but I wanted to throw it in here in the event anyone has any ideas or existing solutions.</div>
<div class="plain_line">So, here we go.</div>
<div class="plain_line"> </div>
<div class="plain_line">We almost never get any phishing email from domains over 1 year old.</div>
<div class="plain_line"> </div>
<div class="plain_line">We get a lot of phishing email from domains less than 1 year old.</div>
<div class="plain_line"> </div>
<div class="plain_line">I would love to be able to have an accurate way of scoring up email from domains less than fill in the blank days old.  In my case 380 days.  This way we could review them for validity and release them if they are good.</div>
<div class="plain_line"> </div>
<div class="plain_line">An accurate way of performing this check would save us quite a bit of grief.</div>
<div class="plain_line"> </div>
<div class="plain_line">Ideas or solutions to this anyone?</div>
<div class="plain_line"> </div>
<div class="plain_line"> </div>
<div class="plain_line">--</div>
<div class="plain_line">Peter Farrow BEng(hons) BBC ETSI</div>
<div class="plain_line">Office: 01249 736180 |</div>
<div class="plain_line">Mobile: +44 (0) 7799605617</div>
<div class="plain_line">Email: MailScanner has detected a possible fraud attempt from "mail:<a href="mailto:peter.farrow@togethia.net">peter.farrow@togethia.net</a>" claiming to be <a href="mailto:peter.farrow@togethia.net">peter.farrow@togethia.net</a></div>
<div class="plain_line">Website: <a href="http://www.togethia.it">www.togethia.it</a></div>
<div class="plain_line"> </div>
<div class="plain_line"> </div>
</blockquote>
</blockquote></div>


</body></html>