One very prolific spammer keeps getting through by using new subdomains every other day.
These subdomains have functional SPF and DMARC records and even matching RDNS.
A wildcard filter like @*.sa.com does not seem to work, is there any other way to filter these?
Examples:
preacher@hallfate.sa.com
function@slowshare.sa.com
giraffe@drinktwin.sa.com
etc.
They always end with .sa.com, so a wildcard filter should be possible.
How to filter ever changing subdomains
Re: How to filter ever changing subdomains
Boozy,
There are a few defensive options.
By far the simplest one is NR 1,
1. Train Bayes, via the GUI, to learn these mails are spam.
2. Take a look at the IP ranges these mails are sent from and catch them. Works fine.
viewtopic.php?t=2659
3. The Block TLD issue with some examples. Go try
viewtopic.php?t=4260
or the drastic approach: Block the TLD at postfix level, just like mail coming from non-existent domains
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
Re: How to filter ever changing subdomains
1 - We have been training Bayes, it's not enough
2 - IP blocks are ineffective, with the sub-domains they change IPs, typically these are rented VPS's and they don't care if those are taken off-line within a day (probably using stolen credit-cards to pay for them)
3 - "sa.com" is not a TLD and filtering it as such does not work.
That said, I have worked around it by running my own recursive DNS servers and creating an entry for sa.com and adding a subdomain for *.sa.com that has a no-pass SPF record ("v=spf1 -all").
Whoever owns sa.com either makes mad money from spamming or has its domain controls hacked and doesn't care to fix them.
A two letter .com domain would sell for a pretty penny.
Re: How to filter ever changing subdomains
I was having the exact same problem with the same domain and also za.com and ru.com.
Training Bayes is not enough.
sa.com stands for Saudi Arabia, za.com for Zuid Afrika/South Africa and ru.com for Russia.
Anyone can register subdomains under them through different registrars out there.
I ended up blocking from *.sa.com, *.za.com and *.ru.com within EFA.
But with the risk of blocking legitimate emails.
Last edited by daxis on 22 Sep 2023 13:02, edited 2 times in total.
Re: How to filter ever changing subdomains
This subdomain system is horrendously easy to abuse. The ICANN needs to have a serious look at this but I'm afraid nothing will happen until big players like Google, Cisco, Microsoft, etc. start blocking them.
Re: How to filter ever changing subdomains
The commercial RBLs have a new domains filter.
You are unlikely to see legit mail from these scam sub domains anyway
Re: How to filter ever changing subdomains
Not only commercial ones.
But those spammers come fully prepared.
Besides having functional SPF and DMARC records and even matching RDNS most domains already exist for quite some time.
So they aren't in the new domain RBLs anymore.
Re: How to filter ever changing subdomains
Frustrating...
The domains and senders usually end up on the realtime (paid) lists fairly quickly.
I'd suggest rather than blocking the domains, create a custom spamassassin rule that scores messages from those domains quite high - like 4.0 so they are at an immediate disadvantage. Anything minor tips them over the threshold and they get marked as spam.
Spamassassin rules are actually quite easy to create successfully - if I can do it, then anyone can
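The scoring rule this post suggests, written out as an added example (not from the original thread or the EFA project). It assumes SpamAssassin's standard `local.cf` and the three reseller suffixes named elsewhere in the thread; the `LOCAL_` rule names are made up here.

```conf
# /etc/mail/spamassassin/local.cf (or the custom rules file your EFA install reads)
#
# Sub-rules prefixed with "__" carry no score; they only feed the meta rule below.
# ":addr" makes SpamAssassin compare the bare e-mail address, not the whole header.

# Visible From: address under hallfate.sa.com, drinktwin.sa.com, anything.za.com, ...
header   __LOCAL_SUBDOM_FROM   From:addr =~ /\.(?:sa|za|ru)\.com$/i

# Envelope sender (Return-Path), which is what SPF/DMARC actually validated
header   __LOCAL_SUBDOM_ENV    EnvelopeFrom:addr =~ /\.(?:sa|za|ru)\.com$/i

# Fire once if either address matches, so a message is never charged twice
meta     LOCAL_SUBDOM_RESELLER (__LOCAL_SUBDOM_FROM || __LOCAL_SUBDOM_ENV)
describe LOCAL_SUBDOM_RESELLER Sender under a two-letter .com subdomain reseller (sa.com, za.com, ru.com)

# 4.0 as suggested in the thread: below the usual 5.0 threshold on its own,
# so a legitimate mail still passes, but any other minor hit tips it into spam.
score    LOCAL_SUBDOM_RESELLER 4.0
```

Run `spamassassin --lint` after editing to catch syntax errors before restarting the daemon.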

Re: How to filter ever changing subdomains
I fixed it a different, maybe more elaborate, way.
What I've done is:
1 - disable recursive DNS on EFA
2 - created my own recursive DNS servers
3 - added the offending domains to my new DNS servers as if I'm authoritative
4 - added a * wildcard subdomain
5 - left the wildcard subdomain empty except for an SPF record with only "v=spf1 -all"
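The resolver side of steps 2 to 5, as an added BIND 9 example that is not the poster's own configuration; the file paths and the `ns1.resolver.example` names are placeholders.

```conf
// /etc/bind/named.conf.local on the private recursive resolver that EFA now uses.
// The server stays recursive for everything else; only sa.com is answered locally.
zone "sa.com" {
    type master;
    file "/etc/bind/db.sa.com.override";
};

; /etc/bind/db.sa.com.override  (zone file, ";" starts a comment here)
$TTL 3600
$ORIGIN sa.com.
@       IN SOA  ns1.resolver.example. hostmaster.resolver.example. (
                2023092201 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL
@       IN NS   ns1.resolver.example.

; Wildcard: every otherwise-unknown name under sa.com (hallfate, slowshare, ...)
; resolves to nothing but this TXT record, so the SPF check returns "fail"
; no matter what the spammer published at the real sa.com nameservers.
*       IN TXT  "v=spf1 -all"
```

Check it with `dig @<resolver-ip> hallfate.sa.com TXT +short`, which should return only "v=spf1 -all". Because the local zone shadows the real sa.com entirely, any record you still need from it (for example the MX of a legitimate correspondent) has to be added to this file by hand.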
Re: How to filter ever changing subdomains
That'll work 
