.BEST TLD - Spam Like the Best
I’ve made the decision to go ahead and block another one of those pesky new gTLDs that are seemingly exclusively used by malicious actors. Email delivery from .best domains will no longer get past any spam filter under my control.
An inbound mail server showing spam delivered from .best domains.
A quick rundown
Upon closer inspection of this month’s spam campaign, a familiar pattern emerged:
- Domain names are seemingly assembled from random words.
- Every domain I checked was registered with Namecheap.
- Every domain I checked was anonymized behind Cloudflare.
- Predominantly using Turkish based hosting services to deliver e-mail spam.
- Domain names were suspended after a month, give or take.
- Using the same M.O. as seen with the .icu tld spam campaigns.
.Best TLD from BestTLD Pty Ltd.
Block spam from .best domains with Postfix
With Postfix, you may add or edit /etc/postfix/reject_domains to identify .best domains using a simple regular expression:
# /etc/postfix/reject_domains /\.best$/ REJECT We don't talk to .best domains
Proceed to edit the main Postfix configuration and append the regexp lookup to the smtpd_sender_restrictions policy:
# /etc/postfix/main.cf smtpd_sender_restrictions = pcre:/etc/postfix/reject_domains
Restart Postfix, and we’re good to go.
Block spam from .best domains with Sendmail
With Sendmail, you may use the access database to reject messages from .best domains. Simply edit /etc/mail/access and add a reject statement at the end of the file:
# /etc/mail/access best ERROR:"550 We don't talk to .best domains"
Finally, we’ll use makemap to rebuild the access database with the following command:
makemap hash /etc/mail/access.db < /etc/mail/access
And that’s all she wrote for .best domain spam.