# new TLDs used for spamming
# https://www.spamhaus.org/statistics/tlds/
# http://www.surbl.org/tld
# https://ntldstats.com/fraud
# https://dnslytics.com/tld

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval

enlist_addrlist (SUSP_NTLD) *@*.icu
enlist_addrlist (SUSP_NTLD) *@*.online
enlist_addrlist (SUSP_NTLD) *@*.work
enlist_addrlist (SUSP_NTLD) *@*.date
enlist_addrlist (SUSP_NTLD) *@*.top
enlist_addrlist (SUSP_NTLD) *@*.fun
enlist_addrlist (SUSP_NTLD) *@*.life
enlist_addrlist (SUSP_NTLD) *@*.review
enlist_addrlist (SUSP_NTLD) *@*.xyz
enlist_addrlist (SUSP_NTLD) *@*.bid
enlist_addrlist (SUSP_NTLD) *@*.stream
enlist_addrlist (SUSP_NTLD) *@*.site
enlist_addrlist (SUSP_NTLD) *@*.space
enlist_addrlist (SUSP_NTLD) *@*.gdn
enlist_addrlist (SUSP_NTLD) *@*.click
enlist_addrlist (SUSP_NTLD) *@*.pro
enlist_addrlist (SUSP_NTLD) *@*.world

header   __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
reuse    __FROM_ADDRLIST_SUSPNTLD

header   __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
reuse    __REPLYTO_ADDRLIST_SUSPNTLD

meta     FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
tflags   FROM_SUSPICIOUS_NTLD publish
describe FROM_SUSPICIOUS_NTLD From abused NTLD
score    FROM_SUSPICIOUS_NTLD 0.5 # limit
reuse    FROM_SUSPICIOUS_NTLD

meta     FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
tflags   FROM_NTLD_REPLY_FREEMAIL publish
describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
score    FROM_NTLD_REPLY_FREEMAIL 2.0 # limit
reuse    FROM_NTLD_REPLY_FREEMAIL

meta     FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
tflags   FROM_NTLD_LINKBAIT publish
describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
score    FROM_NTLD_LINKBAIT 2.0 # limit
reuse    FROM_NTLD_LINKBAIT

meta     GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags   GOOGLE_DRIVE_REPLY_BAD_NTLD publish
describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
score    GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
reuse    GOOGLE_DRIVE_REPLY_BAD_NTLD

body     __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
reuse    __PDS_SEO1
body     __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i
reuse    __PDS_SEO2

meta     SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
tflags   SEO_SUSP_NTLD publish
describe SEO_SUSP_NTLD SEO offer from suspicious TLD
score    SEO_SUSP_NTLD 1.2 # limit
reuse    SEO_SUSP_NTLD

body     __PDS_THIS_IS_ADV  /This is an advertisement\./
reuse    __PDS_THIS_IS_ADV

meta     THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __PDS_THIS_IS_ADV
tflags   THIS_IS_ADV_SUSP_NTLD publish
describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
score    THIS_IS_ADV_SUSP_NTLD 1.5 # limit
reuse    THIS_IS_ADV_SUSP_NTLD

meta     BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
tflags   BULK_RE_SUSP_NTLD publish
describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
score    BULK_RE_SUSP_NTLD 1.0 # limit
reuse    BULK_RE_SUSP_NTLD

meta     SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
tflags   SHORT_IMG_SUSP_NTLD publish
describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
score    SHORT_IMG_SUSP_NTLD 1.5 # limit
reuse    SHORT_IMG_SUSP_NTLD

header   __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i
reuse    __VPSNUMBERONLY_TLD

meta     VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
tflags   VPS_NO_NTLD publish
describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD
score    VPS_NO_NTLD 1.0 # limit
reuse    VPS_NO_NTLD

body     __PDS_OFFER_ONLY_AMERICA /This offer (is )?(only )?for (United States|USA)/i

meta     OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
describe OFFER_ONLY_AMERICA Offer only available to US
score    OFFER_ONLY_AMERICA 2.0 # limit
reuse    OFFER_ONLY_AMERICA

body     __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i

meta     SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
describe SENT_TO_EMAIL_ADDR Email was sent to email address
score    SENT_TO_EMAIL_ADDR 2.0 # limit
reuse    SENT_TO_EMAIL_ADDR

body     __PDS_EXPIRATION_NOTICE /\bexpiration (notice|alert|date)\b/i

meta     SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
describe SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
score    SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit
reuse    SUSPNTLD_EXPIRATION_EXTORT

endif
endif