# new TLDs used for spamming
# https://www.spamhaus.org/statistics/tlds/
# http://www.surbl.org/tld
# https://ntldstats.com/fraud
# https://dnslytics.com/tld

if (version >= 3.004002)
ifplugin Mail::SpamAssassin::Plugin::WLBLEval

enlist_addrlist (SUSP_NTLD) *@*.icu
enlist_addrlist (SUSP_NTLD) *@*.online
enlist_addrlist (SUSP_NTLD) *@*.work
enlist_addrlist (SUSP_NTLD) *@*.date
enlist_addrlist (SUSP_NTLD) *@*.top
enlist_addrlist (SUSP_NTLD) *@*.fun
enlist_addrlist (SUSP_NTLD) *@*.life
enlist_addrlist (SUSP_NTLD) *@*.review
enlist_addrlist (SUSP_NTLD) *@*.bid
enlist_addrlist (SUSP_NTLD) *@*.stream
enlist_addrlist (SUSP_NTLD) *@*.gdn
enlist_addrlist (SUSP_NTLD) *@*.click
enlist_addrlist (SUSP_NTLD) *@*.world
enlist_addrlist (SUSP_NTLD) *@*.fit
enlist_addrlist (SUSP_NTLD) *@*.ooo
enlist_addrlist (SUSP_NTLD) *@*.faith
enlist_addrlist (SUSP_NTLD) *@*.buzz
enlist_addrlist (SUSP_NTLD) *@*.trade
enlist_addrlist (SUSP_NTLD) *@*.cyou
enlist_addrlist (SUSP_NTLD) *@*.vip

enlist_uri_host (SUSP_URI_NTLD) icu
enlist_uri_host (SUSP_URI_NTLD) online
enlist_uri_host (SUSP_URI_NTLD) work
enlist_uri_host (SUSP_URI_NTLD) date
enlist_uri_host (SUSP_URI_NTLD) top
enlist_uri_host (SUSP_URI_NTLD) fun
enlist_uri_host (SUSP_URI_NTLD) life
enlist_uri_host (SUSP_URI_NTLD) review
enlist_uri_host (SUSP_URI_NTLD) bid
enlist_uri_host (SUSP_URI_NTLD) stream
enlist_uri_host (SUSP_URI_NTLD) gdn
enlist_uri_host (SUSP_URI_NTLD) click
enlist_uri_host (SUSP_URI_NTLD) world
enlist_uri_host (SUSP_URI_NTLD) fit
enlist_uri_host (SUSP_URI_NTLD) ooo
enlist_uri_host (SUSP_URI_NTLD) faith
enlist_uri_host (SUSP_URI_NTLD) buzz
enlist_uri_host (SUSP_URI_NTLD) trade
enlist_uri_host (SUSP_URI_NTLD) cyou
enlist_uri_host (SUSP_URI_NTLD) vip

enlist_uri_host (SUSP_URI_NTLD_PRO) pro
header   PDS_PRO_TLD eval:check_uri_host_listed('SUSP_URI_NTLD_PRO')
score    PDS_PRO_TLD 1.0
describe PDS_PRO_TLD .pro TLD

header   __FROM_ADDRLIST_SUSPNTLD eval:check_from_in_list('SUSP_NTLD')
reuse    __FROM_ADDRLIST_SUSPNTLD

header   __REPLYTO_ADDRLIST_SUSPNTLD eval:check_replyto_in_list('SUSP_NTLD')
reuse    __REPLYTO_ADDRLIST_SUSPNTLD

header   PDS_OTHER_BAD_TLD eval:check_uri_host_listed('SUSP_URI_NTLD')
score    PDS_OTHER_BAD_TLD 2.0
describe PDS_OTHER_BAD_TLD Untrustworthy TLDs

meta     FROM_SUSPICIOUS_NTLD __FROM_ADDRLIST_SUSPNTLD
tflags   FROM_SUSPICIOUS_NTLD publish
describe FROM_SUSPICIOUS_NTLD From abused NTLD
score    FROM_SUSPICIOUS_NTLD 0.5 # limit
reuse    FROM_SUSPICIOUS_NTLD

meta     FROM_SUSPICIOUS_NTLD_FP __FROM_ADDRLIST_SUSPNTLD && !__HAS_SENDER && !__HAS_IN_REPLY_TO && !__HAS_X_MAILING_LIST
tflags   FROM_SUSPICIOUS_NTLD_FP publish
describe FROM_SUSPICIOUS_NTLD_FP From abused NTLD
score    FROM_SUSPICIOUS_NTLD_FP 2.0 # limit

meta     FROM_NTLD_REPLY_FREEMAIL FREEMAIL_FORGED_REPLYTO && __FROM_ADDRLIST_SUSPNTLD
tflags   FROM_NTLD_REPLY_FREEMAIL publish
describe FROM_NTLD_REPLY_FREEMAIL From abused NTLD and Reply-To is FREEMAIL
score    FROM_NTLD_REPLY_FREEMAIL 2.0 # limit

meta     FROM_NTLD_LINKBAIT __LCL__KAM_BODY_LENGTH_LT_512 && __FROM_ADDRLIST_SUSPNTLD && __BODY_URI_ONLY
tflags   FROM_NTLD_LINKBAIT publish
describe FROM_NTLD_LINKBAIT From abused NTLD with little more than a URI
score    FROM_NTLD_LINKBAIT 2.0 # limit

meta     GOOGLE_DRIVE_REPLY_BAD_NTLD __PDS_GOOGLE_DRIVE_SHARE && __REPLYTO_ADDRLIST_SUSPNTLD
tflags   GOOGLE_DRIVE_REPLY_BAD_NTLD publish
describe GOOGLE_DRIVE_REPLY_BAD_NTLD From Google Drive and Reply-To is from a suspicious TLD
score    GOOGLE_DRIVE_REPLY_BAD_NTLD 1.0 # limit
reuse    GOOGLE_DRIVE_REPLY_BAD_NTLD

body     __PDS_SEO1 /(?:top|first page|1st) (?:(?:results|rank(?:ing)?) )?(?:in|of|on) (?:Google|MSN|Yahoo|Bing)|rank number one|top page rank|guarantee you 1st|link.building/i
body     __PDS_SEO2 /losing your (?:[a-z]+ )?(?:rank(?:ing)?|results)|rank well on [a-z]+\b/i

meta     SEO_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && (__PDS_SEO1 + __PDS_SEO2 >= 1)
tflags   SEO_SUSP_NTLD publish
describe SEO_SUSP_NTLD SEO offer from suspicious TLD
score    SEO_SUSP_NTLD 1.2 # limit

meta     THIS_IS_ADV_SUSP_NTLD __FROM_ADDRLIST_SUSPNTLD && __ADMITS_SPAM
tflags   THIS_IS_ADV_SUSP_NTLD publish
describe THIS_IS_ADV_SUSP_NTLD This is an advertisement from a suspicious TLD
score    THIS_IS_ADV_SUSP_NTLD 1.5 # limit

meta     BULK_RE_SUSP_NTLD __SUBJ_RE && __ML1 && __FROM_ADDRLIST_SUSPNTLD
tflags   BULK_RE_SUSP_NTLD publish
describe BULK_RE_SUSP_NTLD Precedence bulk and RE: from a suspicious TLD
score    BULK_RE_SUSP_NTLD 1.0 # limit

meta     SHORT_IMG_SUSP_NTLD __LCL__KAM_BODY_LENGTH_LT_1024 && __HTML_LINK_IMAGE && __FROM_ADDRLIST_SUSPNTLD
tflags   SHORT_IMG_SUSP_NTLD publish
describe SHORT_IMG_SUSP_NTLD Short HTML + image + suspicious TLD
score    SHORT_IMG_SUSP_NTLD 1.5 # limit

header   __VPSNUMBERONLY_TLD From:addr =~ /\@vps[0-9]{4,}\.[a-z]+$/i

meta     VPS_NO_NTLD __VPSNUMBERONLY_TLD && __FROM_ADDRLIST_SUSPNTLD
tflags   VPS_NO_NTLD publish
describe VPS_NO_NTLD vps[0-9] domain at a suspiscious TLD
score    VPS_NO_NTLD 1.0 # limit
reuse    VPS_NO_NTLD

body     __PDS_OFFER_ONLY_AMERICA /This offer (?:is )?(?:only )?for (?:United States|USA)/i

meta     OFFER_ONLY_AMERICA __FROM_ADDRLIST_SUSPNTLD && __PDS_OFFER_ONLY_AMERICA
describe OFFER_ONLY_AMERICA Offer only available to US
score    OFFER_ONLY_AMERICA 2.0 # limit

body     __PDS_SENT_TO_EMAIL_ADDR /This message was sent to Email Address\./i

meta     SENT_TO_EMAIL_ADDR __FROM_ADDRLIST_SUSPNTLD && __PDS_SENT_TO_EMAIL_ADDR
describe SENT_TO_EMAIL_ADDR Email was sent to email address
score    SENT_TO_EMAIL_ADDR 2.0 # limit

body     __PDS_EXPIRATION_NOTICE /\bexpiration (?:notice|alert|date)\b/i

meta     SUSPNTLD_EXPIRATION_EXTORT LOTS_OF_MONEY && __PDS_EXPIRATION_NOTICE && __FROM_ADDRLIST_SUSPNTLD
describe SUSPNTLD_EXPIRATION_EXTORT Susp NTLD with an expiration notice and lotsa money
score    SUSPNTLD_EXPIRATION_EXTORT 2.0 # limit

meta     PDS_BTC_NTLD ( __BITCOIN_ID && __FROM_ADDRLIST_SUSPNTLD )
describe PDS_BTC_NTLD Bitcoin suspect NTLD
score    PDS_BTC_NTLD 2.0 # limit

endif
endif