.Best TLD - Spam Like the Best

I've made the decision to go ahead and block another one of those pesky new gTLDs that are seemingly exclusively used by malicious actors. Email delivery from .best domains will no longer get past any spam filter under my control.

.best spam domains

An inbound mail server showing spam delivered from .best domains.

A quick rundown

Upon closer inspection of this month's spam campaign, a familiar pattern emerged:

  • Domain names are seemingly assembled from random words.
  • Every domain I checked was registered with Namecheap.
  • Every domain I checked was anonymized behind Cloudflare.
  • Predominantly using Turkish-based hosting services to deliver e-mail spam.
  • Domain names were suspended after a month, give or take.
  • Using the same M.O. as seen with the .icu TLD spam campaigns.

.Best TLD from BestTLD Pty Ltd


Anyhow, Namecheap is rapidly suspending .best domains and thus putting a damper on their business. As a side note, I also noticed that my own ISP has added a few .best domains to their self-maintained DNS blacklist.

Block spam from .best domains with Postfix

With Postfix, you may add or edit /etc/postfix/reject_domains to identify .best domains using a simple regular expression:

# /etc/postfix/reject_domains
/\.best$/ REJECT We don't talk to .best domains

Proceed to edit the main Postfix configuration and append the regexp lookup to the smtpd_sender_restrictions policy:

# /etc/postfix/main.cf
# Apply the table to the envelope sender (MAIL FROM) of each inbound message.
smtpd_sender_restrictions = check_sender_access pcre:/etc/postfix/reject_domains

Restart Postfix, and we're good to go.
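To see what the pattern above does and does not catch before it faces live mail, here is an added example (not part of the original post) that emulates a simplified subset of Postfix's pcre table lookup in Python. The sender addresses are constructed and the function names are hypothetical.

```python
import re

# Constructed copy of the rule from this post's /etc/postfix/reject_domains.
TABLE = r"""
# /etc/postfix/reject_domains
/\.best$/ REJECT We don't talk to .best domains
"""

# Simplified line format: optional "!", /pattern/, optional flags, action.
RULE = re.compile(r"^(!?)/(.*?)/([a-zA-Z]*)\s+(.+)$")

def load_table(text):
    """Parse '/pattern/flags action' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unsupported table line: {line!r}")
        negate, pattern, flags, action = m.groups()
        # Postfix pcre tables are case-insensitive by default; "i" toggles that.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((bool(negate), re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, sender):
    """Return the first matching rule's action, or None if nothing matches."""
    for negate, rx, action in rules:
        if bool(rx.search(sender)) != negate:
            return action
    return None

# Constructed envelope senders (MAIL FROM), not taken from real traffic.
SAMPLES = [
    "promo@random-words.best",        # plain .best sender
    "promo@Mail.Random-Words.BEST",   # upper case, subdomain
    "alice@bestbuy.example",          # "best" inside a label
    "bob@the.best.example",           # ".best" not at the end
    "carol@example.org",              # unrelated domain
]

def audit(samples=SAMPLES):
    rules = load_table(TABLE)
    return {s: lookup(rules, s) for s in samples}

if __name__ == "__main__":
    for sender, action in audit().items():
        print(f"{sender:32} {action or 'no match (passes this check)'}")
```

On the mail server itself, `postmap -q "promo@random-words.best" pcre:/etc/postfix/reject_domains` queries the real table with the same constructed address.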

Block spam from .best domains with Sendmail

With Sendmail, you may use the access database to reject messages from .best domains. Simply edit /etc/mail/access and add a reject statement at the end of the file:

# /etc/mail/access
best  ERROR:"550 We don't talk to .best domains"

Finally, we'll use makemap to rebuild the access database with the following command:

makemap hash /etc/mail/access.db < /etc/mail/access

And that's all she wrote for .best domain spam.

Roger Comply