Mailing List Archive

Ten Minute emails domains
Good day Guys

This project was posted on kitploit.com, i.e. Whatbreach

https://www.kitploit.com/2019/06/whatbreach-osint-tool-to-find-breached.html

On further investigation I thought this would be a cool project to have
a SA plugin to query against.

https://github.com/Ekultek/WhatBreach/blob/master/etc/ten_minute_emails.lst

But the real reason for my posting is to ask / request, can
20_freemail_domains.cf be updated with the following free domains.

https://github.com/Ekultek/WhatBreach/blob/master/etc/ten_minute_emails.lst

Here you can see my rudimentary for loop checking which domains are not in
20_freemail_domains.cf

https://pastebin.com/raw/ihc6AvyF

Hope this helps.

Many thanks, regards
Brent Clark
Re: Ten Minute emails domains
On 6/24/19 11:56 AM, Brent Clark wrote:
> Good day Guys
>
> This project was posted on kitploit.com, i.e. Whatbreach
>
> https://www.kitploit.com/2019/06/whatbreach-osint-tool-to-find-breached.html
>
>
> On further investigation I thought this would be a cool project to have
> a SA plugin to query against.
>
> https://github.com/Ekultek/WhatBreach/blob/master/etc/ten_minute_emails.lst
>
> But the real reason for my posting is to ask / request, can
> 20_freemail_domains.cf be updated with the following free domains.

Do we really want to bloat 20_freemail_domains.cf with this crud?
Seems pretty pointless as these domains are bound to be stale, real soon.
Imo, the right place for this is in a local rule for those who want to
throw resources at it.

>
> https://github.com/Ekultek/WhatBreach/blob/master/etc/ten_minute_emails.lst
>
> Here you can see my rudimentary for loop checking which domains are not in
> 20_freemail_domains.cf
>
> https://pastebin.com/raw/ihc6AvyF
>
> Hope this helps.
>
> Many thanks, regards
> Brent Clark
Re: Ten Minute emails domains
On Mon, Jun 24, 2019 at 02:20:50PM +0200, Axb wrote:
>
> On 6/24/19 11:56 AM, Brent Clark wrote:
> >Good day Guys
> >
> >This project was posted on kitploit.com, i.e. Whatbreach
> >
> >https://www.kitploit.com/2019/06/whatbreach-osint-tool-to-find-breached.html
> >
> >
> >On further investigation I thought this would be a cool project to have a
> >SA plugin to query against.
> >
> >https://github.com/Ekultek/WhatBreach/blob/master/etc/ten_minute_emails.lst
> >
> >But the real reason for my posting is to ask / request, can
> >20_freemail_domains.cf be updated with the following free domains.
>
> Do we really want to bloat 20_freemail_domains.cf with this crud?
> Seems pretty pointless as these domains are bound to be stale, real soon.
> Imo, the right place for this is in a local rule for those who want to throw
> resources at it.

Yeah unless someone can parse out domains that are actually stable
"freemail", just try locally something like

enlist_addrlist (FROM_10MINMAILS) 0815.ru
enlist_addrlist (FROM_10MINMAILS) 10minutemail.cf
....etc
header FROM_10MINMAILS eval:check_from_in_list('FROM_10MINMAILS')

These hit my spam corpus

Re: Ten Minute emails domains
On Mon, Jun 24, 2019 at 04:14:10PM +0300, Henrik K wrote:
>
> enlist_addrlist (FROM_10MINMAILS) 0815.ru
> enlist_addrlist (FROM_10MINMAILS) 10minutemail.cf
> ....etc
> header FROM_10MINMAILS eval:check_from_in_list('FROM_10MINMAILS')

Uhh duh, I think the format is..

enlist_addrlist (FROM_10MINMAILS) *@0815.ru
enlist_addrlist (FROM_10MINMAILS) *@10minutemail.cf
Re: Ten Minute emails domains
On 6/24/2019 5:56 AM, Brent Clark wrote:
> This project was posted on kitploit.com, i.e. Whatbreach
>
> https://www.kitploit.com/2019/06/whatbreach-osint-tool-to-find-breached.html
>
>
> On further investigation I thought this would be a cool project to
> have a SA plugin to query against.
>
> https://github.com/Ekultek/WhatBreach/blob/master/etc/ten_minute_emails.lst
>
>
Interesting idea, please post it up on bugzilla. If you can work on a
plugin, that would be ideal.  Or convince someone else it's a good idea!


> But the real reason for my posting is to ask / request, can
> 20_freemail_domains.cf be updated with the following free domains.
>
> https://github.com/Ekultek/WhatBreach/blob/master/etc/ten_minute_emails.lst
>
>
> Here you can see my rudimentary for loop checking which domains are not
> in 20_freemail_domains.cf
>
> https://pastebin.com/raw/ihc6AvyF
>
> Hope this helps.


Looks like a good idea but this needs to be verified for each of these
freemailers.  For example, I spot checked zebins<munge>.com as is the
eponymous 10minutemail<munge>.com and it's definitely a candidate.

126 and 163, I see all the time from China and I know 126 is owned by
163.  Are they freemail providers?   I thought they were just providers:
https://www.quora.com/What-is-126-com-and-why-are-they-the-owner-of-millions-of-good-domain-names

Additionally, a number of them like wegwerfemail<munge>.com and a
handful of the related .org and .net domains, are not showing anything to
a browser.

I created a Google Sheet at
https://docs.google.com/spreadsheets/d/1dHH2WW_zYCLwmdDpUAk82n4VliPmSQulpePZSX9tNQE/edit#gid=0
to look through some of these and look at adding them.  I think several
have merit.

Regards,

KAM

--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Ten Minute emails domains
On Mon, Jun 24, 2019 at 09:48:21AM -0400, Kevin A. McGrail wrote:
>
> Interesting idea, please post it up on bugzilla. If you can work on a plugin,
> that would be ideal.  Or convince someone else it's a good idea!

There's zero need to create "a plugin" for a generic list of domains, which
can be queried from DNS like any other or used as a static list (example in
my previous post).
Re: Ten Minute emails domains
On 24 Jun 2019, at 07:48, Kevin A. McGrail <kmcgrail@apache.org> wrote:
> Interesting idea, please post it up on bugzilla. If you can work on a plugin, that would be ideal.

A plugin?

It’s just a list of server names, right?

find: (.*)
replace: enlist_addrlist (FROM_10MINMAILS) *\1


However, using the whatbreach command in the OP's initial post to check an email would be rather expensive to do during the transaction phase, so I don’t think that is viable.

Adding the list of domains is pretty straightforward, though it seems like the start of an endless game of whack-a-mole and there are probably better ways to do this. An RBL comes to mind.


--
Is Mr Humphries available to help a man try on a dress?
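
Added example, not written by any poster in this thread: a shell sketch that combines the steps discussed above, filtering the list against domains already on `freemail_domains` lines and then emitting `*@domain` entries plus the `check_from_in_list` rule. The function names, file names and sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: names, paths and sample data are assumptions, not project code.

# Domains already declared on "freemail_domains" lines of a .cf file.
known_freemail() {
    awk '$1 == "freemail_domains" { for (i = 2; i <= NF; i++) print tolower($i) }' "$1" |
        LC_ALL=C sort -u
}

# Normalise a raw list: drop CRs, comments and surrounding blanks, lowercase,
# keep only syntactically valid hostnames, de-duplicate.
clean_domains() {
    tr -d '\r' < "$1" |
        sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        tr 'A-Z' 'a-z' |
        grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$' |
        LC_ALL=C sort -u
}

# $1 = disposable-domain list, $2 = freemail .cf file.
# Prints local rules for the domains that the freemail list does not cover.
make_rules() {
    known=$(mktemp); clean=$(mktemp)
    known_freemail "$2" > "$known"
    clean_domains "$1" > "$clean"
    LC_ALL=C comm -23 "$clean" "$known" |
        sed 's/^/enlist_addrlist (FROM_10MINMAILS) *@/'
    echo "header FROM_10MINMAILS eval:check_from_in_list('FROM_10MINMAILS')"
    rm -f "$known" "$clean"
}

# Constructed sample input: duplicate, mixed case, CRLF, comment and junk lines.
demo() {
    dir=$(mktemp -d)
    printf '# constructed sample\n0815.ru\n10MinuteMail.cf\r\n0815.ru\nexample.com\nnot a domain\n' \
        > "$dir/ten_minute.lst"
    printf 'freemail_domains example.com example.net\n' > "$dir/freemail.cf"
    make_rules "$dir/ten_minute.lst" "$dir/freemail.cf"
    rm -rf "$dir"
}

demo
```

Redirect the output of `make_rules` into a local `.cf` file and run `spamassassin --lint` before reloading.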
Re: Ten Minute emails domains
On 6/24/2019 10:25 AM, @lbutlr wrote:
> Adding the list of domains is pretty straightforward, though it seems like the start of an endless game of whack-a-mole and there are probably better ways to do this. An RBL comes to mind.

Plugin aside, adding the domains to freemail list is useful if these are
freemail providers.

--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Ten Minute emails domains
On 24 Jun 2019, at 08:27, Kevin A. McGrail <kmcgrail@apache.org> wrote:
> On 6/24/2019 10:25 AM, @lbutlr wrote:
>> Adding the list of domains is pretty straightforward, though it seems like the start of an endless game of whack-a-mole and there are probably better ways to do this. An RBL comes to mind.
>
> Plugin aside, adding the domains to freemail list is useful if these are
> freemail providers.

Right, but there is that ‘if’. I didn’t look too hard, but I didn’t see what the criteria was for listing a domain in the “10minuteemails” category according to WhatBreach. The tool seemed mostly intended to check emails and domains against the haveIbeenPwned database, so I am not sure they all are freemail providers?

--
The Piper's calling you to join him
Re: Ten Minute emails domains
On 6/24/2019 10:31 AM, @lbutlr wrote:
> Right, but there is that ‘if’. I didn’t look too hard, but I didn’t see what the criteria was for listing a domain in the “10minuteemails” category according to WhatBreach. The tool seemed mostly intended to check emails and domains against the haveIbeenPwned database, so I am not sure they all are freemail providers?

100% agreed:
https://docs.google.com/spreadsheets/d/1dHH2WW_zYCLwmdDpUAk82n4VliPmSQulpePZSX9tNQE/edit#gid=0
is a list I've started to vet their output for suitability for SA.

--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171
Re: Ten Minute emails domains
@Kevin - polite suggestion: maybe retitle it to be "disposable freemail
providers"?

Doesn't really matter much, but someone may miss the intent of the cool
google doc :)

- Udeme

On Mon, Jun 24, 2019 at 10:37 AM Kevin A. McGrail <kmcgrail@apache.org>
wrote:

> On 6/24/2019 10:31 AM, @lbutlr wrote:
> > Right, but there is that ‘if’. I didn’t look too hard, but I didn’t see
> what the criteria was for listing a domain in the “10minuteemails” category
> according to WhatBreach. The tool seemed mostly intended to check emails
> and domains against the haveIbeenPwned database, so I am not sure they all
> are freemail providers?
>
> 100% agreed:
>
> https://docs.google.com/spreadsheets/d/1dHH2WW_zYCLwmdDpUAk82n4VliPmSQulpePZSX9tNQE/edit#gid=0
> is a list I've started to vet their output for suitability for SA.
>
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>
Re: Ten Minute emails domains
On 6/24/2019 12:00 PM, Udeme Ukutt wrote:
> @Kevin - polite suggestion: maybe retitle it to be "disposable
> freemail providers"? 
>
> Doesn't really matter much, but someone may miss the intent of the
> cool google doc :)

Thanks Udeme but actually, I don't really know what the intent of the
list they created was.  I wouldn't consider 163 for example to be a
disposable freemail provider.

So, I'm looking to assess their list for inclusion with the freemail
default list.  That will allow certain mechanisms to combat them to come
into play.  Henrik, for example, posted a few dozen that he sees in his
corpora:

https://docs.google.com/spreadsheets/d/1dHH2WW_zYCLwmdDpUAk82n4VliPmSQulpePZSX9tNQE/edit#gid=0

Regards,

KAM