Posted to dev@spamassassin.apache.org by Maxim Masiutin <ma...@ritlabs.com> on 2009/02/11 10:57:39 UTC

a reliable way to detect The Bat! is by message-id, not by x-mailer

Hello Dev,

  A reliable way to detect The Bat! is to parse the Message-ID.

  The Bat! uses a special algorithm to construct it. I wrote to Malte S. Stretz about it already, and he implemented a corresponding rule several years ago.

  I suggest dropping the following rule entirely:

  __THEBAT_MUA               X-Mailer =~ /The Bat!/

  and only relying on the Message-ID to detect The Bat!


-- 
Best regards,
Maxim Masiutin                          mailto:max@ritlabs.com


Re: a reliable way to detect The Bat! is by message-id, not by x-mailer

Posted by Justin Mason <jm...@jmason.org>.
On Wed, Feb 11, 2009 at 09:57, Maxim Masiutin <ma...@ritlabs.com> wrote:
> Hello Dev,
>
>  A reliable way to detect The Bat! is to parse the Message-ID.
>
>  The Bat! uses a special algorithm to construct it. I wrote to Malte S. Stretz about it already, and he implemented a corresponding rule several years ago.
>
>  I suggest dropping the following rule entirely:
>
>  __THEBAT_MUA               X-Mailer =~ /The Bat!/
>
>  and only relying on the Message-ID to detect The Bat!

hi Maxim --

could you repost the message you sent to Malte about this?

fwiw, that _MUA rule has two purposes.  One is to detect "real" Bat!
users, but it also serves to detect spammers attempting to impersonate
The Bat!.  so we'll have to split its usage into two accordingly.

--j.

Re: a reliable way to detect The Bat! is by message-id, not by x-mailer

Posted by Maxim Masiutin <ma...@ritlabs.com>.
Hello Phil,

The rule to detect forged The Bat! by Message-ID did exist several years ago, I remember that for sure (maybe it never made it into a production version of SpamAssassin). That rule checked whether there was "X-Mailer: The Bat!" while the Message-ID was not formed the way The Bat! forms it.

I can now only find the following:

meta FORGED_MUA_THEBAT_CS       (__THEBAT_MUA && __CTYPE_CHARSET_QUOTED)
meta FORGED_MUA_THEBAT_BOUN     (__THEBAT_MUA_V1 && __CTYPE_HAS_BOUNDARY && !__BAT_BOUNDARY && !__MAILMAN_21)

Maybe we should also add 

meta FORGED_MUA_THEBAT_MSGID    (__THEBAT_MUA && !__BAT_MSGID)


We should also modify the rule

header __BAT_BOUNDARY           Content-Type =~ /boundary=\"?-{10}/

to something like 

boundary=\"-{10}[A-F0-9]{4,}\"


since the quotes are always put in by The Bat!, and after the ten dash characters there come from four up to many uppercase hexadecimal characters.

I guess we can change the rule FORGED_MUA_THEBAT_BOUN by replacing __THEBAT_MUA_V1 with __THEBAT_MUA there, since this boundary format is used in every version of The Bat!


-- 
Best regards,
Maxim Masiutin                            mailto:max@ritlabs.com


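As an added example (not code from this thread, nor SpamAssassin's own implementation), the script below evaluates the sub-rules and meta rules quoted in the message above against a few constructed sample headers, and contrasts the current __BAT_BOUNDARY regex with the tightened one proposed here. The patterns for __THEBAT_MUA and the two __BAT_BOUNDARY variants are taken from the thread; the patterns used for __CTYPE_HAS_BOUNDARY, __CTYPE_CHARSET_QUOTED and __MAILMAN_21 are assumed approximations, since the thread does not print them. __BAT_MSGID is not modelled because its Message-ID pattern is not given here.

```python
import re
from email import message_from_string

# Patterns quoted in the thread (SpamAssassin/Perl syntax; valid Python as well).
RE_THEBAT_MUA = re.compile(r"The Bat!")                            # __THEBAT_MUA on X-Mailer
RE_BAT_BOUNDARY_OLD = re.compile(r'boundary="?-{10}')              # current __BAT_BOUNDARY
RE_BAT_BOUNDARY_NEW = re.compile(r'boundary="-{10}[A-F0-9]{4,}"')  # proposed tightening

# Assumed approximations of sub-rules the thread references but does not print.
RE_CTYPE_HAS_BOUNDARY = re.compile(r"boundary=", re.IGNORECASE)
RE_CTYPE_CHARSET_QUOTED = re.compile(r'charset="', re.IGNORECASE)
RE_MAILMAN_21 = re.compile(r"^2\.1")  # applied to X-Mailman-Version


def sub_rules(raw_message, strict_boundary=True):
    """Evaluate the __ sub-rules against one message's headers.

    strict_boundary=True uses the proposed __BAT_BOUNDARY regex,
    False uses the current one, so the two can be compared.
    """
    msg = message_from_string(raw_message)
    x_mailer = msg.get("X-Mailer", "")
    ctype = msg.get("Content-Type", "")
    mailman = msg.get("X-Mailman-Version", "")
    bat_boundary = RE_BAT_BOUNDARY_NEW if strict_boundary else RE_BAT_BOUNDARY_OLD
    return {
        "__THEBAT_MUA": bool(RE_THEBAT_MUA.search(x_mailer)),
        "__CTYPE_HAS_BOUNDARY": bool(RE_CTYPE_HAS_BOUNDARY.search(ctype)),
        "__BAT_BOUNDARY": bool(bat_boundary.search(ctype)),
        "__CTYPE_CHARSET_QUOTED": bool(RE_CTYPE_CHARSET_QUOTED.search(ctype)),
        "__MAILMAN_21": bool(RE_MAILMAN_21.search(mailman)),
    }


def meta_rules(sub):
    """The two meta rules quoted above, with __THEBAT_MUA in place of __THEBAT_MUA_V1."""
    return {
        "FORGED_MUA_THEBAT_CS": sub["__THEBAT_MUA"] and sub["__CTYPE_CHARSET_QUOTED"],
        "FORGED_MUA_THEBAT_BOUN": (
            sub["__THEBAT_MUA"]
            and sub["__CTYPE_HAS_BOUNDARY"]
            and not sub["__BAT_BOUNDARY"]
            and not sub["__MAILMAN_21"]
        ),
    }


def forged_rules_hit(raw_message, strict_boundary=True):
    """Sorted names of the FORGED_* meta rules that fire for this message."""
    hits = meta_rules(sub_rules(raw_message, strict_boundary))
    return sorted(name for name, hit in hits.items() if hit)


# Constructed sample headers (not real mail): ten dashes followed by uppercase hex.
GENUINE_LOOKING = (
    "From: alice@example.com\n"
    "X-Mailer: The Bat!\n"
    'Content-Type: multipart/alternative; boundary="----------3A1B5F7C2D"\n'
    "\nbody\n"
)
# Claims The Bat! but uses a boundary with an underscore after the dashes.
FORGED_BOUNDARY = (
    "From: sender@example.net\n"
    "X-Mailer: The Bat!\n"
    'Content-Type: multipart/mixed; boundary="----------_NextPart_000_01"\n'
    "\nbody\n"
)
# Claims The Bat! but quotes the charset.
FORGED_CHARSET = (
    "From: sender@example.net\n"
    "X-Mailer: The Bat!\n"
    'Content-Type: text/plain; charset="iso-8859-1"\n'
    "\nbody\n"
)
# Genuine client passed through a Mailman 2.1 list, which rewrote the MIME boundary.
VIA_MAILMAN = (
    "From: alice@example.com\n"
    "X-Mailer: The Bat!\n"
    "X-Mailman-Version: 2.1.9\n"
    'Content-Type: multipart/mixed; boundary="===============1234=="\n'
    "\nbody\n"
)

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE_LOOKING), ("forged boundary", FORGED_BOUNDARY),
                      ("forged charset", FORGED_CHARSET), ("via mailman", VIA_MAILMAN)]:
        print(name, "strict:", forged_rules_hit(raw), "current:", forged_rules_hit(raw, False))
```

The forged-boundary sample is the interesting one: the current `boundary="?-{10}` pattern accepts it as a Bat! boundary, so FORGED_MUA_THEBAT_BOUN stays silent, while the tightened pattern rejects it and the meta rule fires. The Mailman sample shows why the `!__MAILMAN_21` exclusion is there: a list manager rewrites the boundary of a genuine message, and without the exclusion it would look forged.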

RE: a reliable way to detect The Bat! is by message-id, not by x-mailer

Posted by "Randal, Phil" <pr...@herefordshire.gov.uk>.
If we do that, we could do with a corresponding __FAKE_THEBAT_MUA rule,
which should then be trivial.

Cheers,

Phil

--
Phil Randal | Networks Engineer
Herefordshire Council | Deputy Chief Executive's Office | I.C.T.
Services Division
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT
Tel: 01432 260160
email: prandal@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of
the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely
for the use of the addressee. This communication may contain material
protected by law from being passed on. If you are not the intended
recipient and have received this e-mail in error, you are advised that
any use, dissemination, forwarding, printing or copying of this e-mail
is strictly prohibited. If you have received this e-mail in error please
contact the sender immediately and destroy all copies of it.

-----Original Message-----
From: Maxim Masiutin [mailto:max@ritlabs.com] 
Sent: 11 February 2009 09:58
To: dev@spamassassin.apache.org
Subject: a reliable way to detect The Bat! is by message-id, not by
x-mailer

Hello Dev,

  A reliable way to detect The Bat! is to parse the Message-ID.

  The Bat! uses a special algorithm to construct it. I wrote to Malte S.
Stretz about it already, and he implemented a corresponding rule
several years ago.

  I suggest dropping the following rule entirely:

  __THEBAT_MUA               X-Mailer =~ /The Bat!/

  and only relying on the Message-ID to detect The Bat!


--
Best regards,
Maxim Masiutin                          mailto:max@ritlabs.com