Posted to users@spamassassin.apache.org by Kenneth Porter <sh...@sewingwitch.com> on 2007/10/29 21:44:50 UTC

Re: The Bat! reanimated (suspicious Date header)

On Friday, October 26, 2007 11:55 PM +0200 Karsten Bräckelmann
<gu...@rudersport.de> wrote:

> NOTE:  I only did a very brief investigation of Date: headers sent by
> The Bat! users on this list. If anyone can assure this, or got any
> inside knowledge whether The Bat! can or can not generate such headers
> legitimately, please pipe up. :)

Nice find. I grepped my corpus and found 432 instances of "Date: \t". It 
only appears in headers in my known-spam folder. It does appear in other 
messages, but only in the headers of forwarded messages carried in the body 
of another message. (A check of a few suggests that Mozilla does this.)

The qualification of The Bat in your meta may be too specific. I see the 
same thing happening in messages claiming to come from Outlook and Outlook 
Express. The header rule should be sufficient by itself.



Re: The Bat! reanimated (suspicious Date header)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2007-10-31 at 08:46 -0700, Kenneth Porter wrote:
> --On Tuesday, October 30, 2007 3:43 PM -0700 Loren Wilton 
> <lw...@earthlink.net> wrote:
> 
> > FWIW, I ran masschecks on the original posted rules and got zero hits in
> > any corpus.  That rather surprised me.  But it may indicate that this is
> > either a very recent thing or isn't all that universal.
> 
> Did you test with just the tab-in-Date rule, without The Bat qualifier? My 
> rate would have been a lot lower had I qualified it by mailer.

Yeah, just checked stats again, gathered over the last 10 days.

Surprisingly, this rule hits no less than about 20% of my Spam. With
about 1% difference, where the DATE_CONTAINS_TAB rule is triggered
without the mail being faked to be sent by The Bat!.

As you mentioned in your previous post already, the generic rule may be
sufficient. I didn't check carefully if there actually are legit MUAs
out there producing such headers, so I cowardly decided to go with a low
score first.

Based on Loren's results, this indeed may be rather specific stuff. But
it definitely hits hard for me. Actually, I didn't expect anything even
remotely close to 20%...


Can anyone confirm if any legit MUA ever sent out such headers?

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
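An added example, not code from the thread or from SpamAssassin: a small Python check in the spirit of the DATE_CONTAINS_TAB rule discussed above. It inspects only the message's own header block, so a tabbed Date: line inside a message forwarded in the body (the Mozilla case Kenneth mentions) is not counted; the sample messages are constructed.

```python
import re

# RFC 5322 field name (printable ASCII, no colon), then ':' and the raw body.
HEADER_LINE = re.compile(r"^([!-9;-~]+):(.*)$")
# A tab anywhere in the whitespace right after "Date:" (covers "Date:\t" and "Date: \t").
LEADING_TAB = re.compile(r"^[ \t]*\t")

def raw_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, raw_value) pairs for the top-level header block only.

    Leading whitespace of each value is kept as-is, since that is what the rule
    keys on; folded continuation lines are appended to the previous field. The
    first blank line ends the block, so headers of a message forwarded inline
    in the body are never seen.
    """
    headers: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if line == "":
            break
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
            continue
        m = HEADER_LINE.match(line)
        if m:
            headers.append((m.group(1), m.group(2)))
    return headers

def date_contains_tab(raw: str) -> bool:
    """True when the message's own Date header has a tab before the date text."""
    return any(name.lower() == "date" and LEADING_TAB.match(value)
               for name, value in raw_headers(raw))

def count_hits(messages: list[str]) -> int:
    """Corpus-style count of messages the check flags."""
    return sum(1 for m in messages if date_contains_tab(m))

# Constructed sample messages (not taken from any real corpus).
TAB_DATE = ("From: a@example.com\r\nDate:\tMon, 29 Oct 2007 21:44:50 +0000\r\n"
            "Subject: x\r\n\r\nbody\r\n")
SPACE_DATE = ("From: a@example.com\r\nDate: Mon, 29 Oct 2007 21:44:50 +0000\r\n"
              "Subject: x\r\n\r\nbody\r\n")
FORWARDED = ("From: a@example.com\r\nDate: Mon, 29 Oct 2007 21:44:50 +0000\r\n"
             "Subject: Fwd: x\r\n\r\n-------- Original Message --------\r\n"
             "Date:\tSun, 28 Oct 2007 10:00:00 +0000\r\nSubject: x\r\n")

if __name__ == "__main__":
    for label, msg in [("tab", TAB_DATE), ("space", SPACE_DATE), ("forwarded", FORWARDED)]:
        print(label, date_contains_tab(msg))
    print("hits:", count_hits([TAB_DATE, SPACE_DATE, FORWARDED]))  # hits: 1
```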


Re: The Bat! reanimated (suspicious Date header)

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Tuesday, October 30, 2007 3:43 PM -0700 Loren Wilton 
<lw...@earthlink.net> wrote:

> FWIW, I ran masschecks on the original posted rules and got zero hits in
> any corpus.  That rather surprised me.  But it may indicate that this is
> either a very recent thing or isn't all that universal.

Did you test with just the tab-in-Date rule, without The Bat qualifier? My 
rate would have been a lot lower had I qualified it by mailer.



Re: The Bat! reanimated (suspicious Date header)

Posted by Loren Wilton <lw...@earthlink.net>.
FWIW, I ran masschecks on the original posted rules and got zero hits in any 
corpus.  That rather surprised me.  But it may indicate that this is either 
a very recent thing or isn't all that universal.

        Loren

