Posted to users@spamassassin.apache.org by Karsten Bräckelmann <gu...@rudersport.de> on 2007/11/02 23:44:42 UTC

Re: The Bat! reanimated (suspicious Date header)

On Wed, 2007-10-31 at 08:46 -0700, Kenneth Porter wrote:
> --On Tuesday, October 30, 2007 3:43 PM -0700 Loren Wilton 
> <lw...@earthlink.net> wrote:
> 
> > FWIW, I ran masschecks on the original posted rules and got zero hits in
> > any corpus.  That rather surprised me.  But it may indicate that this is
> > either a very recent thing or isn't all that universal.
> 
> Did you test with just the tab-in-Date rule, without The Bat qualifier? My 
> rate would have been a lot lower had I qualified it by mailer.

Yeah, just checked stats again, gathered over the last 10 days.

Surprisingly, this rule hits no less than about 20% of my Spam. With
about 1% difference, where the DATE_CONTAINS_TAB rule is triggered
without the mail being faked to be sent by The Bat!.

As you mentioned in your previous post already, the generic rule may be
sufficient. I didn't check carefully if there actually are legit MUAs
out there producing such headers, so I cowardly decided to go with a low
score first.

Based on Loren's results, this indeed may be rather specific stuff. But
it definitely hits hard for me. Actually, I didn't expect anything even
remotely close to 20%...


Can anyone confirm if any legit MUA ever sent out such headers?

  guenther


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
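
Added example, not part of the original post: one way to tally the generic tab-in-Date check against the version qualified by a The Bat! X-Mailer claim over a mail corpus. The rule definition is not shown in this message, so the matching logic, the function names and the sample messages are assumptions made for this sketch.

```python
import re

# A line break followed by space/tab is header folding (RFC 5322, 2.2.3).
FOLD = re.compile(r"\r?\n[ \t]")

def raw_headers(message):
    """Map lowercased header name -> raw value (first occurrence wins)."""
    # Look at the header block only, never the body.
    head = re.split(r"\r?\n\r?\n", message, maxsplit=1)[0]
    # Choice made for this example: the whitespace that starts a folded
    # continuation line is normalised to a space, so only a tab inside a
    # header line itself can count as a hit.
    head = FOLD.sub(" ", head)
    headers = {}
    for line in head.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value)
    return headers

def date_contains_tab(message):
    # Assumed meaning of DATE_CONTAINS_TAB: a literal tab in the Date value.
    return "\t" in raw_headers(message).get("date", "")

def claims_the_bat(message):
    return "the bat!" in raw_headers(message).get("x-mailer", "").lower()

def tally(corpus):
    """Count hits for the generic rule and for the mailer-qualified rule."""
    generic = sum(date_contains_tab(m) for m in corpus)
    qualified = sum(date_contains_tab(m) and claims_the_bat(m) for m in corpus)
    return {"total": len(corpus), "generic": generic,
            "qualified": qualified, "generic_only": generic - qualified}

# Constructed sample messages (not taken from any real corpus).
SAMPLES = [
    "Date:\tFri, 02 Nov 2007 10:00:00 +0100\nX-Mailer: The Bat! (v3.0)\n\nhi\n",
    "Date: Fri,\t02 Nov 2007 10:00:00 +0100\nX-Mailer: ExampleMailer 1.0\n\nhi\n",
    "Date: Fri, 02 Nov 2007 10:00:00 +0100\nX-Mailer: The Bat! (v3.0)\n\nhi\n",
    "Date: Fri, 02 Nov 2007\n\t10:00:00 +0100\nX-Mailer: ExampleMailer 1.0\n\nhi\n",
    "Subject: no date\n\nDate:\tin the body only\n",
]

if __name__ == "__main__":
    print(tally(SAMPLES))
```

Running the same tally over a ham corpus is what would answer the question of whether any legitimate MUA produces such headers.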