Posted to users@spamassassin.apache.org by John Hardin <jh...@impsec.org> on 2008/03/10 23:42:47 UTC

header case as a spam sign?

This just squeaked past my SA:

   {snip}
   Date: Mon, 10 Mar 2008 17:38:53 -0400
   from: "greg martind" <re...@gmx.com>
   Message-ID: <20...@gmx.com>
   MIME-Version: 1.0
   subject: [SPAM] GOOD EMPLOYMENT OFFER
   to: donov_johnson@hotmail.com
   X-Authenticated: #46068547
   {snip}

The all-lowercase headers immediately caught my eye.

There doesn't appear to be a way to check for headers in a case-sensitive 
manner short of a plugin or (maybe) a "full" rule. Am I missing something?

After a quick troll through my corpus it looks like from, to and subject 
headers all in lowercase might be a useful spam sign - if there was a way 
to check them.

Comments?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   W-w-w-w-w-where did he learn to n-n-negotiate like that?
-----------------------------------------------------------------------
  4 days until Albert Einstein's 129th Birthday

Re: header case as a spam sign?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 10 Mar 2008, John Hardin wrote:

> This just squeaked past my SA:
>
>   {snip}
>   Date: Mon, 10 Mar 2008 17:38:53 -0400
>   from: "greg martind" <re...@gmx.com>
>   Message-ID: <20...@gmx.com>
>   MIME-Version: 1.0
>   subject: [SPAM] GOOD EMPLOYMENT OFFER
>   to: donov_johnson@hotmail.com
>   X-Authenticated: #46068547
>   {snip}
>
> The all-lowercase headers immediately caught my eye.

Whoops. Clarification: the all lowercase header *names*.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   W-w-w-w-w-where did he learn to n-n-negotiate like that?
-----------------------------------------------------------------------
  4 days until Albert Einstein's 129th Birthday

Re: header case as a spam sign?

Posted by Evan Platt <ev...@espphotography.com>.
At 03:42 PM 3/10/2008, John Hardin wrote:
>This just squeaked past my SA:
>
>   {snip}
>   Date: Mon, 10 Mar 2008 17:38:53 -0400
>   from: "greg martind" <re...@gmx.com>
>   Message-ID: <20...@gmx.com>
>   MIME-Version: 1.0
>   subject: [SPAM] GOOD EMPLOYMENT OFFER
>   to: donov_johnson@hotmail.com
>   X-Authenticated: #46068547
>   {snip}
>
>The all-lowercase headers immediately caught my eye.
>
>There doesn't appear to be a way to check for headers in a 
>case-sensitive manner short of a plugin or (maybe) a "full" rule. Am 
>I missing something?
>
>After a quick troll through my corpus it looks like from, to and 
>subject headers all in lowercase might be a useful spam sign - if 
>there was a way to check them.
>
>Comments?

Well, your subject was all upper case, so so much for that idea. ;)

I've seen plenty of all lower case from / to ham, so YMMV as they say. 


Re: header case as a spam sign?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 10/03/2008 8:15 PM, John Hardin wrote:
> On Mon, 10 Mar 2008, Daryl C. W. O'Shea wrote:
> 
>> On 10/03/2008 6:42 PM, John Hardin wrote:
>>> This just squeaked past my SA:
>>>
>>>   {snip}
>>>   Date: Mon, 10 Mar 2008 17:38:53 -0400
>>>   from: "greg martind" <re...@gmx.com>
>>>   Message-ID: <20...@gmx.com>
>>>   MIME-Version: 1.0
>>>   subject: [SPAM] GOOD EMPLOYMENT OFFER
>>>   to: donov_johnson@hotmail.com
>>>   X-Authenticated: #46068547
>>>   {snip}
>>>
>>> The all-lowercase headers immediately caught my eye.
>>
>> They're not uncommon in ham either, though.
> 
> See my followup - I was speaking of the header *names* being all
> lowercase, not their content. Sorry for not making that clearer in my
> initial post.

I thought your initial post was clear.  The header field names are lower
case.

>>> There doesn't appear to be a way to check for headers in a
>>> case-sensitive manner short of a plugin or (maybe) a "full" rule. Am I
>>> missing something?
>>>
>>> After a quick troll through my corpus it looks like from, to and subject
>>> headers all in lowercase might be a useful spam sign - if there was a
>>> way to check them.
>>
>> Do header checks with the ALL, ALL-UNTRUSTED or ALL-EXTERNAL headers.
> 
> Does that let you check the header names? Or just the content of headers
> regardless of their name?

Yes, it does.  See the M::SA::PerMsgStatus POD.

Daryl


Re: header case as a spam sign?

Posted by John Hardin <jh...@impsec.org>.
On Mon, 10 Mar 2008, Daryl C. W. O'Shea wrote:

> On 10/03/2008 6:42 PM, John Hardin wrote:
>> This just squeaked past my SA:
>>
>>   {snip}
>>   Date: Mon, 10 Mar 2008 17:38:53 -0400
>>   from: "greg martind" <re...@gmx.com>
>>   Message-ID: <20...@gmx.com>
>>   MIME-Version: 1.0
>>   subject: [SPAM] GOOD EMPLOYMENT OFFER
>>   to: donov_johnson@hotmail.com
>>   X-Authenticated: #46068547
>>   {snip}
>>
>> The all-lowercase headers immediately caught my eye.
>
> They're not uncommon in ham either, though.

See my followup - I was speaking of the header *names* being all 
lowercase, not their content. Sorry for not making that clearer in my 
initial post.

>> There doesn't appear to be a way to check for headers in a
>> case-sensitive manner short of a plugin or (maybe) a "full" rule. Am I
>> missing something?
>>
>> After a quick troll through my corpus it looks like from, to and subject
>> headers all in lowercase might be a useful spam sign - if there was a
>> way to check them.
>
> Do header checks with the ALL, ALL-UNTRUSTED or ALL-EXTERNAL headers.

Does that let you check the header names? Or just the content of headers 
regardless of their name?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   The difference is that Unix has had thirty years of technical
   types demanding basic functionality of it. And the Macintosh has
   had fifteen years of interface fascist users shaping its progress.
   Windows has the hairpin turns of the Microsoft marketing machine
   and that's all.                                    -- Red Drag Diva
-----------------------------------------------------------------------
  4 days until Albert Einstein's 129th Birthday

Re: header case as a spam sign?

Posted by "Daryl C. W. O'Shea" <sp...@dostech.ca>.
On 10/03/2008 6:42 PM, John Hardin wrote:
> This just squeaked past my SA:
> 
>   {snip}
>   Date: Mon, 10 Mar 2008 17:38:53 -0400
>   from: "greg martind" <re...@gmx.com>
>   Message-ID: <20...@gmx.com>
>   MIME-Version: 1.0
>   subject: [SPAM] GOOD EMPLOYMENT OFFER
>   to: donov_johnson@hotmail.com
>   X-Authenticated: #46068547
>   {snip}
> 
> The all-lowercase headers immediately caught my eye.

They're not uncommon in ham either, though.

> There doesn't appear to be a way to check for headers in a
> case-sensitive manner short of a plugin or (maybe) a "full" rule. Am I
> missing something?
> 
> After a quick troll through my corpus it looks like from, to and subject
> headers all in lowercase might be a useful spam sign - if there was a
> way to check them.

Do header checks with the ALL, ALL-UNTRUSTED or ALL-EXTERNAL headers.

Daryl
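
Added example (not part of the original thread, and not SpamAssassin code): a standalone Python sketch of the check discussed above, a case-sensitive match on header *names* against the raw header block, which is the kind of text Daryl's ALL suggestion exposes to a rule. The sample messages, function names and regex are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample messages (not real mail). SPAMMY mirrors the lowercase
# header names quoted in the thread; NORMAL is ordinary mixed-case mail.
SPAMMY = (
    "Date: Mon, 10 Mar 2008 17:38:53 -0400\n"
    'from: "sender" <sender@example.com>\n'
    "MIME-Version: 1.0\n"
    "subject: GOOD EMPLOYMENT OFFER\n"
    "to: rcpt@example.net\n"
    "\n"
    "body text\n"
)
NORMAL = (
    "From: Alice <alice@example.org>\n"
    "To: bob@example.org\n"
    "Subject: notes from: monday\n"
    "\tto: be continued\n"          # folded continuation of Subject
    "\n"
    "from: this line is body, not a header\n"
)

# Anchored at line start and deliberately without re.IGNORECASE.
NAME_RE = re.compile(r"^(from|to|subject):", re.MULTILINE)
WATCHED = {"from", "to", "subject"}

def raw_header_block(raw):
    """Text before the first blank line, with CRLF normalised to LF."""
    text = raw.replace("\r\n", "\n")
    return text.split("\n\n", 1)[0]

def lowercase_names(raw):
    """Watched header names that appear all-lowercase in the raw headers."""
    return set(NAME_RE.findall(raw_header_block(raw)))

def all_watched_lowercase(raw):
    """True only when from, to and subject are all lowercase header names."""
    return lowercase_names(raw) == WATCHED

def parsed_lookup(raw, name):
    """Parsed-message lookup is case-insensitive, so it cannot see the
    difference; this is why the check runs on the raw header text."""
    return message_from_string(raw)[name]
```

As the replies above note, lowercase names also turn up in ham, so a hit is one weak signal to combine with others rather than a verdict.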