Posted to users@spamassassin.apache.org by Karsten Bräckelmann <gu...@rudersport.de> on 2007/10/26 23:55:46 UTC

The Bat! reanimated

A recent discussion about The Bat! [1] the other day reminded me of some
sneaky spam that frequently managed to score below 15. They caught my
eye for another reason in the first place, though. They all had a specific
Date: header strangeness in common: a Tab char. It was after that that
I realized they all pretended to be sent by The Bat!.

A few days ago I finally got around to writing a custom rule to catch
these. No spam should be scoring below 15, right? ;-)

For the benefit of everyone and for public discussion, here are the
rules [2]. After catching 270 such spam, only an additional 3 messages
actually hit the Date with Tab rule but were not forged to be sent by
The Bat!.

 header   KB_DATE_CONTAINS_TAB  Date:raw =~ /^ \t/
 describe KB_DATE_CONTAINS_TAB  Header: Date header starts with Tab
 score    KB_DATE_CONTAINS_TAB  0.5

 header   __X_MAILER_THE_BAT    X-Mailer =~ /^The Bat! /

 meta     KB_FAKED_THE_BAT      (__X_MAILER_THE_BAT && KB_DATE_CONTAINS_TAB)
 describe KB_FAKED_THE_BAT      Header: MUA faked The Bat
 score    KB_FAKED_THE_BAT      1.5


NOTE:  I only did a very brief investigation of Date: headers sent by
The Bat! users on this list. If anyone can confirm this, or has any
inside knowledge whether The Bat! can or cannot generate such headers
legitimately, please pipe up. :)

  guenther


[1] Yes, I do know this is a legitimate MUA.
[2] I just realized the __X_MAILER_THE_BAT test is redundant. It
    should be substituted by __THEBAT_MUA from 20_ratware.cf.

-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}


Re: The Bat! reanimated (suspicious Date header)

Posted by Karsten Bräckelmann <gu...@rudersport.de>.
On Wed, 2007-10-31 at 08:46 -0700, Kenneth Porter wrote:
> --On Tuesday, October 30, 2007 3:43 PM -0700 Loren Wilton 
> <lw...@earthlink.net> wrote:
> 
> > FWIW, I ran masschecks on the original posted rules and got zero hits in
> > any corpus.  That rather surprised me.  But it may indicate that this is
> > either a very recent thing or isn't all that universal.
> 
> Did you test with just the tab-in-Date rule, without The Bat qualifier? My 
> rate would have been a lot lower had I qualified it by mailer.

Yeah, just checked stats again, gathered over the last 10 days.

Surprisingly, this rule hits no less than about 20% of my spam, with
about 1% difference where the DATE_CONTAINS_TAB rule is triggered
without the mail being faked to be sent by The Bat!.

As you mentioned in your previous post already, the generic rule may be
sufficient. I didn't check carefully if there actually are legit MUAs
out there producing such headers, so I cowardly decided to go with a low
score first.

Based on Loren's results, this indeed may be rather specific stuff. But
it definitely hits hard for me. Actually, I didn't expect anything even
remotely close to 20%...


Can anyone confirm if any legit MUA ever sent out such headers?

  guenther




Re: The Bat! reanimated (suspicious Date header)

Posted by Kenneth Porter <sh...@sewingwitch.com>.
--On Tuesday, October 30, 2007 3:43 PM -0700 Loren Wilton 
<lw...@earthlink.net> wrote:

> FWIW, I ran masschecks on the original posted rules and got zero hits in
> any corpus.  That rather surprised me.  But it may indicate that this is
> either a very recent thing or isn't all that universal.

Did you test with just the tab-in-Date rule, without The Bat qualifier? My 
rate would have been a lot lower had I qualified it by mailer.



Re: The Bat! reanimated (suspicious Date header)

Posted by Loren Wilton <lw...@earthlink.net>.
FWIW, I ran masschecks on the original posted rules and got zero hits in any 
corpus.  That rather surprised me.  But it may indicate that this is either 
a very recent thing or isn't all that universal.

        Loren



Re: The Bat! reanimated (suspicious Date header)

Posted by Kenneth Porter <sh...@sewingwitch.com>.
On Friday, October 26, 2007 11:55 PM +0200 Karsten Bräckelmann
<gu...@rudersport.de> wrote:

> NOTE:  I only did a very brief investigation of Date: headers sent by
> The Bat! users on this list. If anyone can assure this, or got any
> inside knowledge whether The Bat! can or can not generate such headers
> legitimately, please pipe up. :)

Nice find. I grepped my corpus and found 432 instances of "Date: \t". It 
only appears in headers in my known-spam folder. It does appear in other 
messages, but only in the headers of forwarded messages carried in the body 
of another message. (A check of a few suggests that Mozilla does this.)

The qualification of The Bat in your meta may be too specific. I see the 
same thing happening in messages claiming to come from Outlook and Outlook 
Express. The header rule should be sufficient by itself.
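As an added example (not code from the thread or from SpamAssassin), the rules Karsten posted re-implemented as a stand-alone check over raw messages, together with the case Kenneth raises above: a tabbed "Date: \t" that only occurs inside a forwarded message in the body must not fire, because only the top-level header block is inspected. The sample messages are constructed; the assumption that "Date:raw" keeps the space after the colon follows from the posted regex /^ \t/.

```python
"""Stand-alone re-implementation of the KB_DATE_CONTAINS_TAB and
KB_FAKED_THE_BAT rules, run over constructed raw messages."""
import re

# Mirrors SpamAssassin "Date:raw" (assumption): only the top-level header
# block counts, and the text after "Name:" is kept verbatim, leading
# whitespace included, so " \t..." is what the rule's regex sees.
def raw_headers(message: str) -> dict:
    head = message.split("\n\n", 1)[0]        # header block ends at first blank line
    headers, name = {}, None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and name:  # folded continuation line
            headers[name] += "\n" + line
            continue
        m = re.match(r"([!-9;-~]+):(.*)$", line)  # RFC 5322 field-name, no colon
        if m:
            name = m.group(1).lower()
            headers.setdefault(name, m.group(2))  # keep the first occurrence
    return headers

def run_rules(message: str) -> dict:
    """Rule hits plus the combined score, using the scores from the post."""
    h = raw_headers(message)
    hits = {}
    # header KB_DATE_CONTAINS_TAB  Date:raw =~ /^ \t/
    hits["KB_DATE_CONTAINS_TAB"] = bool(re.match(r"^ \t", h.get("date", "")))
    # header __X_MAILER_THE_BAT  X-Mailer =~ /^The Bat! /  (non-raw: whitespace stripped)
    hits["__X_MAILER_THE_BAT"] = bool(re.match(r"^The Bat! ", h.get("x-mailer", "").strip()))
    # meta KB_FAKED_THE_BAT  (__X_MAILER_THE_BAT && KB_DATE_CONTAINS_TAB)
    hits["KB_FAKED_THE_BAT"] = hits["__X_MAILER_THE_BAT"] and hits["KB_DATE_CONTAINS_TAB"]
    hits["score"] = 0.5 * hits["KB_DATE_CONTAINS_TAB"] + 1.5 * hits["KB_FAKED_THE_BAT"]
    return hits

# Constructed samples, not real messages from the thread.
FORGED_THE_BAT = (
    "From: a@example.invalid\nDate: \tFri, 26 Oct 2007 10:00:00 +0200\n"
    "X-Mailer: The Bat! (v3.99.1) Professional\nSubject: hi\n\nbody\n")
NORMAL_THE_BAT = (
    "From: b@example.invalid\nDate: Fri, 26 Oct 2007 10:00:00 +0200\n"
    "X-Mailer: The Bat! (v3.99.1) Professional\nSubject: hi\n\nbody\n")
# Kenneth Porter's case: the tabbed Date: only appears in a forwarded message
# embedded in the body, so a header-only check must not fire.
FORWARDED_IN_BODY = (
    "From: c@example.invalid\nDate: Fri, 26 Oct 2007 11:00:00 +0200\n"
    "X-Mailer: Thunderbird\nSubject: Fwd: hi\n\n-------- Original Message --------\n"
    "Date: \tThu, 25 Oct 2007 09:00:00 +0200\nX-Mailer: The Bat! (v3.99.1)\n\nbody\n")

if __name__ == "__main__":
    for label, msg in [("forged", FORGED_THE_BAT), ("normal", NORMAL_THE_BAT),
                       ("forwarded", FORWARDED_IN_BODY)]:
        print(label, run_rules(msg))
```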