Posted to users@spamassassin.apache.org by Robert Menschel <Ro...@Menschel.net> on 2005/02/02 03:46:27 UTC

Re: rule based on mime version header

Hello Eric,

Friday, December 17, 2004, 11:00:12 AM, you wrote:

EF> I've noticed an interesting ratware pattern in the Mime-Version field
EF> that uses "produced by" and then a combination of two random words and a
EF> random version number. ...

EF> header          MIME_VER_RATTY       Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$/
EF> describe        MIME_VER_RATTY       Ratware sig found in mime type
EF> score           MIME_VER_RATTY       0.0001

EF> The hits occurred on approx 1% of messages passed through the SA server.
EF> Risks:  There may possibly be a 'produced by' sig I haven't seen through
EF> Google searches, or someone may create a matching sig on valid software
EF> in the future.

Sorry to take so long to run a mass-check on this.  My results:
OVERALL    SPAM      HAM      S/O    RANK  SCORE  NAME
  95101    59678    35423    0.628   0.00   0.00  (all messages)
    399      399        0    1.000   0.00   1.00  MIME_VER_RATTY

OVERALL%   SPAM%     HAM%     S/O    RANK   SCORE  NAME
  95101    59678    35423    0.628   0.00    0.00  (all messages)
100.000  62.7522  37.2478    0.628   0.00    0.00  (all messages as %)
  0.420   0.6686   0.0000    1.000   0.00    1.00  MIME_VER_RATTY

Not quite 1% of all spam, but a goodly percentage, and no ham.

I suspect it overlaps significantly a SARE rule or two, but I'll be
running that check this weekend.

Bob Menschel
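To exercise the rule's regex and the hit tally outside SpamAssassin, here is an added Python example (not code from Eric, Bob, or the SpamAssassin project): it applies the MIME_VER_RATTY pattern to constructed Mime-Version headers and counts spam hits, ham hits and S/O as spam hits over all hits, which reproduces the figures in the table above. The header-dict layout, the sample corpus and the helper names are assumptions of this example.

```python
import re

# The Mime-Version pattern from Eric's MIME_VER_RATTY rule (quoted above).
# Python's re and Perl agree on every construct used here, and like the
# SpamAssassin rule there is no /i flag, so the match is case-sensitive.
MIME_VER_RATTY = re.compile(r"^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$")


def mime_ver_ratty(headers):
    """Return True when the message's Mime-Version header matches the rule.
    `headers` maps header name -> value; names are compared case-insensitively
    (assumed layout for this example, not SpamAssassin's own message object)."""
    for name, value in headers.items():
        if name.lower() == "mime-version":
            return MIME_VER_RATTY.search(value.strip()) is not None
    return False  # no Mime-Version header at all: the rule cannot fire


def mass_check(corpus):
    """Mini mass-check over a labelled corpus of (headers, is_spam) pairs.
    Returns (spam_hits, ham_hits, s_o) with s_o = spam hits / all hits,
    rounded to 3 places like the S/O column above, or None if nothing hit."""
    spam_hits = sum(1 for h, spam in corpus if spam and mime_ver_ratty(h))
    ham_hits = sum(1 for h, spam in corpus if not spam and mime_ver_ratty(h))
    total = spam_hits + ham_hits
    return spam_hits, ham_hits, (round(spam_hits / total, 3) if total else None)


# Constructed sample headers (invented for this example, not from any corpus).
CORPUS = [
    ({"MIME-Version": "1.0 (produced by phantom 3.4)"}, True),        # ratware shape
    ({"Mime-Version": "1.0 (produced by quasar 0.9)"}, True),         # header name case differs
    ({"MIME-Version": "1.0"}, False),                                  # ordinary MUA
    ({"MIME-Version": "1.0 (Apple Message framework v624)"}, False),  # real-world comment, no hit
    ({"MIME-Version": "1.0 (produced by Phantom 3.4)"}, False),       # capital letter: no hit
    ({"MIME-Version": "1.0 (produced by phantom cloud 3.4)"}, True),  # two words: regex allows one
    ({"Content-Type": "text/plain"}, True),                           # no Mime-Version header
]

if __name__ == "__main__":
    print(mass_check(CORPUS))  # (2, 0, 1.0): two spam hits, no ham, S/O 1.000
```

Note that the pattern as written admits a single lowercase word between "produced by" and the version, so a two-word variant is not matched; that is worth knowing when comparing coverage against the overlapping SARE rule.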



Re: rule based on mime version header

Posted by Loren Wilton <lw...@earthlink.net>.
> EF> header          MIME_VER_RATTY       Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20}
>
> I suspect it overlaps significantly a SARE rule or two, but I'll be
> running that check this weekend.

It actually overlaps a rule that is almost identical that is targeted at
exactly the same pattern.

        Loren