-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- ------- Forwarded Message
Date: Wed, 04 Feb 2004 10:44:26 -0800
From: Regis Wilson <rwilson@wmgnp.tempdomainname.com>
To: spamassassin-users-owner@incubator.apache.org
Subject: [RD] Message-ID ratware patterns
I've done a lot of research on the message IDs and got some goodies formulated
here. At least one of these has been posted by someone else, but I lost the
reference. Please forgive my plagiarism. My ham corpus is almost
non-existent so I need help determining false positives. Thanks.
Yes, unfortunately, these message-id checks are extremely easy to dodge and
subject to false positives. But an extra half a point here and there can make
a difference, I hope.
Please beware the line breaks; I'm sending every definition on one line but
it could get broken up.
header RATWR1_MESSID Message-Id =~ /^<[A-Z]+-\d+@[a-z']+>$/
describe RATWR1_MESSID Message-Id matches a known spammer pattern (XXX-999@xxxx)
score RATWR1_MESSID 1.0
header RATWR2_MESSID Message-ID =~ /<[A-Z0-9]{7,13}-[A-Z0-9]{3,11}-[A-Z0-9]{2,6}[^-]*\@/i
describe RATWR2_MESSID Message-ID has ratware pattern (XXX-XX-XXX@)
score RATWR2_MESSID 3.2
header RATWR3_MESSID Message-ID =~ /<[A-F0-9]{32}\@/
describe RATWR3_MESSID Message-ID has ratware pattern (32 HEX@)
score RATWR3_MESSID 0.1
header RATWR4_MESSID Message-ID =~ /<[^A-Z0-9]/i
describe RATWR4_MESSID Message-ID has ratware pattern (leading non-alphanum)
score RATWR4_MESSID 0.1
header RATWR5_MESSID Message-ID =~ /<\d\d?[\$-]/
describe RATWR5_MESSID Message-ID has ratware pattern (9-, 9$, 99-)
score RATWR5_MESSID 0.1
header RATWR6_MESSID Message-ID =~ /<0{6}\d{6}\$\d/
describe RATWR6_MESSID Message-ID has ratware pattern (000009999$9)
score RATWR6_MESSID 0.1
header RATWR7a_MESSID Message-ID =~ /<[a-z0-9]{12}(\$[a-z0-9]{8}){2}\@/
describe RATWR7a_MESSID Message-ID has ratware pattern (12hex$8hex$8hex@)
score RATWR7a_MESSID 0.1
header RATWR7b_MESSID Message-ID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
describe RATWR7b_MESSID Message-ID has ratware pattern (7hex$4hex$4hex@)
score RATWR7b_MESSID 0.1
header RATWR8_MESSID Message-ID =~ /<([a-z0-9]*[-\$]){4}/i
describe RATWR8_MESSID Message-ID has ratware pattern (excessive dashes and dollars)
score RATWR8_MESSID 0.1
header RATWR9_MESSID Message-ID =~ /<\d{8,12}\.\d{12,19}\@/
describe RATWR9_MESSID Message-ID has ratware pattern (9999.99999999@)
score RATWR9_MESSID 0.1
header RATWR10_MESSID Message-ID =~ /<[0-9A-Z]{8}\.[0-9A-Z]{7}\@/
describe RATWR10_MESSID Message-ID has ratware pattern (HEXHEX.HEXHEX@)
score RATWR10_MESSID 0.1
header RATWR11_MESSID Message-ID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
describe RATWR11_MESSID Message-ID has ratware pattern (HEXHEXHEX$9x9@)
score RATWR11_MESSID 0.1
header RATWR12_MESSID Message-ID =~ /<\d{10}\.\d{4}\@/
describe RATWR12_MESSID Message-ID has ratware pattern (999999.999@)
score RATWR12_MESSID 0.1
header RATWR13_MESSID Message-ID =~ /<\d{8}\.\d{13}\.JavaMail\.[a-z]+\@/
describe RATWR13_MESSID Message-ID has ratware pattern (999999.9999999.JavaMail.)
score RATWR13_MESSID 0.1
header RATWR14_MESSID Message-ID =~ /<\d{5}\.\d{7}\@/
describe RATWR14_MESSID Message-ID has ratware pattern (99999.9999999@)
score RATWR14_MESSID 0.1
header RATWR15_MESSID Message-ID =~ /<1z.+\@1z/
describe RATWR15_MESSID Message-ID has ratware pattern (1zXXXX@1z)
score RATWR15_MESSID 0.1
header RATWR16_MESSID Message-ID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
describe RATWR16_MESSID Message-ID has ratware pattern (9.9.99.9999999hex@)
score RATWR16_MESSID 0.1
header RATWR17_MESSID Message-ID =~ /<200[3456][.:][01]\d[.:][0123]\d/
describe RATWR17_MESSID Message-ID has ratware pattern (YYYY.MM.DD)
score RATWR17_MESSID 0.1
header RATWR18_MESSID Message-ID =~ /xeg\.tf\@/
describe RATWR18_MESSID Message-ID has ratware pattern (xeg.tf@)
score RATWR18_MESSID 0.1
header RATWR19_MESSID Message-ID =~ /<[A-Z]{21,38}(\.[a-z_]+)?\@/
describe RATWR19_MESSID Message-ID has ratware pattern (XXXXXXXXXXXX[.xxxxxx]@)
score RATWR19_MESSID 0.1
header RATWR20_MESSID Message-ID =~ /\@((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])>$/
describe RATWR20_MESSID Message-ID has ratware pattern (@255.255.255.255)
score RATWR20_MESSID 0.1
header RATWR21_MESSID Message-ID =~ /\@[a-z0-9]+>/i
describe RATWR21_MESSID Message-ID has ratware pattern (@xxxxx)
score RATWR21_MESSID 0.1
- ------- End of Forwarded Message
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Exmh CVS
iD8DBQFAIUJRQTcbUG5Y7woRAvA0AJ9CQ6JuGjQka8rip8la3ynyXhgm2QCffFBh
flN5MhxZSJoFYFhVi7UfuAg=
=t43B
-----END PGP SIGNATURE-----
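
Added example (not part of the forwarded message or of SpamAssassin): a small Python harness for the false-positive check the author asks for, running a subset of the rules above over known-good Message-IDs. The sample IDs are constructed, and the helper names (load_rules, hits, total, false_positives) are hypothetical.

```python
import re
from collections import Counter

# Subset of the rules from the message above, one definition per line.
RULES = r"""
header RATWR1_MESSID Message-Id =~ /^<[A-Z]+-\d+@[a-z']+>$/
score RATWR1_MESSID 1.0
header RATWR2_MESSID Message-ID =~ /<[A-Z0-9]{7,13}-[A-Z0-9]{3,11}-[A-Z0-9]{2,6}[^-]*\@/i
score RATWR2_MESSID 3.2
header RATWR4_MESSID Message-ID =~ /<[^A-Z0-9]/i
score RATWR4_MESSID 0.1
header RATWR10_MESSID Message-ID =~ /<[0-9A-Z]{8}\.[0-9A-Z]{7}\@/
score RATWR10_MESSID 0.1
header RATWR13_MESSID Message-ID =~ /<\d{8}\.\d{13}\.JavaMail\.[a-z]+\@/
score RATWR13_MESSID 0.1
header RATWR21_MESSID Message-ID =~ /\@[a-z0-9]+>/i
score RATWR21_MESSID 0.1
"""
HEADER = re.compile(r"^header\s+(\S+)\s+Message-I[dD]\s+=~\s+/(.*)/([a-z]*)$")
SCORE = re.compile(r"^score\s+(\S+)\s+([\d.]+)$")

def load_rules(text):
    """Parse 'header' and 'score' lines into {name: (compiled regex, score)}."""
    pats, scores = {}, {}
    for line in text.strip().splitlines():
        if m := HEADER.match(line):
            pats[m.group(1)] = re.compile(m.group(2), re.I if "i" in m.group(3) else 0)
        elif m := SCORE.match(line):
            scores[m.group(1)] = float(m.group(2))
    return {name: (pat, scores.get(name, 1.0)) for name, pat in pats.items()}

def hits(rules, message_id):
    """Names of the rules that fire on one Message-ID header value."""
    return [name for name, (pat, _) in rules.items() if pat.search(message_id)]

def total(rules, message_id):
    """Score the Message-ID rules alone would add to this message."""
    return sum(rules[name][1] for name in hits(rules, message_id))

def false_positives(rules, ham_ids):
    """Per rule, how many known-good Message-IDs it fires on."""
    return Counter(name for mid in ham_ids for name in hits(rules, mid))

# Constructed Message-IDs standing in for a ham corpus (not from real mail).
HAM = ["<12345678.1075840000000.JavaMail.evans@thyme>",
       "<20040204184426.GA1234@mail.example.org>",
       "<401FE2B1.7050209@example.com>"]
SPAM_LIKE = "<ABC-123@xyz>"  # constructed; matches the RATWR1 shape

if __name__ == "__main__":
    print(false_positives(load_rules(RULES), HAM), total(load_rules(RULES), SPAM_LIKE))
```

A rule that shows up in the false_positives count for a real ham corpus is a candidate for a lower score or a tighter pattern before deployment.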