Mailing List Archive

[RD] Message-ID ratware patterns (fwd)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


------- Forwarded Message

Date: Wed, 04 Feb 2004 10:44:26 -0800
From: Regis Wilson <rwilson@wmgnp.tempdomainname.com>
To: spamassassin-users-owner@incubator.apache.org
Subject: [RD] Message-ID ratware patterns

I've done a lot of research on the message IDs and got some goodies formulated
here. At least one of these has been posted by someone else, but I lost the
reference. Please forgive my plagiarism. My ham corpus is almost
non-existent so I need help determining false positives. Thanks.

Yes, unfortunately, these message-id checks are extremely easy to dodge and
subject to false positives. But an extra half a point here and there can make
a difference, I hope.

Please beware the line breaks; I'm sending every definition on one line but
it could get broken up.

header RATWR1_MESSID Message-Id =~ /^<[A-Z]+-\d+@[a-z']+>$/
describe RATWR1_MESSID Message-Id matches a known spammer pattern (XXX-999@xxxx)
score RATWR1_MESSID 1.0

header RATWR2_MESSID Message-ID =~ /<[A-Z0-9]{7,13}-[A-Z0-9]{3,11}-[A-Z0-9]{2,6}[^-]*\@/i
describe RATWR2_MESSID Message-ID has ratware pattern (XXX-XX-XXX@)
score RATWR2_MESSID 3.2

header RATWR3_MESSID Message-ID =~ /<[A-F0-9]{32}\@/
describe RATWR3_MESSID Message-ID has ratware pattern (32 HEX@)
score RATWR3_MESSID 0.1


header RATWR4_MESSID Message-ID =~ /<[^A-Z0-9]/i
describe RATWR4_MESSID Message-ID has ratware pattern (leading non-alphanum)
score RATWR4_MESSID 0.1

header RATWR5_MESSID Message-ID =~ /<\d\d?[\$-]/
describe RATWR5_MESSID Message-ID has ratware pattern (9-, 9$, 99-)
score RATWR5_MESSID 0.1

header RATWR6_MESSID Message-ID =~ /<0{6}\d{6}\$\d/
describe RATWR6_MESSID Message-ID has ratware pattern (000009999$9)
score RATWR6_MESSID 0.1

header RATWR7a_MESSID Message-ID =~ /<[a-z0-9]{12}(\$[a-z0-9]{8}){2}\@/
describe RATWR7a_MESSID Message-ID has ratware pattern (12hex$8hex$8hex@)
score RATWR7a_MESSID 0.1

header RATWR7b_MESSID Message-ID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
describe RATWR7b_MESSID Message-ID has ratware pattern (7hex$4hex$4hex@)
score RATWR7b_MESSID 0.1

header RATWR8_MESSID Message-ID =~ /<([a-z0-9]*[-\$]){4}/i
describe RATWR8_MESSID Message-ID has ratware pattern (excessive dashes and dollars)
score RATWR8_MESSID 0.1

header RATWR9_MESSID Message-ID =~ /<\d{8,12}\.\d{12,19}\@/
describe RATWR9_MESSID Message-ID has ratware pattern (9999.99999999@)
score RATWR9_MESSID 0.1

header RATWR10_MESSID Message-ID =~ /<[0-9A-Z]{8}\.[0-9A-Z]{7}\@/
describe RATWR10_MESSID Message-ID has ratware pattern (HEXHEX.HEXHEX@)
score RATWR10_MESSID 0.1

header RATWR11_MESSID Message-ID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
describe RATWR11_MESSID Message-ID has ratware pattern (HEXHEXHEX$9x9@)
score RATWR11_MESSID 0.1

header RATWR12_MESSID Message-ID =~ /<\d{10}\.\d{4}\@/
describe RATWR12_MESSID Message-ID has ratware pattern (999999.999@)
score RATWR12_MESSID 0.1

header RATWR13_MESSID Message-ID =~ /<\d{8}\.\d{13}\.JavaMail\.[a-z]+\@/
describe RATWR13_MESSID Message-ID has ratware pattern (999999.9999999.JavaMail.)
score RATWR13_MESSID 0.1

header RATWR14_MESSID Message-ID =~ /<\d{5}\.\d{7}\@/
describe RATWR14_MESSID Message-ID has ratware pattern (99999.9999999@)
score RATWR14_MESSID 0.1

header RATWR15_MESSID Message-ID =~ /<1z.+\@1z/
describe RATWR15_MESSID Message-ID has ratware pattern (1zXXXX@1z)
score RATWR15_MESSID 0.1

header RATWR16_MESSID Message-ID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
describe RATWR16_MESSID Message-ID has ratware pattern (9.9.99.9999999hex@)
score RATWR16_MESSID 0.1

header RATWR17_MESSID Message-ID =~ /<200[3456][.:][01]\d[.:][0123]\d/
describe RATWR17_MESSID Message-ID has ratware pattern (YYYY.MM.DD)
score RATWR17_MESSID 0.1

header RATWR18_MESSID Message-ID =~ /xeg\.tf\@/
describe RATWR18_MESSID Message-ID has ratware pattern (xeg.tf@)
score RATWR18_MESSID 0.1

header RATWR19_MESSID Message-ID =~ /<[A-Z]{21,38}(\.[a-z_]+)?\@/
describe RATWR19_MESSID Message-ID has ratware pattern (XXXXXXXXXXXX[.xxxxxx]@)
score RATWR19_MESSID 0.1

header RATWR20_MESSID Message-ID =~ /\@((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])>$/
describe RATWR20_MESSID Message-ID has ratware pattern (@255.255.255.255)
score RATWR20_MESSID 0.1

header RATWR21_MESSID Message-ID =~ /\@[a-z0-9]+>/i
describe RATWR21_MESSID Message-ID has ratware pattern (@xxxxx)
score RATWR21_MESSID 0.1



------- End of Forwarded Message

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFAIUJRQTcbUG5Y7woRAvA0AJ9CQ6JuGjQka8rip8la3ynyXhgm2QCffFBh
flN5MhxZSJoFYFhVi7UfuAg=
=t43B
-----END PGP SIGNATURE-----
Re: [RD] Message-ID ratware patterns (fwd)
Looking at my own message ids for the past month, I see that the pattern of
two or more $ in a row only occurs in spam, and occurs regularly. Also
three or more - in a row seems to only occur in spam, but is much less
regular. With just over 400000 spam, 5000 match the 2 or more $ rule and
660 match the three or more - rule. However both of these types of spam
generally score over 45 with most of the custom rulesets from this list
active, bayes and network tests on. In more restrictive environments though
testing for these could yield good results.

The following is untested, possibly inaccurate and probably inefficient.

header BAD_MSG_ID1 Message-Id =~ /^<.*([$]{2,}|[-]{3,}).*>$/
describe BAD_MSG_ID1 Message-Id contains 2+ $ or 3+ - in a row
score BAD_MSG_ID1 2.0




Justin Mason <jm@jmason.org> wrote to SpamAssassin-users@incubator.apache.org on 02/04/2004 12:04 PM, Subject: [RD] Message-ID ratware patterns (fwd):

Re: [RD] Message-ID ratware patterns (fwd)
The first rule I posted below is broken. I have improved it
significantly with some more testing and verification if someone wants to
mass-check it.

header BAD_MSG_ID1 Message-Id =~ /^<.*([-\$]{3}|[\$]{2}|[.]{2}|[\\]{2}).*>$/
describe BAD_MSG_ID1 Message-Id contains common spam signs.
score BAD_MSG_ID1 2.0

Andrew_Hoying@blm.gov wrote on 02/04/2004 12:54:46 PM:

> Looking at my own message ids for the past month, I see that the pattern of
> two or more $ in a row only occurs in spam, and occurs regularly. Also
> three or more - in a row seems to only occur in spam, but is much less
> regular. With just over 400000 spam, 5000 match the 2 or more $ rule and
> 660 match the three or more - rule. However both of these types of spam
> generally score over 45 with most of the custom rulesets from this list
> active, bayes and network tests on. In more restrictive environments though
> testing for these could yield good results.
>
> The following is untested, possibly inaccurate and probably inefficient.
>
> header BAD_MSG_ID1 Message-Id =~ /^<.*([$]{2,}|[-]{3,}).*>$/
> describe BAD_MSG_ID1 Message-Id contains 2+ $ or 3+ - in a row
> score BAD_MSG_ID1 2.0
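The original post asks for help mass-checking the RATWR rules against ham, and the follow-up asks the same for the revised BAD_MSG_ID1 rule. The harness below is an added example, not code from this thread and not SpamAssassin's own rule engine: it parses rule lines in SpamAssassin's `header NAME Header =~ /re/flags` and `score` syntax, compiles them with Python's `re` in place of Perl (the posted patterns use only syntax the two share; only the `/i` flag is handled), and counts ham versus spam hits per rule over a constructed, hand-labelled list of Message-ID values. The rule subset, the corpus and its labels are all invented for the example; the ham entries merely imitate the Message-ID shapes that mutt, Exim, Outlook Express and JavaMail produce, so the counts illustrate the false-positive check, they do not measure anything.

```python
"""Mini mass-check for SpamAssassin-style Message-ID rules (added example)."""
import re

# SpamAssassin 'header' and 'score' lines; 'describe' lines are ignored.
RULE_RE = re.compile(r"^header\s+(\S+)\s+([\w-]+)\s+=~\s+/(.*)/([a-z]*)\s*$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")

# A subset of the rules posted in this thread, each rejoined onto one line.
POSTED_RULES = r"""
header RATWR1_MESSID Message-Id =~ /^<[A-Z]+-\d+@[a-z']+>$/
score RATWR1_MESSID 1.0
header RATWR2_MESSID Message-ID =~ /<[A-Z0-9]{7,13}-[A-Z0-9]{3,11}-[A-Z0-9]{2,6}[^-]*\@/i
score RATWR2_MESSID 3.2
header RATWR3_MESSID Message-ID =~ /<[A-F0-9]{32}\@/
score RATWR3_MESSID 0.1
header RATWR7a_MESSID Message-ID =~ /<[a-z0-9]{12}(\$[a-z0-9]{8}){2}\@/
score RATWR7a_MESSID 0.1
header RATWR8_MESSID Message-ID =~ /<([a-z0-9]*[-\$]){4}/i
score RATWR8_MESSID 0.1
header RATWR12_MESSID Message-ID =~ /<\d{10}\.\d{4}\@/
score RATWR12_MESSID 0.1
header RATWR13_MESSID Message-ID =~ /<\d{8}\.\d{13}\.JavaMail\.[a-z]+\@/
score RATWR13_MESSID 0.1
header RATWR21_MESSID Message-ID =~ /\@[a-z0-9]+>/i
score RATWR21_MESSID 0.1
header BAD_MSG_ID1 Message-Id =~ /^<.*([-\$]{3}|[\$]{2}|[.]{2}|[\\]{2}).*>$/
score BAD_MSG_ID1 2.0
"""

# Constructed sample corpus (not real mail): (Message-ID header value, is_spam).
# The ham entries imitate the shapes that common MUAs/MTAs generate.
SAMPLE_CORPUS = [
    ("<20040204184426.GA12345@mutt.example.org>", False),               # mutt-like
    ("<E1AoPbd-0003Ux-Qr@mail.example.com>", False),                    # Exim-like
    ("<000e01c3eb5a$1a2b3c4d$0a01a8c0@workstation>", False),            # Outlook Express-like
    ("<12345678.1234567890123.JavaMail.tomcat@app.example.com>", False),  # JavaMail-like
    ("<HELLO-12345@yahoo>", True),
    ("<ABCDEFG-12345-XY9@example.com>", True),
    ("<abc$$def@spam.example>", True),
    ("<1234567890.1234@spam.example>", True),
    ("<8B3E1A2F9C0D4E5F6A7B8C9D0E1F2A3B@mx.example.net>", True),
    ("<a-b-c-d-e@spam.example>", True),
]


def parse_rules(text):
    """Return {name: (compiled_regex, score)} from SA-style rule text.

    A 'header' rule with no 'score' line gets SpamAssassin's default of 1.0.
    Only the /i flag is honoured; the posted rules use no other flag.
    """
    regexes, scores = {}, {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            name, _header, pattern, flags = m.groups()
            regexes[name] = re.compile(pattern, re.I if "i" in flags else 0)
            continue
        m = SCORE_RE.match(line.strip())
        if m:
            scores[m.group(1)] = float(m.group(2))
    return {n: (rx, scores.get(n, 1.0)) for n, rx in regexes.items()}


def score_message_id(rules, msgid):
    """Return (total_score, sorted hit rule names) for one Message-ID value."""
    hits = sorted(n for n, (rx, _s) in rules.items() if rx.search(msgid))
    return sum(rules[n][1] for n in hits), hits


def mass_check(rules, corpus):
    """Return {rule: (ham_hits, spam_hits)} over [(msgid, is_spam), ...]."""
    counts = {n: [0, 0] for n in rules}
    for msgid, is_spam in corpus:
        for name in score_message_id(rules, msgid)[1]:
            counts[name][int(is_spam)] += 1
    return {n: tuple(c) for n, c in counts.items()}


def ham_hitters(results):
    """Rules that fired on at least one ham ID: the false-positive candidates."""
    return sorted(n for n, (ham, _spam) in results.items() if ham)


if __name__ == "__main__":
    rules = parse_rules(POSTED_RULES)
    results = mass_check(rules, SAMPLE_CORPUS)
    print(f"{'rule':<16}{'score':>6}{'ham':>5}{'spam':>6}")
    for name, (ham, spam) in sorted(results.items()):
        print(f"{name:<16}{rules[name][1]:>6}{ham:>5}{spam:>6}")
    print("hit ham:", ", ".join(ham_hitters(results)))
```

Run as-is it prints the per-rule table; on this constructed corpus RATWR2_MESSID (scored 3.2) fires on the Exim-shaped ID, RATWR7a_MESSID on the Outlook Express-shaped one, RATWR13_MESSID on the JavaMail-shaped one and RATWR21_MESSID on any ID whose right-hand side is a bare host name, which is the kind of collision a real ham corpus should be run through before the scores are trusted. Replace SAMPLE_CORPUS with Message-ID values pulled from your own ham and spam folders to get a real answer to the poster's question.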