Mailing List Archive

TRACKER_ID_BODY
Hi,

Does anyone know the details of the test "TRACKER_ID_BODY"? I received two nearly identical SPAM e-mails two minutes apart.
The bogus "From:" line was different in each one. The subject and first line of body in the first e-mail was:

> Subject: Cable-TV Filter Lets You Get It ALL-FOR-NOTHING, ID: n498ix02
> ID: 1504zY20

The subject and first line of body in the second e-mail was:

> Subject: Cable-TV Filter Lets You Get It ALL-FOR-NOTHING, ID: r328Ib72
> ID: D524va50

The random gibberish at the end of each SPAM was different but I don't think that's relevant to this question (is it)? The question
is, why does the second e-mail score 3.8 for the "TRACKER_IN_BODY" test but the first one does not?

* 3.8 TRACKER_ID BODY: Incorporates a tracking ID number

My Bayesian scored them both 99% likely SPAM (5.4) so they were caught, but my co-worker got a copy as well and his Bayesian,
perhaps not as well trained, only gave it a 90-99% SPAM (2.1) and the e-mail (along with about 400 other types of SPAM over the
weekend) ended up in his Inbox. My weekend was good ... only one SPAM got through. We're looking for reasons why we had such
vastly different results and this is the first inconsistent test result we've found.

Regards,
Ragnar
Re: TRACKER_ID_BODY
At 10:37 AM 5/17/2004, Ragnar Paulson wrote:
>Hi,
>
>Does anyone know the details of the test "TRACKER_ID_BODY"? I received
>two nearly identical SPAM e-mails two minutes apart.
>The bogus "From:" line was different in each one. The subject and first
>line of body in the first e-mail was:
>
> > Subject: Cable-TV Filter Lets You Get It ALL-FOR-NOTHING, ID: n498ix02
> > ID: 1504zY20
>
>The subject and first line of body in the second e-mail was:
>
> > Subject: Cable-TV Filter Lets You Get It ALL-FOR-NOTHING, ID: r328Ib72
> > ID: D524va50
>
>The random gibberish at the end of each SPAM was different but I don't
>think that's relevant to this question (is it)? The question
>is, why does the second e-mail score 3.8 for the "TRACKER_IN_BODY" test
>but the first one does not?
>
> * 3.8 TRACKER_ID BODY: Incorporates a tracking ID number

The tracker_id rule doesn't look for IDs like the one you quoted from the
body. It requires at LEAST 24 characters of ID:

20_body_tests.cf:body TRACKER_ID /^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\z/is

It matches things like this:
KxLhORD0SKJpa3oulqJXbSd1tzJASO3ZhxET
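
The rule quoted in the reply above, ported to Python and run over the ID lines from this thread. This is an added example, not part of the original messages or of SpamAssassin's code; tracker_hits() is a hypothetical helper, the boundary strings are constructed, and it assumes the rule is tried against one body line at a time.

```python
import re

# Python port of the TRACKER_ID pattern quoted in the reply.
# Perl's \z (absolute end of string) is \Z in Python; /is maps to
# IGNORECASE | DOTALL. Minimum match is 6 + 12 + 6 = 24 characters,
# maximum is 24 + 36 + 24 = 84, and ^ ... \Z means the ID must be the
# whole line apart from trailing whitespace.
TRACKER_ID = re.compile(
    r"^[a-z0-9]{6,24}[-_a-z0-9]{12,36}[a-z0-9]{6,24}\s*\Z",
    re.IGNORECASE | re.DOTALL,
)

# Lines taken from the two messages in this thread.
THREAD_LINES = [
    "Subject: Cable-TV Filter Lets You Get It ALL-FOR-NOTHING, ID: n498ix02",
    "ID: 1504zY20",
    "Subject: Cable-TV Filter Lets You Get It ALL-FOR-NOTHING, ID: r328Ib72",
    "ID: D524va50",
    "KxLhORD0SKJpa3oulqJXbSd1tzJASO3ZhxET",  # example from the reply
]

# Constructed boundary cases (not from the thread).
BOUNDARY_LINES = [
    "a" * 23,               # one character short of the minimum
    "a" * 24,               # exactly the minimum
    "a" * 24 + "  \n",      # trailing whitespace is allowed by \s*\Z
    "ID: " + "a" * 36,      # long ID, but not at the start of the line
    "a" * 85,               # one character over the maximum
]


def tracker_hits(lines):
    """Return the lines the ported rule fires on, each line tested alone."""
    return [line for line in lines if TRACKER_ID.search(line)]


if __name__ == "__main__":
    for line in THREAD_LINES + BOUNDARY_LINES:
        verdict = "HIT " if TRACKER_ID.search(line) else "miss"
        print(verdict, repr(line[:50]), len(line.strip()))
```

None of the 8-character "ID:" lines hit; only a line that consists entirely of a 24 to 84 character token does.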