Looking at my own message ids for the past month, I see that the pattern of
two or more $ in a row only occurs in spam, and occurs regularly. Also
three or more - in a row seems to only occur in spam, but is much less
regular. With just over 400000 spam, 5000 match the 2 or more $ rule and
660 match the three or more - rule. However both of these types of spam
generally score over 45 with most of the custom rulesets from this list
active, bayes and network tests on. In more restrictive environments though
testing for these could yield good results.

The following is untested, possibly inaccurate and probably inefficient.

header BAD_MSG_ID1   Message-Id =~ /^<.*([$]{2,}|[-]{3,}).*>$/
describe BAD_MSG_ID1 Message-Id contains 2+ $ or 3+ - in a row
score BAD_MSG_ID1    2.0

From:    Justin Mason <[EMAIL PROTECTED]>
Date:    02/04/2004 12:04 PM
To:      [EMAIL PROTECTED].org
cc:
Subject: [RD] Message-ID ratware patterns (fwd)



------- Forwarded Message

Date:    Wed, 04 Feb 2004 10:44:26 -0800
From:    Regis Wilson <[EMAIL PROTECTED]>
To:      [EMAIL PROTECTED]
Subject: [RD] Message-ID ratware patterns

I've done a lot of research on the message IDs and got some goodies formulated
here.  At least one of these has been posted by someone else, but I lost the
reference.  Please forgive my plagiarism.  My ham corpus is almost
non-existent so I need help determining false positives.  Thanks.

Yes, unfortunately, these message-id checks are extremely easy to dodge and
subject to false positives.  But an extra half a point here and there can make
a difference, I hope.

Please beware the line breaks; I'm sending every definition on one line but
it could get broken up.

header RATWR1_MESSID            Message-Id =~ /^<[EMAIL PROTECTED]']+>$/
describe RATWR1_MESSID          Message-Id matches a known spammer pattern (XXX-[EMAIL PROTECTED])
score RATWR1_MESSID             1.0

header RATWR2_MESSID            Message-ID =~ /<[A-Z0-9]{7,13}-[A-Z0-9]{3,11}-[A-Z0-9]{2,6}[^-]*\@/i
describe RATWR2_MESSID          Message-ID has ratware pattern (XXX-XX-XXX@)
score RATWR2_MESSID             3.2

header RATWR3_MESSID            Message-ID =~ /<[A-F0-9]{32}\@/
describe RATWR3_MESSID          Message-ID has ratware pattern (32 HEX@)
score RATWR3_MESSID             0.1


header RATWR4_MESSID            Message-ID =~ /<[^A-Z0-9]/i
describe RATWR4_MESSID          Message-ID has ratware pattern (leading non-alphanum)
score RATWR4_MESSID             0.1

header RATWR5_MESSID            Message-ID =~ /<\d\d?[\$-]/
describe RATWR5_MESSID          Message-ID has ratware pattern (9-, 9$, 99-)
score RATWR5_MESSID             0.1

header RATWR6_MESSID            Message-ID =~ /<0{6}\d{6}\$\d/
describe RATWR6_MESSID          Message-ID has ratware pattern (000009999$9)
score RATWR6_MESSID             0.1

header RATWR7a_MESSID           Message-ID =~ /<[a-z0-9]{12}(\$[a-z0-9]{8}){2}\@/
describe RATWR7a_MESSID         Message-ID has ratware pattern (12hex$8hex$8hex@)
score RATWR7a_MESSID             0.1

header RATWR7b_MESSID           Message-ID =~ /<[a-z0-9]{7}(\$[a-z0-9]{4}){2}\@/
describe RATWR7b_MESSID         Message-ID has ratware pattern (7hex$4hex$4hex@)
score RATWR7b_MESSID             0.1

header RATWR8_MESSID            Message-ID =~ /<([a-z0-9]*[-\$]){4}/i
describe RATWR8_MESSID          Message-ID has ratware pattern (excessive dashes and dollars)
score RATWR8_MESSID             0.1

header RATWR9_MESSID            Message-ID =~ /<\d{8,12}\.\d{12,19}\@/
describe RATWR9_MESSID          Message-ID has ratware pattern (9999.99999999@)
score RATWR9_MESSID             0.1

header RATWR10_MESSID           Message-ID =~ /<[0-9A-Z]{8}\.[0-9A-Z]{7}\@/
describe RATWR10_MESSID         Message-ID has ratware pattern (HEXHEX.HEXHEX@)
score RATWR10_MESSID            0.1

header RATWR11_MESSID           Message-ID =~ /<[A-Z0-9]{30}\$[0-9a-z]{9}\@/
describe RATWR11_MESSID         Message-ID has ratware pattern (HEXHEXHEX$9x9@)
score RATWR11_MESSID            0.1

header RATWR12_MESSID           Message-ID =~ /<\d{10}\.\d{4}\@/
describe RATWR12_MESSID         Message-ID has ratware pattern (999999.999@)
score RATWR12_MESSID             0.1

header RATWR13_MESSID           Message-ID =~ /<\d{8}\.\d{13}\.JavaMail\.[a-z]+\@/
describe RATWR13_MESSID         Message-ID has ratware pattern (999999.9999999.JavaMail.)
score RATWR13_MESSID             0.1

header RATWR14_MESSID           Message-ID =~ /<\d{5}\.\d{7}\@/
describe RATWR14_MESSID         Message-ID has ratware pattern (99999.9999999@)
score RATWR14_MESSID             0.1

header RATWR15_MESSID           Message-ID =~ /<[EMAIL PROTECTED]/
describe RATWR15_MESSID         Message-ID has ratware pattern ([EMAIL PROTECTED])
score RATWR15_MESSID             0.1

header RATWR16_MESSID           Message-ID =~ /<\d\.\d\.\d\d\.\d{16}[a-f0-9]{6}@/
describe RATWR16_MESSID         Message-ID has ratware pattern (9.9.99.9999999hex@)
score RATWR16_MESSID             0.1

header RATWR17_MESSID           Message-ID =~ /<200[3456][.:][01]\d[.:][0123]\d/
describe RATWR17_MESSID         Message-ID has ratware pattern (YYYY.MM.DD)
score RATWR17_MESSID             0.1

header RATWR18_MESSID           Message-ID =~ /xeg\.tf\@/
describe RATWR18_MESSID          Message-ID has ratware pattern (xeg.tf@)
score RATWR18_MESSID             0.1

header RATWR19_MESSID           Message-ID =~ /<[A-Z]{21,38}(\.[a-z_]+)?\@/
describe RATWR19_MESSID         Message-ID has ratware pattern (XXXXXXXXXXXX[.xxxxxx]@)
score RATWR19_MESSID             0.1

header RATWR20_MESSID           Message-ID =~ /\@((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])>$/
describe RATWR20_MESSID         Message-ID has ratware pattern (@255.255.255.255)
score RATWR20_MESSID             0.1

header RATWR21_MESSID           Message-ID =~ /[EMAIL PROTECTED]>/i
describe RATWR21_MESSID          Message-ID has ratware pattern (@xxxxx)
score RATWR21_MESSID             0.1



------- End of Forwarded Message

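As an added example (not from the thread and not SpamAssassin's own code), a small Python harness that reads a subset of the Message-ID rules above in the `header`/`score` syntax they are written in, compiles the Perl-style `/regex/flags` with Python's `re`, and scores a few constructed Message-IDs against them; the scores are the ones posted, the sample ids are made up, and the parser assumes only the `header NAME Message-ID =~ /regex/flags` form. The JavaMail sample shows why the poster asks for ham testing: a perfectly ordinary-looking id can hit one of these rules.

```python
import re

# Constructed subset of the Message-ID rules from the thread, posted scores kept.
RULES_CF = r"""
header RATWR2_MESSID  Message-ID =~ /<[A-Z0-9]{7,13}-[A-Z0-9]{3,11}-[A-Z0-9]{2,6}[^-]*\@/i
score RATWR2_MESSID   3.2
header RATWR3_MESSID  Message-ID =~ /<[A-F0-9]{32}\@/
score RATWR3_MESSID   0.1
header RATWR13_MESSID Message-ID =~ /<\d{8}\.\d{13}\.JavaMail\.[a-z]+\@/
score RATWR13_MESSID  0.1
header RATWR20_MESSID Message-ID =~ /\@((?:1?\d\d?|2[0-4]\d|25[0-4])\.){3}(?:1?\d\d?|2[0-4]\d|25[0-4])>$/
score RATWR20_MESSID  0.1
header BAD_MSG_ID1    Message-Id =~ /^<.*([$]{2,}|[-]{3,}).*>$/
score BAD_MSG_ID1     2.0
"""

# Assumption: only the "header NAME Message-ID =~ /regex/flags" form is handled.
HEADER_RE = re.compile(r"^header\s+(\S+)\s+Message-I[dD]\s+=~\s+/(.*)/([a-z]*)$")
SCORE_RE = re.compile(r"^score\s+(\S+)\s+(-?[0-9.]+)$")

def parse_rules(text):
    # Returns [(name, compiled_regex, score)] in definition order; unscored rules get 1.0.
    rules, scores = {}, {}
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            name, pattern, flags = m.groups()
            rules[name] = re.compile(pattern, re.I if "i" in flags else 0)
            continue
        m = SCORE_RE.match(line.strip())
        if m:
            scores[m.group(1)] = float(m.group(2))
    return [(n, rx, scores.get(n, 1.0)) for n, rx in rules.items()]

def score_message_id(msgid, rules):
    # Apply every rule to one Message-ID value; returns (names that hit, total score).
    hits = [(name, s) for name, rx, s in rules if rx.search(msgid)]
    return [h for h, _ in hits], round(sum(s for _, s in hits), 2)

# Constructed sample ids (not real mail): one per rule family plus a clean one.
SAMPLES = {
    "ratware_dashes": "<ABCD1234-XYZ9-QW12abc@example.com>",
    "hex32": "<0123456789ABCDEF0123456789ABCDEF@example.com>",
    "javamail": "<12345678.1234567890123.JavaMail.tomcat@host.example.org>",
    "dollars_ip": "<abc$$def---ghi@192.168.0.1>",
    "clean": "<20240101.abcdef@mail.example.org>",
}

def run_samples():
    rules = parse_rules(RULES_CF)
    return {k: score_message_id(v, rules) for k, v in SAMPLES.items()}
```

`run_samples()` returns, per sample, the rule names that fired and the summed score, so a rule can be checked against a ham corpus before it is given a score worth acting on.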