On Tue, 18 Jul 2018, Chip M. wrote:
> Here's the SA test stats for 13 of this new morph:
> FORGED_MUA_MOZILLA 1
> HTML_MESSAGE 13
> HTML_MIME_NO_HTML_TAG 13
> LOCALPART_IN_SUBJECT 13
> MIME_BASE64_TEXT 9
> MIME_HTML_ONLY 13
> RCVD_IN_SORBS_DUL 1
> RDNS_DYNAMIC 3
> TVD_RCVD_SPACE_BRACKET 6
> UNPARSEABLE_RELAY 6
> This new variant should be easy to exterminate. :)
> 1. The quick and easy combo of "HTML_MIME_NO_HTML_TAG" and
> "LOCALPART_IN_SUBJECT" is worth a meta.
> The latter test is _VERY_ rare in Ham.

Not according to masscheck.

overlap ham: 48% of LOCALPART_IN_SUBJECT hits also hit
HTML_MIME_NO_HTML_TAG; 0% of HTML_MIME_NO_HTML_TAG hits also hit
LOCALPART_IN_SUBJECT (spam 3%)

No spam overlap at all. Masscheck would not promote that.

> 2. Another meta with those two and "MIME_BASE64_TEXT" is even safer.

Part of that is a little better. Adding.

> 3. Pure numeric TLDs appear to be non-existent (so far!), so I look
> forward to you regex wizards doing your thing. :)

Adding some test rules for that.

> 4. There's lots of low risk phrases worth scoring (KAM rules?).
> 5. Riskier & more complex: The pattern of the account name occurring
> hundreds of times in HTML comments is distinctive, and "feels"
> safe, however Thick Hammers are unpredictable.
> I will be releasing a regression test for my volunteers.
> Once I get sufficient Ham stats, I'll report back.

That will be difficult to look for but the format is consistent enough
that a simpler comment rule might work.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Back in 1969 the technology to fake a Moon landing didn't exist,
but the technology to actually land there did.
Today, it is the opposite. -- unknown
-----------------------------------------------------------------------
3 days until the 49th anniversary of Apollo 11 landing on the Moon
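As an added example (not code from the thread, from SpamAssassin, or from either poster), here is a small Python detector for the three signals discussed above: an HTML-only message whose HTML part carries no html tag (an approximation of HTML_MIME_NO_HTML_TAG), the recipient's mailbox local part appearing in the Subject (the idea behind LOCALPART_IN_SUBJECT), a base64-encoded text part (MIME_BASE64_TEXT), and the count of HTML comments that repeat the account name. It combines the first three into the "meta" Chip proposed and adds a comment-count signal for item 5. The sample messages, the function names, the scores and the comment-count threshold are all constructed assumptions for this illustration, not SpamAssassin's real rule definitions or scores.

```python
"""Added example: detect the signals discussed in the thread over a message.

Assumptions (not SpamAssassin's real rules or scores): the 'no html tag' test
is approximated as 'no <html opening tag in any text/html part'; the scores
and the comment-count threshold are illustrative.
"""
import base64
import re
from email import message_from_string, policy

HTML_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
HTML_TAG_RE = re.compile(r"<html[\s>]", re.I)
COMMENT_HIT_THRESHOLD = 50  # assumption: "hundreds of times" in the thread


def local_part(address: str) -> str:
    """Mailbox local part of 'Name <user@host>' or 'user@host', lowercased."""
    addr = address.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.split("@", 1)[0].lower()


def analyze(raw: str) -> dict:
    """Parse a raw RFC 5322 message and compute the constructed signals."""
    msg = message_from_string(raw, policy=policy.default)
    lp = local_part(str(msg["To"] or ""))
    subject = str(msg["Subject"] or "").lower()
    parts = list(msg.walk())

    # get_content() decodes base64/quoted-printable and the declared charset
    html_bodies = [p.get_content() for p in parts if p.get_content_type() == "text/html"]
    has_plain = any(p.get_content_type() == "text/plain" for p in parts)

    html_only = bool(html_bodies) and not has_plain          # ~ MIME_HTML_ONLY
    no_html_tag = html_only and not any(HTML_TAG_RE.search(b) for b in html_bodies)
    lp_in_subject = bool(lp) and lp in subject               # ~ LOCALPART_IN_SUBJECT
    base64_text = any(                                       # ~ MIME_BASE64_TEXT
        p.get_content_maintype() == "text"
        and str(p.get("Content-Transfer-Encoding", "")).lower() == "base64"
        for p in parts
    )
    # Item 5 in the thread: the account name repeated inside HTML comments
    comment_hits = sum(
        1 for b in html_bodies for c in HTML_COMMENT_RE.findall(b) if lp and lp in c.lower()
    )

    score = 0.0
    if no_html_tag and lp_in_subject:                        # meta 1 (assumed score)
        score += 2.0
    if no_html_tag and lp_in_subject and base64_text:        # meta 2 (assumed score)
        score += 1.0
    if comment_hits >= COMMENT_HIT_THRESHOLD:                # comment rule (assumed)
        score += 1.5

    return {
        "html_mime_no_html_tag": no_html_tag,
        "localpart_in_subject": lp_in_subject,
        "mime_base64_text": base64_text,
        "account_name_comment_hits": comment_hits,
        "score": score,
    }


def build_sample(local: str = "alice", comment_copies: int = 300) -> str:
    """Constructed message shaped like the variant described in the thread."""
    body = f"Hi {local}, please review." + f"<!-- {local} -->" * comment_copies
    b64 = base64.encodebytes(body.encode("utf-8")).decode("ascii")
    return (
        "From: sender@example.test\n"
        f"To: {local}@example.test\n"
        f"Subject: {local} urgent notice\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/html; charset=utf-8\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + b64
    )


def build_ham_sample() -> str:
    """Constructed ordinary plain-text message that should score zero."""
    return (
        "From: colleague@example.test\n"
        "To: bob@example.test\n"
        "Subject: Meeting notes\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "Content-Transfer-Encoding: 7bit\n"
        "\n"
        "Hi Bob, notes from today attached.\n"
    )


if __name__ == "__main__":
    print(analyze(build_sample()))
    print(analyze(build_ham_sample()))
```

The masscheck point John makes still applies to this toy: the first two signals overlap in ham, so the meta gains its discriminating power from requiring all three together and from the comment-count signal, not from either of the two cheap tests on its own.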