Pete,

Gotcha. Basically anything that I trapped that is over 10 KB may have failed this (because that would be indicative of having an attachment in base64). It is much less likely to have hit on things without attachments, but it of course would be possible, and the bigger it was, the more likely that it could have failed.

I also searched my Sniffer logs for the rule number and found no hits. It appears that I missed the bad rulebase.

Thanks,

Matt



Pete McNeil wrote:

On Tuesday, February 7, 2006, 6:15:13 PM, David wrote:

DS> Sorry, wrong thread on the last post.

DS> Add'l question. Pete, what is the content of the rule?

The rule info is:

Rule - 828931
Name    C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A
Created         2006-02-07
Source  C%+I%+A%+L%+I%+S%+V%+I%+A%+G%+R%+A
Hidden  false
Blocked         false
Origin  User Submission
Type    Manual
Created By      [EMAIL PROTECTED]
Owner   [EMAIL PROTECTED]
Strength        3.84258274153269
False Reports   0
From Users      0


Rule belongs to following groups
[252] Problematic

The rule was an attempt to build an abstract matching two ed pill
names (you can see them in there) while compensating for heavy
obfuscation. The mistake was in using %+ through the rule.

The rule would match the intended spam (and there was a lot of it, so
22,055 most likely includes mostly spam).

Unfortunately it would also match messages containing the listed
capital letters in that order throughout the message. Essentially, if
the text is long enough then it will probably match. A greater chance
of FP match if the text of the message is in all caps. Also if there
is a badly coded base64 segment and file attachment (badly coded
base64 might not be decoded... raw base64 will contain many of these
letters in mixed case and therefore increase the probability of
matching them all).

Hope this helps,

_M






This E-Mail came from the Message Sniffer mailing list. For information and 
(un)subscription instructions go to 
http://www.sortmonster.com/MessageSniffer/Help/Help.html