Hello Bob,

Tuesday, February 17, 2004, 7:29:10 AM, you wrote:

>> There is at least one evil mailer that uses random lowercase words in
>> the X-mailer field.  I have a rule to match these; it's part of an
>> upcoming "randoms" ruleset...

BA> I've found low FPs looking for "/^X-Mailer: [a-z ]*/"
BA> Would the following work?:

BA> header   T_LCASED_XMAILER X-Mailer =~ /^[a-z ]*$/
BA> describe T_LCASED_XMAILER X-Mailer contains only lowercase words
BA> score    T_LCASED_XMAILER 0.5

T_LCASED_XMAILER -- 34193s/5681h of 100794 corpus (82099s/18695h) 02/17/04

Hits 30% of my ham.

Most of the matches logged by mass-check show:
> # T_LCASED_XMAILER=""
in other words, NO x-mailer.

Include a test to exclude those, and you may have a good test.

Tuesday, February 17, 2004, 7:53:09 AM, Pierre wrote:

PT> Here's my current version -- note that the "evil" ones have a
PT> space after each word, even the last one:

PT> header RANDMAILER       X-Mailer =~ /^([a-z]{4,15} ){1,5}$/
PT> describe RANDMAILER     random words in X-Mailer field
PT> score RANDMAILER        2.0

RANDMAILER -- 1267s/0h of 100794 corpus (82099s/18695h) 02/17/04

Hits 1.5% of my spam, and no ham.  Works for me!

Bob Menschel
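
A small stand-in for the mass-check comparison above, as an added example that is not part of the original messages: it runs the two posted patterns over a constructed set of X-Mailer values and shows why `[a-z ]*` also fires when the header is absent. The corpus, the `LCASED_NONEMPTY` variant and the function names are assumptions made for illustration.

```python
import re

# Patterns copied from the two rules posted in the thread.
RULES = {
    "T_LCASED_XMAILER": re.compile(r"^[a-z ]*$"),
    "RANDMAILER": re.compile(r"^([a-z]{4,15} ){1,5}$"),
    # Assumption (not from the thread): '+' instead of '*' so an empty value cannot match.
    "LCASED_NONEMPTY": re.compile(r"^[a-z ]+$"),
}

# Constructed corpus: (class, X-Mailer value, or None when the header is absent).
CORPUS = [
    ("spam", "garden window purple "),   # random words, trailing space after each
    ("spam", "river stone "),
    ("spam", None),
    ("spam", "Microsoft Outlook Express 6.00.2800.1106"),
    ("ham", None),
    ("ham", None),
    ("ham", "mutt"),                     # legitimate all-lowercase mailer name
    ("ham", "The Bat! (v2.01)"),
    ("ham", "Apple Mail (2.612)"),
]


def header_value(x_mailer):
    """A missing header is tested as "", as in the logged T_LCASED_XMAILER="" hits."""
    return "" if x_mailer is None else x_mailer


def mass_check(corpus):
    """Return {rule_name: (spam_hits, ham_hits)} for every rule over the corpus."""
    results = {}
    for name, pattern in RULES.items():
        spam = ham = 0
        for cls, x_mailer in corpus:
            if pattern.search(header_value(x_mailer)):
                if cls == "spam":
                    spam += 1
                else:
                    ham += 1
        results[name] = (spam, ham)
    return results


if __name__ == "__main__":
    for rule, (s, h) in mass_check(CORPUS).items():
        print(f"{rule} -- {s}s/{h}h")
```

On this constructed data the `*` version counts every message without an X-Mailer header, the `+` variant still hits the plain lowercase mailer name, and the pattern that requires a space after each word hits only the random-word values.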


