Hello Eric,

Friday, December 17, 2004, 11:00:12 AM, you wrote:

EF> I've noticed an interesting ratware pattern in the Mime-Version field
EF> that uses "produced by" and then a combination of two random words and a
EF> random version number.
...
EF> header MIME_VER_RATTY Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$/
EF> describe MIME_VER_RATTY Ratware sig found in mime type
EF> score MIME_VER_RATTY 0.0001

EF> The hits occurred on approx 1% of messages passed through the SA server.

EF> Risks: There may possibly be a 'produced by' sig I haven't seen through
EF> Google searches, or someone may create a matching sig on valid software
EF> in the future.

Sorry to take so long to run a mass-check on this. My results:

 OVERALL     SPAM      HAM     S/O    RANK   SCORE  NAME
   95101    59678    35423    0.628   0.00    0.00  (all messages)
     399      399        0    1.000   0.00    1.00  MIME_VER_RATTY

OVERALL%    SPAM%     HAM%     S/O    RANK   SCORE  NAME
   95101    59678    35423    0.628   0.00    0.00  (all messages)
 100.000  62.7522  37.2478    0.628   0.00    0.00  (all messages as %)
   0.420   0.6686   0.0000    1.000   0.00    1.00  MIME_VER_RATTY

Not quite 1% of all spam, but a goodly percentage, and no ham. I suspect it
overlaps significantly a SARE rule or two, but I'll be running that check
this weekend.

Bob Menschel
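
An added example, not part of the original thread and not SpamAssassin's own code: the quoted MIME_VER_RATTY pattern applied to a small constructed corpus, with the percentage columns of the report above recomputed from the raw counts. The header values are constructed samples, and S/O is computed as spam% / (spam% + ham%), which is an assumption about how the report derives it (with zero ham hits it is 1.000 either way).

```python
import re

# Pattern copied from the MIME_VER_RATTY rule quoted in the message.
MIME_VER_RATTY = re.compile(r"^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$")

# Constructed corpus of (label, Mime-Version value); not taken from real mail.
SAMPLE = [
    ("spam", "1.0 (produced by quietlantern 4.2)"),
    ("spam", "1.0 (produced by zx 0.9)"),
    ("spam", "1.0"),
    ("ham", "1.0"),
    ("ham", "1.0 (Apple Message framework v619)"),
    # Capitals, an internal space and a two-digit minor version: no hit.
    ("ham", "1.0 (produced by Example Mailer 2.10)"),
]

def rule_hits(value):
    """True if the Mime-Version value matches the quoted rule."""
    return MIME_VER_RATTY.search(value.strip()) is not None

def count_hits(corpus):
    """Return (spam_hits, n_spam, ham_hits, n_ham) for labelled values."""
    hits = {"spam": 0, "ham": 0}
    totals = {"spam": 0, "ham": 0}
    for label, value in corpus:
        totals[label] += 1
        hits[label] += rule_hits(value)
    return hits["spam"], totals["spam"], hits["ham"], totals["ham"]

def frequencies(spam_hits, n_spam, ham_hits, n_ham):
    """Return (overall%, spam%, ham%, S/O) from raw hit counts.

    S/O here is spam% / (spam% + ham%); that formula is an assumption.
    It is None when the rule hit nothing at all.
    """
    spam_pct = 100.0 * spam_hits / n_spam if n_spam else 0.0
    ham_pct = 100.0 * ham_hits / n_ham if n_ham else 0.0
    total = n_spam + n_ham
    overall_pct = 100.0 * (spam_hits + ham_hits) / total if total else 0.0
    denom = spam_pct + ham_pct
    so = spam_pct / denom if denom else None
    return overall_pct, spam_pct, ham_pct, so

if __name__ == "__main__":
    print("constructed corpus:", frequencies(*count_hits(SAMPLE)))
    # Raw counts from the mass-check table in the message.
    print("mass-check counts: ", frequencies(399, 59678, 0, 35423))
```
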