Hello,
I've noticed an interesting ratware pattern in the Mime-Version field that uses "produced by" and then a combination of two random words and a random version number. Here are a few examples:
MIME-Version: 1.0 (produced by nightgownbunyan 8.2)
MIME-Version: 1.0 (produced by lamellartramway 0.6)
MIME-Version: 1.0 (produced by contradictoryforest 9.8)
MIME-Version: 1.0 (produced by stanfordprotrusion 0.4)
The "produced by" mime version google hits seem to be the spam tool above, and:
MIME-Version: 1.0 (produced by Synapse)
MIME-Version: 1.0 (produced by MetaSend Vx.x)
Mime-Version: 1.0 (Produced by PhpWiki 1.3.x
Mime-Version: 1.0 (Produced by Tiki)
MIME-Version: 1.0 (produced by IP*Works! www.dev-soft.com)
MIME-Version: 1.0 (Produced by HUB e-mail engine)
After removing these valid types, only the spam sigs seem to remain: (google search)
http://makeashorterlink.com/?G10A12D0A
These programs do not use the same versioning style as the spam tool. I don't have a ham/spam corpus to test against but I've run the rule below for 24 hours and gotten 140 matches with no FP. More than half of the messages matched on RATWARE_RCVD_AT; all of them matched on MIME_BOUND_DD_DIGITS.
header MIME_VER_RATTY Mime-Version =~ /^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$/
describe MIME_VER_RATTY Ratware sig found in mime type
score MIME_VER_RATTY 0.0001
The hits occurred on approx 1% of messages passed through the SA server.
Risks: There may possibly be a 'produced by' sig I haven't seen through google searches, or someone may create a matching sig on valid software in the future.
I think that when checked in conjunction with MIME_BOUND_DD_DIGITS, this could create a higher confidence ratware rule. However, I'm concerned about making checks that identify things already caught by other methods -- it seems redundant & bloaty. Thoughts?
--eric
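As an added example (not part of the post above), the regex from the proposed MIME_VER_RATTY rule applied with Python's re module to the header samples the post quotes, so the match/no-match split between the ratware values and the legitimate "produced by" values can be checked offline. The sample messages are constructed here; the hit_rate helper is an assumption for comparing against the ~1% figure, not a SpamAssassin feature.

```python
import re
from email import message_from_string

# Regex copied from the MIME_VER_RATTY rule proposed in the post above.
MIME_VER_RATTY = re.compile(r"^1\.0 \(produced by [a-z]{1,20} [0-9]\.[0-9]\)$")

# Constructed sample header values: the four ratware values quoted in the post,
# plus the legitimate "produced by" values it lists as false-positive risks.
SPAM_HEADERS = [
    "1.0 (produced by nightgownbunyan 8.2)",
    "1.0 (produced by lamellartramway 0.6)",
    "1.0 (produced by contradictoryforest 9.8)",
    "1.0 (produced by stanfordprotrusion 0.4)",
]
HAM_HEADERS = [
    "1.0 (produced by Synapse)",
    "1.0 (produced by MetaSend Vx.x)",
    "1.0 (Produced by PhpWiki 1.3.x)",
    "1.0 (Produced by Tiki)",
    "1.0 (produced by IP*Works! www.dev-soft.com)",
    "1.0 (Produced by HUB e-mail engine)",
    "1.0",
]


def mime_ver_ratty(value: str) -> bool:
    """Return True when a MIME-Version header value matches the rule's regex."""
    return MIME_VER_RATTY.match(value.strip()) is not None


def scan(raw_message: str) -> list:
    """Return the names of rules that fire on one raw message (only this rule here)."""
    msg = message_from_string(raw_message)
    # Header lookup is case-insensitive, so "Mime-Version" and "MIME-Version" both match.
    value = msg.get("MIME-Version")
    return ["MIME_VER_RATTY"] if value is not None and mime_ver_ratty(value) else []


def hit_rate(raw_messages) -> float:
    """Fraction of messages on which the rule fired (assumed helper, for comparing with the post's ~1%)."""
    hits = sum(1 for m in raw_messages if scan(m))
    return hits / len(raw_messages) if raw_messages else 0.0


def build_message(mime_version: str) -> str:
    """Wrap a header value in a minimal constructed RFC 822 message."""
    return f"From: a@example.com\nMIME-Version: {mime_version}\nSubject: t\n\nbody\n"
```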