A recent discussion about The Bat! [1] the other day reminded me of some sneaky spam that frequently managed to score below 15. They caught my eye for another fact in the first place, though. They all have a specific Date: header strangeness in common: a Tab char. It was only after that that I realized they all pretended to be sent by The Bat!.
A few days ago I finally got around to writing a custom rule to catch these. No spam should be scoring below 15, right? ;-) For the benefit of everyone and for public discussion, here are the rules [2].

After catching 270 such spam, only an additional 3 messages actually hit the Date with Tab rule, but were not forged to be sent by The Bat!.

  header   KB_DATE_CONTAINS_TAB  Date:raw =~ /^ \t/
  describe KB_DATE_CONTAINS_TAB  Header: Date header starts with Tab
  score    KB_DATE_CONTAINS_TAB  0.5

  header   __X_MAILER_THE_BAT    X-Mailer =~ /^The Bat! /
  meta     KB_FAKED_THE_BAT      (__X_MAILER_THE_BAT && KB_DATE_CONTAINS_TAB)
  describe KB_FAKED_THE_BAT      Header: MUA faked The Bat
  score    KB_FAKED_THE_BAT      1.5

NOTE: I only did a very brief investigation of Date: headers sent by The Bat! users on this list. If anyone can assure this, or has any inside knowledge whether The Bat! can or cannot generate such headers legitimately, please pipe up. :)

  guenther

[1] Yes, I do know this is a legitimate MUA.
[2] I just realized the __X_MAILER_THE_BAT test is redundant. It should be substituted by __THEBAT_MUA from 20_ratware.cf.

-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
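The two rules above re-expressed as a stand-alone Python check, for trying the logic on saved messages outside SpamAssassin. This is an added example, not part of the original post and not SpamAssassin code. It assumes the raw Date value is everything after the colon exactly as sent; the function names, the sample message and its The Bat! version string are constructed.

```python
import re

# Patterns and scores copied from the rules in the post.
DATE_TAB = re.compile(r"^ \t")
THE_BAT = re.compile(r"^The Bat! ")
SCORES = {"KB_DATE_CONTAINS_TAB": 0.5, "KB_FAKED_THE_BAT": 1.5}

# Constructed sample: tab after "Date: " plus a The Bat! X-Mailer header.
SAMPLE = ("From: sender@example.com\r\n"
          "Date: \tMon, 01 Jan 2007 10:00:00 +0100\r\n"
          "X-Mailer: The Bat! (v3.0) Professional\r\n"
          "Subject: hello\r\n\r\nbody\r\n")


def raw_headers(message):
    """Yield (name, raw_value) pairs from the header block.

    Assumption: the raw value is the text after the colon, with leading
    whitespace and folded continuation lines kept as sent.
    """
    head = re.split(r"\r?\n\r?\n", message, maxsplit=1)[0]
    name, value = None, ""
    for line in re.split(r"\r?\n", head):
        if line[:1] in (" ", "\t") and name is not None:
            value += "\n" + line      # folded continuation line
            continue
        if name is not None:
            yield name, value
        name, sep, value = line.partition(":")
        if not sep:
            name = None               # not a header line, skip it
    if name is not None:
        yield name, value


def evaluate(message):
    """Return (names of rules hit, total score) for one message."""
    date = mailer = None
    for name, value in raw_headers(message):
        key = name.strip().lower()
        if key == "date" and date is None:
            date = value              # kept raw, like Date:raw
        elif key == "x-mailer" and mailer is None:
            mailer = value.strip()    # non-raw test: surrounding space dropped
    hits = []
    if date is not None and DATE_TAB.search(date):
        hits.append("KB_DATE_CONTAINS_TAB")
        if mailer is not None and THE_BAT.search(mailer):
            hits.append("KB_FAKED_THE_BAT")
    return hits, sum(SCORES[h] for h in hits)
```

`evaluate(SAMPLE)` reports both rules; a message with the same X-Mailer but an ordinary Date header reports none.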