On Thu, September 18, 2008 8:55 am, mouss wrote:
> Skip wrote:
>
>> What can I do to increase my chances on spammies like this one:
>> http://pastebin.com/m5f5d11e0
>>
>>
>
> maybe
>
> header _CTYPE_PLAIN Content-Type =~ m|text/plain|
> header _CTRANSFER_B64 Content-Transfer-Encoding =~ m|base64|
>
> I wonder if that would have too many false positives.

It got me thinking though. I looked in the 20_body_tests.cf rules and see the following rules:

rawbody __MIME_BASE64 eval:check_for_mime('mime_base64_count')
describe __MIME_BASE64 Includes a base64 attachment

rawbody MIME_BASE64_BLANKS eval:check_for_mime('mime_base64_blanks')
describe MIME_BASE64_BLANKS Extra blank lines in base64 encoding

rawbody MIME_BASE64_TEXT eval:check_for_mime('mime_base64_encoded_text')
describe MIME_BASE64_TEXT Message text disguised using base64 encoding

and from the 20_head_tests.cf

meta FROM_EXCESS_BASE64 __FROM_ENCODED_B64 && !__FROM_NEEDS_MIME
describe FROM_EXCESS_BASE64 From: base64 encoded unnecessarily

Interestingly, I have had exactly three spams fire the MIME_BASE64_TEXT rule in the past six months, but I have had ten hams fire the rule. Too many FPs for me. Same with the FROM_EXCESS_BASE64 rule: I have had zero spams fire that rule, but have had two hams fire it (they were newsletters from Red Hat).

Sadly, these both sound like they would be good rules, but they don't seem to live up to their potential. (Btw, I am working with about 6,000 spams and 3,500 hams)

Quick aside: Does SA decode the message body before running the body tests? I was really surprised that the decoded content on this message didn't trigger any of the get rich quick rules, or my bayes.
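As an added example (not from this thread and not SpamAssassin's own code), the Python script below approximates the idea behind "base64 encoded unnecessarily" for body parts: a text part sent as base64 whose decoded bytes would have travelled fine as 7bit, while a part that genuinely needs a transfer encoding (non-ASCII text, as in many newsletters) is left alone. It also shows why a phrase pattern run over the raw message misses what the same pattern finds in the transfer-decoded text. The sample messages, the 998-byte line limit and the phrase pattern are constructed here for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

MAX_7BIT_LINE = 998  # RFC 5322 limit; longer lines genuinely need a CTE

def build_message(text, cte):
    """Constructed single-part text/plain sample with the given CTE (not real mail)."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.invalid'
    msg['Subject'] = 'constructed sample'
    msg.set_content(text, cte=cte)   # cte='base64' forces base64 even for ASCII text
    return msg.as_bytes()

def needs_transfer_encoding(data):
    """True if these bytes could not travel as 7bit: non-ASCII, NUL, or over-long lines."""
    if not data.isascii() or b'\x00' in data:
        return True
    return any(len(line) > MAX_7BIT_LINE for line in data.splitlines())

def excess_base64_parts(raw):
    """Content-Types of text parts sent as base64 although 7bit would have done
    (own approximation of the MIME_BASE64_TEXT idea, not SpamAssassin's check)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_maintype() != 'text':
            continue
        cte = str(part.get('Content-Transfer-Encoding', '')).strip().lower()
        if cte != 'base64':
            continue
        decoded = part.get_payload(decode=True)  # transfer-decoded bytes
        if decoded is not None and not needs_transfer_encoding(decoded):
            hits.append(part.get_content_type())
    return hits

def decoded_text(raw):
    """Transfer-decoded text of all text parts, i.e. what a decoded-body test sees."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return '\n'.join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == 'text')

GET_RICH = re.compile(r'get rich quick', re.I)   # stand-in for a body phrase rule

if __name__ == '__main__':
    spammy = build_message('Make money fast! Get rich quick!', 'base64')
    newsletter = build_message('Grüße aus München', 'base64')   # legitimately needs a CTE
    print(excess_base64_parts(spammy), excess_base64_parts(newsletter))
    print(bool(GET_RICH.search(spammy.decode('ascii'))), bool(GET_RICH.search(decoded_text(spammy))))
```

Running it prints `['text/plain'] []` and then `False True`: the ASCII-only base64 part is flagged, the non-ASCII one is not, and the phrase is only found once the body has been decoded.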