I noticed another identifying feature of this spam:
header ANTIBAYES_ORIG_IP X-Originating-IP =~ /\[\p{IsAlnum}+\.(net|com|org)(\/\p{IsAlnum}+)?(IP\])?$/
describe ANTIBAYES_ORIG_IP X-Originating-IP matches pattern for anti-Bayes spam.
score ANTIBAYES_ORIG_IP 0.75 0.75 2.50 2.50
header MPOP_MUA X-Mailer =~ /\bmPOP Web-Mail\b/
describe MPOP_MUA Legitimate web-based MUA frequently abused by anti-Bayes spam.
score MPOP_MUA 0.75 0.75 2.50 2.50
header ANTIBAYES_SUBJECT Subject =~ /\bRe: ([A-Z]+|%RND_UC_CHAR\[2-8\]),\s+\p{IsGraph}+\b/
describe ANTIBAYES_SUBJECT Subject matches pattern for anti-Bayes spam.
score ANTIBAYES_SUBJECT 0.75 0.75 2.50 2.50
header ANTIBAYES_MESSAGEID MESSAGEID =~ /\b[A-Z]{7}-[0-9]{13}@\b/
describe ANTIBAYES_MESSAGEID Message-ID matches pattern for anti-Bayes spam.
score ANTIBAYES_MESSAGEID 0.75 0.75 2.50 2.50
header ANTIBAYES_ORIG_IP X-Originating-IP =~ /\[\p{IsAlnum}+\.(net|com|org)(\/\p{IsAlnum}+)?(IP\])?$/
describe ANTIBAYES_ORIG_IP X-Originating-IP matches pattern for anti-Bayes spam.
score ANTIBAYES_ORIG_IP 0.75 0.75 2.50 2.50
meta ANTIBAYES_SPAM (MPOP_MUA && ANTIBAYES_SUBJECT) || (MPOP_MUA && ANTIBAYES_MESSAGEID) || (MPOP_MUA && ANTIBAYES_ORIG_IP) || (ANTIBAYES_SUBJECT && ANTIBAYES_MESSAGEID) || (ANTIBAYES_SUBJECT && ANTIBAYES_ORIG_IP) || (ANTIBAYES_MESSAGEID && ANTIBAYES_ORIG_IP)
describe ANTIBAYES_SPAM Several indications of anti-Bayes spam.
score ANTIBAYES_SPAM 1.50 1.50 5.00 5.00
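An offline check of how these rules combine, as an added example rather than part of the original post. It assumes ASCII character classes in place of \p{IsAlnum} and \p{IsGraph} (Python's re lacks them), checks only the Message-ID header for MESSAGEID, and uses two constructed sample messages.

```python
import re
from email import message_from_string

# The page's four header patterns. Python's re has no \p{IsAlnum}/\p{IsGraph},
# so ASCII classes stand in for them (assumption); MESSAGEID is checked
# against the Message-ID header only.
RULES = {
    "MPOP_MUA": ("X-Mailer", r"\bmPOP Web-Mail\b"),
    "ANTIBAYES_SUBJECT": ("Subject", r"\bRe: ([A-Z]+|%RND_UC_CHAR\[2-8\]),\s+[\x21-\x7e]+\b"),
    "ANTIBAYES_MESSAGEID": ("Message-ID", r"\b[A-Z]{7}-[0-9]{13}@\b"),
    "ANTIBAYES_ORIG_IP": ("X-Originating-IP", r"\[[A-Za-z0-9]+\.(net|com|org)(/[A-Za-z0-9]+)?(IP\])?$"),
}
# Score sets in rule order: no Bayes/no net, no Bayes/net, Bayes/no net, Bayes/net
SCORES = {name: (0.75, 0.75, 2.50, 2.50) for name in RULES}
SCORES["ANTIBAYES_SPAM"] = (1.50, 1.50, 5.00, 5.00)

# Constructed sample messages (not taken from real mail), shaped to fit the patterns.
SPAM_LIKE = (
    "X-Mailer: mPOP Web-Mail\n"
    "Subject: Re: QWXK, hello\n"
    "Message-ID: <ABCDEFG-1234567890123@example.com>\n"
    "X-Originating-IP: [example.net/a1b2IP]\n"
    "\nbody\n"
)
ORDINARY = (
    "X-Mailer: Example Mailer\n"
    "Subject: Re: OK, thanks\n"
    "Message-ID: <1234@example.org>\n"
    "\nbody\n"
)

def evaluate(raw, score_set=3):
    """Return (rule names that hit, total score) for one raw message."""
    msg = message_from_string(raw)
    hits = [name for name, (header, pattern) in RULES.items()
            if any(re.search(pattern, value) for value in msg.get_all(header, []))]
    if len(hits) >= 2:  # same truth table as the six pairwise && clauses
        hits.append("ANTIBAYES_SPAM")
    return hits, sum(SCORES[name][score_set] for name in hits)

if __name__ == "__main__":
    for label, raw in (("spam-like", SPAM_LIKE), ("ordinary", ORDINARY)):
        print(label, evaluate(raw))
```

The ordinary message trips ANTIBAYES_SUBJECT alone, which shows why each header rule scores low on its own and the weight sits in the meta rule.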