mc-fast says thumbs up

Yay, mc-fast is back. And what nice feedback it sent me…

Freqs for those rules in 'mc-fast' mass-check:
  MSECS    SPAM%     HAM%     S/O    RANK   SCORE  NAME
      0     1996     1999    0.500   0.00    0.00  (all messages)
0.00000  49.9625  50.0375    0.500   0.00    0.00  (all messages as %)
0.00000  41.1323   0.0000    1.000   1.00    0.01  T_PQRTW_4

Could it possibly be I just created a killer rule to identify > 40% spam with no false positives? Seriously low scoring spam. Using a single, really short RE? Could it possibly be there is one major spammer out there who uses this easy-to-catch fingerprint on all his spam? And that no one spotted it before…?

Granted, that’s just a tiny pre-flight corpus used for some very basic, fast evaluation. Eagerly awaiting the real mass-check results tomorrow…

2 Responses to “mc-fast says thumbs up”

  1. Joe Buck says:

    Could be a short-term phenomenon, where one botnet sends out a massive spam-wave. Next week that rule might not catch much.

  2. kbrae says:

    Yes, of course. After seeing the mass-check results, it appears this indeed is a phenomenon limited to a few corpora and last week's stream. Coincidentally, that's what feeds the pre-flight.

    However, this is not an isolated case. The rule has been rotting for weeks, if not months, in a hacking env. Spam with this signature used to be sneaky before, and is again with different content.