Yay, mc-fast is back. And what nice feedback it sent me…
Freqs for those rules in 'mc-fast' mass-check:

  MSECS    SPAM%     HAM%    S/O  RANK  SCORE  NAME
      0     1996     1999  0.500  0.00   0.00  (all messages)
0.00000  49.9625  50.0375  0.500  0.00   0.00  (all messages as %)
0.00000  41.1323   0.0000  1.000  1.00   0.01  T_PQRTW_4
Could it possibly be I just created a killer rule to identify > 40% spam with no false positives? Seriously low scoring spam. Using a single, really short RE? Could it possibly be there is one major spammer out there, that uses this easy to catch fingerprint on all his spam? And that no one spotted it before…?
Granted, that’s just a tiny pre-flight corpus used for some very basic, fast evaluation. Eagerly awaiting the real mass-check results tomorrow…
Could be a short-term phenomenon, where one botnet sends out a massive spam-wave. Next week that rule might not catch much.
Yes, of course. After seeing the mass-check results, it appears this indeed is a phenomenon, limited to a few corpora and last week's stream. Coincidentally, that’s what feeds the pre-flight.
However, this is not an isolated case. The rule has been rotting for weeks, if not months, in a hacking env. Spam with this signature used to be sneaky before, and is again with different content.