On Fri, 19 Dec 2003, Christopher X. Candreva wrote:

> A Spam got through SA last night, with two things I hadn't seen before - Yet
> another form of a %RANDOM variable that isn't replaced by a value:
> 
> Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned

   That's a "ratware misfire".  The spammer is too stupid to use
his own software effectively.  I saw several hundred of those at
my PPOE this past week.

> And a bizarre X-Originating-IP header:
> 
> X-Originating-IP: [530000x.netIP]

   530000.net is the site he was trying to spamvertise.

> I whipped up a little rule to take care of the first, is there any
> possibility the second is legit? Otherwise, I would say a rule that makes
> sure X-Originating-IP headers actually have an IP in them would be in order:
> 
> header SUBJ_HAS_RND_TAG         Subject =~ /\%RND_UC_CHAR/
> describe SUBJ_HAS_RND_TAG       Subject contains Random tag
> score SUBJ_HAS_RND_TAG          2

   That'll account for the misfires, but not the "real" spams.  Not
that binning the misfires is a bad thing (they ought to be a *very*
good indicator of compromised third-party systems).

   What's the general consensus in the anti-spam community:  Should we
file a complaint with the ISP who hosts such compromised systems?  I'm
*not* interested in getting innocent bystanders crucified by over-
vigilant ISP staff, but I don't exactly think that we can stand by
and do nothing.  Thoughts on this, and conversation, are most welcome.

+------------------------------------------------+---------------------+
| Carl Richard Friend (UNIX Sysadmin)            | West Boylston       |
| Minicomputer Collector / Enthusiast            | Massachusetts, USA  |
| mailto:[EMAIL PROTECTED]                        +---------------------+
| http://users.rcn.com/crfriend/museum           | ICBM: 42:22N 71:47W |
+------------------------------------------------+---------------------+
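
Both header checks discussed in this thread, written out in Python as an added example that is not part of the original message: it flags unexpanded template tags in the Subject and X-Originating-IP values that do not parse as an IP address. The rule names, the generalized `%NAME_...` tag pattern (broader than the single tag quoted above), and the second sample message are assumptions constructed for illustration.

```python
import email
import ipaddress
import re

# Unexpanded ratware template tag such as %RND_UC_CHAR[2-8]. Requiring an
# underscore in the name (an assumption) avoids matching text like "50%OFF".
TEMPLATE_TAG = re.compile(r"%[A-Z]+_[A-Z0-9_]+(?:\[[^\]]*\])?")

def check_headers(raw_message):
    """Return a sorted list of (hypothetical) rule names that fire."""
    msg = email.message_from_string(raw_message)
    hits = set()
    if TEMPLATE_TAG.search(msg.get("Subject", "")):
        hits.add("SUBJ_HAS_TEMPLATE_TAG")
    # A missing header is not a hit; only a header that is present but
    # carries no parseable IPv4/IPv6 address is.
    for value in msg.get_all("X-Originating-IP", []):
        candidate = value.strip().strip("[]").strip()
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            hits.add("XOIP_NOT_AN_IP")
    return sorted(hits)

# Header values taken from the message quoted in this thread.
MISFIRE_SAMPLE = (
    "Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned\n"
    "X-Originating-IP: [530000x.netIP]\n"
    "\n"
    "body\n"
)

# Constructed sample: a documentation-range IP and a harmless '%' in the Subject.
CLEAN_SAMPLE = (
    "Subject: Re: 100%CPU on the mail relay\n"
    "X-Originating-IP: [192.0.2.44]\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for name, raw in (("misfire", MISFIRE_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, check_headers(raw))
```
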



_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
