Hey Chris, thanks for the plug! I posted all of them to bugzilla <http://bugzilla.spamassassin.org/show_bug.cgi?id=2997> I don't have the random med ones in there, but am going to add them now. The ones up on bugzilla don't have scores, but for anything with symbol and then RND or RANDOM I score at about 6 on a threshold of 5. I love when spammers screw up like this, it makes life a lot easier.
Mike > -----Original Message----- > From: Chris Santerre [mailto:[EMAIL PROTECTED] > Sent: Thursday, February 05, 2004 10:12 AM > To: 'Loren Wilton'; [EMAIL PROTECTED] > Subject: RE: Obvious spamware programming screwup that didn't > get caught > > > > > > -----Original Message----- > > From: Loren Wilton [mailto:[EMAIL PROTECTED] > > Sent: Thursday, February 05, 2004 12:20 AM > > To: [EMAIL PROTECTED] > > Subject: *****SPAM***** Obvious spamware programming screwup > > that didn't > > get caught > > > > > > I just got a spam that was caught by a couple of my local and > > very specific > > rules, but otherwise would have made it through with flying > > colors. Yet it > > has some really obvious screwups that I would have expected > > some rule to > > catch. Notice: > > > > Subject: FWD: Got all meds 4 U. %RND_MEDS_4PILLS & > > %RND_MEDS_2PILLS eJTtq > > > > Aside from the suspicious FWD in uppercase, note the %RND_xxx tags. > > > > In the body: > > > > We ship the following: %RND_MEDS_LIST > > <p> > > Plus: %RND_ALL_OTHER_MEDS > > <p> > > > > Again, my favorite %RND_xxx tags. > > > > Shouldn't there already be a rule to catch this sort of thing? > *Snip* > > From Mike K. , I'm not sure if there is any more. This covers > a lot. IT > should only be 3 lines, but wrapped lines. > > rawbody MK_RATWARE_OOPS_01 > /(?:(?:\%\s?(?:RND_|RANDOM(?:URL|IMA|SYB|([UL]C_)?CHAR|TEXT|WO > RD)))|STRING_C > ONST\%?|CUSTOM[0-9]_|!RANDOM_NUMBERS!|\[RANDOMIZE\]|\$R\s?A\s? > N\s?D\s?O\s?M\ > s?I\s?Z\s?E|\\messages\\names.{0,5}\.txt)/i > describe MK_RATWARE_OOPS_01 Spammer doesn't know how to use > ratware properly > (1) > score MK_RATWARE_OOPS_01 .55 # Change to taste. 75 freakin million! > > --Chris >
