Jeff Chan writes:
> On Thursday, June 19, 2008, 7:33:44 AM, Yet Ninja wrote:
> > Guys, you're being hit with hacked web site URIs showing up in a heavy
> > spam flood. I see Uribl.com got most of them, but in case:
>
> > rawbody GMD_R_DOT_HTML /\/r\.html$/
> > describe GMD_R_DOT_HTML Possible hacked site with porntube redirect
> > score GMD_R_DOT_HTML 3.5
>
> > Note: making it an uri rule doesn't hit them all.

if you can find a case where the uri rule doesn't match but the rawbody
does, and the URL works, please open a bug!

> > enjoy
>
> It and video.exe are Storm.

yeah, I was thinking it looked familiar. BAD_ENC_HEADER hits them all
btw, on the Subject line's encoding.

and there's some interesting regularity in the Message-ID:

Message-id: <Q0150625piByoZfn/[EMAIL PROTECTED]>
Message-id: <N7556814WYcmtrMl/[EMAIL PROTECTED]>
Message-id: <P5195955SYbtbcft/[EMAIL PROTECTED]>
Message-id: <P2384398XFKSgzjs/[EMAIL PROTECTED]>

also, odd spaces:

Date: Thu, 19 Jun 2008 17:04:32 +0200
Date: Thu, 19 Jun 2008 18:03:54 +0300
Date: Thu, 19 Jun 2008 17:03:49 +0200
Date: Thu, 19 Jun 2008 10:02:50 -0500

--j.
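
The two indicators discussed in this thread, checked together over a message, as an added example that is not part of the original post and is not SpamAssassin code. The Message-ID pattern is an assumption inferred from the four samples quoted above (the part after "/" is redacted on the page and is not matched); the function name, indicator names and sample messages are constructed for illustration.

```python
import re
from email import message_from_string

# Same pattern as the rawbody rule quoted in the thread; it is tested
# against each raw body line, so "$" means end of that line.
R_DOT_HTML = re.compile(r"/r\.html$")

# Assumption: shape seen in the four quoted samples only, i.e. one capital
# letter, seven digits, eight letters, then "/".
MSGID_SHAPE = re.compile(r"^<[A-Z][0-9]{7}[A-Za-z]{8}/")


def check_message(raw):
    """Return the sorted names of the (hypothetical) indicators that fire."""
    msg = message_from_string(raw)
    hits = set()
    if MSGID_SHAPE.match((msg.get("Message-ID") or "").strip()):
        hits.add("MSGID_SHAPE")
    for part in msg.walk():
        payload = part.get_payload()
        if not isinstance(payload, str):  # multipart container, skip
            continue
        if any(R_DOT_HTML.search(line) for line in payload.splitlines()):
            hits.add("R_DOT_HTML")
    return sorted(hits)


# Constructed sample messages (not taken from the spam run).
SUSPECT = (
    "Message-ID: <Q0150625piByoZfn/placeholder@example.com>\n"
    "Subject: test\n\n"
    "Watch this\nhttp://hacked.example/r.html\n"
)
BENIGN = (
    "Message-ID: <20080619150432.12345@example.org>\n"
    "Subject: hi\n\n"
    "See http://example.org/r.html for details.\n"
)

if __name__ == "__main__":
    print(check_message(SUSPECT))
    print(check_message(BENIGN))
```

The benign sample contains the same path mid-line, which shows why the end-of-line anchor in the quoted rule matters for false positives.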