[Mimedefang] Massive spam with randon subjects

Brent J. Nordquist b-nordquist at bethel.edu
Fri Dec 19 15:38:10 EST 2003 

On Fri, 19 Dec 2003, Marcelo Souza <mpsouza at centroin.com.br> wrote:

> 	Recently I notice a massive incoming messages with subjects like
> these:
> 
> Re: QCWGQOA, from the final
> 
> 	And some unwise spammer, show me part of the construction method of
> the line:
> 
> Re: %RND_UC_CHAR[2-8], the two quarrelling
> 
> 	Some of you has build any filter or SA rule to catch it?

Mine appears below; currently catching 100%.  Yes, the RND_UC_CHAR is
clearly a developer screw-up and I am taking full advantage of it.  :-)  
I also did some surfing to the spamassassin list and found out about the
"backhair" (chuckle) ruleset which catches the "unsightly HTML tags" these
emails have.

#
# $Id: rnd_uc_char.cf,v 1.2 2003/12/19 20:08:50 bjn Exp $
# SpamAssassin RND_UC_CHAR pattern
#
# Thanks to "Christopher X. Candreva" <chris AT westnet DOT com>
# http://marc.theaimsgroup.com/?l=spamassassin-talk&m=107184646319270&w=2
#
# This type of email is generated by some kind of spamware package.
# The first pattern shows where the developer screwed up.  :-)
# The second pattern is where they fixed their bug; we might have
# false-positives there, so use a tight pattern and score it lower.
# The third pattern appears in all emails I've seen of this type.
#
###########################################################################

header SUBJ_RND_UC_CHAR_L	Subject =~ /\%RND_UC_CHAR/
describe SUBJ_RND_UC_CHAR_L	Subject contains literal RND_UC_CHAR tag
score SUBJ_RND_UC_CHAR_L	5.0

header SUBJ_RND_UC_CHAR		Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
describe SUBJ_RND_UC_CHAR	Subject fits RND_UC_CHAR pattern
score SUBJ_RND_UC_CHAR		2.0

header XOIP_RND_UC_CHAR		X-Originating-IP =~ /\[.*\.(com|net|org|biz).*IP\]/
describe XOIP_RND_UC_CHAR	X-Originating-IP fits RND_UC_CHAR pattern
score XOIP_RND_UC_CHAR		2.0

-- 
Brent J. Nordquist <b-nordquist at bethel.edu> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti

More information about the MIMEDefang mailing list