A spam got through SA last night, with two things I hadn't seen before - yet
another form of a %RANDOM variable that isn't replaced by a value:

Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned

And a bizarre X-Originating-IP header:

X-Originating-IP: [530000x.netIP]

I whipped up a little rule to take care of the first. Is there any
possibility the second is legit? Otherwise, I would say a rule that makes
sure X-Originating-IP headers actually have an IP in them would be in order:

header SUBJ_HAS_RND_TAG Subject =~ /\%RND_UC_CHAR/
describe SUBJ_HAS_RND_TAG Subject contains Random tag
score SUBJ_HAS_RND_TAG 2

Full original spam attached.
==========================================================
Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816
WestNet Internet Services of Westchester
http://www.westnet.com/
From [EMAIL PROTECTED] Fri Dec 19 03:31:41 2003
Return-Path: <[EMAIL PROTECTED]>
Received: from jubal.westnet.com (jubal.westnet.com [206.24.6.9])
	by westnet.com (8.12.10/8.12.10) with ESMTP id hBJ8VfQk023500
	for <[EMAIL PROTECTED]>; Fri, 19 Dec 2003 03:31:41 -0500 (EST)
Received: from ALAN ([210.61.88.212])
	by jubal.westnet.com (8.12.10/8.12.10) with SMTP id hBJ8VfMA020865
	for <[EMAIL PROTECTED]>; Fri, 19 Dec 2003 03:31:45 -0500 (EST)
Received: from [210.61.88.212] by 530000x.netIP with HTTP;
	Fri, 19 Dec 2003 01:31:09 -0700
From: "Sybil Cordero" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: [530000x.netIP]
Date: Fri, 19 Dec 2003 12:32:09 +0400
Reply-To: "Cordero Sybil" <[EMAIL PROTECTED]>
Content-Type: multipart/alternative;
	boundary="--ALT--KMXN96989606866675"
Message-Id: <[EMAIL PROTECTED]>

----ALT--KMXN96989606866675
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
cheerleader rudolf luxuriate deathbed prague eligible injure uracil raphael
arid bloodhound coleus heroine tawny fritz brittle althea
assemblage hoot indwell deductible affiance chill chevalier cloture
----ALT--KMXN96989606866675
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit
<HTML><HEAD>
<BODY>
<p>Fr</leeway>ee Ca</hind>ble- TV</p>
<a href="http://www.530000x.net/cable/">
<img border="0" src="http://www.530000x.net/fiter3.jpg"></a>
wacky crimp aphorism antler brahmaputra mugging amos triumphal proximity oneida dyeing
connally ow booze repugnant cargoes chrysler approximant abnormal beguile straighten
comport godfather <BR>
wapiti vivid integument teleology coven kraft czech othello mao crochet chub diagnoses
foxtail craftspeople conceit <BR>
</BODY>
</HTML>
----ALT--KMXN96989606866675--
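
The two header checks discussed in the message above, written out as a standalone Python sketch. This is an added example, not part of the original post and not SpamAssassin code. The RND_/RANDOM_ tag prefixes, the function names and the XOIP_NOT_AN_IP name are assumptions made for illustration; it goes slightly beyond the posted rule by matching any tag with those prefixes and by accepting IPv6 literals.

```python
import ipaddress
import re
from email import message_from_string

# Unexpanded mailer template tokens such as %RND_UC_CHAR[2-8].
# Assumption: the RND_/RANDOM_ prefixes generalize the single tag seen above.
TEMPLATE_TAG = re.compile(r"%(?:RND|RANDOM)_[A-Z0-9_]+(?:\[\d+-\d+\])?")

def unexpanded_tags(subject):
    """Return template tokens left unreplaced in a Subject line."""
    return TEMPLATE_TAG.findall(subject or "")

def originating_ip_is_bogus(value):
    """True when X-Originating-IP is present but does not hold an IP address.

    A missing header (None) returns False: absence is normal for most mail,
    only a present-but-invalid value is treated as suspicious.
    """
    if value is None:
        return False
    candidate = value.strip().strip("[]").strip()
    try:
        ipaddress.ip_address(candidate)  # accepts IPv4 and IPv6 literals
    except ValueError:
        return True
    return False

def check_headers(raw_message):
    """Return the names of the checks that fire for one raw message."""
    msg = message_from_string(raw_message)
    hits = []
    if unexpanded_tags(msg["Subject"]):
        hits.append("SUBJ_HAS_RND_TAG")
    if originating_ip_is_bogus(msg["X-Originating-IP"]):
        hits.append("XOIP_NOT_AN_IP")  # hypothetical rule name
    return hits

# Constructed samples: SPAM reuses the two headers quoted in the post,
# HAM is a made-up legitimate webmail message.
SPAM = (
    "Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned\n"
    "X-Originating-IP: [530000x.netIP]\n\nbody\n"
)
HAM = "Subject: Re: lunch on Friday\nX-Originating-IP: [192.0.2.17]\n\nbody\n"

if __name__ == "__main__":
    print(check_headers(SPAM))
    print(check_headers(HAM))
```

The missing-header case matters when porting the second check to a negated header match, which would otherwise also fire on mail that has no X-Originating-IP header at all.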