On Fri, 19 Dec 2003, Christopher X. Candreva wrote:

> A Spam got through SA last night, with two things I hadn't seen before - 
> Yet another form of a %RANDOM variable that isn't replaced by a value:
> 
> Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned

Heh, yeah, the developer clearly screwed up in early revisions of their
spam software.  Seeing a literal %RND_UC_CHAR[2-8] is a dead giveaway;  
later revisions are sending 2-8 random upper-case characters in that spot.

As people pointed out, the backhair set (THANKS Jennifer) helps detect
this one, but many were still getting through here.  So here is my
solution; this plus backhair catches all the ones I've seen so far.

#
# $Id: rnd_uc_char.cf,v 1.2 2003/12/19 20:08:50 bjn Exp $
# SpamAssassin RND_UC_CHAR pattern
#
# Thanks to "Christopher X. Candreva" <chris AT westnet DOT com>
# http://marc.theaimsgroup.com/?l=spamassassin-talk&m=107184646319270&w=2
#
# This type of email is generated by some kind of spamware package.
# The first pattern shows where the developer screwed up.  :-)
# The second pattern is where they fixed their bug; we might have
# false-positives there, so use a tight pattern and score it lower.
# The third pattern appears in all emails I've seen of this type.
#
###########################################################################

header SUBJ_RND_UC_CHAR_L       Subject =~ /\%RND_UC_CHAR/
describe SUBJ_RND_UC_CHAR_L     Subject contains literal RND_UC_CHAR tag
score SUBJ_RND_UC_CHAR_L        5.0

header SUBJ_RND_UC_CHAR         Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
describe SUBJ_RND_UC_CHAR       Subject fits RND_UC_CHAR pattern
score SUBJ_RND_UC_CHAR          2.0

header XOIP_RND_UC_CHAR         X-Originating-IP =~ /\[.*\.(com|net|org|biz).*IP\]/
describe XOIP_RND_UC_CHAR       X-Originating-IP fits RND_UC_CHAR pattern
score XOIP_RND_UC_CHAR          2.0

-- 
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti
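
Added example, not part of the original post: a small harness that runs the three rules above over constructed messages, including a legitimate subject that trips the second pattern (the false-positive risk the rule file's comments give as the reason for its lower score). The sample headers, the X-Originating-IP value and the helper names are assumptions, and Python's re module stands in for SpamAssassin's Perl regex engine.

```python
import re
from email import message_from_string

# The post's three rules as (name, header, pattern, score). The patterns use
# only regex syntax that Perl and Python's re module share.
RULES = [
    ("SUBJ_RND_UC_CHAR_L", "Subject", re.compile(r"\%RND_UC_CHAR"), 5.0),
    ("SUBJ_RND_UC_CHAR", "Subject",
     re.compile(r"^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$"), 2.0),
    ("XOIP_RND_UC_CHAR", "X-Originating-IP",
     re.compile(r"\[.*\.(com|net|org|biz).*IP\]"), 2.0),
]

def build(subject, xoip=None):
    """Build a minimal constructed message carrying the given headers."""
    lines = ["From: sender@example.com", "Subject: " + subject]
    if xoip is not None:
        lines.append("X-Originating-IP: " + xoip)
    return "\n".join(lines) + "\n\nbody\n"

# Constructed samples. The first subject is the one quoted in the thread; the
# X-Originating-IP value is made up to fit the third pattern.
EARLY = build("Re: %RND_UC_CHAR[2-8], he inadvertently turned",
              "[host.example.com IP]")
FIXED = build("Re: QWKZT, he inadvertently turned", "[host.example.com IP]")
LEGIT = build("Re: HR, see you tomorrow")  # ordinary mail, no spamware header

def evaluate(raw_message):
    """Return (names of rules that hit, summed score) for one raw message."""
    msg = message_from_string(raw_message)
    hits, total = [], 0.0
    for name, header, pattern, score in RULES:
        # Check every instance of the header; a missing header never hits.
        if any(pattern.search(v) for v in msg.get_all(header, [])):
            hits.append(name)
            total += score
    return hits, total

if __name__ == "__main__":
    for label, raw in (("early", EARLY), ("fixed", FIXED), ("legit", LEGIT)):
        print(label, *evaluate(raw))
```
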


