On Fri, 19 Dec 2003, Christopher X. Candreva wrote:

> A Spam got through SA last night, with two things I hadn't seen before -
> Yet another form of a %RANDOM variable that isn't replaced by a value:
>
> Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned

Heh, yeah, the developer clearly screwed up in early revisions of their spam
software. Seeing a literal %RND_UC_CHAR[2-8] is a dead giveaway; later
revisions are sending 2-8 random upper-case characters in that spot.

As people pointed out, the backhair set (THANKS Jennifer) helps detect this
one, but many were still getting through here. So here is my solution; this
plus backhair catches all the ones I've seen so far.

#
# $Id: rnd_uc_char.cf,v 1.2 2003/12/19 20:08:50 bjn Exp $
# SpamAssassin RND_UC_CHAR pattern
#
# Thanks to "Christopher X. Candreva" <chris AT westnet DOT com>
# http://marc.theaimsgroup.com/?l=spamassassin-talk&m=107184646319270&w=2
#
# This type of email is generated by some kind of spamware package.
# The first pattern shows where the developer screwed up. :-)
# The second pattern is where they fixed their bug; we might have
# false-positives there, so use a tight pattern and score it lower.
# The third pattern appears in all emails I've seen of this type.
#
###########################################################################

header SUBJ_RND_UC_CHAR_L Subject =~ /\%RND_UC_CHAR/
describe SUBJ_RND_UC_CHAR_L Subject contains literal RND_UC_CHAR tag
score SUBJ_RND_UC_CHAR_L 5.0

header SUBJ_RND_UC_CHAR Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
describe SUBJ_RND_UC_CHAR Subject fits RND_UC_CHAR pattern
score SUBJ_RND_UC_CHAR 2.0

header XOIP_RND_UC_CHAR X-Originating-IP =~ /\[.*\.(com|net|org|biz).*IP\]/
describe XOIP_RND_UC_CHAR X-Originating-IP fits RND_UC_CHAR pattern
score XOIP_RND_UC_CHAR 2.0

-- 
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti
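Added example, not part of the original message or its author's rule file: a Python check that runs the three regexes from the rules above against constructed headers and sums the scores. It shows that the second pattern also fires on an ordinary reply subject, which is the false-positive risk the rule comments give as the reason for the lower score. The sample messages, the X-Originating-IP value format and the evaluate() helper are assumptions made for illustration.

```python
import re
from email import message_from_string

# The three rules from the message: (rule name, header, regex, score).
RULES = [
    ("SUBJ_RND_UC_CHAR_L", "Subject", r"\%RND_UC_CHAR", 5.0),
    ("SUBJ_RND_UC_CHAR", "Subject",
     r"^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$", 2.0),
    ("XOIP_RND_UC_CHAR", "X-Originating-IP",
     r"\[.*\.(com|net|org|biz).*IP\]", 2.0),
]


def evaluate(raw_message):
    """Return (names of rules that hit, summed score) for one raw message."""
    msg = message_from_string(raw_message)
    names, total = [], 0.0
    for name, header, pattern, score in RULES:
        # A header rule hits if any instance of that header matches.
        if any(re.search(pattern, v) for v in msg.get_all(header, [])):
            names.append(name)
            total += score
    return names, total


def make(subject, xoip):
    """Build a minimal constructed message with the two headers of interest."""
    return f"Subject: {subject}\nX-Originating-IP: {xoip}\n\nbody\n"


# Constructed samples. The X-Originating-IP values are assumptions shaped to
# match (or not match) the third rule; the real header is not shown above.
SAMPLES = {
    # Early spamware revision: the template tag was never expanded.
    "unexpanded": make("Re: %RND_UC_CHAR[2-8], he inadvertently turned",
                       "[mail.example.com IP]"),
    # Later revision: the tag is replaced by 2-8 random upper-case letters.
    "expanded": make("Re: QWXZT, he inadvertently turned",
                     "[mail.example.com IP]"),
    # Ordinary reply that happens to fit the tight subject pattern.
    "legit": make("Re: OK, see you tomorrow", "[192.0.2.10]"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        hits, score = evaluate(raw)
        print(f"{label:10s} score={score:.1f} hits={hits}")
```

The constructed legitimate reply hits only SUBJ_RND_UC_CHAR for 2.0 points, below SpamAssassin's default required score of 5.0, while both spam variants also pick up the X-Originating-IP rule.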