SUBJ_RAND_UC_CHAR is working well... but I just saw a variant come through.
Subject: Re: XBHGX,7844, tales of these

Looks like we'll need another rule for this guy - I guess it would be something like:

Subject =~ /^Re:\s[A-Z]{2,8},\s[0-9]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/

Can someone confirm the syntax? I'm new at rule writing.

Aaron Everett
Network Administrator
Forte Design Systems
425-869-4227 ext 125
425-869-4229 FAX
[EMAIL PROTECTED]
http://www.forteds.com
http://support.forteds.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brent J. Nordquist
Sent: Friday, December 19, 2003 12:18 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Ruleset for RND UC CHAR spam

On Fri, 19 Dec 2003, Christopher X. Candreva wrote:

> A Spam got through SA last night, with two things I hadn't seen before -
> Yet another form of a %RANDOM variable that isn't replaced by a value:
>
> Subject: Re: %RND_UC_CHAR[2-8], he inadvertently turned

Heh, yeah, the developer clearly screwed up in early revisions of their spam software. Seeing a literal %RND_UC_CHAR[2-8] is a dead giveaway; later revisions are sending 2-8 random upper-case characters in that spot.

As people pointed out, the backhair set (THANKS Jennifer) helps detect this one, but many were still getting through here. So here is my solution; this plus backhair catches all the ones I've seen so far.

#
# $Id: rnd_uc_char.cf,v 1.2 2003/12/19 20:08:50 bjn Exp $
# SpamAssassin RND_UC_CHAR pattern
#
# Thanks to "Christopher X. Candreva" <chris AT westnet DOT com>
# http://marc.theaimsgroup.com/?l=spamassassin-talk&m=107184646319270&w=2
#
# This type of email is generated by some kind of spamware package.
# The first pattern shows where the developer screwed up. :-)
# The second pattern is where they fixed their bug; we might have
# false-positives there, so use a tight pattern and score it lower.
# The third pattern appears in all emails I've seen of this type.
#
###########################################################################

header SUBJ_RND_UC_CHAR_L Subject =~ /\%RND_UC_CHAR/
describe SUBJ_RND_UC_CHAR_L Subject contains literal RND_UC_CHAR tag
score SUBJ_RND_UC_CHAR_L 5.0

header SUBJ_RND_UC_CHAR Subject =~ /^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$/
describe SUBJ_RND_UC_CHAR Subject fits RND_UC_CHAR pattern
score SUBJ_RND_UC_CHAR 2.0

header XOIP_RND_UC_CHAR X-Originating-IP =~ /\[.*\.(com|net|org|biz).*IP\]/
describe XOIP_RND_UC_CHAR X-Originating-IP fits RND_UC_CHAR pattern
score XOIP_RND_UC_CHAR 2.0

--
Brent J. Nordquist <[EMAIL PROTECTED]> N0BJN
Other contact information: http://kepler.acns.bethel.edu/~bjn/contact.html
* Fast pipe * Always on * Get out of the way - Tim Bray http://tinyurl.com/7sti

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
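Added example, not part of the original messages or of SpamAssassin: a small Python harness that runs the thread's rules and the proposed variant pattern against the subjects quoted above, using Python's `re` as a stand-in for Perl (these patterns use only syntax common to both). The `RELAXED` pattern and the subjects marked "constructed" are assumptions made for illustration.

```python
import re

# Rules transcribed from the ruleset in the thread: (name, header, pattern, score).
RULES = [
    ("SUBJ_RND_UC_CHAR_L", "Subject", r"\%RND_UC_CHAR", 5.0),
    ("SUBJ_RND_UC_CHAR", "Subject",
     r"^Re:\s[A-Z]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$", 2.0),
    ("XOIP_RND_UC_CHAR", "X-Originating-IP",
     r"\[.*\.(com|net|org|biz).*IP\]", 2.0),
]

# Pattern proposed in the reply for the variant with a numeric field.
PROPOSED = r"^Re:\s[A-Z]{2,8},\s[0-9]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$"
# Hypothetical relaxation (not from the thread): whitespace after the first
# comma is optional, so "XBHGX,7844," and "XBHGX, 7844," both match.
RELAXED = r"^Re:\s[A-Z]{2,8},\s?[0-9]{2,8},\s[a-z]+\s[a-z]+\s[a-z]+\s*$"

def matches(pattern, value):
    """True if the pattern matches anywhere in the header value."""
    return re.search(pattern, value) is not None

def evaluate(headers, rules=RULES):
    """Return (names of rules that hit, summed score) for a dict of headers."""
    hits = [name for name, hdr, pat, _ in rules
            if matches(pat, headers.get(hdr, ""))]
    total = sum(score for name, _, _, score in rules if name in hits)
    return hits, total

# Subjects as printed on this page, plus constructed samples (labelled).
LITERAL = {"Subject": "Re: %RND_UC_CHAR[2-8], he inadvertently turned"}
VARIANT = {"Subject": "Re: XBHGX,7844, tales of these"}
FIXED_BUG = {"Subject": "Re: XBHGX, tales of these"}  # constructed
HAM = {"Subject": "Re: OK, see you tomorrow"}         # constructed, legitimate mail

if __name__ == "__main__":
    for label, msg in [("literal", LITERAL), ("variant", VARIANT),
                       ("fixed-bug", FIXED_BUG), ("ham", HAM)]:
        print(label, evaluate(msg))
    for label, pat in [("proposed", PROPOSED), ("relaxed", RELAXED)]:
        print(label, matches(pat, VARIANT["Subject"]))
```

The constructed ham subject hits SUBJ_RND_UC_CHAR, which is the false-positive risk the ruleset's comments give as the reason for the 2.0 score. The proposed pattern requires whitespace after the first comma, so it does not match the variant subject as it is printed on this page.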