Mailing List Archive

Obvious spamware programming screwup that didn't get caught
I just got a spam that was caught by a couple of my local and very specific
rules, but otherwise would have made it through with flying colors. Yet it
has some really obvious screwups that I would have expected some rule to
catch. Notice:

Subject: FWD: Got all meds 4 U. %RND_MEDS_4PILLS & %RND_MEDS_2PILLS eJTtq

Aside from the suspicious FWD in uppercase, note the %RND_xxx tags.

In the body:

We ship the following: %RND_MEDS_LIST
<p>
Plus: %RND_ALL_OTHER_MEDS
<p>

Again, my favorite %RND_xxx tags.

Shouldn't there already be a rule to catch this sort of thing?

For that matter, I'm surprised there isn't a "suspicious html tags" checker.
It could be given increasing weight depending on the count of unlikely tags.
For instance, from the same spam:

</table>
</barstow></roseland></catalytic></falconry></avow></paradigmatic>
</i'll></fungoid></agreed></dakar></gemma></sousa>
</interruption></coast></testicular></bavaria></anew></brigade>

Loren
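The "suspicious html tags" checker sketched above, as an added Python example; it is not code from the thread or from SpamAssassin. It pulls every tag name out of the HTML, compares it against an assumed list of legitimate HTML 4-era element names, and turns the count of unknown tags into an escalating score. The tag list, the score tiers (0.5 / 1.5 / 3.0) and the three sample messages are all constructed for the example.

```python
import re

# Assumed list of legitimate HTML 4-era element names (my own list, not from
# the thread; extend it for the mail you actually see).
KNOWN_HTML_TAGS = frozenset("""
a abbr acronym address applet area b base basefont bdo big blockquote body br
button caption center cite code col colgroup dd del dfn dir div dl dt em
fieldset font form frame frameset h1 h2 h3 h4 h5 h6 head hr html i iframe img
input ins isindex kbd label legend li link map menu meta noframes noscript
object ol optgroup option p param pre q s samp script select small span strike
strong style sub sup table tbody td textarea tfoot th thead title tr tt u ul var
""".split())

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
# Tag name = everything after "<" or "</" up to whitespace, "/" or ">".  Keeping
# the apostrophe in the name is deliberate: Loren's </i'll> must NOT be read as
# a legitimate </i> followed by junk.
TAG_RE = re.compile(r"<\s*/?\s*([^\s>/]+)[^>]*>")


def unknown_tags(html):
    """Every tag name in html that is not a known HTML element, one entry per occurrence."""
    found = []
    for m in TAG_RE.finditer(COMMENT_RE.sub("", html)):
        name = m.group(1).lower()
        if name.startswith(("!", "?")):   # <!DOCTYPE ...>, <?xml ...>
            continue
        if name not in KNOWN_HTML_TAGS:
            found.append(name)
    return found


def bogus_tag_score(html):
    """Escalating score by count of unknown tags (tiers are an assumption, not a SpamAssassin rule)."""
    n = len(unknown_tags(html))
    if n == 0:
        return 0.0
    if n < 3:
        return 0.5    # a stray vendor tag or two: nearly free
    if n < 6:
        return 1.5
    return 3.0        # a wall of dictionary-word tags like the spam above


# Constructed sample: Loren's closing tags wrapped in a normal HTML skeleton.
SPAM_HTML = """<html><body><table><tr><td>We ship the following: %RND_MEDS_LIST</td></tr>
</table>
</barstow></roseland></catalytic></falconry></avow></paradigmatic>
</i'll></fungoid></agreed></dakar></gemma></sousa>
</interruption></coast></testicular></bavaria></anew></brigade>
</body></html>"""

# Constructed ham: plain HTML mail, every tag known.
HAM_HTML = "<html><body><p>Hi Bob,</p><table><tr><td>Q1 numbers attached.</td></tr></table></body></html>"

# Constructed ham with Outlook's namespaced <o:p> tags: unknown to the list, but
# only two of them, so the lowest tier keeps the false-positive cost small.
OUTLOOK_HTML = "<html><body><p class=MsoNormal>Hi Bob,<o:p></o:p></p></body></html>"

if __name__ == "__main__":
    for label, msg in (("spam", SPAM_HTML), ("ham", HAM_HTML), ("outlook", OUTLOOK_HTML)):
        bad = unknown_tags(msg)
        print(f"{label}: {len(bad)} unknown tag(s), score {bogus_tag_score(msg)}: {bad[:4]}")
```

The count-based tiers are the point: legitimate mail clients do emit tags that are not in any HTML element list (Outlook's `<o:p>` is the usual one), so a single unknown tag should be worth very little, while eighteen of them in a row is the spamware signature Loren is describing.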
RE: Obvious spamware programming screwup that didn't get caught
> -----Original Message-----
> From: Loren Wilton [mailto:lwilton@earthlink.net]
> Sent: Thursday, February 05, 2004 12:20 AM
> To: spamassassin-users@incubator.apache.org
> Subject: *****SPAM***** Obvious spamware programming screwup that didn't get caught
>
> I just got a spam that was caught by a couple of my local and very specific
> rules, but otherwise would have made it through with flying colors. Yet it
> has some really obvious screwups that I would have expected some rule to
> catch. Notice:
>
> Subject: FWD: Got all meds 4 U. %RND_MEDS_4PILLS & %RND_MEDS_2PILLS eJTtq
>
> Aside from the suspicious FWD in uppercase, note the %RND_xxx tags.
>
> In the body:
>
> We ship the following: %RND_MEDS_LIST
> <p>
> Plus: %RND_ALL_OTHER_MEDS
> <p>
>
> Again, my favorite %RND_xxx tags.
>
> Shouldn't there already be a rule to catch this sort of thing?
*Snip*

From Mike K., I'm not sure if there is any more. This covers a lot. It
should only be 3 lines, but wrapped lines.

rawbody MK_RATWARE_OOPS_01 /(?:(?:\%\s?(?:RND_|RANDOM(?:URL|IMA|SYB|([UL]C_)?CHAR|TEXT|WORD)))|STRING_CONST\%?|CUSTOM[0-9]_|!RANDOM_NUMBERS!|\[RANDOMIZE\]|\$R\s?A\s?N\s?D\s?O\s?M\s?I\s?Z\s?E|\\messages\\names.{0,5}\.txt)/i
describe MK_RATWARE_OOPS_01 Spammer doesn't know how to use ratware properly (1)
score MK_RATWARE_OOPS_01 .55 # Change to taste. 75 freakin million!

--Chris
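Chris's MK_RATWARE_OOPS_01 pattern ported to Python and run over constructed messages, as an added example that is not from the thread or from SpamAssassin itself. The regex is the rule's own (unwrapped, with Perl's /i as re.IGNORECASE); the scoring shim, the sample subject and bodies, and the helper that extends each hit to the end of its token are additions. It also shows the gap the rule type leaves: a rawbody rule only inspects the message body, so the %RND_MEDS_4PILLS in Loren's Subject line would need a separate header rule.

```python
import re

# Chris's MK_RATWARE_OOPS_01 regex, unwrapped; Perl's /i becomes re.IGNORECASE.
RATWARE_OOPS = re.compile(
    r"(?:(?:\%\s?(?:RND_|RANDOM(?:URL|IMA|SYB|([UL]C_)?CHAR|TEXT|WORD)))"
    r"|STRING_CONST\%?"
    r"|CUSTOM[0-9]_"
    r"|!RANDOM_NUMBERS!"
    r"|\[RANDOMIZE\]"
    r"|\$R\s?A\s?N\s?D\s?O\s?M\s?I\s?Z\s?E"
    r"|\\messages\\names.{0,5}\.txt)",
    re.IGNORECASE,
)
# Added helper: extends a hit such as "%RND_" to the whole unexpanded template
# token ("%RND_MEDS_LIST") so the report is readable.
TOKEN_TAIL = re.compile(r"\w*")


def ratware_hits(text):
    """Every ratware template leftover in text, in order, as the full token."""
    hits = []
    for m in RATWARE_OOPS.finditer(text):
        tail = TOKEN_TAIL.match(text, m.end()).group(0)
        hits.append(m.group(0) + tail)
    return hits


def classify(body, rule_score=0.55, other_score=0.0, threshold=5.0):
    """SpamAssassin-style accounting: the rule adds its score once if it fires
    (not once per hit) and the message is spam when the total reaches the
    threshold.  0.55 is Chris's suggested score; Mike scores his RND/RANDOM
    rules at about 6 against a threshold of 5."""
    hits = ratware_hits(body)
    total = other_score + (rule_score if hits else 0.0)
    return total >= threshold, round(total, 2), hits


# Constructed samples: Loren's subject and body, plus two of the rule's other
# alternations and one ham body chosen to sit close to the pattern.
SPAM_SUBJECT = "FWD: Got all meds 4 U. %RND_MEDS_4PILLS & %RND_MEDS_2PILLS eJTtq"
SPAM_BODY = "We ship the following: %RND_MEDS_LIST\n<p>\nPlus: %RND_ALL_OTHER_MEDS\n<p>\n"
OTHER_RATWARE = "Call now: $R A N D O M I Z E\nTemplate: C:\\messages\\names-1.txt\n"
HAM_BODY = "We saw 100% random text corruption in the CUSTOM build; see names.txt for the list.\n"

if __name__ == "__main__":
    # The Subject is shown separately: a rawbody rule never sees it.
    print("subject (needs a header rule):", ratware_hits(SPAM_SUBJECT))
    for label, body in (("spam", SPAM_BODY), ("other ratware", OTHER_RATWARE), ("ham", HAM_BODY)):
        print(f"{label}: {classify(body, rule_score=6.0)}")
```

The ham body is deliberately close to the pattern: "100% random text" does not fire because the rule requires RANDOM to be immediately followed by URL, IMA, SYB, CHAR, TEXT or WORD with no space, and a bare "CUSTOM" without a digit and underscore does not fire either. With Chris's 0.55 the rule on its own never pushes a message over a threshold of 5, which is the conservative choice for a pattern this broad; with Mike's 6 a single hit is a spam verdict.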
Re: Obvious spamware programming screwup that didn't get caught
On Wed, 4 Feb 2004, Loren Wilton wrote:

> I just got a spam that was caught by a couple of my local and very specific
> rules, but otherwise would have made it through with flying colors. Yet it
> has some really obvious screwups that I would have expected some rule to
> catch. Notice:
>
> Subject: FWD: Got all meds 4 U. %RND_MEDS_4PILLS & %RND_MEDS_2PILLS eJTtq
>
> Aside from the suspicious FWD in uppercase, note the %RND_xxx tags.
>
> In the body:
>
> We ship the following: %RND_MEDS_LIST
> <p>
> Plus: %RND_ALL_OTHER_MEDS
> <p>
>
> Again, my favorite %RND_xxx tags.
>
> Shouldn't there already be a rule to catch this sort of thing?

http://www.stearns.org/sa-blacklist/random.current.cf
Cheers,
- Bill

---------------------------------------------------------------------------
"We don't want an election without a paper trail...all three
owners of the companies who make these machines are donors to the Bush
administration. Is this not corruption?"
-- Gore Vidal
(Courtesy of http://www.laweekly.com/ink/03/52/features-cooper.php)
--------------------------------------------------------------------------
William Stearns (wstearns@pobox.com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
--------------------------------------------------------------------------
RE: Obvious spamware programming screwup that didn't get caught
Hey Chris, thanks for the plug! I posted all of them to bugzilla
<http://bugzilla.spamassassin.org/show_bug.cgi?id=2997>. I don't have the
random med ones in there, but am going to add them now. The ones up on
bugzilla don't have scores, but for anything with symbol and then RND or
RANDOM I score at about 6 on a threshold of 5. I love when spammers
screw up like this; it makes life a lot easier.

Mike


> -----Original Message-----
> From: Chris Santerre [mailto:csanterre@MerchantsOverseas.com]
> Sent: Thursday, February 05, 2004 10:12 AM
> To: 'Loren Wilton'; spamassassin-users@incubator.apache.org
> Subject: RE: Obvious spamware programming screwup that didn't get caught
>
> > -----Original Message-----
> > From: Loren Wilton [mailto:lwilton@earthlink.net]
> > Sent: Thursday, February 05, 2004 12:20 AM
> > To: spamassassin-users@incubator.apache.org
> > Subject: *****SPAM***** Obvious spamware programming screwup that didn't get caught
> >
> > I just got a spam that was caught by a couple of my local and very specific
> > rules, but otherwise would have made it through with flying colors. Yet it
> > has some really obvious screwups that I would have expected some rule to
> > catch. Notice:
> >
> > Subject: FWD: Got all meds 4 U. %RND_MEDS_4PILLS & %RND_MEDS_2PILLS eJTtq
> >
> > Aside from the suspicious FWD in uppercase, note the %RND_xxx tags.
> >
> > In the body:
> >
> > We ship the following: %RND_MEDS_LIST
> > <p>
> > Plus: %RND_ALL_OTHER_MEDS
> > <p>
> >
> > Again, my favorite %RND_xxx tags.
> >
> > Shouldn't there already be a rule to catch this sort of thing?
> *Snip*
>
> From Mike K., I'm not sure if there is any more. This covers a lot. It
> should only be 3 lines, but wrapped lines.
>
> rawbody MK_RATWARE_OOPS_01 /(?:(?:\%\s?(?:RND_|RANDOM(?:URL|IMA|SYB|([UL]C_)?CHAR|TEXT|WORD)))|STRING_CONST\%?|CUSTOM[0-9]_|!RANDOM_NUMBERS!|\[RANDOMIZE\]|\$R\s?A\s?N\s?D\s?O\s?M\s?I\s?Z\s?E|\\messages\\names.{0,5}\.txt)/i
> describe MK_RATWARE_OOPS_01 Spammer doesn't know how to use ratware properly (1)
> score MK_RATWARE_OOPS_01 .55 # Change to taste. 75 freakin million!
>
> --Chris