We've had quite a bit of spam getting through lately, all with a similarly formatted subject line:
X-F: <xxx> Mon Nov 10 15:23:57 2003 Received: from h51n1fls34o281.telia.com [213.66.91.51] by xxx (SMTPD32-6.06) id A3D216140152; Mon, 10 Nov 2003 15:23:46 -0500 Received: from 206.147.156.5 by 213.66.91.51; Mon, 10 Nov 2003 04:24:42 -0400 Message-ID: <[EMAIL PROTECTED]> From: "Heriberto" <xxx> Reply-To: "Heriberto" <xxx> To: xxx Subject: Re: %RND_UC_CHAR[2-8], rapier under their Date: Mon, 10 Nov 2003 13:20:42 +0500 X-Mailer: Internet Mail Service (5.5.2650.21) MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="--866095091364674" X-Priority: 1 X-MSMail-Priority: High X-RBL-Warning: NOABUSE: Not supporting [EMAIL PROTECTED] X-RBL-Warning: NOPOSTMASTER: Not supporting [EMAIL PROTECTED] X-RBL-Warning: ROUTING: This E-mail was routed in a poor manner consistent with spam [2000010f]. X-Warn: This message contains content that is likely spam Message failed SPAMCHK: 2. X-Declude-Sender: xxx [213.66.91.51] X-Declude-Spoolname: Df3d2152.SMD X-SpamWatch-Tests-Failed: NOABUSE, NOPOSTMASTER, IPNOTINMX, NOLEGITCONTENT, ROUTING, SPAMCHK [9] X-SpamWatch-Country-Chain: UNITED STATES->SWEDEN->destination X-SpamWatch-ReverseLookUp: h51n1fls34o281.telia.com ([213.66.91.51]). X-RCPT-TO: <xxx> X-UIDL: 364066639 Status: U Notice the "%RND_UC_CHAR[2-8]" in the subject. Looks like broken spam software that is supposed to insert RaNDom characters into the subject. We've seen this coming from a variety of sources. I guess we can just filter for that string in the SUBJECT? It's not failing enough tests to give it a high enough weight. Anyone else seeing this? -- Scot --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
