All the time actually, but it's all over the place, often in fake tags and comments in the HTML body code, or in the subject where the name ought to be. I don't know that it is effective to stop this by filtering for the variables they use because such patterns don't last long in my experience.

Notice the "%RND_UC_CHAR[2-8]" in the subject. Looks like broken spam software that is supposed to insert RaNDom characters into the subject. We've seen this coming from a variety of sources. I guess we can just filter for that string in the SUBJECT? It's not failing enough tests to give it a high enough weight.
Anyone else seeing this?
This is the type of message though that typically has many characteristics that my own custom filters are tagging. Relying exclusively on RBL's and built-in technical tests will let a lot of this stuff through; however, at the same time, there are many patterns which are common enough to this sort of spam that you should be able to catch it.
The FOREIGN/TLD filter set that I shared yesterday for instance would have added at least 3 points to this message and possibly two more depending on the X-Declude-Sender which you cut out. This type of spam also tends to randomize the From, HELO and MAILFROM addresses, and/or use common domains like aol.com or yahoo.com, in which case some points from a SPAMDOMAINS test would be effective. The body often has gibberish in it, if not the subject, and my GIBBERISH filters work for that, or they use obfuscation to hide URL's from filtering software which can also be caught without keeping track of the URL's themselves. This spam is also commonly sent from zombie machines resulting from virus infections, and they are often on residential broadband networks, in which case my DYNAMIC filter might add some points (but not in this case). Message Sniffer also might be tracking the URL's in the body for another potential hit.
Maybe if you shared the entirety of the message body plus the MAILFROM, I and others could tell you what commonly used/shared filters might be effective.
Matt
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
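Added example, not part of the message above and not Declude filter syntax: a Python scorer that matches the general shape of an unexpanded spamware placeholder rather than the one literal string, in the Subject, the From display name and the raw body markup, and adds weight instead of blocking outright. The regular expression is generalised from the single sample "%RND_UC_CHAR[2-8]"; the weights, function names and sample message are assumptions.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header

# Shape generalised from the page's one sample, "%RND_UC_CHAR[2-8]": a percent
# sign, an upper-case macro name containing an underscore, an optional [n-m] range.
PLACEHOLDER = re.compile(r"%[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+(?:\[\d+(?:-\d+)?\])?")

# Hypothetical weights: enough to push a borderline message over a hold
# threshold, not enough to condemn a message on this test alone.
WEIGHTS = {"subject": 5, "from": 5, "body": 3}

def _header_text(value):
    """Decode RFC 2047 encoded-words so an encoded Subject cannot hide a token."""
    try:
        return str(make_header(decode_header(value or "")))
    except (LookupError, UnicodeError, ValueError):
        return value or ""

def score_placeholders(raw_message):
    """Return (score, hits) where hits maps location -> list of tokens found."""
    msg = message_from_string(raw_message)
    hits = {}
    for name in ("subject", "from"):
        found = PLACEHOLDER.findall(_header_text(msg.get(name)))
        if found:
            hits[name] = found
    body_found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        # Matching the raw markup also covers tokens left in comments and fake tags.
        body_found += PLACEHOLDER.findall(payload.decode("utf-8", errors="replace"))
    if body_found:
        hits["body"] = body_found
    return sum(WEIGHTS[k] for k in hits), hits

# Constructed sample; only the Subject token comes from the thread, the
# From and body tokens are invented to exercise the other locations.
SAMPLE = (
    "From: %FROM_NAME <a@example.com>\n"
    "Subject: %RND_UC_CHAR[2-8] great offer\n"
    "\n"
    "<html><!-- %RND_WORD --><body>50%OFF today</body></html>\n"
)

if __name__ == "__main__":
    print(score_placeholders(SAMPLE))
```

Requiring an underscore in the macro name keeps ordinary text such as "50%OFF" from matching, which is why the test is scored as a weight rather than used as a hard reject.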
