Fritz,

Well, you did pretty well on tagging that one I would say :) You caught it with a SPAMDOMAINS entry for instance, and I can't verify if Message Sniffer would catch this. The only additional scoring that my server would have levied outside of Message Sniffer would have been with my DYNAMIC filter (search the archives), which looks for REVDNS strings that contain IP addresses in the naming.

This particular randomization method makes use of a dictionary for inserting the random text, and the GIBBERISH filters wouldn't catch it; however, there is typically more than one type of obfuscation method used, which makes these fairly easy to tag.

The broken randomization in the subject was intended to insert a line like the following:

Subject: [5] Re: Yadda yadda yadda

This is done to fool some subject tagging systems, though I don't know how effective it is. There is a simple test for this one technique though when the randomization actually works:

   SUBJECT          15       BEGINSWITH       [0]
   SUBJECT          15       BEGINSWITH       [1]
   SUBJECT          15       BEGINSWITH       [2]
   SUBJECT          15       BEGINSWITH       [3]
   SUBJECT          15       BEGINSWITH       [4]
   SUBJECT          15       BEGINSWITH       [5]
   SUBJECT          15       BEGINSWITH       [6]
   SUBJECT          15       BEGINSWITH       [7]
   SUBJECT          15       BEGINSWITH       [8]
   SUBJECT          15       BEGINSWITH       [9]
   SUBJECT          15       CONTAINS           re[0]
   SUBJECT          15       CONTAINS           re[1]
   SUBJECT          15       CONTAINS           re[2]
   SUBJECT          15       CONTAINS           re[3]
   SUBJECT          15       CONTAINS           re[4]
   SUBJECT          15       CONTAINS           re[5]
   SUBJECT          15       CONTAINS           re[6]
   SUBJECT          15       CONTAINS           re[7]
   SUBJECT          15       CONTAINS           re[8]
   SUBJECT          15       CONTAINS           re[9]

Those are at least the two variations that I have seen, but I never seem to see this stuff getting through with the other protections in place.

Matt
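The twenty SUBJECT lines above can be exercised offline against sample subjects. The following is an added example written for this archive page; it is not Matt's code and not part of Declude. It mirrors the two variations he lists (a bracketed digit at the start of the subject, and "re" immediately followed by a bracketed digit anywhere in it), then shows that the whole list collapses to two patterns. Assumptions, labelled in the code: each matching filter line adds its weight (15), comparisons are case-insensitive, and leading whitespace in the header value is ignored. The message and subjects are constructed samples.

```python
import email
import re

# Assumption: every matching filter line adds its weight, as the lines
# above all carry 15.
RULE_WEIGHT = 15

# Expanded exactly like the filter file: ten BEGINSWITH lines and ten
# CONTAINS lines, one per digit.
RULES = (
    [("BEGINSWITH", f"[{d}]") for d in range(10)]
    + [("CONTAINS", f"re[{d}]") for d in range(10)]
)


def rule_matches(op, needle, subject):
    """Evaluate one filter line against a Subject: header value.

    Assumption: matching is case-insensitive and leading whitespace is
    ignored (a constructed reading of the filter semantics, not a claim
    about the product).
    """
    s = subject.strip().lower()
    n = needle.lower()
    if op == "BEGINSWITH":
        return s.startswith(n)
    if op == "CONTAINS":
        return n in s
    raise ValueError(f"unknown operator {op!r}")


def score_subject(subject):
    """Return (total_weight, matched_lines) for one subject value."""
    matched = [(op, n) for op, n in RULES if rule_matches(op, n, subject)]
    return RULE_WEIGHT * len(matched), matched


# The same twenty lines as two regular expressions: a bracketed single
# digit at the start, and "re" followed by a bracketed single digit.
BEGINS_RE = re.compile(r"^\[\d\]")
CONTAINS_RE = re.compile(r"re\[\d\]")


def score_subject_compact(subject):
    """Equivalent scoring using the two regexes instead of twenty lines."""
    s = subject.strip().lower()
    hits = int(bool(BEGINS_RE.search(s))) + int(bool(CONTAINS_RE.search(s)))
    return RULE_WEIGHT * hits


def score_message(raw_message):
    """Pull the Subject: header out of a raw RFC 822 message and score it."""
    msg = email.message_from_string(raw_message)
    return score_subject(msg.get("Subject", ""))[0]


# Constructed samples: the form quoted in the post, the "re[N]" form,
# a clean reply, and a subject that trips both families.
SAMPLE_SUBJECTS = [
    "[5] Re: Yadda yadda yadda",
    "Re[2]: meeting notes",
    "Re: lunch?",
    "[5] Re[3]: Yadda",
]

# Constructed message (not a real spam sample) to exercise header parsing.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: trap@example.invalid\r\n"
    "Subject: [5] Re: Yadda yadda yadda\r\n"
    "\r\n"
    "body text\r\n"
)


def score_samples():
    """Score every constructed subject; the compact form must agree."""
    results = {}
    for subj in SAMPLE_SUBJECTS:
        total, matched = score_subject(subj)
        assert total == score_subject_compact(subj), subj
        results[subj] = total
    return results


if __name__ == "__main__":
    for subj, total in score_samples().items():
        print(f"{total:3d}  {subj}")
    print(score_message(SAMPLE_MESSAGE), "from raw message")
```

The point of the compact form is only to make the filter's reach visible: it fires on exactly one bracketed digit, so a subject with `[12]` or `Re[10]` passes untouched, which is the kind of gap to keep in mind when reading the twenty-line list.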


Fritz Squib wrote:

Matt,
Great job on the filters...Thanks.

Here is one in its entirety from one of my spamtraps, only the names have
been changed to protect my 'honeypot'.

Fritz

Frederick P. Squib, Jr.
Network Operations/Mail Administrator
Citizens Telephone Company of Kecksburg
http://www.wpa.net

() ascii ribbon campaign - against html mail /\ - against microsoft attachments


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.