> -----Original Message-----
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Thursday, February 05, 2004 12:20 AM
> To: [EMAIL PROTECTED]
> Subject: *****SPAM***** Obvious spamware programming screwup
> that didn't
> get caught
>
>
> I just got a spam that was caught by a couple of my local and
> very specific
> rules, but otherwise would have made it through with flying
> colors. Yet it
> has some really obvious screwups that I would have expected
> some rule to
> catch. Notice:
>
> Subject: FWD: Got all meds 4 U. %RND_MEDS_4PILLS &
> %RND_MEDS_2PILLS eJTtq
>
> Aside from the suspicious FWD in uppercase, note the %RND_xxx tags.
>
> In the body:
>
> We ship the following: %RND_MEDS_LIST
> <p>
> Plus: %RND_ALL_OTHER_MEDS
> <p>
>
> Again, my favorite %RND_xxx tags.
>
> Shouldn't there already be a rule to catch this sort of thing?
*Snip*
>From Mike K. , I'm not sure if there is any more. This covers a lot. IT
should only be 3 lines, but wrapped lines.
rawbody MK_RATWARE_OOPS_01
/(?:(?:\%\s?(?:RND_|RANDOM(?:URL|IMA|SYB|([UL]C_)?CHAR|TEXT|WORD)))|STRING_C
ONST\%?|CUSTOM[0-9]_|!RANDOM_NUMBERS!|\[RANDOMIZE\]|\$R\s?A\s?N\s?D\s?O\s?M\
s?I\s?Z\s?E|\\messages\\names.{0,5}\.txt)/i
describe MK_RATWARE_OOPS_01 Spammer doesn't know how to use ratware properly
(1)
score MK_RATWARE_OOPS_01 .55 # Change to taste. 75 freakin million!
--Chris
