[Spambayes] OT - broken spam

Skip Montanaro skip at pobox.com
Thu Dec 4 09:46:08 EST 2003


    atom> i've been getting spam with "Re: %RND_UC_CHAR[2-8]," in the
    atom> subject line for a few weeks
    atom> now... http://smasher.suspicious.org/tmp/spam.png

Yup.  There are several similar gaffs floating around.  A quick grep for
RANDOM in some older spam shows these interesting tokens:

    $RANDOM
    $RANDOMI
    RANDOM_WORD
    %RANDOM=
    %RANDOM_T=
    %RANDOM_TE=
    %RANDOM_W=
    %RANDOM_WO=
    %RANDOM_WOR=
    %RANDOMC3%
    {FROM_NAME}{RANDOM_MIXED|3}@fullpharm.org
    [RANDOMIZE][RANDOMIZE][RANDOMIZE][RANDOMIZE]

and many other variations.  Try grepping a largish spam collection for
'%R[A-Z]*='.  You get a lot of similar stuff which sort of makes their bug
obvious:

    % find Set4 -type f | xargs egrep '%R[A-Z]*='
    Set4/3797:ORD -->tercou<!-- abscess -->rse pro<!-- inviolate -->ble<!-- %RAN=
    Set4/3797:RANDOM_WORD -->en ob<!-- those -->ta<!-- zen -->i<!-- %RAN=
    Set4/3797:DOM_WORD -->n an<!-- carne -->d mai<!-- caliphate -->nta<!-- %RA=
    Set4/3797:NDOM_WORD -->i<!-- estimable -->n a<!-- dolly -->n ere<!-- %RAND=
    Set4/3797:D -->ble<!-- acrid -->ms rep<!-- fay -->ort th<!-- %RANDOM=
    Set4/3797:_WORD -->at th<!-- adulate -->is dr<!-- filipino -->ug inc<!-- %R=
    Set4/3797:  ma<!-- moneymake -->king ple<!-- accelerate -->asure an<!-- %RANDOM=

substituting for $RANDOM_WORD after encoding as quoted-printable...

    atom> totally off topic, but amusing since someone really screwed up
    atom> their spamming program before letting that one loose.

Not really.  That sort of stuff makes for killer spam clues and might
suggest other tokenizing tricks to try if needed.

Skip



More information about the Spambayes mailing list