/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=80 protocol=tcp random=\
3 src-address=10.0.0.0/8 src-address-list=Small_user to-addresses=\
/ip firewall address-list
add address=10.0.0.0/8 disabled=no list=Small_user
I don't see what the problem is. The router is doing exactly what you're telling it to, which is to redirect people whose source address matches 10/8 with a chance of 3%. You're specifically telling it to do that twice, once via a match on src-address and then again with a match on a source address list that contains only 10/8.
If you only want a few people to see the redirect you'll have to specify a source address list that doesn't encompass the entire 10/8 space, but rather has many entries for /32s. I don't understand what you mean by 'unregistered' user in your original post. Are you referring to anyone not on ANY ONE of the other address lists (Normal_user, Business_user, Servers)? You could make that work with a custom chain you bail out of:
/ip firewall nat
add action=jump chain=dstnat disabled=no dst-port=80 protocol=tcp src-address=10.0.0.0/8 jump-target=randomRedirect comment="everyone on 10/8 gets investigated on whether they should be redirected"
add action=return chain=randomRedirect src-address-list=Business_user comment="abort if they are on the Business_user list"
add action=return chain=randomRedirect src-address-list=Normal_user comment="abort if they are on the Normal_user list"
add action=return chain=randomRedirect src-address-list=Servers comment="abort if they are on the Servers list"
add action=dst-nat chain=randomRedirect random=3 to-address=10.99.1.99 to-ports=80 comment="everyone still left is unregistered and has a 3% chance of seeing a redirect"
That first rule (the one in the dstnat chain) should again go to the top of everything.
If that still doesn't help you, please describe in detail what you are trying to achieve.