Posted to users@spamassassin.apache.org by Alex <my...@gmail.com> on 2016/11/18 01:49:49 UTC

BODY_EMPTY score

Hi all,

We have a lot of users who use email to share photos. Empty body, 2M
JPG attachment, nothing in the subject.

How do you train bayes for these?

Is 3.0 a suitable score for BODY_EMPTY? That seems quite high. I also
don't recall seeing it that high in the past, or it effectively being
enough to push the email into spam.

It's also a great way for a spammer to then send image spam. I'd
appreciate any ideas on how best to manage this.

Thanks,
Alex

Re: BODY_EMPTY score

Posted by Alex <my...@gmail.com>.
Hi,

On Fri, Nov 18, 2016 at 1:12 PM, John Hardin <jh...@impsec.org> wrote:
> On Thu, 17 Nov 2016, Alex wrote:
>
>> We have a lot of users who use email to share photos. Empty body, 2M
>> JPG attachment, nothing in the subject.
>
> Is the subject header missing entirely, or present but empty?

I believe in this particular case it was present but empty, but I've
also seen it with MISSING_HEADERS.

Looking through this particular email, it also has EMPTY_MESSAGE for
another 1.8 points.

Re: BODY_EMPTY score

Posted by John Hardin <jh...@impsec.org>.
On Thu, 17 Nov 2016, Alex wrote:

> We have a lot of users who use email to share photos. Empty body, 2M
> JPG attachment, nothing in the subject.

Is the subject header missing entirely, or present but empty?

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   If you trust the government, you obviously failed history class.
                                                        -- Don Freeman
-----------------------------------------------------------------------
  333 days since the first successful real return to launch site (SpaceX)

Re: BODY_EMPTY score

Posted by RW <rw...@googlemail.com>.
On Thu, 17 Nov 2016 20:49:49 -0500
Alex wrote:

> Hi all,
> 
> We have a lot of users who use email to share photos. Empty body, 2M
> JPG attachment, nothing in the subject.
> 
> How do you train bayes for these?

Same as anything else, they still have header tokens which may help,
particularly for ham from low spam servers. 


> Is 3.0 a suitable score for BODY_EMPTY? 

Note that this shouldn't apply to the image-only emails:

  meta  BODY_EMPTY    __EMPTY_BODY && ... && !__MIME_ATTACHMENT 

There are several other exceptions.


Re: BODY_EMPTY score

Posted by John Hardin <jh...@impsec.org>.
On Fri, 18 Nov 2016, Martin Gregorie wrote:

> On Thu, 2016-11-17 at 20:49 -0500, Alex wrote:
>> Hi all,
>>
>> We have a lot of users who use email to share photos. Empty body, 2M
>> JPG attachment, nothing in the subject.
>>
>> How do you train bayes for these?
>>
>> Is 3.0 a suitable score for BODY_EMPTY?
>>
>> It's also a great way for a spammer to then send image spam.
>
> Indeed, though I haven't seen that type of spam for a long time and
> IIRC they tended to carry obfuscatory text as well as the image
> payload.

It's performing well in masscheck, so there is that type of spam out 
there currently.

-- 
  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
  jhardin@impsec.org    FALaholic #11174     pgpk -a jhardin@impsec.org
  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
   Maxim I: Pillage, _then_ burn.
-----------------------------------------------------------------------
  333 days since the first successful real return to launch site (SpaceX)

Re: BODY_EMPTY score

Posted by Martin Gregorie <ma...@gregorie.org>.
On Thu, 2016-11-17 at 20:49 -0500, Alex wrote:
> Hi all,
> 
> We have a lot of users who use email to share photos. Empty body, 2M
> JPG attachment, nothing in the subject.
> 
> How do you train bayes for these?
> 
> Is 3.0 a suitable score for BODY_EMPTY? That seems quite high. I also
> don't recall seeing it that high in the past, or it effectively being
> enough to push the email into spam.
> 
Sounds like a case for a local rule to me: one subrule to check that
the body is *only* a JPG attachment and another making sure that the
subject is blank.

> It's also a great way for a spammer to then send image spam. I'd
> appreciate any ideas on how best to manage this.
> 
Indeed, though I haven't seen that type of spam for a long time and
IIRC they tended to carry obfuscatory text as well as the image
payload.


Martin
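
The checks discussed in this thread (Subject missing versus present but empty, empty text body, JPEG-only attachments), written as an added example that is not from any poster and is not a SpamAssassin rule. It is a standard-library Python triage that could be run over a ham/spam corpus before writing a local rule; the names `triage`, `sample` and `photo_share` and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy

def triage(raw: bytes) -> dict:
    """Classify one raw message for the empty-body photo pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    subj = msg["Subject"]
    if subj is None:
        subject = "missing"      # no Subject header at all
    elif not str(subj).strip():
        subject = "empty"        # header present, value blank
    else:
        subject = "present"
    text_chars, attachments = 0, []
    for part in msg.walk():
        if part.is_multipart():
            continue             # container part, no content of its own
        if part.get_content_maintype() == "text" and not part.is_attachment():
            # Simplification: HTML markup counts as body text here.
            text_chars += len(part.get_content().strip())
        else:
            attachments.append(part.get_content_type())
    body_empty = text_chars == 0
    jpeg_only = bool(attachments) and all(t == "image/jpeg" for t in attachments)
    return {"subject": subject, "body_empty": body_empty,
            "attachments": attachments,
            # hypothetical flag: blank/missing subject, no text, only JPEGs
            "photo_share": body_empty and jpeg_only and subject != "present"}

def sample(subject_line: bytes, body: bytes) -> bytes:
    """Constructed message: one text part plus one tiny JPEG part."""
    return (b"From: user@example.com\r\n" + subject_line +
            b"MIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            b"--b1\r\nContent-Type: text/plain\r\n\r\n" + body + b"\r\n"
            b"--b1\r\nContent-Type: image/jpeg\r\n"
            b'Content-Disposition: attachment; filename="photo.jpg"\r\n'
            b"Content-Transfer-Encoding: base64\r\n\r\n/9j/4AAQ\r\n--b1--\r\n")

# Constructed: empty message with no attachment at all.
EMPTY_NO_ATTACHMENT = b"From: user@example.com\r\nSubject: \r\n\r\n"

if __name__ == "__main__":
    cases = {"empty subject": sample(b"Subject: \r\n", b""),
             "missing subject": sample(b"", b""),
             "normal mail": sample(b"Subject: Holiday\r\n", b"See attached"),
             "no attachment": EMPTY_NO_ATTACHMENT}
    for name, raw in cases.items():
        print(name, triage(raw))
```
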