Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/03/01 11:03:03 UTC

Re: Leaked spam with single GIFs

craig@animalhead.com writes:
> Hi SA developers,
> 
> Tried this on the "user" mailing list, with NO response:
> 
> I'm surprised that SA tends to leak spam into our Inbox that
> contains one GIF image, and that none of the built-in tests
> involving images triggers on such emails.
> 
> Looking more at such spam, it looks like they avoid the built-in
> tests by the following means:
> 
> 1. They provide enough (visible but meaningless) text to exceed
>      HTML_IMAGE_ONLY_32 and __HTML_LENGTH_1536_2048.
> 
> 2. The text has enough relative area to exceed
>      HTML_IMAGE_RATIO_08.
> 
> 3. The text size is large enough to exceed the small font size tests.
> 
> For myself, I would be happy to have one or more new tests that
> detect something like "one GIF image, the length or area of
> which exceeds a gadget like a signature, button, or icon".  By
> scoring such a thing with maybe 2 points, I could consign this
> last major category of spam leaks to the Junk folder.
> 
> QUESTION: Have such test(s) been written, and if so can I get
> them, and if so, how?

sa-update -- have you tried that?

> If not, can anyone suggest resources that might help me write
> my own test(s)?  Particularly of interest are routines that
> measure the source length or decoded area of an image.

You could try the ImageInfo rules -- I think they do something
like this.  http://www.rulesemporium.com/plugins.htm

--j.
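
The check asked about above (exactly one GIF whose area is larger than a button, icon or signature), as an added example that is not part of the original thread and is not SpamAssassin or ImageInfo code. The function names, the `MIN_AREA` cut-off and the sample messages are assumptions constructed for illustration.

```python
import struct
from email import message_from_bytes
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MIN_AREA = 180 * 60  # assumed cut-off in pixels, roughly a large button or signature


def gif_dimensions(data):
    """Return (width, height) from the GIF logical screen descriptor, or None."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    # Bytes 6..9 hold the declared canvas width and height, little-endian.
    return struct.unpack("<HH", data[6:10])


def single_large_gif(raw_message, min_area=MIN_AREA):
    """Return (hit, gifs); hit is True for exactly one GIF of at least min_area."""
    gifs = []
    for part in message_from_bytes(raw_message).walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Identify GIFs by magic bytes, not by the declared Content-Type.
        dims = gif_dimensions(payload)
        if dims:
            gifs.append({"bytes": len(payload), "width": dims[0],
                         "height": dims[1], "area": dims[0] * dims[1]})
    return len(gifs) == 1 and gifs[0]["area"] >= min_area, gifs


def build_sample(width, height):
    """Constructed message: filler HTML text plus one minimal GIF of the given size."""
    gif = b"GIF89a" + struct.pack("<HH", width, height) + b"\x00\x00\x00" + b"\x3b"
    msg = MIMEMultipart("related")
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("<html><body>" + "filler text " * 200 + "</body></html>", "html"))
    msg.attach(MIMEImage(gif, _subtype="gif"))
    return msg.as_bytes()


if __name__ == "__main__":
    for size in ((600, 400), (88, 31)):
        print(size, single_large_gif(build_sample(*size)))
```

The width and height read here are the canvas size the file declares in its header, and `bytes` is the decoded source length; neither requires decoding the image data.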