You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2007/03/01 11:03:03 UTC
Re: Leaked spam with single GIFs
craig@animalhead.com writes:
> HI SA developers,
>
> Tried this on the "user" mailing list, with NO response:
>
> I'm surprised that SA tends to leak spam into our Inbox that
> contains one GIF image, and that none of the built-in tests
> involving images triggers on such emails.
>
> Looking more at such spam, it looks like they avoid the built-in
> tests by the following means:
>
> 1. They provide enough (visible but meaningless) text to exceed
> HTML_IMAGE_ONLY_32 and __HTML_LENGTH_1536_2048.
>
> 2. The text has enough relative area to exceed
> HTML_IMAGE_RATIO_08.
>
> 3. The text size is large enough to exceed the small font size tests.
>
> For myself, I would be happy to have one or more new tests that
> detect something like "one GIF image, the length or area of
> which exceeds a gadget like a signature, button, or icon". By
> scoring such a thing with maybe 2 points, I could consign this
> last major category of spam leaks to the Junk folder.
>
> QUESTION: Have such test(s) been written, and if so can I get
> them, and if so, how?
sa-update -- have you tried that?
> If not, can anyone suggest resources that might help me write
> my own test(s)? Particularly of interest are routines that
> measure the source length or decoded area of an image.
You could try the ImageInfo rules -- I think they do something
like this. http://www.rulesemporium.com/plugins.htm
--j.