You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by Paul Douglas Franklin <pd...@yugm.org> on 2008/02/14 18:21:52 UTC
Rule for Images that show up anyway
I have Thunderbird set up not to show images by default. But some
spammers have discovered a way to encode their images so that they show
despite my settings. The latest example was exceptionally rude.
Is there some rule that I could add to my local.cf to catch any e-mail
that tries this end-run?
--Paul
--
Paul Douglas Franklin
Computer Manager, Union Gospel Mission of Yakima, Washington
Husband of Danette
Father of Laurene, Miriam, Tycko, Timothy, Sarabeth, Marie, Dawnita, Anna Leah, Alexander, and Caleb
Re: Rule for Images that show up anyway
Posted by SM <sm...@resistor.net>.
At 09:21 14-02-2008, Paul Douglas Franklin wrote:
>I have Thunderbird set up not to show images by default. But some
>spammers have
This is to block remote images.
>discovered a way to encode their images so that they show despite my
>settings. The latest example was exceptionally rude.
>Is there some rule that I could add to my local.cf to catch any
>e-mail that tries this end-run?
The images which are displayed may be inline attachments. See the
ImageInfo plugin on how to add a rule to score messages containing images.
e.g. body ONE_OR_MORE_IMAGES eval:image_count('all',1)
Regards,
-sm
Re: Rule for Images that show up anyway
Posted by John Hardin <jh...@impsec.org>.
On Thu, 14 Feb 2008, Paul Douglas Franklin wrote:
> I had deleted the message yesterday--thoroughly--and didn't think to ask this
> until today.
> Concerning ImageInfo, which sounds like a likely candidate, it's not
> installed on my system. I have Kolab installed; it uses an earlier version
> of Spamassassin, I'm not sure exactly which one, somewhere around 3.2.x.
ImageInfo and possibly some custom meta rules to add score when both
BAYES_99 and IMAGE_* hit will probably take care of it.
I agree they are probably inline images, I just wanted to confirm that
assumption before suggesting a course of action.
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Phobias should not be the basis for laws.
-----------------------------------------------------------------------
8 days until George Washington's 276th Birthday
Re: Rule for Images that show up anyway
Posted by Paul Douglas Franklin <pd...@yugm.org>.
I had deleted the message yesterday--thoroughly--and didn't think to ask
this until today.
Concerning ImageInfo, which sounds like a likely candidate, it's not
installed on my system. I have Kolab installed; it uses an earlier
version of Spamassassin, I'm not sure exactly which one, somewhere
around 3.2.x.
I'm not sure whether I can add the plugin; I'm asking about that on the
Kolab list.
--Paul
John Hardin wrote:
> On Thu, 14 Feb 2008, Paul Douglas Franklin wrote:
>
>> I have Thunderbird set up not to show images by default. But some
>> spammers have discovered a way to encode their images so that they
>> show despite my settings. The latest example was exceptionally rude.
>> Is there some rule that I could add to my local.cf to catch any
>> e-mail that tries this end-run?
>
> Would it be possible for you to post the entire raw message somewhere
> so we can see how they are doing it?
>
--
Paul Douglas Franklin
Computer Manager, Union Gospel Mission of Yakima, Washington
Husband of Danette
Father of Laurene, Miriam, Tycko, Timothy, Sarabeth, Marie, Dawnita, Anna Leah, Alexander, and Caleb
Re: Rule for Images that show up anyway
Posted by John Hardin <jh...@impsec.org>.
On Thu, 14 Feb 2008, Paul Douglas Franklin wrote:
> I have Thunderbird set up not to show images by default. But some
> spammers have discovered a way to encode their images so that they show
> despite my settings. The latest example was exceptionally rude.
> Is there some rule that I could add to my local.cf to catch any e-mail
> that tries this end-run?
Would it be possible for you to post the entire raw message somewhere so
we can see how they are doing it?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Warning Labels we'd like to see #1: "If you are a stupid idiot while
using this product you may hurt yourself. And it won't be our fault."
-----------------------------------------------------------------------
8 days until George Washington's 276th Birthday