Posted to users@spamassassin.apache.org by Craig Baird <cr...@xpressweb.com> on 2006/01/26 18:21:14 UTC
Image spam
Since the first of the year, we've seen a barrage of image spam. Some of it
gets nailed by SA, but a lot of it seems to get through. Most of it has a
text/plain part with random or non-sensical text. It also has a text/html
part, also with random text. Then, the actual spam (usually a stock spam) is
contained in a 15k-20k .gif image. I've found that many of these hit very few
rules, and due to the random text, Bayes appears to be ineffective. I'm using
SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL. Has
anyone come up with a good way to stop these?
Craig
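The message layout described in the post above (a text/plain part, a text/html part, and a 15k-20k GIF), as an added example that is not part of the original thread and is not SpamAssassin code. The function names, the size window constants and the constructed sample message are assumptions made for illustration.

```python
from email import message_from_bytes
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Size window taken from the post ("15k-20k .gif"); treat it as tunable.
GIF_MIN, GIF_MAX = 15 * 1024, 20 * 1024
GIF_MAGIC = (b"GIF87a", b"GIF89a")


def image_spam_features(raw: bytes) -> dict:
    """Collect the MIME traits the post lists for one raw message."""
    feats = {"text_plain": False, "text_html": False, "gif_sizes": []}
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        ctype = part.get_content_type()
        # Trust the GIF signature as well as the declared type, since the
        # Content-Type header is under the sender's control.
        if ctype == "image/gif" or body[:6] in GIF_MAGIC:
            feats["gif_sizes"].append(len(body))
        elif ctype == "text/plain":
            feats["text_plain"] = True
        elif ctype == "text/html":
            feats["text_html"] = True
    return feats


def matches_described_layout(raw: bytes) -> bool:
    """True for text/plain + text/html + a GIF inside the size window."""
    f = image_spam_features(raw)
    in_window = any(GIF_MIN <= n <= GIF_MAX for n in f["gif_sizes"])
    return f["text_plain"] and f["text_html"] and in_window


def build_sample(gif_len: int) -> bytes:
    """Constructed test message: filler text parts plus a dummy GIF blob."""
    outer = MIMEMultipart("related")
    alt = MIMEMultipart("alternative")
    alt.attach(MIMEText("lorem quiet harbor window ledger", "plain"))
    alt.attach(MIMEText('<html><body>ledger window<img src="cid:a"></body></html>', "html"))
    outer.attach(alt)
    gif = GIF_MAGIC[1] + b"\x00" * (gif_len - 6)  # header bytes + padding only
    outer.attach(MIMEImage(gif, _subtype="gif"))
    return outer.as_bytes()


if __name__ == "__main__":
    for size in (16 * 1024, 2 * 1024):
        print(size, matches_described_layout(build_sample(size)))
```

A structural match like this is a weak signal on its own; it is best used as one input to a score alongside the blacklist and Bayes results discussed in the replies.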
Re: Image spam
Posted by Chris Purves <ch...@northfolk.ca>.
Craig Baird wrote:
> Since the first of the year, we've seen a barrage of image spam. Some of it
> gets nailed by SA, but a lot of it seems to get through. Most of it has a
> text/plain part with random or non-sensical text. It also has a text/html
> part, also with random text. Then, the actual spam (usually a stock spam) is
> contained in a 15k-20k .gif image. I've found that many of these hit very few
> rules, and due to the random text, Bayes appears to be ineffective. I'm using
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL. Has
> anyone come up with a good way to stop these?
>
I've been seeing this also. In fact, these are the only spam getting
through presently (although the total amount of spam I get is very
small). I did notice that for one that got through it scored only 2 or
3 points. I tested it manually, maybe 8 hours later, and it scored 16.5
points being listed on blacklists as well as razor or pyzor, so it's
good to see that people are reporting.
--
Good day, eh.
Chris
Re: Image spam
Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello.
From: Craig Baird <cr...@xpressweb.com>
Subject: Image spam
Date: Thu, 26 Jan 2006 10:21:14 -0700
> Since the first of the year, we've seen a barrage of image spam. Some of it
> gets nailed by SA, but a lot of it seems to get through. Most of it has a
> text/plain part with random or non-sensical text. It also has a text/html
> part, also with random text. Then, the actual spam (usually a stock spam) is
> contained in a 15k-20k .gif image. I've found that many of these hit very few
> rules, and due to the random text, Bayes appears to be ineffective. I'm using
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL. Has
> anyone come up with a good way to stop these?
>
> Craig
Your SA is old, so I recommend upgrading to SA 3.1.0.
And, it seems to me that some rules failed to detect the image spam's
characteristics.
Especially, HTML_FONT_SIZE_*** rules don't seem to work correctly.
## --- rule examples ---
meta ___HTMLIMG HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 || HTML_IMAGE_ONLY_32 || HTML_IMAGE_RATIO_02
# face=\w+ so that a full face name (e.g. Arial, as in the describe line) matches
rawbody HTML_FONT_SIZE_TINY2 /<FONT +(face=\w+ |)size=\"{0,1}[0-5]\"{0,1}>/i
describe HTML_FONT_SIZE_TINY2 <FONT face=Arial size=2>
score HTML_FONT_SIZE_TINY2 0.5
meta IMGONLYHTML1 HTML_FONT_SIZE_TINY2 && ___HTMLIMG && BAYES_99
rawbody ___OBSCURED_TEXT1 /^(,|\!)($| \w)/
rawbody ___OBSCURED_TEXT2 /\w (,|\!) \w/
meta IMGONLYHTML2 ___OBSCURED_TEXT1 && ___OBSCURED_TEXT2 && ___HTMLIMG && BAYES_99
## --- rule examples ---
There are several types of image-only spam.
I wrote two types of image spam in a hurry.
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)
Re: Image spam
Posted by Matt Kettler <mk...@evi-inc.com>.
Craig Baird wrote:
> Since the first of the year, we've seen a barrage of image spam. Some of it
> gets nailed by SA, but a lot of it seems to get through. Most of it has a
> text/plain part with random or non-sensical text. It also has a text/html
> part, also with random text. Then, the actual spam (usually a stock spam) is
> contained in a 15k-20k .gif image. I've found that many of these hit very few
> rules, and due to the random text, Bayes appears to be ineffective. I'm using
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL. Has
> anyone come up with a good way to stop these?
Hmm, I don't have much trouble getting the RBLs and Bayes to help out on these.
Here's my most recent image-only stock pump-and-dump spam.
Received: from HSI-KBW-082-212-042-044.hsi.kabelbw.de
(HSI-KBW-082-212-042-044.hsi.kabelbw.de [82.212.42.44])
by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id k0C9hPEn022507
for <sp...@evi-inc.com>; Thu, 12 Jan 2006 04:43:25 -0500
Subject: {SPAM}{!} America's Microcaps
Date: Thu, 12 Jan 2006 10:43:20 -0000
X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=17.571, required 5,
autolearn=spam, BAYES_80 2.00, EXTRA_MPART_TYPE 1.09,
HELO_DYNAMIC_IPADDR 4.20, HTML_90_100 0.11, HTML_IMAGE_ONLY_04 3.60,
HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00,
MIME_HTML_MOSTLY 1.10, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_XBL 3.90,
RELAY_DE 0.01)
SA 3.1.0 with the RelayCountry enabled (affects bayes performance somewhat).