Posted to users@spamassassin.apache.org by Craig Baird <cr...@xpressweb.com> on 2006/01/26 18:21:14 UTC

Image spam

Since the first of the year, we've seen a barrage of image spam.  Some of it 
gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
text/plain part with random or non-sensical text.  It also has a text/html 
part, also with random text.  Then, the actual spam (usually a stock spam) is 
contained in a 15k-20k .gif image.  I've found that many of these hit very few 
rules, and due to the random text, Bayes appears to be ineffective.  I'm using 
SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
anyone come up with a good way to stop these?

Craig

Re: Image spam

Posted by Chris Purves <ch...@northfolk.ca>.
Craig Baird wrote:
> Since the first of the year, we've seen a barrage of image spam.  Some of it 
> gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
> text/plain part with random or non-sensical text.  It also has a text/html 
> part, also with random text.  Then, the actual spam (usually a stock spam) is 
> contained in a 15k-20k .gif image.  I've found that many of these hit very few 
> rules, and due to the random text, Bayes appears to be ineffective.  I'm using 
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
> anyone come up with a good way to stop these?
> 

I've been seeing this also.  In fact, these are the only spam getting 
through presently (although the total amount of spam I get is very 
small).  I did notice that for one that got through it scored only 2 or 
3 points.  I tested it manually, maybe 8 hours later, and it scored 16.5 
points, being listed on blacklists as well as in Razor or Pyzor, so it's 
good to see that people are reporting.

-- 
Good day, eh.
Chris


Re: Image spam

Posted by MATSUDA Yoh-ichi <yo...@flcl.org>.
Hello.

From: Craig Baird <cr...@xpressweb.com>
Subject: Image spam
Date: Thu, 26 Jan 2006 10:21:14 -0700

> Since the first of the year, we've seen a barrage of image spam.  Some of it 
> gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
> text/plain part with random or non-sensical text.  It also has a text/html 
> part, also with random text.  Then, the actual spam (usually a stock spam) is 
> contained in a 15k-20k .gif image.  I've found that many of these hit very few 
> rules, and due to the random text, Bayes appears to be ineffective.  I'm using 
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
> anyone come up with a good way to stop these?
> 
> Craig

Your SA is old, so I recommend upgrading to SA 3.1.0.

Also, it seems to me that some rules fail to detect the image spam's
characteristics.
In particular, the HTML_FONT_SIZE_*** rules don't seem to work correctly.

## --- rule examples ---

meta ___HTMLIMG HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 || HTML_IMAGE_ONLY_32 || HTML_IMAGE_RATIO_02

# face=\w+ (not \w) so that a multi-letter face name such as "Arial" matches
rawbody HTML_FONT_SIZE_TINY2 /<FONT +(face=\w+ |)size=\"{0,1}[0-5]\"{0,1}>/i
describe HTML_FONT_SIZE_TINY2 <FONT face=Arial size=2>
score HTML_FONT_SIZE_TINY2 0.5

meta IMGONLYHTML1 HTML_FONT_SIZE_TINY2 && ___HTMLIMG && BAYES_99

rawbody ___OBSCURED_TEXT1 /^(,|\!)($| \w)/
rawbody ___OBSCURED_TEXT2 /\w (,|\!) \w/

meta IMGONLYHTML2 ___OBSCURED_TEXT1 && ___OBSCURED_TEXT2 && ___HTMLIMG && BAYES_99

## --- rule examples ---

There are several types of image-only spam.
I wrote rules for two types of image spam in a hurry.
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:yoh@flcl.org
http://www.flcl.org/~yoh/diary/ (only Japanese)
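The following is an added example, not code from the thread and not SpamAssassin's implementation. It builds a message with the layout Craig describes (a text/plain part and a text/html part with filler text, plus a 15k-20k GIF carrying the pitch) and scores it with the same kinds of structural checks MATSUDA's rules use: an HTML part whose visible text is tiny next to an <img> tag (what the HTML_IMAGE_ONLY_xx rules describe), a large image part, a tiny <FONT> (his regex, with face=\w+), and his two ___OBSCURED_TEXT patterns ported to Python. The sample GIF, the sample text, the thresholds and the weights are all constructed assumptions for illustration, not SpamAssassin's values.

```python
"""Structural detector for 'random text + GIF payload' image spam.

Added example; not from the thread and not SpamAssassin's own code.
Thresholds and weights below are assumptions chosen for illustration.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed thresholds (not SpamAssassin's numbers).
IMAGE_ONLY_MAX_TEXT = 400   # bytes of visible HTML text next to an <img>
MIN_IMAGE_BYTES = 8 * 1024  # the thread reports 15k-20k GIF payloads
SPAM_THRESHOLD = 5.0

# Ports of MATSUDA's rawbody patterns, and his FONT rule with face=\w+.
OBSCURED_LINE_START = re.compile(r"^[,!]($| \w)", re.M)   # ___OBSCURED_TEXT1
OBSCURED_INLINE = re.compile(r"\w [,!] \w")                # ___OBSCURED_TEXT2
TINY_FONT = re.compile(r'<FONT +(face=\w+ |)size="?[0-5]"?>', re.I)
IMG_TAG = re.compile(r"<img\b", re.I)
HTML_TAG = re.compile(r"<[^>]+>")

# Assumed weights for the four checks (not SA scores).
WEIGHTS = {"html_image_only": 3.0, "big_image": 1.5,
           "tiny_font": 0.5, "obscured_text": 2.0}


def analyze(raw: bytes) -> dict:
    """Walk the MIME tree, collect text/html/image sizes, apply the checks."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain, html, image_bytes = "", "", 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain += part.get_content()
        elif ctype == "text/html":
            html += part.get_content()
        elif ctype.startswith("image/"):
            image_bytes += len(part.get_payload(decode=True) or b"")
    visible = HTML_TAG.sub("", html).strip()       # what a reader would see
    visible_bytes = len(visible.encode("utf-8"))
    hits = {
        "html_image_only": bool(IMG_TAG.search(html)) and visible_bytes < IMAGE_ONLY_MAX_TEXT,
        "big_image": image_bytes >= MIN_IMAGE_BYTES,
        "tiny_font": bool(TINY_FONT.search(html)),
        # both obscured-text patterns must fire, as in IMGONLYHTML2
        "obscured_text": bool(OBSCURED_LINE_START.search(plain) and OBSCURED_INLINE.search(plain)),
    }
    score = sum(w for name, w in WEIGHTS.items() if hits[name])
    return {**hits, "image_bytes": image_bytes, "visible_text_bytes": visible_bytes,
            "score": score, "is_image_spam": score >= SPAM_THRESHOLD}


def build_sample(text: str, image: bytes = None) -> bytes:
    """Construct a message with the layout the thread describes:
    text/plain + text/html alternative, optional GIF attachment.
    Constructed test data, not a captured spam."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(text)
    body = text.replace("\n", "<br>")
    img_tag = "<img src='cid:chart'>" if image else ""
    msg.add_alternative(
        f"<html><body><font face=Arial size=2>{body}</font>{img_tag}</body></html>",
        subtype="html")
    if image:
        msg.add_attachment(image, maintype="image", subtype="gif", filename="chart.gif")
    return msg.as_bytes()


# Constructed placeholders: a 16000-byte GIF-looking blob and filler text
# with the stray ", " / "! " tokens MATSUDA's patterns target.
SAMPLE_GIF = b"GIF89a" + bytes(16000 - 6)
OBSCURED_TEXT = "gallant , harbor the ! silent lantern\n, meadow\n! quartz"
HAM_TEXT = "Hi Bob,\n\nThe quarterly report is attached below.\n"


if __name__ == "__main__":
    for label, raw in (("spam-like", build_sample(OBSCURED_TEXT, SAMPLE_GIF)),
                       ("ham-like", build_sample(HAM_TEXT))):
        print(label, analyze(raw))
```

The ham-like sample still trips the tiny-font check (the builder always emits size=2), which is why that check carries a small weight on its own and only matters in combination, the same reason MATSUDA ANDs it with ___HTMLIMG and BAYES_99 in his meta rules.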

Re: Image spam

Posted by Matt Kettler <mk...@evi-inc.com>.
Craig Baird wrote:
> Since the first of the year, we've seen a barrage of image spam.  Some of it 
> gets nailed by SA, but a lot of it seems to get through.  Most of it has a 
> text/plain part with random or non-sensical text.  It also has a text/html 
> part, also with random text.  Then, the actual spam (usually a stock spam) is 
> contained in a 15k-20k .gif image.  I've found that many of these hit very few 
> rules, and due to the random text, Bayes appears to be ineffective.  I'm using 
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL.  Has 
> anyone come up with a good way to stop these?

Hmm, I don't have much trouble getting the RBLs and Bayes to help out on these.
Here's my most recent image-only stock pump-and-dump spam.

Received: from HSI-KBW-082-212-042-044.hsi.kabelbw.de
(HSI-KBW-082-212-042-044.hsi.kabelbw.de [82.212.42.44])
	by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id k0C9hPEn022507
	for <sp...@evi-inc.com>; Thu, 12 Jan 2006 04:43:25 -0500
Subject: {SPAM}{!} America's Microcaps
Date:   Thu, 12 Jan 2006 10:43:20 -0000

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=17.571, required 5,
	autolearn=spam, BAYES_80 2.00, EXTRA_MPART_TYPE 1.09,
	HELO_DYNAMIC_IPADDR 4.20, HTML_90_100 0.11, HTML_IMAGE_ONLY_04 3.60,
	HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00,
	MIME_HTML_MOSTLY 1.10, RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_XBL 3.90,
	RELAY_DE 0.01)


SA 3.1.0 with the RelayCountry enabled (affects bayes performance somewhat).