Posted to users@spamassassin.apache.org by Robert Fitzpatrick <li...@webtent.net> on 2006/08/16 15:16:38 UTC

Images spams cropping up again

I used some recipes found with the help of this list that pretty much
wiped out these image spams until this morning; they are coming through
again, different of course. Is the OCR solution what I need to do? If
so, can someone point me to some info or suggest how to set this up?

Thanks in advance!
-- 
Robert


Re: Images spams cropping up again

Posted by MennovB <mv...@xs4all.nl>.

Bill Randle wrote:
> 
> Would you be willing to share the postfix rules you are using to block
> these?
> 
I don't think that would be wise, I'm afraid they are a bit too risky and
simple for general use..
In most of them I've put the mail on HOLD so I can still inspect for FP's,
probably not workable on larger sites.
I simply collect similar spam in a directory (copied from my amavisd archive
dir) and with cat/lowercase/sort/awk utils find out what 'interesting' long
string is at least once in all spam-files. Even the MIME-part is (mis-)used
for this.
I test that on a HAM-dir (and on other spam to maybe find a more general use
or patterns) and then place it in body_checks.regexp. During last night 82
mails went on HOLD because of a month old rule, all spam (only looking at
the weird sender-addresses says enough, also the file-sizes are comparable
in spam-batches).
Some rules get hit more than a year long and others last only a day (then
it's a waste of time).
It's time consuming and not a necessity (SA tags most of it) but I'm a
little (too) fanatic to prevent SPAM from getting into the users' mailboxes.
BTW more spam here is blocked because of blocklists, blocked
ip-ranges/domains (china/korea/..), checks on the helo etcetera than with
postfix rules.

Regards
Menno
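
The workflow Menno describes above, as an added example that is not from his post and does not reproduce his rules: lowercase each collected spam sample, keep the lines that occur in every sample, drop any that also occur in the ham directory, and print the survivors as body_checks.regexp entries with the HOLD action. Assumptions: whole body lines of at least 40 characters are the unit of comparison, and the function names, rule text and sample data are made up for illustration.

```sh
#!/bin/sh
# Added example; function names, rule text and sample data are illustrative.

# candidates SPAM_DIR HAM_DIR [MINLEN]: print lowercased lines of MINLEN or
# more characters found in every SPAM_DIR file and in no HAM_DIR file.
candidates() {
    spam_dir=$1; ham_dir=$2; minlen=${3:-40}; nfiles=0
    for f in "$spam_dir"/*; do
        if [ -f "$f" ]; then nfiles=$((nfiles + 1)); fi
    done
    [ "$nfiles" -gt 0 ] || return 1
    for f in "$spam_dir"/*; do
        [ -f "$f" ] || continue
        # lowercase, drop CRs, keep long lines, count each line once per file
        tr 'A-Z' 'a-z' < "$f" | tr -d '\r' |
            awk -v n="$minlen" 'length($0) >= n' | sort -u
    done | sort | uniq -c |
        awk -v n="$nfiles" '$1 == n { sub(/^ *[0-9]+ /, ""); print }' |
        while IFS= read -r line; do
            # ham check: discard a candidate that occurs in any ham file
            grep -rqiF -- "$line" "$ham_dir" || printf '%s\n' "$line"
        done
}

# to_body_checks: escape regex metacharacters and the "/" delimiter, then
# emit one regexp rule per line that puts matching mail on HOLD for review.
to_body_checks() {
    sed -e 's#[][\\/.^$*+?(){}|]#\\&#g' \
        -e 's#.*#/^&$/ HOLD candidate image-spam line#'
}

# demo: run both steps over constructed samples (two spam, one ham).
demo() {
    d=$(mktemp -d) && mkdir "$d/spam" "$d/ham" || return 1
    sig='AAAA+BBBB/CCCC.DDDDeeeeFFFFggggHHHHiiiiJJJJkkkk'  # stands in for a base64 line
    mime='This is a multi-part message in MIME format.'    # also present in ham
    printf '%s\n%s\nbuy now\n' "$mime" "$sig" > "$d/spam/1"
    printf '%s\r\n%s\r\nhot stock\r\n' "$mime" "$sig" > "$d/spam/2"
    printf 'THIS IS A MULTI-PART MESSAGE IN MIME FORMAT.\nlunch?\n' > "$d/ham/1"
    candidates "$d/spam" "$d/ham" | to_body_checks
    rm -rf "$d"
}

# Usage: sh script SPAM_DIR HAM_DIR [MINLEN]; with no arguments, run the demo.
if [ "$#" -ge 2 ]; then candidates "$@" | to_body_checks; else demo; fi
```

Postfix regexp tables match case-insensitively by default, so the lowercased candidates still match the original mixed-case lines. The MIME preamble shared by both spam samples is rejected because it also appears in the ham sample.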


Re: Images spams cropping up again

Posted by Bill Randle <bi...@neocat.org>.
On Wed, 2006-08-16 at 07:28 -0700, MennovB wrote:
> 
> Robert Fitzpatrick wrote:
> > 
> > I used some recipes found with the help of this list that pretty much
> > wiped out these image spams until this morning; they are coming through
> > again, different of course. Is the OCR solution what I need to do? If
> > so, can someone point me to some info or suggest how to set this up?
> > 
> Here too, much more than other days during the last 24 hours.
> Most (the ~30k ones) were blocked by existing postfix rules, but some were
> different and got through.
> ImageInfo didn't hit on them, but SA scored them as SPAM anyway.
> I made two new postfix rules to block them (for now..).
> Hope OCR will catch them for you, might try that too if it gets worse.

Would you be willing to share the postfix rules you are using to block
these?

	-Bill



Re: Images spams cropping up again

Posted by MennovB <mv...@xs4all.nl>.

Robert Fitzpatrick wrote:
> 
> I used some recipes found with the help of this list that pretty much
> wiped out these image spams until this morning; they are coming through
> again, different of course. Is the OCR solution what I need to do? If
> so, can someone point me to some info or suggest how to set this up?
> 
Here too, much more than other days during the last 24 hours.
Most (the ~30k ones) were blocked by existing postfix rules, but some were
different and got through.
ImageInfo didn't hit on them, but SA scored them as SPAM anyway.
I made two new postfix rules to block them (for now..).
Hope OCR will catch them for you, might try that too if it gets worse.

Regards
Menno van Bennekom


Re: Images spams cropping up again

Posted by decoder <de...@own-hero.net>.

Robert Fitzpatrick wrote:
> I used some recipes found with the help of this list that pretty
> much wiped out these image spams until this morning; they are
> coming through again, different of course. Is the OCR solution what
> I need to do? If so, can someone point me to some info or suggest
> how to set this up?
>
> Thanks in advance!

For OCR, see http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

Another, non-OCR solution is the ImageInfo plugin (google spamassassin
imageinfo)


If you need help with the installation of FuzzyOcr, feel free to mail
me back in private :)


Chris


Re: FuzzyOCR and mailscaner/SA issues. (interesting..)

Posted by Agent Smith <ne...@yahoo.com>.
huh,

I downloaded an image mentioned in this group 
wget http://www.nabble.com/user-files/322/bell.gif
and ran it thru gocr without any problems, when
attached to a message, SA detects it and it works
well.

$ text2gif -t "Trading company million trade service
trade price buy thousand  million money" > test.gif
[jraval@core ~]$ gocr -i test.gif
# Warning: non-positive median line gap of 0
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _


--- Agent Smith <ne...@yahoo.com> wrote:

> # gocr -i test.gif
> # Warning: non-positive median line gap of 0
> _ _ _ _ _ _ _ _ _ _ _ _ _ _  _
>
> #
> is this the problem then? the image IS a gif file
> generated by text2gif, I can open it in pic viewer or
> whatever.
>
> maybe I need a diff. version of gocr
>
> --- decoder <de...@own-hero.net> wrote:
>
> > Agent Smith wrote:
> > > I installed fuzzyocr according to the installation manual at
> > >
> > > http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
> > >
> > > I am running fc5 and had netpbm installed already but I had to get
> > > gocr and giffix by installing libungif-4.1.4. I also had to fix the
> > > path in fuzzyocr.cf file.
> > >
> > > now, when I ran those sample emails via spamassassin -t <
> > > ocr-gif.eml, it detected it as spam and all works well but when I
> > > passed an image generated by text2gif it doesn't get filtered.
> > >
> > > I catch spam so I believe spamassassin is working just not doing
> > > anything with fuzzyocr?
> > >
> > > anyone?
> >
> > If the samples get recognized correctly, then it is probably working,
> > try to manually recognize your gif with gocr -i file.gif and see what
> > it spits out :)
> >
> > Chris



Re: FuzzyOCR and mailscaner/SA issues.

Posted by Agent Smith <ne...@yahoo.com>.
# gocr -i test.gif
# Warning: non-positive median line gap of 0
_ _ _ _ _ _ _ _ _ _ _ _ _ _  _

#
is this the problem then? the image IS a gif file
generated by text2gif, I can open it in pic viewer or
whatever.

maybe I need a diff. version of gocr


--- decoder <de...@own-hero.net> wrote:

> Agent Smith wrote:
> > I installed fuzzyocr according to the installation manual at
> >
> > http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
> >
> > I am running fc5 and had netpbm installed already but I had to get
> > gocr and giffix by installing libungif-4.1.4. I also had to fix the
> > path in fuzzyocr.cf file.
> >
> > now, when I ran those sample emails via spamassassin -t <
> > ocr-gif.eml, it detected it as spam and all works well but when I
> > passed an image generated by text2gif it doesn't get filtered.
> >
> > I catch spam so I believe spamassassin is working just not doing
> > anything with fuzzyocr?
> >
> > anyone?
>
> If the samples get recognized correctly, then it is probably working,
> try to manually recognize your gif with gocr -i file.gif and see what
> it spits out :)
>
> Chris



Re: FuzzyOCR and mailscaner/SA issues.

Posted by decoder <de...@own-hero.net>.

Agent Smith wrote:
> I installed fuzzyocr according to the installation manual at
>
> http://wiki.apache.org/spamassassin/FuzzyOcrPlugin
>
> I am running fc5 and had netpbm installed already but I had to get
> gocr and giffix by installing libungif-4.1.4. I also had to fix the
> path in fuzzyocr.cf file.
>
> now, when I ran those sample emails via spamassassin -t <
> ocr-gif.eml, it detected it as spam and all works well but when I
> passed an image generated by text2gif it doesn't get filtered.
>
> I catch spam so I believe spamassassin is working just not doing
> anything with fuzzyocr?
>
> anyone?
>

If the samples get recognized correctly, then it is probably working,
try to manually recognize your gif with gocr -i file.gif and see what
it spits out :)


Chris


FuzzyOCR and mailscaner/SA issues.

Posted by Agent Smith <ne...@yahoo.com>.
I installed fuzzyocr according to the installation
manual at 

http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

I am running fc5 and had netpbm installed already but
I had to get gocr and giffix by installing
libungif-4.1.4. I also had to fix the path in
fuzzyocr.cf file.

now, when I ran those sample emails via spamassassin
-t < ocr-gif.eml, it detected it as spam and all works
well but when I passed an image generated by text2gif
it doesn't get filtered.

I catch spam so I believe spamassassin is working just
not doing anything with fuzzyocr?

anyone? 



====== /var/log/maillog section ================

Aug 16 09:27:31 linux1 sendmail[8053]: k7GDROM5008053: from=<RE...@hotmail.com>, size=2029, class=0, nrcpts=1, msgid=<BA...@phx.gbl>, proto=ESMTP, daemon=MTA, relay=bay0-omc3-s17.bay0.hotmail.com [65.54.246.217]
Aug 16 09:27:52 linux1 MailScanner[689]: New Batch: Scanning 1 messages, 2607 bytes
Aug 16 09:27:52 linux1 MailScanner[689]: MCP Checks completed at 2589284 bytes per second
Aug 16 09:27:52 linux1 MailScanner[689]: Spam Checks: Starting
Aug 16 09:28:07 linux1 MailScanner[689]: Spam Checks completed at 174 bytes per second
Aug 16 09:28:07 linux1 MailScanner[689]: Virus and Content Scanning: Starting
Aug 16 09:28:14 linux1 MailScanner[689]: Virus Scanning completed at 336 bytes per second
Aug 16 09:28:14 linux1 MailScanner[689]: Uninfected: Delivered 1 messages
Aug 16 09:28:14 linux1 MailScanner[689]: Virus Processing completed at 52515 bytes per second
Aug 16 09:28:14 linux1 MailScanner[689]: Disinfection completed at 5581700 bytes per second
Aug 16 09:28:14 linux1 MailScanner[689]: Batch completed at 114 bytes per second (2607 / 22)
Aug 16 09:28:14 linux1 MailScanner[689]: Batch (1 message) processed in 22.73 seconds
Aug 16 09:28:14 linux1 MailScanner[689]: MailScanner child dying of old age
Aug 16 09:28:15 linux1 MailScanner[8074]: MailScanner E-Mail Virus Scanner version 4.54.6 starting...
Aug 16 09:28:15 linux1 sendmail[8075]: k7GDROM5008053: to=<RE...@DOMAIN.com>, delay=00:00:45, xdelay=00:00:00, mailer=local, pri=122029, dsn=2.0.0, stat=

============== and the message =============

/tmp ] # cat msg
X-Envelope-From: REMOVED@hotmail.com
Received: from bay0-omc3-s17.bay0.hotmail.com (bay0-omc3-s17.bay0.hotmail.com [65.54.246.217])
    by DOMAIN.com (8.13.7/8.13.7) with ESMTP id k7GDROM5008053
    for <RE...@DOMAIN.com>; Wed, 16 Aug 2006 09:27:30 -0400
Received: from BAY101-W7 ([64.4.56.107]) by bay0-omc3-s17.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830);
     Wed, 16 Aug 2006 06:26:04 -0700
X-Originating-IP: [xxx.xxx.xxx.xxx]
X-Originating-Email: [REMOVED@hotmail.com]
Message-ID: <BA...@phx.gbl>
MIME-Version: 1.0
Content-Type: multipart/mixed;
    boundary="_2844eb73-fdd6-4571-b1ed-87827ce388f8_"
From: "Hotmail User" <RE...@hotmail.com>
To: REMOVED@DOMAIN.com
Subject: FW: test.gif file
Date: Wed, 16 Aug 2006 09:26:03 -0400
X-OriginalArrivalTime: 16 Aug 2006 13:26:04.0176 (UTC) FILETIME=[85FA1900:01C6C137]
X-DOMAIN-MailScanner-Information: Please contact the ISP for more information
X-DOMAIN-MailScanner: Found to be clean
X-DOMAIN-MailScanner-SpamCheck: not spam, SpamAssassin (score=2.269,
    required 5, DK_POLICY_SIGNSOME 0.00, DNS_FROM_RFC_ABUSE 0.48,
    DNS_FROM_RFC_POST 1.44, FWD2_MSG -0.40, SARE_GIF_ATTACH 0.75,
    SPF_PASS -0.00)
X-DOMAIN-MailScanner-SpamScore: ss
X-DOMAIN-MailScanner-From: REMOVED@hotmail.com
X-Spam-Status: No

--_2844eb73-fdd6-4571-b1ed-87827ce388f8_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable






----------------------------------------
> Date: Mon, 14 Aug 2006 13:32:17 -0400
> From: REMOVED@DOMAIN.com
> To: REMOVED@hotmail.com
> CC: REMOVED@yahoo.com
> Subject: test.gif file
>=20
>=20
> This is a test file

_________________________________________________________________
Try Live.com - your fast, personalized homepage with
all the things you car=
e about in one place.
http://www.live.com/getstarted=

--_2844eb73-fdd6-4571-b1ed-87827ce388f8_
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="test.gif"
--_2844eb73-fdd6-4571-b1ed-87827ce388f8_--



