Posted to users@spamassassin.apache.org by Dylan Bouterse <dy...@corp.power1.com> on 2006/10/13 16:38:15 UTC

RE: Having issue with a type of spam I havn't seen before

I'm trying to write a rule to score src=cid" but I can't seem to get it
right. Can somebody shed some light on what I'd use for the
20_phrases.cf file so I can start scoring this? Thanks.

 

Dylan

 

________________________________

From: Thomas Lindell [mailto:tlindell@adlmail.com] 
Sent: Friday, October 13, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Having issue with a type of spam I havn't seen before

 

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 
<HTML><HEAD><TITLE>Join the thousands of people who got slim</TITLE> 
</HEAD> 
<BODY> 

<IMG alt="" hspace=0
src="cid:FD3055C1.7805C1EB.80C1EB80.C930C178_csseditor" align=baseline
border=0> 
<p> 
</p> 

 

Note the img tag.

It's using src=cid

I haven't seen this before.

 

Can anyone shed some light on this for me? 

Thomas Lindell 


RE: Having issue with a type of spam I havn't seen before

Posted by Derek Harding <de...@innovyx.com>.
On Fri, 2006-10-13 at 15:22 -0600, Chris Stone wrote:
> On Fri, 2006-10-13 at 10:38 -0400, Dylan Bouterse wrote:
> > I’m trying to write a rule to score src=cid” but I can’t seem to get
> > it right. Can somebody shed some light on what I’d use for the
> > 20_phrases.cf file so I can start scoring this? Thanks.
> 
> Here's what I am using with success:
> 
> rawbody SENET_INLINEIMG         /src\s*=\s*["']cid:/i

Some time ago I wrote this rule:
rawbody INLINE_IMAGE    /src\s*=\s*["']cid:/i
describe INLINE_IMAGE   Inline Images
score INLINE_IMAGE 1.5

Works fine though it will catch users who use an attached image for
their sig or use email templates with background images.

I think these days most people are going the ocr route.

Derek




RE: Having issue with a type of spam I havn't seen before

Posted by Chris Stone <ax...@gmail.com>.
On Fri, 2006-10-13 at 10:38 -0400, Dylan Bouterse wrote:
> I’m trying to write a rule to score src=cid” but I can’t seem to get
> it right. Can somebody shed some light on what I’d use for the
> 20_phrases.cf file so I can start scoring this? Thanks.

Here's what I am using with success:

rawbody SENET_INLINEIMG         /src\s*=\s*["']cid:/i




Re: Having issue with a type of spam I havn't seen before

Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Oct 13, 2006 at 09:54:07AM -0500, Thomas Lindell wrote:
> but what is the CID?  Is that some sort of alternate notation for an ip
> address?

Short for "Content-ID", it'll be a reference to a MIME part (with a Content-ID
header matching that value) in the message.


RE: Having issue with a type of spam I havn't seen before

Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 13 Oct 2006, Jo for Groups and Lists wrote:

> Date: Fri, 13 Oct 2006 12:01:32 -0400
> From: Jo for Groups and Lists <ou...@rogers.com>
> To: users@spamassassin.apache.org
> Subject: RE: Having issue with a type of spam I havn't seen before
> 
> Are you using Outlook by any chance? If you are, mostly  "src=CID"
> only appears in the View-Source via Outlook. It's a reference to the
> downloaded image saved in the temp files on your desktop. If you
> look at the raw mail file on the server before downloading the
> message, there is a regular  "img src='http:// ". So SA would never
> detect 'CID' anyway - it only exists after downloading.  
> 
> BTDT - I found this out when a procmail recipe I tried kept failing!

Not true in all cases. It's how HTML email references an image that is
attached to the message.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79


RE: Having issue with a type of spam I havn't seen before

Posted by Jo for Groups and Lists <ou...@rogers.com>.
Are you using Outlook by any chance? If you are, mostly  "src=CID"
only appears in the View-Source via Outlook. It's a reference to the
downloaded image saved in the temp files on your desktop. If you
look at the raw mail file on the server before downloading the
message, there is a regular  "img src='http:// ". So SA would never
detect 'CID' anyway - it only exists after downloading.  

BTDT - I found this out when a procmail recipe I tried kept failing!

Jo 


Re: Having issue with a type of spam I havn't seen before

Posted by Andreas Pettersson <an...@telia.com>.
Thomas Lindell wrote:

>I don't see anything attached to the message though.  
>
>Even when I view the source I don't see a mime attachment. 
>  
>

Well, the attachment is missing then.
Come to think of it, that would be some excellent rule :-]

-- 
Andreas
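
The check suggested above (a cid: reference with no attached part), built on the Content-ID definition given earlier in the thread, as an added example that is not part of the thread and is not SpamAssassin code. The function name dangling_cids, the example.invalid addresses and both sample messages are constructed for illustration; only the cid value in the first sample is taken from the message posted here.

```python
import re
from email import message_from_string

# Same pattern as the rawbody rules in the thread, plus a capture for the cid value.
CID_REF = re.compile(r"""src\s*=\s*["']cid:([^"'>\s]+)""", re.I)

def dangling_cids(raw):
    """Return cid: values used in HTML parts that match no Content-ID header."""
    msg = message_from_string(raw)
    refs, ids = set(), set()
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            # The header carries <...>; the cid: URL carries the bare value.
            ids.add(cid.strip().strip("<>"))
        if part.get_content_type() == "text/html":
            # latin-1 maps every byte to a character, so decoding cannot fail.
            html = (part.get_payload(decode=True) or b"").decode("latin-1")
            refs.update(CID_REF.findall(html))
    return sorted(refs - ids)

# Constructed sample: HTML-only message whose image part is absent.
SPAM = (
    "Content-Type: text/html\n"
    "\n"
    '<HTML><BODY><IMG alt="" hspace=0\n'
    'src="cid:FD3055C1.7805C1EB.80C1EB80.C930C178_csseditor" border=0>\n'
    "</BODY></HTML>\n"
)
# Constructed sample: signature image that really is attached.
SIG = (
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/html\n"
    "\n"
    "<html><body><img src='cid:logo@example.invalid'></body></html>\n"
    "--b1\n"
    "Content-Type: image/png\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-ID: <logo@example.invalid>\n"
    "\n"
    "iVBORw0KGgo=\n"
    "--b1--\n"
)

if __name__ == "__main__":
    print(dangling_cids(SPAM), dangling_cids(SIG))
```

Unlike the plain src=cid pattern, this does not fire on the signature-image case mentioned earlier in the thread, because that reference resolves to a real part.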


RE: Having issue with a type of spam I havn't seen before

Posted by Thomas Lindell <tl...@adlmail.com>.
I don't see anything attached to the message though.  

Even when I view the source I don't see a mime attachment. 

-----Original Message-----
From: Andreas Pettersson [mailto:andpet@telia.com] 
Sent: Friday, October 13, 2006 10:14 AM
To: users@spamassassin.apache.org
Subject: Re: Having issue with a type of spam I havn't seen before

Thomas Lindell wrote:

> but what is the CID?  Is that some sort of alternate notation for an 
> ip address?


It's a reference to an attached image.

--
Andreas


Re: Having issue with a type of spam I havn't seen before

Posted by Andreas Pettersson <an...@telia.com>.
Thomas Lindell wrote:

> but what is the CID?  Is that some sort of alternate notation for an 
> ip address?


It's a reference to an attached image.

-- 
Andreas


RE: Having issue with a type of spam I havn't seen before

Posted by Thomas Lindell <tl...@adlmail.com>.
but what is the CID?  Is that some sort of alternate notation for an ip
address?

  _____  

From: Dylan Bouterse [mailto:dylan@corp.power1.com] 
Sent: Friday, October 13, 2006 9:38 AM
To: users@spamassassin.apache.org
Subject: RE: Having issue with a type of spam I havn't seen before



I'm trying to write a rule to score src=cid" but I can't seem to get it
right. Can somebody shed some light on what I'd use for the 20_phrases.cf
file so I can start scoring this? Thanks.

 

Dylan

 

  _____  

From: Thomas Lindell [mailto:tlindell@adlmail.com] 
Sent: Friday, October 13, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Having issue with a type of spam I havn't seen before

 

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> 
<HTML><HEAD><TITLE>Join the thousands of people who got slim</TITLE> 
</HEAD> 
<BODY> 

<IMG alt="" hspace=0 src="cid:FD3055C1.7805C1EB.80C1EB80.C930C178_csseditor"
align=baseline border=0> 
<p> 
</p> 

 

Note the img tag.

It's using src=cid

I haven't seen this before.

 

Can anyone shed some light on this for me? 

Thomas Lindell