Posted to users@spamassassin.apache.org by Dylan Bouterse <dy...@corp.power1.com> on 2006/10/13 16:38:15 UTC
RE: Having issue with a type of spam I haven't seen before
I'm trying to write a rule to score src=cid" but I can't seem to get it
right. Can somebody shed some light on what I'd use for the
20_phrases.cf file so I can start scoring this? Thanks.
Dylan
________________________________
From: Thomas Lindell [mailto:tlindell@adlmail.com]
Sent: Friday, October 13, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Having issue with a type of spam I haven't seen before
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Join the thousands of people who got slim</TITLE>
</HEAD>
<BODY>
<IMG alt="" hspace=0
src="cid:FD3055C1.7805C1EB.80C1EB80.C930C178_csseditor" align=baseline
border=0>
<p>
</p>
Note the img tag.
It's using src=cid
I haven't seen this before.
Can anyone shed some light on this for me?
Thomas Lindell
RE: Having issue with a type of spam I haven't seen before
Posted by Derek Harding <de...@innovyx.com>.
On Fri, 2006-10-13 at 15:22 -0600, Chris Stone wrote:
> On Fri, 2006-10-13 at 10:38 -0400, Dylan Bouterse wrote:
> > I’m trying to write a rule to score src=cid” but I can’t seem to get
> > it right. Can somebody shed some light on what I’d use for the
> > 20_phrases.cf file so I can start scoring this? Thanks.
>
> Here's what I am using with success:
>
> rawbody SENET_INLINEIMG /src\s*=\s*["']cid:/i
Some time ago I wrote this rule:
rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
describe INLINE_IMAGE Inline Images
score INLINE_IMAGE 1.5
Works fine though it will catch users who use an attached image for
their sig or use email templates with background images.
I think these days most people are going the OCR route.
Derek
RE: Having issue with a type of spam I haven't seen before
Posted by Chris Stone <ax...@gmail.com>.
On Fri, 2006-10-13 at 10:38 -0400, Dylan Bouterse wrote:
> I’m trying to write a rule to score src=cid” but I can’t seem to get
> it right. Can somebody shed some light on what I’d use for the
> 20_phrases.cf file so I can start scoring this? Thanks.
Here's what I am using with success:
rawbody SENET_INLINEIMG /src\s*=\s*["']cid:/i
Re: Having issue with a type of spam I haven't seen before
Posted by Theo Van Dinter <fe...@apache.org>.
On Fri, Oct 13, 2006 at 09:54:07AM -0500, Thomas Lindell wrote:
> but what is the CID. Is that some sort of alternate notation for an ip
> address?
Short for "Content-ID", it'll be a reference to a MIME part (with a Content-ID
header matching that value) in the message.
--
Randomly Selected Tagline:
Twenty of the suckiest minutes of my life.
-- Homer Simpson
Burns, Baby Burns
RE: Having issue with a type of spam I haven't seen before
Posted by "John D. Hardin" <jh...@impsec.org>.
On Fri, 13 Oct 2006, Jo for Groups and Lists wrote:
> Date: Fri, 13 Oct 2006 12:01:32 -0400
> From: Jo for Groups and Lists <ou...@rogers.com>
> To: users@spamassassin.apache.org
> Subject: RE: Having issue with a type of spam I haven't seen before
>
> Are you using Outlook by any chance? If you are, mostly "src=CID"
> only appears in the View-Source via Outlook. It's a reference to the
> downloaded image saved in the temp files on your desktop. If you
> look at the raw mail file on the server before downloading the
> message, there is a regular "img src='http:// ". So SA would never
> detect 'CID' anyway - it only exists after downloading.
>
> BTDT - I found this out when a procmail recipe I tried kept failing!
Not true in all cases. It's how HTML email references an image that is
attached to the message.
--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin@impsec.org FALaholic #11174 pgpk -a jhardin@impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Perfect Security is unattainable; beware those who would try to sell
it to you, regardless of the cost, for they are trying to sell you
your own slavery.
-----------------------------------------------------------------------
RE: Having issue with a type of spam I haven't seen before
Posted by Jo for Groups and Lists <ou...@rogers.com>.
Are you using Outlook by any chance? If you are, mostly "src=CID"
only appears in the View-Source via Outlook. It's a reference to the
downloaded image saved in the temp files on your desktop. If you
look at the raw mail file on the server before downloading the
message, there is a regular "img src='http:// ". So SA would never
detect 'CID' anyway - it only exists after downloading.
BTDT - I found this out when a procmail recipe I tried kept failing!
Jo
Re: Having issue with a type of spam I haven't seen before
Posted by Andreas Pettersson <an...@telia.com>.
Thomas Lindell wrote:
>I don't see anything attached to the message though.
>
>Even when I view the source I don't see a mime attachment.
>
>
Well, the attachment is missing then.
Come to think of it, that would be some excellent rule :-]
--
Andreas
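The "attachment is missing" check suggested above, using the Content-ID explanation given earlier in the thread, as an added example that is not from any poster or from SpamAssassin itself: it collects `cid:` references from HTML parts and reports those with no MIME part carrying a matching Content-ID header. The function name and both sample messages are constructed for illustration; the second sample reuses the `cid:` value from the original post.

```python
import re
from email import message_from_string
from email.policy import default

# Same pattern as the rawbody rules quoted in the thread, plus a capture group.
CID_SRC = re.compile(r"""src\s*=\s*["']cid:([^"'\s>]+)""", re.I)

def dangling_cids(raw_message):
    """Return cid: references in HTML parts that no MIME part declares."""
    msg = message_from_string(raw_message, policy=default)
    referenced, declared = set(), set()
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            # Content-ID is written <value>; the cid: URL carries the bare value.
            declared.add(str(cid).strip().strip("<>"))
        if part.get_content_type() == "text/html":
            referenced.update(CID_SRC.findall(part.get_content()))
    return sorted(referenced - declared)

# Constructed sample: HTML mail with an attached signature image (the
# false-positive case for a bare src=cid rule).
LEGIT = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Regards<img src="cid:sig.logo@example.invalid"></body></html>
--b1
Content-Type: image/png
Content-ID: <sig.logo@example.invalid>

--b1--
"""

# Constructed sample: the img tag from the original post, with no image part.
ORPHAN = """\
Content-Type: text/html; charset="us-ascii"

<HTML><BODY><IMG alt="" hspace=0
src="cid:FD3055C1.7805C1EB.80C1EB80.C930C178_csseditor" align=baseline
border=0></BODY></HTML>
"""

if __name__ == "__main__":
    for name, raw in (("LEGIT", LEGIT), ("ORPHAN", ORPHAN)):
        print(name, dangling_cids(raw))
```

Both samples match the `src=cid` pattern, but only the second has a reference that resolves to nothing.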
RE: Having issue with a type of spam I haven't seen before
Posted by Thomas Lindell <tl...@adlmail.com>.
I don't see anything attached to the message though.
Even when I view the source I don't see a mime attachment.
-----Original Message-----
From: Andreas Pettersson [mailto:andpet@telia.com]
Sent: Friday, October 13, 2006 10:14 AM
To: users@spamassassin.apache.org
Subject: Re: Having issue with a type of spam I haven't seen before
Thomas Lindell wrote:
> but what is the CID. Is that some sort of alternate notation for an
> ip address?
It's a reference to an attached image.
--
Andreas
Re: Having issue with a type of spam I haven't seen before
Posted by Andreas Pettersson <an...@telia.com>.
Thomas Lindell wrote:
> but what is the CID. Is that some sort of alternate notation for an
> ip address?
It's a reference to an attached image.
--
Andreas
RE: Having issue with a type of spam I haven't seen before
Posted by Thomas Lindell <tl...@adlmail.com>.
but what is the CID. Is that some sort of alternate notation for an ip
address?
_____
From: Dylan Bouterse [mailto:dylan@corp.power1.com]
Sent: Friday, October 13, 2006 9:38 AM
To: users@spamassassin.apache.org
Subject: RE: Having issue with a type of spam I haven't seen before
I'm trying to write a rule to score src=cid" but I can't seem to get it
right. Can somebody shed some light on what I'd use for the 20_phrases.cf
file so I can start scoring this? Thanks.
Dylan
_____
From: Thomas Lindell [mailto:tlindell@adlmail.com]
Sent: Friday, October 13, 2006 10:41 AM
To: users@spamassassin.apache.org
Subject: Having issue with a type of spam I haven't seen before
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<HTML><HEAD><TITLE>Join the thousands of people who got slim</TITLE>
</HEAD>
<BODY>
<IMG alt="" hspace=0 src="cid:FD3055C1.7805C1EB.80C1EB80.C930C178_csseditor"
align=baseline border=0>
<p>
</p>
Note the img tag.
It's using src=cid
I haven't seen this before.
Can anyone shed some light on this for me?
Thomas Lindell