You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Matt <mh...@gmail.com> on 2006/04/21 17:15:28 UTC

Spam that is nothing but one large image

Hi,
We have received a large quantity of spam that is nothing but a large
image.  Spamassassin is tagging it a little because it is an image,
and only an image, however I'm wondering how other people are
handeling this type of spam?    I don't want to score mail that is
just an image with a very high score, since that could render a legit
mail with a picture in it or something as spam.  Any thoughts?

Re: Spam that is nothing but one large image

Posted by Dirk Bonengel <di...@bonengel.de>.

Matt,

try enabling razor, pyzor and dcc. You might also want to try the iXhash 
plugin I did some time ago (if you run a 3.1.x installation. See 
http://wiki.apache.org/spamassassin/iXhash for ore info on that and drop 
me a mail if you use it so I can get in touch)
Those image only spams in fact do contain text and/or html code, and the 
above mentioned plugins can score on that. At least that's what I see here
SURBL and URIBL are nice to have to but fail with stock spam that's 
often sent as 'image only'

Dirk

Matt schrieb:
> Hi,
> We have received a large quantity of spam that is nothing but a large
> image.  Spamassassin is tagging it a little because it is an image,
> and only an image, however I'm wondering how other people are
> handeling this type of spam?    I don't want to score mail that is
> just an image with a very high score, since that could render a legit
> mail with a picture in it or something as spam.  Any thoughts?
>

Re: Spam that is nothing but one large image

Posted by Matt Kettler <mk...@evi-inc.com>.

Andrzej Adam Filip wrote:
> Matt <mh...@gmail.com> writes:
> 
>> Hi,
>> We have received a large quantity of spam that is nothing but a large
>> image.  Spamassassin is tagging it a little because it is an image,
>> and only an image, however I'm wondering how other people are
>> handeling this type of spam?    I don't want to score mail that is
>> just an image with a very high score, since that could render a legit
>> mail with a picture in it or something as spam.  Any thoughts?
> 
> I receive a lot of "stock spam".
> It consist of a little bit of "cloaking html" and all content is
> contained in attached image.

The SARE stocks ruleset covers this. It has rules specific to this kind of
"image spam"

www.rulesemporium.com

Re: Spam that is nothing but one large image

Posted by Andrzej Adam Filip <an...@xl.wp.pl>.

Matt <mh...@gmail.com> writes:

> Hi,
> We have received a large quantity of spam that is nothing but a large
> image.  Spamassassin is tagging it a little because it is an image,
> and only an image, however I'm wondering how other people are
> handeling this type of spam?    I don't want to score mail that is
> just an image with a very high score, since that could render a legit
> mail with a picture in it or something as spam.  Any thoughts?

I receive a lot of "stock spam".
It consist of a little bit of "cloaking html" and all content is
contained in attached image.

-- 
[pl2en Andrew] Andrzej Adam Filip : anfi@priv.onet.pl : anfi@xl.wp.pl
http://anfi.homeunix.net/

Re: Spam that is nothing but one large image

Posted by Matt Kettler <mk...@evi-inc.com>.

Gaute Lund wrote:
>> -----Original Message-----
>> From: Matt [mailto:mhoppes@gmail.com] 
>> Sent: Wednesday, April 26, 2006 8:51 PM
>>
>> Unfortunately this is what I may be forced to do.  I hate to 
>> let one item give a high score, but when the message is 
>> nothing but an IMAGE... no HTML... no link... and the 
>> blacklists have not yet picked it up.. and Pyzor doesn't see 
>> it yet... what else can you do?
>>
>> On 4/22/06, John D. Hardin <jh...@impsec.org> wrote:
>>> Many of them are HTML-only (no plain-text parts). I give 
>> HTML-only + 
>>> image-only a high score.
> 
> Matt/Johnn: Does this mean you have simple way to specify "rule A is 1.0, rule B
> is 1.0, but if A+B matches, give it 4.0"?

Create rule A, and score it 1.0, Create rule B, and score it 1.0

meta L_A_AND_B	(A && B)
score L_A_AND_B 2.0

if both A and B match, it will total 4.0 (1.0 + 1.0 + 2.0)

RE: Spam that is nothing but one large image

Posted by Gaute Lund <ga...@idrift.no>.

> -----Original Message-----
> From: Matt [mailto:mhoppes@gmail.com] 
> Sent: Wednesday, April 26, 2006 8:51 PM
>
> Unfortunately this is what I may be forced to do.  I hate to 
> let one item give a high score, but when the message is 
> nothing but an IMAGE... no HTML... no link... and the 
> blacklists have not yet picked it up.. and Pyzor doesn't see 
> it yet... what else can you do?
> 
> On 4/22/06, John D. Hardin <jh...@impsec.org> wrote:
> > Many of them are HTML-only (no plain-text parts). I give 
> HTML-only + 
> > image-only a high score.

Matt/Johnn: Does this mean you have simple way to specify "rule A is 1.0, rule B
is 1.0, but if A+B matches, give it 4.0"?

If so, how?

Med vennleg helsing / Best regards
Gaute Lund
IT consultant
iDrift AS
Phone: (+47) 53 47 22 00
Fax: (+47) 53 47 22 01
Mobile: (+47) 97 00 82 00

Re: Spam that is nothing but one large image

Posted by Matt <mh...@gmail.com>.

Unfortunately this is what I may be forced to do.  I hate to let one
item give a high score, but when the message is nothing but an
IMAGE... no HTML... no link... and the blacklists have not yet picked
it up.. and Pyzor doesn't see it yet... what else can you do?

On 4/22/06, John D. Hardin <jh...@impsec.org> wrote:
> On Fri, 21 Apr 2006, Matt wrote:
>
> > We have received a large quantity of spam that is nothing but a large
> > image.  Spamassassin is tagging it a little because it is an image,
> > and only an image, however I'm wondering how other people are
> > handeling this type of spam?    I don't want to score mail that is
> > just an image with a very high score, since that could render a legit
> > mail with a picture in it or something as spam.  Any thoughts?
>
> Many of them are HTML-only (no plain-text parts). I give HTML-only +
> image-only a high score.
>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>  Senator, when you took your oath of office, you placed your hand on
>  the Bible and swore to uphold the Constitution. You didn't place your
>  hand on the Constitution and swear to uphold the Bible.
>                     -- Jamie Raskin, Professor of Law at American
>                     University, testifying before the Maryland Senate
> -----------------------------------------------------------------------
>
>

Re: Spam that is nothing but one large image

Posted by "John D. Hardin" <jh...@impsec.org>.

On Fri, 21 Apr 2006, Matt wrote:

> We have received a large quantity of spam that is nothing but a large
> image.  Spamassassin is tagging it a little because it is an image,
> and only an image, however I'm wondering how other people are
> handeling this type of spam?    I don't want to score mail that is
> just an image with a very high score, since that could render a legit
> mail with a picture in it or something as spam.  Any thoughts?

Many of them are HTML-only (no plain-text parts). I give HTML-only +
image-only a high score.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
 Senator, when you took your oath of office, you placed your hand on
 the Bible and swore to uphold the Constitution. You didn't place your
 hand on the Constitution and swear to uphold the Bible.
                    -- Jamie Raskin, Professor of Law at American
                    University, testifying before the Maryland Senate
-----------------------------------------------------------------------

RE: Spam that is nothing but one large image

Posted by Martin Hepworth <ma...@solid-state-logic.com>.

Matt

Make sure you've got the URI-RBLs working (check the plugins in init.pre and
v310.pre) and also maybe add the URI-Black in to the mix as well..

http://www.uribl.com/


--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

> -----Original Message-----
> From: Matt [mailto:mhoppes@gmail.com]
> Sent: 21 April 2006 16:15
> To: spamassassin-users@incubator.apache.org
> Subject: Spam that is nothing but one large image
> 
> Hi,
> We have received a large quantity of spam that is nothing but a large
> image.  Spamassassin is tagging it a little because it is an image,
> and only an image, however I'm wondering how other people are
> handeling this type of spam?    I don't want to score mail that is
> just an image with a very high score, since that could render a legit
> mail with a picture in it or something as spam.  Any thoughts?


**********************************************************************

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.	

**********************************************************************