Posted to users@spamassassin.apache.org by vertito <ve...@aim-consultants.com> on 2006/12/13 17:52:34 UTC

parsing cid: from HTML spam email

I have this rule from local.cf
 
body MY_harsh_content_RULE18        /cid:/is
describe MY_harsh_content_RULE18    Harsh body content
score MY_harsh_content_RULE18       5.0
 
but still I am receiving these HTML spam emails that score lower than 2.0.
The above rule doesn't catch the said HTML spam email from Yahoo.
 
And the only signature I can find is it has "cid:" inside the body of that HTML spam email.
 
See attached image. 
 
 


 
  

Re: parsing cid: from HTML spam email

Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 13 Dec 2006, vertito wrote:

> I have this rule from local.cf
>
> body MY_harsh_content_RULE18        /cid:/is
> describe MY_harsh_content_RULE18    Harsh body content
> score MY_harsh_content_RULE18       5.0
>
> but still I am receiving these HTML spam emails that score lower than 2.0.
> The above rule doesn't catch the said HTML spam email from Yahoo.
>
> And the only signature I can find is it has "cid:" inside the body of that HTML spam email.
>
> See attached image.

Go get the SARE "70_sare_html.cf" and "70_sare_stocks.cf" rule sets.
They look for 'cid:' with other factors to try to get a spammy-ness
evaluation of a message. They use 'meta' rules to combine different
factors to try to reduce the FP rates.


-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{

Re: parsing cid: from HTML spam email

Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Dec 13, 2006 at 05:52:34PM +0100, vertito wrote:
> body MY_harsh_content_RULE18        /cid:/is

Ewww!

> The above rule doesn't catch the said HTML spam email from Yahoo.

of course.  body rules look at the rendered text, so all the html markup is
gone.

> And the only signature I can find is it has "cid:" inside the body of that HTML spam email.

first, you'd want a uri rule.  second, there's already some rules that look
for this type of stuff.  third, it's not really a good spam sign in and of
itself.  fourth, use sa-update if you're not already. :)

-- 
Randomly Selected Tagline:
"Old Russian women are a hardy, fearless breed. I'd rather take on a
 regiment of Viet Cong than a squad of these determined septuagenarians. If
 you are not wearing a hat, they will come up to you and inform you that
 you are a fool."
         - http://home.earthlink.net/~afabbro/russia/russianmemoirs.html

RE: parsing cid: from HTML spam email

Posted by "Coffey, Neal" <nc...@langeveld.com>.
vertito writes:

> I have this rule from local.cf
>
> body MY_harsh_content_RULE18        /cid:/is

To expand on Theo's comments, the reason this is not a good spam sign is
because it'll match any email with an inline image sent by most modern
email clients (definitely Outlook and Thunderbird).  Scoring it at 5.0
is, then, doubly-bad, at least as a site-wide rule that others might be
affected by.  If you're doing this just for yourself, then at least you
know what to expect.
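
Added example, not part of the original thread or of SpamAssassin: a Python sketch of Theo's point that a pattern run over rendered text never sees `cid:` inside an `<img src>` attribute, and of Neal's point that the same pattern run over the HTML source also hits an ordinary inline-image mail. The three messages are constructed samples, and `rendered_text` (built on Python's `html.parser`) is only an assumed approximation of the text a `body` rule is matched against.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser

CID_RE = re.compile(r"cid:", re.I | re.S)   # same pattern as /cid:/is in the thread

class TextOnly(HTMLParser):
    """Keeps character data only; tags and attribute values are dropped."""
    def __init__(self):
        super().__init__()
        self.chunks = []
    def handle_data(self, data):
        self.chunks.append(data)

def rendered_text(html):
    """Rough stand-in for the rendered text a 'body' rule is matched against."""
    parser = TextOnly()
    parser.feed(html)
    parser.close()
    return " ".join("".join(parser.chunks).split())

def cid_hits(raw_message):
    """Return (hit_in_rendered_text, hit_in_html_source) for one message."""
    in_text = in_source = False
    for part in message_from_string(raw_message).walk():
        if part.get_content_type() != "text/html":
            continue
        charset = part.get_content_charset() or "utf-8"
        html = part.get_payload(decode=True).decode(charset, "replace")
        in_text |= bool(CID_RE.search(rendered_text(html)))
        in_source |= bool(CID_RE.search(html))
    return in_text, in_source

def build(html):
    """Constructed sample: an HTML part plus one inline image part."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(html, subtype="html")
    msg.add_related(b"GIF89a", maintype="image", subtype="gif",
                    cid="<img1@example.invalid>")
    return msg.as_string()

IMAGE_ONLY = build('<html><body><img src="cid:img1@example.invalid"></body></html>')
INLINE_PHOTO = build('<p>Photo from the offsite.</p><img src="cid:img1@example.invalid">')
VISIBLE_TEXT = build("<p>My rule on cid: never fires.</p>")

if __name__ == "__main__":
    for name in ("IMAGE_ONLY", "INLINE_PHOTO", "VISIBLE_TEXT"):
        print(name, cid_hits(globals()[name]))
```

The image-only sample and the ordinary inline-photo sample give the same result, which is why `cid:` on its own cannot separate them and has to be combined with other factors.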