Posted to users@spamassassin.apache.org by vertito <ve...@aim-consultants.com> on 2006/12/13 17:52:34 UTC
parsing cid: from HTML spam email
I have this rule from local.cf
body MY_harsh_content_RULE18 /cid:/is
describe MY_harsh_content_RULE18 Harsh body content
score MY_harsh_content_RULE18 5.0
but still I am receiving these HTML spam emails that score lower than 2.0.
The above rule doesn't catch the said HTML spam email from Yahoo.
And the only signature I can find is it has "cid:" inside the body of that HTML spam email.
See attached image.
Re: parsing cid: from HTML spam email
Posted by David B Funk <db...@engineering.uiowa.edu>.
On Wed, 13 Dec 2006, vertito wrote:
> I have this rule from local.cf
>
> body MY_harsh_content_RULE18 /cid:/is
> describe MY_harsh_content_RULE18 Harsh body content
> score MY_harsh_content_RULE18 5.0
>
> but still I am receiving these HTML spam emails that score lower than 2.0.
> The above rule doesn't catch the said HTML spam email from Yahoo.
>
> And the only signature I can find is it has "cid:" inside the body of that HTML spam email.
>
> See attached image.
Go get the SARE "70_sare_html.cf" and "70_sare_stocks.cf" rule sets.
They look for 'cid:' with other factors to try to get a spammy-ness
evaluation of a message. They use 'meta' rules to combine different
factors to try to reduce the FP rates.
--
Dave Funk University of Iowa
<dbfunk (at) engineering.uiowa.edu> College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
Re: parsing cid: from HTML spam email
Posted by Theo Van Dinter <fe...@apache.org>.
On Wed, Dec 13, 2006 at 05:52:34PM +0100, vertito wrote:
> body MY_harsh_content_RULE18 /cid:/is
Ewww!
> The above rule doesn't catch the said HTML spam email from Yahoo.
of course. body rules look at the rendered text, so all the html markup is
gone.
> And the only signature I can find is it has "cid:" inside the body of that HTML spam email.
first, you'd want a uri rule. second, there's already some rules that look
for this type of stuff. third, it's not really a good spam sign in and of
itself. fourth, use sa-update if you're not already. :)
RE: parsing cid: from HTML spam email
Posted by "Coffey, Neal" <nc...@langeveld.com>.
vertito writes:
> I have this rule from local.cf
>
> body MY_harsh_content_RULE18 /cid:/is
To expand on Theo's comments, the reason this is not a good spam sign is
because it'll match any email with an inline image sent by most modern
email clients (definitely Outlook and Thunderbird). Scoring it at 5.0
is, then, doubly-bad, at least as a site-wide rule that others might be
affected by. If you're doing this just for yourself, then at least you
know what to expect.
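
Added example, not part of any message in this thread and not taken from the SARE rule sets: a local.cf fragment that follows the advice above by matching cid: with uri and rawbody sub-rules instead of a body rule, and scoring it only through a meta rule together with a second factor. The LOCAL_* rule names, the 1.0 score and the use of the stock HTML_IMAGE_ONLY_04/08 tests as the second factor are assumptions.

```conf
# Added example. Rule names (LOCAL_*), the score and the choice of second
# factor are assumptions, not taken from the thread or from the SARE rules.

# The rule from the original post, kept here only for comparison. "body"
# rules are matched against the rendered text, so the <img src="cid:...">
# markup is already gone by the time the pattern runs:
#   body  MY_harsh_content_RULE18  /cid:/is

# Sub-rules: a leading "__" means the rule carries no score of its own.
# uri rules are matched against the URIs found in the message.
uri      __LOCAL_CID_URI   /^cid:/i
# rawbody rules are matched against the decoded body with HTML markup intact.
rawbody  __LOCAL_CID_IMG   /<img\b[^>]{0,200}\bsrc\s*=\s*["']?cid:/i

# Second factor (assumed): stock tests for HTML mail that is an image with
# very little accompanying text.
meta     __LOCAL_IMG_ONLY  (HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08)

# Fires only when a cid: image reference AND the second factor are present.
# A normal message with an inline image plus ordinary text does not hit.
meta     LOCAL_CID_IMG_ONLY  ((__LOCAL_CID_URI || __LOCAL_CID_IMG) && __LOCAL_IMG_ONLY)
describe LOCAL_CID_IMG_ONLY  Inline cid: image in a message with almost no text
score    LOCAL_CID_IMG_ONLY  1.0
```

Run `spamassassin --lint` after editing local.cf to confirm the rules parse.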