You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@spamassassin.apache.org by Rakesh <ra...@netcore.co.in> on 2005/05/27 15:24:08 UTC

embedded image spams

Hi

I have been bugged a lot by embedded image spams recently, although some 
of these spams got trapped due URI checks, some managed to pass as well 
as the url wasn't yet blocked in the SURBLs.

I probably found something tht i wanted to share with u guys and try and 
see if we can trap those spams further on the basis of tht. I have 
classified those embedded image spams into two classes. Class 1 of image 
of fulllist of viagra and other meds and Class 2 of image of one liner 
information on cheap softwares or viagra. I was thinking of if possibly 
we can understand a common pattern and try and make a ruleset on top of 
tht so tht we dont have to wait for updates at URIbl, then it would be 
really some thing good. These image only spams apparently have a prob 
tht we can trap on :). The loophole is in most of the cases the message 
id of the mail and the content id or cid of the embedded image is 
exactly same.

For e.g.

Message-ID: <10...@boschkitchencentre.com>
Content-ID: <10...@boschkitchencentre.com>

some variations also had something like this

Message-ID: <10...@cal.cybersurf.net>
Content-ID: <sivjxu_onzvh_dzdohvo>


But thts applicable  to class1 of the spams and in class 2 which are 
just images containing oneliners has some variations. In some cases the 
content id is smartly tampered but again there is a loophole and here is 
an example of tht

Message-ID: <52...@comcast.net>
Content-ID: <e1...@comcast.net>

the message id and the content id both contain the domain name of the 
sending server. And a valid mail that had embedded image in it but was 
sent from outlook had details something like this

 From Outlook
Message-ID: <00...@cg>
Content-ID: <im...@01C55C5D.CB204210>

Frankly I haven't seen how content id appears when images are embedded 
using other valid email clients like netscape or thunderbird. But if we 
compare the above set of patterns, what appears is tht if a image is 
embedded using a client like outlook then "@" appears in the content id 
of the attachment but the latter part of @ is not the domain name, but 
has the name of the attachment itself and the messageid is different 
from the content id, whereas incase of the spammers content ids that 
appear are either exactly same to tht of the message id, or doesnt have 
a @ or has the domain name of the server as a latter part of the @ in 
content id.

So my question is can we have rulesets in spamassassin that can compare 
the sending host domain with the latter part of @ of content id or look 
for @ in the content id.


Any suggestions ? comments ?

-- 
Regards, 
Rakesh B. Pal
Project Leader
Emergic CleanMail Team.
Netcore Solutions Pvt. Ltd.

========================================================
Success is how high you reach after you hit the bottom.
========================================================



----------------------------------------------------------
Netcore Solutions Pvt. Ltd.
Website:  http://www.netcore.co.in
Spamtraps: http://cleanmail.netcore.co.in/directory.html
----------------------------------------------------------

Re: embedded image spams

Posted by Loren Wilton <lw...@earthlink.net>.

> So my question is can we have rulesets in spamassassin that can compare
> the sending host domain with the latter part of @ of content id or look
> for @ in the content id.

Nice analysis!

Yes, we can make rules that will (often, not always) catch this sort of
thing.  The problem is they require a capturing group, and that is
relatively slow in Perl.  Further, it is reputed by many to slow down ALL
tests as soon as you put it into one test.  I don't know if this is really
true or not, but it is something that can be at least roughly measured in a
mass-check.

I'll see about doing some rules over the weekend to try this.

        Loren

PS: A plugin would be another way of doing these, and theoretically would
not slow things down.  Someday I'm going to have to figure out how to write
a plugin...

Re: embedded image spams

Posted by Jeff Chan <je...@surbl.org>.

On Friday, May 27, 2005, 6:24:08 AM, Rakesh Rakesh wrote:
> Hi

> I have been bugged a lot by embedded image spams recently, although some 
> of these spams got trapped due URI checks, some managed to pass as well 
> as the url wasn't yet blocked in the SURBLs.

Please provide the URI and the timestamp it was first seen.
We can use that information to see if we can get them into SURBLs
sooner.

Jeff C.
-- 
Jeff Chan
mailto:jeffc@surbl.org
http://www.surbl.org/