Mail with image marked as spam

[Alex <my...@gmail.com>]

Hi,

I've asked variations of this question in the past, but I'm still not sure
what to do about it. Should an email with just an image attachment, with no
subject and no body be treated as spam? This is the circumstance where
users are using email as a file transfer device.

There seems to be one irregularity with this email that causes it to be
marked as spam:

 *  1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg

but should that be enough? Here are the other spam indicators for this
message where only a 9MB attachment was included:

 *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 *  0.2 KAM_BLANKSUBJECT Message has a blank Subject
 *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
 *  0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
 *  1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg
 *  1.2 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
 *  2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
 *      Subject: text

It otherwise hit no local rules, passed SPF and DKIM as it went through
gmail, and even had TXREP deduct a point.

Perhaps we create a meta rule that deducts points for instances where all
of these rules are hit, indicating it was just an image attachment?

What are others doing here? This is with the latest SA v4 from svn.

Re: Mail with image marked as spam

[Loren Wilton <lw...@earthlink.net>]

> It sure seems to me like people are just using email to share pictures 
> (licenses, l
> egal docs, as well as pictures of the kids.)

Are these messages that are being sent by individuals from their phones?
Or is there some program that is sending these?
I can see it being too much work to type a subject if you are just texting a 
snapshot to someone else on another phone, but if it is a program, perhaps 
it could be trained to put a "Here is your photo!" subject in the mail and 
eliminate the problem.

Re: Mail with image marked as spam

[Alex <my...@gmail.com>]

Hi,

>  *  1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg
>
> That rule is nowhere in the current standard rules or the KAM rules.
>
> If you don't like your custom local rules, only you can change them.
>

Ah, thanks. Usually my local rules are indicated as such, so I didn't even
realize it. I've disabled it for now, thanks.


>

Re: Mail with image marked as spam

[Bill Cole <sa...@billmail.scconsult.com>]

On 2022-09-25 at 13:35:51 UTC-0400 (Sun, 25 Sep 2022 13:35:51 -0400)
Alex <my...@gmail.com>
is rumored to have said:

> Hi,
>
> I've asked variations of this question in the past, but I'm still not sure
> what to do about it. Should an email with just an image attachment, with no
> subject and no body be treated as spam? This is the circumstance where
> users are using email as a file transfer device.
>
> There seems to be one irregularity with this email that causes it to be
> marked as spam:
>
>  *  1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg

That rule is nowhere in the current standard rules or the KAM rules.

If you don't like your custom local rules, only you can change them.


On 2022-09-25 at 16:33:38 UTC-0400 (Sun, 25 Sep 2022 16:33:38 -0400)
Alex <my...@gmail.com>
is rumored to have said:

> Do we have more info on what percentage of similar messages are actually spam?

https://ruleqa.spamassassin.org/ has info on rule accuracy for the corpora submitted for RuleQA, which are human-classified as the controls.

Of the significant STANDARD rules you cited:

MPART_ALT_DIFF:     5.8% of spam, 2.4% of ham, 70% of matches are spam
HTML_IMAGE_ONLY_04: 0.25% of spam, 0.03% of ham, 91% of matches are spam
EMPTY_MESSAGE:      0.13% of spam, 0.01% of ham, 95% of matches are spam

As of the latest scores update, those together total 4.3. I suspect MPART_ALT_DIFF is incorrectly hitting no-text messages, but I have not confirmed.



-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Mail with image marked as spam

[Alex <my...@gmail.com>]

On Sun, Sep 25, 2022 at 1:56 PM Matus UHLAR - fantomas <uh...@fantomas.sk>
wrote:

> On 25.09.22 13:35, Alex wrote:
> >I've asked variations of this question in the past, but I'm still not sure
> >what to do about it. Should an email with just an image attachment, with
> no
> >subject and no body be treated as spam? This is the circumstance where
> >users are using email as a file transfer device.
> >
> >There seems to be one irregularity with this email that causes it to be
> >marked as spam:
> >
> > *  1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg
>
> correct mime type is image/jpeg
>

All indications are that this message was crafted and sent by Gmail. I
don't see that an email client connecting to gmail was used.


>
> >but should that be enough? Here are the other spam indicators for this
> >message where only a 9MB attachment was included:
> >
> > *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
>
> you can train these, if it makes sense
>

Yes, I've been doing that, but there are apparently too many slight
variations.


> > *  0.2 KAM_BLANKSUBJECT Message has a blank Subject
> > *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
> > *  0.8 MPART_ALT_DIFF BODY: HTML and text parts are different
>
> so, does the message contain something or doesn't it? looks like either
> HTML
> or text part does contain something.
>

Content-Type: text/html; charset="UTF-8"
<div><img src="cid:1836721ea9843a698751" style="max-width: 100%;"><div><img
src="cid:1836721f684735c7cef2" style="max-width: 100%;"></div></div>

sending empty message with empty subject really looks like spam
>

Do we have more info on what percentage of similar messages are actually
spam? It sure seems to me like people are just using email to share
pictures (licenses, legal docs, as well as pictures of the kids.)


> >It otherwise hit no local rules, passed SPF and DKIM as it went through
> >gmail, and even had TXREP deduct a point.
> >
> >Perhaps we create a meta rule that deducts points for instances where all
> >of these rules are hit, indicating it was just an image attachment?
> >
> >What are others doing here? This is with the latest SA v4 from svn.
>
> If you can advise the sender not to send blank subject/body, AND possibly
> to
> fix the mime type, your problem is over
>

There are too many variations and one-timers for this to be practical.

>
>

Re: Mail with image marked as spam

[Matus UHLAR - fantomas <uh...@fantomas.sk>]

On 25.09.22 13:35, Alex wrote:
>I've asked variations of this question in the past, but I'm still not sure
>what to do about it. Should an email with just an image attachment, with no
>subject and no body be treated as spam? This is the circumstance where
>users are using email as a file transfer device.
>
>There seems to be one irregularity with this email that causes it to be
>marked as spam:
>
> *  1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg

correct mime type is image/jpeg

>but should that be enough? Here are the other spam indicators for this
>message where only a 9MB attachment was included:
>
> *  0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%

you can train these, if it makes sense

> *  0.2 KAM_BLANKSUBJECT Message has a blank Subject
> *  0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in
> *  0.8 MPART_ALT_DIFF BODY: HTML and text parts are different

so, does the message contain something or doesn't it? looks like either HTML 
or text part does contain something.

> *  1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg
> *  1.2 HTML_IMAGE_ONLY_04 BODY: HTML: images with 0-400 bytes of words
> *  2.3 EMPTY_MESSAGE Message appears to have no textual parts and no
> *      Subject: text

sending empty message with empty subject really looks like spam

>It otherwise hit no local rules, passed SPF and DKIM as it went through
>gmail, and even had TXREP deduct a point.
>
>Perhaps we create a meta rule that deducts points for instances where all
>of these rules are hit, indicating it was just an image attachment?
>
>What are others doing here? This is with the latest SA v4 from svn.

If you can advise the sender not to send blank subject/body, AND possibly to 
fix the mime type, your problem is over

otherwise, you can put the sender into welcomelist_auth

-- 
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?