Pure image based spam in the wild

Jonathan Buzzard jonathan at buzzard.org.uk
Fri Jan 31 15:16:25 CET 2003



matthias.andree at gmx.de said:
> Could you run bogolexer on the full mail and let us know what it
> prints?
>

Here goes, I have upgraded to 0.10.1.4 just for the test. As you can see,
apart from "enchanted holiday" there is nothing for bogofilter to go on
really. It might be more instructive to look at the actual email, though
there is not much: apart from the From "enchantedholiday at lycos.com" and
subject line "Enchanted Holiday", the rest of the email is a MIME with a
minimal bit of HTML and the image. The minimal HTML looks like this:

<HTML>
<HEAD>
<META NAME=3D"GENERATOR" Content=3D"Microsoft DHTML Editing Control">
<TITLE></TITLE>
</HEAD>
<BODY>
<P><IMG align=3Dbaseline alt=3D"" border=3D0 hspace=3D0=20
src=3D"cid:lux12.jpg"></P>
</BODY>
</HTML>

Like I said, the chances of bogofilter picking this out as spam are going
to be next to nothing. The output of bogolexer is below. If you want to
see the full message, it is at the URL below until the end of February at
least.

    http://www.buzzard.org.uk/jonathan/image-spam.txt

Basically I think it is going to be very hard to defend against this
sort of spam. I have noticed quite a lot of near total image spam, but
the images have been externally referenced and this has been enough
with the few bits of text left for bogofilter to identify them for
what they are. But with this sort of spam, bogofilter as it stands
is about as useful as a can of petrol at a house fire.

JAB.

normal mode.
get_token: 2 'from'
get_token: 1 'enchantedholiday'
get_token: 1 'lycos.com'
get_token: 1 'thu'
get_token: 1 'jan'
get_token: 1 'return-path'
get_token: 1 'enchantedholiday'
get_token: 1 'lycos.com'
get_token: 1 'envelope-to'
get_token: 1 'jab'
get_token: 1 'jelly.buzzard.org.uk'
get_token: 1 'received'
get_token: 1 'from'
get_token: 1 'localhost'
get_token: 5 '127.0.0.1'
get_token: 1 'ident'
get_token: 1 'root'
get_token: 1 'jelly.buzzard.org.uk'
get_token: 1 'with'
get_token: 1 'esmtp'
get_token: 1 'exim'
get_token: 1 'debian'
get_token: 1 'for'
get_token: 1 'jab'
get_token: 1 'jelly.buzzard.org.uk'
get_token: 1 'thu'
get_token: 1 'jan'
get_token: 1 'received'
get_token: 1 'from'
get_token: 1 'pop.tiscali.co.uk'
get_token: 5 '212.74.114.58'
get_token: 1 'localhost'
get_token: 1 'with'
get_token: 1 'pop3'
get_token: 1 'fetchmail-5.9.11'
get_token: 1 'for'
get_token: 1 'jab'
get_token: 1 'jelly.buzzard.org.uk'
get_token: 1 'single-drop'
get_token: 1 'thu'
get_token: 1 'jan'
get_token: 1 'gmt'
get_token: 1 'received'
get_token: 1 'from'
get_token: 1 'ns0.entweb.co.uk'
get_token: 5 '217.33.99.70'
get_token: 1 'mk-cpfrontend.uk.tiscali.com'
get_token: 1 'e2fe6160069e15c'
get_token: 1 'for'
get_token: 1 'jabuzz'
get_token: 1 'tiscali.co.uk'
get_token: 1 'thu'
get_token: 1 'jan'
get_token: 1 'received'
get_token: 1 'qmail'
get_token: 1 'invoked'
get_token: 1 'uid'
get_token: 1 'jan'
get_token: 1 'delivered-to'
get_token: 1 'buzzard-jonathan'
get_token: 1 'buzzard.org.uk'
get_token: 1 'received'
get_token: 1 'qmail'
get_token: 1 'invoked'
get_token: 1 'from'
get_token: 1 'network'
get_token: 1 'jan'
get_token: 1 'received'
get_token: 1 'from'
get_token: 1 'mail134.mail.bellsouth.net'
get_token: 1 'helo'
get_token: 1 'imf46bis.bellsouth.net'
get_token: 5 '205.152.58.94'
get_token: 1 'ns0.entweb.co.uk'
get_token: 1 'with'
get_token: 1 'smtp'
get_token: 1 'jan'
get_token: 1 'received'
get_token: 1 'from'
get_token: 1 'netsendmail'
get_token: 5 '68.154.105.181'
get_token: 1 'imf46bis.bellsouth.net'
get_token: 1 'intermail'
get_token: 1 'vm.5.01.04.25'
get_token: 1 'with'
get_token: 1 'smtp'
get_token: 1 'netsendmail'
get_token: 1 'for'
get_token: 1 'jonathan'
get_token: 1 'buzzard.org.uk'
get_token: 1 'thu'
get_token: 1 'jan'
get_token: 1 'reply-to'
get_token: 1 'enchantedholiday'
get_token: 1 'lycos.com'
get_token: 1 'from'
get_token: 1 'enchanted'
get_token: 1 'holiday'
get_token: 1 'enchantedholiday'
get_token: 1 'lycos.com'
get_token: 1 'jonathan'
get_token: 1 'buzzard'
get_token: 1 'jonathan'
get_token: 1 'buzzard.org.uk'
get_token: 1 'subject'
get_token: 1 'enchanted'
get_token: 1 'holiday'
get_token: 1 'mime-version'
get_token: 1 'type'
get_token: 1 'multipart'
get_token: 1 'alternative'
get_token: 1 'content-type'
get_token: 1 'multipart'
get_token: 1 'related'
get_token: 1 'x-mailer'
get_token: 1 'nettalk'
get_token: 1 'email'
get_token: 1 'x-nettalk'
get_token: 1 'nettalk'
get_token: 1 'email'
get_token: 1 'this'
get_token: 1 'multi-part'
get_token: 1 'message'
get_token: 1 'mime'
get_token: 1 'format'
get_token: 1 'this'
get_token: 1 'email'
get_token: 1 'requires'
get_token: 1 'mime'
get_token: 1 'compatible'
get_token: 1 'email'
get_token: 1 'reader'
get_token: 1 'content-type'
get_token: 1 'multipart'
get_token: 1 'alternative'
get_token: 1 'content-type'
get_token: 1 'text'
get_token: 1 'plain'
get_token: 1 'charset'
get_token: 1 'us-ascii'
get_token: 1 'content-transfer-encoding'
get_token: 1 'bit'
get_token: 1 'content-type'
get_token: 1 'text'
get_token: 1 'html'
get_token: 1 'charset'
get_token: 1 'us-ascii'
get_token: 1 'content-transfer-encoding'
get_token: 1 'quoted-printable'
get_token: 1 'content-type'
get_token: 1 'image'
get_token: 1 'jpg'
get_token: 1 'lux12.jpg'
get_token: 1 'content-transfer-encoding'
get_token: 1 'base64'
get_token: 1 'content-id'
get_token: 1 'lux12.jpg'
157 tokens read.



-- 
Jonathan A. Buzzard                 Email: jonathan at buzzard.org.uk
Northumberland, United Kingdom.       Tel: +44(0)1661-832195
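
Added example (not part of the original post, and not bogofilter code): the message described above carries its signal in MIME structure rather than in words, so this Python check counts visible body words and matches cid: image references in the HTML against attached image parts. SAMPLE is a constructed, simplified message; the name image_only_features and the max_words threshold are assumptions.

```python
from email import message_from_string, policy
import re

# Constructed sample with the MIME layout the post describes (not the real
# mail); the base64 body is only a JPEG magic-number placeholder.
SAMPLE = """\
Subject: Enchanted Holiday
Content-Type: multipart/related; boundary="rel"

--rel
Content-Type: multipart/alternative; boundary="alt"

--alt
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

<HTML><BODY><P><IMG align=3Dbaseline alt=3D"" border=3D0 hspace=3D0=20
src=3D"cid:lux12.jpg"></P></BODY></HTML>
--alt--
--rel
Content-Type: image/jpg; name="lux12.jpg"
Content-Transfer-Encoding: base64
Content-ID: <lux12.jpg>

/9j/4AAQSkZJRg==
--rel--
"""

WORD = re.compile(r"[A-Za-z]{3,}")
CID_SRC = re.compile(r"""<img\b[^>]*\bsrc\s*=\s*["']?cid:([^"'\s>]+)""", re.I)

def image_only_features(raw, max_words=5):
    """Structural features of the body that a word tokenizer cannot express."""
    msg = message_from_string(raw, policy=policy.default)
    words, refs, attached = [], set(), set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            words += WORD.findall(part.get_content())
        elif ctype == "text/html":
            html = part.get_content()              # quoted-printable decoded
            refs |= set(CID_SRC.findall(html))     # <img src="cid:...">
            words += WORD.findall(re.sub(r"<[^>]*>", " ", html))
        elif ctype.startswith("image/"):
            attached.add((part["Content-ID"] or "").strip("<> "))
    embedded = sorted((refs & attached) - {""})
    return {"body_words": len(words), "embedded": embedded,
            "image_only": bool(embedded) and len(words) <= max_words}
```
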





