Spam in images
Eric Wood
eric at interplas.com
Wed Sep 6 15:21:06 CEST 2006
----- Original Message -----
From: "Bill Wohler"
> Seems to be a spam virus afoot the last couple of weeks which
> generates a message consisting of a rather innocuous header (as it may
> have been sent by the victims of the virus), a text/plain body part
> with lots of random, legitimate, words to stump the Bayesian filters,
> and an ad in a GIF image attachment.
>
> What's the current best practice with these? Classify as spam, or just
> delete?
I use a more stupid approach and it catches a ton of image spam no matter
how much "ham" text they wrap around it:
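
# Flag mail between 30000 and 100000 bytes whose quoted-printable HTML
# references an inline image by Content-ID (src=3D"cid:...@...").
:0 HB
* < 100000
* > 30000
* src=3D\"cid:.*@.*\"
{
    # Tag the header. $SUBJECT is not set in this snippet; it has to be
    # defined earlier in the rc file.
    :0 fwh
    | formail -I"X-Loop: adult-trap GIFAD" -I "Subject: [GIFAD] $SUBJECT"

    # Forward the tagged message.
    :0
    ! spam at intgrp.com
}
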
I've seen all kinds of spam images (including body size) between 30k and
100k. They all seem to be referenced inline by the 'src="cid:xxxx@"'
syntax. Legit corporate email grabs all the images from the web.

Although this had been very effective for me, I sometimes have a legit email
caught. For example, people put in their large "business card" signatures.
If message size is over 30K, and it uses the '@' character in the cid: - it
gets caught. Most cid's I see use a valid filename. Most signatures are
less than 30K fortunately.

Some people with auto signatures have HUGE sent boxes because all their
email images are inline and are redundantly stored as opposed to being
referenced to a web server.
-eric wood
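
The heuristic from the recipe above, as an added Python example that is not part of the original post. It goes slightly beyond the recipe by decoding the HTML part before matching, so quoted-printable soft line breaks cannot split the cid: reference; the function names, addresses and sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

MIN_SIZE, MAX_SIZE = 30000, 100000  # size window used by the recipe
# Decoded form of the recipe's src=3D\"cid:.*@.*\" condition.
CID_SRC = re.compile(r'src\s*=\s*"cid:[^"]*@[^"]*"', re.IGNORECASE)

def is_gifad(raw: bytes) -> bool:
    """True if the message is in the size window and its HTML embeds a cid:...@ image."""
    if not MIN_SIZE < len(raw) < MAX_SIZE:
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # get_content() undoes quoted-printable/base64, so soft line breaks
        # inside the attribute cannot hide the reference.
        if CID_SRC.search(part.get_content()):
            return True
    return False

def build_sample(html: str, image_bytes: int = 0, cid: str = "") -> bytes:
    """Constructed message: filler text, HTML part, optional inline GIF-typed blob."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("random legitimate words " * 20)
    msg.add_alternative(html, subtype="html", cte="quoted-printable")
    if image_bytes:
        html_part = msg.get_payload()[1]
        html_part.add_related(b"\x00" * image_bytes, maintype="image",
                              subtype="gif", cid=f"<{cid}>")
    return msg.as_bytes()

if __name__ == "__main__":
    cases = {
        "image spam": build_sample('<img src="cid:a1b2@example.invalid">', 30000, "a1b2@example.invalid"),
        "web-hosted images": build_sample('<img src="http://www.example.com/x.gif">' + "<p>news</p>" * 3000),
        "big signature (false positive)": build_sample('<img src="cid:card@example.invalid">', 40000, "card@example.invalid"),
        "filename-style cid": build_sample('<img src="cid:logo.gif">', 40000, "logo.gif"),
    }
    for name, raw in cases.items():
        print(f"{name:32} {len(raw):6d} bytes  GIFAD={is_gifad(raw)}")
```

The third case reproduces the false positive described in the message: a large inline signature image whose Content-ID contains '@' lands in the same bucket as the image spam.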