Just saw my first one of these.  Sniffer caught it for us.

Darin.


----- Original Message ----- 
From: "Martin Schaible" <[EMAIL PROTECTED]>
To: "Darin Cox" <[email protected]>
Sent: Monday, November 07, 2005 4:48 PM
Subject: Re: [IMail Forum] Image-only Spam-Mails


Hi Darin,

This is the source:

<Header>
X-UIDL: 391310558

--=_074dfa5e8a301a18a5010725144ba931
Content-Type: text/html; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable

<img src=3Dcid:8c6f6cbaa3d688708c460cf2c3ada79f>
--=_074dfa5e8a301a18a5010725144ba931
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="fvwarf.gif"
Content-ID: <8c6f6cbaa3d688708c460cf2c3ada79f>

R0lGODlhEgJYAoQAAAAAAP////8AAP4REf4iIv4zM/5ERP5VVf5mZv53d/6IiP6Zmf6qqv67u/7M
zP7d3f7u7u7u7t3d3czMzLu7u6qqqpmZmYiIiHd3d2ZmZlVVVURERDMzMyIiIhEREf///yH5BAEA
AB8ALAAAAAASAlgCAAX+ICACATmKQTqq7HmWKiqTpRzPcL3Sad77LtaPxjMRb6uWbeeamWIwojH3
bFGHwGItChXqvrftcddDlX86HnBoFnu5wuX5Ja3Wr/T59BnsVvF1bT5bZUlNXmN0RotqeUqGe0ds
hlw4fFRFTIdMb4yBZFF9f1iQZm13aWtTVk55dkt8mbFgNkiESbSJjGJ7VoSsqaZwfmqFX55QY3Cz
<Here follows the rest of the image>



============================================
On Monday, 7 November 2005 at 18:52 you wrote:

> Well... we have been lucky... what does the body of the email look like?

> Darin.


> ----- Original Message ----- 
> From: "Martin Schaible" <[EMAIL PROTECTED]>
> To: "Darin Cox" <[email protected]>
> Sent: Monday, November 07, 2005 12:25 PM
> Subject: Re: [IMail Forum] Image-only Spam-Mails


> Hi Darin,

>> How about the URL of the image?  Either that or the URL that links the
> image
>> to a website is the way most of this is caught.
> Nope, no URL. Image only.

>> If there's no link at all (I haven't seen any like that), then it could
> Good for you ;-)
> We had hundreds of it today. I attached the image as a sample.


>> still be filtered by comparing the bit signature of the image with known
>> spam.
> Good idea. Maybe I can take some of the binary stuff from the image as a
> phrase and add it to rules.ima. The regular phrase filter does not work
> "inside" of images.


> ============================================
> On Monday, 7 November 2005 at 16:32 you wrote:

>> How about the URL of the image?  Either that or the URL that links the
> image
>> to a website is the way most of this is caught.

>> If there's no link at all (I haven't seen any like that), then it could
>> still be filtered by comparing the bit signature of the image with known
>> spam.

>> Darin.


>> ----- Original Message ----- 
>> From: "Martin Schaible" <[EMAIL PROTECTED]>
>> To: "Duane Hill" <[email protected]>
>> Sent: Monday, November 07, 2005 10:11 AM
>> Subject: Re: [IMail Forum] Image-only Spam-Mails


>> Hi,

>> The problem is, that mostly no url is available. The url is written into
>> the image (stupid, isn't it), meaning the recipient has to type the
> address.
>> Other mails are advertising stock recommendations, no url....

>> This is my problem, the only chance is to hope, that an external service
> is
>> able to catch such ads. If not, the mail will pass through.


>> ============================================
>> On Monday, 7 November 2005 at 15:36 you wrote:

>>> On Monday, November 7, 2005 at 2:25:45 PM, [EMAIL PROTECTED]
>> confabulated:

>>>> That  could be. However, it has been an extremely long time since I've
>>>> seen a Spam with an image myself.

>>> My bad for making this statement. I didn't look hard enough. However,
>>> upon looking at the raw source of the message, SpamAssassin would have
>>> looked at this:

>>>   <a href=3D"http://www.gfmort.net/book.php";>No, so its here</a><br>

>>> It would have then looked gfmort.net up on SURBL and would have found:

>>>   URIBL: multi.surbl.org: listed [Blocked, gfmort.net on lists
>>>     [ab][jp][ob][sc][ws], See: http://www.surbl.org/lists.html]

>>>   URIBL: multi.uribl.com: listed [Black, See
>> http://l.uribl.com/?d=gfmort.net]

>>> This  was  a  particular Spam advertising low mortgages. Of course the
>>> image  itself  didn't  have  any  link  to  a  site.

>>> --

>>> "This message is made of 100% recycled electrons."


>>> To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
>>> List Archive:
> http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
>>> Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/

>> ============================================


> ============================================


============================================

-- 

Kind regards

--------------------------------------------
Merlin Consulting
Martin Schaible
Bahnhofstrasse 27
CH-8702 Zollikon

Phone:   +41 44 391 30 00
Fax:     +41 44 391 32 49

Mail:    mailto:[EMAIL PROTECTED]
URL:     http://www.merlinconsulting.ch
Support: http://support.merlinconsulting.ch

GPS:     N47 20.235 E8 34.226
--------------------------------------------
News - New products:

.:. NOD32 Antivirus System
.:. BlueDragon
.:. Kiwi Syslog Monitor
.:. Paessler GmbH
.:. Sawmill Loganalyzer
.:. SmarterTools
--------------------------------------------



To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
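
The check discussed in this thread (a message whose HTML part is only an inline cid: image with no link, matched by comparing the image against known spam), as an added example that is not part of the original messages. The blocklist KNOWN_SPAM_IMAGES, the function classify() and the sample message are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import re
from email import message_from_string, policy

# Constructed stand-in for a spam image (not the GIF quoted in the thread).
IMAGE_BYTES = b"GIF89a" + bytes(range(32))
# Hypothetical local blocklist: SHA-256 of decoded images already seen in spam.
KNOWN_SPAM_IMAGES = {hashlib.sha256(IMAGE_BYTES).hexdigest()}

# Constructed message with the same layout as the quoted source:
# an HTML part containing only <img src=cid:...> and one inline GIF.
SAMPLE = (
    "From: a@example.com\n"
    "Subject: constructed sample\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/related; boundary="b1"\n'
    "\n"
    "--b1\n"
    'Content-Type: text/html; charset="ISO-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<img src=3Dcid:img1>\n"
    "--b1\n"
    "Content-Type: image/gif\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-ID: <img1>\n"
    "\n"
    + base64.b64encode(IMAGE_BYTES).decode() + "\n"
    "--b1--\n"
)


def classify(raw):
    """Return (image_only, known_spam_image) for one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    visible_text, has_link, digests = "", False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype.startswith("image/"):
            # Hash the decoded bytes, so base64 line wrapping does not matter.
            digests.append(hashlib.sha256(part.get_payload(decode=True)).hexdigest())
        elif ctype in ("text/html", "text/plain"):
            body = part.get_content()  # undoes quoted-printable (=3D -> =)
            has_link = has_link or bool(re.search(r"https?://|href\s*=", body, re.I))
            visible_text += re.sub(r"<[^>]+>", "", body)  # crude tag strip
    image_only = bool(digests) and not has_link and not visible_text.strip()
    known = any(d in KNOWN_SPAM_IMAGES for d in digests)
    return image_only, known
```

An exact digest only matches byte-identical images, so a hit is reliable but a miss says nothing about a re-encoded copy.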

