Hi all,
I've noticed a number of messages from the weekend which appear to be an
attempt at image spam, where the body of the message is alternative parts in
text or HTML, and where the HTML part has an embedded image. The FuzzyOCR
plugin to SpamAssassin has been very helpful in filtering these out, but the
new versions are getting through - because the image is a 1x1 or 2x1 single
layer GIF in a single colour, i.e. it is a plain background image.
Now, as these don't actually have any real content, they're more of an
annoyance than a real problem, but has anyone else been seeing these, and
figured out a way to block them based on image size or something?
One common factor seems to be that the image name is always a CID: inclusion
which ends with "_csseditor", e.g.:

    Content-Type: image/gif; name="kgwgiu.gif"
    Content-ID: <780C1EB8.0C17FD32.9305C17F.D329A6EB_csseditor>
    Content-Transfer-Encoding: base64

For now, I've bumped the SARE_GIF_ATTACH ruleset score to catch these, and I
block a lot of them as being from "broadband" or dial-up hosts eventually
(after 5 messages from a "broadband" address, if the average score is >10, they
get firewalled), but I'd like to catch them on the first pass if possible. Any
ideas?
Best Wishes,
Paul.
-------------------------------------------------------
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646
_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID. You may ignore it.
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
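
A stand-alone sketch of the first-pass check asked about above, added here as an example and not part of the original post or of MIMEDefang or SpamAssassin: it flags image/gif parts whose Content-ID ends in "_csseditor" or whose GIF header declares an area of at most two pixels. The function names, the MAX_PIXELS threshold and the message built by build_sample are assumptions constructed for illustration.

```python
import base64
import struct
from email import message_from_bytes, policy

MAX_PIXELS = 2  # assumed threshold: covers the 1x1 and 2x1 images in the post


def gif_dimensions(data):
    """Return (width, height) from the GIF logical screen descriptor, or None."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])  # two little-endian 16-bit values


def suspicious_gif_parts(raw_message):
    """List (filename, reason) for GIF parts matching the traits in the post."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "image/gif":
            continue
        name = part.get_filename() or "(unnamed)"
        cid = (part.get("Content-ID") or "").strip().strip("<>")
        if cid.endswith("_csseditor"):
            hits.append((name, "content-id suffix"))
        dims = gif_dimensions(part.get_payload(decode=True) or b"")
        if dims is None:
            hits.append((name, "not a parseable GIF"))
        elif dims[0] * dims[1] <= MAX_PIXELS:
            hits.append((name, "tiny image %dx%d" % dims))
    return hits


def build_sample(width, height, cid):
    """Constructed test message: multipart/related with one GIF attachment."""
    gif = (b"GIF89a" + struct.pack("<HH", width, height) + b"\x80\x00\x00"
           + b"\x00\x00\x00\xff\xff\xff")  # header and colour table only
    b64 = base64.b64encode(gif).decode()
    return (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="b1"\r\n\r\n'
        '--b1\r\nContent-Type: text/html\r\n\r\n<img src="cid:x">\r\n'
        "--b1\r\n"
        'Content-Type: image/gif; name="sample.gif"\r\n'
        "Content-ID: <%s>\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n%s\r\n--b1--\r\n" % (cid, b64)
    ).encode()


if __name__ == "__main__":
    print(suspicious_gif_parts(build_sample(1, 1, "CONSTRUCTED.0001_csseditor")))
```

The size test reads only the ten-byte GIF header, so it needs no image library and no OCR pass.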