Re: [Declude.JunkMail] Image spam

2007-03-08 Thread Doug Traylor


 I need an image spam solution.  I followed this discussion, but I didn't
see much talk about what people are actually using that currently works well
for them.

I would most appreciate it if you would share your method for dealing with
image spam.

We have on particular spam that comes through multiple times every day.
Its getting tiring.  There isn't enough other things wrong with the message
to block it.


As stated earlier in this thread, many are using clamAV with the
SaneSecurity signature addition to catch the image spam with excellent
results.

My clamav service runs after a few others in the email stream but it still
catches lots of crap:

10683 total emails blocked by clamd since Nov 1 2006 (4 months)

1220 by clamAV official sigs*:
--
966 malware infected emails
   tojan = 911
   bagle = 55
247 phishing emails
   bank = 167
   paypal = 55
   auction = 18
   acc (?) = 5
   card = 2
7 policy failures
   encrypted zip = 4
   Archive.ExceededRecursionLimit = 2
   CAB.ExceededFileSize = 1

9459 by Sanesecurity signatures*:
--
8414 image spams
537 spam
219 malware
150 stk
72 phishing
   bank = 24
   rock = 17
   auction = 15
   paypal = 10
   cur = 3
   azon = 2
   card = 1
33 loan
17 dipl
14 scam
2 job
1 hdr

* = descriptions are from clamd log.  I do not know what all of them stand
for.

4 by MSRBL image scam signatures (just started)

Doug Traylor


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] Image spam

2007-03-08 Thread Kelly Scotto
Until you make a decision on a specific software try adding the filter David
mentioned from the earlier post. We added it about two weeks ago and have
noticed a definite reduction of image spam. 
 
  
  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Thursday, March 08, 2007 10:06 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam


 

I'm confused.  I understood that if you host multiple email domains on a
mail server that you're considered a hosting company and can't purchase
commtouch?  At least I vaguely recall something to that affect.  I checked
Declude's site and I don't see commtouch listed on there anywhere (it used
to be) other than under "technology partners."

 

Obviously, I'm missing something.  So what is the scoop?  

 

I need an image spam solution.  I followed this discussion, but I didn't see
much talk about what people are actually using that currently works well for
them.  

 

I would most appreciate it if you would share your method for dealing with
image spam.

 

We have on particular spam that comes through multiple times every day.  Its
getting tiring.  There isn't enough other things wrong with the message to
block it.

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 1:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

 

Thank you I will check these out.

 

Kelly

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 21, 2007 12:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam

Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-arc

RE: [Declude.JunkMail] Image spam

2007-03-08 Thread David Barker
Commtouch's concern is for ISP's / Service Providers who basically run their
business as a potential clean and forward service or similar like postini
types.

David

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
Bilbee
Sent: Thursday, March 08, 2007 12:10 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam


 

The way it was explained to me is as follows.

If you have customers you charge for email hosting you are hosting company.

If you are a company with multiple domains you are not. We have multiple
domains and use CommTouch. We have domains for multiple divisions.

 

 

 

Kevin Bilbee

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave
Beckstrom
Sent: Thursday, March 08, 2007 8:06 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

 

I'm confused.  I understood that if you host multiple email domains on a
mail server that you're considered a hosting company and can't purchase
commtouch?  At least I vaguely recall something to that affect.  I checked
Declude's site and I don't see commtouch listed on there anywhere (it used
to be) other than under "technology partners."

 

Obviously, I'm missing something.  So what is the scoop?  

 

I need an image spam solution.  I followed this discussion, but I didn't see
much talk about what people are actually using that currently works well for
them.  

 

I would most appreciate it if you would share your method for dealing with
image spam.

 

We have on particular spam that comes through multiple times every day.  Its
getting tiring.  There isn't enough other things wrong with the message to
block it.

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 1:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

 

Thank you I will check these out.

 

Kelly

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 21, 2007 12:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam

Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archi

RE: [Declude.JunkMail] Image spam

2007-03-08 Thread Kevin Bilbee
 

The way it was explained to me is as follows.

If you have customers you charge for email hosting you are hosting company.

If you are a company with multiple domains you are not. We have multiple 
domains and use CommTouch. We have domains for multiple divisions.

 

 

 

Kevin Bilbee

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom
Sent: Thursday, March 08, 2007 8:06 AM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

 

I'm confused.  I understood that if you host multiple email domains on a mail 
server that you're considered a hosting company and can't purchase commtouch?  
At least I vaguely recall something to that affect.  I checked Declude's site 
and I don't see commtouch listed on there anywhere (it used to be) other than 
under "technology partners."

 

Obviously, I'm missing something.  So what is the scoop?  

 

I need an image spam solution.  I followed this discussion, but I didn’t see 
much talk about what people are actually using that currently works well for 
them.  

 

I would most appreciate it if you would share your method for dealing with 
image spam.

 

We have on particular spam that comes through multiple times every day.  Its 
getting tiring.  There isn’t enough other things wrong with the message to 
block it.

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly Scotto
Sent: Wednesday, February 21, 2007 1:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

 

Thank you I will check these out.

 

Kelly

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Barker
Sent: Wednesday, February 21, 2007 12:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to 
exact-match recurrent patterns across similar but not-identical messages. 
However in the case of images, the minute the spammer makes even the smallest 
changes to an image, the image-encoded data appears completely different. 
Commtouch identified this trend in the earliest days of image-based spam, and 
made the necessary enhancements to its detection engine in order to defend 
against this new threat with a sophisticated protection shield. Commtouch 
invested significant resources into developing a method for decoding the images 
and then sampling them using the proven RPD approach. The result is a 
significantly improved spam detection rate, while maintaining the same low 
false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the 
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which contains 
signatures created from images contained within spam emails. 
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently on 
spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves ORF 
by image spam detection capabilities, but can be used by Declude. 
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe 
-check" 40

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam

Has there been a declude filter created for blocking or identifying image spam? 
If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECT

RE: [Declude.JunkMail] Image spam

2007-03-08 Thread Dave Beckstrom
 

I'm confused.  I understood that if you host multiple email domains on a
mail server that you're considered a hosting company and can't purchase
commtouch?  At least I vaguely recall something to that affect.  I checked
Declude's site and I don't see commtouch listed on there anywhere (it used
to be) other than under "technology partners."

 

Obviously, I'm missing something.  So what is the scoop?  

 

I need an image spam solution.  I followed this discussion, but I didn't see
much talk about what people are actually using that currently works well for
them.  

 

I would most appreciate it if you would share your method for dealing with
image spam.

 

We have on particular spam that comes through multiple times every day.  Its
getting tiring.  There isn't enough other things wrong with the message to
block it.

 

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 1:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

 

Thank you I will check these out.

 

Kelly

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 21, 2007 12:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam

Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

image001.gif
Description: GIF image


RE: [Declude.JunkMail] Image spam

2007-03-06 Thread Craig Edmonds
 

Commtouch works great for me.

Kindest Regards
Craig Edmonds
123 Marbella Internet
Marbella Guide Property Web Portal
W:  <http://www.123marbella.com> www.123marbella.com
W: www.marbellaguide.com 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 8:04 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

 

Thank you I will check these out.

 

Kelly

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 21, 2007 12:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40

 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]

 

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam

Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

image001.gif
Description: GIF image


RE: [Declude.JunkMail] Image spam

2007-03-05 Thread Kelly Scotto
Thank you I will check these out.
 
Kelly

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 21, 2007 12:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam


Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40
 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]



  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam



Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 
---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Blank Bkgrd.gif
Description: GIF image


RE: [Declude.JunkMail] Image spam

2007-02-26 Thread David Barker
In the same directory as your clam database files.

  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John
Shacklett
Sent: Monday, February 26, 2007 1:59 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam


Where does the .HDB file need to end up? I'm not familiar with that
extension.


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, 21 February 2007 1:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam


Declude and Image based spam - 4 methods


2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload



---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Blank Bkgrd.gif
Description: GIF image


RE: [Declude.JunkMail] Image spam

2007-02-26 Thread John Shacklett
Where does the .HDB file need to end up? I'm not familiar with that
extension.


  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, 21 February 2007 1:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam


Declude and Image based spam - 4 methods


2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Blank Bkgrd.gif
Description: GIF image


Re[2]: [Declude.JunkMail] Image spam

2007-02-23 Thread Sanford Whiteman
> How  is  this  licensed?

Dunno,  but  if  it  costs you an ORF license to use it under Declude,
it's still very cheap.

> It  appears  that  ORF  is  needed to use it legitimately -- is that
> correct?

Well,  it's  not in their customer-only area, so you can draw whatever
conclusion you want from that.

> Also,  can  this  be  configured  to  be  called  only when an image
> attachment is detected?

I  don't  believe  so,  but  redecoding  the  MIME within the external
process should add very minimal overhead.

--Sandy



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Image spam

2007-02-23 Thread AlamoHost Admin

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that 
improves

ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40



How is this licensed?  It appears that ORF is needed to use it 
legitimately -- is that correct?  Also, can this be configured to be called 
only when an image attachment is detected?


Bill 





---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] Image spam

2007-02-21 Thread Nick Hayer

Hi Scott,

Scott Fisher wrote:
Are there any end users who are using the VAMSOFT IMAGE SPAM AGENT tht 
would like to comment on it's effectiveness / processor utilization?
it seems to not use much cpu; its effectiveness is ok. In case you are 
unaware it does not ocr the email, it just works on probability - like a 
combo filter eg: It returns a value based on its confidence level and I 
score accordingly.


Below is how I have it config'ed
[I hold on 10 and delete on 30]

-Nick

EXTERNAL.ORF.IMAGE_80 external80
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_81 external81
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_82 external82
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_83 external83
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_84 external84
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_85 external85
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_86 external86
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_87 external87
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_88 external88
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_89 external89
"e:\IMail\declude\orf\imgspamagent.exe -check" 10
EXTERNAL.ORF.IMAGE_90 external90
"e:\IMail\declude\orf\imgspamagent.exe -check" 40
EXTERNAL.ORF.IMAGE_91 external91
"e:\IMail\declude\orf\imgspamagent.exe -check" 40
EXTERNAL.ORF.IMAGE_92 external92
"e:\IMail\declude\orf\imgspamagent.exe -check" 40
EXTERNAL.ORF.IMAGE_93  external93
"e:\IMail\declude\orf\imgspamagent.exe -check" 40
EXTERNAL.ORF.IMAGE_94 external94
"e:\IMail\declude\orf\imgspamagent.exe -check" 40
EXTERNAL.ORF.IMAGE_95 external95
"e:\IMail\declude\orf\imgspamagent.exe -check" 50
EXTERNAL.ORF.IMAGE_96 external96
"e:\IMail\declude\orf\imgspamagent.exe -check" 50
EXTERNAL.ORF.IMAGE_97 external97
"e:\IMail\declude\orf\imgspamagent.exe -check" 50
EXTERNAL.ORF.IMAGE_98 external98
"e:\IMail\declude\orf\imgspamagent.exe -check" 60
EXTERNAL.ORF.IMAGE_99 external99
"e:\IMail\declude\orf\imgspamagent.exe -check" 70
EXTERNAL.ORF.IMAGE_100  external100
"e:\IMail\declude\orf\imgspamagent.exe -check" 80






- Original Message -
    *From:* David Barker <mailto:[EMAIL PROTECTED]>
*To:* declude.junkmail@declude.com
<mailto:declude.junkmail@declude.com>
*Sent:* Wednesday, February 21, 2007 12:08 PM
*Subject:* RE: [Declude.JunkMail] Image spam

*_Declude and Image based spam - 4 methods

_1. COMMTOUCH*

Commtouch Recurrent Pattern Detection contains an intrinsic
mechanism to exact-match recurrent patterns across similar but
not-identical messages. However in the case of images, the minute
the spammer makes even the smallest changes to an image, the
image-encoded data appears completely different. Commtouch
identified this trend in the earliest days of image-based spam,
and made the necessary enhancements to its detection engine in
order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into
developing a method for decoding the images and then sampling them
using the proven RPD approach. The result is a significantly
improved spam detection rate, while maintaining the same low
false-positive rate.

*2. CLAMWIN*

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs)
which contains signatures created from images contained within
spam emails. http://www.msrbl.com/site/msrblimagesdownload

*3. FILTER-CID*

Identifies emails which contains images increasing the weight
suffeciently on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

*4. VAMSOFT IMAGE SPAM AGENT*

This tool is an Ex

Re: [Declude.JunkMail] Image spam

2007-02-21 Thread Scott Fisher
BlankAre there any end users who are using the VAMSOFT IMAGE SPAM AGENT tht 
would like to comment on it's effectiveness / processor utilization?
  - Original Message - 
  From: David Barker 
  To: declude.junkmail@declude.com 
  Sent: Wednesday, February 21, 2007 12:08 PM
  Subject: RE: [Declude.JunkMail] Image spam


  Declude and Image based spam - 4 methods

  1. COMMTOUCH

  Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to 
exact-match recurrent patterns across similar but not-identical messages. 
However in the case of images, the minute the spammer makes even the smallest 
changes to an image, the image-encoded data appears completely different. 
Commtouch identified this trend in the earliest days of image-based spam, and 
made the necessary enhancements to its detection engine in order to defend 
against this new threat with a sophisticated protection shield. Commtouch 
invested significant resources into developing a method for decoding the images 
and then sampling them using the proven RPD approach. The result is a 
significantly improved spam detection rate, while maintaining the same low 
false-positive rate.

  2. CLAMWIN

  Using ClamAV as a virus scanner with Declude you can download the 
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which contains 
signatures created from images contained within spam emails. 
http://www.msrbl.com/site/msrblimagesdownload

  3. FILTER-CID

  Identifies emails which contains images increasing the weight suffeciently on 
spam messages to reach the spam threshold.

  #EXCEPTIONS
  BODYENDNOTCONTAINScid:
  BODYENDNOTCONTAINSContent-Type: image/

  #IMAGES
  BODY3CONTAINSsrc=3D"cid:
  BODY3CONTAINSsrc="cid:
  BODY3CONTAINSsrc='cid:

  BODY3CONTAINSimg src="cid:
  BODY3CONTAINSimg src=3Dcid:

  BODY3CONTAINS/cid:

  #IMAGE TYPES
  BODY2CONTAINSContent-Type: image/gif;
  BODY2CONTAINSContent-Type: image/jpeg;

  4. VAMSOFT IMAGE SPAM AGENT

  This tool is an External Agent for ORF 2.1 and newer versions that improves 
ORF by image spam detection capabilities, but can be used by Declude. 
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

  VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe 
-check" 40

  David Barker
  Director of Product Management
  Your Email security is our business
  978.499.2933 office
  978.988.1311 fax
  [EMAIL PROTECTED]





--
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly Scotto
  Sent: Wednesday, February 21, 2007 11:47 AM
  To: declude.junkmail@declude.com
  Subject: [Declude.JunkMail] Image spam


  Has there been a declude filter created for blocking or identifying image 
spam? If so can somebody post it for me to try.



  Thank You,

  Kelly




















  ---
  This E-mail came from the Declude.JunkMail mailing list. To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type "unsubscribe Declude.JunkMail". The archives can be found
  at http://www.mail-archive.com. 
  ---
  This E-mail came from the Declude.JunkMail mailing list. To
  unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
  type "unsubscribe Declude.JunkMail". The archives can be found
  at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Blank Bkgrd.gif
Description: GIF image


RE: [Declude.JunkMail] Image spam

2007-02-21 Thread David Barker
John,

I assigned a weight base on this scale:

10 Low Spam
15 Mid Spam
20 High Spam

I guess which is pretty much the same scale as HOLD at 20.

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John E.
Richardson
Sent: Wednesday, February 21, 2007 1:43 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Hi David,

Great information, thank you.

What is the hold value for this setup, 20? The provided syntax is great, but
it would generally be helpful to know that the test should be valued at x%
of your hold weight. I hesitate to assume but wanted to make sure if it was,
in fact, based off of the default hold value of 20.


Thanks,

John


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 21, 2007 1:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40
 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam



Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 

---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list. To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail". The archives can be found at http://www.mail-archive.com.




---
This E-mail came from the Declude.JunkMail mailing list.  To unsubscribe,
just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe
Declude.JunkMail".  The archives can be found at
http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] Image spam

2007-02-21 Thread John E. Richardson
Hi David,

Great information, thank you.

What is the hold value for this setup, 20? The provided syntax is great, but
it would generally be helpful to know that the test should be valued at x%
of your hold weight. I hesitate to assume but wanted to make sure if it was,
in fact, based off of the default hold value of 20.


Thanks,

John


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David
Barker
Sent: Wednesday, February 21, 2007 1:08 PM
To: declude.junkmail@declude.com
Subject: RE: [Declude.JunkMail] Image spam

Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40
 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam



Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



RE: [Declude.JunkMail] Image spam

2007-02-21 Thread David Barker
Declude and Image based spam - 4 methods

1. COMMTOUCH

Commtouch Recurrent Pattern Detection contains an intrinsic mechanism to
exact-match recurrent patterns across similar but not-identical messages.
However in the case of images, the minute the spammer makes even the
smallest changes to an image, the image-encoded data appears completely
different. Commtouch identified this trend in the earliest days of
image-based spam, and made the necessary enhancements to its detection
engine in order to defend against this new threat with a sophisticated
protection shield. Commtouch invested significant resources into developing
a method for decoding the images and then sampling them using the proven RPD
approach. The result is a significantly improved spam detection rate, while
maintaining the same low false-positive rate.

2. CLAMWIN

Using ClamAV as a virus scanner with Declude you can download the
MSRBL-Images.hdb file which has additional signatures (MD5 sigs) which
contains signatures created from images contained within spam emails.
http://www.msrbl.com/site/msrblimagesdownload

3. FILTER-CID

Identifies emails which contains images increasing the weight suffeciently
on spam messages to reach the spam threshold.

#EXCEPTIONS
BODYENDNOTCONTAINScid:
BODYENDNOTCONTAINSContent-Type: image/

#IMAGES
BODY3CONTAINSsrc=3D"cid:
BODY3CONTAINSsrc="cid:
BODY3CONTAINSsrc='cid:

BODY3CONTAINSimg src="cid:
BODY3CONTAINSimg src=3Dcid:

BODY3CONTAINS/cid:

#IMAGE TYPES
BODY2CONTAINSContent-Type: image/gif;
BODY2CONTAINSContent-Type: image/jpeg;

4. VAMSOFT IMAGE SPAM AGENT

This tool is an External Agent for ORF 2.1 and newer versions that improves
ORF by image spam detection capabilities, but can be used by Declude.
http://www.vamsoft.com/vsimagespam/vsimagespam.zip

VSIMAGE   externalnonzero"[path]\Declude\VSIMAGE\imgspamagent.exe
-check" 40
 

David Barker
Director of Product Management
Your Email security is our business
978.499.2933 office
978.988.1311 fax
[EMAIL PROTECTED]



  _  

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kelly
Scotto
Sent: Wednesday, February 21, 2007 11:47 AM
To: declude.junkmail@declude.com
Subject: [Declude.JunkMail] Image spam



Has there been a declude filter created for blocking or identifying image
spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 

---
This E-mail came from the Declude.JunkMail mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail". The archives can be found
at http://www.mail-archive.com. 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

Blank Bkgrd.gif
Description: GIF image


[Declude.JunkMail] Image spam

2007-02-21 Thread Kelly Scotto
Has there been a declude filter created for blocking or identifying
image spam? If so can somebody post it for me to try.

 

Thank You,

Kelly

 

 

 

 

 

 

 

 

 

 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Blank Bkgrd.gif
Description: Blank Bkgrd.gif


[Declude.JunkMail] Image Spam

2007-01-06 Thread Dave Beckstrom

Sniffer tags some of the image spam we receive but much of it doesn't score
high enough for a hold weight. 

Is Declude or anyone else working on anything new that will be more
effective at catching image spam?  We're not eligible for Interceptor
because we host email for some other companies.

What options are available?




---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



Re: [Declude.JunkMail] image spam

2006-05-05 Thread Nick Hayer

Sanford Whiteman wrote:


In  keeping  with  the  increased  CPU  demands of such tests, the new
version of SPAMC32 will contain the ability to send the request to two
(maybe  more  than  two  in future) "tiered" SPAMD daemons. The second
daemon  -- listening on a different port, or on a different machine --
will be consulted only if the results from the first daemon are within
configured  thresholds. 


great idea. tag team to distribute the load as needed.


P.S.  This gives me the idea of having different max-size switches for
messages  with  and  without  image  attachments.  What  do you think,
SPAMC32 users?
 


good idea again. Otherwise blatant spam is possibly bypassed..

-Nick

 


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] image spam

2006-05-04 Thread Sanford Whiteman
> http://wiki.apache.org/spamassassin/OcrPlugin
> http://antispam.imp.ch/patches/patch-ocrtext

> That will ocr the gifs, etc. These should help SA be even more effective
> within Declude..

In  keeping  with  the  increased  CPU  demands of such tests, the new
version of SPAMC32 will contain the ability to send the request to two
(maybe  more  than  two  in future) "tiered" SPAMD daemons. The second
daemon  -- listening on a different port, or on a different machine --
will be consulted only if the results from the first daemon are within
configured  thresholds.  So  if  you  already flag the spam using less
resource-intensive  tests,  you  can short-circuit the testing at that
point.

I'd guess it's possible to do this within Declude as well, by defining
SPAMC32  a  few  different times, but just trying to make some stuff a
little easier on both sides. . . .

--Sandy

P.S.  This gives me the idea of having different max-size switches for
messages  with  and  without  image  attachments.  What  do you think,
SPAMC32 users?



Sanford Whiteman, Chief Technologist
Broadleaf Systems, a division of
Cypress Integrated Systems, Inc.
e-mail: [EMAIL PROTECTED]

SpamAssassin plugs into Declude!
  http://www.imprimia.com/products/software/freeutils/SPAMC32/download/release/

Defuse Dictionary Attacks: Turn Exchange or IMail mailboxes into IMail Aliases!
  
http://www.imprimia.com/products/software/freeutils/exchange2aliases/download/release/
  
http://www.imprimia.com/products/software/freeutils/ldap2aliases/download/release/

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] image spam

2006-05-04 Thread Bill Landry
RulesDeJour is a script for pulling down the non-official SARE rules sets. 
The sa-update script is used to pull down official SA rule updates (updating 
the default rule sets that come with SA).


Bill
- Original Message - 
From: "Colbeck, Andrew" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, May 04, 2006 2:00 PM
Subject: RE: [Declude.JunkMail] image spam


For what it's worth, SARE has their own download script (I'm not
familiar with the sa-update script Bill mentioned) called RulesDuJour
which is a bash shell script:

http://www.exit0.us/index.php?pagename=RulesDuJour

And that page contains a howto link for us Windows users who are running
CygWin:

http://www.exit0.us/index.php?pagename=InstallRdjOnCygwin

Andrew 8)




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
Sent: Thursday, May 04, 2006 1:50 PM
To: Declude.JunkMail@declude.com
Subject: Re: [Declude.JunkMail] image spam

Thanks Bill. I have been using the SARE stock rules but the
others I was unaware of - as well as the update script!

-Nick


Bill Landry wrote:

> You might also want to look at using the SARE rules at
> http://www.rulesemporium.com/rules.htm, particularly the SARE Stock
> rules (70_sare_stocks.cf).  Also, a couple of Fred's rule sets at
> http://www.rulesemporium.com/other-rules.htm (88_FVGT_rawbody.cf  &
> 99_FVGT_meta.cf) can be quite helpful, as well.
>
> If you are running SA 3.1.1, you can also use the sa-update
script to
> pull down the latest SA rules, which includes additional
rules found
> in the 80_additional.cf rule set that are very good at
tagging these
> kinds of image spams.
>
> And finally, Sniffer seems to successfully tag almost 100% of these
> image spams, and Razor tags a majority of them, as well.
>
> Bill
> - Original Message - From: "Nick Hayer"
> <[EMAIL PROTECTED]>
> To: 
> Sent: Thursday, May 04, 2006 7:39 AM
> Subject: [Declude.JunkMail] image spam
>
>
>> fyi -
>>
>> I just found these 2 plugins for spamassassin
>> http://wiki.apache.org/spamassassin/OcrPlugin
>> http://antispam.imp.ch/patches/patch-ocrtext
>>
>> That will ocr the gifs, etc. These should help SA be even more
>> effective within Declude..
>>
>> -Nick
>> ---
>> This E-mail came from the Declude.JunkMail mailing list.  To
>> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
>> "unsubscribe Declude.JunkMail".  The archives can be found at
>> http://www.mail-archive.com.
>>
>
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type
> "unsubscribe Declude.JunkMail".  The archives can be found at
> http://www.mail-archive.com.
>
>
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be
found at http://www.mail-archive.com.


---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


RE: [Declude.JunkMail] image spam

2006-05-04 Thread Colbeck, Andrew
For what it's worth, SARE has their own download script (I'm not
familiar with the sa-update script Bill mentioned) called RulesDuJour
which is a bash shell script:

http://www.exit0.us/index.php?pagename=RulesDuJour

And that page contains a howto link for us Windows users who are running
CygWin:

http://www.exit0.us/index.php?pagename=InstallRdjOnCygwin

Andrew 8)



> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Nick Hayer
> Sent: Thursday, May 04, 2006 1:50 PM
> To: Declude.JunkMail@declude.com
> Subject: Re: [Declude.JunkMail] image spam
> 
> Thanks Bill. I have been using the SARE stock rules but the 
> others I was unaware of - as well as the update script!
> 
> -Nick
> 
> 
> Bill Landry wrote:
> 
> > You might also want to look at using the SARE rules at 
> > http://www.rulesemporium.com/rules.htm, particularly the SARE Stock 
> > rules (70_sare_stocks.cf).  Also, a couple of Fred's rule sets at 
> > http://www.rulesemporium.com/other-rules.htm (88_FVGT_rawbody.cf  &
> > 99_FVGT_meta.cf) can be quite helpful, as well.
> >
> > If you are running SA 3.1.1, you can also use the sa-update 
> script to 
> > pull down the latest SA rules, which includes additional 
> rules found 
> > in the 80_additional.cf rule set that are very good at 
> tagging these 
> > kinds of image spams.
> >
> > And finally, Sniffer seems to successfully tag almost 100% of these 
> > image spams, and Razor tags a majority of them, as well.
> >
> > Bill
> > - Original Message - From: "Nick Hayer" 
> > <[EMAIL PROTECTED]>
> > To: 
> > Sent: Thursday, May 04, 2006 7:39 AM
> > Subject: [Declude.JunkMail] image spam
> >
> >
> >> fyi -
> >>
> >> I just found these 2 plugins for spamassassin 
> >> http://wiki.apache.org/spamassassin/OcrPlugin
> >> http://antispam.imp.ch/patches/patch-ocrtext
> >>
> >> That will ocr the gifs, etc. These should help SA be even more 
> >> effective within Declude..
> >>
> >> -Nick
> >> ---
> >> This E-mail came from the Declude.JunkMail mailing list.  To 
> >> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
> >> "unsubscribe Declude.JunkMail".  The archives can be found at 
> >> http://www.mail-archive.com.
> >>
> >
> > ---
> > This E-mail came from the Declude.JunkMail mailing list.  To 
> > unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type 
> > "unsubscribe Declude.JunkMail".  The archives can be found at 
> > http://www.mail-archive.com.
> >
> >
> ---
> This E-mail came from the Declude.JunkMail mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and 
> type "unsubscribe Declude.JunkMail".  The archives can be 
> found at http://www.mail-archive.com.
> 
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] image spam

2006-05-04 Thread Nick Hayer
Thanks Bill. I have been using the SARE stock rules but the others I was 
unaware of - as well as the update script!


-Nick


Bill Landry wrote:

You might also want to look at using the SARE rules at 
http://www.rulesemporium.com/rules.htm, particularly the SARE Stock 
rules (70_sare_stocks.cf).  Also, a couple of Fred's rule sets at 
http://www.rulesemporium.com/other-rules.htm (88_FVGT_rawbody.cf  & 
99_FVGT_meta.cf) can be quite helpful, as well.


If you are running SA 3.1.1, you can also use the sa-update script to 
pull down the latest SA rules, which includes additional rules found 
in the 80_additional.cf rule set that are very good at tagging these 
kinds of image spams.


And finally, Sniffer seems to successfully tag almost 100% of these 
image spams, and Razor tags a majority of them, as well.


Bill
- Original Message - From: "Nick Hayer" <[EMAIL PROTECTED]>
To: 
Sent: Thursday, May 04, 2006 7:39 AM
Subject: [Declude.JunkMail] image spam



fyi -

I just found these 2 plugins for spamassassin
http://wiki.apache.org/spamassassin/OcrPlugin
http://antispam.imp.ch/patches/patch-ocrtext

That will ocr the gifs, etc. These should help SA be even more 
effective within Declude..


-Nick
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


Re: [Declude.JunkMail] image spam

2006-05-04 Thread Bill Landry
You might also want to look at using the SARE rules at 
http://www.rulesemporium.com/rules.htm, particularly the SARE Stock rules 
(70_sare_stocks.cf).  Also, a couple of Fred's rule sets at 
http://www.rulesemporium.com/other-rules.htm (88_FVGT_rawbody.cf  & 
99_FVGT_meta.cf) can be quite helpful, as well.


If you are running SA 3.1.1, you can also use the sa-update script to pull 
down the latest SA rules, which includes additional rules found in the 
80_additional.cf rule set that are very good at tagging these kinds of image 
spams.


And finally, Sniffer seems to successfully tag almost 100% of these image 
spams, and Razor tags a majority of them, as well.


Bill
- Original Message - 
From: "Nick Hayer" <[EMAIL PROTECTED]>

To: 
Sent: Thursday, May 04, 2006 7:39 AM
Subject: [Declude.JunkMail] image spam



fyi -

I just found these 2 plugins for spamassassin
http://wiki.apache.org/spamassassin/OcrPlugin
http://antispam.imp.ch/patches/patch-ocrtext

That will ocr the gifs, etc. These should help SA be even more effective 
within Declude..


-Nick
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.



---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.


[Declude.JunkMail] image spam

2006-05-04 Thread Nick Hayer

fyi -

I just found these 2 plugins for spamassassin
http://wiki.apache.org/spamassassin/OcrPlugin
http://antispam.imp.ch/patches/patch-ocrtext

That will ocr the gifs, etc. These should help SA be even more effective 
within Declude..


-Nick
---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.