[Declude.JunkMail] Spam message size

2006-01-16 Thread Markus Gufler
From last week on I can see spam messages containing one single image. The body is something like img src=cid:5fb45cc53f5274d38075894147920f00 The attached message is an image showing a slightly rotated text message. Interesting: it has a total message size of around 68 kbytes and so it's

RE: [Declude.JunkMail] Combo Filter

2006-01-16 Thread Markus Gufler
Hi Goran, I write this because maybe Pete McNeil can clarify it easily. Does SNIFFER have something inside that can identify CMDSPACE? Only if it doesn't would it be a good combo filter. Markus From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of

[Declude.JunkMail] Help with filter

2006-01-16 Thread Dave Beckstrom
I received a spam email, which was an HTML email with only one line. The line is as follows: img src=cid:85ae9b8e79a2548912c0c40ef7709a27 I have a body filter with the following: BODY 2 BEGINSWITH img src=cid: The filter didn't trip on the spam email. Any idea of

RE: [Declude.JunkMail] Help with filter

2006-01-16 Thread Erik
Hi Dave, Look at this thread: http://www.mail-archive.com/declude.junkmail@declude.com/msg27075.html Erik -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dave Beckstrom Sent: Monday, January 16, 2006 4:03 PM To: Declude.JunkMail@declude.com Subject:

Re: [Declude.JunkMail] Combo Filter

2006-01-16 Thread Scott Fisher
Perhaps this would be better asked on the sniffer forum? - Original Message - From: Markus Gufler To: Declude.JunkMail@declude.com Sent: Monday, January 16, 2006 3:00 AM Subject: RE: [Declude.JunkMail] Combo Filter Hi Goran, I write

Re: [Declude.JunkMail] Help with filter

2006-01-16 Thread Scott Fisher
There is probably some html coding before that line. - Original Message - From: Dave Beckstrom [EMAIL PROTECTED] To: Declude.JunkMail@declude.com Sent: Monday, January 16, 2006 9:02 AM Subject: [Declude.JunkMail] Help with filter I received a spam email, which was an HTML email with

RE: [Declude.JunkMail] Combo Filter

2006-01-16 Thread Colbeck, Andrew
No, Markus, the CMDSPACE is not duplicated inside of Pete's Message Sniffer. What the Declude CMDSPACE test checks for is in the envelope (the Q*.SMD file) and what Message Sniffer checks is the content of the message itself (D*.SMD). Andrew. From: [EMAIL

RE: [Declude.JunkMail] Help with filter

2006-01-16 Thread Dave Beckstrom
Scott, No, there was nothing before that line. At least nothing that made it through with the email message. When I did a view source that was the only line in the message. -Original Message- From: [EMAIL PROTECTED] [mailto:Declude.JunkMail- [EMAIL PROTECTED] On Behalf Of Scott

RE: [Declude.JunkMail] Help with filter

2006-01-16 Thread Dave Beckstrom
Hi Erik, Thanks for turning me on to that thread. There was some good information in that discussion. The spam I received had a subject of "Fax Received". Much of the filter discussion, in that topic you directed me to, centered around also checking the contents of the subject line.

RE: [Declude.JunkMail] Help with filter

2006-01-16 Thread Erik
Yes, that spam campaign keeps changing subjects. Unfortunately, if you filter only on the CID tag, you will filter some legitimate newsletters, as they do use the CID tag. As long as you are monitoring your HOLD queue, you should be fine, so you can filter out the false positives. Also in that

RE: [Declude.JunkMail] Help with filter

2006-01-16 Thread Dave Beckstrom
Erik, I thought that the beginswith meant that we are testing the very first line of the message? A newsletter would never have just one line -- that being the CID tag. I could see where contains would be a problem though. -Original Message- From: [EMAIL PROTECTED]

RE: [Declude.JunkMail] Help with filter

2006-01-16 Thread Erik
Yes, you are correct with the use of BEGINSWITH. This campaign is and has been lately using html code before the CID tag to throw off spam filters. Your use of BEGINSWITH to detect the CID tag should be effective then as very few email bodies begin with just a CID tag. Below is what we are

RE: [Declude.JunkMail] Help with filter

2006-01-16 Thread Colbeck, Andrew
I don't know if the BEGINSWITH will work in all cases, but if it does, great. I think you'd do better to mitigate the false positives by checking for text that is missing, e.g. I think this would be a lethal test, and wouldn't require you to track his evolving HELO and SUBJECT lines: BODY END
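The two ideas in this thread, that the campaign pads the HTML before the CID tag to defeat a BEGINSWITH test, and Andrew's suggestion to look instead for text that is missing, can be combined into one check on the decoded MIME body rather than on the raw first line. The following is an added example written for this page in Python; it is not Declude filter syntax, not code from the thread, and not code from Declude or Message Sniffer. It parses a message, counts img tags whose src is a cid: reference, and measures how much visible text is left once tags are stripped. A message that references an inline image but carries almost no readable text is flagged; a newsletter that uses cid: images alongside real text is not. The two sample messages are constructed inline and are hypothetical.

```python
"""
Added example (not from the thread, not Declude or Sniffer code): flag
"image-only" HTML mail. A cid: image reference plus (almost) no visible text
is the pattern the thread describes; cid: images plus real text is a newsletter.
"""
import email
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser

# <img ... src=cid:...> with or without quotes, any case (the spam used no quotes)
CID_IMG_RE = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?cid:', re.IGNORECASE)

# Elements whose text a recipient never sees; ignored when measuring visible text.
_HIDDEN = {"script", "style", "title", "head"}


class _TextExtractor(HTMLParser):
    """Collect the text a recipient would actually see."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in _HIDDEN:
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in _HIDDEN and self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        if not self._hidden_depth:
            self.parts.append(data)


def visible_text(html: str) -> str:
    """Return the visible text of an HTML fragment, whitespace collapsed."""
    p = _TextExtractor()
    p.feed(html)
    return re.sub(r"\s+", " ", "".join(p.parts)).strip()


def analyze(raw: bytes) -> dict:
    """Walk every MIME part; count cid: image references, inline images, visible text."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_body, plain_body, inline_images = "", "", 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html_body += part.get_content()          # decoded to str
        elif ctype == "text/plain":
            plain_body += part.get_content()
        elif part.get_content_maintype() == "image" and part.get("Content-ID"):
            inline_images += 1                       # the attached picture the img tag points at
    return {
        "cid_refs": len(CID_IMG_RE.findall(html_body)),
        "inline_images": inline_images,
        "text_chars": len(visible_text(html_body)) + len(plain_body.strip()),
    }


def is_image_only(raw: bytes, min_text_chars: int = 20) -> bool:
    """True when the body references an inline image but has (almost) no readable text.

    Padding HTML in front of the img tag does not help the sender here: the test
    looks at the whole decoded body, not at its first line.
    """
    r = analyze(raw)
    return r["cid_refs"] >= 1 and r["text_chars"] < min_text_chars


def _build(html: str, cid: str) -> bytes:
    """Construct a hypothetical multipart/related message with one inline GIF."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Fax Received"
    m.set_content(html, subtype="html")
    m.add_related(b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",   # minimal constructed GIF
                  maintype="image", subtype="gif", cid=cid)
    return m.as_bytes()


# Constructed sample: the campaign's shape, with HTML padding before the img tag
# (an Outlook-style <title>, an empty font element) to defeat a BEGINSWITH test.
SPAM_SAMPLE = _build(
    '<html><head><title>Message</title></head><body><font size="1"> </font>'
    '<img src=cid:5fb45cc53f5274d38075894147920f00></body></html>',
    "<5fb45cc53f5274d38075894147920f00>",
)

# Constructed sample: a legitimate newsletter that also uses a cid: image.
NEWSLETTER_SAMPLE = _build(
    '<html><body><p>Hello subscriber, here is this month\'s update on our products.</p>'
    '<img src="cid:logo@example.com"><p>Unsubscribe at any time.</p></body></html>',
    "<logo@example.com>",
)

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("newsletter", NEWSLETTER_SAMPLE)):
        print(name, analyze(raw), "image-only:", is_image_only(raw))
```

The threshold of 20 visible characters is an assumption for the example; tune it against your own HOLD queue, since the cost of the check is exactly the false positive Erik describes, and the "text that is missing" test is what keeps cid-using newsletters out of it.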