Hello Jonathan, I urge caution from experience... png images are not entirely rare, and the cid: tag format in the regex is also common.
I'd love to be wrong - but I recall false positives with similar attempts in the past. Is there more to this than the two elements I just described - something I'm not seeing?

_M

Tuesday, June 6, 2006, 10:19:36 AM, you wrote:

> Nick, very good method. I have added that to my configuration as well now.
> ----- Original Message -----
> From: "Nick Hayer" <[EMAIL PROTECTED]>
> To: "Message Sniffer Community" <[email protected]>
> Sent: Tuesday, June 06, 2006 10:05 AM
> Subject: Re: [sniffer]Numeric spam topic change to png stock spam

>> Hi Markus -
>>
>> Markus Gufler wrote:
>>
>> >There is also another type of spam (stock spam now with attached png image)
>> >this morning passing our filters.
>> >
>> I am catching these fairly easily -
>> a combo filter -
>> #combo-stockspammer-png.txt
>> SKIPIFWEIGHT 26
>> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY
>> BODY 5 CONTAINS Content-Type: image/png;
>> #
>> The body regex is this:
>> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@
>>
>> -Nick
>>
>> #############################################################
>> This message is sent to you because you are subscribed to
>> the mailing list <[email protected]>.
>> To unsubscribe, E-mail to: <[EMAIL PROTECTED]>
>> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]>
>> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]>
>> Send administrative queries to <[EMAIL PROTECTED]>

--
Pete McNeil
Chief Scientist, Arm Research Labs, LLC.
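Added example, not part of the original thread: a Python sketch that checks the two elements discussed above (Nick's body regex and an image/png part) against constructed messages, to show which mails the pair can and cannot tell apart. It models only those two conditions, not the filter's own combo-file semantics; the helper names, the sample cid and the sample messages are assumptions.

```python
import re
from email import message_from_string

# Body regex copied from Nick's post.
CID_RE = re.compile(r'src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@')

def build(subject, cid, image_type):
    """Constructed multipart/related message with one inline image."""
    return (
        "From: sender@example.test\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/html\n"
        "\n"
        f'<html><body><img src="cid:{cid}"></body></html>\n'
        "--b1\n"
        f'Content-Type: {image_type}; name="img"\n'
        f"Content-ID: <{cid}>\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "AAAA\n"
        "--b1--\n"
    )

def signals(raw):
    """Return (has_png_part, cid_regex_hit) for a raw message."""
    parts = list(message_from_string(raw).walk())
    has_png = any(p.get_content_type() == "image/png" for p in parts)
    html = "".join(p.get_payload() for p in parts
                   if p.get_content_type() == "text/html")
    return has_png, bool(CID_RE.search(html))

def combo_hit(raw):
    """True only when both elements are present."""
    return all(signals(raw))

# Constructed cid in the 12$8$8@ shape the regex expects.
CLIENT_CID = "000501c68964$1b2c3d40$6401a8c0@host"
SAMPLES = {  # all constructed
    "stock_spam_png": build("Hot stock pick", CLIENT_CID, "image/png"),
    "newsletter_png_logo": build("Monthly newsletter", CLIENT_CID, "image/png"),
    "same_cid_gif": build("Photo", CLIENT_CID, "image/gif"),
    "png_other_cid": build("Logo", "logo.png@example.test", "image/png"),
}

def evaluate():
    return {name: combo_hit(raw) for name, raw in SAMPLES.items()}
```

The first two samples differ only in subject and both hit, which is the false-positive case raised in the reply: any mail with an inline PNG and a cid of this shape looks the same to these two tests.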
