Because a small amount of weight is added, it is still sufficient for tilting the scales on more occurrences than other image types.
----- Original Message ----- From: "Pete McNeil" <[EMAIL PROTECTED]> To: "Message Sniffer Community" <[email protected]> Sent: Tuesday, June 06, 2006 10:44 AM Subject: [sniffer]Re[2]: [sniffer]Numeric spam topic change to png stock spam > Hello Jonathan, > > I urge caution from experience... png images are not entirely rare, > and the cid: tag format in the regex is also common. > > I'd love to be wrong - but I recall false positives with similar > attempts in the past. > > Is there more to this than the two elements I just described - > something I'm not seeing? > > _M > > Tuesday, June 6, 2006, 10:19:36 AM, you wrote: > > > Nick, very good method. I have added that to my configuration as well now. > > > ----- Original Message ----- > > From: "Nick Hayer" <[EMAIL PROTECTED]> > > To: "Message Sniffer Community" <[email protected]> > > Sent: Tuesday, June 06, 2006 10:05 AM > > Subject: Re: [sniffer]Numeric spam topic change to png stock spam > > > >> Hi Markus - > >> > >> Markus Gufler wrote: > >> > >> >There is also another type of spam (stock spam now with attached png > > image) > >> >this morning passing our filters. > >> > > >> I am catching these fairly easily - > >> a combo filter - > >> #combo-stockspammer-png.txt > >> SKIPIFWEIGHT 26 > >> TESTSFAILED END NOTCONTAINS EXTERNAL.REGEX.STOCKSPAMMER.BODY > >> BODY 5 CONTAINS Content-Type: image/png; > >> # > >> The body regex is this: > >> src="cid:[a-z0-9]{12}\$[a-z0-9]{8}\$[a-z0-9]{8}@ > >> > >> -Nick > >> > >> > > >> > > >> > >> > >> ############################################################# > >> This message is sent to you because you are subscribed to > >> the mailing list <[email protected]>. > >> To unsubscribe, E-mail to: <[EMAIL PROTECTED]> > >> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> > >> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> > >> Send administrative queries to <[EMAIL PROTECTED]> > >> > > > > > > ############################################################# > > This message is sent to you because you are subscribed to > > the mailing list <[email protected]>. > > To unsubscribe, E-mail to: <[EMAIL PROTECTED]> > > To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> > > To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> > > Send administrative queries to <[EMAIL PROTECTED]> > > > > -- > Pete McNeil > Chief Scientist, > Arm Research Labs, LLC. > > > ############################################################# > This message is sent to you because you are subscribed to > the mailing list <[email protected]>. > To unsubscribe, E-mail to: <[EMAIL PROTECTED]> > To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> > To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> > Send administrative queries to <[EMAIL PROTECTED]> > ############################################################# This message is sent to you because you are subscribed to the mailing list <[email protected]>. To unsubscribe, E-mail to: <[EMAIL PROTECTED]> To switch to the DIGEST mode, E-mail to <[EMAIL PROTECTED]> To switch to the INDEX mode, E-mail to <[EMAIL PROTECTED]> Send administrative queries to <[EMAIL PROTECTED]>
