Would an evilnumbers style ruleset of the initial binary data in these images be feasible?
While at first this sounds like a decent idea, it quickly dies. Unlike a binary of a program, the image can almost always have a similar binary start by using a simple color frame around the picture. This will cause a lot of FPs, as many other images do this. Grabbing the middle of the binary is better, but costs more cycles. Good idea, but I'm not sold it would work.
I'm surprised the networks like dcc don't find these easy to spot straight off; however, I suspect the generated start of the message throws them off. And I guess dcc don't hang onto checksums forever.
I'd said the md5s of the encoded images, but the processing cost would be impractical.
Are you sure grabbing the middle of the binary is harder? Surely we can match on any sufficiently long string in the rawbody.
Just my opinion. Feel free to prove me wrong. Lots of people do that as a hobby now ;)
I don't see enough spam to test my theories (un)fortunately.
Regards,
Rob
--
Robert Brooks, Network Manager, Cable & Wireless UK
<[EMAIL PROTECTED]> http://hyperlink-interactive.co.uk/
Tel: +44 (0)20 7240 8121 Fax: +44 (0)20 7240 8098
- Help Microsoft stamp out piracy. Give Linux to a friend today! -
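
The start-versus-middle argument in this thread, worked through as an added example that is not part of the original message: a signature cut from the start of the base64 data also matches an unrelated picture with the same size and frame, while one cut from the middle does not. The two images are constructed uncompressed BMPs (an assumption; the thread does not name a format), the base64 text is treated as one unwrapped string, and every name here is hypothetical.

```python
import base64
import struct

W, H, BORDER = 64, 48, 4          # constructed sample dimensions
FRAME = (255, 255, 255)           # the same plain frame colour on both images

def make_bmp(pixel_fn):
    """Uncompressed 24-bit BMP with a solid frame; pixel_fn(x, y) fills the inside."""
    rows = bytearray()
    for y in range(H):
        for x in range(W):
            edge = min(x, y, W - 1 - x, H - 1 - y) < BORDER
            rows += bytes(FRAME if edge else pixel_fn(x, y))
    # W * 3 is a multiple of 4 here, so rows need no padding bytes.
    file_hdr = b"BM" + struct.pack("<IHHI", 54 + len(rows), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, W, H, 1, 24, 0, len(rows), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(rows)

def b64(data):
    return base64.b64encode(data).decode("ascii")

def common_prefix_len(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

def window(text, start, length=64):
    return text[start:start + length]

# Constructed samples: two unrelated pictures that share only size and frame.
SPAM = b64(make_bmp(lambda x, y: ((x * 37) % 256, (y * 59) % 256, (x * y) % 256)))
OTHER = b64(make_bmp(lambda x, y: (10, 20, 30)))

START_SIG = window(SPAM, 0)                # signature from the start of the data
MIDDLE_SIG = window(SPAM, len(SPAM) // 2)  # signature from the middle

def report():
    return {
        "shared_prefix_chars": common_prefix_len(SPAM, OTHER),
        "start_sig_hits_other": START_SIG in OTHER,    # false positive
        "middle_sig_hits_other": MIDDLE_SIG in OTHER,
        "middle_sig_hits_spam": MIDDLE_SIG in SPAM,
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```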
