My recommendation is to take this approach....   Penalize emails with
inline gifs, and penalize them even more if they hit in combination with
HTML_IMAGE_ONLY_*.  

meta     __IMG_ONLY        (HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24)

full     SARE_GIF_ATTACH   /name=\"[a-z]{3,18}\.gif\"/
describe SARE_GIF_ATTACH   Email has a inline gif
score    SARE_GIF_ATTACH   0.75

meta     SARE_GIF_STOX     ( SARE_GIF_ATTACH && __IMG_ONLY )
describe SARE_GIF_STOX     Inline Gif with little HTML
score    SARE_GIF_STOX     1.75

Realize that some of the new stox spam is coming with additional bayes
garbage to screw up the HTML to Image ratio, and cause HTML_IMAGE_ONLY_*
to not even fire.   If that is the case, you may just want to pump
SARE_GIF_ATTACH up a bit.  Realize SARE_GIF_ATTACH "will" FP if you
score it too high.   Neither of the above rules is published by SARE.
70_sare_stocks.cf contains the following rules because they have very
good S/O's.   Although we have masschecked the above SARE_GIF_STOX and
it had a very nice S/O as well, we just never published it. Not sure
why.   Those masscheck results are below from 5 different corpora.

 OVERALL%   SPAM%     HAM%     S/O    RANK  SCORE  NAME
    1244     1244        0    1.000   0.42   1.25  SARE_GIF_STOX
      88       87        1    0.957   0.68   1.25  SARE_GIF_STOX
    1582     1581        1    0.998   0.59   1.25  SARE_GIF_STOX
      44       44        0    1.000   0.89   1.25  SARE_GIF_STOX
     115      115        0    1.000   0.89   1.25  SARE_GIF_STOX


The current published rules for image only stock spam look like this...

#-----------------------------------------------------------------------------------
# 02/01/06
## Contributed by Dallas

full     __SHORT_GIF            /name=\"[a-z]{3,8}\.gif\"/
full     __SHORT_GIF2           /filename=\"[a-z]{3,8}\"/

meta     SARE_STOX_IMG_ONLY     ( __SHORT_GIF && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ))
describe SARE_STOX_IMG_ONLY     Image only stock spam
score    SARE_STOX_IMG_ONLY     1.25
##counts   SARE_STOX_IMG_ONLY       1s/0h of 27159 corpus (19368s/7791h FT) 01/31/06
##counts   SARE_STOX_IMG_ONLY       20s/0h of 11689 corpus (6129s/5560h CT) 01/31/06
##counts   SARE_STOX_IMG_ONLY       2s/0h of 8032 corpus (5812s/2220h AxB) 02/01/06
##counts   SARE_STOX_IMG_ONLY       44s/0h of 37291 corpus (31813s/5478h MY) 01/31/06
##counts   SARE_STOX_IMG_ONLY       487s/0h of 58996 corpus (45504s/13492h ML) 01/31/06
##counts   SARE_STOX_IMG_ONLY       536s/1h of 206158 corpus (52568s/153590h RM) 02/03/06
##counts   SARE_STOX_IMG_ONLY       925s/0h of 88486 corpus (49109s/39377h DOC) 01/31/06

meta     SARE_STOX_IMG_ONLY2    ( __SHORT_GIF2 && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ))
describe SARE_STOX_IMG_ONLY2     Image only stock spam
score    SARE_STOX_IMG_ONLY2     1.66
##counts   SARE_STOX_IMG_ONLY2      0s/0h of 11689 corpus (6129s/5560h CT) 01/31/06
##counts   SARE_STOX_IMG_ONLY2      0s/0h of 206158 corpus (52568s/153590h RM) 02/03/06
##counts   SARE_STOX_IMG_ONLY2      0s/0h of 37291 corpus (31813s/5478h MY) 01/31/06
##counts   SARE_STOX_IMG_ONLY2      160s/0h of 27159 corpus (19368s/7791h FT) 01/31/06
##counts   SARE_STOX_IMG_ONLY2      230s/0h of 8032 corpus (5812s/2220h AxB) 02/01/06
##counts   SARE_STOX_IMG_ONLY2      30s/0h of 58996 corpus (45504s/13492h ML) 01/31/06
##counts   SARE_STOX_IMG_ONLY2      98s/0h of 88486 corpus (49109s/39377h DOC) 01/31/06

Cya,
Dallas
 

> -----Original Message-----
> From: Craig Baird [mailto:[EMAIL PROTECTED] 
> Sent: Tuesday, March 07, 2006 10:54
> To: users@spamassassin.apache.org
> Subject: Re: All image spam
> 
> I'm having similar results here.  As others have mentioned, 
> the SARE stock rules do help somewhat, but it's by no means 
> the proverbial "silver bullet".  
> As someone else also mentioned, it helps to increase the 
> HTML_IMAGE_ONLY_XX rules.  I increased 12,16,20, and 24 by 
> one point each.  However, that still doesn't nail all of 
> them.  I have seen some come through without even hitting any 
> HTML_IMAGE_ONLY_XX rules.
> 
> It seems to me that with these image-only spams, spammers may 
> have finally stumbled onto a pretty good weapon to counter 
> SA, and to defeat Bayes.  With broadband connections being 
> dirt cheap these days, and with all the zombie nets at their 
> disposal, spammers can now blast out large spams in a short 
> amount of time, without causing much drain on their own 
> network resources.  
> I'm getting image-only spam with attachments ranging in size 
> from about 12K to 70K.
> 
> I'll bet it's only a matter of time before we start seeing 
> spam larger than 256K, which I believe is the threshold that 
> most people use to determine whether to send a message to SA 
> for scanning or not.  We'll probably all be bumping up that 
> threshold at some point.  :(
> 
> Craig
> 
> 
> Quoting Jack Gostl <[EMAIL PROTECTED]>:
> 
> > I've seen some references to this in threads, but I didn't see an answer.
> > 
> > Starting in late November, we started getting hit with spam that was 
> > almost entirely a jpeg. They seem to be mostly "stock 
> > recommendations". There is minimal message, usually HTML, and the real 
> > spam content is in the image.
> > Despite all the training that I do, this seems to slip through the 
> > Bayes algorithms with no more than a 50%, and the rest of the tests 
> > don't drive the score up high enough to help.
> > 
> > I am currently running SpamAssassin 3.0.3. I tried running these 
> > messages through SpamAssassin 3.1 and it doesn't seem to help.
> > 
> > Any suggestions?
> > 
> > Thanks - Jack
> > 
> 
> 
> 
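
Added example (not part of the original thread and not SARE or SpamAssassin code): a Python model of how the two proposed rules in Dallas's message combine, including the padded case he describes where HTML_IMAGE_ONLY_* no longer fires and only SARE_GIF_ATTACH is left. The `img_only` check is a simplified stand-in for HTML_IMAGE_ONLY_04..24 (an assumption), and the sample message, its file name and its body are constructed.

```python
import email
import re
from html.parser import HTMLParser

GIF_ATTACH = re.compile(r'name="[a-z]{3,18}\.gif"')        # regex from SARE_GIF_ATTACH
SCORES = {"SARE_GIF_ATTACH": 0.75, "SARE_GIF_STOX": 1.75}  # scores from the message

class TextLen(HTMLParser):
    """Counts visible text characters and records whether an <img> tag appears."""
    def __init__(self):
        super().__init__()
        self.length, self.has_img = 0, False
    def handle_starttag(self, tag, attrs):
        self.has_img |= (tag == "img")
    def handle_data(self, data):
        self.length += len(data.strip())

def img_only(html, limit=2400):
    # Assumption: simplified model of HTML_IMAGE_ONLY_04..24 (image present, little text).
    p = TextLen()
    p.feed(html)
    return p.has_img and p.length <= limit

def evaluate(raw):
    """Return (rules hit, summed score) for one raw message."""
    msg = email.message_from_string(raw)
    html = "".join(part.get_payload() for part in msg.walk()
                   if part.get_content_type() == "text/html")
    gif = bool(GIF_ATTACH.search(raw))   # 'full' rules see the raw message
    hits = []
    if gif:
        hits.append("SARE_GIF_ATTACH")
    if gif and img_only(html):           # meta: SARE_GIF_ATTACH && __IMG_ONLY
        hits.append("SARE_GIF_STOX")
    return hits, sum(SCORES[h] for h in hits)

def sample(text):
    # Constructed message: HTML part with one inline image plus a GIF attachment.
    return ('MIME-Version: 1.0\n'
            'Content-Type: multipart/related; boundary="b1"\n\n'
            '--b1\nContent-Type: text/html\n\n'
            f'<html><body><img src="cid:img1"><p>{text}</p></body></html>\n'
            '--b1\nContent-Type: image/gif; name="chart.gif"\n'
            'Content-ID: <img1>\n\nPLACEHOLDER-IMAGE-DATA\n--b1--\n')

if __name__ == "__main__":
    print(evaluate(sample("hot pick")))      # little text around the image
    print(evaluate(sample("word " * 800)))   # padded with filler text
```

In the padded case only the 0.75 from SARE_GIF_ATTACH remains, which is the situation where the message suggests raising that rule's score while watching for false positives.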
