RE: How to detect current images-only messages?

Mon, 19 Jun 2006 08:58:34 -0700

Title: RE: How to detect current images-only messages?


> -----Original Message-----
> From: Yves Goergen [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, June 18, 2006 5:50 AM
> To: users@spamassassin.apache.org
> Subject: How to detect current images-only messages?
>
>
> Hello,
> I keep receiving messages that contain of nothing but composed images.
> They're HTML messages with only <img/> tags in them. There
> seems to be a
> rule that checks if the message has *any* image and compares it to its
> length. That gave my spam some scores recently but not so today. I
> received a message that looks just like the others but has no score at
> all due to the fact that it only contains of images.
>
> Is there any way to detect this type of message with SpamAssassin? I
> cannot think of a regular _expression_ that would do it, and even if I
> could, SA offered no way to match it reliably. (See the line-by-line
> problem with 'rawbody' and encoding problems with 'full'.)

I keep hearing this is a problem, but I'm not seeing it on my end. Most are being caught:

Some examples

X-Spam-Status: Yes, score=7.6 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
        HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
        MY_ALT,MY_DSL,RCVD_IN_NJABL_DUL

X-Spam-Status: Yes, score=7.6 required=5.0 tests=HTML_90_100,
        HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
        MSGID_DOLLARS,MY_ALT

X-Spam-Status: Yes, score=9.2 required=5.0 tests=HTML_90_100,
        HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
        MSGID_DOLLARS,MY_ALT,SARE_BOUNDARY_09

X-Spam-Status: Yes, score=8.6 required=5.0 tests=EXTRA_MPART_TYPE,
        HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_90_100,HTML_IMAGE_ONLY_08,
        HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,SPF_HELO_SOFTFAIL

X-Spam-Status: Yes, score=5.6 required=5.0 tests=HTML_90_100,HTML_MESSAGE,
        MIME_HTML_MOSTLY,MPART_ALT_DIFF,MSGID_DOLLARS,MY_ALT

Ahhh...occasional slip thru...

X-Spam-Status: No, score=4.4 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
        HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,RCVD_IN_NJABL_DUL

X-Spam-Status: No, score=4.4 required=5.0 tests=EXTRA_MPART_TYPE,
        FORGED_RCVD_HELO,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,
        MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,MY_HELO,SPF_HELO_PASS
       
I'll have to adjust for those 2. :)

Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com

Reply via email to