These image spams have recognizable strings, but normally not in the header.
Just collect a few of them and compare (e.g. cat|sort the lines); you will
always find similarities (sometimes only in the MIME part, but even that can
work nicely and safely enough).
You could then make a SpamAssassin rule for it (check them on your HAM
first).
The strings I'm sure enough about are not configured in SA but in Postfix
with body_checks. If needed, I first put them on HOLD to check the result for
a few days in the hold queue, then I put them on DISCARD so the mail is thrown
away unnoticed. One of these newer checks 'HOLDED' 170 spams this weekend
without FPs, not a big absolute number, but there's not a lot of spam coming
in anyway because of IP blocks, RBLs etc. in Postfix.
Only trouble is after some time they change the spam, but then already
hundreds of spams are stopped.
And finding a new string/regexp can be an entertaining puzzle. But some spam
is just used over and over again so some rules still get hit after 2 years,
very kind of the spammers..
I check the spam (archived by SA/Amavisd) every morning and if I see more
spam than normal and a lot of spam of the same size I know there's work to
do ;-)

Regards
Menno van Bennekom
-- 
View this message in context: 
http://www.nabble.com/Image-spams-getting-thru-tf2014839.html#a5577751
Sent from the SpamAssassin - Users forum at Nabble.com.
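
The compare step described in the message above, as an added example that is not part of the original post: it finds body lines shared by every collected spam sample, drops any line that also occurs in ham, and formats the rest as Postfix body_checks entries with the HOLD action. The function names, the threshold parameters and the sample bodies are assumptions made for illustration.

```python
import re
from collections import Counter

def common_lines(spam, ham, min_share=1.0, min_len=12):
    """Lines seen in at least min_share of the spam samples and in no ham."""
    ham_lines = {ln.strip() for msg in ham for ln in msg.splitlines()}
    seen = Counter()
    for msg in spam:
        # Count each distinct line once per message (like sort -u per file).
        seen.update({ln.strip() for ln in msg.splitlines()
                     if len(ln.strip()) >= min_len})
    need = min_share * len(spam)
    return sorted(ln for ln, n in seen.items()
                  if n >= need and ln not in ham_lines)

def body_check_rule(line, action="HOLD", note="image spam candidate"):
    """Format one literal line as a regexp-table entry: /pattern/ ACTION text."""
    # Escape regex metacharacters and the "/" delimiter so the match is literal.
    # Assumption: the table accepts "\/" inside the pattern; check with postmap -q.
    pattern = re.sub(r"([\\.^$*+?()\[\]{}|/])", r"\\\1", line)
    return f"/^{pattern}$/ {action} {note}"

# Constructed sample bodies (not real mail): one shared line, one varying line.
SHARED = "iVBORw0KGgoAAA/constructed+shared+line=="
PREAMBLE = "This is a multi-part message in MIME format."
SPAM = [f"{PREAMBLE}\n{SHARED}\nrandom-filler-line-{i:04d}\n" for i in range(3)]
HAM = [f"{PREAMBLE}\nSee you at the meeting on Monday.\n"]

if __name__ == "__main__":
    for candidate in common_lines(SPAM, HAM):
        print(body_check_rule(candidate))
```

The ham list is what keeps ordinary lines such as the MIME preamble out of the candidates, so it should be as large and varied as the spam collection.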
