>> >> > On Mon, Jul 31, 2006 at 01:57:52PM +0530, Ramprasad wrote: >> >> So if the spammer keeps generating different images for every spam mail >> >> then DCC RAZOR etc would be useless right ? >> > >> > An image is just content - much like text or HTML. How useful >> > DCC/RAZOR/etc. would be depends highly on how they are used and >> > on how sophisticated the spammer is. What I suggested is not the >> > end-it-all solution for spam detection but another tool to add to >> > the spamassassin toolbox. >> > >> > Also, generating new images potentially is computationally expensive >> > enough that most spammers wouldn't try it. >> > >> > Over 50% of my false negatives this week would have been properly >> > identified by IDing the image. YMMV. >> > >> > Tim >> > >> >> A few months ago I played around with a plugin that computed MD5 hashes >> from images contained in a mail and compared that sum to a RBL-like >> DNS-based database maintained by Will Stearns. >> Results were somewhat disappointing. If Will still feeds the zone I can >> post the code somewhere >> >> Another idea was to check the images for correctness. Some spammers seem >> to use slightly modified copies of a master image. These copies are >> displayed correctly by the usual MUAs but they do contain errors that show >> up when using Image::Info or something. >> >> Dirk >>
Hi, this should be possible to detect, but at least gif format can be modified easily without introducing errors: just play with unused colormap entries. An algorithm that actually renders the image (eg converts it to pbm) before the md5 would recognize images as the same while plain md5 will consider them different Wolfgang Hamann Musicman
