From: "MennovB" <[EMAIL PROTECTED]>
These image spams have recognizable strings, but normally not in the header. Just collect a few of them and compare (e.g. cat | sort the lines); you will always find similarities (sometimes only in the MIME part, but even that can work nicely and safely enough). You could then make a SpamAssassin rule for it (check them on your HAM first). The strings I'm sure enough about are not configured in SA but in Postfix with body_checks; if needed I first put them on HOLD to check the result for a few days in the hold queue, then I put them on DISCARD so they are thrown away unnoticed.

One of these newer checks 'HOLDED' 170 spams this weekend without FPs, not a big absolute number, but there's not a lot of spam coming in anyway because of IP blocks, RBLs etc. in Postfix. The only trouble is that after some time they change the spam, but by then hundreds of spams have already been stopped. And finding a new string/regexp can be an entertaining puzzle. But some spam is just used over and over again, so some rules still get hit after 2 years, very kind of the spammers.. I check the spam (archived by SA/Amavisd) every morning, and if I see more spam than normal and a lot of spam of the same size I know there's work to do ;-)
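The procedure above (collect a few samples, cat | sort the lines, keep what they all share, check it against ham, then push it into Postfix body_checks on HOLD before switching to DISCARD, or into a low-scoring SpamAssassin rule) as an added example that is not part of the list post and not code from Postfix or SpamAssassin. It is a POSIX shell script that runs offline on three constructed spam messages and one constructed ham message; the directory layout, the sample messages, the rule names LOCAL_IMGSPAM_n and the "image spam candidate" hold text are all assumptions made for the demo.

```sh
#!/bin/sh
# Added example, not from the list post: the "collect a few, cat|sort, keep the
# lines they all share, check against ham, then HOLD" workflow as a script.
# All messages below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/spam" "$WORK/ham"

# Three constructed image spams from one template: only sender, subject and
# the image payload differ; the MIME scaffolding is identical.
i=0
for sender in alice bob carol; do
    i=$((i + 1))
    cat > "$WORK/spam/$i.eml" <<EOF
From: $sender@example.net
Subject: Stock alert $i
Content-Type: multipart/related; boundary="----=_Part_12345"

------=_Part_12345
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<p class=3DMsoNormal><font size=3D2 face=3DArial>
<img src="cid:image001.gif">
------=_Part_12345
Content-Type: image/gif; name="image001.gif"
Content-Transfer-Encoding: base64

R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs$i
------=_Part_12345--
EOF
done

# One constructed ham message that shares the Word/Outlook HTML markup and the
# base64 header with the spam, so those lines must not become signatures.
cat > "$WORK/ham/1.eml" <<'EOF'
From: dave@example.org
Subject: Minutes from Monday
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

<p class=3DMsoNormal><font size=3D2 face=3DArial>
See attached.
--XYZ
Content-Type: application/pdf; name="minutes.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
EOF

# Lines present in every file under $1 (each line counted once per file).
# Short lines are skipped: they are too generic to be safe signatures.
shared_lines() {
    dir=$1
    n=0
    for f in "$dir"/*; do n=$((n + 1)); done
    for f in "$dir"/*; do sort -u "$f"; done | sort | uniq -c |
        awk -v n="$n" '$1 == n { sub(/^ *[0-9]+ /, ""); if (length($0) >= 12) print }'
}

# Drop candidates that occur verbatim (as a whole line) in any ham message.
not_in_ham() {
    hamdir=$1
    while IFS= read -r line; do
        grep -qxF -- "$line" "$hamdir"/* || printf '%s\n' "$line"
    done
}

find_signatures() {
    shared_lines "$1" | not_in_ham "$2"
}

# Escape PCRE metacharacters and the / delimiter so a literal line is matched.
pcre_escape() {
    sed 's/[][\/.*^$+?(){}|\\]/\\&/g'
}

# Postfix body_checks entries (pcre: table). Start with HOLD, watch the hold
# queue for a few days, then change HOLD to DISCARD once no FPs show up.
emit_body_checks() {
    while IFS= read -r line; do
        printf '/^%s$/ HOLD image spam candidate\n' "$(printf '%s' "$line" | pcre_escape)"
    done
}

# SpamAssassin local.cf rules. "full" matches the raw, undecoded message,
# i.e. the same text body_checks sees. Keep the score low until checked on ham.
emit_sa_rules() {
    i=0
    while IFS= read -r line; do
        i=$((i + 1))
        esc=$(printf '%s' "$line" | pcre_escape)
        printf 'full     LOCAL_IMGSPAM_%d  /^%s$/m\n' "$i" "$esc"
        printf 'describe LOCAL_IMGSPAM_%d  image spam template line %d\n' "$i" "$i"
        printf 'score    LOCAL_IMGSPAM_%d  0.5\n' "$i"
    done
}

echo "# candidate signatures"
find_signatures "$WORK/spam" "$WORK/ham"
echo "# body_checks"
find_signatures "$WORK/spam" "$WORK/ham" | emit_body_checks
echo "# local.cf"
find_signatures "$WORK/spam" "$WORK/ham" | emit_sa_rules
```

On the constructed samples the ham check throws away the MsoNormal markup, the text/html and transfer-encoding headers that any Outlook mail carries, and keeps only the template's MIME boundary, the cid image reference and the image part header. Those are the lines worth putting on HOLD; with a real corpus the ham directory should be large, since a line shared by a handful of spams but absent from one ham message is not yet evidence of anything.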
One that made it through here had no URLs in the body, a LOT of HTML formatting, and hit HTML_IMAGE_RATIO_06, a very low-scoring rule. The HTML formatting is excessive use of this long string for individually formatting small chunks of text, which are then covered by the enclosed Base64 image:

<p class=3DMsoNormal><font size=3D2 face=3DArial> <span lang=3DEN-US = style=3D'font-size:10.0pt;font-family:Arial'>

That can probably lead to some tests. I also noticed here that HTML_IMAGE_RATIO_06 hit 0.3 percent of spam and 0.0 percent of ham here. So I bumped its score up a little. I expect that to be safe here. YMMV. That is the only spam that has broken through in a VERY long time. {^_^}