[Mimedefang] Image blocking idea

Paul Whittney pwhittney at net.arrivetech.com
Fri Apr 21 15:52:49 EDT 2006


Maybe another possibility is to limit what accounts get images..

I've been thinking about this, in relation to clients wanting their
email address on their webpages (uurrgghh). If there is an info at domain
or abuse@ postmaster@ webmaster@ (etc...), would it be worth it to
deny connections, stating a "Please see www.mydomain.com/emailRules.html"
in the response? As some small places have info and webmaster directed
to their real email address.

This seems more cost effective for the server (although, you have to wait
till the first image...), but the user will see less email.

As I say, just thinking out loud... Perhaps it's wrong to do this
for images, but might be good for attachments...
 "Error: Email to webmaster must not contain attachments"
Not sure if it's worth making another list of "users that should not
get attachments". If the user needs a file, they would respond using
their real email address, so it's not a complete loss for website 
updates, say.

With all the talk of images I've added a sub to filter that logs
images:
	$res = filter_filename_image($entity);
	if ($res) {
		md_graphdefang_log('incoming_image', $fname, $type);
	}

Where filter_filename_image is just like filter_bad_filenames but with:
	$bad_exts = '(bmp|dib|emf|gif|ico|jfif|jpe|jpeg|jpg|png|rle|tif|tiff|wmf)';

I think I was trying to prevent the wmf XP issue back in December, and took
all images out with a "Sorry: images not permitted at this time". But I never
checked my logs, and the problem went away.

But now I can see what percentage of emails have images, to see if it's worth
processing them. Today alone I've seen 157 out of about 750 (kinda wrong,
as an email could have had 2 images in it... I only just thought about that)

On a different note concerning images, what about an email filter logging the 
possibility of the images containing hidden data (i.e. Steganography test).

Maybe it's a bit overboard, but that harmless image of the birthday party
at the office could contain hidden info about the current secret project..
Okay, a little far fetched, and paranoid. But I'd be curious if the detection
tools would log anything (other than false positives).

Although, couldn't the statistical testing of an image show a difference
between a photograph, and a spam message? I don't know how, not into
image manipulation. Wouldn't the same picture, but with a different
size/name/extension in multiple emails result in roughly the same
high/mid/low tones? Or the same red channel distribution (again, I
don't know enough about images).

Suppose this could also be an issue with storing, and looking at email images,
which might complicate the testing.

And (this'll be the last thought, honest ;-), I just got an auto response 
back from an abuse system (bank phishing scam report) that I forwarded the
email to containing an embedded html image. The response has the same email,
except it put: "(Embedded image moved to file: pic14474.jpg)" and sent it
as an attachment.
And the email contains  [IMAGE]  where the image was...

Could this be a way to prevent the image tracking bots for those users who
insist that html email is always shown in Outlook?

Thoughts?

Best Regards
	Paul

On Thu, Apr 20, 2006 at 10:58:12AM -0400, David F. Skoll wrote:
> Kenneth Porter wrote:
> 
> > I'm beginning to favor the idea of challenge/response systems, but only
> > for "rich" content (ie. anything not pure text/plain).
> 
> Intriguing... I normally hate C/R systems, but that might be a good idea.
> Anything to make it more of a hassle to send non-plain-text e-mail is
> a good idea, IMO.
> 
> Regards,
> 
> David.

-- 
Paul Whittney                                ArriveTech, Inc.
Network Specialist / Systems Engineer       / |3823 W 12th St, Suite A
                                           /--|Erie, PA, 16505, USA
PWhittney [at] arrivetech.com (Main)      /   |www.arrivetech.com 
PWhittney [at] net.arrivetech.com (Aux)  /    |Tel: 814 868 3306
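
Added example, not part of the original message or of MIMEDefang: a sketch of the tone-distribution idea raised above, comparing normalised grey-level histograms so that a resized copy of the same picture still matches. It assumes the image part has already been decoded to rows of 0-255 grey values; the function names, the sample pixel data and the 0.05 threshold are all constructed for illustration.

```python
# Added example: tone-histogram fingerprint over decoded grey pixels (0-255).
# Decoding the MIME part into pixels is assumed to happen elsewhere.

def tone_fingerprint(pixels, bins=8):
    """Normalised histogram of grey values, so image size drops out."""
    counts = [0] * bins
    total = 0
    for row in pixels:
        for value in row:
            counts[value * bins // 256] += 1
            total += 1
    return [c / total for c in counts]


def distance(fp_a, fp_b):
    """Half the L1 distance: 0.0 = same distribution, 1.0 = no overlap."""
    return sum(abs(a - b) for a, b in zip(fp_a, fp_b)) / 2


def upscale(pixels, factor):
    """Nearest-neighbour resize, standing in for a re-sized copy of a picture."""
    return [[v for v in row for _ in range(factor)]
            for row in pixels for _ in range(factor)]


def speckle(pixels, step, value=128):
    """Overwrite every step-th pixel, standing in for small per-message noise."""
    width = len(pixels[0])
    return [[value if (y * width + x) % step == 0 else v
             for x, v in enumerate(row)] for y, row in enumerate(pixels)]


def looks_like(pixels_a, pixels_b, threshold=0.05):
    """True when the two tone distributions are within the assumed threshold."""
    return distance(tone_fingerprint(pixels_a),
                    tone_fingerprint(pixels_b)) <= threshold


# Constructed samples: dark text lines on white, and a smooth gradient "photo".
SPAM = [[20 if y % 4 == 0 and x % 3 == 0 else 255 for x in range(16)]
        for y in range(16)]
PHOTO = [[(x * 16 + y * 7) % 256 for x in range(16)] for y in range(16)]
RESENT = speckle(upscale(SPAM, 2), step=101)  # same picture, resized and noised

if __name__ == "__main__":
    print("spam vs resent:", distance(tone_fingerprint(SPAM), tone_fingerprint(RESENT)))
    print("spam vs photo: ", distance(tone_fingerprint(SPAM), tone_fingerprint(PHOTO)))
    print("match:", looks_like(SPAM, RESENT), looks_like(SPAM, PHOTO))
```

A tone histogram ignores where the pixels sit, so unrelated images with similar brightness mixes can also match; a hit is something to log and review rather than a verdict.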


