[Mimedefang] Image spam and broken file formats

Kevin A. McGrail kmcgrail at pccc.com
Tue Dec 5 08:16:48 EST 2006


Ken:

I think you will find that it is not very helpful and that validating the 
images will be more resource intensive than necessary.  Dallas' ImageInfo 
plug-in is a great balance on this issue and I'm voting to have it included 
in the stock SA installation.

My reason for saying not very helpful is that we run a legitimate site that 
allows image uploads and it amazes me how many of these are corrupted files 
in minor, non-visible ways.  Just look at how complex ImageMagick is for an 
idea.  Acrobat, for example, has numerous "copy cats" that don't follow the 
spec exactly.

However, I know the number one test I think would be helpful is using 
ImageInfo to see if an image is an animated gif.  I haven't had time to 
research this fully but there are two immediate checks:  A) is it a gif89a 
header and B) Moses Moore thought that it's possible 0x2C indicates a frame.

My point is that I have seen animated gifs being used as well as distorted 
gifs that will beat OCR techniques.  ImageInfo's size ratio tests are likely 
to remain valid.  Increasing those tests with an animated gif test I think 
would be valuable if it can be done with a very efficient test.

Regards,
KAM

> Do the files found in image spam follow the letter of the format specs, or 
> do they tend to be broken? Is the degree of brokenness useful as a spam 
> metric?
>
> I'm a fan of rejecting broken files at the gateway (including HTML) and 
> would like to bounce images that violate their format standards, as 
> they're likely to cause issues like buffer overruns in unsuspecting 
> clients.
>
> Are there any good utilities that simply validate file formats commonly 
> seen in email? I'd like to at least hit JPEG, GIF, PNG, and Acrobat. 
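
An added example, not part of the original message and not ImageInfo's code: one way to implement the animated-GIF check discussed above by walking the GIF block structure and counting image descriptors (0x2C), since that byte value also occurs inside colour tables and pixel data. The function names and the sample file are constructed for illustration; broken structure is reported alongside the count rather than treated as fatal.

```python
import struct

def _skip_sub_blocks(data, pos):
    # Data sub-blocks: <size byte><size bytes of data>..., ended by a zero size byte.
    while data[pos]:
        pos += 1 + data[pos]
    return pos + 1

def count_gif_frames(data, limit=64):
    """Return (frames, well_formed); stops counting once `limit` frames are seen."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return 0, False
    frames = 0
    try:
        pos = 13                                  # 6-byte header + 7-byte screen descriptor
        if data[10] & 0x80:                       # global colour table present
            pos += 3 * (2 << (data[10] & 0x07))
        while frames < limit:
            block = data[pos]
            if block == 0x3B:                     # trailer: clean end of file
                return frames, True
            if block == 0x21:                     # extension: label byte, then sub-blocks
                pos = _skip_sub_blocks(data, pos + 2)
            elif block == 0x2C:                   # image descriptor: one frame
                flags = data[pos + 9]
                frames += 1
                pos += 10
                if flags & 0x80:                  # local colour table present
                    pos += 3 * (2 << (flags & 0x07))
                pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW minimum code size
            else:
                return frames, False              # unknown block type
    except IndexError:                            # ran off the end: truncated file
        return frames, False
    return frames, True                           # limit reached, no errors so far

def make_sample_gif(n_frames):
    # Constructed input: 1x1 GIF89a whose 2-entry palette is filled with 0x2C bytes.
    head = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x2c" * 6
    frame = (b"\x21\xf9\x04\x00\x0a\x00\x00\x00"                # graphic control extension
             + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)   # image descriptor
             + b"\x02\x02\x44\x01\x00")                         # LZW min size + one sub-block
    return head + frame * n_frames + b"\x3b"
```

A result with more than one frame marks the image as animated; the second value shows whether the file ended cleanly, which can be scored separately.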



