[Mimedefang] Broken image spam?

Paul Murphy Paul.Murphy at ArgentaDiscovery.com
Mon Oct 9 11:15:27 EDT 2006


Hi all,
 
I've noticed a number of messages from the weekend which appear to be an attempt at image spam, where the body of the message is alternative parts in text or HTML, and where the HTML part has an embedded image.  The FuzzyOCR plugin to SpamAssassin has been very helpful in filtering these out, but the new versions are getting through - because the image is a 1x1 or 2x1 single layer GIF in a single colour, i.e. it is a plain background image.
 
Now, as these don't actually have any real content, they're more of an annoyance than a real problem, but has anyone else been seeing these, and figured out a way to block them based on image size or something?
 
One common factor seems to be that the image name is always a CID: inclusion which ends with "_csseditor", e.g.:
 
    Content-Type: image/gif; name="kgwgiu.gif"
    Content-ID: <780C1EB8.0C17FD32.9305C17F.D329A6EB_csseditor>
    Content-Transfer-Encoding: base64
 
For now, I've bumped the SARE_GIF_ATTACH ruleset score to catch these, and I block a lot of them as being from "broadband" or dial-up hosts eventually (after 5 messages from a "broadband" address, if the average score is >10, they get firewalled), but I'd like to catch them on the first pass if possible.  Any ideas?
 
Best Wishes,
 
Paul.
 
 
-------------------------------------------------------
Paul Murphy
Head of I.T.
Argenta Discovery
Tel. 01279 645 554
Fax. 01279 645 646




