[LINK] getting rid of image spam
link at todd.inoz.com
Sun Oct 29 12:46:16 EST 2006
I didn't say ALL image spam, I said most - based on the sample I have anyway.
You have some interesting ones in there similar to image spam I've started
to receive in the last 10 days, but haven't had time to really look at
yet. (Obviously the image spam that I'm not yet filtering.)
There has to be a better way!
At 10:44 AM 29/10/2006, Kim Holburn wrote:
>Odd, I looked through a few today and I get these. No height and width at
><IMG alt="Denied" hspace=0
>src="cid:000901c6fad1$0f812ab0$ee9554db at mychat58829494"
><IMG alt="" hspace=0
>src="cid:000301c634d3$5e87f4f0$aa0fa8c0 at sanya"
><img border=0 id=rueful.7.gif
>src="cid:22.214.171.124.0.28283979172251.59261367 at blair.brookfld.com.7">
><img hspace=0 src="cid:5QFBLJUA06G09LH1FQKI"
><IMG alt= "" hspace=0
>src= "cid:086501c6faba$32de5350$6601a8c0 at D7X25071"
><IMG alt= "talking" hspace=0
>src="cid:000701c6fae0$5e828c30$447028d5 at Dandermatt"
><IMG alt= "accounting" hspace=0
>src="cid:000e01c6fae5$ef0ded80$9db51148 at D62J2R31"
><IMG alt= "bundled" hspace=0
>src="cid:000301c6fae6$f588e790$47516255 at bsemihy53rdjd3"
>On 2006 Oct 28, at 2:38 PM, Adam Todd wrote:
>>Not only are they getting crafty but they break the rules!
>>Most embedded image SPAM messages have an incorrect construct:
>>IMG alt="" hspace=0 width79 heightF8 src="cid:000b01
>>So what I did was this:
>>body -case 'width\S\d height\S\d' drop
>>The regexes (in '') hopefully won't toss too many real ones which should
>>read using the correct width= syntax.
>>I wonder if this is a "quirk" of the spammer? Because it's the part that
>>stands out like a sore thumb!
>>Much better than the multipart suggestion that will catch everything,
>>even true messages.
>>At 10:01 AM 28/10/2006, Howard Lowndes wrote:
>>>Jan Whitaker wrote:
>>>>At 07:04 AM 28/10/2006, Kim Holburn wrote:
>>>>>>He noticed that the image spam emails always have two
>>>>>>distinguishing marks: they come from a different address each time
>>>>>>and the Content-Type header begins with "multipart/related".
>>>>This filtering supposedly works in Eudora as well. I'm having a go
>>>>since you brought it up. I looked at one of the more recent ones that
>>>>are mixed color courier font stock info, and it has "multipart/mixed".
>>>>I added that to the filter as well in the "any headers" qualifier. It
>>>>may trash embedded graphics email that I want to get, though, so this
>>>>may be a risky strategy. I know, I know, but I have family who aren't
>>>>quite cluey on this stuff and do send email with embedded graphics.
>>>>What's a person to do?
>>>Educate them :)
>>>An interesting aspect of this type of spam (mostly stock pumps) that I
>>>have noticed is that, from one that I have just studied, it is coming
>>>from a dynamic DSL address (the RDNS says so), BUT, the (I assume)
>>>zombie that is sending it is not a "fire and forget" zombie, but is
>>>retrying if it doesn't get through first time. I know this because I
>>>run greylisting and the greylist software has inserted a header into the
>>>email to say that it was greylisted for 339 seconds, which means that it
>>>was allowed in on the second attempt.
>>>Damn it, these spammers are getting smart/crafty :(
>>Link mailing list
>><mailto:Link at mailman.anu.edu.au>Link at mailman.anu.edu.au
>IT Network & Security Consultant
>Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
><mailto:kim at holburn.net>mailto:kim at holburn.net
><skype://kholburn>skype://kholburn - PGP Public Key on request
>Cacert Root Cert:
>Aust. Spam Act: To stop receiving mail from me: reply and let me know.
>Use ISO 8601 dates [YYYY-MM-DD]
>Democracy imposed from without is the severest form of tyranny.
> -- Lloyd Biggle, Jr. Analog, Apr 1961
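
The three heuristics discussed in this thread (the multipart Content-Type header rule, the inline `cid:` image, and the `width\S\d height\S\d` body rule), run side by side as an added example that is not part of the original posts. The function names and the three sample messages are constructed for illustration, and since the thread does not say what the filter's `-case` flag does, the regex is applied exactly as written.

```python
import re
from email import message_from_string

# The body rule quoted in the thread, applied as a Python regex.
MALFORMED_DIMS = re.compile(r"width\S\d height\S\d")
# Inline image reference of the kind shown in the quoted IMG samples.
IMG_CID = re.compile(r'<img\b[^>]*\bsrc\s*=\s*"?cid:', re.I)

def classify(raw):
    """Return the set of thread heuristics that fire on one raw message."""
    msg = message_from_string(raw)
    hits = set()
    # Header rule: multipart/related, plus the multipart/mixed variant.
    if msg.get_content_type() in ("multipart/related", "multipart/mixed"):
        hits.add("multipart-header")
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode("latin-1")
        if IMG_CID.search(html):
            hits.add("cid-image")
        if MALFORMED_DIMS.search(html):
            hits.add("malformed-dims")
    return hits

def build(img_tag):
    """Constructed sample: multipart/related mail with one HTML part."""
    return (
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/related; boundary="b1"\n\n'
        "--b1\n"
        "Content-Type: text/html; charset=us-ascii\n\n"
        f"<html><body>{img_tag}</body></html>\n"
        "--b1\n"
        "Content-Type: image/gif\n"
        "Content-ID: <sample1>\n"
        "Content-Transfer-Encoding: base64\n\n"
        "R0lGODlh\n"  # constructed placeholder payload
        "--b1--\n"
    )

# Constructed samples: the malformed form, a tag with no dimensions,
# and a well-formed embedded image such as a family member might send.
SPAM_LIKE = build('<IMG alt="" hspace=0 width79 heightF8 src="cid:sample1">')
NO_DIMS = build('<IMG alt="Denied" hspace=0 src="cid:sample1">')
FAMILY = build('<img width="79" height="48" src="cid:sample1">')

if __name__ == "__main__":
    for name in ("SPAM_LIKE", "NO_DIMS", "FAMILY"):
        print(name, sorted(classify(globals()[name])))
```

The header and `cid:` checks fire on all three samples, including the well-formed one, while the body regex fires only on the malformed tag and misses the tag that carries no width or height at all.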