[LINK] getting rid of image spam
Neale Banks
neale at lowendale.com.au
Thu Nov 2 08:14:25 AEDT 2006
Hi Craig,
[...]
> for anyone using postfix, here's a PCRE header_checks rule which blocks them:
>
> /^Content-Type:.*multipart\/related.*boundary="(?:------------|--+=?_NextPart)/ REJECT
>
> i came up with the boundary=... qualifier by examining all the
> multipart/related image spams in my amavisd spamtrap quarantine.
> there's no guarantee that it won't reject other non-image-spam messages,
> but this pattern is common to all of the ones in my spamtrap.
Interesting observation... but either I'm mis-reading your PCRE or
getting different spams than you, like this one:
Content-Type: multipart/related; boundary="D1404ZGM1C0I4LWS1WJU"
That appears to be from a NAB phishing attempt, given the sender's domain.
But... the nice thing about that one is it's wrong as it omits the
required parameter "Type". I.e. in regexp terms:
if /^Content-Type:[[:space:]]*multipart\/related/
!/type=/ REJECT RFC2387 says multipart/related requires a Type
endif
FWIW, I've received at least two "genuine" multipart/related emails this
week so have reservations about summary blocking of all multipart/related.
The first was from casa.gov.au - it's potentially easy as it's the only
one I've seen with Type=text/html.
The second one is more challenging:
Message-ID: <000a01c6fe76$0b6ac320$9815fddc at johndm38widz8b>
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_0006_01C6FED2.3E50FC80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Those headers come from an email which, arguably reasonably, includes an
embedded image. My best hypothesis is that the author of that email and
the authors of the spams are all using Outlook Express {:-(
So the question remains: how to distinguish them?
Regards,
Neale.
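An added example, not part of the thread and not Postfix's own code: the script below applies both rules discussed above to unfolded Content-Type headers in Python, so the two can be compared side by side. It uses Craig's boundary regex as posted and Neale's RFC 2387 "type= required" check, and runs them against header samples constructed from the ones quoted in the thread (the casa.gov.au header is not quoted in full, so that sample is a constructed stand-in with Type=text/html). Postfix pcre tables are case-insensitive by default, which the script mirrors with re.IGNORECASE, and header_checks sees a folded header as one logical line, which unfold() reproduces.

```python
"""Compare two header_checks-style rules for multipart/related messages:
 1. Craig's boundary heuristic (suspected image spam), as posted in the thread.
 2. Neale's RFC 2387 check: multipart/related MUST carry a type= parameter.
All sample headers below are constructed for this example.
"""
import re
from email import message_from_string

# Craig's rule verbatim; Postfix pcre tables match case-insensitively by default.
CRAIG_BOUNDARY_RE = re.compile(
    r'^Content-Type:.*multipart/related.*boundary="(?:------------|--+=?_NextPart)',
    re.IGNORECASE,
)
# Neale's rule, split into its "if" guard and the negated inner pattern.
RELATED_RE = re.compile(r'^Content-Type:\s*multipart/related', re.IGNORECASE)
TYPE_PARAM_RE = re.compile(r'type=', re.IGNORECASE)
RFC2387_REJECT = "REJECT RFC2387 says multipart/related requires a Type"


def unfold(header: str) -> str:
    """Join folded continuation lines (CRLF/LF followed by whitespace) into one
    logical header line, the way Postfix header_checks sees it."""
    return re.sub(r'\r?\n[ \t]+', ' ', header.strip())


def rfc2387_verdict(header: str) -> str:
    """Neale's check: reject multipart/related that lacks a type= parameter."""
    line = unfold(header)
    if not RELATED_RE.match(line):
        return "OK"  # not multipart/related; the rule does not apply
    if not TYPE_PARAM_RE.search(line):
        return RFC2387_REJECT
    return "OK"


def craig_verdict(header: str) -> str:
    """Craig's boundary heuristic applied to the unfolded header."""
    return "REJECT" if CRAIG_BOUNDARY_RE.match(unfold(header)) else "OK"


def related_type(header: str):
    """Value of the type= parameter (unquoted) via the stdlib MIME parser,
    or None when absent. Useful for finer rules such as allowing text/html."""
    msg = message_from_string(unfold(header) + "\n\n")
    return msg.get_param("type")


# Constructed samples modelled on the headers quoted in the thread.
PHISH = 'Content-Type: multipart/related; boundary="D1404ZGM1C0I4LWS1WJU"'
CASA_LIKE = ('Content-Type: multipart/related; type="text/html"; '
             'boundary="constructed-boundary-0001"')  # stand-in, not the real header
OUTLOOK_EXPRESS = ('Content-Type: multipart/related;\n'
                   '\ttype="multipart/alternative";\n'
                   '\tboundary="----=_NextPart_000_0006_01C6FED2.3E50FC80"')

if __name__ == "__main__":
    for name, hdr in [("phish", PHISH), ("casa-like", CASA_LIKE),
                      ("outlook-express", OUTLOOK_EXPRESS)]:
        print(f"{name:16} craig={craig_verdict(hdr):7} "
              f"rfc2387={rfc2387_verdict(hdr)[:6]:7} type={related_type(hdr)}")
```

Running it shows the trade-off Neale describes: the phishing header fails the RFC 2387 check but slips past Craig's boundary pattern, while the legitimate Outlook Express header passes RFC 2387 yet is rejected by the boundary rule because its boundary begins with `----=_NextPart`.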