[LINK] getting rid of image spam
Adam Todd
link at todd.inoz.com
Thu Nov 2 11:09:18 AEDT 2006
At 08:14 AM 2/11/2006, Neale Banks wrote:
>Hi Craig,
>
>[...]
> > for anyone using postfix, here's a PCRE header_checks rule which blocks
> > them:
> >
> > /^Content-Type:.*multipart\/related.*boundary="(?:------------|--+=?_NextPart)/
> > REJECT
> >
>
>Interesting observation... but either I'm mis-reading your PCRE or
>getting different spams than you, like this one:
> Content-Type: multipart/related; ??boundary="D1404ZGM1C0I4LWS1WJU"
>That appears to be from a NAB phishing attempt, given the sender's domain.
>
>FWIW, I've received at least two "genuine" multipart/related emails this
>week so have reservations about summary blocking of all multipart/related.
Yes but you have to remember that Craig is on the extreme end of
things. He prefers to block and deny everything and send 500 messages back
to the origin saying he's blocked and denied a single message.
>The first was from casa.gov.au - it's potentially easy as it's the only
>one I've seen with Type=text/html.
>
>The second one is more challenging:
>
> Message-ID: <000a01c6fe76$0b6ac320$9815fddc at johndm38widz8b>
> MIME-Version: 1.0
> Content-Type: multipart/related;
> type="multipart/alternative";
> boundary="----=_NextPart_000_0006_01C6FED2.3E50FC80"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2600.0000
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
It also has the multipart/alternative type tag - which you are referring
to, but so do many image spams. Which is why I opted not to use this
method of detection. It's going to get a lot of false positives.
>Those headers come from an email which, arguably reasonably, includes an
>embedded image. My best hypothesis is that the author of that email and
>the authors of the spams are all using Outlook Express {:-(
Not necessarily. Many are using one of a range of software applications
that are specially designed to create the pretty spam messages and send
them via a random list of open relays and addresses.
Definitely not the Outlook style! I also can't say I've seen one created by
Outlook, but then I've been looking for things like BatMail and other like
applications.
>So the question remains: how to distinguish them?
Well I suggest looking at the image tag embedded in the message's HTML :)
I've said too much on this already!
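To make the disagreement in this thread concrete, here is a small added test harness (not code from the thread or from Postfix) that runs Craig's header_checks pattern over the Content-Type headers quoted above. It assumes the pcre_table(5) defaults as I read them, namely case-insensitive matching with dot also matching newline, so a folded (multi-line) header is matched as one logical header the way Postfix does. The first two headers are transcribed from the thread; the third is constructed here to stand in for the casa.gov.au message, which is only described, not shown.

```python
import re

# Craig's header_checks rule as quoted in the thread (the Postfix /pattern/ delimiters removed).
HEADER_CHECK = re.compile(
    r'^Content-Type:.*multipart\/related.*boundary="(?:------------|--+=?_NextPart)',
    # Assumption: Postfix pcre tables default to /i (case-insensitive) and /s (dot matches newline).
    re.IGNORECASE | re.DOTALL,
)

# Logical headers: continuation lines keep their leading whitespace, as Postfix hands them to the table.
SAMPLE_HEADERS = {
    # Neale's NAB phishing sample (transcribed from the thread, including the odd "??" characters).
    "nab-phish": 'Content-Type: multipart/related; ??boundary="D1404ZGM1C0I4LWS1WJU"',
    # Neale's legitimate Outlook Express message with an embedded image (transcribed, folded).
    "outlook-express-legit": (
        'Content-Type: multipart/related;\n'
        '\ttype="multipart/alternative";\n'
        '\tboundary="----=_NextPart_000_0006_01C6FED2.3E50FC80"'
    ),
    # Constructed stand-in for the casa.gov.au message with Type=text/html (not shown in the thread).
    "constructed-text-html": (
        'Content-Type: multipart/related; type="text/html";\n'
        '\tboundary="__example_constructed_boundary__"'
    ),
}


def apply_rule(logical_header):
    """Return the action the rule would take on one logical header: 'REJECT' if it fires, else 'OK'."""
    return "REJECT" if HEADER_CHECK.search(logical_header) else "OK"


def evaluate(headers=SAMPLE_HEADERS):
    """Map each sample name to the verdict the header_checks rule gives it."""
    return {name: apply_rule(header) for name, header in headers.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{verdict:6} {name}")
```

Run as-is it shows both sides of the argument: the phishing header with the random boundary passes untouched (the rule only keys on the two boundary prefixes), while the legitimate Outlook Express message is rejected because its `----=_NextPart` boundary matches the second alternative. That is the false-negative and false-positive pair Neale and Adam are describing; any replacement rule should be checked against a corpus of real headers the same way before it goes into header_checks.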