[LINK] getting rid of image spam

Adam Todd link at todd.inoz.com
Sat Oct 28 14:38:56 AEST 2006


Not only are they getting crafty but they break the rules!

Most embedded image SPAM messages have an incorrect construct:

IMG alt="" hspace=0  width79 heightF8 src="cid:000b01


So what I did was this:

body -case 'width\S\d height\S\d' drop


The regexes (in '') hopefully won't toss too many real ones, which should 
read using the correct width= syntax.

I wonder if this is a "quirk" of the spammer?  Because it's the part that 
stands out like a sore thumb!

Much better than the multipart suggestion that will catch everything, even 
true messages.


At 10:01 AM 28/10/2006, Howard Lowndes wrote:
>Jan Whitaker wrote:
>>At 07:04 AM 28/10/2006, Kim Holburn wrote:
>>
>>>>He noticed that the image spam emails always have two
>>>>distinguishing marks: they come from a different address each time
>>>>and the Content-Type header begins with "multipart/related".
>>this filtering supposedly works in Eudora as well. I'm having a go since 
>>you brought it up. I looked at one of the more recent ones that are mixed 
>>color courier font stock info, and it has "multipart/mixed" . I added 
>>that to the filter as well in the "any headers" qualifier. It may trash 
>>embedded graphics email that I want to get, though, so this may be a 
>>risky strategy. I know, I know, but I have family who aren't quite cluey 
>>on this stuff and do send email with embedded graphics. What's a person to do?
>
>Educate them  :)
>
>An interesting aspect of this type of spam (mostly stock pumps) that I 
>have noticed is that, from one that I have just studied, it is coming from 
>a dynamic DSL address (the RDNS says so), BUT, the (I assume) zombie that 
>is sending it is not a "fire and forget" zombie, but is retrying if it 
>doesn't get through first time.  I know this because I run greylisting and 
>the greylist software has inserted a header into the email to say that it 
>was greylisted for 339 seconds, which means that it was allowed in on the 
>second attempt.
>
>Damn it, these spammers are getting smart/crafty  :(
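
An added example, not part of the original post: the posted pattern run against sample IMG tags to see what it drops, next to a stricter variant. Python's `re` stands in for the filter's regex engine, the `-case` option is not modelled, the `STRICT` pattern is hypothetical, and every sample except the first is constructed.

```python
import re

# Rule as posted: body -case 'width\S\d height\S\d' drop
# Assumption: compiled case-sensitively; the post does not say what -case does.
POSTED = re.compile(r'width\S\d height\S\d')

# Hypothetical stricter variant (not from the post): the character after the
# attribute name must not be '=', so well-formed attributes cannot match.
STRICT = re.compile(r'width[^\s=]\d height[^\s=]\d')

# Only "spam_fragment" is taken from the post; the rest are constructed.
SAMPLES = {
    "spam_fragment": 'IMG alt="" hspace=0  width79 heightF8 src="cid:000b01',
    "quoted_attrs": '<img width="79" height="68" src="cid:logo">',
    "unquoted_two_digit": '<img width=79 height=68 src="cid:logo">',
    "unquoted_one_digit": '<img width=1 height=1 src="cid:spacer">',
    "no_dimensions": '<img alt="photo" src="cid:photo">',
}


def verdicts(rule):
    """Map each sample name to True if the rule would drop it."""
    return {name: bool(rule.search(body)) for name, body in SAMPLES.items()}


def false_positives(rule):
    """Names of the non-spam samples that the rule would drop."""
    return sorted(name for name, hit in verdicts(rule).items()
                  if hit and name != "spam_fragment")


if __name__ == "__main__":
    for label, rule in (("posted", POSTED), ("strict", STRICT)):
        print(label, verdicts(rule), "false positives:", false_positives(rule))
```

The posted pattern needs exactly two non-space characters after `width` before the space, so `width=79` passes but a well-formed single-digit size such as `width=1 height=1` is dropped along with the spam fragment.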



