[LINK] getting rid of image spam
Kim Holburn
kim at holburn.net
Sun Oct 29 10:44:01 AEDT 2006
Odd, I looked through a few today and I get these. No height and
width at all:
<IMG alt="Denied" hspace=0
src="cid:000901c6fad1$0f812ab0$ee9554db at mychat58829494"
align=baseline border=0>
<IMG alt="" hspace=0
src="cid:000301c634d3$5e87f4f0$aa0fa8c0 at sanya" align=baseline
border=0>
<img border=0 id=rueful.7.gif
src="cid:5.0.0.24.0.28283979172251.59261367 at blair.brookfld.com.7">
<img hspace=0 src="cid:5QFBLJUA06G09LH1FQKI" align=baseline>
<IMG alt= "" hspace=0
src= "cid:086501c6faba$32de5350$6601a8c0 at D7X25071" align=baseline
border=0>
<IMG alt= "talking" hspace=0
src="cid:000701c6fae0$5e828c30$447028d5 at Dandermatt" align=baseline
border=0>
<IMG alt= "accounting" hspace=0
src="cid:000e01c6fae5$ef0ded80$9db51148 at D62J2R31" align=baseline
border=0>
<IMG alt= "bundled" hspace=0
src="cid:000301c6fae6$f588e790$47516255 at bsemihy53rdjd3"
align=baseline border=0>
On 2006 Oct 28, at 2:38 PM, Adam Todd wrote:
> Not only are they getting crafty but they break the rules!
>
> Most embedded image SPAM messages have an incorrect construct:
>
> IMG alt="" hspace=0 width79 heightF8 src="cid:000b01
>
>
> So what I did was this:
>
> body -case 'width\S\d height\S\d' drop
>
>
> the regexes (in '') hopefully won't toss too many real ones, which
> should read using the correct width= syntax.
>
> I wonder if this is a "quirk" of the spammer? Because it's the
> part that stands out like a sore thumb!
>
> Much better than the multipart suggestion that will catch
> everything, even true messages.
>
>
> At 10:01 AM 28/10/2006, Howard Lowndes wrote:
>> Jan Whitaker wrote:
>>> At 07:04 AM 28/10/2006, Kim Holburn wrote:
>>>
>>>>> He noticed that the image spam emails always have two
>>>>> distinguishing marks: they come from a different address each time
>>>>> and the Content-Type header begins with "multipart/related".
>>> This filtering supposedly works in Eudora as well. I'm having a
>>> go since you brought it up. I looked at one of the more recent
>>> ones that are mixed color courier font stock info, and it has
>>> "multipart/mixed" . I added that to the filter as well in the
>>> "any headers" qualifier. It may trash embedded graphics email
>>> that I want to get, though, so this may be a risky strategy. I
>>> know, I know, but I have family who aren't quite cluey on this
>>> stuff and do send email with embedded graphics. What's a person
>>> to do?
>>
>> Educate them :)
>>
>> An interesting aspect of this type of spam (mostly stock pumps)
>> that I have noticed is that, from one that I have just studied, it
>> is coming from a dynamic DSL address (the RDNS says so), BUT, the
>> (I assume) zombie that is sending it is not a "fire and forget"
>> zombie, but is retrying if it doesn't get through first time. I
>> know this because I run greylisting and the greylist software has
>> inserted a header into the email to say that it was greylisted for
>> 339 seconds, which means that it was allowed in on the second
>> attempt.
>>
>> Damn it, these spammers are getting smart/crafty :(
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link
--
Kim Holburn
IT Network & Security Consultant
Ph: +61 2 61258620 M: +61 417820641 F: +61 2 6230 6121
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
Democracy imposed from without is the severest form of tyranny.
-- Lloyd Biggle, Jr. Analog, Apr 1961