[LINK] getting rid of image spam

Kim Holburn kim at holburn.net
Sun Oct 29 10:44:01 AEDT 2006


Odd, I looked through a few today and I get these.  No height and  
width at all:

<IMG alt="Denied" hspace=0
src="cid:000901c6fad1$0f812ab0$ee9554db at mychat58829494"
align=baseline border=0>

<IMG alt="" hspace=0
src="cid:000301c634d3$5e87f4f0$aa0fa8c0 at sanya" align=baseline
border=0>

<img border=0 id=rueful.7.gif
src="cid:5.0.0.24.0.28283979172251.59261367 at blair.brookfld.com.7">

<img hspace=0  src="cid:5QFBLJUA06G09LH1FQKI" align=baseline>

<IMG alt= "" hspace=0
src= "cid:086501c6faba$32de5350$6601a8c0 at D7X25071" align=baseline
border=0>

<IMG alt= "talking" hspace=0
src="cid:000701c6fae0$5e828c30$447028d5 at Dandermatt" align=baseline
border=0>

<IMG alt= "accounting" hspace=0
src="cid:000e01c6fae5$ef0ded80$9db51148 at D62J2R31" align=baseline
border=0>

<IMG alt= "bundled" hspace=0
src="cid:000301c6fae6$f588e790$47516255 at bsemihy53rdjd3"
align=baseline border=0>



On 2006 Oct 28, at 2:38 PM, Adam Todd wrote:
> Not only are they getting crafty but they break the rules!
>
> Most embedded image SPAM messages have an incorrect construct:
>
> IMG alt="" hspace=0  width79 heightF8 src="cid:000b01
>
>
> So what I did was this:
>
> body -case 'width\S\d height\S\d' drop
>
>
> the regexs (in '') hopefully won't toss too many real ones which  
> should read using the correct width= syntax.
>
> I wonder if this is a "quirk" of the spammer?  Because it's the  
> part that stands out like a sore thumb!
>
> Much better than the multipart suggestion that will catch  
> everything, even true messages.
>
>
> At 10:01 AM 28/10/2006, Howard Lowndes wrote:
>> Jan Whitaker wrote:
>>> At 07:04 AM 28/10/2006, Kim Holburn wrote:
>>>
>>>>> He noticed that the image spam emails always have two
>>>>> distinguishing marks: they come from a different address each time
>>>>> and the Content-Type header begins with "multipart/related".
>>> this filtering supposedly works in Eudora as well. I'm having a  
>>> go since you brought it up. I looked at one of the more recent  
>>> ones that are mixed color courier font stock info, and it has  
>>> "multipart/mixed" . I added that to the filter as well in the  
>>> "any headers" qualifier. It may trash embedded graphics email  
>>> that I want to get, though, so this may be a risky strategy. I  
>>> know, I know, but I have family who aren't quite cluey on this  
>>> stuff and do send email with embedded graphics. What's a person  
>>> to do?
>>
>> Educate them  :)
>>
>> An interesting aspect of this type of spam (mostly stock pumps)  
>> that I have noticed is that, from one that I have just studied, it  
>> is coming from a dynamic DSL address (the RDNS says so), BUT, the  
>> (I assume) zombie that is sending it is not a "fire and forget"  
>> zombie, but is retrying if it doesn't get through first time.  I  
>> know this because I run greylisting and the greylist software has  
>> inserted a header into the email to say that it was greylisted for  
>> 339 seconds, which means that it was allowed in on the second  
>> attempt.
>>
>> Damn it, these spammers are getting smart/crafty  :(
>
> _______________________________________________
> Link mailing list
> Link at mailman.anu.edu.au
> http://mailman.anu.edu.au/mailman/listinfo/link

--
Kim Holburn
IT Network & Security Consultant
Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
Cacert Root Cert: http://www.cacert.org/cacert.crt
Aust. Spam Act: To stop receiving mail from me: reply and let me know.
Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm

Democracy imposed from without is the severest form of tyranny.
                           -- Lloyd Biggle, Jr. Analog, Apr 1961