[LINK] getting rid of image spam

Adam Todd link at todd.inoz.com
Sun Oct 29 12:46:16 AEDT 2006


I didn't say ALL image spam, I said most - based on the sample I have anyway.

You have some interesting ones in there similar to image spam I've started 
to receive in the last 10 days, but haven't had time to really look at 
yet.  (Obviously the image spam that I'm not yet filtering.)

There has to be a better way!

At 10:44 AM 29/10/2006, Kim Holburn wrote:
>Odd, I looked through a few today and I get these.  No height and width at 
>all:
>
><IMG alt="Denied" hspace=0
>src="cid:000901c6fad1$0f812ab0$ee9554db at mychat58829494"
>align=baseline border=0>
>
><IMG alt="" hspace=0
>src="cid:000301c634d3$5e87f4f0$aa0fa8c0 at sanya"
>align=baseline
>border=0>
>
><img border=0 id=rueful.7.gif
>src="cid:5.0.0.24.0.28283979172251.59261367 at blair.brookfld.com.7">
>
><img hspace=0  src="cid:5QFBLJUA06G09LH1FQKI"
>align=baseline>
>
><IMG alt= "" hspace=0
>src= "cid:086501c6faba$32de5350$6601a8c0 at D7X25071"
>align=baseline
>border=0>
>
><IMG alt= "talking" hspace=0
>src="cid:000701c6fae0$5e828c30$447028d5 at Dandermatt"
>align=baseline
>border=0>
>
><IMG alt= "accounting" hspace=0
>src="cid:000e01c6fae5$ef0ded80$9db51148 at D62J2R31"
>align=baseline
>border=0>
>
><IMG alt= "bundled" hspace=0
>src="cid:000301c6fae6$f588e790$47516255 at bsemihy53rdjd3"
>align=baseline border=0>
>
>
>
>On 2006 Oct 28, at 2:38 PM, Adam Todd wrote:
>>Not only are they getting crafty but they break the rules!
>>
>>Most embedded image SPAM messages have an incorrect construct:
>>
>>IMG alt="" hspace=0  width79 heightF8 src="cid:000b01
>>
>>
>>So what I did was this:
>>
>>body -case 'width\S\d height\S\d' drop
>>
>>
>>the regexs (in '') hopefully won't toss too many real ones which should 
>>read using the correct width= syntax.
>>
>>I wonder if this is a "quirk" of the spammer?  Because it's the part that 
>>stands out like a sore thumb!
>>
>>Much better than the multipart suggestion that will catch everything, 
>>even true messages.
>>
>>
>>At 10:01 AM 28/10/2006, Howard Lowndes wrote:
>>>Jan Whitaker wrote:
>>>>At 07:04 AM 28/10/2006, Kim Holburn wrote:
>>>>
>>>>>>He noticed that the image spam emails always have two
>>>>>>distinguishing marks: they come from a different address each time
>>>>>>and the Content-Type header begins with "multipart/related".
>>>>this filtering supposedly works in Eudora as well. I'm having a go 
>>>>since you brought it up. I looked at one of the more recent ones that 
>>>>are mixed color courier font stock info, and it has "multipart/mixed" . 
>>>>I added that to the filter as well in the "any headers" qualifier. It 
>>>>may trash embedded graphics email that I want to get, though, so this 
>>>>may be a risky strategy. I know, I know, but I have family who aren't 
>>>>quite cluey on this stuff and do send email with embedded graphics. 
>>>>What's a person to do?
>>>
>>>Educate them  :)
>>>
>>>An interesting aspect of this type of spam (mostly stock pumps) that I 
>>>have noticed is that, from one that I have just studied, it is coming 
>>>from a dynamic DSL address (the RDNS says so), BUT, the (I assume) 
>>>zombie that is sending it is not a "fire and forget" zombie, but is 
>>>retrying if it doesn't get through first time.  I know this because I 
>>>run greylisting and the greylist software has inserted a header into the 
>>>email to say that it was greylisted for 339 seconds, which means that it 
>>>was allowed in on the second attempt.
>>>
>>>Damn it, these spammers are getting smart/crafty  :(
>>
>>_______________________________________________
>>Link mailing list
>>Link at mailman.anu.edu.au
>>http://mailman.anu.edu.au/mailman/listinfo/link
>
>--
>Kim Holburn
>IT Network & Security Consultant
>Ph: +61 2 61258620 M: +61 417820641  F: +61 2 6230 6121
>mailto:kim at holburn.net
>aim://kimholburn
>skype://kholburn - PGP Public Key on request
>Cacert Root Cert: http://www.cacert.org/cacert.crt
>Aust. Spam Act: To stop receiving mail from me: reply and let me know.
>Use ISO 8601 dates [YYYY-MM-DD] http://www.saqqara.demon.co.uk/datefmt.htm
>
>Democracy imposed from without is the severest form of tyranny.
>                           -- Lloyd Biggle, Jr. Analog, Apr 1961
>
>
