I've been encountering some Spam which plays a particularly nasty trick. However I'm not running my own mail server. My web-hosting company is doing that for me. They run Spam Assassin, and I've set up my mail client to filter on the "X-Spam-Score: " header line. So, I don't really know Spam Assassin or have access to the mail host. On the other hand, I've been a software developer for several decades, and I can write regular expressions in my sleep.
Having said that, let me mention a particularly nasty feature I've found in a spam message I've received several times a day for the last month or so. Its Content-Type is "text/html" and it contains a pornographic image. But what's got me really steamed is the contents of the "src=" attribute on the <img> tag that fetches the image. In addition to the hostname and path to the image, it sends CGI arguments which contain MY email address! Ingenious of someone to figure out that CGI arguments are not limited to <a href=...>, and you can send them in <img src=...> as well, but nasty! It doesn't even permit me the option of choosing not to click on a link. As soon as I ask my mail reader to view the email, it fetches the image, in the course of which it notifies their server that my address is a live one! Here's the offensive HTML:
<img src="http://www.valodata.com/secretary/me.jpg?ba=secretaryvw&bb=mbr&bc=arlsoft.com" border=0>
It seems like it would be pretty easy to write a little Perl to do the following:
1. Break the email address in the "To: " header line into $uid and $domain.
2. Look for <img> tags, extract the value of the "src=" attribute, and match it against:
\b$uid\b.*\b$domain\b and \b$domain\b.*\b$uid\b
If it matches either, then it's reporting the email address of the recipient whenever it fetches an image. There's no reason any legitimate email should ever want to do that. This should bump up this email's X-Spam-Score by a huge amount.
As I said, I'm not running the mail server myself, and I don't have the time to delve into the guts of Spam Assassin myself right now. But if someone could implement the rule I described, it would be a BIG help.
Below, I've included a typical example of this email with each line prefixed by " > ".
Mark Rosenthal [EMAIL PROTECTED]
> From - Sat Jun 28 11:06:23 2003
> X-UIDL: 1056791946.28352.rohan.npsis.com,S=2713
> X-Mozilla-Status: 0011
> X-Mozilla-Status2: 00000000
> Return-Path: <[EMAIL PROTECTED]>
> Delivered-To: [EMAIL PROTECTED]
> Received: (qmail 28349 invoked from network); 28 Jun 2003 09:19:06 -0000
> Received: from unknown (HELO mx.npsis.com) (65.121.176.25)
> by mail.npsis.com with SMTP; 28 Jun 2003 09:19:06 -0000
> Received: from [203.15.67.214] (helo=valodata.com)
> by mx.npsis.com with smtp (Exim 4.20)
> id 19WBrS-000IRU-Lf
> for [EMAIL PROTECTED]; Sat, 28 Jun 2003 03:19:10 -0600
> Received: (qmail 20714 invoked by uid 501); 28 Jun 2003 03:06:36 -0000
> Delivered-To: [EMAIL PROTECTED]
> Date: 28 Jun 2003 03:06:36 -0000
> Message-ID: <[EMAIL PROTECTED]>
> From: "Cecilia Roddey" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: RE: Delivery Problem
> X-Mailer: MSN Explorer 6.00.0010.0912
> X-OriginalArrivalTime: 16 Jun 2003 13:31:02.0726 (UTC) FILETIME=[5D92B660:01C33342
> X-Originating-Ip: [192.168.1.1]
> X-Message-Info: JGTYoYF78jEHjJx36Oi8+Q1OJDRSDidP
> MIME-Version: 1.0
> Content-Type: text/html;
> charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> X-Spam-Score: -1.1 (-)
>
> <body bgcolor=black>
> <center>
> <table border="0" cellspacing="0" cellpadding="0">
> <tr>
> <td>
> <a href="http://www.valodata.com/secretary/index.html?aa=secretaryvw&ab=mbr&ac=arlsoft.com">
> <img src="http://www.valodata.com/secretary/me.jpg?ba=secretaryvw&bb=mbr&bc=arlsoft.com" border=0>
> </a></td>
> </tr>
> </table>
> <Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
> <Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
> <Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
> <Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
> <Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
> <Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br><Br><Br><br><br>
> <p><font size="2"><br>
> <a href="http://www.valodata.com/nomore/search.html?ca=secretaryvw&cb=mbr&cc=arlsoft.com">
> <img src="http://www.valodata.com/secretary/nothanks.gif?da=secretaryvw&db=mbr&dc=arlsoft.com" border=0></a></font></p>
> <br><br>
> <p><font size="2" color=black>
> -----BEGIN PGP SIGNATURE-----
> i3A/A9UAPmf7ZbesiT+lEZdqEQJJ6QCeJcBgl19C3ErrfhM3h7z5Kg49xU89oKHG
> L79MJrvpvQ0ofECdfGbuRfwe
> =u41Z
> -----END PGP SIGNATURE-----
> <br>
> ammo grafted blooms newness gridiron aligning none sympathizing turtles retrying burlesque increments eject afflicted julia magnified leo bystander angie unnerve inscription tenney pounded demandingly wreckage tilted derailed resynchronizing thwarting biharmonic
> commissioning inflamed coveting scottsdale dominated malabar white hardscrabble artful flicks RzneXzoeRzneXneyfbsg.pbzRzneX allotment axing toppled fabrics adventitious acetate pediatrics detective faraday sizable
> </font></p>
> </div>
> </body>
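
The two-step check proposed in the post above, as an added example that is not part of the original message and is not SpamAssassin code. It is written in Python rather than the Perl the post mentions; the names `tracking_img_srcs` and `ImgSrcCollector` are hypothetical, and the recipient address and hosts in `SAMPLE` are constructed. It goes slightly beyond the post's two regexes by escaping the address parts and by decoding percent-encoding before matching.

```python
import re
from email import message_from_string
from email.utils import getaddresses
from html.parser import HTMLParser
from urllib.parse import unquote

class ImgSrcCollector(HTMLParser):
    """Collects the src attribute of every <img> tag."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)

def tracking_img_srcs(raw_message):
    """Return the <img src> URLs that carry a To: recipient's uid and domain."""
    msg = message_from_string(raw_message)
    patterns = []
    for _name, addr in getaddresses(msg.get_all("To", [])):
        uid, at, domain = addr.rpartition("@")
        if at and uid:
            # Escape both halves so "." in the domain stays a literal dot.
            u, d = re.escape(uid), re.escape(domain)
            patterns.append(re.compile(rf"\b{u}\b.*\b{d}\b|\b{d}\b.*\b{u}\b", re.I))
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        collector = ImgSrcCollector()
        collector.feed(body)
        # unquote() so a percent-encoded address (alice%40...) is also seen
        hits += [s for s in collector.srcs
                 if any(p.search(unquote(s)) for p in patterns)]
    return hits

# Constructed sample message (address and hosts are made up for this example).
SAMPLE = """\
To: alice@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<img src="http://tracker.example/a.jpg?ba=x&bb=alice&bc=example.org" border=0>
<img src="http://static.example/logo.gif">
<img src="http://tracker.example/b.gif?r=alice%40exampleXorg">
"""
```

On `SAMPLE` only the first image is reported: the second carries no recipient data, and the third shows why the domain must be escaped, since an unescaped `example.org` pattern would also match `exampleXorg`.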