I wrote a small quasi-solution to this a while back, a rule which detected 1 pixel "invisible" images. Because generally speaking spammers tend to use invisible 1 pixel images for tracking purposes (but they don't want it to be visible on the email to dilute the spam) it seems to cover most instances.
I can forward it along to you if you want - but it wouldn't help in this particular instance. :(

I suppose the larger question is - how likely is it that an image in a legitimate email would be generated dynamically? (i.e. include "?" in the URI)

Daz

> -----Original Message-----
> From: MBR [mailto:[EMAIL PROTECTED]
> Sent: 29 June 2003 00:13
> To: Tony Earnshaw
> Cc: Mathew Hendry; [EMAIL PROTECTED]
> Subject: Re: [SAtalk] Need rule to filter out spying <img> tags
>
> I think Tony misunderstands. [EMAIL PROTECTED] is the victim here, so we
> wouldn't want to filter out arlsoft. And the villain's domain is valodata today,
> but could be anything tomorrow. What I was looking for was a way to
> increase the X-SpamScore of any email which contained a tag which when
> executed would send the email recipient's address back to some server.
> Hardcoding a string so that I ([EMAIL PROTECTED]) am the only victim protected
> would be much too specific. As Mathew rightly pointed out, a smart
> spammer could easily get around my proposed solution by including an
> obfuscated form of the recipient's address as part of the value of the
> src= attribute of the <img> tag. On the other hand, I would argue that
> not all spammers are that smart, and it wouldn't hurt to allow SpamAssassin
> to identify the dumb ones.
>
> Mark
>
> Tony Earnshaw wrote:
>
> > Mathew Hendry wrote:
> >
> >> That's a very old trick. SpamAssassin is not the program to defeat it
> >> though.
> >
> > Not exactly. Probably unique to this message, but make a rule to
> > filter uri arlsoft or valodata and give that enough points.
> >
> > save Mark's ">" commented stuff, then:
> >
> > vi mark
> > :g/ >/s///g
> >
> > local.cf:
> >
> > uri ARL /(arlsoft|valodata)/i
> > describe ARL SystemAddition: ARLSOFT
> > score ARL 10.0
> >
> > Like "it works for me."
> >
> > Drawbacks: nothing to do with any image. And next time it will be
> > something else, but neither arlsoft nor valodata uris will ever make
> > it again. Pity for the real arlsoft and/or valodata.
> >
> > Or as I've suggested before, have SA analyse and learn from images on
> > porn sites. Something for the developers to do in their spare time ;)
> >
> > Tony
>
> _______________________________________________
> Spamassassin-talk mailing list
> [EMAIL PROTECTED]
> https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
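
The three signals discussed in this thread (the invisible 1-pixel image, the recipient's address inside the src= value, and a "?" in the image URI) as a stand-alone Python check over an HTML mail body. This is an added example, not code from the thread or from SpamAssassin; the function names, reason labels, hosts and recipient address are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: value or "" for name, value in attrs})

def is_one_pixel(img):
    """True when both width and height are exactly 1 (optionally '1px')."""
    return all(re.fullmatch(r"1(px)?", img.get(dim, "").strip().lower())
               for dim in ("width", "height"))

def find_tracking_images(html_body, recipient):
    """Return [(src, [reasons])] for each <img> matching a signal from the thread."""
    collector = ImgCollector()
    collector.feed(html_body)
    findings = []
    for img in collector.images:
        src = img.get("src", "")
        reasons = []
        if is_one_pixel(img):
            reasons.append("one_pixel")          # invisible 1-pixel image
        if recipient.lower() in unquote(src).lower():
            reasons.append("recipient_in_src")   # address sent back, plain or %-encoded
        if urlsplit(src).query:
            reasons.append("dynamic_uri")        # "?" in the URI; weak on its own
        if reasons:
            findings.append((src, reasons))
    return findings

# Constructed sample body; hosts and the recipient address are placeholders.
SAMPLE = """<html><body><p>Special offer</p>
<img src="http://tracker.example/o.gif?u=victim%40example.org" width="1" height="1">
<img src="http://tracker.example/t/9f3c2a.gif" width="1" height="1">
<img src="http://news.example/chart.png?id=42" width="300" height="200">
<img src="http://shop.example/banner.png" width="468" height="60">
</body></html>"""

if __name__ == "__main__":
    for src, reasons in find_tracking_images(SAMPLE, "victim@example.org"):
        print(src, reasons)
```

In the sample, the second image carries only an opaque token, so the address check misses it and the 1-pixel check is what flags it; the third image is a full-size picture with a query string, the legitimate-mail case the "?" question is about.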