> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 16, 2004 8:08 PM
> To: [EMAIL PROTECTED]
> Subject: [SAtalk] Image-ONLY e-mails not filtered?
>
>
> FYI -- I'm noticing SPAMs which contain ONLY an image are not being filtered
> at all. Specifically, the HTML message only contains simple open/close BODY
> and HTML tags with just the IMG SRC tag in the middle - which in turn loads
> a spam-related promotion from somewhere... I was assuming this type of
> e-mail should be a huge red-flag and/or filtered under the existing "this is
> an HTML message" rules, but it doesn't appear to be.
>
> Sorry I don't know the product version as I didn't install this, but it's
> one of the more recent releases. Also, here's a copy of the message code
> that seems to be getting through every time:
>
> <html><body>
> <center><!--srZkEeuXfpqH--><a
> href="http://www.richdd.com?rid=**somenumber**"><img
> src="http://www.canzzd.com/v9.gif" border=0></a></center>
> <body></html>
>
I posted a rule earlier to catch these. The second one is in TESTING, but this first one works perfectly. Watch out for line wraps when reading this in email.

rawbody __VDRUG1 /^\<html\>\<body\>/
rawbody __VDRUG2 /^\<center\>\<\!\-\-.{10,15}\-\-\>\<a href\=\"http\:\/\//
rawbody __VDRUG3 /[a-zA-Z]\d\.gif\" border\=0\>\<\/a\>\<\/center\>/
rawbody __VDRUG4 /^\<\/?body\>\<\/html\>/
meta MRWIGGLY (__VDRUG1 && __VDRUG2 && __VDRUG3 && __VDRUG4)
describe MRWIGGLY Mr. Wiggly enhance drug spam.
score MRWIGGLY 1.0

rawbody __VDRUG1B /^<html>$/
rawbody __VDRUG2B /^<body>pic is loading/
rawbody __VDRUG3B /\/(?:[a-zA-Z]|\d)\.gif\" border\=0\>\<\/a\>$/
rawbody __VDRUG4B />0pt out<\/a>$/
meta MRWIGGLY3 (__VDRUG1B && __VDRUG2B && __VDRUG3B && __VDRUG4B)
score MRWIGGLY3 1.0

Enjoy

--Chris

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
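
Added example, not part of Chris's post: a Python check of the four MRWIGGLY sub-rules against the quoted message, assuming each rawbody pattern is tested against one body line at a time. The wrapped sample is the copy as it appears in the quoted mail; the unwrapped sample (the same markup joined onto one line) and the benign message are constructed. It shows that the meta fires only when the link markup sits on a single line, so a mail-wrapped copy is not a valid test input.

```python
import re

# Sub-rule patterns copied from the MRWIGGLY rules in the post.
SUBRULES = {
    "__VDRUG1": r'^\<html\>\<body\>',
    "__VDRUG2": r'^\<center\>\<\!\-\-.{10,15}\-\-\>\<a href\=\"http\:\/\/',
    "__VDRUG3": r'[a-zA-Z]\d\.gif\" border\=0\>\<\/a\>\<\/center\>',
    "__VDRUG4": r'^\<\/?body\>\<\/html\>',
}

def subrule_hits(raw_body):
    """Names of sub-rules matching at least one line (assumed per-line evaluation)."""
    lines = raw_body.splitlines()
    return {name for name, pat in SUBRULES.items()
            if any(re.search(pat, line) for line in lines)}

def mrwiggly(raw_body):
    """meta MRWIGGLY: true only when all four sub-rules hit."""
    return subrule_hits(raw_body) == set(SUBRULES)

# Constructed: the quoted sample with the <center> element joined onto one line.
SPAM_UNWRAPPED = (
    '<html><body>\n'
    '<center><!--srZkEeuXfpqH--><a href="http://www.richdd.com?rid=**somenumber**">'
    '<img src="http://www.canzzd.com/v9.gif" border=0></a></center>\n'
    '<body></html>\n'
)

# The sample as it appears, mail-wrapped, in the quoted message.
SPAM_WRAPPED = (
    '<html><body>\n'
    '<center><!--srZkEeuXfpqH--><a\n'
    'href="http://www.richdd.com?rid=**somenumber**"><img\n'
    'src="http://www.canzzd.com/v9.gif" border=0></a></center>\n'
    '<body></html>\n'
)

# Constructed benign HTML mail with a single centered image.
HAM = ('<html><body>\n'
       '<center><img src="http://example.com/logo.gif" border=0></center>\n'
       '</body></html>\n')

if __name__ == "__main__":
    for label, body in [("unwrapped", SPAM_UNWRAPPED),
                        ("wrapped", SPAM_WRAPPED), ("ham", HAM)]:
        missing = sorted(set(SUBRULES) - subrule_hits(body))
        print(f"{label:10} MRWIGGLY={mrwiggly(body)} missing={missing}")
```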