[EMAIL PROTECTED] wrote:
> FYI -- I'm noticing SPAMs which contain ONLY an image are not being
> filtered at all. Specifically, the HTML message only contains simple
> open/close BODY and HTML tags with just the IMG SRC tag in the middle
> - which in turn loads a spam-related promotion from somewhere... I
> was assuming this type of e-mail should be a huge red-flag and/or
> filtered under the existing "this is an HTML message" rules, but it
> doesn't appear to be.
>
> <html><body>
> <center><!--srZkEeuXfpqH--><a
> href="http://www.richdd.com?rid=**somenumber**";><img
> src="http://www.canzzd.com/v9.gif"; border=0></a></center>
> <body></html>
>
>
Try this out for size, they are a few custom rules I have created myself.
# Catch Image ONLY spams!
rawbody __FVGT_rb_HTML_HAS_AHREF eval:html_tag_exists('a')
rawbody __FVGT_rb_HTML_HAS_IMG eval:html_tag_exists('img')
full __FVGT_rb_HTML_LEN_80_375 /<(?:html|body).{80,375}<\/(?:body|html)>/is
full __FVGT_rb_A_THEN_IMG /<a.{12,155}<img/is
meta FVGT_m_IMAGE_ONLY_SPAM (__FVGT_rb_HTML_LEN_80_375 &&
__FVGT_rb_HTML_HAS_AHREF && __FVGT_rb_HTML_HAS_IMG && __FVGT_rb_A_THEN_IMG)
describe FVGT_m_IMAGE_ONLY_SPAM Short HTML message with IMG and A HREF
score FVGT_m_IMAGE_ONLY_SPAM 3.5
The size of 80,375 might need to be tweaked but this rule does what you are
looking for!
-------------------------------------------------------
The SF.Net email is sponsored by EclipseCon 2004
Premiere Conference on Open Tools Development and Integration
See the breadth of Eclipse activity. February 3-5 in Anaheim, CA.
http://www.eclipsecon.org/osdn
_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
![http://www.canzzd.com/v9.gif"](http://www.canzzd.com/v9.gif"){kind=link}