On Sun, Sep 25, 2022 at 1:56 PM Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 25.09.22 13:35, Alex wrote: > >I've asked variations of this question in the past, but I'm still not sure > >what to do about it. Should an email with just an image attachment, with > no > >subject and no body be treated as spam? This is the circumstance where > >users are using email as a file transfer device. > > > >There seems to be one irregularity with this email that causes it to be > >marked as spam: > > > > * 1.8 MIME_IMAGE_JPG contains wrong MIME type image\\/jpg > > correct mime type is image/jpeg > All indications are that this message was crafted and sent by Gmail. I don't see that an email client connecting to gmail was used. > > >but should that be enough? Here are the other spam indicators for this > >message where only a 9MB attachment was included: > > > > * 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60% > > you can train these, if it makes sense > Yes, I've been doing that, but there are apparently too many slight variations. > > * 0.2 KAM_BLANKSUBJECT Message has a blank Subject > > * 0.2 FREEMAIL_ENVFROM_END_DIGIT Envelope-from freemail username ends in > > * 0.8 MPART_ALT_DIFF BODY: HTML and text parts are different > > so, does the message contain something or doesn't it? looks like either > HTML > or text part does contain something. > Content-Type: text/html; charset="UTF-8" <div><img src="cid:1836721ea9843a698751" style="max-width: 100%;"><div><img src="cid:1836721f684735c7cef2" style="max-width: 100%;"></div></div> sending empty message with empty subject really looks like spam > Do we have more info on what percentage of similar messages are actually spam? It sure seems to me like people are just using email to share pictures (licenses, legal docs, as well as pictures of the kids.) > >It otherwise hit no local rules, passed SPF and DKIM as it went through > >gmail, and even had TXREP deduct a point. > > > >Perhaps we create a meta rule that deducts points for instances where all > >of these rules are hit, indicating it was just an image attachment? > > > >What are others doing here? This is with the latest SA v4 from svn. > > If you can advise the sender not to send blank subject/body, AND possibly > to > fix the mime type, your problem is over > There are too many variations and one-timers for this to be practical. > >
