Just to add my 2 Euro-Cent:
Something like this might actually exist (in as far as gif-only spams
are of interest).
Bert Ungerer, an editor with the German IT magazine 'iX', developed a
procmail-based AntiSpam-System he called 'NiXSpam'.
One part of it is a list of MD5-hashes of parts of the body of mails
that fail diverse whitelisting criteria. A mail that comes in later and
whose body returns the same hash value is considered spam. The
procmail-Recipe in question can be found here:
ftp://ftp.ix.de/pub/ix/ix_listings/2004/05/checksums
Now, these hashes have been available by DNS for some time now. I've put
together a plugin for SpamAssassin to use these hashes (to be found at
http://wiki.apache.org/spamassassin/iXhash) and set up my own RBL (with
our own input) to boot. Work quite well here, but then it's (propably)
not enough spam to come to real conclusions
Anyone willing to experiment is welcome, expecially Sven, the original
poster (who lives in Munich just like I do- the world's a small
place...). More info to be found at the wiki.
Dirk
Rob Skedgell schrieb:
On Sunday 10 Jul 2005 06:41, William Stearns wrote:
Good evening, all,
On Thu, 9 Jun 2005, Chris Santerre wrote:
From: Sven Riedel [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 09, 2005 10:19 AM
has anyone developed a good strategy against spams
that contain a random text and the actual spam in
an image within a multipart/alternative mail?
Short of entirely blocking mails containing images, that
is.
Check out the interesting idea at www.rulesemporium.com/forums/
entitled: Image attachment MD5 footprint RBL
Pretty cool.
The forums appear to be down at the moment, so I couldn't read the
thread involved.
I'm guessing the idea is to have a set of md5sums of known spam
attachments (images and others), so when a new message comes in, the
spam filter md5sums/sha1sums each mime part and does a dns lookup on
6f2b009a213b916d391407a7f86c0300.attach.uribl.com
, which returns a 127.0.0.2 if that's a known spam attachment?
razor, pyzor, and dcc do this with custom client apps and
protocols (just try getting the razor protocol from Vipul or Jordan
;-). I kind of like the idea of doing it with dns and simple md5 or
sha1 checksums. Enough so that I extracted around 21,000 unique
attachments from the 3.5G of the last 3 years of hand-checked spam.
I hand-checked 9,791 of those attachments (*) and placed their
md5sums and sha1sums up at http://www.stearns.org/spamattach/
(http://www.stearns.org/spamattach/combined.md5sums and
http://www.stearns.org/spamattach/combined.sha1sums hold all of the
sums)
Is someone willing to do the SA plugin to ms5/sha1 sum each
non-text mime part (or even just the images for efficiency)? If so,
I'd be glad to create a zone to test from.
For all those that aren't sure it's worth redoing the razor,
pyzor, and dcc work in a dns-based rbl, I guess I'd answer I'm not
sure either. :-) On the other hand, I've already done a
hand-checked set of sums, the plugin shouldn't be all that hard, and
we can throw it at a corpus to see how well it works. It might just
help enough to be worth it....
Cheers,
- Bill
* I had to stop when my eyes glazed over. :-)
I would certainly be interested in this as I've been replacing all but
the first and last lines of base64 from spam attachments in NANAS
postings with somthing like this (from diploma mill spam) posted as
<news:[EMAIL PROTECTED]>:
*** Attachment "subliminal.GIF" elided:
*** file(1) : GIF image data, version 89a, 642 x 485
*** size: 11443 bytes
*** md5sum: ac5d8f032c58938a821771ef96eb970d
*** sha1sum: ac029c1f85000f028233d4ad60a0e860e973a806
*** clamscan: OK
***
*** Phone number in image: +1-206-984-0021
***
(Not found amongst the 1299 entries in
<http://www.stearns.org/spamattach/diploma.md5sums>).
The only problem I can see with this is that once it caught on the
spammers would be able to frustrate it quite easily. Obviously, I won't
suggest how in a public forum...
