Hello.

From: Craig Baird <[EMAIL PROTECTED]>
Subject: Image spam
Date: Thu, 26 Jan 2006 10:21:14 -0700

> Since the first of the year, we've seen a barrage of image spam. Some of it
> gets nailed by SA, but a lot of it seems to get through. Most of it has a
> text/plain part with random or nonsensical text. It also has a text/html
> part, also with random text. Then, the actual spam (usually a stock spam) is
> contained in a 15k-20k .gif image. I've found that many of these hit very few
> rules, and due to the random text, Bayes appears to be ineffective. I'm using
> SA 3.04, most of the SARE rules, and network tests, Razor, SURBL/URIBL. Has
> anyone come up with a good way to stop these?
>
> Craig

Your SA is old, so I recommend upgrading to SA 3.1.0.

And, it seems to me that some rules failed to detect the image spam's
characteristics. Especially, the HTML_FONT_SIZE_*** rules don't seem to work
correctly.

## --- rule examples ---
# True when any of the stock image-only / image-ratio HTML rules hit.
meta ___HTMLIMG HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 || HTML_IMAGE_ONLY_28 || HTML_IMAGE_ONLY_32 || HTML_IMAGE_RATIO_02

# FONT tag with size 0-5, an optional face attribute and optional quotes.
rawbody HTML_FONT_SIZE_TINY2 /<FONT +(face=\w+ |)size=\"{0,1}[0-5]\"{0,1}>/i
describe HTML_FONT_SIZE_TINY2 <FONT face=Arial size=2>
score HTML_FONT_SIZE_TINY2 0.5

meta IMGONLYHTML1 HTML_FONT_SIZE_TINY2 && ___HTMLIMG && BAYES_99

# Stray "," or "!" at the start of a line, or standing alone between words.
rawbody ___OBSCURED_TEXT1 /^(,|\!)($| \w)/
rawbody ___OBSCURED_TEXT2 /\w (,|\!) \w/

meta IMGONLYHTML2 ___OBSCURED_TEXT1 && ___OBSCURED_TEXT2 && ___HTMLIMG && BAYES_99
## --- rule examples ---

There are several types of image-only spam.
I wrote two types of image spam in a hurry.

--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
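
An added example, not part of the original post: a small Python harness that applies the three rawbody patterns above to constructed sample bodies and combines them with stock-rule hits the way the two meta rules do. The function name, the sample bodies and the per-line matching are assumptions made here, and the face pattern is written as \w+ (an assumption) so that the sample in the describe line matches.

```python
import re

# rawbody patterns from the post, translated from Perl to Python syntax.
# Assumption: face=\w+ (one or more characters) so "face=Arial" matches.
RAWBODY = {
    "HTML_FONT_SIZE_TINY2": re.compile(r'<FONT +(face=\w+ |)size="{0,1}[0-5]"{0,1}>', re.I),
    "___OBSCURED_TEXT1": re.compile(r'^(,|!)($| \w)'),
    "___OBSCURED_TEXT2": re.compile(r'\w (,|!) \w'),
}

# Stock SpamAssassin rules that the ___HTMLIMG meta ORs together.
HTMLIMG_RULES = {f"HTML_IMAGE_ONLY_{n:02d}" for n in range(4, 33, 4)} | {"HTML_IMAGE_RATIO_02"}


def evaluate(body, stock_hits):
    """Return every rule name that fires for one message.

    body: decoded message body text (matched line by line, a simplification).
    stock_hits: stock rule names SpamAssassin already reported, e.g. BAYES_99.
    """
    lines = body.splitlines()
    hits = set(stock_hits)
    for name, rx in RAWBODY.items():
        if any(rx.search(line) for line in lines):
            hits.add(name)
    if hits & HTMLIMG_RULES:
        hits.add("___HTMLIMG")
    if {"HTML_FONT_SIZE_TINY2", "___HTMLIMG", "BAYES_99"} <= hits:
        hits.add("IMGONLYHTML1")
    if {"___OBSCURED_TEXT1", "___OBSCURED_TEXT2", "___HTMLIMG", "BAYES_99"} <= hits:
        hits.add("IMGONLYHTML2")
    return hits


# Constructed sample bodies (not taken from real mail).
SAMPLE_TINY = ('<html><body>\n<FONT face=Arial size=2>quarterly garden window</FONT>\n'
               '<img src="cid:part1.gif">\n</body></html>')
SAMPLE_OBSCURED = ('<html><body>\n, table walked river\nstone , hollow ! lamp\n'
                   '<img src="cid:part1.gif">\n</body></html>')
SAMPLE_HAM = '<html><body>\n<FONT size="+1">Hello, team!</FONT>\n</body></html>'

if __name__ == "__main__":
    for label, body, stock in [
        ("tiny font", SAMPLE_TINY, {"HTML_IMAGE_ONLY_08", "BAYES_99"}),
        ("obscured text", SAMPLE_OBSCURED, {"HTML_IMAGE_RATIO_02", "BAYES_99"}),
        ("ham", SAMPLE_HAM, set()),
    ]:
        print(label, sorted(evaluate(body, stock)))
```

Both meta rules stay silent unless BAYES_99 is among the stock hits, so on mail where Bayes is ineffective the rawbody patterns can match without either meta firing.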