Tristan Miller wrote:
Greetings.
I'm using SpamAssassin 3.0.4 with local Bayesian filtering, Vipul's Razor,
and several daily-updated SARE rulesets [1]. Nonetheless, there's one
particular kind of spam lately that always seems to slip through; it
consists of a bunch of random words plus a graphic attachment. The
graphic is usually a page of text advertising something -- almost always a
stock, though I've had a few penis-enlargement product ads. See
<http://www.dfki.uni-kl.de/~miller/tmp/stock_spam.txt> for some examples
(mbox format).
Does anyone have a filterset or other recommended settings that will block
this kind of spam?
Regards,
Tristan
[1] SARE rulesets: SARE_REDIRECT_POST300 SARE_EVILNUMBERS0
SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 SARE_BAYES_POISON_NXM SARE_HTML
SARE_HEADER SARE_SPECIFIC SARE_ADULT SARE_BML SARE_FRAUD SARE_SPOOF
SARE_RANDOM SARE_SPAMCOP_TOP200 SARE_OEM SARE_GENLSUBJ SARE_HIGHRISK
SARE_UNSUB SARE_URI0 SARE_URI1 SARE_URI2 SARE_WHITELIST SARE_OBFU
I have seen the same thing. And I think the real answer here is no...I
have looked into OCR for detecting this stuff, but to do this properly,
you would have to scan every graphic attachment...which means valid
graphics...and I don't know if you've seen what OCR does to graphics,
but it isn't pretty...
You could scan for a text part of the attachment, but from what I've
seen these generally have a date encoded somewhere which means it is
regenerated every day...
These graphics also contain a non-white background color and odd fonts
which make OCR more difficult...
Have you looked at the SaneSecurity rules for ClamAV? These seemed to
help us some...
--
Regards,
Mike
