On Tue, 2006-08-01 at 18:02 -0700, jdow wrote:
> From: "Rob Mangiafico" <[EMAIL PROTECTED]>
>
> > On Mon, 31 Jul 2006, Derek Harding wrote:
> >> rawbody INLINE_IMAGE /src\s*=\s*["']cid:/i
> >> describe INLINE_IMAGE Inline Images
> >> score INLINE_IMAGE 1.5
> >>
> >> I haven't tested this against the SA corpus so YMMV.
> >
> > Anyone else find this to be a good rule to catch these image stock spams
> > without too much collateral damage?
>
> Unless it is hidden in SARE rules some place I have not tried it. That
> would likely detect ANY embedded image, which would be bad.
One thing I've noticed with most of the image spam is that there's
a TAB character after the "Date:" string of the Date header, e.g.:
Date:<tab>Wed, 2 Aug 2006 01:42:58 -0900
I haven't seen this in other emails (usually, it's a space character).
It may not be safe to use by itself, but in combination with other
rules may be helpful.
-Bill
