Re: new spam image with random body message

[Jeremy Morton]

I'm getting a ton of these lately and they're fscking annoying.  If it 
helps at all, here's an example of one I got:
http://pastebin.com/m6670fab1
Got a positive score, but not high enough.  My SA only seems to be 
checking the Spamhaus PBL - how do I add the other blacklists to my 
scanning, that were mentioned by rich...@buzzhost?  Is there a good 
reason why a default cPanel install might not include these, like 
checking in them takes up significantly more resources?

Best regards,
Jeremy Morton (Jez)

Cory Hawkless wrote:
The RBL is a good point, I'm only getting these when i turn of zen.spamhaus(For 
testing)
BUT the emails i got did NOT have sex in the subject, "How To Give Her strong Harder 
Orgasms - 3 Spectaceular Tips To Make Her Beeg For More And More" is what i got

-----Original Message-----
From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk]
Sent: Wednesday, 17 June 2009 9:43 PM
To: Paweł Tęcza
Cc: users@spamassassin.apache.org
Subject: Re: new spam image with random body message

On Wed, 2009-06-17 at 13:33 +0200, Pawe? T?cza wrote:
Ibrahim Harrani pisze:
Hi,

another header from another image spams.
All images contain god, bad and a url with numbers.
The spamers are cunning... It seems that they have stopped sending spams
with X-Mailer: header containing something like "PHP v5.2.0" or
"PHP/4.4.5". Also they don't use only digits in attachment filenames.
So I'm affraid that my Spamassassin rules are not effective for that
kind of spam :(

It seems that ocrad can't decode the strings in the images.
FuzzyOcr version is 3.6.0
I've added "BAD", "GOOD" and exemplary domain name to my FuzzyOcr word
file, but unfortunately FuzzyOcr didn't recognise them :(

Maybe someone has better idea how to fight that image spam?

Cheers,

P.

But this is all totally academic; Why jump through all the hoops to
block the image when the original connecting IP is showing 'unknown' in
the hostname

Received: from unknown (HELO ognh.user.ono.com)

Is listed on piles of policy and RBL lists;

62.57.252.74     listed in b.barracudacentral.org.
62.57.252.74     listed in PBL (SPAMHAUS)
62.57.252.74     listed in XBL NJABL
62.57.252.74     listed in dul.dnsbl.sorbs.net
62.57.252.74     listed in cbl.abuseat.org.
62.57.252.74     listed in bl.spamcop.net.
62.57.252.74     listed in no-more-funn.moensted.dk.

and has SEX twice in the subject.

Why would it ever get as far as blocking it on the content? What has
gone so wrong it ever got that far?