Martin Gregorie wrote:
On Thu, 2009-08-20 at 12:22 +0100, Martin Hepworth wrote:
2009/8/20 Marc Muñoz Salvador <m...@atcubic.com>
Hello to everybody. Sorry if I'm repeating the subject, but
I'm new to the list, and I've been searching before about it
with no success.
I'm having a lot of incoming spam with an attached image which
is flag styled (as the one attached).

Best idea would be to pastebin the full email and send the link. There
may be something in the full email that may well trigger existing
rules.

I've had a couple of those through. They are hard to hit because the
text, although gibberish, has been spell checked and had few, if any,
common features. In fact about the only common features have been the
JPG attachment (which I didn't try to recognise - no OCR module so far)
and the subject, which varies, but is entirely lower case.
They were scoring around 2.5 here but I added a couple of nibbles, e.g.
a tendency to arrive via a seldom used address, and got them above my
threshold of 6.0.
To the OP: look through the headers and add fairly low scoring rules that
hit on anything that's not normal for your usual non-spam incoming mail.
Keep the scores low so that triggering one or two won't cause an FP.

I've been doing battle with this type of "flag" image spam the last week
or so, my normal rules didn't touch a lot of them. I run FuzzyOCR, gocr
and ocrad did not detect anything; however, I tried the tesseract OCR
engine and that managed to get 1 word out of the image - fortunately that
word was a well known drug :)

However it seems to have evolved again and tesseract is not extracting
any usable words.

I hate to plug commercial services but I had a lot of users complaining
so as of about 3 hours ago I'm trialling SNF4SA (google it), initial
results so far look promising, quite a few of these "new" variations of
the image spam have been caught which wouldn't have without it.

Obviously too early to tell how effective it is but I'll update the list
of my findings.
Paul
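
Added example, not part of the thread and not any poster's code: a small Python sketch of the "low scoring nibbles" approach described above, using the features the thread mentions (all-lower-case subject, JPG attachment, seldom used recipient address) and the 2.5 base score and 6.0 threshold quoted there. The per-feature weights, the address `old-alias@example.com` and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string

THRESHOLD = 6.0  # spam threshold quoted in the thread
# Assumed low per-feature scores ("nibbles"); names and values are illustrative.
WEIGHTS = {"subj_all_lower": 1.0, "jpeg_attachment": 1.0, "rare_rcpt": 2.0}
RARE_ADDRESSES = {"old-alias@example.com"}  # hypothetical seldom used address


def features(raw):
    """Return the set of feature names that fire on one raw message."""
    msg = message_from_string(raw)
    hits = set()
    subject = msg.get("Subject", "")
    # Subject contains letters and none of them are upper case.
    if any(c.isalpha() for c in subject) and subject == subject.lower():
        hits.add("subj_all_lower")
    if any(p.get_content_type() == "image/jpeg" for p in msg.walk()):
        hits.add("jpeg_attachment")
    rcpts = (msg.get("To", "") + " " + msg.get("Cc", "")).lower()
    if any(addr in rcpts for addr in RARE_ADDRESSES):
        hits.add("rare_rcpt")
    return hits


def total_score(raw, base):
    """Add the nibble scores to the score the existing rules already gave."""
    return base + sum(WEIGHTS[f] for f in features(raw))


def build(subject, to, jpeg):
    """Construct a sample message (constructed test data, not real mail)."""
    head = f"From: a@example.net\nTo: {to}\nSubject: {subject}\nMIME-Version: 1.0\n"
    if not jpeg:
        return head + "Content-Type: text/plain\n\nhello\n"
    return (head + 'Content-Type: multipart/mixed; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\ntext\n"
            "--b\nContent-Type: image/jpeg\n"
            "Content-Transfer-Encoding: base64\n\n/9j/\n--b--\n")


SPAM = build("weather report for friday", "old-alias@example.com", jpeg=True)
HAM = build("holiday photos", "me@example.com", jpeg=True)

if __name__ == "__main__":
    for name, raw, base in (("spam-like", SPAM, 2.5), ("ham", HAM, 0.0)):
        s = total_score(raw, base)
        print(name, sorted(features(raw)), s, "SPAM" if s >= THRESHOLD else "ok")
```

The constructed ham message trips two of the three features and still stays well under the threshold, which is the reason for keeping each individual score low.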