There's a new morph from our old nuisance, the inline PNG/RTF, and
all manner of wavy image insecure-boy-drugs spammer. :(

Here's a sample:
        http://puffin.net/software/spam/samples/0009_jpg_oct.txt

It began (here) on Sep 10, and replaced his (relatively boring)
"Your wife photos attached" zipped JPEG.

This time, it has two parts.  The first is plain text, with his
often seen before anti-Bayes chunk of text from a copyright expired
book.

The second part is a new-ish spin:
an image using "application/octet-stream" as the Content Type, but
otherwise sanely constructed (i.e. it has a full filename with
".jpg", which is the ACTUAL image encoding used, unlike some of his
previous morphs).

Sadly, I've seen this particular stupid-spammer-trick before...
in ham. :(  It's rare enough, and the senders broken enough, that
some may feel comfortable penalizing this pattern (maybe a simple
test of app/oct with an image file extension?).  On the other hand,
a significant percentage of the broken mailing lists that use this,
do tend to have high value with their recipients.  A cautious score
is advisable.

On a bright note, it does have the exact same JPEG header size that
I've previously reported (623 bytes).  It also continues this
spammer's use of random (ALWAYS wrong) Realnames in the To header.
Those two tests, plus nation of origin, are my main test hits.
So far, none have snuck thru my last layers of defense.
        - "Chip"
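The "app/oct with an image file extension" test suggested in the post, sketched as an added example (not part of the original post). The function names and the sample messages are constructed for illustration, and the magic-byte sniff is an addition that confirms the attachment really is the image its filename claims.

```python
import email
from email.message import EmailMessage

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
MAGIC = {b"\xff\xd8\xff": "jpeg", b"\x89PNG\r\n\x1a\n": "png", b"GIF8": "gif"}

def sniff(payload):
    """Return the image format suggested by the leading bytes, or None."""
    for magic, kind in MAGIC.items():
        if payload.startswith(magic):
            return kind
    return None

def octet_stream_images(msg):
    """List (filename, sniffed_format) for parts declared as
    application/octet-stream whose filename has an image extension."""
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "application/octet-stream":
            continue
        name = (part.get_filename() or "").lower()
        if not any(name.endswith(ext) for ext in IMAGE_EXTS):
            continue
        payload = part.get_payload(decode=True) or b""
        hits.append((name, sniff(payload)))
    return hits

def build_sample(maintype, subtype, filename):
    """Constructed two-part message: plain text plus one attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("filler text standing in for the anti-Bayes chunk\n")
    # Constructed payload: JPEG SOI/APP0 marker followed by padding.
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 32,
                       maintype=maintype, subtype=subtype, filename=filename)
    # Round-trip through bytes so the check sees what arrives on the wire.
    return email.message_from_bytes(msg.as_bytes())

if __name__ == "__main__":
    for args in [("application", "octet-stream", "pic.jpg"),
                 ("image", "jpeg", "pic.jpg"),
                 ("application", "octet-stream", "notes.zip")]:
        print(args, octet_stream_images(build_sample(*args)))
```

Because the same pattern shows up in mail from broken mailing lists, a hit from this check is best treated as one low-weight signal combined with other tests rather than a verdict on its own.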
