On Mon, 20 Sep 2010, Chip M. wrote:
The second part is a new-ish spin: an image using "application/octet-stream" as the Content Type, but otherwise sanely constructed (i.e. it has a full filename with ".jpg", which is the ACTUAL image encoding used, unlike some of his previous morphs).
Dangit, I can't believe I didn't include that in my existing obfuscation rules. Added.
Sadly, I've seen this particular stupid-spammer-trick before... in ham. :( It's rare enough, and the senders broken enough, that some may feel comfortable penalizing this pattern (maybe a simple test of app/oct with an image file extension?). On the other hand, a significant percentage of the broken mailing lists that use this, do tend to have high value with their recipients. A cautious score is advisable.
meta it with "not mailing list". I'll review masscheck results for that sort of thing.
-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ----------------------------------------------------------------------- The Constitution is a written instrument. As such its meaning does not alter. That which it meant when adopted, it means now. -- U.S. Supreme Court SOUTH CAROLINA v. US, 199 U.S. 437, 448 (1905) ----------------------------------------------------------------------- 88 days until TRON Legacy
