> In case it's of interest to the list, the spam in question gets a very
> high SpamAssassin rating of 15.3 but was passing by the scanner on the
> size limit. The attachment is a JPG of 600k which is a scan of a scam

600k JPEG? That'd be about 800k base64 encoded.

> letter about bank transfers etc with South Africa. It does not seem to
> contain any virus (shows as clean with Clam AV and Microsoft SE) so
> isn't blocked on this.

> Looks a bit like they stuck the JPG in just to get past this type of
> spam scan size limit...

Frankly, I don't think it is deliberately to get past the threshold. I've been observing a recent casino spam run, featuring an all-shiny HTML message almost exclusively assembled by images. A few of them exceeded my threshold. Most don't. Which makes it appear more like an accidental evasion.

Regarding your specific sample -- well, honestly, I don't think the average 419 scammer is even smart enough to worry about a threshold. Too often they even screw up the copy-n-paste, not to mention all the horrible, brain-hurting things I've seen reviewing the scam corpus.

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}