
Mailing List Archive: SpamAssassin: users

New Image Spam

 

 



jbennett at gcftech

Aug 10, 2007, 7:00 PM

Post #1 of 10 (1259 views)
New Image Spam

Hi everyone.

I'm receiving some new image spam and was wondering if anyone had a technique for it. The image is now an actual image of some porn with a URL at the top of it. I'm using Fuzzy OCR to scan but I don't think Fuzzy checks the URLs. Any ideas? For those that are interested, you can see a sample at:

http://www.gcftech.com/spam.jpg

Thanks

Jason




jhardin at impsec

May 24, 2009, 9:08 AM

Post #2 of 10 (1146 views)
Re: New image spam

On Sun, 24 May 2009, John Hardin wrote:

> On Sun, 24 May 2009, Cedric Knight wrote:
>
>> I think image with no text in the body part at all is pretty rare, but
>> I might do something like that if I was sending a picture to myself.
>
> I think most mailers will do that if you compose a message and drop an image
> on it without entering any text. The multipart/mixed with _no_ text body
> parts at all is pretty clearly spam.

Whoops, that was unclear. I think most mailers will create an empty text
body part if you just drop an image on an empty message. But I haven't
tested that assumption.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin [at] impsec FALaholic #11174 pgpk -a jhardin [at] impsec
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Look at the people at the top of both efforts. Linus Torvalds is a
university graduate with a CS degree. Bill Gates is a university
dropout who bragged about dumpster-diving and using other peoples'
garbage code as the basis for his code. Maybe that has something to
do with the difference in quality/security between Linux and
Windows. -- anytwofiveelevenis on Y! SCOX
-----------------------------------------------------------------------
Tomorrow: Memorial Day - honor those who sacrificed for our liberty
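
The distinction drawn in the post above (an image with no text body part at all, versus an image alongside an empty text part) can be read directly from the MIME structure. The following is an added example, not code from any poster in this thread; `classify_image_mail`, `build_sample` and the sample messages are constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage


def classify_image_mail(raw: bytes) -> str:
    """Return "no-image", "image-no-text", "image-empty-text" or "image-with-text"."""
    msg = message_from_bytes(raw)
    images = text_parts = nonempty_text = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        maintype = part.get_content_maintype()
        if maintype == "image":
            images += 1
        elif maintype == "text" and part.get_content_disposition() != "attachment":
            text_parts += 1
            body = part.get_payload(decode=True) or b""
            if body.strip():  # whitespace-only bodies count as empty
                nonempty_text += 1
    if images == 0:
        return "no-image"
    if text_parts == 0:
        return "image-no-text"      # the case called "pretty clearly spam" above
    if nonempty_text == 0:
        return "image-empty-text"   # an image dropped on an empty message
    return "image-with-text"


def build_sample(text=None) -> bytes:
    """Constructed sample: one inline JPEG part, plus a text part if text is given."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg["Subject"] = "constructed sample"
    if text is not None:
        msg.set_content(text)
    # Placeholder bytes, not a real image; only the MIME type matters here.
    msg.add_attachment(b"\xff\xd8\xff\xe0 placeholder", maintype="image",
                       subtype="jpeg", filename="photo.jpg", disposition="inline")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, text in [("no text part", None), ("empty text part", " \n"),
                        ("real text", "Photo from Saturday.\n")]:
        print(label, "->", classify_image_mail(build_sample(text)))
```

An HTML part that contains only markup still counts as non-empty here, so this separates the structural cases only and says nothing about the text's content.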


scheidell at secnap

Nov 14, 2009, 5:03 AM

Post #3 of 10 (977 views)
Re: New image spam

Alex wrote:
> Hi all,
>
> Has anyone else seen an increase in image spam lately?
>
> http://pastebin.com/m47617898
>
> The LOC_IMGSPAM is a local rule I created that simply checks for
> /inline/ content disposition. I've changed the @ to # to pass the
> pastebin filters.
>
>
no way of helping.. someone (something) truncated the email in pastebin..
doesn't have the mime headers with any attachment, in fact, don't see an
attachment.

> Any ideas what I could be missing on catching this one? Please let me
> know if I can provide any additional information.
>
> Thanks,
> Alex
>



me at junc

Nov 14, 2009, 6:36 AM

Post #4 of 10 (977 views)
Re: New image spam

On lør 14 nov 2009 07:25:20 CET, Alex wrote
> Any ideas what I could be missing on catching this one? Please let me
> know if I can provide any additional information.

score DKIM_SIGNED 5
score USER_IN_DKIM_WHITELIST -5.0
whitelist_from_dkim friend [at] sbcglobal

--
xpoint


gene.heskett at verizon

Nov 14, 2009, 7:25 AM

Post #5 of 10 (977 views)
Re: New image spam

On Saturday 14 November 2009, Alex wrote:
>Hi all,
>
>Has anyone else seen an increase in image spam lately?
>
>http://pastebin.com/m47617898
>
>The LOC_IMGSPAM is a local rule I created that simply checks for
>/inline/ content disposition. I've changed the @ to # to pass the
>pastebin filters.
>
>Any ideas what I could be missing on catching this one? Please let me
>know if I can provide any additional information.
>
>Thanks,
>Alex
>
Yes, sometimes with no mention of it in the text.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
The NRA is offering FREE Associate memberships to anyone who wants them.
<https://www.nrahq.org/nrabonus/accept-membership.asp>

God requireth not a uniformity of religion.
- Roger Williams


mysqlstudent at gmail

Nov 14, 2009, 8:31 AM

Post #6 of 10 (977 views)
Re: New image spam

> no way of helping.. someone (something) truncated the email in pastebin..
> doesn't have the mime headers with any attachment, in fact, don't see an
> attachment.

Please find updated one here:

http://pastebin.com/m291e486b

Benny,

> score DKIM_SIGNED 5
> score USER_IN_DKIM_WHITELIST -5.0
> whitelist_from_dkim friend [at] sbcglobal

That's a good idea, but an administrative nightmare with many users,
particularly with the "fail first, correct later" attitude, they would
kill me.

Thanks,
Alex


me at junc

Nov 14, 2009, 9:58 AM

Post #7 of 10 (980 views)
Re: New image spam

On lør 14 nov 2009 17:31:11 CET, Alex wrote
> That's a good idea, but an administrative nightmare with many users,
> particularly with the "fail first, correct later" attitude, they would
> kill me.

I made a script in PHP that dumps the Horde addressbook to whitelist_auth.cf

put that in a daily cron, solved

--
xpoint


hparker at homershut

Nov 14, 2009, 11:11 AM

Post #8 of 10 (974 views)
Re: New image spam

On Sat, 2009-11-14 at 18:58 +0100, Benny Pedersen wrote:
> I made a script in PHP that dumps the Horde addressbook to
> whitelist_auth.cf

Only if everyone uses webmail...

--
Homer Parker <hparker [at] homershut>


me at junc

Nov 14, 2009, 11:22 AM

Post #9 of 10 (978 views)
Re: New image spam

On lør 14 nov 2009 20:11:09 CET, Homer Parker wrote
> On Sat, 2009-11-14 at 18:58 +0100, Benny Pedersen wrote:
>> I made a script in PHP that dumps the Horde addressbook to
>> whitelist_auth.cf
> Only if everyone uses webmail...

so how do I solve other problems?

if you make me an LDAP addressbook and would like to host it for me or
even just provide me an ebuild, let me know :)

but I begin to think about why not make a DKIM or SPF patch to use
web-based addressbooks in generic?

what's the point in Outlook LDAP addressbooks if it's not working for mail?

yes please mail me back on my new email address you find in body type of spams

KISS :)

--
xpoint


kremels at kreme

Nov 14, 2009, 7:24 PM

Post #10 of 10 (965 views)
Re: New image spam

On 14-Nov-2009, at 10:58, Benny Pedersen wrote:
> On lør 14 nov 2009 17:31:11 CET, Alex wrote
>> That's a good idea, but an administrative nightmare with many users,
>> particularly with the "fail first, correct later" attitude, they would
>> kill me.
>
> I made a script in PHP that dumps the Horde addressbook to whitelist_auth.cf
>
> put that in a daily cron, solved

Assuming everyone uses Horde.

Oh, wait…


--
I DID NOT INVENT IRISH DANCING
Bart chalkboard Ep. 5F03
