Mailing List Archive: SpamAssassin: users

Multiple embedded images rule

Index | Next | Previous | View Threaded

pavel.bazika at icewarp

Aug 5, 2013, 5:03 AM

Post #1 of 4 (47 views)
Permalink

Multiple embedded images rule

Hello,

attached is an spam email that contains a few embedded images via <img> tag in HTML part. SpamAssassin 3.3.1 on isnotspam.org reports these matches: 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-blockfor more information. [URIs: list-manage2.com] 1.0 DK_SIGNED DK_SIGNED 0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area 0.1 HTML_MESSAGE BODY: HTML included in message 0.0 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.5665] 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 LOTS_OF_MONEY Huge... sums of money X-Spam-Status: Yes, hits=1.5 required=-20.0 tests=BAYES_50,DKIM_SIGNED,
DKIM_VALID,DK_SIGNED,HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOTS_OF_MONEY, MIME_QP_LONG_LINE,URIBL_BLOCKED autolearn=no version=3.3.1 X-Spam-Score: 1.5 I was wondering if there is some rule that will match mails with many embedded images. There is already T_REMOTE_IMAGE in 72_active.cf, but with no score assigned and it also doesn't take into account the number of images in the messages. What about a ruleset matching multiple images in the HTML mail part?
Regards

Pavel Bazika

Attachments:

message-rfc822.eml (16.6 KB)

pavel.bazika at icewarp

Aug 9, 2013, 12:22 AM

Post #2 of 4 (26 views)
Permalink

Multiple embedded images rule [In reply to]

Hello,

attached is an spam email that contains a few embedded images via <img> tag in HTML part.

SpamAssassin 3.3.1 on isnotspam.org reports these matches:

0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-blockfor more information. [URIs: list-manage2.com]
1.0 DK_SIGNED DK_SIGNED
0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area
0.1 HTML_MESSAGE BODY: HTML included in message
0.0 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.5665]
0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars
0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid
-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
0.0 LOTS_OF_MONEY Huge... sums of money

X-Spam-Status: Yes, hits=1.5 required=-20.0 tests=BAYES_50,DKIM_SIGNED,
DKIM_VALID,DK_SIGNED,HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOTS_OF_MONEY, MIME_QP_LONG_LINE,URIBL_BLOCKED autolearn=no version=3.3.1
X-Spam-Score: 1.5

I was wondering if there is some rule that will match mails with many embedded images. There is already T_REMOTE_IMAGE in 72_active.cf, but with no score assigned and it also doesn't take into account the number of images in the messages.

Regards

Pavel Bazika

info at emailitis

Aug 9, 2013, 2:07 AM

Post #3 of 4 (26 views)
Permalink

RE: Multiple embedded images rule [In reply to]

We too get a lot of these emails which are largely an image only. T_REMOTE_IMAGE comes up a lot - but it is not listed in http://spamassassin.apache.org/tests_3_3_x.html and the previous email suggests there is no score attached to it.

I found somewhere before (cannot find it again) that if we put a refined score in brackets into local.cf, it ADDS that score to the Spamassassin default - is that correct? So like this:
score T_REMOTE_IMAGE (3.5)

or do I just have to give it a new score like:
score T_REMOTE_IMAGE 3.5

Can someone remind me how to turn on the "verbose" so that for a short monitoring time we can see the scores being given to all our rules in maillog?

Many thanks, as ever, in advance.

Kind Regards,

Christoph Kuhle
-----Original Message-----
From: Pavel Bazika [mailto:pavel.bazika [at] icewarp]
Sent: 05 August 2013 13:03
To: users [at] spamassassin
Subject: Multiple embedded images rule

Hello,

attached is an spam email that contains a few embedded images via <img> tag in HTML part. SpamAssassin 3.3.1 on isnotspam.org reports these matches: 0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-blockfor more information. [URIs: list-manage2.com] 1.0 DK_SIGNED DK_SIGNED 0.4 HTML_IMAGE_RATIO_02 BODY: HTML has a low ratio of text to image area 0.1 HTML_MESSAGE BODY: HTML included in message 0.0 BAYES_50 BODY: Bayes spam probability is 40 to 60% [score: 0.5665] 0.0 MIME_QP_LONG_LINE RAW: Quoted-printable line longer than 76 chars 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 LOTS_OF_MONEY Huge... sums of money X-Spam-Status: Yes, hits=1.5 required=-20.0 tests=BAYES_50,DKIM_SIGNED, DKIM_VALID,DK_SIGNED,HTML_IMAGE_RATIO_02,HTML_MESSAGE,LOTS_OF_MONEY, MIME_QP_LONG_LINE,URIBL_BLOCKED autolearn=no version=3.3.1 X-Spam-Score: 1.5 I was wondering if there is some rule that will match mails with many embedded images. There is already T_REMOTE_IMAGE in 72_active.cf, but with no score assigned and it also doesn't take into account the number of images in the messages. What about a ruleset matching multiple images in the HTML mail part?
Regards

Pavel Bazika

me at junc

Aug 9, 2013, 4:12 AM

Post #4 of 4 (25 views)
Permalink

RE: Multiple embedded images rule [In reply to]

emailitis.com skrev den 2013-08-09 11:07:

> score T_REMOTE_IMAGE (3.5)

soft score adjust, score will be adjusted from corpus on apache.org

> score T_REMOTE_IMAGE 3.5

hard score forcement, score will not be adjusted but keep as you want

note on T_ is that is a testing score rule not mean to be publiced :(

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads