Spam with only an image?

Matt Kettler mkettler at EVI-INC.COM
Fri Oct 24 18:00:35 IST 2003


At 09:52 AM 10/24/2003, Max Kipness wrote:
>I had just lowered the score on a domain complaining about spam to 5, yet
>when checking some of the spam that got through, I noticed that most of
>them have a score lower than 5 and just consist of an image with maybe a
>line of text at the bottom.
>
>Does anybody have a way to stop these? Seems like an easy way for a
>spammer to get through.

The best ways I've found to deal with these are:
         1) Razor
         2) RBLs
         3) training them into Bayes
         4) keeping up to date on SpamAssassin

Now, admittedly none of the above techniques are 100% foolproof, but they
work pretty well for me.

The most recent pic.gif type embedded image spam got this result from my SA
2.60 setup (note: I have RCVD_IN_DYNABLOCK forced to a low score for
debugging reasons):

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=31.856, required 5,
         BAYES_99 5.40, DATE_SPAMWARE_Y2K 4.20, DNS_FROM_RFCI_DSN 0.29,
         FORGED_MUA_OUTLOOK 2.57, FORGED_OUTLOOK_HTML 1.00,
         FORGED_OUTLOOK_TAGS 1.00, FROM_HAS_MIXED_NUMS 0.26,
         FROM_HAS_MIXED_NUMS3 3.25, HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00,
         HTML_MESSAGE 0.10, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,
         MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.59, PENIS_ENLARGE 2.69,
         RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71,
         RCVD_IN_DYNABLOCK 0.01, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10,
         RCVD_IN_SORBS_MISC 1.20, X_MSMAIL_PRIORITY_HIGH 0.50,
         X_PRIORITY_HIGH 1.30)

The body of this particular spam was just a few embedded images, and some
HTML to link them to a website. The subject line is what caused the
PENIS_ENLARGE rule to fire, but even without it, it would have scored very
high.
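
Added example (not part of the original post, and not MailScanner or SpamAssassin code): a short Python parser for the SpamCheck header quoted above. It recomputes the total with chosen rules removed and groups the hits by evidence type. The grouping prefixes and function names are this example's own assumptions.

```python
import re

# Header text as quoted in the post above, including its folded continuation lines.
HEADER = """X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=31.856, required 5,
         BAYES_99 5.40, DATE_SPAMWARE_Y2K 4.20, DNS_FROM_RFCI_DSN 0.29,
         FORGED_MUA_OUTLOOK 2.57, FORGED_OUTLOOK_HTML 1.00,
         FORGED_OUTLOOK_TAGS 1.00, FROM_HAS_MIXED_NUMS 0.26,
         FROM_HAS_MIXED_NUMS3 3.25, HTML_50_60 0.10, HTML_IMAGE_ONLY_04 1.00,
         HTML_MESSAGE 0.10, MIME_HTML_NO_CHARSET 0.56, MIME_HTML_ONLY 0.32,
         MIME_HTML_ONLY_MULTI 1.10, MISSING_MIMEOLE 1.59, PENIS_ENLARGE 2.69,
         RCVD_IN_BL_SPAMCOP_NET 1.50, RCVD_IN_DSBL 0.71,
         RCVD_IN_DYNABLOCK 0.01, RCVD_IN_SORBS 0.10, RCVD_IN_SORBS_HTTP 1.10,
         RCVD_IN_SORBS_MISC 1.20, X_MSMAIL_PRIORITY_HIGH 0.50,
         X_PRIORITY_HIGH 1.30)"""

# Assumed grouping by rule-name prefix; anything unmatched counts as header evidence.
FAMILIES = {"bayes": ("BAYES_",), "dnsbl": ("RCVD_IN_", "DNS_FROM_"),
            "html/mime": ("HTML_", "MIME_")}

def parse_spamcheck(header):
    """Return (reported_score, required, {rule: score}) from the header."""
    flat = " ".join(header.split())  # unfold continuation lines
    m = re.search(r"\(score=(-?[\d.]+), required (-?[\d.]+), (.*)\)", flat)
    if not m:
        raise ValueError("no SpamAssassin score report found")
    rules = {}
    for item in m.group(3).split(", "):
        name, value = item.rsplit(" ", 1)
        rules[name] = float(value)
    return float(m.group(1)), float(m.group(2)), rules

def score_without(rules, *dropped):
    """Total of the listed rule scores with the named rules left out."""
    return round(sum(v for k, v in rules.items() if k not in dropped), 2)

def by_family(rules):
    """Sum rule scores per evidence family."""
    totals = {}
    for name, value in rules.items():
        fam = next((f for f, p in FAMILIES.items() if name.startswith(p)), "headers")
        totals[fam] = round(totals.get(fam, 0.0) + value, 2)
    return totals

if __name__ == "__main__":
    reported, required, rules = parse_spamcheck(HEADER)
    print(reported, required, score_without(rules, "PENIS_ENLARGE"), by_family(rules))
```

Dropping the subject-line rule, or even the Bayes hit as well, leaves the total far above the required 5, because most of the score comes from header and DNSBL evidence rather than from the message body.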


