Why doesn't DCC help against image spam?

Glenn Steen glenn.steen at gmail.com
Tue Dec 26 18:26:11 CET 2006


On 26/12/06, Ken A <ka at pacific.net> wrote:
>
>
> Glenn Steen wrote:
> > On 26/12/06, Scott Silva <ssilva at sgvwater.com> wrote:
> >> Remco Barendse spake the following on 12/24/2006 7:43 AM:
> >> > Now that ORDB is down my mailscanner is not filtering any spam anymore,
> >> > I might as well disable it.
> >> >
> >> > But out of curiosity, why doesn't DCC work for the image spam?
> >> >
> >> > A checksum should be reasonably effective against the image spam I
> >> > think? Assuming that they are not dynamically building each picture a
> >> > bit differently for each e-mail that is sent?
> >> But that could be what they are doing. Spammers are like cockroaches. They
> >> adapt very quickly, and after they mass-fire their crap, they change up a bit,
> >> and reload for the next salvo.
> >>
> >> It's war, and we are always on the defense.
> > Depressing but true... I think I'll have another Julsnaps... To
> > enliven my defenses... (If the snaps fails to do that.... well, at
> > least I'll be having more fun...:-)
> >
> > Seriously though, I think the only real effective defenses (on my
> > systems at least) against image-based spam has been a combination of
> > the digests (yes, they do take _some_ of it), RFC "strictness" checks
> > (in PF) and ImageInfo (and some TVD rules picked up by an sa-update).
> > When these fail I'll be going for FuzzyOcr (have just tested this so
> > far, but ... it really needs muscle that the production boxes lack).
> > Or someone really clever will have found another method:-).
>
> FuzzyOCR runs by default with a low priority (runs as last SA test), so
> it only runs when the SA score (so far) is > $X, so set that to your low
> threshold, and FuzzyOCR only runs on spam that hasn't been tagged yet.
> Works quite well, and doesn't take all that much cpu, since > 70% of the
> image spam is caught by the other methods.
True enough... When I've been testing I haven't been taking that into
consideration (looking at "synthetic" situations can blind one to
things:-). Will likely implement it in production some time early next
year then. Thanks Ken.

> > Ceers
Hm, perhaps I should take it easy with that Snaps:-). Or not....
Cheers,
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
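
The point raised in the thread, that a checksum stops matching once each picture is built a bit differently per message, shown as an added example that is not part of the original message and is not the algorithm used by DCC, ImageInfo or FuzzyOcr. It compares an exact SHA-256 digest with a simple average hash (a stand-in perceptual fingerprint chosen for illustration) on constructed 32x32 grayscale images; all names and the distance threshold are assumptions.

```python
import hashlib
import random

SIZE, GRID = 32, 8            # constructed 32x32 image, fingerprinted on an 8x8 grid
CELL = SIZE // GRID

def make_image(dark_rows=(), dark_cols=()):
    """Constructed sample: dark bars (40) on a light background (220)."""
    return [[40 if (y // CELL in dark_rows or x // CELL in dark_cols) else 220
             for x in range(SIZE)] for y in range(SIZE)]

def randomize(img, seed, amplitude=8):
    """Per-message variation: small random noise added to every pixel."""
    rng = random.Random(seed)
    return [[min(255, max(0, p + rng.randint(-amplitude, amplitude))) for p in row]
            for row in img]

def exact_digest(img):
    """Exact checksum over the raw pixel bytes: any change gives a new value."""
    return hashlib.sha256(bytes(p for row in img for p in row)).hexdigest()

def average_hash(img):
    """One bit per grid cell: is the cell brighter than the image average?"""
    means = [sum(img[by * CELL + dy][bx * CELL + dx]
                 for dy in range(CELL) for dx in range(CELL)) / (CELL * CELL)
             for by in range(GRID) for bx in range(GRID)]
    overall = sum(means) / len(means)
    return [m > overall for m in means]

def hamming(a, b):
    """Number of differing bits between two fingerprints."""
    return sum(x != y for x, y in zip(a, b))

def near_duplicate(a, b, max_distance=4):
    """Assumed threshold: at most 4 of 64 bits may differ."""
    return hamming(average_hash(a), average_hash(b)) <= max_distance

if __name__ == "__main__":
    base = make_image(dark_rows=(1, 2, 5))        # "text lines" on a light image
    other = make_image(dark_cols=(0, 3, 4, 6))    # an unrelated picture
    for seed in (1, 2):
        v = randomize(base, seed)
        print("variant", seed, "exact match:", exact_digest(v) == exact_digest(base),
              "| fuzzy distance:", hamming(average_hash(v), average_hash(base)))
    print("unrelated image fuzzy distance:",
          hamming(average_hash(other), average_hash(base)))
```
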

