Tiled gif spam

Gareth list-mailscanner at linguaphone.com
Thu Aug 23 19:05:36 IST 2007


> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info]On Behalf Of Denis
> Beauchemin
> Sent: 23 August 2007 16:44
> To: MailScanner discussion
> Subject: Re: Tiled gif spam
> 
> 
> Gareth wrote:
> > On Thu, 2007-08-23 at 15:51, Denis Beauchemin wrote:
> >   
> >> Glenn Steen wrote:
> >>     
> >>> On 23/08/07, Andrew MacLachlan <andy.mac at global-domination.org> wrote:
> >>>   
> >>>       
> >>>> Sorry - this is the analysis from Mailwatch:
> >>>>
> >>>> Spam Report:
> >>>> Score   Matching Rule
> >>>>         score=3.919
> >>>> 4       required
> >>>> 0.00    DKIM_SIGNED
> >>>> -0.00   DKIM_VERIFIED
> >>>> 2.50    HTML_IMAGE_ONLY_16
> >>>> 0.00    HTML_MESSAGE
> >>>> 1.42    SARE_GIF_ATTACH
> >>>>
> >>>> As you can see, it was almost trapped. Of course I could always up the
> >>>> scores for SARE_GIF_ATTACH and HTML_IMAGE_ONLY_16, but I think an
> >>>> additional rule for side-by-side gifs might be a better approach? I'm
> >>>> not sure what the best score might be for such a rule - but something
> >>>> around the 1.0 mark would probably be appropriate.
> >>>>
> >>>> -Andy
> >>>>
> >>>>     
> >>>>         
> >>> Why don't you use ImageInfo? Or do you do that and it didn't trigger
> >>> even one little rule? If so... Strange...
> >>>
> >>> Cheers
> >>>   
> >>>       
> >> Glenn,
> >>
> >> Just installed it and fed it the email and... nothing...  I ran SA in 
> >> debug and saw it there, but no scoring...
> >>
> >> How can I tell it to look for n side-by-side gifs?  I didn't see 
> >> anything about side-by-side images, just the total amount of images, 
> >> which could trigger on many FP...
> >>
> >> Thanks!
> >>
> >> Denis
> >>     
> >
> > Can you post the image up somewhere then we can take a look.
> >
> >   
> I'm not the one who started this thread.  I just saved the original 
> email to disk and ran it through my own SA setup.  The original email 
> was from andy.mac at global-domination.org (Andrew MacLachlan).
> 
> Denis

I didn't see it. I guess the sanesecurity signatures caught it :)


