image spam again :)

Jonas A. Larsen jonas at vrt.dk
Tue Aug 25 10:04:03 IST 2009



> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-
> bounces at lists.mailscanner.info] On Behalf Of Michael Mansour
> Sent: 25. august 2009 10:04
> To: MailScanner discussion
> Subject: RE: image spam again :)
> 
> Hi Jonas,
> 
> > From: Jonas A. Larsen <jonas at vrt.dk>
> > Subject: RE: image spam again :)
> > To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info>
> > Received: Tuesday, 25 August, 2009, 4:18 PM
> > > > We are seeing a lot of image spam again. We are running sa update and
> > > > the image things they publish / imageinfo.cf and others. But lately a lot
> > > > is getting through.
> > > >
> > >
> > > I hadn't noticed... use zen.spamhaus.org and bl.spamcop.net at SMTP time
> > > along with 15 mins of greylisting for unknown hosts.  Problem solved.
> > >
> > > Regards,
> > > Steve.
> >
> > Mmmm well let's be frank Steve, that’s just simply entirely untrue :)
> >
> > The past weeks have seen a rise in image based spam, where many of them (the
> > ones that don’t hit obvious rbl's etc) slip by even ocr plugins etc.
> >
> > If you take a look at the SA list you can see lots of people are seeing this
> > new bunch of image spams and pretty penetrating.
> >
> > So far there's no surefire way of stopping it if you are to judge by the sa
> > users' responses.
> >
> > I use spamhaus and spamcop in mta and greylist, and I've gotten a few of
> > them myself.
> >
> > Many of them use the so-called "flag" method where the image looks "wavy"
> > like a flag, which is probably what's disabling the ocr techniques.
> >
> > If anybody has any advice I'd love to hear it.
> 
> From my end, I haven't noticed any image spam getting through. But, I use
> SaneSecurity clam signatures which import the MSRBL image spam
> definitions, so maybe that is why?
> 
> I don't have time to go through the virus infected emails, but I'd suggest
> if you don't use SaneSecurity signatures in ClamAV, you should.
> 
> Regards,
> 
> Michael.
> 

I did deploy all the 3rd party clamav sigs as a test last week, and they are doing great. Thanks to Julian's latest addition I can score them in SA instead of blocking them completely, so I won't be so vulnerable to FPs. I'm using Bill Landry's script to pull all of them automatically.

They do hit on a part of the new image spams. But not all of them unfortunately. But the problem would definitely be bigger without the 3rd party sigs.



Med venlig hilsen / Best regards
 
Jonas Akrouh Larsen
 
TechBiz ApS
Laplandsgade 4, 2. sal
2300 København S
 
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax:    7020 0978
Web: www.techbiz.dk





