image spam again :)
Jonas A. Larsen
jonas at vrt.dk
Tue Aug 25 10:04:03 IST 2009
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Michael Mansour
> Sent: 25. august 2009 10:04
> To: MailScanner discussion
> Subject: RE: image spam again :)
> Hi Jonas,
> > From: Jonas A. Larsen <jonas at vrt.dk>
> > Subject: RE: image spam again :)
> > To: "'MailScanner discussion'" <mailscanner at lists.mailscanner.info>
> > Received: Tuesday, 25 August, 2009, 4:18 PM
> > > > we are seeing a lot of image spam again. we are running sa update and
> > > > the image things they publish / imageinfo.cf and others. But lately a lot
> > > > is getting through.
> > > >
> > >
> > > I hadn't noticed... use zen.spamhaus.org and bl.spamcop.net at SMTP time
> > > along with 15 mins of greylisting for unknown hosts. Problem solved.
> > >
> > > Regards,
> > > Steve.
> > Mmmm well let's be frank Steve, that’s just simply entirely untrue :)
> > The past weeks have seen a rise in image based spam, where many of them (the
> > ones that don’t hit obvious rbl's etc) slip by even ocr plugins etc.
> > If you take a look at the SA list you can see lots of people are seeing this
> > new bunch of image spams and pretty penetrating.
> > So far there's no sure fire way of stopping it if you are to judge by the sa
> > users responses.
> > I use spamhaus and spamcop in mta and greylist, and I've gotten a few of
> > them myself.
> > Many of them use the so called "flag" method where the image looks "wavy"
> > like a flag, which is probably what's disabling the ocr techniques.
> > If anybody got any advice I'd love to hear it.
> From my end, I haven't noticed any image spam getting through. But, I use
> SaneSecurity clam signatures which import the MSRBL image spam
> definitions, so maybe that is why?
> I don't have time to go through the virus infected emails, but I'd suggest
> if you don't use SaneSecurity signatures in ClamAV, you should.
I did deploy all the 3rd party clamav sigs as a test last week, and they are doing great. Thanks to Julian's latest addition I can score them in SA instead of blocking them completely, so I won't be so vulnerable to FP's. I'm using Bill Landry's script to pull all of them auto.
They do hit on a part of the new image spams. But not all of them unfortunately. But the problem would definitely be bigger without the 3rd party sigs.
Med venlig hilsen / Best regards
Jonas Akrouh Larsen
Laplandsgade 4, 2. sal
2300 København S
Office: 7020 0979
Direct: 3336 9974
Mobile: 5120 1096
Fax: 7020 0978