Tiny image only spam [OT]

Randal, Phil prandal at herefordshire.gov.uk
Mon May 11 10:00:28 IST 2009 

These rules were posted to the spamassassin-users mailing list by John Hardin  a few days ago
 
header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
score MIME_IMAGE_ONLY 2.00
describe MIME_IMAGE_ONLY Image body part but no text body parts

Cheers,

Phil 

-- 
Phil Randal | Networks Engineer 
Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division 
Thorn Office Centre, Rotherwas, Hereford, HR2 6JT 
Tel: 01432 260160 
email: prandal at herefordshire.gov.uk 

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council.

This e-mail and any attached files are confidential and intended solely for the use of the addressee. This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it.

 

________________________________

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Jason Ede
Sent: 11 May 2009 07:55
To: MailScanner discussion
Subject: RE: Tiny image only spam [OT]



Fuzzy OCR does the job, but bear in mind there is a significant overhead with using it. We stopped using it as it was significantly increasing the load on our servers and other measures were working better.

Jason

From: mailscanner-bounces at lists.mailscanner.info [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Gary Faith
Sent: 11 May 2009 04:21
To: mailscanner at lists.mailscanner.info
Subject: Re: Tiny image only spam [OT]

 

I have seen this too.  I ran across several sites that pointed me to some software that has solved this problem.  I looked at this first:

 

http://www.nabble.com/GIF-Spam----Setting-up-the-%27OCR-scanner-and-image-validator-SA-plugin%27-to5622534.html

 

But this is the one that I adapted from MaiaMailGuard to MailScanner.

 

http://www.maiamailguard.com/files/SLES10_MaiaMailGuard_Gateway_102.pdf

 

Basically, I installed 

 

-rw-r--r-- 1 root root  124418 Jan  7  2007 fuzzyocr-3.5.1-devel.tar.gz
-rw-r--r-- 1 root root  248889 Apr  4 01:15 gifsicle-1.55.tar.gz
-rw-r--r-- 1 root root  700288 Oct 22  2008 gocr-0.46.tar.gz
-rw-r--r-- 1 root root  363267 Mar 29 16:54 gocr-0.47.tar.gz
-rw-r--r-- 1 root root   95139 May  5 16:06 ocrad-0.18-rc1.tar.gz
-rw-r--r-- 1 root root   37544 May  5 16:26 sample-mails.tar.gz

 

and I needed to install:  giflib-progs-4.1.4-14.2 needed by gif conversion programs and I needed to install several perl modules.

 

BTW, gocr-0.47 has a build problem with linker flags not being specified but I was able to work around it eventually.

 

I only implemented it earlier last week, and so far stopped 502 e-mails with image based spam:

 

FUZZY_OCR Mail contains an image with common spam text inside 502 0 0 502 100

 

Gary Faith

>>> Alessandro Bianchi <alex at skynet-srl.com> 5/10/2009 12:37 PM >>>
In the last days I'm getting a lot of image only spam.

It contains no links and no text at all

The size of the image is different every time, and it advertizes pharmacy inviting users to visit funny sites with always different names like www.8654.org and similar.

I've palayed around spamassassin rules with some luck (somettimes I catch sometimes I don't).

Has anyone else seen something similar?

Any ideas about how to stop it?

Best regards and thanks

Alessandro Bianchi

-- 



SkyNet SRL

P.zza XXV Aprile 14 - 28021 Borgomanero (NO) - ITALY

Tel. +39 0322 836487/834765 - Fax.+39 0322.836608

info at skynet-srl.com -www.skynet-srl.com <http://www.skynet-srl.com> 

 

 

 

Le informazioni contenute in questo messaggio sono riservate e confidenziali e ne é vietata la diffusione in qualunque forma.

Qualora Lei non fosse la persona a cui il presente messaggio é destinato, La invitiamo ad eliminarlo dandocene gentilmente comunicazione.

Per qualsiasi informazione in merito si prega di contattare info at skynet-srl.com <mailto:info at skynet-srl.com> . ( Rif. D.L. 196/200 )

More information about the MailScanner mailing list