<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
<br>
<br>
John Rudd wrote:
<blockquote cite="mid67649949ab7076239f54964d81083f92@ucsc.edu"
type="cite"><br>
On Apr 25, 2006, at 11:35, Matt Kettler wrote:
<br>
<br>
<blockquote type="cite">Derek Chee wrote:
<br>
<blockquote type="cite">Hi,
<br>
<br>
We've been getting bombarded recently with a lot of the embedded GIF
<br>
image OTCBB stock, pump and dump spam. The one with the random
subject,
<br>
from and sender lines.
<br>
<br>
Has anybody had any luck creating SpamAssassin rules that would help
<br>
boost the score? Or better yet a good RBL that blocks them? For RBLs,
<br>
we only run the Spamhaus lists. Being a university, we can't run a
very
<br>
aggressive RBL list as it would cause too many complaints about
blocking
<br>
legitimate email.
<br>
<br>
</blockquote>
<br>
the SARE stock ruleset helps here. As do hash-based tests like Razor
and DCC.
<br>
</blockquote>
<br>
As has been pointed out, the hash based tests aren't going to catch all
image spam, because the spammers are smart enough to make small changes
to images that aren't caught by the human eye, but which do produce
unique hash results (meaning that they aren't caught by hash based
systems). As I mentioned last week, someone over on the mimedefang
list is working on a OCR perl module for feeding those images to, so
that you can get a bunch of text. The suggestion on the list is to
then attach that text to the message, so that when you feed it to Spam
Assassin, it gets picked up by bayes (both for training and scoring).<br>
</blockquote>
Here's a thought, how about using the <font
face="Courier New, Courier, monospace">identify</font> command from
the ImageMagick package. (<a class="moz-txt-link-freetext" href="http://www.magickwand.org/">http://www.magickwand.org/</a>) With the the <font
face="Courier New, Courier, monospace">-verbose</font> option, it
gives back a lot of info on the image, including a "signature" string
that could be used to feed SA.<br>
Here's a sample output of a random image I have handy:<br>
<br>
<font face="Courier New, Courier, monospace">[user@develop]# identify
-verbose gb.jpg<br>
Image: gb.jpg<br>
Format: JPEG (Joint Photographic Experts Group JFIF format)<br>
Geometry: 2550x4200<br>
Class: DirectClass<br>
Type: TrueColor<br>
Endianess: Undefined<br>
Colorspace: RGB<br>
Channel depth:<br>
Red: 8-bits<br>
Green: 8-bits<br>
Blue: 8-bits<br>
Channel statistics:<br>
Red:<br>
Min: 92 (0.360784)<br>
Max: 255 (1)<br>
Mean: 241.566 (0.947317)<br>
Standard deviation: 17.3827 (0.0681675)<br>
Green:<br>
Min: 84 (0.329412)<br>
Max: 255 (1)<br>
Mean: 239.353 (0.93864)<br>
Standard deviation: 19.6521 (0.0770672)<br>
Blue:<br>
Min: 81 (0.317647)<br>
Max: 255 (1)<br>
Mean: 234.329 (0.918937)<br>
Standard deviation: 20.5236 (0.0804845)<br>
Colors: 13126<br>
Rendering-intent: Undefined<br>
Resolution: 300x300<br>
Units: PixelsPerInch<br>
Filesize: 436kb<br>
Interlace: None<br>
Background Color: white<br>
Border Color: #DFDFDF<br>
Matte Color: grey74<br>
Dispose: Undefined<br>
Iterations: 0<br>
Compression: JPEG<br>
Quality: 32<br>
Orientation: Undefined<br>
Comment: LEAD Technologies Inc. V1.01<br>
JPEG-Colorspace: 2<br>
JPEG-Sampling-factors: 1x1,1x1,1x1<br>
Signature:
3fb7fe8ae960ad9879b90c25bc88da1f5c76e51937fc407437bc8549e37f605f<br>
Tainted: False<br>
User Time: 5.340u<br>
Elapsed Time: 0:06<br>
Pixels per second: 2.0mb<br>
Version: ImageMagick 6.2.5 02/13/06 Q16
<a class="moz-txt-link-freetext" href="file:/usr/share/ImageMagick-6.2.5/doc/index.html">file:/usr/share/ImageMagick-6.2.5/doc/index.html</a><br>
<br>
</font><br>
</body>
<br />--
<br />This transmission may contain information that is privileged, confidential
<br />and/or exempt from disclosure under applicable law. If you are not the
<br />intended recipient, you are hereby notified that any disclosure, copying,
<br />distribution, or use of the information contained herein (including any
<br />reliance thereon) is STRICTLY PROHIBITED. If you received this transmission
<br />in error, please immediately contact the sender and destroy the material in
<br />its entirety, whether in electronic or hard copy format. Thank you.
<br />
<br />--
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href="http://www.mailscanner.info/"><b>MailScanner</b></a>, and is
<br />believed to be clean.
</html>