Re: How to detect current images-only messages?

2006-06-21 Thread Yves Goergen
On 21.06.2006 03:22 CE(S)T, jdow wrote:
 SARE and SpamAssassin
 plus the BLs have not let a ONE of either of those through yet this
 year.

Can you please explain to me what exact rules you added from SARE? I
cannot find anything usable there.

-- 
Yves Goergen LonelyPixel [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.


Re: How to detect current images-only messages?

2006-06-21 Thread Matt

On 6/21/06, Matt [EMAIL PROTECTED] wrote:

Ditto... having the same problem.

Here are the headers from one.. it got only a 2.0!
Is there something I can do to just block any inline images?

C{UT}

Received: from ntmail2.shscares.org (10.193.16.28 [10.193.16.28]) by
ntmail1.shscares.org with SMTP (Microsoft Exchange Internet Mail
Service Version 5.5.2653.13)
id L4MRBC9T; Wed, 14 Jun 2006 07:55:40 -0400
Received: (qmail 14909 invoked by uid 508); 14 Jun 2006 13:03:49 -
Received: from [EMAIL PROTECTED] by ntmail2.shscares.org by uid 502 with
SpamCobra Virus And Spam Protection
 (spamassassin: 2.64.  Clear:RC:0(88.241.210.218):SA:0(2.1/5.0):.
 Processed in 5.118316 secs); 14 Jun 2006 13:03:49 -
X-Spam-Status: No, hits=2.1 required=5.0
X-Spam-Level: ++
Received: from unknown (HELO enaiyy) (88.241.210.218)
  by 0 with SMTP; 14 Jun 2006 13:03:44 -
Received: from hj.eg ([88.241.218.148])
 by enaiyy (8.13.5/8.13.5) with SMTP id k5EC0ao8072049;
 Wed, 14 Jun 2006 15:00:36 +0300
Message-ID: [EMAIL PROTECTED]
From: Julius Clayton [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: debut dormitory
Date: Wed, 14 Jun 2006 14:50:04 +0300
MIME-Version: 1.0
Content-Type: multipart/related;
 type=multipart/alternative;
 boundary==_NextPart_000_0021_01C68FC2.A03F56FA
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on ntmail2.shscares.org
X-Spam-Status: No, hits=2.1 required=5.0 tests=CHILI_IMG_ONLY,HTML_70_80,
 HTML_IMAGE_ONLY_12,HTML_MESSAGE autolearn=no version=2.64
X-Spam-Pyzor: Reported 0 times.



On 6/21/06, Yves Goergen [EMAIL PROTECTED] wrote:
 On 21.06.2006 03:22 CE(S)T, jdow wrote:
  SARE and SpamAssassin
  plus the BLs have not let a ONE of either of those through yet this
  year.

 Can you please explain me, what exact rules you added from SARE? I
 cannot find anything usable there.

 --
 Yves Goergen LonelyPixel [EMAIL PROTECTED]
 http://beta.unclassified.de – My web laboratory.




RE: How to detect current images-only messages?

2006-06-20 Thread Thomas Raef
This thread might be dead, 
but I just read this and thought it might provide some insight, or thought, or 
something:


Network World's Messaging Newsletter, 06/20/06
How IronPort tackles image-based spam
By Michael Osterman
Following my discussion with Vircom about the problems the e-mail security 
firm is finding with image-based spam (as reported in last week's newsletter), I spoke with IronPort about the 
issue. 
IronPort is finding that about 12% of all spam is currently image-based, but 
that only a small handful of spammers are currently using it. However, because 
of the inability of many spam filters to adequately detect and stop this type of 
spam, the capture rate is much lower than for conventional spam. The result is 
that upwards of 50% of the spam received by end users is image-based spam. 
Conventional anti-spam systems using heuristics are quite poor at stopping 
image spam. Signature-based approaches are also inadequate because randomization 
techniques easily bypass these signatures. Randomization can take the form of 
inserting random pixels in a GIF image, which are imperceptible to viewers but 
that can easily break traditional binary signatures, or by changing palette or 
border colors. While randomization capabilities for image-based spam are not yet 
built into spam tool kits available on the Web, it's probably only a matter of 
time before this is the case. 
IronPort's approach is to use what it calls Context Adaptive Scanning - 
basically, profiling image spam to look for patterns across the message, the 
reputation of the sender, whether or not a dynamic IP address is used, how the 
message is constructed and other information. IronPort's approach also looks for 
color patterns within an image that can identify the presence of text within an 
image, since the vast majority of valid images sent through e-mail rarely 
contain a substantial quantity of text. Using these techniques, IronPort is 
currently able to stop about 98% of image-based with a very low false positive 
ratio. 
How much of a problem is image-based spam for your organization? Are you 
finding an increase in this type of spam and are you having difficulty detecting 
and stopping it?


From: Alan Premselaar [mailto:[EMAIL PROTECTED]]
Sent: Tue 6/20/2006 12:57 AM
To: jdow
Cc: users@spamassassin.apache.org
Subject: Re: How to detect current images-only messages?

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

jdow wrote:
 From: "Chris Santerre" [EMAIL PROTECTED]
 From: Yves Goergen [mailto:[EMAIL PROTECTED]]

 Hello, I keep receiving messages that contain nothing but
 composed images. They're HTML messages with only img/
 tags in them. There seems to be a rule that checks if the
 message has *any* image and compares it to its length. That gave
 my spam some scores recently but not so today. I received a
 message that looks just like the others but has no score at all
 due to the fact that it contains only images.

 Is there any way to detect this type of message with SpamAssassin?
 I cannot think of a regular expression that would do it, and
 even if I could, SA offered no way to match it reliably. (See
 the line-by-line problem with 'rawbody' and encoding problems
 with 'full'.)

 I keep hearing this is a problem, but I'm not seeing it on my end.
 Most are being caught:

 I'll have to adjust for those 2. :)

 In case he means no score and no SA markup there is still a way this can
 happen. If an email comes in during a very tiny window when spamd is
 reloading its configuration (-HUP) the email can sneak through.

 {^_^}

Of course this can also happen if the message size is greater than the
upper size limit set (default 250k) ... being that it's an image only,
I'd say it's definitely a possibility. (I've seen that happen on my
system in the past)

Alan
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEl45SE2gsBSKjZHQRAmKdAKCmcutB8fkoZZQCVMDsZSfBHXpwxACffS9X
5T96aD/02CijQdHB+uoy54c=
=XRir
-END PGP SIGNATURE-




Re: How to detect current images-only messages?

2006-06-20 Thread jdow

I am imagining the amount of processor resource scanning 100,000
messages per day let alone the tens of millions or more that some
sites see. I think Google could do it with their machine.

It's not needed, either. VERY few get through in practice. All ya
need is SpamAssassin and SARE. Then Bob's your uncle.

(I figured checksum right off. Thirty milliseconds later I figured
the random pixels - one is enough per image - counter. And maybe 60
milliseconds later I realized that the image is just a large captcha
and that the captcha problem has been solved, although it takes a
lot of computational resource. About a day later a lower usage
solution presented itself - take blocks of data from the image
and look at their average color. For an optimal size and number of
such blocks you can create a fairly reliable signature. Ba-da-bing.
Then multiple images appeared. Of course, during the whole flight of
thought I kept in mind the question, But WHY? SARE and SpamAssassin
plus the BLs have not let a ONE of either of those through yet this
year.)

{^_^}
- Original Message - 
From: Thomas Raef [EMAIL PROTECTED]


This thread might be dead, but I just read this and thought it might provide some insight,
or thought, or something:

Network World's Messaging Newsletter, 06/20/06
How IronPort tackles image-based spam
By Michael Osterman

Following my discussion with Vircom about the problems the e-mail security firm is finding
with image-based spam (as reported in last week's newsletter), I spoke with IronPort about
the issue.

IronPort is finding that about 12% of all spam is currently image-based, but that only a
small handful of spammers are currently using it. However, because of the inability of
many spam filters to adequately detect and stop this type of spam, the capture rate is
much lower than for conventional spam. The result is that upwards of 50% of the spam
received by end users is image-based spam.

Conventional anti-spam systems using heuristics are quite poor at stopping image spam.
Signature-based approaches are also inadequate because randomization techniques easily
bypass these signatures. Randomization can take the form of inserting random pixels in a
GIF image, which are imperceptible to viewers but that can easily break traditional binary
signatures, or by changing palette or border colors. While randomization capabilities for
image-based spam are not yet built into spam tool kits available on the Web, it's probably
only a matter of time before this is the case.

IronPort's approach is to use what it calls Context Adaptive Scanning - basically,
profiling image spam to look for patterns across the message, the reputation of the
sender, whether or not a dynamic IP address is used, how the message is constructed and
other information. IronPort's approach also looks for color patterns within an image that
can identify the presence of text within an image, since the vast majority of valid images
sent through e-mail rarely contain a substantial quantity of text. Using these techniques,
IronPort is currently able to stop about 98% of image-based with a very low false positive
ratio.

How much of a problem is image-based spam for your organization? Are you finding an
increase in this type of spam and are you having difficulty detecting and stopping it?




RE: How to detect current images-only messages?

2006-06-19 Thread Chris Santerre
 -Original Message-
 From: Yves Goergen [mailto:[EMAIL PROTECTED]]
 Sent: Sunday, June 18, 2006 5:50 AM
 To: users@spamassassin.apache.org
 Subject: How to detect current images-only messages?
 
 
 Hello,
 I keep receiving messages that contain nothing but composed images.
 They're HTML messages with only img/ tags in them. There 
 seems to be a
 rule that checks if the message has *any* image and compares it to its
 length. That gave my spam some scores recently but not so today. I
 received a message that looks just like the others but has no score at
 all due to the fact that it contains only images.
 
 Is there any way to detect this type of message with SpamAssassin? I
 cannot think of a regular expression that would do it, and even if I
 could, SA offered no way to match it reliably. (See the line-by-line
 problem with 'rawbody' and encoding problems with 'full'.)


I keep hearing this is a problem, but I'm not seeing it on my end. Most are being caught:

Some examples:

X-Spam-Status: Yes, score=7.6 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
 HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
 MY_ALT,MY_DSL,RCVD_IN_NJABL_DUL

X-Spam-Status: Yes, score=7.6 required=5.0 tests=HTML_90_100,
 HTML_IMAGE_ONLY_08,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
 MSGID_DOLLARS,MY_ALT

X-Spam-Status: Yes, score=9.2 required=5.0 tests=HTML_90_100,
 HTML_IMAGE_ONLY_04,HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,
 MSGID_DOLLARS,MY_ALT,SARE_BOUNDARY_09

X-Spam-Status: Yes, score=8.6 required=5.0 tests=EXTRA_MPART_TYPE,
 HELO_DYNAMIC_DHCP,HELO_DYNAMIC_IPADDR,HTML_90_100,HTML_IMAGE_ONLY_08,
 HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,SPF_HELO_SOFTFAIL

X-Spam-Status: Yes, score=5.6 required=5.0 tests=HTML_90_100,HTML_MESSAGE,
 MIME_HTML_MOSTLY,MPART_ALT_DIFF,MSGID_DOLLARS,MY_ALT

Ahhh...occasional slip thru...

X-Spam-Status: No, score=4.4 required=5.0 tests=EXTRA_MPART_TYPE,HTML_90_100,
 HTML_MESSAGE,MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,RCVD_IN_NJABL_DUL

X-Spam-Status: No, score=4.4 required=5.0 tests=EXTRA_MPART_TYPE,
 FORGED_RCVD_HELO,HTML_90_100,HTML_IMAGE_ONLY_16,HTML_MESSAGE,
 MIME_HTML_MOSTLY,MPART_ALT_DIFF,MY_ALT,MY_HELO,SPF_HELO_PASS

I'll have to adjust for those 2. :)


Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com





Re: How to detect current images-only messages?

2006-06-19 Thread jdow

From: Chris Santerre [EMAIL PROTECTED]

From: Yves Goergen [mailto:[EMAIL PROTECTED]

Hello,
I keep receiving messages that contain nothing but composed images.
They're HTML messages with only img/ tags in them. There 
seems to be a

rule that checks if the message has *any* image and compares it to its
length. That gave my spam some scores recently but not so today. I
received a message that looks just like the others but has no score at
all due to the fact that it contains only images.

Is there any way to detect this type of message with SpamAssassin? I
cannot think of a regular expression that would do it, and even if I
could, SA offered no way to match it reliably. (See the line-by-line
problem with 'rawbody' and encoding problems with 'full'.)


I keep hearing this is a problem, but I'm not seeing it on my end. Most are
being caught:




I'll have to adjust for those 2. :) 


In case he means no score and no SA markup there is still a way this
can happen. If an email comes in during a very tiny window when spamd
is reloading its configuration (-HUP) the email can sneak through.

{^_^}


Re: How to detect current images-only messages?

2006-06-19 Thread Alan Premselaar
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

jdow wrote:
 From: Chris Santerre [EMAIL PROTECTED]
 From: Yves Goergen [mailto:[EMAIL PROTECTED]

 Hello,
 I keep receiving messages that contain nothing but composed images.
 They're HTML messages with only img/ tags in them. There seems to be a
 rule that checks if the message has *any* image and compares it to its
 length. That gave my spam some scores recently but not so today. I
 received a message that looks just like the others but has no score at
 all due to the fact that it contains only images.

 Is there any way to detect this type of message with SpamAssassin? I
 cannot think of a regular expression that would do it, and even if I
 could, SA offered no way to match it reliably. (See the line-by-line
 problem with 'rawbody' and encoding problems with 'full'.)

 I keep hearing this is a problem, but I'm not seeing it on my end.
 Most are
 being caught:
 

 I'll have to adjust for those 2. :) 
 
 In case he means no score and no SA markup there is still a way this
 can happen. If an email comes in during a very tiny window when spamd
 is reloading its configuration (-HUP) the email can sneak through.
 
 {^_^}

Of course this can also happen if the message size is greater than the
upper size limit set (default 250k) ... being that it's an image only,
I'd say it's definitely a possibility.  (I've seen that happen on my
system in the past)

Alan
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEl45SE2gsBSKjZHQRAmKdAKCmcutB8fkoZZQCVMDsZSfBHXpwxACffS9X
5T96aD/02CijQdHB+uoy54c=
=XRir
-END PGP SIGNATURE-


How to detect current images-only messages?

2006-06-18 Thread Yves Goergen
Hello,
I keep receiving messages that contain nothing but composed images.
They're HTML messages with only <img/> tags in them. There seems to be a
rule that checks if the message has *any* image and compares it to its
length. That gave my spam some scores recently but not so today. I
received a message that looks just like the others but has no score at
all due to the fact that it contains only images.

Is there any way to detect this type of message with SpamAssassin? I
cannot think of a regular expression that would do it, and even if I
could, SA offered no way to match it reliably. (See the line-by-line
problem with 'rawbody' and encoding problems with 'full'.)

-- 
Yves Goergen LonelyPixel [EMAIL PROTECTED]
http://beta.unclassified.de – My web laboratory.
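One way to get at the question in this post, as an added Python example that is not code from the thread and not a SpamAssassin rule: instead of regex-matching rawbody line by line or fighting transfer encodings in full, parse the MIME tree with the standard library, decode each part, strip the HTML part to its visible text and compare that with the <img> tags and inline image parts the message carries. Both messages in the block are constructed for the example, and the 20-character text allowance is an assumed threshold, not an SA default.

```python
"""Structural check for 'images-only' HTML mail.

Added example, not code from the thread and not a SpamAssassin rule.
Both sample messages below are constructed for this example.
"""
import email
import re
from email import policy
from html.parser import HTMLParser

# Constructed: empty text part, HTML part holding only an <img>, one inline
# GIF, in the multipart/related + multipart/alternative layout seen in spam.
IMAGE_ONLY_MSG = b"""From: sender@example.invalid
To: user@example.invalid
MIME-Version: 1.0
Content-Type: multipart/related; type="multipart/alternative";
 boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

--inner
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<html><body><img src=3D"cid:img001"></body></html>
--inner--

--outer
Content-Type: image/gif; name="img001.gif"
Content-Transfer-Encoding: base64
Content-ID: <img001>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--outer--
"""

# Constructed: an ordinary HTML message with readable text next to a logo.
NEWSLETTER_MSG = b"""From: news@example.invalid
To: user@example.invalid
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><img src="http://example.invalid/logo.gif">
<p>Hello reader, here is this week's summary with the usual amount of
readable text sitting next to the logo image.</p></body></html>
"""


class _TextAndImages(HTMLParser):
    """Collect visible text and count <img> tags in one HTML part."""
    def __init__(self):
        super().__init__()
        self.chunks, self.img_tags = [], 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.img_tags += 1

    def handle_data(self, data):
        self.chunks.append(data)

    def text(self):
        return re.sub(r"\s+", " ", "".join(self.chunks)).strip()


def _decode_text(part):
    """Undo the transfer encoding and charset of a text part."""
    payload = part.get_payload(decode=True) or b""
    return payload.decode(part.get_content_charset() or "us-ascii", "replace")


def analyze(raw):
    """Walk the MIME tree and return counts describing text versus images."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    stats = {"html_parts": 0, "img_tags": 0, "visible_text_chars": 0,
             "plain_text_chars": 0, "inline_images": 0, "image_bytes": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _TextAndImages()
            parser.feed(_decode_text(part))
            parser.close()
            stats["html_parts"] += 1
            stats["img_tags"] += parser.img_tags
            stats["visible_text_chars"] += len(parser.text())
        elif ctype == "text/plain":
            stats["plain_text_chars"] += len(_decode_text(part).strip())
        elif part.get_content_maintype() == "image":
            stats["inline_images"] += 1
            stats["image_bytes"] += len(part.get_payload(decode=True) or b"")
    return stats


def is_image_only(stats, max_text_chars=20):
    """True when the HTML carries images but (almost) no readable text.
    The 20-character allowance is an assumed threshold, not an SA default."""
    return (stats["html_parts"] > 0 and stats["img_tags"] > 0
            and stats["visible_text_chars"] <= max_text_chars
            and stats["plain_text_chars"] <= max_text_chars)


if __name__ == "__main__":
    for name, raw in (("spam sample", IMAGE_ONLY_MSG), ("newsletter", NEWSLETTER_MSG)):
        print(name, analyze(raw), "-> image-only:", is_image_only(analyze(raw)))
```

Decoding each part before inspecting it is what removes the two obstacles named in the post: a quoted-printable or base64 body no longer hides the markup, and the tag count does not depend on where the encoder broke its lines. In production this logic belongs in a SpamAssassin plugin or a milter rather than a script, and the threshold needs tuning against ham, since signature-only replies and logo-only notifications are legitimate image-heavy messages.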