This image is turning frequent..
This type of image spam is getting more common, and is not detected.. At least not here..

--
Anders Norrbring
Norrbring Consulting
RE: This image is turning frequent..
> This type of image spam is getting more common, and is not detected.. At
> least not here..

A solution is on its way :) Stay tuned.. Might be end of day.

Thanks,

Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com
RE: This image is turning frequent..
Even I am getting a lot of those.

Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com
QualiSpace Community Discussion forum: http://forum.qualispace.com

-Original Message-
From: Anders Norrbring [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 7:32 PM
To: users@spamassassin.apache.org
Subject: This image is turning frequent..

This type of image spam is getting more common, and is not detected.. At least not here..

--
Anders Norrbring
Norrbring Consulting
Re: This image is turning frequent..
Anders Norrbring wrote:
> This type of image spam is getting more common, and is not
> detected.. At least not here..

Yes, this picture is indeed hard to detect... I'd need a blackbox like

Input: Animated gif of any kind
Output: NonAnimated gif which shows what the user will see

But that is a difficult task considering how many things are possible with the GIF standard. This picture uses offsets and slow frame rates, others use transparency etc. A simple way to block these images would be to scan the GIF for offset frames. I don't think there is any valid GIF which makes use of these techniques...

Best regards,

Chris
Re: This image is turning frequent..
> But that is a difficult task considering how many things are possible
> with the GIF standard. This picture uses offsets and slow frame rates,
> others use transparency etc. A simple way to block these images would
> be to scan the GIF for offset frames. I don't think there is any valid
> GIF which makes use of these techniques...

Sure there is: http://phil.ipal.org/tc.html

Check out the GIF at the top left of the page. And there is a library to generate them in that format. Granted, probably nobody uses it, but it does exist. :-)

- Logan
Re: This image is turning frequent..
decoder wrote:
> But that is a difficult task considering how many things are possible
> with the GIF standard. This picture uses offsets and slow frame rates,
> others use transparency etc. A simple way to block these images would
> be to scan the GIF for offset frames. I don't think there is any valid
> GIF which makes use of these techniques...

If "offset frames" means what I think it does, they're actually a fairly common technique in animated GIFs where you only need to change part of the image. After all, if you're changing a 30x50 section of a 200x200 image, why waste space on an extra 38,500 pixels?

--
Kelson Vibber
SpeedGate Communications
Re: This image is turning frequent..
Anders Norrbring wrote:
> This type of image spam is getting more common, and is not detected.. At
> least not here..

score SARE_GIF_STOX 2.5 2.5 2.5 2.5

That's all it took, and we don't see it any more.

--
Jo Rhett
Network/Software Engineer
Net Consonance
Re: This image is turning frequent..
I think you guys are going down a much harder road. This only makes sense if and when e-mail with only a GIF is a normal type of e-mail that people find acceptable. Otherwise, just score e-mail with only a GIF and/or some extra bayes poison high and don't bother analyzing it.

Kelson wrote:
> decoder wrote:
>> But that is a difficult task considering how many things are possible
>> with the GIF standard. This picture uses offsets and slow frame rates,
>> others use transparency etc. A simple way to block these images would
>> be to scan the GIF for offset frames. I don't think there is any valid
>> GIF which makes use of these techniques...
>
> If "offset frames" means what I think it does, they're actually a fairly
> common technique in animated GIFs where you only need to change part of
> the image. After all, if you're changing a 30x50 section of a 200x200
> image, why waste space on an extra 38,500 pixels?

--
Jo Rhett
Network/Software Engineer
Net Consonance
RE: This image is turning frequent..
Exactly... and that SARE ruleset is coming very soon :)

--Chris

> -Original Message-
> From: Jo Rhett [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 17, 2006 1:28 PM
> To: Kelson
> Cc: users@spamassassin.apache.org
> Subject: Re: This image is turning frequent..
>
> I think you guys are going down a much harder road. This only makes
> sense if and when e-mail with only a GIF is a normal type of e-mail that
> people find acceptable. Otherwise, just score e-mail with only a GIF
> and/or some extra bayes poison high and don't bother analyzing it.
>
> Kelson wrote:
> > decoder wrote:
> >> But that is a difficult task considering how many things are possible
> >> with the GIF standard. This picture uses offsets and slow frame rates,
> >> others use transparency etc. A simple way to block these images would
> >> be to scan the GIF for offset frames. I don't think there is any valid
> >> GIF which makes use of these techniques...
> >
> > If "offset frames" means what I think it does, they're actually a fairly
> > common technique in animated GIFs where you only need to change part of
> > the image. After all, if you're changing a 30x50 section of a 200x200
> > image, why waste space on an extra 38,500 pixels?
>
> --
> Jo Rhett
> Network/Software Engineer
> Net Consonance
Re: This image is turning frequent..
Just FYI increasing SARE_GIX_STOX has removed this spam from my mailbox. It's doing something right. (I was getting 1-2 an hour prior to increasing that rule's score)

Chris Santerre wrote:
> Exactly... and that SARE ruleset is coming very soon :)
>
> --Chris
>
> > -Original Message-
> > From: Jo Rhett [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, October 17, 2006 1:28 PM
> > To: Kelson
> > Cc: users@spamassassin.apache.org
> > Subject: Re: This image is turning frequent..
> >
> > I think you guys are going down a much harder road. This only makes
> > sense if and when e-mail with only a GIF is a normal type of e-mail that
> > people find acceptable. Otherwise, just score e-mail with only a GIF
> > and/or some extra bayes poison high and don't bother analyzing it.
> >
> > Kelson wrote:
> > > decoder wrote:
> > >> But that is a difficult task considering how many things are possible
> > >> with the GIF standard. This picture uses offsets and slow frame rates,
> > >> others use transparency etc. A simple way to block these images would
> > >> be to scan the GIF for offset frames. I don't think there is any valid
> > >> GIF which makes use of these techniques...
> > >
> > > If "offset frames" means what I think it does, they're actually a fairly
> > > common technique in animated GIFs where you only need to change part of
> > > the image. After all, if you're changing a 30x50 section of a 200x200
> > > image, why waste space on an extra 38,500 pixels?
> >
> > --
> > Jo Rhett
> > Network/Software Engineer
> > Net Consonance

--
Jo Rhett
Network/Software Engineer
Net Consonance
RE: This image is turning frequent..
I'm embarrassed to ask but, what cf file is that from?

--Chris

> -Original Message-
> From: Jo Rhett [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 17, 2006 1:45 PM
> To: Chris Santerre
> Cc: Kelson; users@spamassassin.apache.org
> Subject: Re: This image is turning frequent..
>
> Just FYI increasing SARE_GIX_STOX has removed this spam from my mailbox.
> It's doing something right. (I was getting 1-2 an hour prior to
> increasing that rule's score)
>
> Chris Santerre wrote:
> > Exactly... and that SARE ruleset is coming very soon :)
> >
> > --Chris
> >
> > > -Original Message-
> > > From: Jo Rhett [mailto:[EMAIL PROTECTED]]
> > > Sent: Tuesday, October 17, 2006 1:28 PM
> > > To: Kelson
> > > Cc: users@spamassassin.apache.org
> > > Subject: Re: This image is turning frequent..
> > >
> > > I think you guys are going down a much harder road. This only makes
> > > sense if and when e-mail with only a GIF is a normal type of e-mail that
> > > people find acceptable. Otherwise, just score e-mail with only a GIF
> > > and/or some extra bayes poison high and don't bother analyzing it.
> > >
> > > Kelson wrote:
> > > > decoder wrote:
> > > >> But that is a difficult task considering how many things are possible
> > > >> with the GIF standard. This picture uses offsets and slow frame rates,
> > > >> others use transparency etc. A simple way to block these images would
> > > >> be to scan the GIF for offset frames. I don't think there is any valid
> > > >> GIF which makes use of these techniques...
> > > >
> > > > If "offset frames" means what I think it does, they're actually a fairly
> > > > common technique in animated GIFs where you only need to change part of
> > > > the image. After all, if you're changing a 30x50 section of a 200x200
> > > > image, why waste space on an extra 38,500 pixels?
> > >
> > > --
> > > Jo Rhett
> > > Network/Software Engineer
> > > Net Consonance
>
> --
> Jo Rhett
> Network/Software Engineer
> Net Consonance
Re: This image is turning frequent..
Chris Santerre wrote:
> I'm embarrassed to ask but, what cf file is that from?

[EMAIL PROTECTED] /usr/local/etc]$ find /var/lib/spamassassin -type f -exec grep -l SARE_GIF_STOX {} \;
/var/lib/spamassassin/3.001004/70_sare_stocks_cf_sare_sa-update_dostech_net/200609222100.cf

--
Jo Rhett
Network/Software Engineer
Net Consonance
Re: This image is turning frequent..
Chris Santerre wrote:
> I'm embarrassed to ask but, what cf file is that from?

[EMAIL PROTECTED] rulesets]$ grep SARE_GIF_STOX * -R | grep meta
70_sare_stocks.cf/20060803.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200608271034.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609062000.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609100500.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609100600.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609220500.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609222100.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
[EMAIL PROTECTED] rulesets]$
RE: This image is turning frequent..
> -Original Message-
> From: Jo Rhett [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, October 17, 2006 2:41 PM
> To: Chris Santerre
> Cc: users@spamassassin.apache.org
> Subject: Re: This image is turning frequent..
>
> Chris Santerre wrote:
> > I'm embarrassed to ask but, what cf file is that from?
>
> [EMAIL PROTECTED] /usr/local/etc]$ find /var/lib/spamassassin -type f -exec grep -l SARE_GIF_STOX {} \;
>
> /var/lib/spamassassin/3.001004/70_sare_stocks_cf_sare_sa-update_dostech_net/200609222100.cf

Ahahahah I must be burnt. I'm looking all thru those files and couldn't find it.

...because I was searching for "gix_stox"!

I'm going to go pour some coffee!

Thanks

--Chris
RE: This image is turning frequent..
Even I did the same thing and it worked pretty well.

Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com
QualiSpace Community Discussion forum: http://forum.qualispace.com

-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 17, 2006 10:56 PM
To: Anders Norrbring
Cc: users@spamassassin.apache.org
Subject: Re: This image is turning frequent..

Anders Norrbring wrote:
> This type of image spam is getting more common, and is not detected.. At
> least not here..

score SARE_GIF_STOX 2.5 2.5 2.5 2.5

That's all it took, and we don't see it any more.

--
Jo Rhett
Network/Software Engineer
Net Consonance
Re: This image is turning frequent..
* Jo Rhett <[EMAIL PROTECTED]> [10-17-2006 10:25]:
>
> score SARE_GIF_STOX 2.5 2.5 2.5 2.5
>

Can you tell me what each corresponding 2.5 represents?

--
Regards,
Matt Florido
Re: This image is turning frequent..
Matt Florido wrote:
> * Jo Rhett <[EMAIL PROTECTED]> [10-17-2006 10:25]:
>> score SARE_GIF_STOX 2.5 2.5 2.5 2.5
>
> Can you tell me what each corresponding 2.5 represents?

http://spamassassin.apache.org/tests_3_1_x.html

Pay particular attention to the rightmost column heading in the table.

-Jim
RE: This image is turning frequent..
Matt Florido wrote:
> * Jo Rhett <[EMAIL PROTECTED]> [10-17-2006 10:25]:
> >
> > score SARE_GIF_STOX 2.5 2.5 2.5 2.5
> >
>
> Can you tell me what each corresponding 2.5 represents?

man Mail::SpamAssassin::Conf

score SYMBOLIC_TEST_NAME n.nn [ n.nn n.nn n.nn ]
    Assign scores (the number of points for a hit) to a given test.
    Scores can be positive or negative real numbers or integers.
    "SYMBOLIC_TEST_NAME" is the symbolic name used by SpamAssassin for
    that test; for example, 'FROM_ENDS_IN_NUMS'.

    If only one valid score is listed, then that score is always used
    for a test.

    If four valid scores are listed, then the score that is used depends
    on how SpamAssassin is being used. The first score is used when both
    Bayes and network tests are disabled (score set 0). The second score
    is used when Bayes is disabled, but network tests are enabled (score
    set 1). The third score is used when Bayes is enabled and network
    tests are disabled (score set 2). The fourth score is used when
    Bayes is enabled and network tests are enabled (score set 3).

    Setting a rule's score to 0 will disable that rule from running.

--
Bowie
Re: This image is turning frequent..
On Wed, October 18, 2006 10:18 am, Jim Maul wrote:
> Matt Florido wrote:
>> * Jo Rhett <[EMAIL PROTECTED]> [10-17-2006 10:25]:
>>
>>> score SARE_GIF_STOX 2.5 2.5 2.5 2.5
>>>
>>
>> Can you tell me what each corresponding 2.5 represents?
>>
>
> http://spamassassin.apache.org/tests_3_1_x.html
>
> Pay particular attention to the rightmost column heading in the table.
>
> -Jim
>

Thanks Jim. (local, net, with bayes, with bayes+net)

Matt Florido
Re: This image is turning frequent..
Yeah, I'm seeing that too. Any ideas on how to do that? For now I've been falling back on a procmail hack to toss all messages with images embedded in the HTML of the message into their own folder.

At 04:02 PM 10/17/2006 +0200, Anders Norrbring wrote:
> This type of image spam is getting more common, and is not detected.. At
> least not here..

Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community
Re: This image is turning frequent..
Just added this to my user prefs file. We'll see what happens. Thanks. :D

At 10:44 AM 10/17/2006 -0700, Jo Rhett wrote:
> Just FYI increasing SARE_GIX_STOX has removed this spam from my mailbox.
> It's doing something right. (I was getting 1-2 an hour prior to
> increasing that rule's score)
>
> Chris Santerre wrote:
> > Exactly... and that SARE ruleset is coming very soon :)
> >
> > --Chris
> >
> > > -Original Message-
> > > From: Jo Rhett [mailto:[EMAIL PROTECTED]
> > > Sent: Tuesday, October 17, 2006 1:28 PM
> > > To: Kelson
> > > Cc: users@spamassassin.apache.org
> > > Subject: Re: This image is turning frequent..
> > >
> > > I think you guys are going down a much harder road. This only makes
> > > sense if and when e-mail with only a GIF is a normal type of e-mail that
> > > people find acceptable. Otherwise, just score e-mail with only a GIF
> > > and/or some extra bayes poison high and don't bother analyzing it.
> > >
> > > Kelson wrote:
> > > > decoder wrote:
> > > >> But that is a difficult task considering how many things are possible
> > > >> with the GIF standard. This picture uses offsets and slow frame rates,
> > > >> others use transparency etc. A simple way to block these images would
> > > >> be to scan the GIF for offset frames. I don't think there is any valid
> > > >> GIF which makes use of these techniques...
> > > >
> > > > If "offset frames" means what I think it does, they're actually a fairly
> > > > common technique in animated GIFs where you only need to change part of
> > > > the image. After all, if you're changing a 30x50 section of a 200x200
> > > > image, why waste space on an extra 38,500 pixels?
> > >
> > > --
> > > Jo Rhett
> > > Network/Software Engineer
> > > Net Consonance
>
> --
> Jo Rhett
> Network/Software Engineer
> Net Consonance

Steven Lake
Owner/Technical Writer
Raiden's Realm
www.raiden.net
A friendly web community
Re: This image is turning frequent..
Steve Lake raiden.net> writes:

> Yeah, I'm seeing that too. Any ideas on how to do that? For now
> I've been falling back on a procmail hack to toss all messages with
> images embedded in the HTML of the message into their own folder.

I just wrote a little program which

- examines GIF animation files
- detects the left and top offsets and the delay times
- calls gifasm to extract the single pictures
- calls giftopnm to convert the single pictures
- creates one PNM file according to the global width and height
- copies all the extracted PNM pictures into the big file according to the detected offsets
- stops working when the delay time of the current picture is much bigger than the previous delay times
- saves the big PNM file

This PNM file looks exactly like the animation after it has finished moving, and can be passed to GOCR with a good result.

Paul Lenz
Re: This image is turning frequent..
Steve Lake raiden.net> writes:

> Yeah, I'm seeing that too. Any ideas on how to do that?

I just wrote a little program which

- examines a GIF animation and stores its size
- stores delay time, size, left offset, and top offset of each single picture
- calls gifasm to extract the single pictures
- calls giftopnm to convert them into PNM files
- creates one empty PNM according to the size of the GIF file
- copies the content of each single PNM file according to its offsets into the empty PNM file
- stops working if the delay time is much bigger than the previous ones
- saves the PNM file

After that I got a PNM file which looks exactly like the GIF animation when it has finished moving. This PNM file can be passed to GOCR and converted into plain text with good results.

Paul Lenz
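The per-frame values this thread keeps returning to (left and top offsets, frame size, delay time) can be read straight from the GIF block headers without decoding any pixels. The following is an added example, not code from any poster or from SpamAssassin/SARE: it covers only the measuring step, not the gifasm/giftopnm/GOCR pipeline, and the function names, the factor of 10 standing in for "much bigger", and the sample bytes are all assumptions made for illustration.

```python
import struct

def _skip_sub_blocks(buf, pos):
    """Skip length-prefixed sub-blocks; return the offset after the 0 terminator."""
    while True:
        if pos >= len(buf):
            raise ValueError("truncated sub-block chain")
        size = buf[pos]
        pos += 1 + size
        if size == 0:
            return pos

def parse_gif_frames(buf):
    """Return ((screen_w, screen_h), frames) from block headers; no pixel decoding."""
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    screen_w, screen_h, flags = struct.unpack_from("<HHB", buf, 6)
    pos = 13 + (3 * (2 << (flags & 7)) if flags & 0x80 else 0)  # skip global colour table
    frames, delay = [], 0
    while pos < len(buf) and buf[pos] != 0x3B:          # 0x3B = trailer
        if buf[pos] == 0x21:                            # extension block
            if buf[pos + 1] == 0xF9:                    # graphic control extension
                delay = struct.unpack_from("<H", buf, pos + 4)[0]  # 1/100 s units
            pos = _skip_sub_blocks(buf, pos + 2)
        elif buf[pos] == 0x2C:                          # image descriptor
            left, top, w, h, f = struct.unpack_from("<HHHHB", buf, pos + 1)
            pos += 10 + (3 * (2 << (f & 7)) if f & 0x80 else 0)   # skip local colour table
            pos = _skip_sub_blocks(buf, pos + 1)        # +1 skips LZW minimum code size
            frames.append({"left": left, "top": top, "width": w, "height": h, "delay_cs": delay})
            delay = 0
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (buf[pos], pos))
    return (screen_w, screen_h), frames

def summarize(buf, jump=10):
    """List partial/offset frames and the first frame whose delay jumps (assumed factor)."""
    screen, frames = parse_gif_frames(buf)
    partial = [i for i, f in enumerate(frames)
               if (f["left"], f["top"], f["width"], f["height"]) != (0, 0) + screen]
    settle = None
    for i in range(1, len(frames)):
        longest_before = max(f["delay_cs"] for f in frames[:i])
        if frames[i]["delay_cs"] > jump * max(longest_before, 1):
            settle = i
            break
    return {"screen": screen, "frames": len(frames), "partial": partial, "settle": settle}

def sample_gif():
    """Constructed input: 200x200 screen, three frames, placeholder pixel data."""
    def frame(left, top, w, h, delay):
        gce = b"\x21\xF9\x04\x00" + struct.pack("<H", delay) + b"\x00\x00"
        return gce + b"\x2C" + struct.pack("<HHHHB", left, top, w, h, 0) + b"\x02\x02\x4C\x01\x00"
    header = b"GIF89a" + struct.pack("<HHB", 200, 200, 0x80) + bytes(2) + bytes(6)
    return (header + frame(0, 0, 200, 200, 10) + frame(40, 60, 30, 50, 10)
            + frame(10, 120, 30, 50, 500) + b"\x3B")

if __name__ == "__main__":
    print(summarize(sample_gif()))
```

The output lists which frames cover only part of the logical screen and where the delay jumps; it reports measurements and does not classify the image.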