Pollywog wrote:
> On 12/11/2005 05:31 pm, Kai Schaetzl wrote:
>
>>Craig Zeigler wrote on Sun, 11 Dec 2005 11:11:15 -0500:
>>
>>>The filename is Part 1.1.jpg.
>>
>>Use MailScanner or another tool to reject/delete mail with that name. If
>>it is coming from zombies, just disallow zombies at MTA level. Not
>>everything anti-spam should be done with SA.
>
> Spammers are stupid, but not THAT stupid; they do use different names for
> their files, the ones I have gotten seem to have random filenames using mixed
> case. I think it's a job better suited to Procmail or Maildrop, though. I
> am trying to find a way to do it with a Maildrop filter.

FWIW, the most recent version of this that I got was on Dec 9, and the
attachment was an embedded type named "22.jpg". It wound up containing a
link to their site in its limited text, and the URIBLs tore it to bits.
Also both hash-systems I use (razor and DCC) nailed it, and it was an SPF
forgery.

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=29.637, required 5,
    autolearn=spam, BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77,
    DNS_FROM_RFC_DSN 2.60, DNS_FROM_RFC_POST 1.71, HTML_IMAGE_ONLY_08 3.13,
    HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_1 0.95,
    INFO_GREYLIST_NOTDELAYED -0.00, RAZOR2_CF_RANGE_51_100 0.50,
    RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
    RAZOR2_CHECK 0.50, SPF_SOFTFAIL 1.38, URIBL_BLACK 2.50,
    URIBL_JP_SURBL 4.09, URIBL_SBL 1.64, URIBL_SC_SURBL 4.50,
    URI_NOVOWEL 0.88)

And one before that from Dec 7, its file was "mute30.gif"

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=12.791, required 5,
    BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77,
    FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_IMAGE_ONLY_12 1.87,
    HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00,
    RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
    RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RELAY_UK 0.01,
    URIBL_BLACK 2.50, URIBL_SBL 1.64)

Body hash systems like Razor's e4 and DCC both really help a lot against
embedded/attached image spams. In both of these emails the DCC/Razor
combined (plus DIGEST_MULTIPLE) resulted in 6.27 points. And that's with me
trimming down the DCC_CHECK score to 1.5 from 2.17. In a stock SA 3.1.0
config the combined hits from these two would have been over 7 points.
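
Added example (not part of the original message or of MailScanner/SpamAssassin): a Python sketch that parses the two X-EVI-MailScanner-SpamCheck values quoted above, totals the points per rule family, and checks whether each message would still reach the required score without a given family. The grouping of rules by name prefix and all function names are assumptions of this example.

```python
import re

# SpamCheck header values copied from the message above.
DEC9 = ("spam, SpamAssassin (score=29.637, required 5, autolearn=spam, "
        "BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77, "
        "DNS_FROM_RFC_DSN 2.60, DNS_FROM_RFC_POST 1.71, "
        "HTML_IMAGE_ONLY_08 3.13, HTML_MESSAGE 0.00, "
        "HTML_SHORT_LINK_IMG_1 0.95, INFO_GREYLIST_NOTDELAYED -0.00, "
        "RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50, "
        "RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_SOFTFAIL 1.38, "
        "URIBL_BLACK 2.50, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64, "
        "URIBL_SC_SURBL 4.50, URI_NOVOWEL 0.88)")
DEC7 = ("spam, SpamAssassin (score=12.791, required 5, BAYES_50 0.00, "
        "DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77, FORGED_RCVD_HELO 0.14, "
        "HTML_30_40 0.37, HTML_IMAGE_ONLY_12 1.87, HTML_MESSAGE 0.00, "
        "INFO_GREYLIST_NOTDELAYED -0.00, RAZOR2_CF_RANGE_51_100 0.50, "
        "RAZOR2_CF_RANGE_E4_51_100 1.50, RAZOR2_CF_RANGE_E8_51_100 1.50, "
        "RAZOR2_CHECK 0.50, RELAY_UK 0.01, URIBL_BLACK 2.50, URIBL_SBL 1.64)")

# Grouping rules by name prefix is an assumption of this example.
FAMILIES = {"body-hash": ("DCC_", "RAZOR2_", "DIGEST_"),
            "uri-blocklist": ("URIBL_",), "spf": ("SPF_",)}
RULE_RE = re.compile(r"\b([A-Z][A-Z0-9_]*) (-?\d+\.\d+)")

def parse_spamcheck(value):
    """Return (score, required, {rule: points}) from a SpamCheck value."""
    m = re.search(r"score=(-?[\d.]+), required (-?[\d.]+)", value)
    if m is None:
        raise ValueError("no score/required pair in header value")
    return float(m.group(1)), float(m.group(2)), {
        name: float(pts) for name, pts in RULE_RE.findall(value)}

def family_totals(rules):
    """Sum rule points per family; unmatched rules land in 'other'."""
    totals = {}
    for name, pts in rules.items():
        fam = next((f for f, p in FAMILIES.items() if name.startswith(p)), "other")
        totals[fam] = totals.get(fam, 0.0) + pts
    return {f: round(t, 2) for f, t in totals.items()}

def still_spam_without(value, *families):
    """True if score stays >= required once these families' points are removed."""
    score, required, rules = parse_spamcheck(value)
    totals = family_totals(rules)
    return score - sum(totals.get(f, 0.0) for f in families) >= required

if __name__ == "__main__":
    for hdr in (DEC9, DEC7):
        print(family_totals(parse_spamcheck(hdr)[2]), still_spam_without(hdr, "body-hash"))
```

On these two headers the body-hash family totals 6.27 in both; the Dec 7 message stays above the threshold without either the hash rules or the URIBL rules alone, but not without both.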