Pollywog wrote:
> On 12/11/2005 05:31 pm, Kai Schaetzl wrote:
> 
>>Craig Zeigler wrote on Sun, 11 Dec 2005 11:11:15 -0500:
>>
>>>The filename is Part 1.1.jpg.
>>
>>Use MailScanner or another tool to reject/delete mail with that name. If
>>it is coming from zombies, just disallow zombies at MTA level. Not
>>everything anti-spam should be done with SA.
> 
> Spammers are stupid, but not THAT stupid; they do use different names for 
> their files; the ones I have gotten seem to have random filenames using mixed 
> case.  I think it's a job better suited to Procmail or Maildrop, though.  I 
> am trying to find a way to do it with a Maildrop filter.

FWIW, the most recent version of this that I got was on Dec 9, and the
attachment was an embedded type named "22.jpg".

It wound up containing a link to their site in its limited text, and the URIBLs
tore it to bits. Also both hash-systems I use (razor and DCC) nailed it, and it
was an SPF forgery.


X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=29.637, required 5,
        autolearn=spam, BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77,
        DNS_FROM_RFC_DSN 2.60, DNS_FROM_RFC_POST 1.71,
        HTML_IMAGE_ONLY_08 3.13, HTML_MESSAGE 0.00,
        HTML_SHORT_LINK_IMG_1 0.95, INFO_GREYLIST_NOTDELAYED -0.00,
        RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
        RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_SOFTFAIL 1.38,
        URIBL_BLACK 2.50, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64,
        URIBL_SC_SURBL 4.50, URI_NOVOWEL 0.88)


And one before that from Dec 7, its file was "mute30.gif"

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=12.791, required 5,
        BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77,
        FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_IMAGE_ONLY_12 1.87,
        HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00,
        RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
        RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RELAY_UK 0.01,
        URIBL_BLACK 2.50, URIBL_SBL 1.64)

Body hash systems like Razor's e4 and DCC both really help a lot against
embedded/attached image spams. In both of these emails the DCC/Razor combined
(plus DIGEST_MULTIPLE) resulted in 6.27 points. And that's with me trimming down
the DCC_CHECK score to 1.5 from 2.17. In a stock SA 3.1.0 config the combined
hits from these two would have been over 7 points.


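As an added example (my own code, not part of this thread or of MailScanner/SpamAssassin), here is a small Python parser for the X-EVI-MailScanner-SpamCheck header format shown in the two samples above. It unfolds the continuation lines, pulls out verdict, score, threshold, autolearn status and each rule hit with its score, then totals the hash-based tests the way the 6.27-point figure was arrived at (DCC_*, RAZOR2_* and DIGEST_MULTIPLE; that grouping is my choice, not an SA convention). It also checks that the listed per-rule scores add up to the reported total within the rounding SA applies when printing them, which is a useful sanity check when reviewing headers from a mail archive or a quarantine.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# The two folded X-EVI-MailScanner-SpamCheck headers quoted in the message above,
# reproduced verbatim (continuation lines indented, as MailScanner writes them).
HEADER_DEC9 = """X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=29.637, required 5,
        autolearn=spam, BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77,
        DNS_FROM_RFC_DSN 2.60, DNS_FROM_RFC_POST 1.71,
        HTML_IMAGE_ONLY_08 3.13, HTML_MESSAGE 0.00,
        HTML_SHORT_LINK_IMG_1 0.95, INFO_GREYLIST_NOTDELAYED -0.00,
        RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
        RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, SPF_SOFTFAIL 1.38,
        URIBL_BLACK 2.50, URIBL_JP_SURBL 4.09, URIBL_SBL 1.64,
        URIBL_SC_SURBL 4.50, URI_NOVOWEL 0.88)"""

HEADER_DEC7 = """X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=12.791, required 5,
        BAYES_50 0.00, DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77,
        FORGED_RCVD_HELO 0.14, HTML_30_40 0.37, HTML_IMAGE_ONLY_12 1.87,
        HTML_MESSAGE 0.00, INFO_GREYLIST_NOTDELAYED -0.00,
        RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E4_51_100 1.50,
        RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50, RELAY_UK 0.01,
        URIBL_BLACK 2.50, URIBL_SBL 1.64)"""

# Header line shape: "<name>: <verdict>, SpamAssassin (<body>)"
HEADER_RE = re.compile(
    r"^(?P<name>X-[\w-]*SpamCheck):\s*(?P<verdict>[^,]+),\s*SpamAssassin\s*\((?P<body>.*)\)\s*$"
)
# One rule hit inside the parentheses: "RULE_NAME 1.50" (scores may be negative).
HIT_RE = re.compile(r"^([A-Z][A-Z0-9_]*)\s+(-?\d+\.\d+)$")

# Grouping used for the 6.27-point subtotal in the message: the body-hash tests
# (Razor2, DCC) plus DIGEST_MULTIPLE, which fires when more than one digest
# system agrees. This grouping is my own, not something SA defines.
HASH_PREFIXES = ("RAZOR2_", "DCC_")
HASH_EXACT = {"DIGEST_MULTIPLE"}


@dataclass
class SpamCheck:
    verdict: str
    score: float
    required: float
    autolearn: Optional[str]
    hits: Dict[str, float]


def unfold(raw: str) -> str:
    """Join folded continuation lines (leading whitespace) into one header line."""
    lines = raw.splitlines()
    out = lines[0].rstrip()
    for line in lines[1:]:
        if not line[:1].isspace():
            raise ValueError("expected a single folded header, got a second header line")
        out += " " + line.strip()
    return out


def parse_spamcheck(raw: str) -> SpamCheck:
    """Parse one (possibly folded) MailScanner SpamCheck header."""
    m = HEADER_RE.match(unfold(raw))
    if not m:
        raise ValueError("not a MailScanner SpamCheck header")
    score = required = None
    autolearn = None
    hits: Dict[str, float] = {}
    for item in (p.strip() for p in m.group("body").split(",")):
        if item.startswith("score="):
            score = float(item[len("score="):])
        elif item.startswith("required "):
            required = float(item.split()[1])
        elif item.startswith("autolearn="):
            autolearn = item.split("=", 1)[1]
        elif (h := HIT_RE.match(item)):
            hits[h.group(1)] = float(h.group(2))
        else:
            raise ValueError(f"unrecognised field: {item!r}")
    if score is None or required is None:
        raise ValueError("header lacks score= or required")
    return SpamCheck(m.group("verdict"), score, required, autolearn, hits)


def hash_points(sc: SpamCheck) -> float:
    """Points contributed by the hash-based tests, rounded to 2 decimals as SA prints."""
    total = sum(
        v for k, v in sc.hits.items()
        if k.startswith(HASH_PREFIXES) or k in HASH_EXACT
    )
    return round(total, 2)


def hits_agree_with_score(sc: SpamCheck) -> bool:
    """The per-rule scores are printed to 2 decimals, so their sum may differ from
    the reported total by up to 0.005 per rule; anything larger means a hit is missing."""
    return abs(sum(sc.hits.values()) - sc.score) <= 0.005 * len(sc.hits)


if __name__ == "__main__":
    for label, raw in (("Dec 9", HEADER_DEC9), ("Dec 7", HEADER_DEC7)):
        sc = parse_spamcheck(raw)
        print(f"{label}: {sc.verdict} {sc.score:.3f}/{sc.required:g}, "
              f"{len(sc.hits)} rules, hash tests {hash_points(sc)} pts, "
              f"consistent={hits_agree_with_score(sc)}")
```

Running it on the two headers gives 6.27 hash-test points for each, matching the figure in the message, and both headers pass the consistency check (the Dec 9 total differs from the sum of its printed hits by 0.013, well inside the rounding allowance for 19 rules).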