My recommendation is to take this approach.... Penalize emails with inline gifs, and penalize them even more if they hit in combination with HTML_IMAGE_ONLY_*.

meta __IMG_ONLY (HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 || HTML_IMAGE_ONLY_12 || HTML_IMAGE_ONLY_16 || HTML_IMAGE_ONLY_20 || HTML_IMAGE_ONLY_24 )

full SARE_GIF_ATTACH /name=\"[a-z]{3,18}\.gif\"/
describe SARE_GIF_ATTACH Email has a inline gif
score SARE_GIF_ATTACH 0.75

meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
describe SARE_GIF_STOX Inline Gif with little HTML
score SARE_GIF_STOX 1.75

Realize that some of the new stox spam is coming with additional Bayes garbage to screw up the HTML to Image ratio, and cause HTML_IMAGE_ONLY_* to not even fire. If that is the case, you may just want to pump SARE_GIF_ATTACH up a bit. Realize SARE_GIF_ATTACH "will" FP if you score it too high.

Neither of the above rules is published by SARE. 70_sare_stocks.cf contains the following rules because they have very good S/O's. Although we have masschecked the above SARE_GIF_STOX and it had a very nice S/O as well, we just never published it. Not sure why. Those masscheck results are below from 5 different corpora.

OVERALL%   SPAM%    HAM%     S/O    RANK   SCORE  NAME
    1244    1244       0   1.000    0.42    1.25  SARE_GIF_STOX
      88      87       1   0.957    0.68    1.25  SARE_GIF_STOX
    1582    1581       1   0.998    0.59    1.25  SARE_GIF_STOX
      44      44       0   1.000    0.89    1.25  SARE_GIF_STOX
     115     115       0   1.000    0.89    1.25  SARE_GIF_STOX

The current published rules for image only stock spam look like this...

#-----------------------------------------------------------------------------------
# 02/01/06
## Contributed by Dallas
full __SHORT_GIF /name=\"[a-z]{3,8}\.gif\"/
full __SHORT_GIF2 /filename=\"[a-z]{3,8}\"/

meta SARE_STOX_IMG_ONLY ( __SHORT_GIF && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ))
describe SARE_STOX_IMG_ONLY Image only stock spam
score SARE_STOX_IMG_ONLY 1.25
##counts SARE_STOX_IMG_ONLY 1s/0h of 27159 corpus (19368s/7791h FT) 01/31/06
##counts SARE_STOX_IMG_ONLY 20s/0h of 11689 corpus (6129s/5560h CT) 01/31/06
##counts SARE_STOX_IMG_ONLY 2s/0h of 8032 corpus (5812s/2220h AxB) 02/01/06
##counts SARE_STOX_IMG_ONLY 44s/0h of 37291 corpus (31813s/5478h MY) 01/31/06
##counts SARE_STOX_IMG_ONLY 487s/0h of 58996 corpus (45504s/13492h ML) 01/31/06
##counts SARE_STOX_IMG_ONLY 536s/1h of 206158 corpus (52568s/153590h RM) 02/03/06
##counts SARE_STOX_IMG_ONLY 925s/0h of 88486 corpus (49109s/39377h DOC) 01/31/06

meta SARE_STOX_IMG_ONLY2 ( __SHORT_GIF2 && ( HTML_IMAGE_ONLY_04 || HTML_IMAGE_ONLY_08 ))
describe SARE_STOX_IMG_ONLY2 Image only stock spam
score SARE_STOX_IMG_ONLY2 1.66
##counts SARE_STOX_IMG_ONLY2 0s/0h of 11689 corpus (6129s/5560h CT) 01/31/06
##counts SARE_STOX_IMG_ONLY2 0s/0h of 206158 corpus (52568s/153590h RM) 02/03/06
##counts SARE_STOX_IMG_ONLY2 0s/0h of 37291 corpus (31813s/5478h MY) 01/31/06
##counts SARE_STOX_IMG_ONLY2 160s/0h of 27159 corpus (19368s/7791h FT) 01/31/06
##counts SARE_STOX_IMG_ONLY2 230s/0h of 8032 corpus (5812s/2220h AxB) 02/01/06
##counts SARE_STOX_IMG_ONLY2 30s/0h of 58996 corpus (45504s/13492h ML) 01/31/06
##counts SARE_STOX_IMG_ONLY2 98s/0h of 88486 corpus (49109s/39377h DOC) 01/31/06

Cya,
Dallas

> -----Original Message-----
> From: Craig Baird [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, March 07, 2006 10:54
> To: users@spamassassin.apache.org
> Subject: Re: All image spam
>
> I'm having similar results here. As others have mentioned,
> the SARE stock rules do help somewhat, but it's by no means
> the proverbial "silver bullet".
> As someone else also mentioned, it helps to increase the
> HTML_IMAGE_ONLY_XX rules. I increased 12,16,20, and 24 by
> one point each. However, that still doesn't nail all of
> them. I have seen some come through without even hitting any
> HTML_IMAGE_ONLY_XX rules.
>
> It seems to me that with these image-only spams, spammers may
> have finally stumbled onto a pretty good weapon to counter
> SA, and to defeat Bayes. With broadband connections being
> dirt cheap these days, and with all the zombie nets at their
> disposal, spammers can now blast out large spams in a short
> amount of time, without causing much drain on their own
> network resources.
> I'm getting image-only spam with attachments ranging in size
> from about 12K to 70K.
>
> I'll bet it's only a matter of time before we start seeing
> spam larger than 256K, which I believe is the threshold that
> most people use to determine whether to send a message to SA
> for scanning or not. We'll probably all be bumping up that
> threshold at some point. :(
>
> Craig
>
>
> Quoting Jack Gostl <[EMAIL PROTECTED]>:
>
> > I've seen some references to this in threads, but I didn't
> > see an answer.
> >
> > Starting in late November, we started getting hit with spam
> > that was almost entirely a jpeg. They seem to be mostly "stock
> > recommendations". There is minimal message, usually HTML,
> > and the real spam content is in the image.
> > Despite all the training that I do, this seems to slip through the
> > Bayes algorithms with no more than a 50%, and the rest of the tests
> > don't drive the score up high enough to help.
> >
> > I am currently running SpamAssassin 3.0.3. I tried running these
> > messages through SpamAssassin 3.1 and it doesn't seem to help.
> >
> > Any suggestions?
> >
> > Thanks - Jack
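
The following is an added example, not part of the original message or of the SARE rule set: a small Python model of how the rules quoted above combine, useful for checking coverage and false-positive exposure before changing scores. The function names, the sample filenames and the HTML_IMAGE_ONLY_* hits passed in for each case are assumptions made for the illustration; the regexes and scores are the ones in the message.

```python
import re

# Regexes copied from the rules quoted in the message. SpamAssassin "full"
# rules match the raw, undecoded message, so matching raw text models them.
FULL_RULES = {
    "SARE_GIF_ATTACH": re.compile(r'name="[a-z]{3,18}\.gif"'),
    "__SHORT_GIF": re.compile(r'name="[a-z]{3,8}\.gif"'),
    "__SHORT_GIF2": re.compile(r'filename="[a-z]{3,8}"'),
}
IMG_ONLY = {"HTML_IMAGE_ONLY_%02d" % n for n in (4, 8, 12, 16, 20, 24)}
IMG_ONLY_NARROW = {"HTML_IMAGE_ONLY_04", "HTML_IMAGE_ONLY_08"}
SCORES = {"SARE_GIF_ATTACH": 0.75, "SARE_GIF_STOX": 1.75,
          "SARE_STOX_IMG_ONLY": 1.25, "SARE_STOX_IMG_ONLY2": 1.66}

def evaluate(raw, html_hits):
    """Return (scored rule names, total) for one raw message.

    html_hits is the set of HTML_IMAGE_ONLY_* rules that fired; it is supplied
    by the caller because this sketch does not reimplement that HTML test."""
    hits = {name for name, rx in FULL_RULES.items() if rx.search(raw)}
    if "SARE_GIF_ATTACH" in hits and html_hits & IMG_ONLY:
        hits.add("SARE_GIF_STOX")
    if "__SHORT_GIF" in hits and html_hits & IMG_ONLY_NARROW:
        hits.add("SARE_STOX_IMG_ONLY")
    if "__SHORT_GIF2" in hits and html_hits & IMG_ONLY_NARROW:
        hits.add("SARE_STOX_IMG_ONLY2")
    scored = sorted(h for h in hits if h in SCORES)
    return scored, round(sum(SCORES[h] for h in scored), 2)

def part(name):
    """Constructed MIME part headers for an inline image (sample data)."""
    return ('Content-Type: image/gif; name="%s"\n'
            'Content-Disposition: inline; filename="%s"\n' % (name, name))

# Constructed cases: (raw headers, HTML_IMAGE_ONLY_* hits assumed for the body)
CASES = {
    "image-only stock spam": (part("qwertyu.gif"), {"HTML_IMAGE_ONLY_08"}),
    "same image, padded text": (part("qwertyu.gif"), set()),
    "longer name, more text": (part("abcdefghijkl.gif"), {"HTML_IMAGE_ONLY_16"}),
    "newsletter with logo": (part("logo.gif"), set()),
}

if __name__ == "__main__":
    for label, (raw, html_hits) in CASES.items():
        print(label, *evaluate(raw, html_hits))
```

The last two cases show the trade-off described in the message: the wider SARE_GIF_STOX meta still fires where the published 04/08-only rules do not, while SARE_GIF_ATTACH on its own also hits an ordinary inline logo, which is why its score has to stay low.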