Jonathan Engbrecht wrote:
> hello assassin-types,
>
> I'm seeing a lot of image-only spam of the following form:
>
> rcpt to: <userid>@domain.com
> Subject: Fw: <userid>
>
> Is there a way to create a simple spamassassin rule that will hit on
> this? I could use () and \1 in regular expressions and a giant,
> multi-line matching RE (probably), but I'm worried about processing time
> - two regular expressions would probably be better.
>
> thoughts?
>

You'd need to write a plugin to do this efficiently.

That said, I get a lot of them too, with drug-spam ads in them. My most recent one racked up a hell of a score without any extra help on my part.

X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=37.608,
    required 5, autolearn=spam, BAYES_50 0.00, DATE_IN_PAST_06_12 0.83,
    DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77, EXTRA_MPART_TYPE 1.09,
    HELO_DYNAMIC_ADELPHIA 1.79, HTML_IMAGE_ONLY_12 1.87, HTML_MESSAGE 0.00,
    HTML_SHORT_LINK_IMG_2 1.58, INFO_GREYLIST_NOTDELAYED -0.00,
    INFO_TLD 0.50, RAZOR2_CF_RANGE_51_100 0.50,
    RAZOR2_CF_RANGE_E8_51_100 1.50, RAZOR2_CHECK 0.50,
    RCVD_IN_BL_SPAMCOP_NET 1.56, RCVD_IN_NJABL_DUL 1.95,
    URIBL_AB_SURBL 3.81, URIBL_BLACK 2.50, URIBL_JP_SURBL 4.09,
    URIBL_OB_SURBL 3.01, URIBL_SBL 1.64, URIBL_SC_SURBL 4.50,
    URIBL_WS_SURBL 2.14)

Admittedly most of that score comes from the image being wrapped as a HTML link to the drug-spammer's website, which racked up all the URIBLS and Razor's e8...
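
The plugin approach suggested in the reply could look like the following sketch of a SpamAssassin eval-rule plugin; it is an added example, not code from the thread or from the SpamAssassin project. The package name, rule name, path and score are hypothetical, and it assumes the envelope recipient also appears in the To/Cc headers, since SpamAssassin only sees headers unless the MTA records the envelope address.

```perl
# Added example, not from the thread. Package name, rule name, path and
# score are hypothetical. To enable, put in local.cf:
#   loadplugin SubjectIsRcptLocalpart /path/to/SubjectIsRcptLocalpart.pm
#   header   SUBJ_IS_RCPT_LOCALPART eval:check_subject_is_rcpt_localpart()
#   describe SUBJ_IS_RCPT_LOCALPART Subject is "Fw: <recipient local part>"
#   score    SUBJ_IS_RCPT_LOCALPART 1.0
package SubjectIsRcptLocalpart;

use strict;
use warnings;
use Mail::SpamAssassin::Plugin;
our @ISA = qw(Mail::SpamAssassin::Plugin);

sub new {
    my ($class, $mailsa) = @_;
    $class = ref($class) || $class;
    my $self = $class->SUPER::new($mailsa);
    bless($self, $class);
    $self->register_eval_rule('check_subject_is_rcpt_localpart');
    return $self;
}

sub check_subject_is_rcpt_localpart {
    my ($self, $pms) = @_;

    my $subject = $pms->get('Subject');
    return 0 unless defined $subject;

    # One cheap anchored match pulls out the candidate userid; the
    # comparison below is a plain string test, so no backreferences
    # or multi-line regular expressions are needed.
    my ($candidate) = $subject =~ /^\s*Fw:\s*(\S+)\s*$/i;
    return 0 unless defined $candidate;
    $candidate = lc $candidate;

    # Assumption: the envelope recipient is also listed in To/Cc.
    for my $addr ($pms->all_to_addrs()) {
        my ($local) = $addr =~ /^([^@]+)@/;
        next unless defined $local;
        return 1 if lc($local) eq $candidate;
    }
    return 0;
}

1;
```

A low score is a reasonable starting point, since a legitimate forward whose subject is just the recipient's userid would also match.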