Jonathan Engbrecht wrote:
> hello assassin-types,
>
> I'm seeing a lot of image-only spam of the following form:
>
> rcpt to: <userid>@domain.com
> Subject: Fw: <userid>
>
> Is there a way to create a simple spamassassin rule that will hit on
> this? I could use () and \1 in regular expressions and a giant,
> multi-line matching RE (probably), but I'm worried about processing time
> - two regular expressions would probably be better.
>
> thoughts?
>
You'd need to write a plugin to do this efficiently.
That said, I get a lot of them too, with drug-spam ads in them. My most recent
one racked up a hell of a score without any extra help on my part.
X-EVI-MailScanner-SpamCheck: spam, SpamAssassin (score=37.608, required 5,
autolearn=spam, BAYES_50 0.00, DATE_IN_PAST_06_12 0.83,
DCC_CHECK 1.50, DIGEST_MULTIPLE 0.77, EXTRA_MPART_TYPE 1.09,
HELO_DYNAMIC_ADELPHIA 1.79, HTML_IMAGE_ONLY_12 1.87,
HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_2 1.58,
INFO_GREYLIST_NOTDELAYED -0.00, INFO_TLD 0.50,
RAZOR2_CF_RANGE_51_100 0.50, RAZOR2_CF_RANGE_E8_51_100 1.50,
RAZOR2_CHECK 0.50, RCVD_IN_BL_SPAMCOP_NET 1.56,
RCVD_IN_NJABL_DUL 1.95, URIBL_AB_SURBL 3.81, URIBL_BLACK 2.50,
URIBL_JP_SURBL 4.09, URIBL_OB_SURBL 3.01, URIBL_SBL 1.64,
URIBL_SC_SURBL 4.50, URIBL_WS_SURBL 2.14)
Admittedly most of that score comes from the image being wrapped as a HTML link
to the drug-spammer's website, which racked up all the URIBLS and Razor's e8...
