On Sat, 25 Apr 2009, Gary Forrest wrote:
We are receiving the same image spam many times, random text within the
body. The only common thing is a image attachment, with the filename in
the following format
DSL1234.png
I have made the following ' RAWBODY ' rule
/dsl[0-9]{4}\.png/i
You need to use a 'full' rule to scan attachment names.
While you are at it, you can also scan for
full /Content-Type: image\/gif;\n[^a-z]+name=""/
As this seems to be the next evolution of the spam. Nameless gifs.... :)
Enjoy!
- Charles