Ned Slider wrote:
> I had one sneak through today which didn't hit any rules at all (it hits
> a few DNSBLs now but not when I received it). It contained an inline png:
>
> Content-Type: image/png
> Content-Transfer-Encoding: base64
> Content-Disposition: inline
>
> here's the full message:
>
> http://pastebin.com/m608defa5
>
> Any idea how to tackle these? I have the DSCxxxx png rule in place but
> obviously that doesn't apply to this example.
>
> Perhaps I need a rule for "Content-Type: image/png" too?

I know you said it hit a few DNSBLs since you got it, but just to
double-check with some non-standard things that it tripped for me:

Content analysis details:   (10.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- ----------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [77.27.247.28 listed in bb.barracudacentral.org]
 1.7 RCVD_IN_JMF_BL         RBL: Relay listed in JunkEmailFilter BLACK (bad)
                            [77.27.247.28 listed in hostkarma.junkemailfilter.com]
 1.8 RCVD_IN_PSBL           RBL: Received via a relay in PSBL Spamikaze trap
                            [77.27.247.28 listed in psbl.surriel.com]
 0.4 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4984]
 0.1 HOSTEUROPE_IXHASH      BODY: iXhash found @ hosteurope.ixhash.ne
 0.1 GENERIC_IXHASH         BODY: iXhash found @ generic.ixhash.net
 0.9 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.0 IXHASH_FOUND           BODY: MD5 checksum matches known spam
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

This uses iXhash with the following extra rule:

ifplugin Mail::SpamAssassin::Plugin::iXhash
  # see http://ixhash.sourceforge.net
  meta     IXHASH_FOUND ( GENERIC_IXHASH || NIXSPAM_IXHASH || CTYME_IXHASH || HOSTEUROPE_IXHASH )
  describe IXHASH_FOUND BODY: MD5 checksum matches known spam
  score    IXHASH_FOUND 0 2 0 2
endif

KHOP_DNSBL_BUMP is a rule that trusts certain DNSBLs if they aren't
already totaling something high. RCVD_IN_BRBL_LASTEXT (which is in SA
svn), RCVD_IN_JMF_BL, and RCVD_IN_PSBL are all great additions added with
KHOP_DNSBL_BUMP in my khop-bl sa-update channel, with directions at
http://khopesh.com/Anti-spam#sa-update_channels