Ned Slider wrote:
> I had one sneak through today which didn't hit any rules at all (it hits
> a few DNSBLs now but not when I received it). It contained an inline png:
> 
> Content-Type: image/png
> Content-Transfer-Encoding: base64
> Content-Disposition: inline
> 
> here's the full message:
> 
> http://pastebin.com/m608defa5
> 
> Any idea how to tackle these? I have the DSCxxxx png rule in place but
> obviously that doesn't apply to this example.
> 
> Perhaps I need a rule for "Content-Type: image/png" too?

I know you said it hit a few DNSBLs since you got it, but just to
double-check with some non-standard things that it tripped for me:

Content analysis details:   (10.0 points, 5.0 required)

pts rule name              description
--- ---------------------- ----------------------------------------------
1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                           [77.27.247.28 listed in bb.barracudacentral.org]
1.7 RCVD_IN_JMF_BL         RBL: Relay listed in JunkEmailFilter BLACK (bad)
                           [77.27.247.28 listed in hostkarma.junkemailfilter.com]
1.8 RCVD_IN_PSBL           RBL: Received via a relay in PSBL Spamikaze trap
                           [77.27.247.28 listed in psbl.surriel.com]
0.4 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                           [score: 0.4984]
0.1 HOSTEUROPE_IXHASH      BODY: iXhash found @ hosteurope.ixhash.ne
0.1 GENERIC_IXHASH         BODY: iXhash found @ generic.ixhash.net
0.9 RDNS_NONE              Delivered to trusted network by a host with no rDNS
2.0 IXHASH_FOUND           BODY: MD5 checksum matches known spam
2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

This uses iXhash with the following extra rule:

ifplugin Mail::SpamAssassin::Plugin::iXhash # see http://ixhash.sourceforge.net
  meta IXHASH_FOUND     ( GENERIC_IXHASH || NIXSPAM_IXHASH || CTYME_IXHASH || HOSTEUROPE_IXHASH )
  describe IXHASH_FOUND BODY: MD5 checksum matches known spam
  score IXHASH_FOUND    0 2 0 2
endif

KHOP_DNSBL_BUMP is a rule that trusts certain DNSBLs if they aren't
already totaling something high.  RCVD_IN_BRBL_LASTEXT (which is in SA
svn), RCVD_IN_JMF_BL, and RCVD_IN_PSBL are all great additions added
with KHOP_DNSBL_BUMP in my khop-bl sa-update channel, with directions at
http://khopesh.com/Anti-spam#sa-update_channels

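An added example, not part of the original post: a small Python model of how the IXHASH_FOUND meta rule and its four-value score line above resolve. It assumes SpamAssassin's documented score-set order (Bayes off/net off, Bayes off/net on, Bayes on/net off, Bayes on/net on) and handles boolean-only metas; the function names are made up for this sketch.

```python
import re

# Rule text as posted above, with the e-mail line wraps joined.
RULE_TEXT = """
meta IXHASH_FOUND ( GENERIC_IXHASH || NIXSPAM_IXHASH || CTYME_IXHASH || HOSTEUROPE_IXHASH )
score IXHASH_FOUND 0 2 0 2
"""
# iXhash sub-rules listed in the report above.
REPORT_HITS = {"HOSTEUROPE_IXHASH", "GENERIC_IXHASH"}

def parse_rules(text):
    """Collect meta expressions and score lists, keyed by rule name."""
    metas, scores = {}, {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 2)  # simplified comment strip
        if len(parts) == 3 and parts[0] == "meta":
            metas[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[0] == "score":
            scores[parts[1]] = [float(v) for v in parts[2].split()]
    return metas, scores

def eval_meta(expr, hits):
    """Evaluate a boolean-only meta; a sub-rule is 1 if it hit, else 0."""
    words = {"||": "or", "&&": "and", "!": "not", "(": "(", ")": ")"}
    tokens = re.findall(r"\|\||&&|[()!]|\w+", expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError("unsupported meta syntax: " + expr)
    # Only whitelisted words and 0/1 literals ever reach eval().
    py = " ".join(words.get(t, "1" if t in hits else "0") for t in tokens)
    return bool(eval(py, {"__builtins__": {}}))

def score_set(bayes, net):
    """Score set index: 0 = neither, 1 = net only, 2 = Bayes only, 3 = both."""
    return (2 if bayes else 0) + (1 if net else 0)

def rule_score(name, hits, metas, scores, bayes, net):
    """Points the rule contributes for these hits in this scanner mode."""
    if not eval_meta(metas[name], hits):
        return 0.0
    values = scores[name]
    return values[score_set(bayes, net)] if len(values) == 4 else values[0]

METAS, SCORES = parse_rules(RULE_TEXT)

if __name__ == "__main__":
    for bayes in (False, True):
        for net in (False, True):
            pts = rule_score("IXHASH_FOUND", REPORT_HITS, METAS, SCORES, bayes, net)
            print(f"bayes={bayes} net={net} -> {pts}")
```

With "0 2 0 2" the rule only adds points when network tests are enabled, which matches the 2.0 shown in the report, where both Bayes and DNSBL rules fired.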