Jeremy Morton wrote:
> Recently I've been receiving some new image spams, subtly different
> from the one this rule is designed to mark:
> http://markmail.org/message/zio642mxs5p42kxa
>
> ... in that it actually does have a blank text MIME part.
>
> Here's an example of one such spam:
> http://rafb.net/p/ppyJAS34.html

Actually, there only seems to be one MIME part in what you have pasted,
so amending John's rule and the inbuilt one as follows should do it:

header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\//i

because I also recall them coming in as multipart/related.  The
inbuilt rule only looked for "image/jpeg", so:

mimeheader __ANY_IMAGE_ATTACH    Content-Type =~ /image\/(?:gif|jpe?g|png)/

I don't think image/jpg is a standard MIME type, so we could also create:

mimeheader MIME_IMAGE_JPG       Content-Type =~ /image\/jpg/
describe MIME_IMAGE_JPG         contains wrong MIME type image\/jpg
score MIME_IMAGE_JPG            1.0

Also, it's not really a JPEG but a PNG, and one with a consistent header
over the last few weeks:

full PILL_IMAGE_PNG_HEAD         /^U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAADAUExU/m
describe PILL_IMAGE_PNG_HEAD     2nd line of base64 of autogenerated PNG
score PILL_IMAGE_PNG_HEAD        1.5

I have seen spam come as you say with a minimal body part, as in:

rawbody PILL_IMAGE_HTML          /<body bgcolor="\#ffffff" text="\#000000">\s<img src="[a-z]+\.(?:png|jpe?g|gif)">\s<\/body>/s
describe PILL_IMAGE_HTML         Very simple HTML part as in image-only May 09
score PILL_IMAGE_HTML            0.1

I think an image with no text in the body part at all is pretty rare, but
I might do something like that if I was sending a picture to myself.

Meta rules based on some combination of the above could probably catch
it all at the moment.  Your sample hit DCC_CHECK and BAYES_80 for me,
but not the iXhash rules.

Hope these are of some use.

CK
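The rules in this thread can be sanity-checked offline before they go into local.cf. The script below is an added example, not code from the thread: it re-implements the rules' regexes in Python, applies each at the scope SpamAssassin would (header, mimeheader, rawbody, full), and runs them over a constructed message; the sample message and the PILL_IMAGE_COMBO meta rule are assumptions.

```python
"""Added example: run the thread's rule regexes over a constructed image-spam sample."""
import email
import re

RULES = {  # (rule scope, regex) -- scope says which part of the message SA applies it to
    "__CTYPE_MULTIPART_MXD": ("header", re.compile(r"multipart/", re.I)),
    "__ANY_IMAGE_ATTACH": ("mimeheader", re.compile(r"image/(?:gif|jpe?g|png)", re.I)),
    "MIME_IMAGE_JPG": ("mimeheader", re.compile(r"image/jpg", re.I)),  # not a registered type
    # second base64 line of the generated PNG, anchored at line start (/m) as the body is wrapped
    "PILL_IMAGE_PNG_HEAD": ("full", re.compile(r"^U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAADAUExU", re.M)),
    "PILL_IMAGE_HTML": ("rawbody", re.compile(
        r'<body bgcolor="#ffffff" text="#000000">\s<img src="[a-z]+\.(?:png|jpe?g|gif)">\s</body>', re.S)),
}

def check_message(raw: str) -> dict:  # returns {rule_name: hit} for a raw RFC 2822 message
    msg = email.message_from_string(raw)
    parts = list(msg.walk())                                    # container plus every sub-part
    html = [p.get_payload(decode=True).decode("latin-1", "replace")
            for p in parts if p.get_content_type() == "text/html"]  # transfer-decoded, tags intact
    targets = {
        "header": [msg.get("Content-Type", "")],                 # top-level header only
        "mimeheader": [p.get("Content-Type", "") for p in parts],
        "full": [raw],                                           # undecoded message, headers included
        "rawbody": html,
    }
    hits = {name: any(rx.search(t) for t in targets[scope]) for name, (scope, rx) in RULES.items()}
    # Assumed meta rule: multipart + image part + one of the two body fingerprints.
    hits["PILL_IMAGE_COMBO"] = (hits["__CTYPE_MULTIPART_MXD"] and hits["__ANY_IMAGE_ATTACH"]
                                and (hits["PILL_IMAGE_HTML"] or hits["PILL_IMAGE_PNG_HEAD"]))
    return hits

# Constructed sample shaped like the spam described in the thread (not a real message).
SAMPLE = """\
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset=us-ascii

<html><body bgcolor="#ffffff" text="#000000">
<img src="pill.png">
</body></html>
--b1
Content-Type: image/jpg; name="pill.png"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAB3RJTUUH2QUJAAAAAAAAAAAAAAAAAAA
U29mdHdhcmUAQWRvYmUgSW1hZ2VSZWFkeXHJZTwAAADAUExUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""
```

Feed it a real sample with `check_message(open("spam.eml").read())` to see which of the rules would fire before tuning scores.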


