On Wed, 2009-06-17 at 22:16 +0930, Cory Hawkless wrote: 
> The RBL is a good point, I'm only getting these when I turn off 
> zen.spamhaus (for testing)
> BUT the emails I got did NOT have sex in the subject, "How To Give Her strong 
> Harder Orgasms - 3 Spectaceular Tips To Make Her Beeg For More And More" is 
> what I got
> 
> -----Original Message-----
> From: rich...@buzzhost.co.uk [mailto:rich...@buzzhost.co.uk] 
> Sent: Wednesday, 17 June 2009 9:43 PM
> To: Paweł Tęcza
> Cc: users@spamassassin.apache.org
> Subject: Re: new spam image with random body message
> 
> On Wed, 2009-06-17 at 13:33 +0200, Paweł Tęcza wrote:
> > Ibrahim Harrani pisze:
> > > Hi,
> > > 
> > > another header from another image spams.
> > > All images contain good, bad and a URL with numbers.
> > 
> > The spammers are cunning... It seems that they have stopped sending spams
> > with X-Mailer: header containing something like "PHP v5.2.0" or
> > "PHP/4.4.5". Also they don't use only digits in attachment filenames.
> > So I'm afraid that my SpamAssassin rules are not effective for that
> > kind of spam :(
> > 
> > > It seems that ocrad can't decode the strings in the images.
> > > FuzzyOcr version is 3.6.0
> > 
> > I've added "BAD", "GOOD" and exemplary domain name to my FuzzyOcr word
> > file, but unfortunately FuzzyOcr didn't recognise them :(
> > 
> > Maybe someone has better idea how to fight that image spam?
> > 
> > Cheers,
> > 
> > P.
> > 
> But this is all totally academic; Why jump through all the hoops to
> block the image when the original connecting IP is showing 'unknown' in
> the hostname
> 
> Received: from unknown (HELO ognh.user.ono.com)
> 
> Is listed on piles of policy and RBL lists;
> 
> 62.57.252.74   listed in b.barracudacentral.org. 
> 62.57.252.74   listed in PBL (SPAMHAUS) 
> 62.57.252.74   listed in XBL NJABL 
> 62.57.252.74   listed in dul.dnsbl.sorbs.net 
> 62.57.252.74   listed in cbl.abuseat.org. 
> 62.57.252.74   listed in bl.spamcop.net. 
> 62.57.252.74   listed in no-more-funn.moensted.dk.
> 
> and has SEX twice in the subject.
> 
> Why would it ever get as far as blocking it on the content? What has
> gone so wrong it ever got that far?
> 
> 
> 
But there are certain words you would never expect to see in the
subjects of legitimate mail nonetheless, unless you often get mail with
words like 'Orgasms' in it :-) If you do, please *share* your friends
with us all!

Seriously, the RBLs would have killed this, the missing hostname, the
hint that it is a 'user' IP connecting (not a legit mail server), the
key words - all could have been used by the MTA to drop this message on
the floor without troubling SA to scan it. Looking at the content of the
mail is the last resort - if it's got that far into your system, the
spammer wins.

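Added example, not part of the original thread: a sketch of the connect-time checks discussed above (DNSBL listing, missing reverse DNS, end-user style HELO), applied before any content scan. The zone tuple, the HELO pattern, the reject policy and the resolver data are assumptions made for illustration; the resolver is injected so the code runs without live DNS.

```python
import ipaddress
import re

# DNSBL zones named in the thread; adjust to local policy.
ZONES = ("zen.spamhaus.org", "cbl.abuseat.org", "bl.spamcop.net")
# Assumed pattern for end-user style host names such as ognh.user.ono.com.
DYNAMIC_HINT = re.compile(r"(^|[.-])(user|dyn|dynamic|dsl|pool|dhcp)([.-]|$)", re.I)
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Spamhaus answers 127.255.255.x for query errors; these are not listings.
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def is_listed(answers):
    """True if any A record is a listing code rather than an error code."""
    addrs = [ipaddress.IPv4Address(a) for a in answers]
    return any(a in LOOPBACK and a not in ERROR_NET for a in addrs)


def connect_policy(ip, rdns, helo, resolve):
    """Decide at connect time, before DATA. resolve(name) returns A records
    ([] for NXDOMAIN) and is injected so this runs offline; rdns is None
    when the PTR lookup failed ("unknown" in the thread's Received line)."""
    listed = [f"listed in {z}" for z in ZONES
              if is_listed(resolve(dnsbl_name(ip, z)))]
    hints = []
    if rdns is None:
        hints.append("no reverse DNS")
    if DYNAMIC_HINT.search(helo or ""):
        hints.append("HELO looks like an end-user host")
    # Assumed policy: one DNSBL hit, or two weaker hints, is enough to reject.
    action = "reject" if listed or len(hints) >= 2 else "accept"
    return action, listed + hints


# Constructed resolver data standing in for live DNS answers.
SAMPLE_DNS = {
    "74.252.57.62.zen.spamhaus.org": ["127.0.0.11"],
    "74.252.57.62.cbl.abuseat.org": ["127.0.0.2"],
    "9.113.0.203.zen.spamhaus.org": ["127.255.255.254"],  # error code only
}


def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])
```

Treating the 127.255.255.x error answers as listings would reject every connection whenever the queries go through a resolver the list operator refuses, which is why `is_listed` excludes them.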