Hi,

> Text added to e-mail is a bogus one, never repeated, same as the old styled
> spam mail with attached images. The OCR doesn't detect nothing, I understand
> because of flagged effect. Also, image file name changes, if it have.

A few of these have slipped through on my systems, but for the most
part, these rules have worked here:

mimeheader AS_090505_CDIS_INLINE  Content-Disposition =~ /inline/
score      AS_090505_CDIS_INLINE  0.5
describe   AS_090505_CDIS_INLINE  Rule by AS: Content-Disposition: inline

mimeheader AS_090508_CTYP_PNG     Content-Type =~ /image\/png/
score      AS_090508_CTYP_PNG     0.5
describe   AS_090508_CTYP_PNG     Rule by AS: Content-Type: PNG

mimeheader AS_090508_CTYP_JPG     Content-Type =~ /image\/jpg/
score      AS_090508_CTYP_JPG     0.5
describe   AS_090508_CTYP_JPG     Rule by AS: Content-Type: JPG

mimeheader AS_090508_CTYP_JPEG     Content-Type =~ /image\/jpeg/
score      AS_090508_CTYP_JPEG     0.5
describe   AS_090508_CTYP_JPEG     Rule by AS: Content-Type: JPEG

meta       AS_090508_PNGSPAM      (AS_090505_CDIS_INLINE && AS_090508_CTYP_PNG)
score      AS_090508_PNGSPAM      0.5
describe   AS_090508_PNGSPAM      Rule by AS: Probably an Inline PNG spam

meta       AS_090508_JPGSPAM      (AS_090505_CDIS_INLINE && AS_090508_CTYP_JPG)
score      AS_090508_JPGSPAM      0.5
describe   AS_090508_JPGSPAM      Rule by AS: Probably an Inline JPEG spam

meta       AS_090508_JPEGSPAM      (AS_090505_CDIS_INLINE && AS_090508_CTYP_JPEG)
score      AS_090508_JPEGSPAM      0.5
describe   AS_090508_JPEGSPAM      Rule by AS: Probably an Inline JPEG spam

meta       LOCAL_BOTNET_JPG    (BOTNET && AS_090508_JPGSPAM)
score      LOCAL_BOTNET_JPG     1.5
describe   LOCAL_BOTNET_JPG     Rule by AS: Probably an Inline JPEG spam

meta       LOCAL_BOTNET_JPEG    (BOTNET && AS_090508_JPEGSPAM)
score      LOCAL_BOTNET_JPEG    1.5
describe   LOCAL_BOTNET_JPEG    Rule by AS: Probably an Inline JPEG spam

The LOCAL_* are mine, adapted to others I found some time ago. I'd be
interested in people's input on these. Can they be simplified? Do you
agree with the scoring?

How about bayes poisoning? The messages also all have random text,
mostly spelled correctly, but nonsensical. If they are trained, could
it adversely affect my bayes db?

Thanks,
Alex
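
An added example, not part of the original post: a small Python model of how the rules above stack on one message, including the case where the unanchored `/inline/` pattern matches an attachment whose filename merely contains "inline". It assumes mimeheader rules hit when any MIME part carries a matching header and that a message's score is the sum of the scores of the rules that hit. The BOTNET result is passed in as a flag with its own score left out, and the sample messages are constructed.

```python
import re
from email import message_from_string

# mimeheader rules from the post: name -> (MIME header, regex, score)
MIMEHEADER = {
    "AS_090505_CDIS_INLINE": ("Content-Disposition", r"inline", 0.5),
    "AS_090508_CTYP_PNG": ("Content-Type", r"image\/png", 0.5),
    "AS_090508_CTYP_JPG": ("Content-Type", r"image\/jpg", 0.5),
    "AS_090508_CTYP_JPEG": ("Content-Type", r"image\/jpeg", 0.5),
}
# meta rules from the post: name -> (rules that must all hit, score)
META = {
    "AS_090508_PNGSPAM": (("AS_090505_CDIS_INLINE", "AS_090508_CTYP_PNG"), 0.5),
    "AS_090508_JPGSPAM": (("AS_090505_CDIS_INLINE", "AS_090508_CTYP_JPG"), 0.5),
    "AS_090508_JPEGSPAM": (("AS_090505_CDIS_INLINE", "AS_090508_CTYP_JPEG"), 0.5),
    "LOCAL_BOTNET_JPG": (("BOTNET", "AS_090508_JPGSPAM"), 1.5),
    "LOCAL_BOTNET_JPEG": (("BOTNET", "AS_090508_JPEGSPAM"), 1.5),
}

def evaluate(raw, botnet=False):
    """Return (set of hit rule names, summed score) for one raw message."""
    parts = list(message_from_string(raw).walk())
    # Assumption: BOTNET is decided elsewhere; its own score is not counted here.
    hits = {"BOTNET"} if botnet else set()
    for name, (header, pattern, _) in MIMEHEADER.items():
        # Unanchored, case-sensitive search over each part's header value.
        if any(re.search(pattern, str(p.get(header, ""))) for p in parts):
            hits.add(name)
    for name, (needs, _) in META.items():  # dict order: dependencies come first
        if all(n in hits for n in needs):
            hits.add(name)
    scores = {n: s for n, (_, _, s) in MIMEHEADER.items()}
    scores.update({n: s for n, (_, s) in META.items()})
    return hits, sum(scores.get(n, 0.0) for n in hits)

def sample(disposition):
    """Constructed message: a random-text part plus one image/jpeg part."""
    return (
        "From: a@example.com\nSubject: test\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\nrandom words here\n"
        "--b1\nContent-Type: image/jpeg\n"
        f"Content-Disposition: {disposition}\n"
        "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n"
    )

if __name__ == "__main__":
    for disp in ("inline", 'attachment; filename="inline_photo.jpg"'):
        print(disp, evaluate(sample(disp), botnet=True))
```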
