The Community Forums


IRRITATING SPAM with Graphics

Discussion in 'General Discussion' started by brendanrtg, Nov 8, 2006.

  1. brendanrtg

    brendanrtg Well-Known Member

    Joined:
    Oct 4, 2006
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Smart spammers are beginning to send their messages with graphics attachments or links to one.

    We are getting hundreds a day and SpamAssassin seems helpless against them.

    Does anyone have any idea how we can tweak pop / sendmail to REJECT emails with attachments?
     
  2. mohit

    mohit Well-Known Member

    Joined:
    Jul 12, 2005
    Messages:
    553
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Sticky On Internet
    Filtering all attachment mails is NO GOOD

    hi,
    Rejecting all emails with attachments is in fact a bad idea; you should use some spam control method like MailScanner or exiscan to sort this out.

    see ya,
    mohit
     
  3. chae

    chae Well-Known Member

    Joined:
    Apr 19, 2003
    Messages:
    145
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Auckland, New Zealand
    I've seen the MailScanner method listed, but what method does (Exim) exiscan use? If it's the RBL for blocking attachments, then doesn't that mean that valid users sending email through with their logos embedded etc. get dropped also?
     
  4. ramprage

    ramprage Well-Known Member

    Joined:
    Jul 21, 2002
    Messages:
    667
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Canada
    I noticed these as well, usually stock ones. After reviewing a few of them I found a common attribute that we can probably block with a filter.

    The problem is that while most of the messages that include the content=3d are spam, some are not. I guess the best thing might be to create an SA ruleset that checks for this 3D header in the message and increases the score, which should take an already spammy-looking message's score and give it enough to dump it.

    Regular messages that use this should still be low enough to not get dumped - eg score below 5.

    HTML:
    <head>
    <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Diso-8859-2">
    <meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
    
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; =
    charset=3Dwindows-1252">
    <META content=3D"MSHTML 6.00.2900.2180" name=3DGENERATOR>
    <STYLE></STYLE>
    
    <DIV align=3Dcenter><FONT face=3DArial size=3D2><IMG alt=3D""
    
    
    
    
    
    <META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
    charset=3Dus-ascii">
    <meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
    
    
    
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; =
    charset=3Dwindows-1250">
    <META content=3D"MSHTML 6.00.2900.2873" name=3DGENERATOR>
    <STYLE></STYLE>
    </HEAD>
    <BODY bgColor=3D#ffffff>
    <DIV align=3Dcenter><FONT face=3DArial size=3D2>
    <IMG alt=3D""=20
    
    
    
    
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=3DContent-Type content=3D"text/html; =
    charset=3Dwindows-1250">
    <META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
    <STYLE></STYLE>
    
    
    
     
  5. brendanrtg

    brendanrtg Well-Known Member

    Joined:
    Oct 4, 2006
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    So we use SpamAssassin to check the BODY of the message and add the score?
     
  6. sukil

    sukil Member

    Joined:
    Nov 15, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    How do we do that? I thought we can only increase/decrease score of existing rules. Do you mean we can create new rules or in other words train spamassassin to understand this type of new threat?
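The `=3D` in the samples from post 4 is the quoted-printable encoding of `=`, so it exists only in the raw, still-encoded message and is present in legitimate quoted-printable HTML mail as well. The added example below (not from the thread; the rule weight and base scores are assumed values, and the fragments are constructed from the quoted samples) shows the raw match, its disappearance after decoding, and the additive scoring against the threshold of 5.

```python
import quopri
import re

THRESHOLD = 5.0   # "score below 5" from the thread
RULE_SCORE = 2.0  # assumed weight for the added rule

# Constructed fragments modelled on the samples quoted in the thread.
SPAM_PART = (
    '<META http-equiv=3DContent-Type content=3D"text/html; =\n'
    'charset=3Dwindows-1250">\n'
    '<META content=3D"MSHTML 6.00.2900.2873" name=3DGENERATOR>\n'
    '<DIV align=3Dcenter><FONT face=3DArial size=3D2>\n'
    '<IMG alt=3D""=20\n'
)
LEGIT_PART = (
    '<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">\n'
    '<p>Minutes of Tuesday=27s meeting are attached.</p>\n'
)

def decode_part(raw):
    """Undo quoted-printable: '=3D' becomes '=', '=' at end of line joins lines."""
    return quopri.decodestring(raw.encode("ascii")).decode("latin-1")

def rule_hits(raw):
    """The check proposed in the thread, applied to the still-encoded text."""
    return "=3D" in raw

def generator(raw):
    """Return the decoded Generator meta value, or None."""
    for tag in re.findall(r"<meta\b[^>]*>", decode_part(raw), re.I):
        if re.search(r'\bname\s*=\s*"?generator\b', tag, re.I):
            found = re.search(r'\bcontent\s*=\s*"([^"]*)"', tag, re.I)
            return found.group(1) if found else None
    return None

def is_spam(base_score, raw):
    """Add RULE_SCORE to the score from all other rules, then compare."""
    return base_score + (RULE_SCORE if rule_hits(raw) else 0.0) >= THRESHOLD

if __name__ == "__main__":
    for label, base, part in (("spam", 3.5, SPAM_PART), ("legit", 1.0, LEGIT_PART)):
        print(label, rule_hits(part), "=3D" in decode_part(part),
              generator(part), is_spam(base, part))
```

Because the marker is gone after decoding, a check like this only fires when it is run against the undecoded message text.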
     
  7. mambovince

    mambovince Well-Known Member

    Joined:
    Jan 15, 2005
    Messages:
    192
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    London, UK
  8. brendanrtg

    brendanrtg Well-Known Member

    Joined:
    Oct 4, 2006
    Messages:
    311
    Likes Received:
    0
    Trophy Points:
    16
    Kewl

    I just added the recommended and got a 2.2 score when an email comes with graphical attachments.

    Anyone interested, here's the quote:

    ++++++++++++++++++++++++++++++++++++++++
    http://svn.apache.org/viewvc?view=rev&revision=428587

    Put both files in /etc/mail/.spamassassin.

    Chmod 755 Image*.pm
    ++++++++++++++++++++++++++++++++++++++++
     
  9. sukil

    sukil Member

    Joined:
    Nov 15, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
     
    #9 sukil, Nov 13, 2006
    Last edited: Nov 13, 2006
  10. ujr

    ujr Well-Known Member

    Joined:
    Mar 19, 2004
    Messages:
    290
    Likes Received:
    0
    Trophy Points:
    16
    That is ALL WRONG ... On cPanel boxes,

    the conf files (module.cf) for the SpamAssassin modules go in:

    /usr/share/spamassassin

    these should be chmoded 644, and chowned to root


    and the modules (module.pm) go in:

    /usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Plugin/

    these should be chmoded 444, and chowned to root
     
  11. Rooter

    Rooter Well-Known Member

    Joined:
    Apr 23, 2003
    Messages:
    146
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    Root Administrator
    Prerelease SpamAssassin Components

    On the contrary, I believe the specific source for these two prerelease files intended for them to be loaded in the same directory, and in this case to the best of my knowledge, /etc/mail/spamassassin/ is the best choice until they are officially included in the SpamAssassin distribution.
     
    #11 Rooter, Nov 13, 2006
    Last edited: Nov 13, 2006
  12. sukil

    sukil Member

    Joined:
    Nov 15, 2005
    Messages:
    24
    Likes Received:
    0
    Trophy Points:
    1
    Is there any way to uninstall it if it appears to tag legitimate emails also? :eek:
     
  13. Rooter

    Rooter Well-Known Member

    Joined:
    Apr 23, 2003
    Messages:
    146
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    Root Administrator
    Simply delete both files:
    70_imageinfo.cf
    ImageInfo.pm
     
  14. Rooter

    Rooter Well-Known Member

    Joined:
    Apr 23, 2003
    Messages:
    146
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Houston, Texas, U.S.A.
    cPanel Access Level:
    Root Administrator
    Fight Image Spam using Prerelease SpamAssassin Rules and Perl Module: ImageInfo

    Yes, it should be:
    /etc/mail/spamassassin/

    You could either run each of these commands individually:
    Code:
    cd /etc/mail/spamassassin/
    wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/70_imageinfo.cf?view=co" -O"70_imageinfo.cf"
    wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/ImageInfo.pm?view=co" -O"ImageInfo.pm"
    replace "@@LOCAL_RULES_DIR@@" "/etc/mail/spamassassin" -- 70_imageinfo.cf
    Or you could run just this (all of them combined into one line; easier to copy-n-paste):
    Code:
    cd /etc/mail/spamassassin/; wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/70_imageinfo.cf?view=co" -O"70_imageinfo.cf"; wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/ImageInfo.pm?view=co" -O"ImageInfo.pm"; replace "@@LOCAL_RULES_DIR@@" "/etc/mail/spamassassin" -- 70_imageinfo.cf
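The commands above fetch two files from a trunk sandbox over plain HTTP and place a Perl module where SpamAssassin will load it, so what gets installed is whatever the URL serves that day. An added example (not from the thread or the SpamAssassin project), written in Python rather than shell so the checks are explicit: it installs the pair only when both match SHA-256 digests recorded at review time, applies the `@@LOCAL_RULES_DIR@@` substitution, and sets the 644/444 modes given earlier in the thread. The `pinned` digests and the staging directory are assumptions, and the demo files are constructed stand-ins.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Modes taken from the thread: 644 for the rules file, 444 for the module.
MODES = {"70_imageinfo.cf": 0o644, "ImageInfo.pm": 0o444}

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def install_verified(staging, dest, pinned):
    """Copy both files from staging to dest only if every digest matches.

    `pinned` maps file name -> SHA-256 recorded when the files were reviewed
    (hypothetical input; the thread publishes no digests).
    """
    staging, dest = Path(staging), Path(dest)
    bad = [n for n in MODES
           if not (staging / n).is_file() or sha256_of(staging / n) != pinned.get(n)]
    if bad:
        raise ValueError("digest mismatch, nothing installed: " + ", ".join(bad))
    for name, mode in MODES.items():
        text = (staging / name).read_text()
        if name.endswith(".cf"):
            # Same substitution the thread performs with `replace`.
            text = text.replace("@@LOCAL_RULES_DIR@@", str(dest))
        tmp = dest / (name + ".new")
        tmp.write_text(text)
        os.chmod(tmp, mode)
        os.replace(tmp, dest / name)  # swap into place in one step
    return sorted(MODES)

def stage_constructed(staging):
    """Write constructed stand-ins for the two downloads and return their pins."""
    files = {
        "70_imageinfo.cf": "loadplugin Mail::SpamAssassin::Plugin::ImageInfo "
                           "@@LOCAL_RULES_DIR@@/ImageInfo.pm\n",
        "ImageInfo.pm": "package Mail::SpamAssassin::Plugin::ImageInfo;\n1;\n",
    }
    for name, body in files.items():
        (Path(staging) / name).write_text(body)
    return {name: sha256_of(Path(staging) / name) for name in files}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as stage, tempfile.TemporaryDirectory() as dest:
        pins = stage_constructed(stage)
        print(install_verified(stage, dest, pins))
```

Running `spamassassin --lint` after the install checks that the rules parse before the filter picks them up.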
     