IRRITATING SPAM with Graphics

[brendanrtg]

Snart spammers are beginning to attach their messages with graphics attachments or links to one.

We are getting hundreds a day and spam assassin seems helpless against them.

Anyone has any idea as to how we can tweak pop / sendmail to REJECT emails with attachments?

 

[mohit]

Filtering all attachment mails in NO GOOD

hi,
rejecting all emails with attachment is infact a bad idea, you should use some spam control method like mailscanner or exiscan to sort this out.

see ya,
mohit

 

[chae]

I've seen the Mailscanner method listed but what method does (Exim) exiscan use ??? If it's the RBL for blocking attachements then doesn't that mean if valid users sending email through with their logo's embedded etc get dropped also ?

 

[ramprage]

I noticed these as well, usually stock ones. After reviewing a few of them I found a common attribute that we can probably block with a filter.

The problem is that while most of the messages that include the content=3d are spam, some are not. I guess the best thing might be to create a SA ruleset, that checks for this 3D header in the message and increases the score which should already take spammy looking messages score and give it enough to dump them.

Regular messages that use this should still be low enough to not get dumped - eg score below 5.

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Diso-8859-2">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1252">
<META content=3D"MSHTML 6.00.2900.2180" name=3DGENERATOR>
<STYLE></STYLE>

<DIV align=3Dcenter><FONT face=3DArial size=3D2><IMG alt=3D""





<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">




<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2873" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV align=3Dcenter><FONT face=3DArial size=3D2>
<IMG alt=3D""=20




<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>

 

[brendanrtg]

So we use spam assassin to check the BODy of the message and add the score?

 

[sukil]

So we use spam assassin to check the BODy of the message and add the score?

How do we do that? I thought we can only increase/decrease score of existing rules. Do you mean we can create new rules or in other words train spamassassin to understand this type of new threat?

 

[mambovince]

I suppose you guys have seent his post, or rather, the reply:

http://forums.cpanel.net/showthread.php?t=60174

- Vince

 

[brendanrtg]

Kewl

I just added the recommended and got a 2.2 score when emails comes with graphical attachments.

Anyone interested, here's the quote:

++++++++++++++++++++++++++++++++++++++++
http://svn.apache.org/viewvc?view=rev&revision=428587

Put both files in /etc/mail/.spamassassin.

Chmod 755 Image*.pm
++++++++++++++++++++++++++++++++++++++++

 

[sukil]

Put both files in /etc/mail/.spamassassin.
QUOTE]

Is that .spamassassin or spamassassin? I only have /etc/mail/spamassassin on my server. Also, any clue as to the ownership of the files? Or just chmod will do?

 

[ujr]

That is ALL WRONG ... In CPanel boxes,

the conf files (module.cf) for the spamassassin modules goes in :

/usr/share/spamassassin

these should be chmoded 644, and chowned to root


and the modules (module.pm) go in:

/usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Plugin/

these should be chmoded 444, and chowned to root

 

[Rooter]

Prerelease SpamAssassin Components

That is ALL WRONG ... In CPanel boxes,

the conf files (module.cf) for the spamassassin modules goes in :

/usr/share/spamassassin

these should be chmoded 644, and chowned to root


and the modules (module.pm) go in:

/usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Plugin/

these should be chmoded 444, and chowned to root

On the contrary, I believe the specific source for these two prerelease files intended for them to be loaded in the same directory, and in this case to the best of my knowledge, /etc/mail/spamassassin/ is the best choice until they are officially included in the SpamAssassin distribution.

 

[sukil]

Is there any way to uninstall it if it appears to tag legitimate emails also?

 

[Rooter]

Is there any way to uninstall it if it appears to tag legitimate emails also?

Simply delete both files:
70_imageinfo.cf
ImageInfo.pm

 

[Rooter]

Fight Image Spam using Prerelease SpamAssassin Rules and Perl Module: ImageInfo

Put both files in /etc/mail/.spamassassin.

Is that .spamassassin or spamassassin? I only have /etc/mail/spamassassin on my server. Also, any clue as to the ownership of the files? Or just chmod will do?

Yes, it should be:
/etc/mail/spamassassin/

You could either run each of these commands individually:

cd /etc/mail/spamassassin/
wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/70_imageinfo.cf?view=co" -O"70_imageinfo.cf"
wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/ImageInfo.pm?view=co" -O"ImageInfo.pm"
replace "@@LOCAL_RULES_DIR@@" "/etc/mail/spamassassin" -- 70_imageinfo.cf

Or you could run just this (all of them combined into one line; easier to copy-n-paste):

/etc/mail/spamassassin/;wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/70_imageinfo.cf?view=co" -O"70_imageinfo.cf"; wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/ImageInfo.pm?view=co" -O"ImageInfo.pm"; replace "@@LOCAL_RULES_DIR@@" "/etc/mail/spamassassin" -- 70_imageinfo.cf