IRRITATING SPAM with Graphics

brendanrtg

Smart spammers are beginning to attach their messages with graphics attachments or links to one.

We are getting hundreds a day and SpamAssassin seems helpless against them.

Does anyone have any idea as to how we can tweak pop / sendmail to REJECT emails with attachments?
 

mohit

Filtering all attachment mails is NO GOOD

Hi,
Rejecting all emails with attachments is in fact a bad idea; you should use some spam control method like MailScanner or exiscan to sort this out.

see ya,
mohit
 

chae

I've seen the MailScanner method listed, but what method does (Exim) exiscan use? If it's the RBL for blocking attachments, then doesn't that mean valid users sending email through with their logos embedded etc. get dropped also?
 

ramprage

I noticed these as well, usually stock ones. After reviewing a few of them I found a common attribute that we can probably block with a filter.

The problem is that while most of the messages that include the content=3d are spam, some are not. I guess the best thing might be to create an SA ruleset that checks for this 3D header in the message and increases the score, which should take the score of already spammy-looking messages and give it enough to dump them.

Regular messages that use this should still be low enough to not get dumped, e.g. score below 5.

HTML:
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Diso-8859-2">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1252">
<META content=3D"MSHTML 6.00.2900.2180" name=3DGENERATOR>
<STYLE></STYLE>

<DIV align=3Dcenter><FONT face=3DArial size=3D2><IMG alt=3D""

<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2873" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV align=3Dcenter><FONT face=3DArial size=3D2>
<IMG alt=3D""=20

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1250">
<META content=3D"MSHTML 6.00.2900.2963" name=3DGENERATOR>
<STYLE></STYLE>
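
The body-scoring idea discussed above, as an added example that is not part of any poster's message or of SpamAssassin's own code. `=3D` is the quoted-printable encoding of `=`, so it appears in the raw body of any quoted-printable HTML mail; the check below therefore scores the decoded HTML instead. The two messages, the rule names and the weights are constructed for illustration.

```python
import email
import re
from email import policy

HEADERS = ("From: sender@example.com\nSubject: constructed sample\n"
           "MIME-Version: 1.0\nContent-Type: text/html; charset=us-ascii\n"
           "Content-Transfer-Encoding: quoted-printable\n\n")
GENERATOR = ('<HTML><HEAD>\n'
             '<META content=3D"MSHTML 6.00.2900.2180" name=3DGENERATOR>\n</HEAD>')
# Constructed samples, not real mail: an image-only body and a note with a logo.
IMAGE_ONLY = HEADERS + GENERATOR + (
    '<BODY><DIV align=3Dcenter><IMG alt=3D"" src=3D"cid:img1"></DIV></BODY></HTML>\n')
LOGO_MAIL = HEADERS + GENERATOR + (
    "<BODY><P>Hi Anna, the signed contract is attached. Please check the\n"
    "delivery dates on page two and call me if anything looks wrong.</P>\n"
    '<IMG alt=3D"Company logo" src=3D"cid:logo"></BODY></HTML>\n')

# Hypothetical rule names and weights, chosen for illustration only.
RULES = {"MS_GENERATOR": 0.5, "IMG_EMPTY_ALT": 1.0, "IMG_LITTLE_TEXT": 2.0}

def raw_has_3d(raw):
    """Naive check: literal '=3D' anywhere in the undecoded body."""
    return "=3D" in raw.split("\n\n", 1)[1]

def decoded_html(raw):
    """Return every text/html part with its transfer encoding removed."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk()
            if p.get_content_type() == "text/html"]

def evaluate(raw):
    """Score the decoded HTML; returns (score, sorted rule hits)."""
    hits = set()
    for html in decoded_html(raw):
        words = len(re.sub(r"<[^>]+>", " ", html).split())  # visible text only
        if re.search(r"(?i)<meta[^>]*(MSHTML|Microsoft Word)", html):
            hits.add("MS_GENERATOR")
        if re.search(r'(?i)<img[^>]*\balt=""', html):
            hits.add("IMG_EMPTY_ALT")
        if re.search(r"(?i)<img\b", html) and words < 10:
            hits.add("IMG_LITTLE_TEXT")
    return sum(RULES[h] for h in hits), sorted(hits)

if __name__ == "__main__":
    for name, raw in (("image-only", IMAGE_ONLY), ("logo mail", LOGO_MAIL)):
        print(name, "| raw =3D present:", raw_has_3d(raw), "|", evaluate(raw))
```

Both samples contain `=3D` in the raw body, but only the image-only one collects the image rules, so a mail with ordinary text and an embedded logo stays at a low score.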
 

brendanrtg

So we use SpamAssassin to check the body of the message and add the score?
 

sukil

So we use SpamAssassin to check the body of the message and add the score?
How do we do that? I thought we could only increase/decrease the score of existing rules. Do you mean we can create new rules, or in other words train SpamAssassin to understand this type of new threat?
 

brendanrtg

Kewl

I just added the recommended and got a 2.2 score when emails come with graphical attachments.

For anyone interested, here's the quote:

++++++++++++++++++++++++++++++++++++++++
http://svn.apache.org/viewvc?view=rev&revision=428587

Put both files in /etc/mail/.spamassassin.

Chmod 755 Image*.pm
++++++++++++++++++++++++++++++++++++++++
 

ujr

That is ALL WRONG ... In cPanel boxes,

the conf files (module.cf) for the SpamAssassin modules go in:

/usr/share/spamassassin

these should be chmoded 644, and chowned to root


and the modules (module.pm) go in:

/usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Plugin/

these should be chmoded 444, and chowned to root
 

Rooter

Prerelease SpamAssassin Components

That is ALL WRONG ... In cPanel boxes,

the conf files (module.cf) for the SpamAssassin modules go in:

/usr/share/spamassassin

these should be chmoded 644, and chowned to root


and the modules (module.pm) go in:

/usr/lib/perl5/site_perl/5.8.7/Mail/SpamAssassin/Plugin/

these should be chmoded 444, and chowned to root
On the contrary, I believe the specific source for these two prerelease files intended for them to be loaded in the same directory, and in this case to the best of my knowledge, /etc/mail/spamassassin/ is the best choice until they are officially included in the SpamAssassin distribution.
 

Rooter

Is there any way to uninstall it if it appears to tag legitimate emails also? :eek:
Simply delete both files:
70_imageinfo.cf
ImageInfo.pm
 

Rooter

Fight Image Spam using Prerelease SpamAssassin Rules and Perl Module: ImageInfo

Put both files in /etc/mail/.spamassassin.
Is that .spamassassin or spamassassin? I only have /etc/mail/spamassassin on my server. Also, any clue as to the ownership of the files? Or just chmod will do? :confused:
Yes, it should be:
/etc/mail/spamassassin/

You could either run each of these commands individually:
Code:
cd /etc/mail/spamassassin/
wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/70_imageinfo.cf?view=co" -O"70_imageinfo.cf"
wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/ImageInfo.pm?view=co" -O"ImageInfo.pm"
replace "@@[email protected]@" "/etc/mail/spamassassin" -- 70_imageinfo.cf
Or you could run just this (all of them combined into one line; easier to copy-n-paste):
Code:
cd /etc/mail/spamassassin/ && wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/70_imageinfo.cf?view=co" -O"70_imageinfo.cf" && wget "http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/felicity/ImageInfo.pm?view=co" -O"ImageInfo.pm" && replace "@@[email protected]@" "/etc/mail/spamassassin" -- 70_imageinfo.cf