Re: [PLUG] Graphic spam

Art Alexion <art.alexion@verizon.net> · Sat, 5 Aug 2006 09:16:06 -0400

On Friday 04 August 2006 15:48, TuskenTower wrote:
> On 8/4/06, Art Alexion <art.alexion@verizon.net> wrote:
> > I have been getting a lot of spam lately that is very clever at evading
> > filters.  The message text is random, so spamassassin and bogofilter
> > can't see a pattern.  The actual spam solicitation is contained in a
> > floating graphic -- touting the same stock, but binarily (?) different.
> >
> > I figured the best way to filter it is to find out what is common and
> > create a manual filter to catch it.
> >
> > diff came to mind as to how to find differences in the messages, but is
> > there a corollary command for detecting common lines?
>
> Art,
>   Check out this Mac Mail.app specific article
> http://www.hawkwings.net/2006/08/01/mailapp-rule-fix-for-image-spam .
> The key part is that most of these graphic spam emails contain a
> "Content-Type" header with a vlaue of "multipart/related".

That seems to do it except that one of the mac mail tests is "sender is not a 
previous recipient" using kmail.  This is supposed to minimize false 
positives because the <From> header is always unique.

Thanks for the tip.  For now, I've defined a filter that uses the tests
<any header> contains multipart/related
and
<From> is not in my address book
and that seems to be working.
I have the filter flagging the emails and sending them to a Junk folder.  I'll 
watch the flags for false positives.

Thanks again.
-- 

_____________________________________________________________
Art Alexion
Arthur S. Alexion LLC

PGP fingerprint: 52A4 B10C AA73 096F A661  92D2 3B65 8EAC ACC5 BA7A
The attachment - signature.asc - is my electronic signature; no need for 
alarm.
Info @ 
http://mysite.verizon.net/art.alexion/encryption/signature.asc.what.html
_____________________________________________________________