daveg
Joined: 06 Aug 2006 Posts: 8 Location: Sarasota, FL, US
Posted: Wed Oct 04, 2006 7:22 pm Post subject: Multipart spams with .gif as message |
I receive large numbers of 'Pump & Dump' multipart spam messages, which consist of an html part which is all word-salad, and a .gif part, which is an image of the actual spam message. I see that the default blacklist contains a rule to kill all messages with inline images, but that rule is, by default, disabled.
I haven't tried it, but I imagine that enabling this rule would solve the problem, but it would also kill quite a bit of legitimate mail. I would think I could write a rule to check the Content-Type: header for 'Image/gif', but I receive mail from folks who use Incredimail (ugh!), which is always loaded with .gifs.
Bottom line: Looking for rule/ruleset suggestions to get rid of these troublesome messages in which the spammer's message is displayed as a .gif. Any enlightenment appreciated...
JimKyle
Joined: 07 Aug 2006 Posts: 16 Location: Oklahoma City, OK, USA
Posted: Thu Oct 05, 2006 2:16 am Post subject: |
I simply trained the Sniper on several dozen such messages without worrying about writing any special rules. It now classifies them as spam and gives as the reason "spammy attachment" so it has apparently learned that a message with little coherence that's accompanied by a single GIF or JPG file is one of these...
daveg
Joined: 06 Aug 2006 Posts: 8 Location: Sarasota, FL, US
Posted: Thu Oct 05, 2006 10:18 am Post subject: |
JimKyle wrote: | I simply trained the Sniper on several dozen such messages without worrying about writing any special rules. It now classifies them as spam and gives as the reason "spammy attachment" so it has apparently learned that a message with little coherence that's accompanied by a single GIF or JPG file is one of these... |
Thanks for your reply, Jim. Makes me wonder what the difference is between your setup and mine, because I receive a couple of hundred of these things per week, and the system has been trained on every one of them. But it resolutely refuses to classify them as spam! I've been back over my configuration many times to see whether I've caused the problem, and have reverted to the default rule set that came with ASS, to no avail.
I make no claim to knowing the inner workings of ASS, but it would seem to me that since the actual spam message is not text, but a .gif image of text, it has no way to train on that part of the email. It can, of course, train on the word-salad, coherent or not, but that doesn't seem to do much good. At least not here.
Hmmm...
vetaltm Author
Joined: 05 Feb 2006 Posts: 748
Posted: Fri Oct 06, 2006 1:46 am Post subject: Re: Multipart spams with .gif as message |
daveg wrote: | I receive large numbers of 'Pump & Dump' multipart spam messages. |
The messages with an image and a piece of machine-generated text are classified with good probability if they contain some unique words that are rarely met in normal messages. It seems that the plug-in was trained on good messages containing the same set of words, and that is the reason why the filter cannot differentiate that spam. The current version of the classification algorithm cannot differentiate messages having the same words in a different order. But there are several methods implemented as a workaround in such cases:
- The plug-in calculates the checksums for the spammy attachments. The messages with similar attachments will be recognized as spam independently from the other contents.
- The messages with inline images may be blocked with the black rule:
Body =~ src="?cid:
If you have sometimes good mail with the pictures, then go to Exceptions dialog and add there some items to a list of white extensions - gif, jpg, png etc. Also you can set there the minimum size for good pictures, e.g. 20K. In this case the plug-in will block most of emails with the small inline images. The messages containing images will be marked as good in the following cases:
- The messages from friends with images of any size.
- The messages containing the pictures from Exceptions list, larger than the specified minimum in size.
- The messages with the pictures sent as usual attachments (with no links to attached image from message body).
(As it turned out, the minimum size of attachment in Exceptions is not updated correctly and always reverts to 10K after restarting TheBat. Here is the latest build that is free from this bug:
http://dl.antispamsniper.com/download/1.6.8/sniper-en.exe
It is a pre-release with several additional changes. There are no new features in it, just a few bugfixes and several updates for increasing the overall performance.)
- The methods for blocking spam by headers are helpful in case of messages with images only. If DNSBL checking doesn't identify the spam by source IP, then the message can be classified as spam by black words in subject. A list of black words is empty by default, but it can be filled up automatically, during training the plug-in on saved spam. Also you can download the predefined list of spammy keywords and import it in the Black keywords dialog: http://antispamsniper.com/misc/black_words.txt
(After importing please try to classify your saved good emails to make sure that the list doesn't contain the keywords that may appear in good emails)
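
Added example, not part of the original thread and not AntispamSniper's own code: a Python sketch of the image checks described in the post above (attachment checksum, the `src="?cid:` black rule, and the friend / white-extension / minimum-size exceptions). The names `classify` and `build_sample`, the order of the checks, the use of SHA-256 as the checksum, and the sample addresses and image bytes are all assumptions made for illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

INLINE_RULE = re.compile(r'src="?cid:', re.I)  # the black rule quoted above

def classify(raw, friends, white_ext, min_size, spam_sums):
    """Return (verdict, reason); the order of the checks is an assumption."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg["From"] or ""))[1].lower()
    images = [p for p in msg.walk() if p.get_content_maintype() == "image"]
    # 1. Checksum (SHA-256 stands in for the plug-in's unspecified algorithm).
    for part in images:
        if hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest() in spam_sums:
            return "spam", "spammy attachment"
    # 2. Black rule on the HTML body; no cid: link means an ordinary attachment.
    html = "".join(p.get_content() for p in msg.walk()
                   if p.get_content_type() == "text/html")
    if not INLINE_RULE.search(html):
        return "good", "no inline image"
    # 3. Exceptions: friends, or white extensions at or above the minimum size.
    if sender in friends:
        return "good", "friend"
    def allowed(part):
        ext = (part.get_filename() or "").lower().rsplit(".", 1)[-1]
        return ext in white_ext and len(part.get_payload(decode=True) or b"") >= min_size
    if images and all(allowed(p) for p in images):
        return "good", "picture in exceptions"
    return "spam", "inline image"

def build_sample(sender, image, inline=True):
    """Constructed message: word-salad text/HTML plus one GIF part."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, "constructed sample"
    msg.set_content("quartz lantern meadow seventeen")
    if inline:  # image referenced from the HTML body through a cid: link
        msg.add_alternative('<p>quartz lantern</p><img src="cid:pic1">', subtype="html")
        msg.get_payload()[1].add_related(image, maintype="image", subtype="gif",
                                         cid="<pic1>", filename="a.gif")
    else:       # same image sent as a regular attachment, not linked from the body
        msg.add_alternative("<p>see attached</p>", subtype="html")
        msg.add_attachment(image, maintype="image", subtype="gif", filename="a.gif")
    return msg.as_bytes()

if __name__ == "__main__":
    small = b"GIF89a" + bytes(100)  # constructed stand-in for a small spam image
    print(classify(build_sample("stranger@example.com", small), set(), {"gif"}, 20 * 1024, set()))
```

With a 20K minimum, the small inline GIF from an unknown sender is blocked, while the same bytes sent as a regular attachment pass unless their checksum is already in the spam set.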