EmailDiscussions.com  

Old 14 Nov 2006, 09:52 AM   #1
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
Catching image spam

As mentioned elsewhere, I've enabled OCR scanning on about half the incoming emails, which seems to have helped a lot, but there's still quite a few getting through. I'd like to enable the OCR on all emails, but I'm not sure the load can handle it at the moment. I might give it a go tomorrow.

For those looking for a rule to block these emails, I'd recommend something like this. You can use it either as a "Discard" rule or a "File into folder" rule to put them in your Junk Mail folder.

Make sure you set the "Message with" field to "Advanced". Ignore the "That" field. And copy this text exactly as one line and paste it into the "The text" field (it's easiest just to triple click the line to select the whole line for copying).

Code:
allof(not header :contains "X-Spam-known-sender" "yes", header :contains "X-Attached" ".gif", header :contains "Content-Type" "multipart/related", header :contains "X-Spam-hits" "RCVD_NUMERIC_HELO", size :over 10K, size :under 90K)

So this means:
1. If it's not from someone in your address book
2. And it contains a gif attachment
3. And it's a multipart/related email (a type of email with embedded attachments)
4. And it was received from a host that used a numeric HELO string
5. And it's between 10k and 90k in size

Assume it's spam. I think this is a pretty good heuristic at the moment.

Rob

Old 14 Nov 2006, 03:39 PM   #2
newhampshire
Senior Member
 
Join Date: May 2006
Posts: 121
I have just put in this line and asked it to move to Junk and Flag messages, so they can be tracked...to see how it is doing.
Old 15 Nov 2006, 06:12 PM   #3
eggman
Essential Contributor
 
Join Date: Jun 2002
Location: AU
Posts: 471
thanks rob

it's a good idea to give us some rules for things like this. I appreciate it.

Now if we could have a per user graylisting option that would be great - I want aggressive graylisting personally but some don't....

cheers
Old 17 Nov 2006, 12:17 PM   #4
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
Hmmm, I've realised that a lot of the spamming machines don't use numeric IPs, so dropping that requirement, this is probably better:

Code:
allof(not header :contains "X-Spam-known-sender" "yes", header :contains "X-Attached" ".gif", header :contains "Content-Type" "multipart/related", size :over 10K, size :under 90K)
Rob
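
An added example, not part of any post in this thread and not FastMail's code: a Python sketch that evaluates both versions of the rule (post #1 with the `RCVD_NUMERIC_HELO` condition, post #4 without it) against constructed header sets, to show what dropping the HELO test changes. The header names come from the posts; the sample header values, message sizes and function names are assumptions.

```python
from email import message_from_string

KB = 1024  # Sieve's "K" suffix is 1024 bytes

def contains(msg, header, needle):
    """Sieve `header :contains`: case-insensitive substring, any header instance."""
    return any(needle.lower() in v.lower() for v in msg.get_all(header, []))

def image_spam(msg, size, require_numeric_helo):
    """The allof(...) test from the thread; post #4 drops the HELO condition."""
    tests = [
        not contains(msg, "X-Spam-known-sender", "yes"),
        contains(msg, "X-Attached", ".gif"),
        contains(msg, "Content-Type", "multipart/related"),
        10 * KB < size < 90 * KB,  # size :over 10K, size :under 90K (both strict)
    ]
    if require_numeric_helo:
        tests.append(contains(msg, "X-Spam-hits", "RCVD_NUMERIC_HELO"))
    return all(tests)

def sample(known, attached, ctype, hits):
    """Build a constructed header block; values are illustrative, not real mail."""
    return (f"X-Spam-known-sender: {known}\nX-Attached: {attached}\n"
            f"Content-Type: {ctype}\nX-Spam-hits: {hits}\n\n")

RELATED = 'multipart/related; boundary="b1"'
# Constructed samples: (headers, assumed total message size in bytes).
SAMPLES = {
    "numeric_helo": (sample("no", "stock.gif", RELATED, "RCVD_NUMERIC_HELO 1.5"), 24 * KB),
    "named_helo": (sample("no", "pic.gif", RELATED, "HTML_MESSAGE 0.0"), 31 * KB),
    "address_book": (sample("yes", "cat.gif", RELATED, "HTML_MESSAGE 0.0"), 40 * KB),
    "large_gif": (sample("no", "scan.gif", RELATED, "RCVD_NUMERIC_HELO 1.5"), 200 * KB),
    "jpeg_only": (sample("no", "photo.jpg", RELATED, "RCVD_NUMERIC_HELO 1.5"), 30 * KB),
}

def classify(require_numeric_helo):
    """Map sample name -> True if the rule would discard or file the message."""
    return {name: image_spam(message_from_string(raw), size, require_numeric_helo)
            for name, (raw, size) in SAMPLES.items()}

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:14} post#1={classify(True)[name]!s:5} post#4={classify(False)[name]}")
```

Any sender outside the address book whose mail carries an inline GIF in that size range matches the post #4 version, so running it as "File into folder" first shows the false-positive rate before switching to "Discard".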
Old 17 Nov 2006, 08:50 PM   #5
sflorack
The "e" in e-mail
 
Join Date: Feb 2002
Posts: 2,937
How do I put that smiley in sieve?
Old 17 Nov 2006, 09:52 PM   #6
hadaso
The "e" in e-mail
 
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,837
Like this:

Code:
allof(not header :contains "X-Spam-known-sender" "yes", header :contains "X-Attached" ".gif", header :contains "Content-Type" "multipart/related", size :over 10K, size :under 90K)
(quoted and then checked "Disable Smilies in This Post" before posting.)
Old 17 Nov 2006, 10:31 PM   #7
apl
Senior Member
 
Join Date: Apr 2006
Location: London, England
Posts: 166
Re: Catching image spam

Quote:
Originally posted by robmueller
As mentioned elsewhere, I've enabled OCR scanning on about half the incoming emails, which seems to have helped a lot, but there's still quite a few getting through. I'd like to enable the OCR on all emails, but I'm not sure the load can handle it at the moment. I might give it a go tomorrow.

Hi Rob,

FYI I've just seen a new twist on the GIF based emails that has managed to slip through the system we use at work.

The background of the image is made up of random coloured shapes with the text over it. The baseline of the text is randomly moved up or down so it looks like it's set on a wave. Some of the lines touch the one above or below but don't overlap.

I guess it's an attempt to defeat an OCR scanner. MessageLabs gave it a spam score of 0.

I've still got a copy if you want any info.

Regards Alan
Old 17 Nov 2006, 11:20 PM   #8
Daniel S
Guest
 
Posts: n/a
or like this
Code:
:over
http://www.emaildiscussions.com/...threadid=24768
Old 17 Nov 2006, 11:36 PM   #9
DrStrabismus
The "e" in e-mail
 
Join Date: May 2002
Posts: 2,804
Re: Re: Catching image spam

Quote:
Originally posted by apl
The background of the image is made up of random coloured shapes with the text over it. The baseline of the text is randomly moved up or down so it looks like it's set on a wave. Some of the lines touch the one above or below but don't overlap.

I've heard some use animated gifs where each individual frame is illegible even to a human viewer.

I wouldn't really expect the FuzzyOCR plugin to be successful for long. It's based on gocr which was never intended for this kind of thing.
Old 21 Nov 2006, 08:30 AM   #10
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
apl: Is it like this one: http://www.iwayafrica.com/piously.gif

It's already been reported on the FuzzyOCR mailing list.

DrStrabismus: FuzzyOCR can also use ocrad. I've been subscribed to the mailing list for a month now, and apparently most people think ocrad is much better. I'm planning on trying it shortly.

Rob
Old 21 Nov 2006, 08:50 AM   #11
apl
Senior Member
 
Join Date: Apr 2006
Location: London, England
Posts: 166
Quote:
Originally posted by robmueller
apl: Is it like this one: http://www.iwayafrica.com/piously.gif

It's already been reported on the FuzzyOCR mailing list.

Hi Rob,

Yes, it's close enough, the coloured shapes are much larger though.

I'd not seen anything like it until a few days ago when I first posted the message here. The ones I mostly get are text over 'hairy' backgrounds, they look like scratches.

Regards Alan
Old 21 Nov 2006, 09:06 AM   #12
DrStrabismus
The "e" in e-mail
 
Join Date: May 2002
Posts: 2,804
The thing is that these projects are for conventional character recognition. For them to remain effective they will have to become antispam projects.
Old 21 Nov 2006, 11:26 AM   #13
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
You're probably right. It depends how good they are in the average sense and just pulling information from a page. My guess is that the worst would be something like using outline or shadow fonts. People can probably read that easily but it's hard for machines. On the other hand, I have no idea. Even the best captcha type systems can apparently now be broken. And at some point, with captcha systems you have to concentrate on the actual text to transcribe it, how worthwhile is a spam people actually have to concentrate on?

Anyway, I'd prefer to see more efforts at fixing the root of the problem, which is mostly zombie bot infected Windows machines with spam sending trojans on them.

The main things I see are:

1. I think ISPs should block port 25 connections. To be honest, I see little reason for most users to require outgoing port 25 connections. Most real email providers have alternate ports, or you should use SSL ports.
2. ISPs/users should have proper forward and reverse DNS on their machines. If everyone had proper DNS, it would at least make identifying the source of emails easier.
3. Users shouldn't be such idiots. Sorry, who are all these people that clearly install and click on things that install this malware crap? You wouldn't stick random crap someone at a road stall is selling into the oil sump/transmission fluid of your automobile, so why do people do it on their computers?
4. Microsoft should have got off their *** ages back and locked down Windows more. The default user should never have been privileged. I can't believe it's only Vista that's going to fix this. On the other hand, let's see in 2 years' time how many compromised Vista machines there are, maybe there's just too many holes that let this stuff onto a person's machine.

Just some random thoughts...

Rob
Old 22 Nov 2006, 01:21 AM   #14
JRobert
Master of the @
 
Join Date: Feb 2004
Location: New Hampshire, USA
Posts: 1,561
Quote:
Originally posted by robmueller
1. I think ISPs should block port 25 connections. To be honest, I see little reason for most users to require outgoing port 25 connections. Most real email providers have alternate ports, or you should use SSL ports.

I assume you are referring to incoming port 25? Authenticating or blocking incoming port 25 makes sense because it keeps strangers off your SMTP server. Authenticating instead of blocking allows the ISP's customers to use it from the net.

But blocking outgoing port 25 - as it has become common to do - doesn't protect anyone as near as I can tell. It just keeps the ISP's customers from using someone else's SMTP server to which they might have legitimate access - such as I have to mail.messagingengine.com, for instance.

-jeff-
Old 24 Nov 2006, 08:21 AM   #15
robmueller
Intergalactic Postmaster
 
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102

Representative of:
Fastmail.FM
I do mean block outgoing.

Yes, that would affect the average person trying to send via port 25 to us, but any real email provider will provide alternate ports to port 25, most notably an SSL 465 port or an official SMTP submission 587 port.

Rob
All times are GMT +9. The time now is 05:01 PM.