FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc. |
14 Nov 2006, 09:52 AM | #1 |
Intergalactic Postmaster
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102
Representative of:
Fastmail.FM |
Catching image spam
As mentioned elsewhere, I've enabled OCR scanning on about half the incoming emails, which seems to have helped a lot, but there's still quite a few getting through. I'd like to enable the OCR on all emails, but I'm not sure the load can handle it at the moment. I might give it a go tomorrow.
For those looking for a rule to block these emails, I'd recommend something like this. You can use it either as a "Discard" rule or a "File into folder" rule to put them in your Junk Mail folder. Make sure you set the "Message with" field to "Advanced". Ignore the "That" field. And copy this text exactly as one line and paste it into the "The text" field (it's easiest just to triple click the line to select the whole line for copying).
Code:
allof(not header :contains "X-Spam-known-sender" "yes", header :contains "X-Attached" ".gif", header :contains "Content-Type" "multipart/related", header :contains "X-Spam-hits" "RCVD_NUMERIC_HELO", size :over 10K, size :under 90K)
1. If it's not from someone in your address book
2. And it contains a gif attachment
3. And it's a multipart/related email (a type of email with embedded attachments)
4. And it was received from a host that used a numeric HELO string
5. And it's between 10k and 90k in size
Assume it's spam. I think this is a pretty good heuristic at the moment.
Rob |
14 Nov 2006, 03:39 PM | #2 |
Senior Member
Join Date: May 2006
Posts: 121
|
I have just put in this line and asked it to move to Junk and Flag messages, so they can be tracked...to see how it is doing.
|
15 Nov 2006, 06:12 PM | #3 |
Essential Contributor
Join Date: Jun 2002
Location: AU
Posts: 471
|
thanks rob
it's a good idea to give us some rules for things like this. I appreciate it. Now if we could have a per user graylisting option that would be great - I want aggressive graylisting personally but some don't.... cheers |
17 Nov 2006, 12:17 PM | #4 |
Intergalactic Postmaster
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102
Representative of:
Fastmail.FM |
Hmmm, I've realised that a lot of the spamming machines don't use numeric IPs, so dropping that requirement, this is probably better:
Code:
allof(not header :contains "X-Spam-known-sender" "yes", header :contains "X-Attached" ".gif", header :contains "Content-Type" "multipart/related", size :over 10K, size :under 90K) |
17 Nov 2006, 08:50 PM | #5 |
The "e" in e-mail
Join Date: Feb 2002
Posts: 2,937
|
How do I put that smiley in sieve?
|
17 Nov 2006, 09:52 PM | #6 |
The "e" in e-mail
Join Date: Oct 2002
Location: Holon, Israel.
Posts: 4,837
|
Like this:
Code:
allof(not header :contains "X-Spam-known-sender" "yes", header :contains "X-Attached" ".gif", header :contains "Content-Type" "multipart/related", size :over 10K, size :under 90K) |
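An added example, not code from the thread or from FastMail: the same allof(...) condition evaluated in Python over constructed messages, showing how dropping the RCVD_NUMERIC_HELO test (post #4) widens what the rule catches while the address-book and size tests still hold. The function names, the sample addresses and the value formats of the X-Attached and X-Spam-hits headers are assumptions.

```python
from email import message_from_bytes
from email.message import EmailMessage

KB = 1024  # Sieve's "K" size suffix means 1024 octets


def matches_image_spam_rule(raw: bytes, require_numeric_helo: bool = False) -> bool:
    """Evaluate the thread's allof(...) condition against one raw message.

    require_numeric_helo=True is the first rule (post #1); False is the
    relaxed rule from post #4.
    """
    msg = message_from_bytes(raw)

    def contains(header: str, needle: str) -> bool:
        # Sieve ':contains' with the default comparator is a
        # case-insensitive substring match on any instance of the header.
        return any(needle.lower() in str(value).lower()
                   for value in msg.get_all(header, []))

    tests = [
        not contains("X-Spam-known-sender", "yes"),     # not in address book
        contains("X-Attached", ".gif"),                 # has a GIF attachment
        contains("Content-Type", "multipart/related"),  # embedded-image layout
        10 * KB < len(raw) < 90 * KB,                   # size :over / :under
    ]
    if require_numeric_helo:
        tests.append(contains("X-Spam-hits", "RCVD_NUMERIC_HELO"))
    return all(tests)


def build_sample(gif_size: int, known_sender: bool = False,
                 hits: str = "HTML_MESSAGE 0.001") -> bytes:
    """Constructed test message; the X-* header values are assumed formats."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content('<html><img src="cid:img1"></html>', subtype="html")
    # add_related() turns the message into multipart/related with an inline GIF
    msg.add_related(b"GIF89a" + bytes(gif_size), maintype="image",
                    subtype="gif", cid="<img1>")
    msg["X-Attached"] = "image.gif"
    msg["X-Spam-hits"] = hits
    if known_sender:
        msg["X-Spam-known-sender"] = "yes"
    return msg.as_bytes()
```

The size test runs on the encoded message, so a 20,000-byte GIF counts as roughly 27K once base64-encoded.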
17 Nov 2006, 10:31 PM | #7 | |
Senior Member
Join Date: Apr 2006
Location: London, England
Posts: 166
|
Re: Catching image spam
Quote:
FYI I've just seen a new twist on the GIF based emails that has managed to slip through the system we use at work. The background of the image is made up of random coloured shapes with the text over it. The baseline of the text is randomly moved up or down so it looks like it's set on a wave. Some of the lines touch the one above or below but don't overlap. I guess it's an attempt to defeat an OCR scanner. MessageLabs gave it a spam score of 0. I've still got a copy if you want any info. Regards Alan |
|
17 Nov 2006, 11:20 PM | #8 |
Guest
Posts: n/a
|
|
17 Nov 2006, 11:36 PM | #9 | |
The "e" in e-mail
Join Date: May 2002
Posts: 2,804
|
Re: Re: Catching image spam
Quote:
I wouldn't really expect the FuzzyOCR plugin to be successful for long. It's based on gocr which was never intended for this kind of thing. |
|
21 Nov 2006, 08:30 AM | #10 |
Intergalactic Postmaster
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102
Representative of:
Fastmail.FM |
apl: Is it like this one: http://www.iwayafrica.com/piously.gif
It's already been reported on the FuzzyOCR mailing list. DrStrabismus: FuzzyOCR can also use ocrad. I've been subscribed to the mailing list for a month now, and apparently most people think ocrad is much better. I'm planning on trying it shortly. Rob |
21 Nov 2006, 08:50 AM | #11 | |
Senior Member
Join Date: Apr 2006
Location: London, England
Posts: 166
|
Quote:
Yes it's close enough, the coloured shapes are much larger though. I'd not seen anything like it until a few days ago when I first posted the message here. The ones I mostly get are text over 'hairy' backgrounds, they look like scratches. Regards Alan |
|
21 Nov 2006, 09:06 AM | #12 |
The "e" in e-mail
Join Date: May 2002
Posts: 2,804
|
The thing is that these projects are for conventional character recognition. For them to remain effective they will have to become antispam projects.
|
21 Nov 2006, 11:26 AM | #13 |
Intergalactic Postmaster
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102
Representative of:
Fastmail.FM |
You're probably right. It depends how good they are in the average sense and just pulling information from a page. My guess is that the worst would be something like using outline or shadow fonts. People can probably read that easily but it's hard for machines. On the other hand, I have no idea. Even the best captcha type systems can apparently now be broken. And at some point, with captcha systems you have to concentrate on the actual text to transcribe it, how worthwhile is a spam people actually have to concentrate on?
Anyway, I'd prefer to see more efforts at fixing the root of the problem, which is mostly zombie bot infected Windows machines with spam sending trojans on them. The main things I see are:
1. I think ISPs should block port 25 connections. To be honest, I see little reason for most users to require outgoing port 25 connections. Most real email providers have alternate ports, or you should use SSL ports.
2. ISPs/users should have proper forward and reverse DNS on their machines. If everyone had proper DNS, it would at least make identifying the source of emails easier.
3. Users shouldn't be such idiots. Sorry, who are all these people that clearly install and click on things that install this malware crap. You wouldn't stick random crap someone at a road stall is selling into the oil sump/transmission fluid of your automobile, so why do people do it on their computers?
4. Microsoft should have got off their *** ages back and locked down Windows more. The default user should never have been privileged. I can't believe it's only Vista that's going to fix this. On the other hand, let's see in 2 years time how many compromised Vista machines there are, maybe there's just too many holes that let this stuff onto a person's machine.
Just some random thoughts...
Rob |
22 Nov 2006, 01:21 AM | #14 | |
Master of the @
Join Date: Feb 2004
Location: New Hampshire, USA
Posts: 1,561
|
Quote:
But blocking outgoing port 25 - as it has become common to do - doesn't protect anyone as near as I can tell. It just keeps the ISP's customers from using someone else's SMTP server to which they might have legitimate access - such as I have to mail.messagingengine.com, for instance. -jeff- |
|
24 Nov 2006, 08:21 AM | #15 |
Intergalactic Postmaster
Join Date: Oct 2001
Location: Melbourne, Australia
Posts: 6,102
Representative of:
Fastmail.FM |
I do mean block outgoing.
Yes, that would affect the average person trying to send via port 25 to us, but any real email provider will provide alternate ports to port 25, most notably an SSL 465 port or an official SMTP submission 587 port. Rob |