Need advice for filtering out a particular kind of spam.

Discuss our MailScanner install script and MailScanner itself
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43

Post by jols »

Lately, our hosted customers have been hammered by (male sex) drug spam. The message only contains a single image. Most of them advertise http://www.7766.org

The messages are obviously coming from all over, broken/hacked PCs, servers, proxies, you name it. The SpamAssassin score never seems to get above 3 or so.

Is there any way we can battle this? We are getting plenty of complaints.
Sarah
Moderator
Posts: 934
Joined: 09 Dec 2006, 22:49

Post by Sarah »

We're testing a SpamAssassin rule on our servers that is meant to target this kind of image spam. Looks like it's identifying them but we may need to bump up the score to make sure they get over the minimum spam score. I found this on the MailScanner mailing list.

If you want to try it, add these lines to a .cf file in /etc/mail/spamassassin (to make sure that it doesn't get overwritten when you upgrade SpamAssassin):

Code:

header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
score MIME_IMAGE_ONLY 2.00
describe MIME_IMAGE_ONLY Image body part but no text body parts

If you have had our MailScanner service done, you can add these lines to /etc/mail/spamassassin/configserver.cf. Then restart MailScanner (not strictly necessary but it'll reload the rules more quickly that way). You could try changing the score line once you've seen how it's working on your server. To check after a day or two to see how it's working, go into MailWatch > Reports, and create a filter for "Spam Report" contains "MIME_IMAGE_ONLY".

Regards,
Sarah
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43

Post by jols »

Great! I'll try this and report back when I get a chance.

One thing, it looks as if this could be defeated by the spammer, if they just added random text at the bottom (like we've seen before), but if so at least this would be some kind of defense against single image only spam.

Thanks!
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43

Post by jols »

Okay, this worked great for a while, but now they have changed the content type. So this line in the new rule no longer applies:

header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i

The new content type they are using is in the email header like this:

Content-Type: image/jpg;

So I am wondering if I can just add a line to the rule, something like this:

header __CTYPE_IMAGE_JPG Content-Type =~ /image\/jpg/i

But here is where I am stuck. The following line would also of course need to include the new CTYPE_IMAGE_JPG statement, but I am not sure how to implement it.

meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)

Namely, I am wondering what the command is for "or". I get it that "&&" is "and", and "!" is "not", but I have no idea what the or command would be in this case.

Anyone?
jols
Junior Member
Posts: 111
Joined: 08 May 2007, 04:43

Post by jols »

Wait a minute - Now I am confused again. In the original set, where does "__ANY_IMAGE_ATTACH" come from? Where is it defined? Is this a system variable?
Sarah
Moderator
Posts: 934
Joined: 09 Dec 2006, 22:49

Post by Sarah »

1. I *believe* you should use "||" for OR. More information on writing spamassassin rules can be found here: http://wiki.apache.org/spamassassin/WritingRules

2. The test ANY_IMAGE_ATTACH is one of the default tests installed with spamassassin. The default rules are located in /usr/share/spamassassin/.

Regards,
Sarah
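
The rule logic discussed in this thread, modelled in Python as an added example (it is not from the thread and is not SpamAssassin's own code). It evaluates the original meta expression and one possible "||" extension against three constructed messages. Assumptions: __ANY_IMAGE_ATTACH is taken to match any image/* part, and walking every MIME part including the top level is a simplification of how mimeheader tests work.

```python
import re
from email.message import EmailMessage

# Sub-rules from the thread, as regexes over Content-Type values.
CTYPE_MULTIPART_MXD = re.compile(r"multipart/mixed", re.I)
CTYPE_IMAGE_JPG = re.compile(r"image/jpg", re.I)
ANY_TEXT_ATTACH = re.compile(r"text/\w+", re.I)
# Assumption: the stock __ANY_IMAGE_ATTACH test matches any image/* part.
ANY_IMAGE_ATTACH = re.compile(r"image/\w+", re.I)


def evaluate(msg):
    """Return the outcome of the original and the extended meta rule."""
    top = str(msg.get("Content-Type", ""))
    parts = [str(p.get("Content-Type", "")) for p in msg.walk()]
    mxd = bool(CTYPE_MULTIPART_MXD.search(top))
    jpg = bool(CTYPE_IMAGE_JPG.search(top))
    img = any(ANY_IMAGE_ATTACH.search(c) for c in parts)
    txt = any(ANY_TEXT_ATTACH.search(c) for c in parts)
    # meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH
    #                       && !__ANY_TEXT_ATTACH)
    original = mxd and img and not txt
    # One possible extension (hypothetical, not posted in the thread):
    # meta MIME_IMAGE_ONLY ((...original expression...) || __CTYPE_IMAGE_JPG)
    extended = original or jpg
    return {"original": original, "extended": extended}


def sample_messages():
    """Constructed sample messages, not real spam."""
    mixed_image = EmailMessage()  # multipart/mixed holding one image part
    mixed_image.add_attachment(b"GIF89a", maintype="image", subtype="gif")

    bare_jpg = EmailMessage()  # top-level "Content-Type: image/jpg"
    bare_jpg.set_content(b"\xff\xd8\xff", maintype="image", subtype="jpg")

    image_plus_text = EmailMessage()  # image plus a filler text part
    image_plus_text.set_content("random filler text")
    image_plus_text.add_attachment(b"GIF89a", maintype="image", subtype="gif")

    return {"mixed_image": mixed_image, "bare_jpg": bare_jpg,
            "image_plus_text": image_plus_text}


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        print(name, evaluate(msg))
```

The third message is the limitation jols raised: once a text part is present, neither form of the rule fires, so the rule is best treated as one contributing score rather than a verdict on its own.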