Lately, our hosted customers have been hammered by (male sex) drug spam. The message only contains a single image. Most of them advertise http://www.7766.org
The messages are obviously coming from all over, broken/hacked PCs servers, proxies, you name it. The Spam Assassin score never seems to get above 3 or so.
Is there any way we can battle this? We are getting plenty of complaints.
Need advice for filtering out a particular kind of spam.
We're testing a SpamAssassin rule on our servers that is meant to target this kind of image spam. Looks like it's identifying them but we may need to bump up the score to make sure they get over the minimum spam score. I found this on the MailScanner mailing list.
If you want to try it, add these lines to a .cf file in /etc/mail/spamassassin (to make sure that it doesn't get overwritten when you upgrade SpamAssassin):
If you have had our MailScanner service done, you can add these lines to /etc/mail/spamassassin/configserver.cf. Then restart MailScanner (not strictly necessary but it'll reload the rules more quickly that way). You could try changing the score line once you've seen how it's working on your server. To check after a day or two to see how it's working, go into MailWatch > Reports, and create a filter for "Spam Report" contains "MIME_IMAGE_ONLY".
Regards,
Sarah
If you want to try it, add these lines to a .cf file in /etc/mail/spamassassin (to make sure that it doesn't get overwritten when you upgrade SpamAssassin):
Code: Select all
header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
score MIME_IMAGE_ONLY 2.00
describe MIME_IMAGE_ONLY Image body part but no text body partsRegards,
Sarah
Okay, this worked great for a while, but now they have changed the content type. So this line in the new rule no longer applies:
header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i
The new content type they are using is in the email header like this:
Content-Type: image/jpg;
So I am wondering if I can just add a line to the rule, something like this:
header __CTYPE_IMAGE_JPG Content-Type =~ /image\/jpg/i
But here is where I am stuck. The following line would also of course need to include the new CTYPE_IMAGE_JPG statement, but I am not sure how to implement it.
meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
Namely, I am wondering what the command is for "or". I get it that "&&" is "and", and "!" is "not", but I have no idea what the or command would be in this case.
Anyone?
header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i
The new content type they are using is in the email header like this:
Content-Type: image/jpg;
So I am wondering if I can just add a line to the rule, something like this:
header __CTYPE_IMAGE_JPG Content-Type =~ /image\/jpg/i
But here is where I am stuck. The following line would also of course need to include the new CTYPE_IMAGE_JPG statement, but I am not sure how to implement it.
meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
Namely, I am wondering what the command is for "or". I get it that "&&" is "and", and "!" is "not", but I have no idea what the or command would be in this case.
Anyone?
1. I *believe* you should use "||" for OR. More information on writing spamassassin rules can be found here: http://wiki.apache.org/spamassassin/WritingRules
2. The test ANY_IMAGE_ATTACH is one of the default tests installed with spamassassin. The default rules are located in /usr/share/spamassassin/.
Regards,
Sarah
2. The test ANY_IMAGE_ATTACH is one of the default tests installed with spamassassin. The default rules are located in /usr/share/spamassassin/.
Regards,
Sarah