Eisenson
Corporal
Premium Member
Joined: May 22, 2004
Posts: 59
Location: USA
|
Posted: Sun Jun 06, 2004 11:39 am Post subject: How to filter body that's all image... |
|
|
My MWP setup is better than 99% effective now, thanks to help from the experts here. But two all-image spamgrams slipped through today, and I wonder if there's an effective way to treat them.
The subjects were misleading and could not be used as filter criteria. FirstAlert, DNS Blacklist, Bayesian, and existing filters all passed them.
Even when I examined the raw data, content was all image except for a one-line "to be removed" at the bottom. Problem is that the same one-liner appears on some emails that I want to see. I couldn't even use the domain of that address because it's nothing special.
So... is there a way? |
|
rogerw
Major
Premium Member
Joined: May 11, 2003
Posts: 858
Location: USA
|
Posted: Sun Jun 06, 2004 1:16 pm Post subject: |
|
|
Look at the raw source of the email in the preview window.
Emails with images that are embedded have a multipart format and one of the parts will have a Content-Type: of image, gif, jpeg, etc.
Many emails just have HTML links to images out on web sites. Those will have HTML tags for "img src = ".
You need to build filters that recognize these tricks.
Gary's filters might give a leg-up on writing such a filter (but I don't know for sure, as I've not looked at them in ages). They also haven't been actively updated/corrected in over a year. I know you know of them and where to find them, but for the benefit of others, Gary's sample filters are here: http://www.w5hq.com/MailWasher/ |
|
Eisenson
Corporal
Premium Member
Joined: May 22, 2004
Posts: 59
Location: USA
|
Posted: Sun Jun 06, 2004 1:46 pm Post subject: |
|
|
If DNS blacklist or FirstAlert don't catch it, I think these are just doomed to trickle in. There doesn't seem to be a way to differentiate between a legit and illegitimate "img src =".
MWP's smart, but probably can't be told how to tell whether an image is a requested product sheet or a porn-o-gram.
_________________
Perfection is sometimes sufficient... |
|
rogerw
Major
Premium Member
Joined: May 11, 2003
Posts: 858
Location: USA
|
Posted: Sun Jun 06, 2004 1:55 pm Post subject: |
|
|
Well, that's why the cascade of various tools (in the specific order) is provided.
Friends list trumps all, so images from friends are OK. If you then construct a filter to trap all other images, then once you build your friends list up - any "img src ="'s you get probably aren't in a 'good' email.
You'll note, too, that many web references in spam are pretty bizarre. They're often not "http://www.server.com/...." - but more like "http://eats_your_lunch.hubba_hubba.biz/...". You could trap on any web references that don't begin as "http://www" to get a feel for how that'll help. |
|
AlphaCentauri
Captain
Joined: Nov 20, 2003
Posts: 302
Location: USA
|
Posted: Tue Jun 08, 2004 12:28 pm Post subject: |
|
|
Lots of firms get URLs that don't include the www nowadays. It's considered a "premium" web address.
My very last filter is for emails that only have an image source and an href. It isn't very specific, and it's a different color because I do have to look at the subject lines, but unfortunately there are lots of spams that don't trigger anything else.
[enabled],image,image,16777088,AND,Body,containsRE,"img src|<IMG src=|<IMG id=",Body,contains,"a href" |
|
Ikeb
General
Premium Member
Joined: Apr 20, 2003
Posts: 3555
Location: Canada
|
Posted: Tue Jun 08, 2004 1:57 pm Post subject: |
|
|
But your filter doesn't distinguish between a single image / link reference and multiple image / link references. Trouble is that many legit emails use image references as well as link references (but USUALLY not a single one, and certainly not with anything but the image). Building a filter to look for a msg with only a single image, and nothing but the image is somewhat more challenging I'm sure.
_________________
I like SPAM ... on my sandwich! |
|
AlphaCentauri
Captain
Joined: Nov 20, 2003
Posts: 302
Location: USA
|
Posted: Tue Jun 08, 2004 2:13 pm Post subject: |
|
|
That's why it's my lowest priority filter. Most individuals include the photo instead of linking to it. Otherwise it's pretty broad and will trigger on most commercial emails. |
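
The distinction raised in this thread (a lone image with nothing but a removal line versus an ordinary mail that merely contains images and links, with the friends list checked first) can be sketched as follows. This is an added example, not code from any poster or from MailWasher, and it is written in Python rather than MWP filter syntax; the `classify` function, its labels, the 120-character `max_text` threshold and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

class BodyStats(HTMLParser):
    """Counts <img> tags, <a href> links and non-whitespace text characters."""
    def __init__(self):
        super().__init__()
        self.images = self.links = self.text_chars = 0

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag == "a" and dict(attrs).get("href"):
            self.links += 1

    def handle_data(self, data):
        self.text_chars += len("".join(data.split()))

def classify(raw, friends=(), max_text=120):
    """Return 'friend', 'image-only', 'image+link' or 'pass' (labels are this example's)."""
    msg = message_from_string(raw)
    if parseaddr(msg.get("From", ""))[1].lower() in friends:
        return "friend"                      # friends list trumps every filter
    stats, embedded = BodyStats(), 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            embedded += 1                    # image carried as a MIME part
        elif part.get_content_type() in ("text/html", "text/plain"):
            raw_body = part.get_payload(decode=True) or b""
            text = raw_body.decode(part.get_content_charset() or "utf-8", "replace")
            if part.get_content_type() == "text/html":
                stats.feed(text)
            else:
                stats.text_chars += len("".join(text.split()))
    images = max(stats.images, embedded)     # a cid: <img> and its part count once
    if images == 1 and stats.text_chars <= max_text:
        return "image-only"                  # one image plus at most a removal line
    if images >= 1 and stats.links >= 1:
        return "image+link"                  # broad, lowest-priority match
    return "pass"

def sample(sender, html):
    """Build a constructed test message; addresses use reserved example domains."""
    return f"From: {sender}\nSubject: hi\nContent-Type: text/html\n\n{html}"

SPAM = sample("promo@example.net", '<a href="http://example.net/buy">'
              '<IMG src="http://example.net/ad.gif"></a><br>To be removed, reply REMOVE.')
NEWS = sample("shop@example.org", '<img src="a.gif"><a href="http://example.org/1">one</a>'
              + "<p>" + "catalogue text " * 20 + "</p>" + '<img src="b.gif">')
```

`classify(SPAM)` yields the narrow "image-only" label, while `classify(NEWS)` falls through to the broad "image+link" label that would sit last in the filter order.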