Monday, August 21, 2006

Fighting Image Spam with SpamAssassin

My servers at F4 Systems are getting a lot of image-based spam lately; you know the ones, where all the text is presented as an image (usually a stock scam), so the spam filters don't have a chance to scan and tag it.

My first attempt was to add this rule:

# "CRITICAL INVESTOR ALERT!" image spam - added dynamic image size
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=[345]\d{2} height=\d{3} id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
#rawbody __LOCAL_CRIT_INVEST_IMG_TEST3 /^ name="wetback.gif"$/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 3.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains CRITICAL INVESTOR ALERT! image


It blocked quite a few, I'd say about half, but I know I can do better. The first thing I'm doing is upgrading SpamAssassin from v3.1.1 to v3.1.4 to see if that helps. If not, it's on to try an OCR Plugin. Great... more CPU load. Did I mention about 80% of all the email my server receives is recognized as spam?

Update: Well, the upgrade didn't seem to help at all, so I'll tackle the OCR plugin soon.
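An added example, not code from the original post: a small Python harness that ports the two rawbody sub-tests and the meta rule, then runs them over constructed message bodies to show which small template changes slip past an exact-match rule like this one. It assumes the spam HTML reads `'><img`, approximates rawbody matching by testing each decoded body line, and the `sample()` helper and its Content-ID suffix are made up for illustration.

```python
import re

# Ports of the two sub-tests (assumes the HTML reads '><img).
TEST1 = re.compile(r'''^font-family:Arial'><img width=[345]\d{2} height=\d{3} id="_x0000_i1025"''')
TEST2 = re.compile(r'^src="cid:image001.gif@')
SCORE = 3.0  # score assigned to LOCAL_CRIT_INVEST_IMG


def evaluate(raw_body):
    """Apply both sub-tests line by line, then combine them like the meta rule."""
    lines = raw_body.splitlines()
    t1 = any(TEST1.search(line) for line in lines)
    t2 = any(TEST2.search(line) for line in lines)
    hit = t1 and t2
    return {"test1": t1, "test2": t2, "hit": hit, "score": SCORE if hit else 0.0}


def sample(width=450, cid="image001.gif", wrap="\n"):
    """Build a constructed HTML body shaped like the template the rule targets."""
    return ("<p><span style='font-size:10.0pt;" + wrap
            + f"font-family:Arial'><img width={width} height=320 "
            + 'id="_x0000_i1025"' + wrap
            + f'src="cid:{cid}@01C6C4F1.A0B1C2D0"></span></p>\n')


# Constructed variants: each changes one detail of the template.
VARIANTS = {
    "original": sample(),
    "wider_image": sample(width=620),          # width outside [345]\d{2}
    "renamed_cid": sample(cid="image002.gif"),  # different inline image name
    "rewrapped": sample(wrap=" "),              # same HTML on one line, ^ anchors fail
}


def missed():
    """Names of the constructed variants the meta rule does not tag."""
    return [name for name, body in VARIANTS.items() if not evaluate(body)["hit"]]


if __name__ == "__main__":
    for name, body in VARIANTS.items():
        print(name, evaluate(body))
    print("missed:", missed())
```

Each miss comes from a single hard-coded detail (dimension range, attachment name, line wrapping), which is the weakness of keying on one template's exact markup.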
