filtering img src=cid spam
on 06.12.2005 04:26:42 by nooneinparticular314159
I've been receiving a lot of spam with a single word header, and a tag
in the body with the form , where ______ is a
long string of random characters (I believe this is normally a
reference to a background image in Outlook).
I've tried to filter out this spam using each of the following filters,
none of which seem to block it. Can you please tell me what I am doing
wrong?
:0
* .*img src=cid\:.*
/dev/null
:0B
* .*src=cid.*
/dev/null
:0B
* .*src=cid:.*
/dev/null
:0B
* .*src\=cid\:.*
/dev/null
:0B
* .*src=cid\:.*
/dev/null
:0B
* .*\
/dev/null
:0B
* .*
/dev/null
Thanks!
Re: filtering img src=cid spam
on 07.12.2005 00:21:40 by Sam
nooneinparticular314159@yahoo.com writes:
> I've been receiving a lot of spam with a single word header, and a tag
> in the body with the form , where ______ is a
> long string of random characters (I believe this is normally a
> reference to a background image in Outlook).
No, it's not. It's a reference to another MIME section of a
multipart/related section.
>
> I've tried to filter out this spam using each of the following filters,
> none of which seem to block it. Can you please tell me what I am doing
> wrong?
>
> :0
> * .*img src=cid\:.*
> /dev/null
Betcha the spam uses quoted-printable transfer encoding. Either that, or
there's a newline or multiple whitespace, somewhere in there.
Look at the _RAW_ contents of the E-mail message.
Generally, using simple filtering against message body isn't reliable unless
all you're scanning for are simple words in the 7bit Latin character set.
Anything more than that, and MIME encoding will throw pretty much everything
off kilter.
You're probably better off scanning for "multipart/related" in the
Content-Type: header.
Keep in mind that this will not only nail this kind of spam, but anything
anyone mails you from an HTML-capable E-mailer that contains any kind of a
background image or a graphic.
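Added example, not part of either post: a Python sketch of why a body pattern such as `src=cid:` misses a quoted-printable HTML part when run against the raw message, next to the same check after MIME decoding and the `multipart/related` header check suggested in the reply. The sample message, its addresses and the function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Constructed sample (not taken from the thread). In the HTML part "=3D" is the
# quoted-printable form of "=", and the "=" that ends the line is a soft line
# break, so the raw bytes never contain the literal text "src=cid:".
RAW = (
    b"From: sender@example.com\r\n"
    b"Subject: hello\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/related; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b'Content-Type: text/html; charset="us-ascii"\r\n'
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"\r\n"
    b"<html><body><img src=3D=\r\n"
    b"cid:abc123@example.com></body></html>\r\n"
    b"--b1\r\n"
    b"Content-Type: image/gif\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-ID: <abc123@example.com>\r\n"
    b"\r\n"
    b"R0lGODlhAQABAAAAACw=\r\n"  # placeholder bytes, never decoded here
    b"--b1--\r\n"
)

# Tolerates optional quotes and whitespace around "=" once the part is decoded.
CID_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?cid:", re.I | re.S)

def raw_body_matches(raw: bytes) -> bool:
    """What a plain body regex sees: the still-encoded bytes."""
    return re.search(rb"src=cid:", raw, re.I) is not None

def decoded_cid_images(raw: bytes) -> int:
    """Count <img src=cid:...> tags after undoing the transfer encoding."""
    msg = message_from_bytes(raw, policy=policy.default)
    count = 0
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            count += len(CID_IMG.findall(part.get_content()))
    return count

def is_multipart_related(raw: bytes) -> bool:
    """Header-only check: top-level Content-Type is multipart/related."""
    msg = message_from_bytes(raw, policy=policy.default)
    return msg.get_content_type() == "multipart/related"
```

On the sample, the raw match fails while the decoded check finds one tag; the header check also matches, and as the reply notes it would match any legitimate HTML mail with an embedded image.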