Re: [anti-spam-wg] Imaged spam


At 02:35p +0200 06/21/2006, Frank Altpeter didst inscribe upon an electronic papyrus:

these days i see more and more spam coming in in a quite new format: as a
HTML mail without any text content but with the spam message contained as
an image.

Does anyone here see similar approaches the last days and are there
already any ideas to get spamfilters catch this?

Assuming the HTML content is not Base64 encoded, you can filter using regexp for an image tag contained in an anchor link. If it is Base64 encoded, you could perhaps filter on that itself (risky but usually worth it).

These are a couple of old ones:

<img\s+src=.+([a-z]+\.)?[a-z0-9]{3,20}\.com\x2F[a-z]?[\d]+\.(gif|jpg)\"\s+border=0><\x2Fa>

<a\s+href=(3D)?"?http:[^>]+"?>\s*<img\s+[^>]+><\x2Fa>

I think I need to add a new one to catch </img></a>:

<a\s+href=(3D)?"?http:[^>]+"?>\s*<img\s+[^>]+><\x2Fimg><\x2Fa>

Gitchee gumee, that'll do me. :-)