Re: [anti-spam-wg] Imaged spam
-
From: Walter Ian Kaye walter@localhost
-
Date: Wed, 21 Jun 2006 10:59:50 -0700
At 02:35p +0200 06/21/2006, Frank Altpeter didst inscribe upon an
electronic papyrus:
these days i see more and more spam coming in in a quite new format: as a
HTML mail without any text content but with the spam message contained as
an image.
Does anyone here see similar approaches the last days and are there
already any ideas to get spamfilters catch this?
Assuming the HTML content is not Base64 encoded, you can filter using
regexp for an image tag contained in an anchor link. If it is Base64
encoded, you could perhaps filter on that itself (risky but usually
worth it).
These are a couple of old ones:
<img\s+src=.+([a-z]+\.)?[a-z0-9]{3,20}\.com\x2F[a-z]?[\d]+\.(gif|jpg)\"\s+border=0><\x2Fa>
<a\s+href=(3D)?"?http:[^>]+"?>\s*<img\s+[^>]+><\x2Fa>
I think I need to add a new one to catch </img></a>:
<a\s+href=(3D)?"?http:[^>]+"?>\s*<img\s+[^>]+><\x2Fimg><\x2Fa>
Gitchee gumee, that'll do me. :-)