I’ve been getting flooded with a particularly annoying and very tricky spam email lately. It’s a multipart HTML message containing a bunch of random words, so it defeats Bayesian filters. The actual advertisement is in the form of an attached image, which begins with the following text:

***ATTENTION ALL DAY TRADERS AND INVESTORS***

INVESOTR ALERT!
IT LOOKS LIKE ANOTHER RUN FOR SWNM!
WATCH SWNM LIKE A HAWK ON Tuesday August 1, 2006

Since it’s impossible for a spam filter to actually parse the image, this message is especially hard to block. However, the message does contain one string that’s not random and is very unlikely to show up in a legitimate email. Here’s a SpamAssassin rule that will assign two points to the message based on that string:

# "INVESOTR ALERT!" image spam
rawbody __LOCAL_INVESOTR_IMG_TEST1 /^font-family:Arial'><img width=429 height=558 id="_x0000_i1025"/m
rawbody __LOCAL_INVESOTR_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_INVESOTR_IMG (__LOCAL_INVESOTR_IMG_TEST1 && __LOCAL_INVESOTR_IMG_TEST2)
score LOCAL_INVESOTR_IMG 2.0
describe LOCAL_INVESOTR_IMG BODY: Contains INVESOTR ALERT! image

(if you’re a Jetpants customer, this rule is already in effect for you)

Update: Here’s another rule to catch a new variant with a “CRITICAL INVESTOR ALERT!” image:

# "CRITICAL INVESTOR ALERT!" image spam
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=371 height=627 id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 2.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains CRITICAL INVESTOR ALERT! image

Comments

I get tons of these too, and have noticed that the image size varies based on the textual content that was rendered. Here is a rule revision that handles the dynamic image size. (Note: I also bumped the score up to 4.0 for my configuration; you may want to change it.)

# "CRITICAL INVESTOR ALERT!" image spam - added dynamic image size
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=[345]\d{2} height=\d{3} id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 4.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains CRITICAL INVESTOR ALERT! image
Monday August 07, 2006 @ 09:34 AM (PDT)
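The rules in the post and the dynamic-size revision in the comment above can be tried offline with a small evaluator. This is an added example, not SpamAssassin's code and not the post author's or the commenter's: it models only the three rule types used here (rawbody, meta, score) and the per-line matching SpamAssassin applies to rawbody rules, which is what lets the TEST2 patterns hit at a line start without the /m flag. The three messages it scores are constructed, with the cid value and the random words made up; only the img markup follows the shape the rules expect.

```python
"""Tiny evaluator for the SpamAssassin-style rules quoted on this page.
Added example, not SpamAssassin's code: models rawbody, meta and score rules
with per-line matching for rawbody; the messages below are constructed."""
import email
import re
from email import policy

# Rules as quoted in the post (first variant) and in the comment above
# (dynamic image size).  describe lines are omitted; they only document.
RULES_POST = r"""
rawbody __LOCAL_INVESOTR_IMG_TEST1 /^font-family:Arial'><img width=429 height=558 id="_x0000_i1025"/m
rawbody __LOCAL_INVESOTR_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_INVESOTR_IMG (__LOCAL_INVESOTR_IMG_TEST1 && __LOCAL_INVESOTR_IMG_TEST2)
score LOCAL_INVESOTR_IMG 2.0
"""
RULES_DYNAMIC = r"""
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=[345]\d{2} height=\d{3} id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 4.0
"""

# Constructed multipart/related message shaped like the spam's HTML; the
# cid value and the "random words" paragraph are made up for this example.
MESSAGE_TEMPLATE = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body><p class=MsoNormal><span style='font-size:10.0pt;
font-family:Arial'><img width={width} height={height} id="_x0000_i1025"
src="cid:image001.gif@01C6B4E6.1234ABCD"></span></p>
<p>bamboo librarian trombone midnight</p></body></html>

--B1
Content-Type: image/gif; name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID: <image001.gif@01C6B4E6.1234ABCD>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--B1--
"""
SPAM_429 = MESSAGE_TEMPLATE.format(width=429, height=558)  # first variant
SPAM_371 = MESSAGE_TEMPLATE.format(width=371, height=627)  # resized variant
HAM = MESSAGE_TEMPLATE.format(width=120, height=80)        # legit inline image

FLAG_MAP = {"m": re.MULTILINE, "i": re.IGNORECASE, "s": re.DOTALL}

def parse_rules(text):
    """Return (rawbody regexes, meta expressions, scores) keyed by rule name."""
    rawbody, meta, scores = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "rawbody":
            pattern, _, flags = rest[1:].rpartition("/")  # strip /.../flags
            rawbody[name] = re.compile(pattern, sum(FLAG_MAP[f] for f in flags))
        elif kind == "meta":
            meta[name] = rest.strip("()")
        elif kind == "score":
            scores[name] = float(rest)
    return rawbody, meta, scores

def eval_meta(expr, hits):
    """Evaluate 'a && b || !c' style expressions (enough for these rules)."""
    def term(t):
        t = t.strip()
        return hits.get(t.lstrip("!"), False) != t.startswith("!")
    return any(all(term(t) for t in clause.split("&&"))
               for clause in expr.split("||"))

def score_message(raw_msg, rule_text):
    """Score one message: returns (points, names of scoring rules that hit)."""
    rawbody, meta, scores = parse_rules(rule_text)
    msg = email.message_from_string(raw_msg, policy=policy.default)
    # rawbody rules run line by line over each decoded text part, so ^ can
    # match at any line start even without /m.
    lines = [ln for part in msg.walk() if part.get_content_maintype() == "text"
             for ln in part.get_content().splitlines()]
    hits = {n: any(rx.search(ln) for ln in lines) for n, rx in rawbody.items()}
    for name, expr in meta.items():      # __ subrules never score on their own
        hits[name] = eval_meta(expr, hits)
    total = sum(pts for name, pts in scores.items() if hits.get(name))
    return total, sorted(n for n, h in hits.items() if h and not n.startswith("__"))

if __name__ == "__main__":
    for label, m in (("429x558", SPAM_429), ("371x627", SPAM_371), ("ham", HAM)):
        print(label, "post:", score_message(m, RULES_POST),
              "dynamic:", score_message(m, RULES_DYNAMIC))
```

Running it shows the point of the meta rule and of the revision: the 429x558 message scores 2.0 under the post's rule, the 371x627 variant scores nothing under it but 4.0 under the dynamic rule, and the message with a legitimately sized inline image scores 0 under both even though it carries the same cid, because only one of the two subrules fires.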

Most sites give you the option of 'html' vs 'plain text' email messages, why not filter most spam by auto-deleting all html email and only using plain text mail? Just a thought.

Mark
Monday August 07, 2006 @ 10:54 PM (PDT)

Because then I'd have to train Grandma to stop sending HTML email.

Monday August 07, 2006 @ 11:13 PM (PDT)

I wonder how hard it would be to do a Razor-type central DB for image-based spam like this. Just hash through all attachments and if they match, reject the spam. It's a lot more CPU intensive for a spammer to poison an image hash yet still have the result readable than it is to insert random hashbusting text.

Michael Fischer
Thursday August 10, 2006 @ 06:30 PM (PDT)
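One way to try the central-hash idea from the comment above locally, as an added example that is not Razor's or SpamAssassin's code: hash every image/* part of a message and look the digest up in a block list. The messages, the block list and the 1x1 GIF inside them are constructed here. The second message shows the weakness the comment alludes to: appending a single byte to the image defeats an exact digest, which is why services of this kind favour fuzzy signatures over exact hashes.

```python
"""Razor-style block list keyed on attachment hashes.  Added example, not
Razor's or SpamAssassin's code: it hashes every image/* MIME part and looks
the digest up in a local set.  GIF, messages and block list are constructed."""
import base64
import email
import hashlib
from email import policy

# A 1x1 GIF standing in for the spam image; the block list is built from it.
GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
KNOWN_SPAM_IMAGE = base64.b64decode(GIF_B64)
BLOCK_LIST = {hashlib.sha256(KNOWN_SPAM_IMAGE).hexdigest()}

# Constructed multipart/related message; {b64} is the inline image's body.
MESSAGE_TEMPLATE = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="B1"

--B1
Content-Type: text/html; charset="us-ascii"

<html><body><img src="cid:image001.gif@01C6B4E6.1234ABCD"></body></html>

--B1
Content-Type: image/gif; name="image001.gif"
Content-Transfer-Encoding: base64
Content-ID: <image001.gif@01C6B4E6.1234ABCD>

{b64}
--B1--
"""
SPAM = MESSAGE_TEMPLATE.format(b64=GIF_B64)
# Same image with one trailing byte appended: most viewers still render it,
# but its exact digest no longer matches the block list.
TWEAKED = MESSAGE_TEMPLATE.format(
    b64=base64.b64encode(KNOWN_SPAM_IMAGE + b"\x00").decode())

def image_digests(raw_msg):
    """Map each image/* part (by filename or Content-ID) to its SHA-256."""
    msg = email.message_from_string(raw_msg, policy=policy.default)
    digests = {}
    for part in msg.walk():
        if part.get_content_maintype() != "image":
            continue
        data = part.get_payload(decode=True)  # undoes the base64 encoding
        key = part.get_filename() or part.get("Content-ID", "?")
        digests[key] = hashlib.sha256(data).hexdigest()
    return digests

def matches_block_list(raw_msg, block_list=BLOCK_LIST):
    """Names of the image parts whose digest is on the block list."""
    return sorted(k for k, d in image_digests(raw_msg).items() if d in block_list)

if __name__ == "__main__":
    print("original:", matches_block_list(SPAM))    # ['image001.gif']
    print("tweaked: ", matches_block_list(TWEAKED))  # []
```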

Looks like the spammer(s) updated their software yesterday. No more spam caught by your rule.

Ann
Tuesday August 22, 2006 @ 03:09 AM (PDT)

Now - why couldn't you just have let it go by without any notice?
You KNOW the spammers are watching wonco.com for tips, tricks and... pie!

Since you posted this article, I have started to receive these #£%§ spam mails. I get ~1½ a day at this time :-(

Murphy strikes again - I wish we could defeat him on this one though :-/
Wednesday August 23, 2006 @ 10:09 AM (PDT)

What are they attempting to sell with this spam? Do they really think ANYONE capable of ordering a stock trade will fall for this trick? If the random words aren't enough to scare off anyone with a brain cell, who in this day and age would put any faith in an unsolicited spam email? Are people really (still) that stupid? (I'm afraid of the real answer)

KStebleton
Monday August 28, 2006 @ 10:39 AM (PDT)

If they don't get an error report or a bounce, they know the e-mail address is valid.
If they found a valid e-mail, they can sell that e-mail to anyone wanting to spam with something "really" interesting.
Next there is a test of whether it is possible to get past the spam blocks. Looks like anti-spam programs still can't handle this type of... spam.
Maybe rendering the image is the solution, but with the amount of spam coming in daily, I'd need a faster machine.

Herman
Monday August 28, 2006 @ 11:21 AM (PDT)

Has anybody found a solution to that new spam-mail yet?
thx (can email me if you don't want to post the solution)

Rudi
Tuesday August 29, 2006 @ 12:46 AM (PDT)

I don't want to block this $%*# email! I want to f*cking rip the heart out of the bastard who is sending it. Is there NO legal recourse to punish those whose ONLY intent is to MOLEST email users? It is their ONLY intent! I want to scream every time I get one of those and shake the goddamned person and rip out their hearts. People should not be subject to this.

James Andrews
Friday September 01, 2006 @ 04:14 AM (PDT)

I just wish these botnet computers around the internet would just blow up. If it blows the end user against the wall who can't keep his Windows updates, antivirus, and software/hardware firewall up to date.. fine!

cellx
Thursday September 07, 2006 @ 09:27 PM (PDT)

Hello, here's a suggestion: isn't there some way to make it appear to the spammers that the email was bounced?

?
Friday September 08, 2006 @ 08:43 AM (PDT)

The Chinese are behind this one. Vengeance is a dish served cold. The day will come when the heart of this bastard will be ripped out. Meanwhile keep your cool! Let them spam us. The more they spam, the more pain they will feel in the end.

Mohamed bin Yusuf
Friday September 08, 2006 @ 11:10 PM (PDT)

I found the method to block it: I block all *.gif files. Don't care whoever sends it. I told my users to tell their colleagues not to send *.gif files to us, or to convert them to another graphic format.

ton
Sunday September 10, 2006 @ 06:56 AM (PDT)

How come when I get a 'legit' mail with images (e.g. newsletters) Outlook Express will ask me whether I want to download them or not, but not with these stock spams?

Andy
Friday September 15, 2006 @ 03:47 PM (PDT)

These gif files are attached as part of the e-mail. Outlook Express only asks you if the e-mail links to external images, which could be used to track when the message is read.

Wednesday November 01, 2006 @ 03:20 PM (PST)

The ones I got a zillion of have an image tag like the following... I wish it was a gif, I would understand it then.. Anyone know how this works? Outlook 2k3.

<IMG alt="Mario" hspace=0
src="cid:000601c705bb$14cad990$00000000@dsy8egscgc2zh6" align=baseline
border=0>
Cary Price
Sunday November 12, 2006 @ 02:39 AM (PST)

I found this spamassassin rule that looks promising:
http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200608.mbox/%3C20060803235540.3B87F1A981A@eris.apache.org%3E

christophe
Monday November 27, 2006 @ 11:10 AM (PST)

Why can't I use Outlook's Rule Wizard to create a filter which blocks mail with specified words in the body = src="cid:
I have tried this but they still get through.

Eric
Saturday March 03, 2007 @ 08:15 AM (PST)

I keep getting an email about viagra and I tried to create a message rule in Outlook to block messages containing it, but I then figured out that it was an html image. I even set Outlook to block images but it still shows up. I get about one a day and I'd really like to know how to get rid of it, even if it's to make the email seem like it bounced back or was received in error.

Seania
Tuesday March 20, 2007 @ 10:22 AM (PDT)

Copyright © 2002-2010 Ryan Grove. All rights reserved.