How to block "INVESOTR ALERT!" image spam with SpamAssassin

I’ve been getting flooded with a particularly annoying and very tricky spam email lately. It’s a multipart HTML message containing a bunch of random words, so it defeats Bayesian filters. The actual advertisement is in the form of an attached image, which begins with the following text:

***ATTENTION ALL DAY TRADERS AND INVESTORS***

INVESOTR ALERT!
IT LOOKS LIKE ANOTHER RUN FOR SWNM!
WATCH SWNM LIKE A HAWK ON Tuesday August 1, 2006

Since it’s impossible for a spam filter to actually parse the image, this message is especially hard to block. However, the message does contain one string that’s not random and is very unlikely to show up in a legitimate email. Here’s a SpamAssassin rule that will assign two points to the message based on that string:

# "INVESOTR ALERT!" image spam
rawbody __LOCAL_INVESOTR_IMG_TEST1 /^font-family:Arial'><img width=429 height=558 id="_x0000_i1025"/m
rawbody __LOCAL_INVESOTR_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_INVESOTR_IMG (__LOCAL_INVESOTR_IMG_TEST1 && __LOCAL_INVESOTR_IMG_TEST2)
score LOCAL_INVESOTR_IMG 2.0
describe LOCAL_INVESOTR_IMG BODY: Contains INVESOTR ALERT! image

(if you’re a Jetpants customer, this rule is already in effect for you)

Update: Here’s another rule to catch a new variant with a “CRITICAL INVESTOR ALERT!” image:

# "CRITICAL INVESTOR ALERT!" image spam
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=371 height=627 id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 2.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains CRITICAL INVESTOR ALERT! image