The eclectic musings of a bitter software engineer.

I've been getting flooded with a particularly annoying and very tricky spam email lately. It's a multipart HTML message whose text is padded with random words, so it sails past Bayesian filters. The actual advertisement is an attached image, which begins with the following text:

***ATTENTION ALL DAY TRADERS AND INVESTORS***

INVESOTR ALERT!
IT LOOKS LIKE ANOTHER RUN FOR SWNM!
WATCH SWNM LIKE A HAWK ON Tuesday August 1, 2006

Since a text-based spam filter can't read what's inside the image, this message is especially hard to block. However, the HTML around the image isn't random and is very unlikely to show up in a legitimate email: the <img> tag with its exact dimensions and its _x0000_i1025 id, followed on the next line by the src="cid:image001.gif@..." reference to the inline image. Here's a SpamAssassin rule that assigns two points when both of those lines are present (the two __LOCAL_ sub-rules score nothing on their own; the meta rule combines them):

# "INVESOTR ALERT!" image spam
rawbody __LOCAL_INVESOTR_IMG_TEST1 /^font-family:Arial'><img width=429 height=558 id="_x0000_i1025"/m
rawbody __LOCAL_INVESOTR_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_INVESOTR_IMG (__LOCAL_INVESOTR_IMG_TEST1 && __LOCAL_INVESOTR_IMG_TEST2)
score LOCAL_INVESOTR_IMG 2.0
describe LOCAL_INVESOTR_IMG BODY: Contains INVESOTR ALERT! image

(if you're a Jetpants customer, this rule is already in effect for you)

Update: Here's another rule to catch a new variant with a "CRITICAL INVESTOR ALERT!" image:

# "CRITICAL INVESTOR ALERT!" image spam
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=371 height=627 id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 2.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains CRITICAL INVESTOR ALERT! image

Comments

I get tons of these too, and have noticed that the image size varies based on the textual content that was rendered. Here is a rule revision that handles the dynamic image size. (Note: I also bumped the score up to 4.0 for my configuration; you may want to change that.)

# "CRITICAL INVESTOR ALERT!" image spam - added dynamic image size
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=[345]\d{2} height=\d{3} id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 4.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains CRITICAL INVESTOR ALERT! image
Monday August 07, 2006 @ 09:34 AM (PDT) Posted by David Bennett

Most sites give you the option of 'html' vs 'plain text' email messages, so why not filter most spam by auto-deleting all HTML email and only using plain-text mail? Just a thought.

Monday August 07, 2006 @ 10:54 PM (PDT) Posted by Mark

Because then I'd have to train Grandma to stop sending HTML email.

Monday August 07, 2006 @ 11:13 PM (PDT) Posted by Ryan Grove

I wonder how hard it would be to do a Razor-type central DB for image-based spam like this. Just hash through all attachments and if they match, reject the spam. It's a lot more CPU intensive for a spammer to poison an image hash yet still have the result readable than it is to insert random hashbusting text.

Thursday August 10, 2006 @ 06:30 PM (PDT) Posted by Michael Fischer
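
To see concretely what the rules in the post and David Bennett's size-tolerant revision match on, and to try the Razor-style attachment-hash idea from the comment above, here is an added Python example. It is mine, not code from the original post, from SpamAssassin or from Razor. It builds three constructed messages (a copy of the stock spam with Word-style HTML around an inline cid: image, the same spam with one palette byte of the image changed, and a plain newsletter), applies the rule regexes to each decoded text part with line-start anchoring (re.M standing in for Perl's /m; this approximates SpamAssassin's rawbody input rather than reproducing its exact chunking), and checks the SHA-256 of every inline image against a constructed blocklist. The HTML, the GIF bytes, the Content-IDs, the addresses and the blocklist are all made up for the example.

```python
"""Emulate the page's SpamAssassin rules and a Razor-style image-hash check.

Added example, not code from the original post, SpamAssassin or Razor. The HTML,
GIF bytes, Content-IDs, addresses and hash blocklist below are all constructed.
"""
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# One entry per `meta` rule on the page: (name, score, sub-rule patterns). All
# sub-rules must hit for the meta rule to fire, like `&&` in SpamAssassin. The
# `.` in image001.gif is escaped here; the page's Perl patterns leave it a wildcard.
RULES = [
    ("LOCAL_INVESOTR_IMG", 2.0, [
        "^font-family:Arial'><img width=429 height=558 id=\"_x0000_i1025\"",
        '^src="cid:image001\\.gif@',
    ]),
    # David Bennett's revision: width 300-599 and any three-digit height.
    ("LOCAL_CRIT_INVEST_IMG", 4.0, [
        "^font-family:Arial'><img width=[345]\\d{2} height=\\d{3} id=\"_x0000_i1025\"",
        '^src="cid:image001\\.gif@',
    ]),
]

# Constructed stand-in for the Word-generated HTML the post describes. Word wraps
# its style attribute, so the <img> tag and its src= land at the start of two
# consecutive lines; that is what the ^-anchored rawbody patterns depend on.
SPAM_HTML = """<html>
<head>
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
</head>
<body lang=EN-US>
<p class=MsoNormal><span style='font-size:10.0pt;
font-family:Arial'><img width=429 height=558 id="_x0000_i1025"
src="cid:image001.gif@01C6B4E3.9A2C1D50"></span></p>
<p class=MsoNormal>lantern quartz velvet orbit marble sandwich</p>
</body>
</html>
"""

# Constructed newsletter: also carries an inline cid: image, but ordinary markup.
LEGIT_HTML = """<html><body>
<p><img src="cid:logo@newsletter.example" width=120 height=40 alt="Logo"></p>
<p>This month: release notes, office hours, and a short survey.</p>
</body></html>
"""

# Constructed 1x1 GIF standing in for the 429x558 advert image.
SPAM_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
# Same image with one palette byte nudged (0xff -> 0xfe): looks identical, hashes differently.
HASHBUSTED_GIF = SPAM_GIF[:16] + b"\xfe" + SPAM_GIF[17:]
# A different palette altogether, for the newsletter logo.
LOGO_GIF = SPAM_GIF[:13] + b"\x10\x40\x80\xf0\xf0\xf0" + SPAM_GIF[19:]


def build_message(html: str, image: bytes, cid: str) -> bytes:
    """Assemble text/plain + text/html alternatives with the image inline under a Content-ID."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "re: your account"
    msg.set_content("lantern quartz velvet orbit marble sandwich\n")
    msg.add_alternative(html, subtype="html")
    html_part = msg.get_payload()[1]  # the text/html alternative
    html_part.add_related(image, maintype="image", subtype="gif", cid=f"<{cid}>")
    return msg.as_bytes()


def decoded_text_parts(raw: bytes) -> list[str]:
    """Approximate rawbody input: each text part with its transfer encoding undone, tags intact."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_content() for p in msg.walk() if p.get_content_maintype() == "text"]


def score_message(raw: bytes) -> tuple[float, list[str]]:
    """Fire each meta rule whose sub-rules all match at some line start (re.M, like Perl /m)."""
    texts = decoded_text_parts(raw)
    hits = [name for name, _, patterns in RULES
            if all(any(re.search(pat, t, re.M) for t in texts) for pat in patterns)]
    return sum(score for name, score, _ in RULES if name in hits), hits


def image_digests(raw: bytes) -> dict[str, str]:
    """SHA-256 of every decoded image/* part, mapped to its Content-ID."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {hashlib.sha256(p.get_payload(decode=True)).hexdigest(): str(p.get("Content-ID", ""))
            for p in msg.walk() if p.get_content_maintype() == "image"}


def matches_known_spam_image(raw: bytes, blocklist: set[str]) -> bool:
    """Razor-style lookup: flag the message if any inline image is already in the shared database."""
    return not blocklist.isdisjoint(image_digests(raw))


SPAM_MSG = build_message(SPAM_HTML, SPAM_GIF, "image001.gif@01C6B4E3.9A2C1D50")
HASHBUSTED_SPAM_MSG = build_message(SPAM_HTML, HASHBUSTED_GIF, "image001.gif@01C6B4E3.9A2C1D51")
LEGIT_MSG = build_message(LEGIT_HTML, LOGO_GIF, "logo@newsletter.example")
# Constructed blocklist: what a central database would hold after the first report.
KNOWN_SPAM_IMAGE_HASHES = {hashlib.sha256(SPAM_GIF).hexdigest()}

if __name__ == "__main__":
    for label, raw in (("spam", SPAM_MSG), ("hashbusted spam", HASHBUSTED_SPAM_MSG),
                       ("newsletter", LEGIT_MSG)):
        print(f"{label:16} rules={score_message(raw)} "
              f"known_image={matches_known_spam_image(raw, KNOWN_SPAM_IMAGE_HASHES)}")
```

Running it prints a score and a hash verdict for each message: both regex rules fire on both spam copies (6.0 points together), the hash lookup catches only the unmodified copy, and the newsletter triggers neither. That is the trade-off between the two approaches: the hash breaks as soon as one byte of the image changes, while the wrapper regexes break as soon as the spammer changes the HTML or the image dimensions.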

Looks like the spammer(s) updated their software yesterday. No more spam caught by your rule.

Tuesday August 22, 2006 @ 03:09 AM (PDT) Posted by Ann
Now - why couldn't you just have let it go by without any notice?
You KNOW the spammers are watching wonco.com for tips, tricks and... pie!

Since you posted this article, I have started to receive these #£%§ spam mails. I get ~1½ a day at this time :-(

Murphy strikes again - I wish we could defeat him on this one though :-/
Wednesday August 23, 2006 @ 10:09 AM (PDT) Posted by Weasel

What are they attempting to sell with this spam? Do they really think ANYONE capable of ordering a stock trade will fall for this trick? If the random words aren't enough to scare off anyone with a brain cell, who in this day and age would put any faith in an unsolicited spam email? Are people really (still) that stupid? (I'm afraid of the real answer)

Monday August 28, 2006 @ 10:39 AM (PDT) Posted by KStebleton

If they don't get an error report or a bounce, they know the e-mail address is valid.
If they found a valid e-mail, they can sell that e-mail to anyone wanting to spam with something "really" interesting.
Next there is a test of whether it is possible to get past the spam blocks. Looks like anti-spam programs still can't handle this type of... Spam.
Maybe rendering the image is the solution, but with the amount of spam coming in daily, I'd need a faster machine.

Monday August 28, 2006 @ 11:21 AM (PDT) Posted by Herman

Has anybody found a solution to that new spam mail yet?
Thx (you can email me if you don't want to post the solution)

Tuesday August 29, 2006 @ 12:46 AM (PDT) Posted by Rudi

I don't want to block this $%*# email! I want to f*cking rip the heart out of the bastard who is sending it. Is there NO legal recourse to punish those whose ONLY intent is to MOLEST email users? It is their ONLY intent! I want to scream every time I get one of those and shake the goddamned person and rip out their hearts. People should not be subject to this.

Friday September 01, 2006 @ 04:14 AM (PDT) Posted by James Andrews

I just wish these botnet computers around the internet would just blow up. If it blows the end user who can't keep his Windows updates, antivirus, and software/hardware firewall up to date against the wall... fine!

Thursday September 07, 2006 @ 09:27 PM (PDT) Posted by cellx

Hello, here's a suggestion: isn't there some way to make it appear to the spammers that the email was bounced?

Friday September 08, 2006 @ 08:43 AM (PDT) Posted by ?

The Chinese are behind this one. Vengeance is a dish served cold. The day will come when the heart of this bastard will be ripped out. Meanwhile, keep your cool! Let them spam us. The more spam they send, the more pain they will feel in the end.

Friday September 08, 2006 @ 11:10 PM (PDT) Posted by Mohamed bin Yusuf

I found the method to block it: I block all *.gif files. Don't care who sends them. I told my users to tell their colleagues not to send *.gif files to us, or to convert them to another graphic format.

Sunday September 10, 2006 @ 06:56 AM (PDT) Posted by ton

How come when I get a 'legit' mail with images (e.g. newsletters) Outlook Express asks me whether I want to download them or not, but not with these stock spams?

Friday September 15, 2006 @ 03:47 PM (PDT) Posted by Andy

These GIF files are attached as part of the e-mail. Outlook Express only asks you if the e-mail links to external images, which could be used to track when the message is read.

Wednesday November 01, 2006 @ 03:20 PM (PST) Posted by Michael
The ones I got a zillion of have an image tag like the following.... I wish it was a GIF, I would understand it then... Anyone know how this works? Outlook 2k3.

<IMG alt="Mario" hspace=0
src="cid:000601c705bb$14cad990$00000000@dsy8egscgc2zh6" align=baseline
border=0>
Sunday November 12, 2006 @ 02:39 AM (PST) Posted by Cary Price

I found this spamassassin rule that looks promising:
http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200608.mbox/%3C20060803235540.3B87F1A981A@eris.apache.org%3E

Monday November 27, 2006 @ 11:10 AM (PST) Posted by christophe

Why can't I use Outlook's Rule Wizard to create a filter which blocks mail with specified words in the body (src="cid:)?
I have tried this but they still get through.

Saturday March 03, 2007 @ 08:15 AM (PST) Posted by Eric

I keep getting an email about viagra and I tried to create a message rule in Outlook to block messages containing it, but I then figured out that it was an HTML image. I even set Outlook to block images but it still shows up. I get about one a day and I'd really like to know how to get rid of it, even if it's to make the email seem like it bounced back or was received in error.

Tuesday March 20, 2007 @ 10:22 AM (PDT) Posted by Seania
Copyright © 2002-2008 Ryan Grove. All rights reserved.
Powered by Thoth.