I've been getting flooded with a particularly annoying and very tricky spam email lately. It's a multipart HTML message containing a bunch of random words, so it defeats Bayesian filters. The actual advertisement is in the form of an attached image, which begins with the following text:
***ATTENTION ALL DAY TRADERS AND INVESTORS***
INVESOTR ALERT!
IT LOOKS LIKE ANOTHER RUN FOR SWNM!
WATCH SWNM LIKE A HAWK ON Tuesday August 1, 2006
Since it's impossible for a spam filter to actually parse the image, this message is especially hard to block. However, the message does contain one string that's not random and is very unlikely to show up in a legitimate email. Here's a SpamAssassin rule that will assign two points to the message based on that string:
# "INVESOTR ALERT!" image spam
rawbody __LOCAL_INVESOTR_IMG_TEST1 /^font-family:Arial'><img width=429 height=558 id="_x0000_i1025"/m
rawbody __LOCAL_INVESOTR_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_INVESOTR_IMG (__LOCAL_INVESOTR_IMG_TEST1 && __LOCAL_INVESOTR_IMG_TEST2)
score LOCAL_INVESOTR_IMG 2.0
describe LOCAL_INVESOTR_IMG BODY: Contains INVESOTR ALERT! image
(if you're a Jetpants customer, this rule is already in effect for you)
Update: Here's another rule to catch a new variant with a "CRITICAL INVESTOR ALERT!" image:
# "CRITICAL INVESTOR ALERT!" image spam
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=371 height=627 id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 2.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains CRITICAL INVESTOR ALERT! image
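To see how the rawbody/meta pair above fires, here is a small emulation of the SpamAssassin evaluation written for this post (it is not SpamAssassin's own code). It assumes, as the author's second rule relies on, that rawbody patterns are applied line by line of the decoded raw body; the sample body and the cid: value are constructed.

```python
import re

# Constructed sample of the raw HTML part the post describes (not a captured
# message): Word-style markup, the <img> tag, then the cid: src on its own line.
SAMPLE_RAWBODY = """<p class=MsoNormal><span style='font-size:12.0pt;
font-family:Arial'><img width=429 height=558 id="_x0000_i1025"
src="cid:image001.gif@01C6B5B4.2A3C1F20"></span></p>"""

# The post's rule set, one directive per line as SpamAssassin expects.
RULES = r'''
rawbody __LOCAL_INVESOTR_IMG_TEST1 /^font-family:Arial'><img width=429 height=558 id="_x0000_i1025"/m
rawbody __LOCAL_INVESOTR_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_INVESOTR_IMG (__LOCAL_INVESOTR_IMG_TEST1 && __LOCAL_INVESOTR_IMG_TEST2)
score LOCAL_INVESOTR_IMG 2.0
'''

PERL_FLAGS = {"m": re.MULTILINE, "i": re.IGNORECASE, "s": re.DOTALL}


def parse_rules(text):
    """Return (rawbody regexes, meta conjunctions, scores) from rule lines."""
    rawbody, meta, scores = {}, {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        if kind == "rawbody":
            # rest looks like /pattern/flags: drop the leading '/', split off flags
            pattern, flags = rest[1:].rsplit("/", 1)
            rawbody[name] = re.compile(pattern, sum(PERL_FLAGS[f] for f in flags))
        elif kind == "meta":  # only '&&' conjunctions are supported here
            meta[name] = [t.strip("() ") for t in rest.split("&&")]
        elif kind == "score":
            scores[name] = float(rest)
    return rawbody, meta, scores


def score_message(raw_body, rules_text):
    """Emulate SA: rawbody tests per line, meta rules AND their sub-tests."""
    rawbody, meta, scores = parse_rules(rules_text)
    lines = raw_body.splitlines()
    hits = {name: any(rx.search(l) for l in lines) for name, rx in rawbody.items()}
    for name, parts in meta.items():
        hits[name] = all(hits.get(p, False) for p in parts)
    # names starting with "__" are sub-tests and never score on their own
    fired = sorted(n for n, h in hits.items() if h and not n.startswith("__"))
    return sum(scores.get(n, 0.0) for n in fired), fired


if __name__ == "__main__":
    print(score_message(SAMPLE_RAWBODY, RULES))  # (2.0, ['LOCAL_INVESOTR_IMG'])
```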
Comments
Updated for dynamic image size.
I get tons of these too, and have noticed that the image size varies based on the textual content that was rendered. Here is a rule revision that handles the dynamic image size (Note: I also bumped the score up to 4.0 for my configuration; you may want to change it).
# "CRITICAL INVESTOR ALERT!" image spam - added dynamic image size
rawbody __LOCAL_CRIT_INVEST_IMG_TEST1 /^font-family:Arial'><img width=[345]\d{2} height=\d{3} id="_x0000_i1025"/m
rawbody __LOCAL_CRIT_INVEST_IMG_TEST2 /^src="cid:image001.gif@/
meta LOCAL_CRIT_INVEST_IMG (__LOCAL_CRIT_INVEST_IMG_TEST1 && __LOCAL_CRIT_INVEST_IMG_TEST2)
score LOCAL_CRIT_INVEST_IMG 4.0
describe LOCAL_CRIT_INVEST_IMG BODY: Contains CRITICAL INVESTOR ALERT! image
No title
Most sites give you the option of 'html' vs 'plain text' email messages, why not filter most spam by auto-deleting all html email and only using plain text mail? Just a thought.
Re: No title
Because then I'd have to train Grandma to stop sending HTML email.
Razor for image spam?
I wonder how hard it would be to do a Razor-type central DB for image-based spam like this. Just hash through all attachments and if they match, reject the spam. It's a lot more CPU intensive for a spammer to poison an image hash yet still have the result readable than it is to insert random hashbusting text.
As of some time yesterday, it doesn't work
Looks like the spammer(s) updated their software yesterday. No more spam caught by your rule.
*sigh*
You KNOW the spammers are watching wonco.com for tips, tricks and... pie!
Since you posted this article, I have started to receive these #£%§ spam mails. I get ~1½ a day at this time :-(
Murphy strikes again - I wish we could defeat him on this one though :-/
What are they actually selling?
What are they attempting to sell with this spam? Do they really think ANYONE capable of ordering a stock trade will fall for this trick? If the random words aren't enough to scare off anyone with a brain cell, who in this day and age would put any faith in an unsolicited spam email? Are people really (still) that stupid? (I'm afraid of the real answer)
They are not selling but gathering
If they don't get an error report or a bounce, they know the e-mail address is valid.
If they found a valid e-mail, they can sell that e-mail to anyone wanting to spam with something "really" interesting.
Next there is a test if it is possible to get past the spam blocks. Looks like anti-spam programs still can't handle this type of... Spam.
Maybe rendering the image is the solution, but with the amount of spam coming in daily, I'd need a faster machine.
Any solution yet?
Has anybody found a solution to that new spam-mail yet?
thx (can email me if you don't want to post the solution)
No title
I don't want to block this $%*# email! I want to f*cking rip the heart out of the bastard who is sending it. Is there NO legal recourse to punish those whose ONLY intent is to MOLEST email users? It is their ONLY intent! I want to scream every time I get one of those and shake the god dammed person and rip out their hearts. People should not be subject to this.
return feedback
I just wish these botnet computers around the internet would just blow up. If it blows the end user against the wall that can't keep his Windows updates, antivirus, and software/hardware firewall up to date.. fine!
Trick
Hello, here's a suggestion: isn't there some way to make it appear to the spammers that the email was bounced?
china
The Chinese are behind this one. Vengeance is a dish served cold. The day will come when the heart of this bastard will be ripped out. Meanwhile, keep the cool! Let them spam us. The more the spams, the more pain they will feel in the end.
No title
I found the method to block it: I block all *.gif files. Don't care whoever sends it. I told my users to tell their colleagues not to send *.gif files to us, or to convert them to any other graphic format.
Gifs not blocked??
How come when I get a 'legit' mail with images (e.g. newsletters) Outlook Express will ask me whether I want to download or not, but not with these Stock spams?
Re: Gifs not blocked
These gif files are attached as part of the e-mail. Outlook Express only asks you if the e-mail links to external images, which could be used to track when the message is read.
strange image tag
<IMG alt="Mario" hspace=0
src="cid:000601c705bb$14cad990$00000000@dsy8egscgc2zh6" align=baseline
border=0>
No title
I found this spamassassin rule that looks promising:
http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200608.mbox/%3C20060803235540.3B87F1A981A@eris.apache.org%3E
No title
Why can't I use Outlook's Rule Wizard to create a filter which blocks mail with specified words in the body = src="cid:
I have tried this but they still get through.
No title
I keep getting an email about viagra and I tried to create a message rule in Outlook to block messages containing it, but I then figured out that it was an html image. I even set Outlook to block images but it still shows up. I get about one a day and I'd really like to know how to get rid of it, even if it's to make the email seem like it bounced back or was received in error.