spamassassin-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Karsten Br├Ąckelmann <guent...@rudersport.de>
Subject Re: spamc not scanning file, spamassassin command ok
Date Mon, 25 Oct 2010 17:47:12 GMT
> In case its of interested to the list, the spam in question gets very  
> high spamassassin rating of 15.3 but was passing by the scanner on the  
> size limit. The attachment is a JPG of 600k which is a scan of a scam  

600k JPEG? That'd be about 800k base64 encoded.

> letter about bank transfers etc with south africa. It does not seem to  
> contain any virus (shows as clean with Clam AV and Microsoft SE) so  
> inst blocked on this.
> Looks a bit like they stuck the JPG in just to get past this type of  
> spam scan size limit...

Frankly, I don't think it is deliberately to get past the threshold.

I've been observing a recent casino spam run, featuring an all-shiny
HTML message almost exclusively assembled by images. A few of them
exceeded my threshold. Most don't. Which makes it appear more like an
accidental evasion.

Regarding your specific sample -- well, honestly, I don't think the
average 419 scammer is even smart enough to worry about a threshold. Too
often they even screw up the copy-n-paste, not to mention all the
horrible, brain-hurting things I've seen reviewing the scam corpus.


-- 
char *t="\10pse\0r\0dtu\0.@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
}}}


Mime
View raw message