spamassassin-users mailing list archives

From "Bill Cole" <sausers-20150...@billmail.scconsult.com>
Subject Re: Ransom spam body is .jpg
Date Sat, 25 May 2019 07:24:59 GMT
On 24 May 2019, at 21:11, Chris Pollock wrote:

> This is the 2nd of these ransom spams I've received where the body of
> the message is a .jpg.
[...]
>  1.7 HTML_IMAGE_ONLY_08     BODY: HTML: images with 400-800 bytes of
>                             words
[...]
> I don't know if a rule exists for something like this or not.

The HTML_IMAGE_ONLY_* rules date back to when the tactic was mostly used for stock pump &
dump spams. For all of that time it has been unsafe to score them much higher than the 1-2
range because of the simple fact that people often share images with very little text via
email.

People have built SA plugins to do OCR on embedded images but they have not been maintained
or even developed to the point where they could be included in the SA distribution. My understanding
of the underlying reason for those efforts fizzling out is that the yield was too low to justify
the resource cost of OCR'ing every image. It is worth noting that P&D spam went through
an evolution similar to that which we've seen with extortion spam: polymorphic text ->
charset tricks -> pictures of text. There wasn't a next step for P&D spam, which isn't
entirely gone today but is no longer a significant fraction of uncaught spam. I believe this
implies good news for the extortion spam phenomenon, in that it has reached the point where
filter evasion tactics have become so extreme that they are evident to end users as a marker
of fraudulent spam whose content is to be ignored. That's a death sentence for any variety
of spam.

-- 
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
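As an added illustration (not SpamAssassin's code and not part of this thread), the Python script below approximates what the HTML_IMAGE_ONLY_* family measures: it parses a MIME message, counts `<img>` tags in the HTML part and the bytes of visible text around them, and maps that onto a rule-name bucket. Only HTML_IMAGE_ONLY_08 and its 400-800 byte range appear in the thread; the other cut points, the sibling bucket names, the helper names and the three sample messages are constructed assumptions. Fed an image-only extortion-style message and a friend's photo with a one-line note, both land in the same bucket, which is exactly the false-positive problem described above and the reason such rules cannot carry a high score on their own.

```python
"""Simplified image-only-body heuristic in the spirit of SpamAssassin's
HTML_IMAGE_ONLY_* rules (added illustration; not SpamAssassin's code)."""
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _HtmlStats(HTMLParser):
    """Collect visible text and count <img> tags in one HTML body."""

    def __init__(self):
        super().__init__()
        self.images = 0
        self.text_chunks = []
        self._skip = 0  # nesting depth inside <script>/<style>, whose text is invisible

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text_chunks.append(data)


def html_image_stats(raw_message: bytes) -> dict:
    """Image count and visible-text byte count summed over all text/html parts."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    images, text_bytes = 0, 0
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        parser = _HtmlStats()
        parser.feed(part.get_content())
        images += parser.images
        # Collapse whitespace so layout newlines do not count as "words".
        text = " ".join(" ".join(parser.text_chunks).split())
        text_bytes += len(text.encode("utf-8"))
    return {"images": images, "text_bytes": text_bytes}


# Constructed cut points: the _08 bucket (400-800 bytes) is the one quoted in
# the thread; the rest are an assumption that the family steps in 400-byte bands.
_CUTOFFS = (400, 800, 1200, 1600, 2000, 2400, 2800, 3200)


def image_only_bucket(raw_message: bytes):
    """Return the HTML_IMAGE_ONLY_NN bucket a message would fall into, or None
    when it has no HTML image or carries more than 3200 bytes of visible text."""
    stats = html_image_stats(raw_message)
    if stats["images"] == 0:
        return None
    for limit in _CUTOFFS:
        if stats["text_bytes"] < limit:
            return f"HTML_IMAGE_ONLY_{limit // 100:02d}"
    return None


def build_html_message(html: str) -> bytes:
    """Constructed sample: multipart/related with an HTML body and an inline 'JPEG'
    (the image bytes are a placeholder, not a real picture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content(html, subtype="html")
    msg.add_related(b"\xff\xd8 placeholder image bytes", maintype="image",
                    subtype="jpeg", cid="<img1>")
    return msg.as_bytes()


# Constructed samples: the extortion-style mail whose whole pitch is in the
# picture, a legitimate photo with a short note, and a text-heavy newsletter.
EXTORTION_STYLE = build_html_message(
    '<html><body><img src="cid:img1" width="600"><p>Read carefully.</p></body></html>')
PHOTO_FROM_FRIEND = build_html_message(
    '<html><body><p>Here is the photo from the trip, see you Sunday!</p>'
    '<img src="cid:img1"></body></html>')
LONG_NEWSLETTER = build_html_message(
    '<html><body><img src="cid:img1"><p>' + "word " * 700 + '</p></body></html>')

if __name__ == "__main__":
    for name, raw in (("extortion-style", EXTORTION_STYLE),
                      ("photo from friend", PHOTO_FROM_FRIEND),
                      ("long newsletter", LONG_NEWSLETTER)):
        print(f"{name:18s} {html_image_stats(raw)} -> {image_only_bucket(raw)}")
```

The first two samples both score as HTML_IMAGE_ONLY_04 with a single image and well under 400 bytes of text; nothing in the byte counts separates the scam from the holiday snapshot, so the rule can only ever be a weak signal that other rules must corroborate.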
