Spam Filter ISP Support Forum

Blocking img src=cid messages

gbrayut | Newbie | Joined: 17 May 2006 | Location: United States | Posted: 13 June 2006 at 3:37pm
I had a problem with these types of messages before, and I was able to remove a lot of them by detecting a pattern in the HTML (i.e. DIV contains Font style and IMG tag...).

Here is an example of the regex I used

((?i)div[<>]+font\sface=3DArial\ssize=3D2[<>]+img\salt=3D""\shspace=3D0=20\s+src=3D"cid\:00)

The emails in particular had a common pattern of tags, and the cid always started with 00. If you view the source of the email you may be able to pick up on this type of pattern.
--
Greg Bray
IT Manager
OQ Measures LLC

MartinC | Newbie | Joined: 29 July 2005 | Posted: 14 June 2006 at 5:14am
That's interesting, Greg...

so just going for the first line of html before the cid information...

like this one I just got with <DIV><FONT face=Arial size=2><IMG alt="" hspace=0 then a new line and starts
src=cid:....

I've seen people with Thunderbird doing a src=cid now with a business card attachment, so you do have to be a bit careful.

the big flaw to us talking about this is that we are No1 on Google searching for "blocking src=cid". :)

Ray | Guest Group | Posted: 08 July 2006 at 9:25am
I think the spammers have programmed MS Office into being an automated spam generator. These messages seem to be created by converting text into a .gif file that is split into smaller .gif files and re-assembled in MS Word.

When you view the email html you don't see the attached document or images, only cid: references to the original document.

If Word is the default mail editor in Outlook, you can click reply and are then able to select the individual image elements. If you copy the entire document (ctrl-a, ctrl-c) you can paste it into MS FrontPage and see the original html produced by Word. The images are embedded in the original Word document and referenced by Outlook as src=cid: So you never see the original message in Outlook. Surprisingly, Outlook does not indicate that the message/images are actually an attachment. Also, Outlook's filters do not seem to look at the html, so you can't filter the src=cid.

Unless someone knows of a MS solution, it appears that a third party program will have to be used by Outlook users.


MokiTheGeek | Newbie | Joined: 29 June 2006 | Location: United States | Posted: 10 July 2006 at 1:39pm
I was using the following RegEx that was working great but found too many newsletters and community sites that triggered false positives by including embedded images within their mail.

Found several SPAM that tried to get through by breaking up the parts of the IMG tag so I made it look for many characters as long as it didn't run into the start of another tag.

Use it if you like:
(<img\x20)(.*?)(cid:[^<]*)(>)
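
Added example (not part of any post in this thread, and not LogSat's code): a Python harness that runs the two patterns posted above against constructed messages. It shows that gbrayut's pattern applies to the raw quoted-printable source, while MokiTheGeek's applies to the decoded HTML and also flags a legitimate newsletter with an embedded logo. The sample messages, the name check and the regex flags are assumptions; the thread does not say which flags the filter's regex engine applies.

```python
import re
from email import message_from_string

# gbrayut's pattern, written for the raw quoted-printable source ("=3D" is an
# encoded "="). The inline (?i) is moved to re.I, since Python only accepts a
# global flag at the start of a pattern.
GBRAYUT = re.compile(r'(div[<>]+font\sface=3DArial\ssize=3D2[<>]+img\salt=3D""'
                     r'\shspace=3D0=20\s+src=3D"cid\:00)', re.I)
# MokiTheGeek's pattern, for decoded HTML. re.I and re.S are assumptions: the
# tag in the sample breaks across lines, and "." needs re.S to cross a newline.
MOKI = re.compile(r'(<img\x20)(.*?)(cid:[^<]*)(>)', re.I | re.S)

HEADERS = "MIME-Version: 1.0\nContent-Type: text/html; charset=iso-8859-1\n"

# Constructed sample shaped like the tag run MartinC quotes (image parts omitted).
SPAM = (HEADERS + "Content-Transfer-Encoding: quoted-printable\n\n"
        '<DIV><FONT face=3DArial size=3D2><IMG alt=3D"" hspace=3D0=20\n'
        'src=3D"cid:000a01c68f1e$1" align=3Dbaseline border=3D0></FONT></DIV>\n')

# Constructed legitimate newsletter with one embedded logo.
NEWSLETTER = (HEADERS + "Content-Transfer-Encoding: 7bit\n\n"
              "<p>Monthly news, with plenty of readable text.</p>\n"
              '<img src="cid:logo@news.example" alt="Logo">\n')

def check(raw_source):
    """Return (raw_hit, decoded_hit) for one message given as a string."""
    raw_hit = bool(GBRAYUT.search(raw_source))
    decoded_hit = False
    for part in message_from_string(raw_source).walk():
        if part.get_content_type() == "text/html":
            # decode=True undoes the quoted-printable transfer encoding
            html = part.get_payload(decode=True).decode("latin-1")
            decoded_hit = decoded_hit or bool(MOKI.search(html))
    return raw_hit, decoded_hit

if __name__ == "__main__":
    for name, msg in (("spam", SPAM), ("newsletter", NEWSLETTER)):
        print(name, check(msg))
```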
Copyright © 2002-2016 LogSat Software LLC - Sales: sales@LogSat.com