
Spam with PNG attachments

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: http://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6670
Printed Date: 16 October 2017 at 8:32pm


Topic: Spam with PNG attachments
Posted By: __M__
Subject: Spam with PNG attachments
Date Posted: 13 May 2009 at 8:22am
Hi everyone, has anyone noticed an increase in the number of spam messages with a .png attachment? Seems there is a trend to deliver spam in the same way as they did with .pdf a while ago.

Anyone have a technique to reduce the PNG spam that is getting through SFI?



Replies:
Posted By: mohr
Date Posted: 15 May 2009 at 11:09am
Yes, I have noticed this as well. I have tried to put a RegEx expression in the "attachments" black list to filter out .png, but I haven't found the proper syntax. The RegEx test says that ".png" (w/o the quotes) is found and that it should be placed in parentheses. This would make the expression "(.png)" (again w/o quotes), but it has just proven not to work either... still researching how to write a RegEx for SF... (sigh).


Posted By: mohr
Date Posted: 15 May 2009 at 11:16am
Currently trying:

(.*\.png)

fingers crossed.


Posted By: mohr
Date Posted: 15 May 2009 at 11:26am
Hmm.....I stand corrected.  (.png) does appear to work according to my logfiles.
We'll see about (.*\.png) ......


Posted By: mohr
Date Posted: 15 May 2009 at 12:45pm
yep (.*\.png) works as well!!!

Happy Hunting!


Posted By: Desperado
Date Posted: 15 May 2009 at 4:02pm
Problem with this is .png is a very valid format and we email our graphs back and forth using png so you really may get some unwanted blocking.

-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com



Posted By: LogSat
Date Posted: 15 May 2009 at 4:02pm
We're working to try stopping this wave of spam with either a new filter or a reliable RegEx expression.

The base keyword expression we're working with is:

Content-Transfer-Encoding: base64,Content-Disposition: inline,Content-Type: image/png

However, that is stopping a bit more legitimate emails than we'd like and we are trying to tweak it. It is, however, more reliable than stopping all the .png inline attachments by just having the (.*\.png).


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: yapadu
Date Posted: 19 May 2009 at 6:00am
Just to confirm that we are also seeing an increased amount of this type of SPAM.  Interesting though, most of the messages appear to be blank, only the inline png image.

I don't understand why the blank email option is not kicking in, I thought it used to be a configurable option but I don't see it anywhere that can be configured on a per domain level.


Posted By: WebGuyz
Date Posted: 19 May 2009 at 10:34am
Originally posted by LogSat:

We're working to try stopping this wave of spam with either a new filter or a reliable RegEx expression.

The base keyword expression we're working with is:

Content-Transfer-Encoding: base64,Content-Disposition: inline,Content-Type: image/png


 
I have this exact line and it's not stopping the spam. Just got one myself today and verified that all 3 phrases are in the email, but it didn't stop it. Got a few more over the weekend as well from some customers. Is there some setting in the ini that I might not have set that would allow it to work on the format of the message, not just the text body?


-------------
http://www.webguyz.net


Posted By: LogSat
Date Posted: 20 May 2009 at 4:48pm
Webguyz,

Can you try changing the following setting in the SpamFilter.ini file to 1:

ScanReceivedHeaders=1


-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: WebGuyz
Date Posted: 20 May 2009 at 5:28pm
Was already set to 1 [Confused]

-------------
http://www.webguyz.net


Posted By: __M__
Date Posted: 20 May 2009 at 9:00pm
I have the same problem as WebGuyz and have confirmed that the ScanReceivedHeaders=1 setting is in my .ini file too.


Posted By: __M__
Date Posted: 02 June 2009 at 11:07pm
Has anyone made any progress on this?


Posted By: LogSat
Date Posted: 03 June 2009 at 4:55am
We've pre-released SpamFilter v4.1.2.811 in the registered user area, and this version supports a variation in the keyword blacklist options that is helping in catching this spam. That release, along with the following keyword:

Content,(content-transfer-encoding: base64),(content-disposition: inline),((content-type: image/png)|(content-type: image/jpg)),((text/plain)|(text/html))::NEGATE

is helping in stopping this category of spam.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP


Posted By: yapadu
Date Posted: 04 June 2009 at 1:42am
Originally posted by LogSat:


Content,(content-transfer-encoding: base64),(content-disposition: inline),((content-type: image/png)|(content-type: image/jpg)),((text/plain)|(text/html))::NEGATE


Wow, big one. Let me try and break it down.

Content - A plain keyword, not a regex, as per documentation some word (any word) is required. In this case you use the word content as it will be in all email messages.

content-transfer-encoding: base64 - Must contain this phrase
content-disposition: inline - Must contain this phrase
(content-type: image/png)|(content-type: image/jpg) - Either of these
((text/plain)|(text/html))::NEGATE - Message must not be text/plain or text/html?

The NEGATE affects only the last REGEX?


Posted By: LogSat
Date Posted: 04 June 2009 at 2:21am
We modified this last build of SpamFilter to support a couple of features.
The first one is that you can't use RegEx (at least we haven't figured out a way to do it ourselves...) to specify a keyword that will look for the presence of two different words. For example, we can use RegEx to look for either DOG or CAT, or we can use RegEx to look for the word DOG followed by the word CAT, or to look for the word CAT followed by the word DOG. But for the life of us we could not find a RegEx expression that looked for the presence of both words, in any order, in the text (other than looking for "DOG followed by CAT or CAT followed by DOG" - something like (DOG.*CAT)|(CAT.*DOG)). This latter expression would be rather complex when looking for the presence of 4 items as we'd have to spell out every single possibility.

So we added an option to be able to specify multiple RegEx expressions on a single line separated by commas. This allows us to look for the presence of *all* the RegEx expressions, thus allowing us to use an AND with RegEx. The only trick here is that, in order to be compatible with all current keyword expressions, when using this format we must specify a "normal" non-RegEx keyword to appear first in the list. All this digression to explain why we need the "Content" keyword to appear first in the list.

The new ::NEGATE option applies only to the specific keyword entry it follows, so here it only applies to the ((text/plain)|(text/html)) - neither of these must be present for the entry to match.

-------------
Roberto Franceschetti

http://www.logsat.com - LogSat Software

http://www.logsat.com/sfi-spam-filter.asp - Spam Filter ISP
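
The matching semantics described in the last reply (a plain keyword first, then comma-separated RegEx terms that must all match, with ::NEGATE applying only to the term it follows), modelled as an added example. This is not LogSat's code: parse_rule, rule_matches, the case-insensitive matching, the no-commas-inside-terms assumption and both sample messages are constructed for illustration.

```python
import re

# Rule text copied from the thread (keyword format of SpamFilter v4.1.2.811).
RULE = ("Content,(content-transfer-encoding: base64),(content-disposition: inline),"
        "((content-type: image/png)|(content-type: image/jpg)),"
        "((text/plain)|(text/html))::NEGATE")


def parse_rule(line):
    """Return (plain keyword, [(compiled regex, negate), ...])."""
    # Assumptions: no term contains a comma; matching is case-insensitive.
    keyword, *terms = line.split(",")
    parsed = []
    for term in terms:
        negate = term.endswith("::NEGATE")
        if negate:
            term = term[:-len("::NEGATE")]
        parsed.append((re.compile(term, re.IGNORECASE), negate))
    return keyword, parsed


def rule_matches(line, raw_message):
    """AND of all terms: plain terms must be found, negated terms must not."""
    keyword, terms = parse_rule(line)
    if keyword.lower() not in raw_message.lower():
        return False
    return all((rx.search(raw_message) is None) == neg for rx, neg in terms)


# Constructed sample messages (not taken from the thread).
IMAGE_ONLY = (
    'Subject: hi\r\n'
    'Content-Type: image/png; name="a.png"\r\n'
    'Content-Transfer-Encoding: base64\r\n'
    'Content-Disposition: inline; filename="a.png"\r\n\r\n'
    'iVBORw0KGgo=\r\n'
)
GRAPH_MAIL = (
    'Subject: weekly graph\r\n'
    'Content-Type: multipart/mixed; boundary="b"\r\n\r\n'
    '--b\r\nContent-Type: text/plain\r\n\r\nGraph attached.\r\n'
    '--b\r\nContent-Type: image/png; name="graph.png"\r\n'
    'Content-Transfer-Encoding: base64\r\n'
    'Content-Disposition: inline; filename="graph.png"\r\n\r\n'
    'iVBORw0KGgo=\r\n--b--\r\n'
)

if __name__ == "__main__":
    print(rule_matches(RULE, IMAGE_ONLY), rule_matches(RULE, GRAPH_MAIL))
```

The second message, a text part plus an inline PNG like the graphs mentioned earlier in the thread, is left alone by the rule, whereas a single (.*\.png) term matches both messages.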


