SPAM with images (and some junk text)
|
Logged in as: Guest
|
|
Users viewing this topic:
none
|
|
Login  | |
|
SPAM with images (and some junk text) - 24.Jul.2006 10:42:32 AM
|
|
|
petertodd
Posts: 18
Joined: 29.Dec.2004
From: North Carolina
Status: offline
|
I'm getting a lot of spam that's for junk bonds. The emails have primarily on image containing some dribble about break away stock and then some junk text. Enough text to get around the remote image check. None of the other checks seem to catch this stuff.
Can I submit some of these for GFI to review?
|
|
|
|
RE: SPAM with images (and some junk text) - 25.Jul.2006 5:01:47 AM
|
|
|
Mark Busuttil
Posts: 4836
Joined: 16.Oct.2005
Status: offline
|
You are able to change the maximum amount of characters an email with a remote image (and embedded image if checkallimages registry value is enabled) can have to be detected as spam by changin the following registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\config\remoteimagebodysize
Thank You!
_____________________________
Regards,
Mark Busuttil
GFI Software Ltd - www.gfi.com
Messaging, Content Security & Network Security Software
GFI: MailEssentials - MailSecurity - MailArchiver - FAXmaker - LANguard – WebMonitor
|
|
|
|
|
RE: SPAM with images (and some junk text) - 31.Jul.2006 9:00:30 AM
|
|
|
MobiusYuger
Posts: 20
Joined: 5.May2005
From: Columbus, OH
Status: offline
|
Do I need to restart GFI after chaning this registry value?
Thanks!
|
|
|
|
|
RE: SPAM with images (and some junk text) - 31.Jul.2006 9:56:50 AM
|
|
|
tomko
Posts: 18
Joined: 23.Jan.2006
Status: offline
|
Mark,
Can you elaborate on this please?
I have the default registry setting of 512 characters...
I copied the text of one of these emails that got through into Word and the word count was 589 characters (654 with spaces).
So would I want to increase the reg value to say 1024 so that this email would have been checked and blocked?
Thanks.
|
|
|
|
|
RE: SPAM with images (and some junk text) - 31.Jul.2006 3:19:47 PM
|
|
|
MobiusYuger
Posts: 20
Joined: 5.May2005
From: Columbus, OH
Status: offline
|
Mark,
I just realized my situation is a little different...my users are getting hundreds of spam emails with attached images (not remote) embedded in the HTML and a slew of random text after the image. I've tried feeding the bayesian filter hundreds of these but i don't think it will work since the words are so random!! I tried attachment blocking at the gateway but the images files are named different each time (image01.gif, vommit.gif, cannot.gif, etc.). IP Blacklisting doesn't work since it comes from varing IPs/hosts each time. Registry setting HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\config\checkforallimages = 1 is enabled.
I don't believe the remote images check works on this right? What do you suggest?
Thanks,
Helios
< Message edited by MobiusYuger -- 31.Jul.2006 3:24:40 PM >
|
|
|
|
|
RE: SPAM with images (and some junk text) - 1.Aug.2006 5:29:54 AM
|
|
|
mwaddell
Posts: 5
Joined: 1.Aug.2006
From: England
Status: offline
|
I too am getting a lot of these emails, they have an embedded image with a load of random words. Currently the word count is over 200 and the number of characters including spaces is over 1500.
How would you recommend that these get blocked, what registery changes are needed?
Thanks
|
|
|
|
|
RE: SPAM with images (and some junk text) - 1.Aug.2006 1:56:21 PM
|
|
|
randybw1
Posts: 10
Joined: 12.Feb.2005
From: Fort Worth, TX
Status: offline
|
Getting these as well. Embedded gif files, random names. Nothing picks them up.
|
|
|
|
|
RE: SPAM with images (and some junk text) - 2.Aug.2006 3:23:30 AM
|
|
|
Soren.Fors
Posts: 39
Joined: 26.Jan.2004
From: Sweden
Status: offline
|
Same here in Sweden. Mails with no text and an attached GIF-file.
How can we get rid of this mails?
/Soren
|
|
|
|
|
RE: SPAM with images (and some junk text) - 2.Aug.2006 9:14:16 AM
|
|
|
Mark Busuttil
Posts: 4836
Joined: 16.Oct.2005
Status: offline
|
You are able to increase the the maximum amount of characters an email with a remote image (and embedded image if checkallimages registry value is enabled) can have to be detected as spam.
You can change this value within the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\config\remoteimagebodysize
Thank You!
_____________________________
Regards,
Mark Busuttil
GFI Software Ltd - www.gfi.com
Messaging, Content Security & Network Security Software
GFI: MailEssentials - MailSecurity - MailArchiver - FAXmaker - LANguard – WebMonitor
|
|
|
|
|
RE: SPAM with images (and some junk text) - 2.Aug.2006 1:09:00 PM
|
|
|
gpinson
Posts: 214
Joined: 2.Sep.2003
From: Denver, CO
Status: offline
|
Mark, I have seen a couple of references to the checkallimages registry, but no real detail on it, even after a search, could you please go into a little more detail on this particular registry item?
|
|
|
|
|
RE: SPAM with images (and some junk text) - 2.Aug.2006 2:28:19 PM
|
|
|
tomko
Posts: 18
Joined: 23.Jan.2006
Status: offline
|
Mark - you pretty much cut and pasted the same answer when we wanted clarification...
Please answer the following...
If remoteimagebodysize is set to 512 and an email with remote image comes through with 511 characters what happens? What happens if the email has 513 characters?
Also are blank spaces counted as characters?
Thanks again.
|
|
|
|
|
RE: SPAM with images (and some junk text) - 2.Aug.2006 4:14:53 PM
|
|
|
justinr
Posts: 129
Joined: 6.Mar.2006
From: New York, NY
Status: offline
|
for what it's worth, we're getting these, too.
on the bright side, most are caught by dnsbl.
we're using these:
relays.ordb.org
list.dsbl.org
dnsbl.njabl.org
sbl-xbl.spamhaus.org
bl.spamcop.net
..the remainder are being picked up by bayesian.
a couple get through, but i'd venture around 98% of these are caught.
|
|
|
|
|
RE: SPAM with images (and some junk text) - 3.Aug.2006 10:24:35 AM
|
|
|
MobiusYuger
Posts: 20
Joined: 5.May2005
From: Columbus, OH
Status: offline
|
Mark,
I think the problem with these emails is that they don't contain remote images...the GIFs are embedded/attached. Therefore I'm not quite sure the remote images check is effective or valid. The text is so random and varied that I'm not sure the Bayesian filter is that effective: the text has nothing to do with the spam itself. Everything the spam is trying to convey is in the image and there are no hyperlinks. I'm afraid that if i keep feeding these messages to the bayesian trainer my spam filter will start blocking emails with everyday words.
Please advise.
Thanks!
quote:
ORIGINAL: Mark Busuttil
You are able to increase the the maximum amount of characters an email with a remote image (and embedded image if checkallimages registry value is enabled) can have to be detected as spam.
You can change this value within the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\config\remoteimagebodysize
Thank You!
|
|
|
|
|
RE: SPAM with images (and some junk text) - 7.Aug.2006 7:37:00 AM
|
|
|
Nicks
Posts: 2741
Joined: 17.Mar.2003
Status: offline
|
Hi all,
I'll start by giving a short explanation on how the following registry keys work in relation to the "Check if email contains remote images only" feature. This feature is intended to block emails which have the spam message written in an image. The image is normally loaded directly from the spammers site. Normally these type of emails will only have a small ammount of text
At [HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\config\], we find the following 2 DWORD values:
remoteimagebodysize : This registry value have the maximum ammount of characters which need to be found in an email. If there is less characters then what is specified in this value, and the message contains a remote image, the email is blocked. The default value is 512 characters.
checkforallimages : This registry value can be either 0 (disabled) or 1 (enabled). If the registry value does not exist, the value is assumed to be disabled. When this value is enabled, the functionality of the "Check if email contains remote images only" feature will be extended so that it also blocks emails which have an embedded image. These images are not loaded from the internet, but they are attached to the email, and loaded in the message body.
Therefore, if you enable checkforallimages, you should be able to block the spam emails discussed in this post. You may also need to alter the remoteimagebodysize so as to start blocking more emails.
NOTES: - Some email clients like Outlook or Outlook express allow you to alter the background of the message body. These emails will be blocked if checkforallimages is enabled.
- Some users make use of a small image in the signature. This signature is sometimes loaded in the message body as a remote image, and othertimes, it is embedded in the message body. These emails will also be blocked.
Luckily most legitiamate emails will have more then 512 characters, therefore even if they have remote images or embedded images, they will normally not be blocked.
Let us know how it goes.
---EDIT---
Small change in the name of the registry value. The registry value is already created, therefore the mistake may have gone unnoticed. The correct registry value is checkforallimages, which is enabled by default in the latest builds of MailEssentials.
< Message edited by Nicks -- 24.Aug.2006 4:35:16 AM >
_____________________________
Nicholas Sciberras
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software
|
|
|
|
|
RE: SPAM with images (and some junk text) - 7.Aug.2006 9:27:11 AM
|
|
|
justinr
Posts: 129
Joined: 6.Mar.2006
From: New York, NY
Status: offline
|
quote:
ORIGINAL: Nicks
checkallimages : This registry value can be either 0 (disabled) or 1 (enabled). If the registry value does not exist, the value is assumed to be disabled. When this value is enabled, the functionality of the "Check if email contains remote images only" feature will be extended so that it also blocks emails which have an embedded image. These images are not loaded from the internet, but they are attached to the email, and loaded in the message body.
i went to double-check my registry, and i appear to have an entry for 'checkforallimages' already enabled. note the spelling there. i've only used ME12 on this machine, and never modified anything other than the 'debug' registry entry.
any thoughts on where this came from?
< Message edited by justinr -- 7.Aug.2006 9:36:37 AM >
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
|
Printable Version
