
 

RE: SPAM with images (and some junk text)

 
RE: SPAM with images (and some junk text) - 17.Nov.2006 12:35:38 PM   
shorelinetrading

 

Posts: 5
Joined: 17.Nov.2006
Status: offline
Check out this thread I just posted: http://forums.gfi.com/My_Working_Anti-spam_Configuration_for_GFI/m_900740697/tm.htm.  It may be of some help to those posting in this thread.  This configuration has been working well for us, and our spam level is 82% of messages received.

Using a hybrid combo of blacklists, module priority and smart keywords, you can get this down to a reasonable level.

Spam sucks. 

_____________________________

-Michael Waldron
IT Director

(in reply to justinr)
Post #: 151
RE: SPAM with images (and some junk text) - 17.Nov.2006 3:56:54 PM   
Mhuijgen

 

Posts: 41
Joined: 4.Aug.2005
From: Rotterdam
Status: offline
For your information: http://www.newscientisttech.com/article/dn10605-inboxes-drowning-in-image-spam.html

I agree GFI ME has remained the same, BUT nowadays an antispamsoftwaremaker (300 scrabble points) has to keep up with spammers. You could say that whereas the zero-line used to be linear, it is now exponential: you have to improve your product at a certain rate to stay at the same level.

(in reply to shorelinetrading)
Post #: 152
RE: SPAM with images (and some junk text) - 17.Nov.2006 7:05:21 PM   
justinr

 

Posts: 129
Joined: 6.Mar.2006
From: New York, NY
Status: offline
relevant slashdot article related to this: http://it.slashdot.org/article.pl?sid=06/11/17/1415244

70,000+ zombies sending stock spam; so far, our gfi setup is holding back the flood fairly well.

(in reply to Mhuijgen)
Post #: 153
RE: SPAM with images (and some junk text) - 20.Nov.2006 9:54:05 AM   
pbateman

 

Posts: 11
Joined: 13.Nov.2006
Status: offline
I'm still waiting for an official solution to the problem.

This started in August and it is now late November. 

This is unacceptable.

(in reply to justinr)
Post #: 154
RE: SPAM with images (and some junk text) - 20.Nov.2006 10:49:59 AM   
Patrizia

 

Posts: 8474
Joined: 18.Aug.2003
From: Malta
Status: offline
Please note the availability of a patch in response to recent trends being adopted by spammers. This patch should help to combat the on-going wave of image spam.

It can be downloaded from:  ftp://ftp.gfisoftware.com/patches/ME12_PATCH_20061107_01.zip

Installation instructions and further details are found in the readme.txt.


Notes:


  1. Whilst our tests have proved that this patch does help against image spam we do not exclude the possibility that there may be some false positives.
    It is therefore recommended that you set the action for the Header Checking module to 'Move to subfolder of user's mailbox' so the end-user can analyze this folder and identify any e-mails that have been incorrectly marked as SPAM.
  2. We also suggest that you use this patch in conjunction with the autowhitelist feature of GFI MailEssentials, in order to reduce the chances of a false positive.
  3. Mails will only be blocked if the email contains less than a certain amount of characters. The default is 512. Further information on how to change this can be found at: http://kbase.gfi.com/showarticle.asp?id=KBID001797


Furthermore, some of our partners have found the following DNSRBL lists to be effective in catching such image spam, so you may want to consider adding a maximum of two of these to help in reducing them:

dnsbl.sorbs.net   (recommended)
dnsbl.ahbl.org
dnsbl.tqmcube.com
l2.spews.dnsbl.sorbs.net   (www.spews.org)

It is important that you enable no more than 3 lists at one go, otherwise you risk a slow down of mail flow.



_____________________________

Patrizia Caruana
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

(in reply to pbateman)
Post #: 155
RE: SPAM with images (and some junk text) - 20.Nov.2006 2:58:15 PM   
bhamren

 

Posts: 36
Joined: 28.Jul.2005
From: Sidney, OH
Status: offline
Patrizia,

Can you expound on the dnsbl entries?

Here is the list of the 7 dnsbl entries I use and the number of spam each one caught in the past 3 months. Can you recommend changes to what I have? Is there a FAQ section on this?

Thanks







bl.spamcop.net           2777
dnsbl.njabl.org           608
list.dsbl.org            3651
relays.ordb.org          8741
sbl.spamhaus.org          925
sbl-xbl.spamhaus.org       28
xbl.spamhaus.org        17779
Grand Total             34509

(in reply to Patrizia)
Post #: 156
RE: SPAM with images (and some junk text) - 21.Nov.2006 5:50:25 AM   
Jim

 

Posts: 7
Joined: 10.Aug.2006
Status: offline
Finally! Hope this patch does get the job done.

Though I have one question: those image spams usually contain 2000-2500 random words. Do I have to set the registry higher than 2000 or 2500 to catch those?

bhamren:
You don't need to enable sbl.spamhaus.org and xbl.spamhaus.org if you have enabled sbl-xbl.spamhaus.org.

< Message edited by Jim -- 21.Nov.2006 5:58:30 AM >

(in reply to bhamren)
Post #: 157
RE: SPAM with images (and some junk text) - 21.Nov.2006 10:45:06 AM   
Nicks

 

Posts: 2741
Joined: 17.Mar.2003
Status: offline
Hi all,

The DNS blacklists are quite difficult to document because:
  1. They are maintained by 3rd parties
  2. They seem to affect emails differently depending on the country. E.g. if you receive a lot of emails (and spam) from the Eastern countries, you may be better off using a specific DNS RBL. However, we currently do not have enough data to provide exact information on this, apart from the fact that the information can change.
Ultimately, you will need to find the best match for your organisation. I also confirm what Jim said - sbl-xbl.spamhaus.org has information from both sbl.spamhaus.org and xbl.spamhaus.org, therefore you just need to add sbl-xbl.spamhaus.org.


Jim,
The new image check feature implemented in the patch does NOT make use of the "remoteimagebodysize" registry value. It will just check the properties of the image to determine if the message could be coming from a spammer. So now, when you enable "Check if email contains remote images only", you will be enabling both the old image check and the new image check.

_____________________________

Nicholas Sciberras
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

(in reply to Jim)
Post #: 158
RE: SPAM with images (and some junk text) - 21.Nov.2006 10:50:30 AM   
justinr

 

Posts: 129
Joined: 6.Mar.2006
From: New York, NY
Status: offline
quote:

ORIGINAL: Nicks
The new image check feature implemented in the patch does NOT make use of the "remoteimagebodysize" registry value. It will just check the properties of the image to determine if the message could be coming from a spammer.


is this correct? when i received the patch, i was instructed to modify the registry value to 2000. just want a little verification which is accurate; i'd like to reset the value back to the default, if possible.

(in reply to Nicks)
Post #: 159
RE: SPAM with images (and some junk text) - 21.Nov.2006 2:59:09 PM   
Mhuijgen

 

Posts: 41
Joined: 4.Aug.2005
From: Rotterdam
Status: offline
Hi all. Reverted to GFI today :)

I have one question: if I have six blacklists enabled (yeah yeah I know that's too many), and the third blacklist responds positively (as in: this is spam), will ME still check the remaining three lists? It wouldn't be necessary because now you know it's spam.

Also, does ME cache blacklist results? This would speed up mail flow significantly. If it does, can we (perhaps per a reg setting) customize the caching time?

< Message edited by Mhuijgen -- 21.Nov.2006 3:02:13 PM >

(in reply to justinr)
Post #: 160
RE: SPAM with images (and some junk text) - 22.Nov.2006 3:33:07 AM   
Patrizia

 

Posts: 8474
Joined: 18.Aug.2003
From: Malta
Status: offline
Mhuijgen,

If one blacklist replies positively, then no further tests will be done by the other blacklists.

GFI MailEssentials caches blacklist results for 4 days. Is there any particular reason why you would like to alter this?

_____________________________

Patrizia Caruana
GFI Software - www.gfi.com
Messaging, Content Security & Network Security Software

(in reply to Mhuijgen)
Post #: 161
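
The lookup behaviour described in post #161 (stop at the first list that answers positively, keep the result for four days), as an added sketch in Python that is not GFI MailEssentials code or part of the original thread. The class and function names, the injected resolver and clock, the `.example` zones and the choice to cache negative results as well are assumptions made for illustration; IPv4 only.

```python
import socket
import time

CACHE_TTL = 4 * 24 * 3600  # four days, the figure given in the post above


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets, then the list zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone


def dns_resolver(name):
    """Return the A record for name, or None when the name does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


class DnsblChecker:
    def __init__(self, zones, resolver=dns_resolver, clock=time.time):
        self.zones = list(zones)
        self.resolver = resolver
        self.clock = clock
        self.cache = {}    # ip -> (expires_at, listing zone or None)
        self.lookups = 0   # DNS queries actually sent

    def check(self, ip):
        """Return the first zone that lists ip, or None if no zone does."""
        now = self.clock()
        hit = self.cache.get(ip)
        if hit and hit[0] > now:
            return hit[1]  # still fresh: no DNS traffic at all
        verdict = None
        for zone in self.zones:
            self.lookups += 1
            answer = self.resolver(dnsbl_query_name(ip, zone))
            # A listing is signalled by an answer in 127.0.0.0/8.
            if answer and answer.startswith("127."):
                verdict = zone
                break  # first positive wins; remaining zones are skipped
        self.cache[ip] = (now + CACHE_TTL, verdict)
        return verdict


# Constructed sample data: a fake resolver so the example runs offline.
FAKE_LISTINGS = {"2.2.0.192.list-b.example": "127.0.0.2"}


def fake_resolver(name):
    return FAKE_LISTINGS.get(name)
```

An address that no list knows costs one DNS round trip per configured zone before it is cached, which is the slowdown the earlier advice about limiting the number of lists refers to.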
RE: SPAM with images (and some junk text) - 22.Nov.2006 4:47:48 AM   
Mhuijgen

 

Posts: 41
Joined: 4.Aug.2005
From: Rotterdam
Status: offline
No particular reason. I guess the same reason I like to see if I can have my microwave oven have the text "Feed me!" scroll in its clock display :P

Four days sounds reasonable to me.

However we do business to business and I can imagine that if you do business with private persons instead of other businesses your whitelist is out of date faster and you want your blacklists to rotate faster because you'd get a lot of e-mail from new addresses.

Oh yeah, I forgot to ask. What exactly does that infamous patch do? I mean in technical terms. I know it "improves GFI ME" and that it "filters picture stock spam" and such, but how does it go about doing that?

< Message edited by Mhuijgen -- 22.Nov.2006 4:50:50 AM >

(in reply to Patrizia)
Post #: 162
RE: SPAM with images (and some junk text) - 22.Nov.2006 8:40:55 AM   
justinr

 

Posts: 129
Joined: 6.Mar.2006
From: New York, NY
Status: offline
quote:

ORIGINAL: Mhuijgen
What exactly does that infamous patch do? I mean in technical terms. I know it "improves GFI ME" and that it "filters picture stock spam" and such, but how does it go about doing that?


i've been wondering the same thing. not that i'm complaining, but a little more detail on how it's deciding what's spam would be nice.

fwiw: it appears to miss a lot of the newer generation 'stock' image spam, specifically the ones with animated gifs and/or anti-ocr flecks in the background, but it's still catching them as 'remote images' -- just not tagging them with 'newimagecheck'.

(in reply to Mhuijgen)
Post #: 163
RE: SPAM with images (and some junk text) - 22.Nov.2006 1:19:44 PM   
Ceth Eslick

 

Posts: 26
Joined: 2.Nov.2003
Status: offline
Spamhaus has added a new address for their combined dnsbl.  It is:
zen.spamhaus.org

It adds their new pbl block list, which won't be active until December.  According to their page, the xbl-sbl address will go away sometime in the future, so it's in everybody's best interest to switch to the new address.




(in reply to justinr)
Post #: 164
RE: SPAM with images (and some junk text) - 22.Nov.2006 1:28:09 PM   
Mhuijgen

 

Posts: 41
Joined: 4.Aug.2005
From: Rotterdam
Status: offline
Which page is that? I can't find it on Spamhaus.org...

(in reply to Ceth Eslick)
Post #: 165