RE: SPAM with images (and some junk text)
RE: SPAM with images (and some junk text) - 7.Aug.2006 10:23:13 AM
randybw1
Posts: 10
Joined: 12.Feb.2005
From: Fort Worth, TX
Status: offline
I've tried the suggestions, nothing is stopping them. The image is an embedded GIF, the last word count I saw was 2671. Help.
RE: SPAM with images (and some junk text) - 7.Aug.2006 10:49:06 AM
bjriffel
Posts: 4
Joined: 7.Aug.2006
Status: offline
I don't think that GFI really knows what we are talking about. We are seeing spam messages with random words in the subject line, coming from random addresses and IP addresses. They have an attached .gif image pushing some stock and a couple of hundred words randomly generated and formatted to resemble sentences. If anybody is unsure as to what I'm talking about, I could forward you the messages. I'm getting at least 1 or 2 a day. And so are nearly every one of our users!!! Brandon
RE: SPAM with images (and some junk text) - 7.Aug.2006 11:15:54 AM
justinr
Posts: 129
Joined: 6.Mar.2006
From: New York, NY
Status: offline
i've collected a few of these that haven't been caught by anything. maybe this will help gfi find a solution? since i can't attach them to this message, you/gfi can download a zipped version: http://mail.pollackassociates.com/image_spam.zip
RE: SPAM with images (and some junk text) - 7.Aug.2006 9:02:45 PM
jerry
Posts: 9
Joined: 4.Apr.2006
Status: offline
Brandon, I agree. There are multiple threads regarding this same problem. I've sent GFI all of the troubleshooter info & example SPAM that they've requested in the various threads, but their internal communication seems rather poor & they have yet to post anything that shows that they understand the issue. By the way, the response I got from support was that I should set the SPF filter to high since most of the SPAM I'm seeing comes from spoofed addresses. It is true that this would probably significantly reduce the number of messages getting through. Unfortunately, we can't do this until SPF is more widely accepted because we miss too many valid messages from potential clients that don't have SPF records yet.
< Message edited by jerry -- 7.Aug.2006 9:05:54 PM >
RE: SPAM with images (and some junk text) - 8.Aug.2006 9:26:24 AM
bjriffel
Posts: 4
Joined: 7.Aug.2006
Status: offline
Here is my correspondence thus far, you'll have to start at the bottom and read your way up. I've also started forwarding ALL of these types of spam messages to support@gfi.com since it is obvious that they don't understand what our problem is. I guess whatever software they use for spam filtering works better than what we use. :)

Now, since obviously GFI isn't getting spam like this, I thought I would forward you the last say 6 that I've received. You can tell me if they are embedded or attached. I find it extremely hard to believe that you are not seeing these sort of messages yourselves. Mainly because it is obvious that YOUR CUSTOMERS ARE! Are you seriously telling us that blocking ALL imbedded images is the only solution? That would remove all background images, all signature images, all company newsletter images. THIS IS NOT A GOOD SOLUTION. Thank you for your help.

Brandon Riffel
Senior System Administrator

From: GFI Support [mailto:support@gfi.com]
Sent: Tuesday, August 08, 2006 2:29 AM
To: Riffel Brandon
Subject: RE: All Forums >> GFI MailEssentials for Exchange/SMTP >> SPAM with images (and some junk text) - Your posts [116784:292479]

Hi Reffel,

Thank you for your Mail,

Can you please clarify if the image is embedded within the email, or if it is attached to the email? By default, MailEssentials will check for embedded and remote images. The following registry key will be able to determine if embedded images are scanned or not:

HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\Config\checkforallimages

If this Registry key is set to 1, embedded images and remote are blocked. If this key is set to 0, then only remote images shall be blocked. Can you please send us a copy of the SPAM email in question in MSG or EML format for further analysis?

Thank you for your cooperation!

Regards,
Mark Busuttil - support@gfi.com

Check our knowledgebase for answers to most common questions: http://kbase.gfi.com
Register your software on http://register.gfi.com to receive important notifications & new license keys (if you qualify). Product registration is required to obtain product support.
Should you wish to forward any comments regarding the level of support you have received please email customerservice@gfi.com
GFI Software Ltd - www.gfi.com
Messaging, Content Security & Network Security Software
GFI: MailSecurity - FAXmaker - MailEssentials - LANguard

-----Original Message-----
From: "Riffel Brandon"
Received: 8/7/2006 4:41 PM
To: support@gfi.com
Subject: RE: All Forums >> GFI MailEssentials for Exchange/SMTP >> SPAM with images (and some junk text) - Your posts

Mark,

Below is the response that you gave to the problem of these stock spam messages. However, this is not a fix for the problem. These spam messages are not remote, as I thought you should have already known. They are attached images. Please post some sort of function option for us who are plagued by this sort of spam. Thank you.

Mark Busuttil
You are able to change the maximum amount of characters an email with a remote image (and embedded image if checkallimages registry value is enabled) can have to be detected as spam by changing the following registry value:

HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\config\remoteimagebodysize

Thank You!
< Message edited by bjriffel -- 8.Aug.2006 9:27:31 AM >
RE: SPAM with images (and some junk text) - 9.Aug.2006 9:26:10 AM
Mark Busuttil
Posts: 4836
Joined: 16.Oct.2005
Status: offline
We are currently investigating this issue, therefore it would be extremely helpful to us, if you are able to send us an original copy of the spam email which you have received in your inbox. It is important that this SPAM is not forwarded since we require the full message header of the email as it was read by MailEssentials. Simply attach these emails and send them to forums@gfi.com with reference to this thread. Thank you for your cooperation!
< Message edited by Mark Busuttil -- 9.Aug.2006 9:39:55 AM >
_____________________________
Regards, Mark Busuttil GFI Software Ltd - www.gfi.com Messaging, Content Security & Network Security Software GFI: MailEssentials - MailSecurity - MailArchiver - FAXmaker - LANguard – WebMonitor
RE: SPAM with images (and some junk text) - 10.Aug.2006 7:03:20 AM
Mark Busuttil
Posts: 4836
Joined: 16.Oct.2005
Status: offline
Currently, the best ways of fighting these types of SPAM emails are the following:

A. Check if email contains remote images only
a) Enable the header checking feature "Check if email contains remote images only"
b) Ensure that you have the following registry key set to 1, to ensure that you are able to block embedded images: at [HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\config\], the DWORD Value "checkallimages" must be set to 1
c) Generally, most of these SPAM emails contain 1500 - 2000 characters, therefore you must set the following registry DWORD value to 2000: at [HKEY_LOCAL_MACHINE\SOFTWARE\GFI\ME12\config\], the DWORD Value "remoteimagebodysize" must be set to 2000
Please Note:
1) Some email clients like Outlook or Outlook Express allow you to alter the background of the message body. These emails will be blocked if checkallimages is enabled.
2) Some users make use of a small image in the signature. This signature is sometimes loaded in the message body as a remote image, and other times, it is embedded in the message body. These emails will also be blocked.

B. Bayesian Filter
The text within the message body of these emails can be detected by the Bayesian Filter, if you constantly update the Bayesian Filter with these types of emails. You are able to update the Bayesian filter using the GFI AntiSPAM Public Folders, and placing multiple copies of these emails in question in the "this is spam" public folder.

C. DNS BlackList
We have attempted to check the IP addresses of the SMTP Servers contained in the Message Header of the emails you have sent us with our known DNS BlackLists, however none appear to be blacklisted. However, we would recommend you to also include the following DNS BlackList within the MailEssentials DNS BlackList Module:
a) Open the GFI MailEssentials Configuration
b) Anti Spam --> Right Click on the DNS BlackList --> Properties
c) Tick the DNS Black List "bl.spamcop.net"
d) Save and Exit the GFI MailEssentials Configuration

Thank You!
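Added example (not part of the thread and not GFI's code): a sketch of the image-plus-body-size rule from section A of the post above, run over constructed messages to show what it catches and what it blocks by mistake. The rule as coded (an image is present and the tag-stripped body text is no longer than the threshold), the function names, and the sample messages are assumptions; the two parameters mirror the "checkallimages" and "remoteimagebodysize" values.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

GIF = b"GIF89a" + b"\x00" * 32          # constructed placeholder bytes, not a real image
REMOTE_IMG = re.compile(r"<img[^>]+src=[\"']?https?://", re.I)
TAGS = re.compile(r"<[^>]+>")

def measure(raw):
    """Return (body_chars, embedded_images, remote_images) for a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    chars = embedded = remote = 0
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            embedded += 1                 # inline or attached image part
        elif part.get_content_maintype() == "text":
            text = part.get_content()
            remote += len(REMOTE_IMG.findall(text))
            chars += len(TAGS.sub("", text).strip())
    return chars, embedded, remote

def flagged(raw, check_all_images=True, body_size=2000):
    """Assumed rule: has a counted image AND body text no longer than body_size."""
    chars, embedded, remote = measure(raw)
    images = remote + (embedded if check_all_images else 0)
    return images > 0 and chars <= body_size

def sample(lines, embed_gif):
    """Constructed test message: `lines` lines of filler text, optional inline GIF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Re[4]:"
    body = "<html><body>\n" + "lorem ipsum dolor sit amet\n" * lines + "</body></html>"
    msg.set_content(body, subtype="html")
    if embed_gif:
        msg.add_related(GIF, maintype="image", subtype="gif", disposition="inline",
                        cid="<img1@example.invalid>", filename="earring.16.gif")
    return msg.as_bytes()

STOCK_SPAM = sample(70, True)       # 1889 chars of text + inline GIF
LONGER_SPAM = sample(100, True)     # 2699 chars of text + inline GIF
SIGNATURE_MAIL = sample(8, True)    # short legitimate note with a logo image
PLAIN_MAIL = sample(8, False)       # same note without any image

if __name__ == "__main__":
    for name in ("STOCK_SPAM", "LONGER_SPAM", "SIGNATURE_MAIL", "PLAIN_MAIL"):
        raw = globals()[name]
        print(name, measure(raw), flagged(raw), flagged(raw, check_all_images=False))
```

With the threshold at 2000, the short legitimate note with a logo is flagged while the longer-bodied image message is not, which is the trade-off the "Please Note" items and the 2671-character report earlier in the thread describe.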
RE: SPAM with images (and some junk text) - 10.Aug.2006 8:07:52 AM
Jim
Posts: 7
Joined: 10.Aug.2006
Status: offline
I attached the header of one of this type of spam at the bottom of this message. Those in italic are replaced for privacy. At first they put random words with the spam, but now they seem to put random "sentences" with the spam, which perhaps makes it harder to be detected as spam.

Microsoft Mail Internet Headers Version 2.0
Received: from fl-71-3-71-237.dyn.embarqhsd.net ([71.3.71.237])
    by (DN of my Exchange server) with Microsoft SMTPSVC(6.0.3790.1830);
    Tue, 8 Aug 2006 17:58:37 +0800
Received: from local (unknown [10.66.1.9])
    by duplicity.mightymitedoggear.com (Postfix) with ESMTP id B224496D67
    for <(my email address)>; Tue, 8 Aug 2006 06:56:18 +0500
Received: from lists.mysql.com (lists2.mysql.com [213.136.52.31])
    by 71.3.71.237 (8.13.0/8.12.10) with SMTP id k28Ia7t7229111
    for <(my email address)>; Tue, 8 Aug 2006 05:57:35 +0500
Date: Tue, 8 Aug 2006 04:54:47 +0500
From: "Anthony Garcia" <ScottgXlWilliams@mightymitedoggear.com>
X-Major: 0
Original-recipient: rfc822;(my email address)
MIME-Version: 1.0
Message-Id: <47487355366211.qn57CvRnAm@duplicate>
To: jim@sad-age.com
Subject: Re[4]:
Content-Type: multipart/related; boundary="------------Next_Part44046736.ExMSB_1"
Return-Path: ScottgXlWilliams@mightymitedoggear.com
X-OriginalArrivalTime: 08 Aug 2006 09:58:37.0537 (UTC) FILETIME=[37E5B510:01C6BAD1]

--------------Next_Part44046736.ExMSB_1
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

--------------Next_Part44046736.ExMSB_1
Content-Type: image/gif; name="earring.16.gif"
Content-Transfer-Encoding: base64
Content-ID: <8.0.0.63.0.91626004246209.85967107@earn.mightymitedoggear.com.4>
Content-Disposition: inline; filename="earring.16.gif"

--------------Next_Part44046736.ExMSB_1--
RE: SPAM with images (and some junk text) - 15.Aug.2006 6:56:02 PM
gpinson
Posts: 214
Joined: 2.Sep.2003
From: Denver, CO
Status: offline
I also have the same setting, and I am wondering if I should just create the one that nicks has mentioned, or if the checkforallimages is the correct key.
RE: SPAM with images (and some junk text) - 16.Aug.2006 3:01:25 PM
luma
Posts: 1
Joined: 16.Aug.2006
Status: offline
I'm watching this with some interest as it appears that these things are hitting just about everybody and getting through just about everywhere. Some important notes that have been mentioned here in this thread that bear repeating:
1) The subject line, sender name, and body text are random text. As noted, the text in the body is roughly "email sized" (1000-5000 characters) and now seems to consist of random sentences of normal English text.
2) The image is attached inline, not loaded from some spammer's site. The image name is randomized.
Just setting 1-image w/ character limit won't help. Blocking mail with off-site images won't help. The sentences of included text now flow like regular English and are almost certainly designed to nail Bayesian analysis. I'm not sure what would help outside the aforementioned OCR, which would be time intensive both for GFI's programmers and our mail servers.
RE: SPAM with images (and some junk text) - 16.Aug.2006 3:34:42 PM
gpinson
Posts: 214
Joined: 2.Sep.2003
From: Denver, CO
Status: offline
We are running our GFi MailEssentials v12 on a gateway server, and the only thing that seems to appear common about 60% of these that are getting through on my side, is that they regularly fail RDNS lookups, which does absolutely no good, as GFi really doesn't parse the header for us to block when it sees the RDNS failure. (beating dead horse in regards to GFi only checking mail after it arrives in SMTP queue) G
RE: SPAM with images (and some junk text) - 17.Aug.2006 11:13:23 AM
bjriffel
Posts: 4
Joined: 7.Aug.2006
Status: offline
Here is my current correspondence with Mark at gfi support. As you can see I'm getting a bit dizzy from all the run around I've been getting.

Mark,

I apologize for my tone, but this is a very frustrating situation. The issue hasn't changed a bit. We can not use the solution you provided. That would involve blocking ALL imbedded images, which as most administrators will agree, is not an option. Please update us all with a better solution.

Brandon Riffel
Senior System Administrator
Ottawa University
w: 785-229-1093
c: 785-248-1257

From: GFI Support [mailto:support@gfi.com]
Sent: Thursday, August 17, 2006 6:00 AM
To: Riffel Brandon
Subject: RE: All Forums >> GFI MailEssentials for Exchange/SMTP >> RE: SPAM with images (and some junk text) [116784:294339]
Importance: High

Hello again,

I refer to my email of a few days back regarding the issue you were encountering. Could you please give us an update on your issue? We look forward to your reply so as to update our records.

Regards,
Mark Busuttil - support@gfi.com
RE: SPAM with images (and some junk text) - 19.Aug.2006 6:31:33 AM
Jim
Posts: 7
Joined: 10.Aug.2006
Status: offline
I enabled the Intelligent Message Filter on our Exchange 2003 server (which wasn't working due to the SP1 and IMF v1 conflict issue). Apparently, those stock spams (an embedded GIF with lots of random sentences) are being blocked successfully by IMF v2. All those spams were moved to the Junk E-mail folder in Outlook / OWA automatically. I'm not sure whether the Bayesian Filter is able to catch those spam, but the built-in IMF works very well against them and is certainly worth a try.
RE: SPAM with images (and some junk text) - 21.Aug.2006 10:43:14 AM
dwarren
Posts: 68
Joined: 16.Feb.2006
Status: offline
Mark, we are having this same issue. An embedded image with a bunch of random text at the end keeps making it thru the filter. Is there any fix besides increasing the character count in the registry? We, along with the other poster, do not want to block ALL embedded images, which in essence is what the fix is doing. I have submitted an email with an example to forums@gfi.com.

Thanks,
David Warren

ETA: I just received an automated reply. My email with the attached spam email has a reference number of 118608:296656
< Message edited by dwarren -- 21.Aug.2006 10:44:47 AM >