Mailing List Archive

New rule idea for catching spam not working
I found that certain patterns of jpg and gif files were in a large
majority of the spam which made it through my implementation of SA with
BigEvil and some of the other custom rules. I started off with a URI
rule to try and catch these. This worked in testing but not in actual
production. I first thought that might be because SA wasn't processing
the rule before pulling the html information out of the emails. I then
tried using a rawbody rule to try and catch these emails. Could anyone
who has worked with these types of rules offer any suggestions?

Sample rule:
rawbody BlackList_IMG /gb\.gif|gbtb\.gif|best-b\.jpg|outw\.gif|01\.jpg|01\.gif/i
describe BlackList_IMG Offensive material Spam images.
score BlackList_IMG 5.0

OR

uri BlackList_IMG /gb\.gif|gbtb\.gif|best-b\.jpg|outw\.gif|01\.jpg|01\.gif/i
describe BlackList_IMG Offensive material Spam images.
score BlackList_IMG 5.0

-Patrick Clary
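
Added example, not part of the original post: a Python check of the posted pattern against URIs pulled from a constructed HTML body, showing which file names it hits only as substrings. The ANCHORED variant, the sample hosts and the helper names are assumptions made for illustration, and the attribute collector is a simplified stand-in for the URI list a uri rule is matched against.

```python
import re
from html.parser import HTMLParser

# Pattern exactly as posted (SpamAssassin's /.../i maps to re.IGNORECASE).
POSTED = re.compile(r"gb\.gif|gbtb\.gif|best-b\.jpg|outw\.gif|01\.jpg|01\.gif", re.I)

# Hypothetical tighter variant (an assumption, not from the post): the name
# must be a whole path segment and must end the path.
ANCHORED = re.compile(
    r"/(?:(?:gb|gbtb|outw|01)\.gif|(?:best-b|01)\.jpg)(?=$|[?#])", re.I)

# Constructed HTML body; every host and file name is made up for the demo.
SAMPLE_HTML = """
<img src="http://spam.example/img/gb.gif">
<img src="http://spam.example/GBTB.GIF?x=1">
<img src="http://photos.example/vacation2001.jpg">
<img src="http://shop.example/bigb.gif">
<a href="http://news.example/logo.gif">logo</a>
"""

class LinkCollector(HTMLParser):
    """Collect src/href attribute values from an HTML part."""

    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.uris.append(value)

def compare(html=SAMPLE_HTML):
    """Return {uri: (posted_hit, anchored_hit)} for each URI in the HTML."""
    collector = LinkCollector()
    collector.feed(html)
    return {u: (bool(POSTED.search(u)), bool(ANCHORED.search(u)))
            for u in collector.uris}

def overbroad_hits(html=SAMPLE_HTML):
    """URIs the posted pattern hits only because the name is a substring."""
    return [u for u, (p, a) in compare(html).items() if p and not a]
```

On the constructed input, overbroad_hits() returns the vacation2001.jpg and bigb.gif URIs, which are the kind of legitimate names an unanchored alternation scoring 5.0 would also flag.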