Re: Blocking GIF Spam -> Image SPAM Increase?

[Graham Toal <gtoal () UTPA EDU>]

> -----Original Message-----
> From: Kay Sommers [mailto:ksommers () VCU EDU] 
> Sent: Monday, April 24, 2006 3:03 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Blocking GIF Spam
>
> Has anybody had success in blocking the market advice spam 
> messages that 
> have been appearing lately?    The problem is that the messages are 
> images, and while our Brightmail scanner has the ability to 
> devise a signature for attachments, each of these images is 
> just a bit different which causes problems for signature 
> matching.  The senders are usually different too.  There must 
> be thousands of bots invoved.
> If we block the GIF files, the end users will still get an 
> empty message which might actually be worse (more confusing 
> for many of the users).
> Any ideas for a good solution?  

By an amazing coincidence, we've just been discussing this
very subject in a thread entitled "Image SPAM Increase?" :-)

Summary: use a spamassassin-like product that weighs several
factors, including the ratio of non-text+images to text; and
the source IP of the sender (i.e. DNS-based BLs for botnets,
dialup/cable senders without business service IPs, etc).

(Not mentioned in that thread but also very effective against
these spams, since they mostly all come from botnets, is
greylisting)

Anything that is solely signature-based has been useless for
spam detection for at least a year.  We're lucky such systems
still work for viruses, but it's only a matter of time there
too.  The arms race has moved on.

G