Educause Security Discussion mailing list archives

Re: Image SPAM Increase?


From: Paul Russell <prussell () ND EDU>
Date: Thu, 20 Apr 2006 20:50:29 -0400

On 4/19/2006 12:51, Bruggeman, John wrote:
I'm seeing the same thing here at HUC-JIR, my Barracuda is not detecting
them.  I've tagged probably 50-75 emails in the Barracuda but so far (24
-48 hours after tagging) the 'Cuda has not tagged them as BULK.

I'm just hoping that the 'Cuda folks create some rules to get these
marked.


Our Barracuda has caught quite a bit of this stuff over the past few weeks,
but our site-wide tag and quarantine scores are a bit more aggressive than
the vendor's default values of 3.5 and 7.0, respectively. We tag at 1.0 and
quarantine at 2.0. Of course, individual users can override these values for
their own accounts.

Appended below are the X-Barracuda headers from a recent specimen. If we
had been using the vendor's recommended tag and quarantine scores, this
message would have been tagged and delivered, not quarantined.

> X-Barracuda-Spam-Score: 4.60
> X-Barracuda-Spam-Status: Yes, SCORE=4.60 using per-user scores of
>    TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1.0 KILL_LEVEL=1000.0
>    tests=HELO_DYNAMIC_SPLIT_IP, HTML_IMAGE_ONLY_04, MIME_HTML_MOSTLY,
>    MPART_ALT_DIFF
> X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.11036
>    Rule breakdown below
>    pts  rule name              description
>    ---- ---------------------- -------------------------------------------
>    0.88 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname
>                                    (Split IP)
>    0.70 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html
>                                    MIME
>    0.14 MPART_ALT_DIFF         BODY: HTML and text parts are different
>    2.88 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words

--
Paul Russell, Senior Systems Administrator
OIT Messaging Services Team
University of Notre Dame
prussell () nd edu
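The point of the headers above is that the same rule breakdown lands on a different action depending on the tag/quarantine thresholds in force. The following is an added example (not code from the post, the list, or Barracuda Networks) that parses the quoted X-Barracuda-Spam-Status and X-Barracuda-Spam-Report values, sums the rule points and maps the score onto the vendor default levels (3.5 tag / 7.0 quarantine), the site-wide levels described in the post (1.0 / 2.0) and the per-user levels shown in the header. The comparison order (kill, then quarantine, then tag) and the use of "greater than or equal" are my assumptions about how the appliance applies its levels; the sample header text is copied from the post with the folding whitespace kept.

```python
import re

# Constructed sample: header values as quoted in the post above.
SAMPLE_STATUS = (
    "Yes, SCORE=4.60 using per-user scores of "
    "TAG_LEVEL=1000.0 QUARANTINE_LEVEL=1.0 KILL_LEVEL=1000.0 "
    "tests=HELO_DYNAMIC_SPLIT_IP, HTML_IMAGE_ONLY_04, MIME_HTML_MOSTLY, MPART_ALT_DIFF"
)

SAMPLE_REPORT = """\
Code version 3.02, rules version 3.0.11036
   Rule breakdown below
   pts  rule name              description
   ---- ---------------------- -------------------------------------------
   0.88 HELO_DYNAMIC_SPLIT_IP  Relay HELO'd using suspicious hostname
                                    (Split IP)
   0.70 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html
                                    MIME
   0.14 MPART_ALT_DIFF         BODY: HTML and text parts are different
   2.88 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
"""

# A scored line starts with a signed decimal, then the rule name, then text.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)\s+(.*)$")
LEVEL_RE = re.compile(r"(TAG_LEVEL|QUARANTINE_LEVEL|KILL_LEVEL)=(-?\d+\.\d+)")


def parse_levels(status_header: str) -> dict:
    """Pull the per-user TAG/QUARANTINE/KILL levels out of X-Barracuda-Spam-Status."""
    return {name: float(val) for name, val in LEVEL_RE.findall(status_header)}


def parse_rule_breakdown(report: str) -> list:
    """Return (points, rule, description) for every scored rule in the report.

    Lines that carry no score (the preamble and the wrapped description
    continuations) are folded into the previous rule's description once a
    rule has been seen; preamble lines before the first rule are ignored.
    """
    rules = []
    for line in report.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2), m.group(3).strip()))
        elif rules and line.strip():
            pts, name, desc = rules[-1]
            rules[-1] = (pts, name, desc + " " + line.strip())
    return rules


def total_score(rules) -> float:
    """Sum the rule points, rounded to the two decimals the header uses."""
    return round(sum(pts for pts, _, _ in rules), 2)


def classify(score: float, tag_level: float, quarantine_level: float,
             kill_level: float = 1000.0) -> str:
    """Map a score onto an action, most severe level first (assumed ordering)."""
    if score >= kill_level:
        return "kill"
    if score >= quarantine_level:
        return "quarantine"
    if score >= tag_level:
        return "tag"
    return "deliver"


def evaluate_sample() -> dict:
    """Score the quoted specimen under three threshold policies."""
    rules = parse_rule_breakdown(SAMPLE_REPORT)
    score = total_score(rules)
    user = parse_levels(SAMPLE_STATUS)
    return {
        "score": score,
        "vendor_default": classify(score, 3.5, 7.0),      # 3.5 / 7.0 from the post
        "site_wide": classify(score, 1.0, 2.0),           # 1.0 / 2.0 from the post
        "per_user": classify(score, user["TAG_LEVEL"],
                             user["QUARANTINE_LEVEL"], user["KILL_LEVEL"]),
    }


if __name__ == "__main__":
    for rule in parse_rule_breakdown(SAMPLE_REPORT):
        print("%5.2f %-22s %s" % rule)
    print(evaluate_sample())
```

Running it shows the specimen summing to 4.60 and coming out as "tag" under the vendor defaults but "quarantine" under both the site-wide and the per-user levels, which is the gap the post describes. Feeding a day's worth of X-Barracuda-Spam-Report values through parse_rule_breakdown is also a quick way to see which rules (here HTML_IMAGE_ONLY_04) are doing most of the work on image-only spam before deciding whether to lower a threshold site-wide.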
