Educause Security Discussion mailing list archives
Re: Blocking GIF Spam -> Image SPAM Increase?
From: Graham Toal <gtoal () UTPA EDU>
Date: Mon, 24 Apr 2006 15:42:53 -0500
-----Original Message-----
From: Kay Sommers [mailto:ksommers () VCU EDU]
Sent: Monday, April 24, 2006 3:03 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Blocking GIF Spam

Has anybody had success in blocking the market advice spam messages that have been appearing lately? The problem is that the messages are images, and while our Brightmail scanner has the ability to devise a signature for attachments, each of these images is just a bit different, which causes problems for signature matching. The senders are usually different too. There must be thousands of bots involved.

If we block the GIF files, the end users will still get an empty message, which might actually be worse (more confusing for many of the users).

Any ideas for a good solution?

By an amazing coincidence, we've just been discussing this very subject in a thread entitled "Image SPAM Increase?" :-)

Summary: use a spamassassin-like product that weighs several factors, including the ratio of non-text+images to text; and the source IP of the sender (i.e. DNS-based BLs for botnets, dialup/cable senders without business service IPs, etc).

(Not mentioned in that thread but also very effective against these spams, since they mostly all come from botnets, is greylisting.)

Anything that is solely signature-based has been useless for spam detection for at least a year. We're lucky such systems still work for viruses, but it's only a matter of time there too. The arms race has moved on.

G
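
The weighted approach summarized in the reply above, as an added example that is not part of the original post and is not SpamAssassin's own code: a Python scorer that combines the image-to-text byte ratio with a source-IP blocklist result. The weights, threshold, ratio cut-off, the `dnsbl_listed` flag (assumed to come from a lookup the mail server already did) and the sample messages are all constructed for illustration.

```python
from email import message_from_bytes
from email.message import EmailMessage

# Hypothetical weights and cut-offs, chosen for illustration only.
WEIGHTS = {"image_heavy": 2.5, "no_text": 1.5, "dnsbl_listed": 3.0}
THRESHOLD = 5.0
IMAGE_TEXT_RATIO = 10.0  # image bytes per text byte treated as "image heavy"

def part_sizes(msg):
    """Return (text_bytes, image_bytes) summed over all leaf MIME parts."""
    text = image = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "text":
            text += len(payload.strip())
        elif part.get_content_maintype() == "image":
            image += len(payload)
    return text, image

def score(raw, dnsbl_listed):
    """Sum the weights of the rules that fire; no single rule decides alone.
    dnsbl_listed is supplied by the caller (assumed: lookup done upstream)."""
    text, image = part_sizes(message_from_bytes(raw))
    hits = []
    if image and image / max(text, 1) >= IMAGE_TEXT_RATIO:
        hits.append("image_heavy")
    if image and text == 0:
        hits.append("no_text")
    if dnsbl_listed:
        hits.append("dnsbl_listed")
    total = sum(WEIGHTS[h] for h in hits)
    return total, hits, total >= THRESHOLD

def build_sample(body, image_bytes):
    """Constructed sample message: a text body plus one GIF attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "sample"
    m.set_content(body)
    m.add_attachment(image_bytes, maintype="image", subtype="gif", filename="x.gif")
    return m.as_bytes()

# Constructed inputs: an image-only message and a mostly-text one.
SPAM = build_sample("\n", b"GIF89a" + b"\x00" * 4000)
HAM = build_sample("Photo from the meeting.\n" * 40, b"GIF89a" + b"\x00" * 4000)
```

The image-only sample stays under the threshold on content alone (4.0) and crosses it only when the sending IP is also listed (7.0), while the text-heavy sample from a listed IP scores 3.0 and is delivered.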