
Stopping the single-gif-spam


20 replies to this topic

#1 PerHoff

PerHoff
  • Members
  • 3 posts

Posted 24 April 2006 - 06:12 AM

I have been asking around, and reading the forums, on how to stop the massive amount of single-gif-image spam we're receiving. Mailsweeper solves the problem by using an MD5 hash of the image as a recognizer, as the image will be identical in most cases, and they keep an updated list, of course. So, my challenge to Barracuda, why haven't you guys solved this yet? Teaching the filter by marking them as spam is neither a short nor long-term solution, as the pictures will change, eventually, and you have to start all over. So, with our approximately 25K users, I need an answer from Barracuda what your road plan is on this. Any suggestions other than the already stated?

#2 Phueschen

Phueschen
  • Members
  • 17 posts

Posted 25 April 2006 - 10:50 AM

This one has been driving me nuts for some time and is our only complaint about the Cuda system. It seems that nearly all the new Stock Spam we get is simply the embedded image files now so they bypass our 400's easily leading some managers to question the value of the system. While I could simply block all GIF, JPG, etc attachments I know I would catch legitimate mail using this method. The same can happen if I train those. If anyone has any ideas on this please also let me know as I can see this becoming more and more of an issue.

#3 Sean Fahey

Sean Fahey
  • Members
  • 4 posts

Posted 26 April 2006 - 08:45 AM

Would adding jpg, bmp, gif extensions to your Quarantined Attachment Extensions help? I'm a new Barracuda user, so apologies if it's a useless suggestion.

#4 Phueschen

Phueschen
  • Members
  • 17 posts

Posted 26 April 2006 - 03:24 PM

While we could add those files to the list it would catch a lot of legitimate mail also then. I think that is why it's so popular now as a spamming method as it's nearly impossible to stop without impacting your users in a negative way.

#5 stokash

stokash
  • Members
  • 75 posts

Posted 27 April 2006 - 08:35 AM

A lot of legitimate mail will get blocked (or quarantined) for most if you add those file extensions, especially the gif extension.

#6 larryt

larryt
  • Members
  • 7 posts

Posted 27 April 2006 - 09:33 AM

For an ISP or large number of users doing that would create a lot of false positives and block some legit email. I have been having trouble with this also, and I posted something about it a while back. I suspect that this has stumped more than just me so I don't feel so bad anymore haha. :lol:

#7 Michael Manning

Michael Manning
  • Members
  • 270 posts
  • Location: Ohio, USA

Posted 28 April 2006 - 09:59 AM

We get a lot of these types of messages. One thing we found though is that while the header does show a line about HTML_IMAGE_ONLY and the message itself does look like it only contains an image, if you scroll down and read the header information more carefully you will sometimes find that there is indeed text in the message body, though it is formatted as color="#FFFFFF" or white. Also, if you select all in the message view you will be able to see the text as well. Even though this text is clearly added as poison, I have been marking them as spam and the cuda has progressively been quarantining and blocking more and more of this junk.

#8 wildadmin

wildadmin
  • Members
  • 1 posts

Posted 28 April 2006 - 11:39 AM

I am receiving heat from my manager to take care of these messages. He is already researching desktop products to take care of what the Barracuda can not. OUCH! I am going to have difficulty justifying the cost of the yearly subscription if my own manager is purchasing additional software to solve his SPAM problems. Hopefully Barracuda Networks will find a solution to this soon.

___________WildAdmin_______________

#9 Randall Jones

Randall Jones
  • Members
  • 0 posts

Posted 28 April 2006 - 12:00 PM

Teaching the filter by marking them as spam is neither a short nor long-term solution, as the pictures will change, eventually, and you have to start all over.

You will have to continually train your spam filter for all types of spam, not just image-only. Accurate spam filtering has never been-- and I suspect never will be-- a "set it and forget it" activity.

#10 tschett

tschett
  • Members
  • 36 posts

Posted 28 April 2006 - 12:13 PM

Would adding jpg, bmp, gif extensions to your Quarantined Attachment Extensions help? I'm a new Barracuda user, so apologies if it's a useless suggestion.

I have a question related to this. Does anyone know that if you have Quarantine disabled on Spam Scoring can you still use the Quarantined Attachment under Attachment Quarantine?

yeah, it will still quarantine the attachment.

#11 Paul Dyer

Paul Dyer
  • Members
  • 27 posts

Posted 28 April 2006 - 12:38 PM

I sorted through a ton of these... and found the following in each message.
align=3Dbaseline=20 border=3D0
So far I can't find any legit mails with this... check guys! (Of course I'm sure the #$$@#$@ spammers will figure this out if it's true).

#12 egoboy

egoboy
  • Members
  • 2 posts

Posted 01 May 2006 - 09:06 AM

This is exactly why I joined this forum, to research ways to block this particular type of email. I thought it would just be simple to give us the ability to customize the scoring based on the rules. For example, this is from the header of one of these gif-only emails I want to stop:

X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.11767
Rule breakdown below
 pts rule name              description
---- ---------------------- -------------------------------------------------
1.36 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
0.70 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
0.14 MPART_ALT_DIFF         BODY: HTML and text parts are different
2.88 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
X-Priority: 5 (Lowest)

It seems to me that the easiest solution is to raise the score based on rule 2.88. I couldn't find a way to do this in the web interface, is this something that is customizable?

egoboy :mrgreen:
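One way to get the per-rule weighting asked for above without a change to the appliance is to parse the X-Barracuda-Spam-Report header in a downstream stage and re-total it with your own weights. This is an added Python example, not a Barracuda feature; the rule lines are the ones quoted in the post, while the override weight and the tag/quarantine thresholds are constructed.

```python
import re

# The rule breakdown quoted above, as the text a downstream filter would read.
REPORT = """\
X-Barracuda-Spam-Report: Code version 3.02, rules version 3.0.11767
Rule breakdown below
 pts rule name              description
---- ---------------------- --------------------------------------------------
1.36 HELO_DYNAMIC_IPADDR    Relay HELO'd using suspicious hostname (IP addr 1)
0.70 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
0.14 MPART_ALT_DIFF         BODY: HTML and text parts are different
2.88 HTML_IMAGE_ONLY_04     BODY: HTML: images with 0-400 bytes of words
"""
# A scored line starts with a signed decimal, then an upper-case rule name.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s+(.*)$")

def parse_report(text):
    """Return [(points, rule_name, description)] for each scored rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append((float(m.group(1)), m.group(2), m.group(3).strip()))
    return rules

def rescore(rules, overrides):
    """Total the score again, substituting your own points for listed rules."""
    return round(sum(overrides.get(name, pts) for pts, name, _ in rules), 2)

def verdict(score, tag, quarantine):
    """Map a score to the action of a downstream stage (thresholds are constructed)."""
    if score >= quarantine:
        return "quarantine"
    return "tag" if score >= tag else "deliver"

# Constructed policy: weight an image-only HTML body as much as the other rules combined.
OVERRIDES = {"HTML_IMAGE_ONLY_04": 6.0}
```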

#13 stokash

stokash
  • Members
  • 75 posts

Posted 01 May 2006 - 11:36 AM

We currently don't have the ability to customize the scoring. I'm pretty sure there has already been a post on the Feature Request forum. Best thing would be to add your input there.

#14 Duditts

Duditts
  • Members
  • 2 posts

Posted 02 May 2006 - 01:31 PM

I too have been troubled with this inability. It seems that all too often a message can be easily blocked by a heavier weight and that can't be done. I spoke with support yesterday regarding a Nigerian money 'ish e-mail and requested weighing a rule as a feature request, again. I would suggest you call into support and have them enter it for you. From what I can tell the biggest benefit to the Cuda is the immediate ROI that you get because of its simplistic interface and easy web gui. The trade-off however is that after you use the system for a while you begin to notice its limitations and what was once the feature that made it great, becomes the feature that makes it bad. I wish for an advanced type mode where you can change the weight of a rule, edit report formats, and change the views of the message log for a more specific view.

#15 randhall

randhall
  • Members
  • 41 posts

Posted 08 May 2006 - 08:59 AM

How well trained is your Bayes? Do you aggressively use DUL RBLs?

The single image gif spam we're getting is getting a consistent:

X-Barracuda-Spam-Score: 1.69

You can't blame Barracuda for giving this an ambiguous score. They don't have much to go on. We tag at 1.2 so this does effectively get "caught." We don't get much legit mail above 1.0. Since most of this stuff is coming from zombies, your best bet is to reject mail from dialup clients. If you can get away with it, reject stuff wholesale from second and third world countries.

Yesterday, on 30,000 inbound messages we dropped these:

# Top RBL Matches Count
1 sbl-xbl.spamhaus.org 13754
2 dul.dnsbl.sorbs.net 2622
3 dynablock.njabl.org 400
4 dnsbl.njabl.org 271
5 psbl.surriel.com 210
6 list.dsbl.org 165
7 cn-kr.blackholes.us 96
8 cbl.abuseat.org 89

#16 ncblues

ncblues
  • Members
  • 5 posts

Posted 10 May 2006 - 09:27 AM

I have been using SpamAssassin for some time and having the same problem. I just switched to Barracuda and was hoping this problem would go away. :cry:

#17 lespinoza

lespinoza
  • Members
  • 5 posts

Posted 17 May 2006 - 03:55 PM

Hey guys... I've been up against this problem for at least 8 months and still can not find any effective way to block it.

Rgds,
-Lorenzo Espinoza-
SoftronCHILE

#18 pejacoby

pejacoby
  • Members
  • 1,822 posts

Posted 22 May 2006 - 08:54 AM

I sorted through a ton of these... and found the following in each message.

align=3Dbaseline=20 border=3D0

I'd love to use this, but there is currently a bug with Body Filter (#6900) that keeps most attempts to filter these single-GIF messages from working. The parser can't handle multipart MIME envelopes that have imbalanced boundaries. And unfortunately it seems most of the GIF messages have this imbalance. Support indicated they don't have an ETA for a fix on this one. An example: notice how the text/plain section uses the same boundary as the text/html section, but with only ONE closing boundary.

------=_NextPart_000_0005_01C67DE9.084EC5FD
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_0006_01C67DE9.084EC60A"

------=_NextPart_001_0006_01C67DE9.084EC60A
Content-Type: text/plain;
	charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

------=_NextPart_001_0006_01C67DE9.084EC60A
Content-Type: text/html;
	charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dwindows-1252">
<META content=3D"MSHTML 6.00.2800.1409" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2><IMG alt=3D"" hspace=3D0=20
src=3D"cid:000401c67d9d$98671df0$a7e1ecde@evn.ik" align=3Dbaseline=20
border=3D0></FONT></DIV>
</BODY></HTML>

------=_NextPart_001_0006_01C67DE9.084EC60A--

------=_NextPart_000_0005_01C67DE9.084EC5FD
Content-Type: image/gif;
	name="questionable.gif"
Content-Transfer-Encoding: base64
Content-ID: <000401c67d9d$98671df0$a7e1ecde@evn.ik>

R0lGODdhGAKyAoQAAP///w0ODuDe4aOjpTYsNwkBEY2DidfGxG11Z0lOWoucmCchGjQ/OW9+fAIE...
Xid2Zqd2elkHbKd3fucohAAAOw==

------=_NextPart_000_0005_01C67DE9.084EC5FD--
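
The three detection ideas raised in this thread, the MD5 hash list from post #1, the white-on-white "poison" text from post #7 and the image-only HTML layout of the message quoted above, combined in one added Python example. It is not Barracuda's or Mailsweeper's code; the sample message, its boundary and Content-ID names and the 1x1 GIF are constructed, and the 400-byte word limit is borrowed from the HTML_IMAGE_ONLY_04 description in post #12.

```python
import hashlib
import re
from email import policy
from email.parser import BytesParser

# Constructed sample shaped like the message quoted above (multipart/related,
# HTML that shows only a cid: image, GIF part); the GIF is a 1x1 placeholder.
SAMPLE = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="bnd"

--bnd
Content-Type: text/html; charset="us-ascii"

<HTML><BODY bgColor="#ffffff"><DIV><IMG src="cid:img1@example" align=baseline
border=0><FONT color="#FFFFFF">rain sun cloud</FONT></DIV></BODY></HTML>
--bnd
Content-Type: image/gif; name="questionable.gif"
Content-Transfer-Encoding: base64
Content-ID: <img1@example>

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--bnd--
"""
TAG_RE = re.compile(r"<[^>]+>")
WHITE_RE = re.compile(r'\bcolor\s*=\s*"?#?ffffff\b', re.I)  # font colour, not bgColor

def inspect(msg_bytes):
    """Return (md5 hex of each decoded image part, body of the text/html part)."""
    msg = BytesParser(policy=policy.default).parsebytes(msg_bytes)
    hashes, html = [], ""
    for part in msg.walk():
        if part.get_content_maintype() == "image":
            hashes.append(hashlib.md5(part.get_payload(decode=True)).hexdigest())
        elif part.get_content_type() == "text/html":
            html = part.get_content()
    return hashes, html

def classify(msg_bytes, known_bad):
    """Reasons to quarantine: hash-list hit, image-only HTML, hidden white text."""
    hashes, html = inspect(msg_bytes)
    reasons = []
    if any(h in known_bad for h in hashes):
        reasons.append("known_bad_image")       # Mailsweeper-style MD5 match
    words = " ".join(TAG_RE.sub(" ", html).split())
    if "<img" in html.lower() and len(words.encode()) <= 400:
        reasons.append("html_image_only")       # same idea as HTML_IMAGE_ONLY_04
    if WHITE_RE.search(html):
        reasons.append("white_text")
    return reasons
```

The hash list is seeded from messages an admin has already marked, so a re-sent copy of the same GIF is caught on the hash alone, while a fresh image still trips the layout and white-text checks.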



#19 ncblues

ncblues
  • Members
  • 5 posts

Posted 22 May 2006 - 09:06 AM

The best way I found to stop it, is to quarantine .gif images. The only problem is you need to be able to whitelist the good guys, which is currently not working. Barracuda tells me that will be fixed in the 3.4 firmware release.

#20 kakthompson

kakthompson
  • Members
  • 2 posts

Posted 29 May 2006 - 07:28 AM

Has there been any discussion regarding the Barracuda implementing a "challenge / response" system? Something along the lines of what Earthlink has done where when a non-whitelisted person sends a message, they get a reply back explaining a process for them to go through to validate who they are and the legitimacy of their message. Seems like something along this line would help resolve the issues with all the ways creative users figure out how to circumvent the Barracuda rules, Bayesian, etc.