Spam Filter ISP Support Forum

  New Posts New Posts RSS Feed - Blocking img src=cid messages
  FAQ FAQ  Forum Search   Register Register  Login Login

Blocking img src=cid messages

 Post Reply Post Reply Page  12>
Author
MartinC View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Topic: Blocking img src=cid messages
    Posted: 14 November 2005 at 4:38am
We seem to receiving a large number of img src=cid type spam messages the last few days, Outlook displays them and doesn't block them since they aren't remote web beacons.

We can use Regex on our incoming mail messages but I can't see anything that I could match against.

No websites or real text listed in the body and no discernible subjects to pickup on either which makes it difficult.

Just something like "img src=cid:long list of hex digits"    

I wondered if any sites are blocking these entirely?

Are there legitimate domains/ newsletters actually sending using this technique? (I have yet to spot any so far but there probably are)
Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 14 November 2005 at 4:45am
bump, forgot to login for replies.  Martin
Back to Top
Alan View Drop Down
Groupie
Groupie


Joined: 06 May 2005
Location: United States
Status: Offline
Points: 43
Post Options Post Options   Thanks (0) Thanks(0)   Quote Alan Quote  Post ReplyReply Direct Link To This Post Posted: 14 November 2005 at 1:08pm
Seems like just using "img src=cid" in your keyword filter would do what you want.
Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 15 November 2005 at 4:30am
Originally posted by Alan Alan wrote:

Seems like just using "img src=cid" in your keyword filter would do what you want.


this I know... pretty obvious.

however, if its valid for some sites to use it, I'll be causing some false positives doing that.

has anyone worked out a nicer regex expression rather than just blocking all...

for example, can I do img src=cid AND subject="news report" or similar in Regex>?

wasn't sure if you could mix a regex expression for both message body and subject together.


Edited by MartinC
Back to Top
Marcus View Drop Down
Newbie
Newbie


Joined: 25 July 2005
Location: United States
Status: Offline
Points: 21
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marcus Quote  Post ReplyReply Direct Link To This Post Posted: 15 November 2005 at 4:05pm

right click the msg and "view source"

paste the html source in so we can see it, there is bound to be something there to target

 

Marcus

Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 15 November 2005 at 4:20pm

Originally posted by Alan Alan wrote:

Seems like just using "img src=cid" in your keyword filter would do what you want.
however, if its valid for some sites to use it, I'll be causing some false positives doing that.

 

Unfortunately,  there are probably valid newsletters with this code.  The mailers of newsletters seem hell bent on making it nearly impossible to kill Spam by doing "spammy" things in their messages/headers/FROM's etc.

The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 16 November 2005 at 3:25am

Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach?

I am using that filter for quite some time, no probs here, but then again, im not an ISP :)

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 16 November 2005 at 4:44am
Originally posted by Marco Marco wrote:

Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach?

I am using that filter for quite some time, no probs here, but then again, im not an ISP :)


yes, suppose it would but with lots of users its not really an approach we can take. as an individual, I certainly would be doing this though.

a lot of people don't know when they are going to receive a newsletter either, so wouldn't know about the bounce if we had it at the server level. relies on the senders to contact us which isn't going to happen.

here's an example,

subject "breaking news"
source <img src=cid:e86a81e69220472974bcbd61a7c8fa6b>
approx 17kb and the message does have an attachment (which is the graphic displayed).

Outlook doesn't block this since its not an offsite web link that could be a beacon, its just an attachment.

messages are all to do with stock tips, prices etc.

there is no embedded clickable web link, so nothing else in the source.
Back to Top
Desperado View Drop Down
Senior Member
Senior Member
Avatar

Joined: 27 January 2005
Location: United States
Status: Offline
Points: 1143
Post Options Post Options   Thanks (0) Thanks(0)   Quote Desperado Quote  Post ReplyReply Direct Link To This Post Posted: 16 November 2005 at 11:29am
Originally posted by Marco Marco wrote:

Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach?

I am using that filter for quite some time, no probs here, but then again, im not an ISP :)

Marco,

"valid newsletter senders" don't seem to give a rats arse about Spam issues and do what ever they want and then throw the blame at the ISP (Us).  Many newsletters are totally indistinguishable from Spam and use all the techniques that spammers use to get past normal filters.  Every time I put in a real good filter to stop some new Spam technique, some newsletters start getting blocked.



Edited by Desperado
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com

Back to Top
kspare View Drop Down
Senior Member
Senior Member


Joined: 26 January 2005
Location: Canada
Status: Offline
Points: 334
Post Options Post Options   Thanks (0) Thanks(0)   Quote kspare Quote  Post ReplyReply Direct Link To This Post Posted: 17 November 2005 at 12:49am
you know, I say .... too bad. That's why we got the autowhitelist. I'm adding this to my spam list.
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 17 November 2005 at 4:18am
Originally posted by Desperado Desperado wrote:

Originally posted by Marco Marco wrote:

Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach?

I am using that filter for quite some time, no probs here, but then again, im not an ISP :)

Marco,

"valid newsletter senders" don't seem to give a rats arse about Spam issues and do what ever they want and then throw the blame at the ISP (Us).  Many newsletters are totally indistinguishable from Spam and use all the techniques that spammers use to get past normal filters.  Every time I put in a real good filter to stop some new Spam technique, some newsletters start getting blocked.

 

Kspare said it, if newsletter authors choose to behave  spam-like, they choose the risk to get blocked, if they don't care, then why should we? In the end there is allways the whitelist, and usually all the unsollicited newsletters do is generate traffic and cost us bandwidth.

 

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 17 November 2005 at 5:32am
Originally posted by MartinC MartinC wrote:

[QUOTE=Alan]has anyone worked out a nicer regex expression rather than just blocking all...
for example, can I do img src=cid AND subject="news report" or similar in Regex>?


no-one answered my question,
can I put a regex filter in that does something in the body AND the subject?

so a boolean essentially.

If I could do this, it would be relatively simple to block these messages.
Back to Top
LogSat View Drop Down
Admin Group
Admin Group
Avatar

Joined: 25 January 2005
Location: United States
Status: Offline
Points: 4104
Post Options Post Options   Thanks (0) Thanks(0)   Quote LogSat Quote  Post ReplyReply Direct Link To This Post Posted: 17 November 2005 at 4:51pm
MartinC,

Unfortunately the answer is "now". SpamFilter separates searches in the subject from those in the content, so each "line" (expression) in your keyword file can only search in either the subject or the body, not in both.
Roberto Franceschetti

LogSat Software

Spam Filter ISP
Back to Top
Ann View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Ann Quote  Post ReplyReply Direct Link To This Post Posted: 23 November 2005 at 3:34pm

How do I apply this rule with Outlook? I tried creating a rule that blocked by content but it didn't work. The statement is in the source code, not the actual body content. Does Outlook look at the source code?

I am so sick of having porn pics showing up. Thanks, Ann

Back to Top
pcmatt View Drop Down
Senior Member
Senior Member
Avatar

Joined: 15 February 2005
Location: United States
Status: Offline
Points: 116
Post Options Post Options   Thanks (0) Thanks(0)   Quote pcmatt Quote  Post ReplyReply Direct Link To This Post Posted: 29 November 2005 at 10:20am

We've found it effective to block the cid's that are found in offensive unwanted email.  You'll find that they are the same per spamvertiser. So you would add:

cid:e86a81e69220472974bcbd61a7c8fa6b

to your keyword list, for example, if that image was an offensive image.  Obviously they can change the image and foil this, but spammers are pretty lazy.

-Matt R
Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 29 November 2005 at 2:22pm
Originally posted by pcmatt pcmatt wrote:

We've found it effective to block the cid's that are found in offensive unwanted email.  You'll find that they are the same per spamvertiser. So you would add:

cid:e86a81e69220472974bcbd61a7c8fa6b

to your keyword list, for example, if that image was an offensive image.  Obviously they can change the image and foil this, but spammers are pretty lazy.



afraid not in this case Matt... the spammers aren't lazy - they're automated by the looks of it, and probably using some block of hijacked PCs to send these messages out.

the cid changes everytime and they are coming from many ip addresses.

we are getting hundreds of these per day and no way to block the messages - apart from blocking all img cid messages - this will cause a good number of false positives, probably newsletters of some sort.

outlook 2003's builtin spam filter does seem to catch some of these but not all.

I've tried running a separate outlook 2003 filter to see if any other messages I have use this style format, it seems not... img src=cid: in the message header doesn't show anything for 1000 messages of mine with various newsletters (so I might just be ok to block it globably).

however, this doesn't help my users any at the moment since they are running different email clients.

any ideas Roberto & others... really pulling my hair out on this one...


okay, to reiterate...

no text in the message body, apart from the img src=cid: and an ever changing 28-30 character hex string.

various subjects like Top News, Headline News, Press Release ...


[EDIT]
okay... thinking about this...

a Regex string that blocks img src=cid: but with a string greater than say 28 characters?

that should get me pretty close rather than a global block.
Back to Top
vrspock View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote vrspock Quote  Post ReplyReply Direct Link To This Post Posted: 30 November 2005 at 10:58pm
Originally posted by Marco
<P>Kspare said it, if newsletter authors choose to behave  spam-like, they choose the risk to get blocked, if they don't care, then why should we? In the end there is allways the whitelist, and usually all the unsollicited newsletters do is generate traffic and cost us bandwidth.</P>
<P> </P>
<P>[/QUOTE Marco

Kspare said it, if newsletter authors choose to behave  spam-like, they choose the risk to get blocked, if they don't care, then why should we? In the end there is allways the whitelist, and usually all the unsollicited newsletters do is generate traffic and cost us bandwidth.

 

[/QUOTE wrote:

I have to agree.  We tell our users that newsletters tend to get caught by the spam filter because they have a lot of similarities to spam.  There's always the auto forced delivery white list.  We just tell folks to check their quarantine anytime shortly after subscribing to a new newsletter if they do

I have to agree.  We tell our users that newsletters tend to get caught by the spam filter because they have a lot of similarities to spam.  There's always the auto forced delivery white list.  We just tell folks to check their quarantine anytime shortly after subscribing to a new newsletter if they don't see any confirmations of their subscriptions shortly after subscribing.

Most of our users realize that this is just part of life in an email world where 90% of email is spam.  It's either deal with a few inevitable false positives from time to time or receive 200 spams in your inbox each day.

We do have a mod on our site that allows senders who bother to read the NDR message to send a notification to recipients with a canned subject line and body to alert them to something really important that has landed in their quarantine amidst the few tons of spam.  It seems to work fairly well in most false positive cases involving business oriented emails and sends us a CC of the notice to help give us an idea of how often a false positive hits the quarantine.

Back to Top
Brian Dayton View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Brian Dayton Quote  Post ReplyReply Direct Link To This Post Posted: 02 December 2005 at 1:07pm
I've been seeing a lot of these spam messages too and think that regex would fit the bill quite nicely since the spam message is nothing but a cid string and nothing else. Most messages with cid strings in them have atleast other data within the source message so they will likely not be blocked as long as the regex is filtering on messages that have a cid string and nothing following it.
Back to Top
friesk View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote friesk Quote  Post ReplyReply Direct Link To This Post Posted: 06 December 2005 at 11:56am
we have been getting a lot of these messages as of late.  MartinC did you find a regex string that worked? Any more ideas on how to block these typ eof messages would be helpful, thanks.
Back to Top
Ken Bour View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote Ken Bour Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2005 at 8:58am

Here is the regex that I am using to block these messages:

src\=(\"c|c)id\:

This policy has been in place for about 3-4 days, but I am only logging for the time being.  So far, only 1 false positive which I am trying to analyze. 

I agree that, if newsletters use this technique, then they subject themselves to being filtered. 

 

Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2005 at 9:55am
Originally posted by Ken Bour Ken Bour wrote:

Here is the regex that I am using to block these messages:

src\=(\"c|c)id\:



thats a bit vague to be honest, blocks all src=cid.

I ended up putting in something a bit more specific.

(img src=cid:[a-zA-Z0-9]{16,20})

you can vary the numbers to whatever you want, 32,32 or whatever.
Back to Top
pcmatt View Drop Down
Senior Member
Senior Member
Avatar

Joined: 15 February 2005
Location: United States
Status: Offline
Points: 116
Post Options Post Options   Thanks (0) Thanks(0)   Quote pcmatt Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2005 at 10:10am

MartinC:

I'm a bit of a Regex novice. Can you explain how this works like what the varied numbers will do:


(img src=cid:[a-zA-Z0-9]{16,20})

you can vary the numbers to whatever you want, 32,32 or whatever.

Thanks!

MattR

 

-Matt R
Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2005 at 10:18am
Originally posted by pcmatt pcmatt wrote:

MartinC:

I'm a bit of a Regex novice. Can you explain how this works like what the varied numbers will do:


bit of a novice with it myself, so my explanation might not be spot on.

the first number is the minimum length of string to match, the second one the length of the entire string? something like that.

so if the jumble of letters and numbers was 16 characters long and you wanted to match the entire thing, you could put 16,16 in the brackets.

if it was 16 characters but you were happy to match after a minimum of 8, then 8,16 would do the trick.

worth downloading "the Regex Coach" which I think someone linked off here... its a windows gui program that lets you try things out and see how the things will work.

I'm sure someone will come up with an even more efficient version of this expression.. but this one is fine for now.



Edited by MartinC
Back to Top
Marco View Drop Down
Senior Member
Senior Member
Avatar

Joined: 07 June 2005
Location: Netherlands
Status: Offline
Points: 137
Post Options Post Options   Thanks (0) Thanks(0)   Quote Marco Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2005 at 10:55am

If only the bill gates' of this world would issue rewards on the heads of virus programmers, "wanted, dead or alive, $$$$$$ for the one that....." etc etc.

Sounds funny eh? but you think about it... lets put a bounty on the head of the ones that created the latest wave of spamming viruses of, let's say, $200,000.

I mean, thats peanuts for Bill, and seeing his OS is mostly responsible for all the crap out there it seems fair to me he should be the one to pick up the tab.

With such an insentive i can allmost guarantee success in bringing the virus-geek(s) to justice. (i'd rather see them shot on the spot btw. ).

The zombie networks are beeing used for all sorts of illegal practises, only one of the 'features' is sending spam, the virus programmers made this all happen, they should be dealt with radically and decisively.

sorry, just need to vent sometimes

Anyone who is capable of getting himself made president, should on no account be allowed to do the job. D.Adams
Back to Top
vrspock View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote vrspock Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2005 at 3:05pm

Another pet peeve of mine with newsletters and some shopping carts is when the use the recipients email address as the from address in the emails they are sending from their own mail servers.

We reject emails that fail SPF checking, including our own domains.

Back to Top
vrspock View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote vrspock Quote  Post ReplyReply Direct Link To This Post Posted: 14 December 2005 at 3:11pm
Originally posted by Marco Marco wrote:

If only the bill gates' of this world would issue rewards on the heads of virus programmers, "wanted, dead or alive, $$$$$$ for the one that....." etc etc.

Sounds funny eh? but you think about it... lets put a bounty on the head of the ones that created the latest wave of spamming viruses of, let's say, $200,000.

I mean, thats peanuts for Bill, and seeing his OS is mostly responsible for all the crap out there it seems fair to me he should be the one to pick up the tab.

With such an insentive i can allmost guarantee success in bringing the virus-geek(s) to justice. (i'd rather see them shot on the spot btw. ).

The zombie networks are beeing used for all sorts of illegal practises, only one of the 'features' is sending spam, the virus programmers made this all happen, they should be dealt with radically and decisively.

sorry, just need to vent sometimes

I agree whole heartidly, LOL.  I think we should enfoce a law that I saw on the old 80's show, Max Headroom.  If you crashed the net in the world of Max Headroom, it was a capital punishment offense!  Surely under that train of thought, severly slowing down parts of the net would deserve a good caining.

Back to Top
suomynona View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote suomynona Quote  Post ReplyReply Direct Link To This Post Posted: 01 June 2006 at 12:28am
Originally posted by MartinC MartinC wrote:

Originally posted by Ken Bour Ken Bour wrote:

Here is the regex that I am using to block these messages:

src\=(\"c|c)id\:



thats a bit vague to be honest, blocks all src=cid.

I ended up putting in something a bit more specific.

(img src=cid:[a-zA-Z0-9]{16,20})

you can vary the numbers to whatever you want, 32,32 or whatever.

Why does it even matter what comes after the cid:?  If the message contains the match from the first regex, then it should be canned.

I do see a flaw in the first regex, if there is a newline character before or after the "=" then it won't match.

Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 01 June 2006 at 4:31am
why does it matter?

simple - because there are some valid src=cid formats.

spammers tend to use badly formatted ones so easier to block.

I've not seen many programs do it, but have seen some false positives from standard email clients.

Back to Top
JohnD View Drop Down
Guest Group
Guest Group
Post Options Post Options   Thanks (0) Thanks(0)   Quote JohnD Quote  Post ReplyReply Direct Link To This Post Posted: 02 June 2006 at 11:55am
Where do I put this settinng ???
Back to Top
MartinC View Drop Down
Newbie
Newbie


Joined: 29 July 2005
Status: Offline
Points: 25
Post Options Post Options   Thanks (0) Thanks(0)   Quote MartinC Quote  Post ReplyReply Direct Link To This Post Posted: 02 June 2006 at 12:04pm
in the keywords.txt file.

I have a variety of these to block spammers.

things like this for some of this weeks junk.

(cid:[\w]{12}\$[\w]{8}\$[\w]{8}@[\w]{4,5}\.[\w]{2,5}")

Back to Top
 Post Reply Post Reply Page  12>
  Share Topic   

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.363 seconds.