right click the msg and "view source"

paste the html source in so we can see it, there is bound to be something there to target

Marcus

Alan wrote: Seems like just using "img src=cid" in your keyword filter would do what you want. however, if its valid for some sites to use it, I'll be causing some false positives doing that.

Unfortunately,  there are probably valid newsletters with this code.  The mailers of newsletters seem hell bent on making it nearly impossible to kill Spam by doing "spammy" things in their messages/headers/FROM's etc.

Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach?

I am using that filter for quite some time, no probs here, but then again, im not an ISP :)

Marco wrote: Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach? I am using that filter for quite some time, no probs here, but then again, im not an ISP :)

Marco,

"valid newsletter senders" don't seem to give a rats arse about Spam issues and do what ever they want and then throw the blame at the ISP (Us).  Many newsletters are totally indistinguishable from Spam and use all the techniques that spammers use to get past normal filters.  Every time I put in a real good filter to stop some new Spam technique, some newsletters start getting blocked.

Desperado wrote: Marco wrote: Wouldn't blocking all mails with "img src=cid" content, sortof 'force' the valid newsletter senders to reconsider their approach? I am using that filter for quite some time, no probs here, but then again, im not an ISP :) Marco, "valid newsletter senders" don't seem to give a rats arse about Spam issues and do what ever they want and then throw the blame at the ISP (Us).  Many newsletters are totally indistinguishable from Spam and use all the techniques that spammers use to get past normal filters.  Every time I put in a real good filter to stop some new Spam technique, some newsletters start getting blocked.

Kspare said it, if newsletter authors choose to behave  spam-like, they choose the risk to get blocked, if they don't care, then why should we? In the end there is allways the whitelist, and usually all the unsollicited newsletters do is generate traffic and cost us bandwidth.

How do I apply this rule with Outlook? I tried creating a rule that blocked by content but it didn't work. The statement is in the source code, not the actual body content. Does Outlook look at the source code?

I am so sick of having porn pics showing up. Thanks, Ann

We've found it effective to block the cid's that are found in offensive unwanted email.  You'll find that they are the same per spamvertiser. So you would add:

cid:e86a81e69220472974bcbd61a7c8fa6b

to your keyword list, for example, if that image was an offensive image.  Obviously they can change the image and foil this, but spammers are pretty lazy.

Marco Kspare said it, if newsletter authors choose to behave  spam-like, they choose the risk to get blocked, if they don't care, then why should we? In the end there is allways the whitelist, and usually all the unsollicited newsletters do is generate traffic and cost us bandwidth.   [/QUOTE wrote: I have to agree.  We tell our users that newsletters tend to get caught by the spam filter because they have a lot of similarities to spam.  There's always the auto forced delivery white list.  We just tell folks to check their quarantine anytime shortly after subscribing to a new newsletter if they do

I have to agree.  We tell our users that newsletters tend to get caught by the spam filter because they have a lot of similarities to spam.  There's always the auto forced delivery white list.  We just tell folks to check their quarantine anytime shortly after subscribing to a new newsletter if they don't see any confirmations of their subscriptions shortly after subscribing.

Most of our users realize that this is just part of life in an email world where 90% of email is spam.  It's either deal with a few inevitable false positives from time to time or receive 200 spams in your inbox each day.

We do have a mod on our site that allows senders who bother to read the NDR message to send a notification to recipients with a canned subject line and body to alert them to something really important that has landed in their quarantine amidst the few tons of spam.  It seems to work fairly well in most false positive cases involving business oriented emails and sends us a CC of the notice to help give us an idea of how often a false positive hits the quarantine.

Here is the regex that I am using to block these messages:

src\=(\"c|c)id\:

This policy has been in place for about 3-4 days, but I am only logging for the time being.  So far, only 1 false positive which I am trying to analyze. 

I agree that, if newsletters use this technique, then they subject themselves to being filtered. 

MartinC:

I'm a bit of a Regex novice. Can you explain how this works like what the varied numbers will do:

(img src=cid:[a-zA-Z0-9]{16,20})

you can vary the numbers to whatever you want, 32,32 or whatever.

Thanks!

MattR

pcmatt wrote: MartinC: I'm a bit of a Regex novice. Can you explain how this works like what the varied numbers will do:

bit of a novice with it myself, so my explanation might not be spot on.

the first number is the minimum length of string to match, the second one the length of the entire string? something like that.

so if the jumble of letters and numbers was 16 characters long and you wanted to match the entire thing, you could put 16,16 in the brackets.

if it was 16 characters but you were happy to match after a minimum of 8, then 8,16 would do the trick.

worth downloading "the Regex Coach" which I think someone linked off here... its a windows gui program that lets you try things out and see how the things will work.

I'm sure someone will come up with an even more efficient version of this expression.. but this one is fine for now.

If only the bill gates' of this world would issue rewards on the heads of virus programmers, "wanted, dead or alive, $$$$$$ for the one that....." etc etc.

Sounds funny eh? but you think about it... lets put a bounty on the head of the ones that created the latest wave of spamming viruses of, let's say, $200,000.

I mean, thats peanuts for Bill, and seeing his OS is mostly responsible for all the crap out there it seems fair to me he should be the one to pick up the tab.

With such an insentive i can allmost guarantee success in bringing the virus-geek(s) to justice. (i'd rather see them shot on the spot btw. ).

The zombie networks are beeing used for all sorts of illegal practises, only one of the 'features' is sending spam, the virus programmers made this all happen, they should be dealt with radically and decisively.

sorry, just need to vent sometimes

Another pet peeve of mine with newsletters and some shopping carts is when the use the recipients email address as the from address in the emails they are sending from their own mail servers.

We reject emails that fail SPF checking, including our own domains.

Marco wrote: If only the bill gates' of this world would issue rewards on the heads of virus programmers, "wanted, dead or alive, $$$$$$ for the one that....." etc etc. Sounds funny eh? but you think about it... lets put a bounty on the head of the ones that created the latest wave of spamming viruses of, let's say, $200,000. I mean, thats peanuts for Bill, and seeing his OS is mostly responsible for all the crap out there it seems fair to me he should be the one to pick up the tab. With such an insentive i can allmost guarantee success in bringing the virus-geek(s) to justice. (i'd rather see them shot on the spot btw. ). The zombie networks are beeing used for all sorts of illegal practises, only one of the 'features' is sending spam, the virus programmers made this all happen, they should be dealt with radically and decisively. sorry, just need to vent sometimes

I agree whole heartidly, LOL.  I think we should enfoce a law that I saw on the old 80's show, Max Headroom.  If you crashed the net in the world of Max Headroom, it was a capital punishment offense!  Surely under that train of thought, severly slowing down parts of the net would deserve a good caining.

MartinC wrote: Ken Bour wrote: Here is the regex that I am using to block these messages: src\=(\"c|c)id\: thats a bit vague to be honest, blocks all src=cid. I ended up putting in something a bit more specific. (img src=cid:[a-zA-Z0-9]{16,20}) you can vary the numbers to whatever you want, 32,32 or whatever.

Why does it even matter what comes after the cid:?  If the message contains the match from the first regex, then it should be canned.

I do see a flaw in the first regex, if there is a newline character before or after the "=" then it won't match.

I think the spammers have programmed MS Office into being an automated spam generator. These messages seem to be created by converting text into a .gif file that is split into smaller .gif files and re-assembled in MS Word.

When you view the email html you don’t see the attached document or images only cid: references to the original document.

If Word is the default mail editor in Outlook, you can click reply and are then able to select the individual image elements. If you copy the entire document (ctrl-a, ctrl-c) you can paste it into MS FrontPage and see the original html produced by Word. The images are embedded in the original Word document and referenced by the Outlook as src=cid: So you never see the original message in Outlook. Surprisingly Outlook does not indicate that the message/images are actually an attachment. Also Outlooks filters do not seem look at the html so you can't filter the src=cid.

Unless someone knows of a MS solution, it appears that a third party program will have to be used by Outlook users.