SANS ISC: More on dealing with image spam - SANS Internet Storm Center
More on dealing with image spam
During my last shift on 15 Jan, I did a story on dealing with the image spam that I was getting on the little mail server I run at home.  I got quite a few excellent responses to that story, so I wanted to summarize those and share them with our readers.  My thanx to Steve, Dave, Tim, Alexander, Joanne, and John (I hope I didn't miss anyone).


Several people suggested looking at dspam. Some people said they had given up on SpamAssassin and gone strictly with dspam. I've added dspam to the mix, and mostly get pretty good results. The biggest problem I'm seeing with dspam is that it still is not detecting some of the image spam that takes its text from legit sources on the internet. FuzzyOCR and some of the blocklists seem to catch most of these, but even feeding all the false negatives back through dspam for training, some are still getting through. Having said that, I like dspam and will definitely keep it in the mix. I've had a suggestion (that I haven't tried yet) that I should run dspam outside of amavisd-new rather than from within it, which is how I am running it now.


Steve suggested I take a look at the clamav phish and scam rules from which can be found here.  I haven't tried them out, yet.  If you do, let me know what you think.


I didn't mention it, but I do, in fact, do greylisting using gld (readers also suggested postgrey and sqlgrey) in my postfix setup.  Unfortunately, because most of the addresses that receive mail on my server are forwarded from elsewhere, and those other sites have already accepted the e-mail, greylisting is only moderately useful in my personal situation, but I recommend trying it out.  I also should note that because I sometimes *want* to get spam and viruses at some of these e-mail addresses (including my address), I turn off spam and virus filtering at these forwarding services.  If your job (or hobby) doesn't include playing with malware, leaving that filtering turned on might save you from some of the problems that I've been seeing.
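The greylisting decision that gld, postgrey and sqlgrey make for postfix is easy to show in a few lines. The block below is an added example, not code from any of those daemons or from this diary: it parses a request in the Postfix policy-delegation format, keys the greylist on the (client /24, sender, recipient) triplet, defers the first attempt and accepts a retry after the delay. The delay and TTL values and the sample request are assumptions. It also illustrates the forwarding caveat above: a forwarding MTA is a well-behaved sender that retries, so mail relayed through it is delayed, not stopped.

```python
"""Greylisting decision logic in the shape of a Postfix SMTPD policy daemon.

Added example, not code from gld, postgrey, sqlgrey or the diary above.
The first delivery attempt for a (client network, sender, recipient)
triplet is temporarily rejected; a retry after the delay is accepted.
"""
import time

GREYLIST_DELAY = 300       # seconds before a new triplet is accepted (assumed value)
TRIPLET_TTL = 36 * 3600    # forget triplets that never came back (assumed value)


def parse_policy_request(raw: str) -> dict:
    """Parse one Postfix policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def triplet(attrs: dict) -> tuple:
    """Greylist key: the client's /24 (retries from a sender's MTA pool still match),
    plus sender and recipient in lower case."""
    ip = attrs.get("client_address", "")
    net = ".".join(ip.split(".")[:3]) if ip.count(".") == 3 else ip
    return (net, attrs.get("sender", "").lower(), attrs.get("recipient", "").lower())


class Greylist:
    """In-memory greylist; a real daemon persists this (gld and sqlgrey use a database)."""

    def __init__(self, delay: int = GREYLIST_DELAY, ttl: int = TRIPLET_TTL):
        self.delay = delay
        self.ttl = ttl
        self.first_seen = {}

    def decide(self, attrs: dict, now: float = None) -> str:
        """Postfix action for this request: DEFER_IF_PERMIT (greylisted) or DUNNO (pass)."""
        now = time.time() if now is None else now
        key = triplet(attrs)
        seen = self.first_seen.get(key)
        if seen is None or now - seen > self.ttl:
            self.first_seen[key] = now          # new (or stale) triplet: start the clock
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        if now - seen < self.delay:
            return "DEFER_IF_PERMIT Greylisted, please try again later"
        return "DUNNO"                          # retried after the delay: let other restrictions decide


def policy_response(action: str) -> str:
    """Wire format of the reply: 'action=...' followed by an empty line."""
    return f"action={action}\n\n"


# Constructed sample request, in the attribute format Postfix sends to a policy server.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=203.0.113.7\n"
    "sender=someone@example.net\n"
    "recipient=me@example.org\n"
    "\n"
)


def walkthrough() -> list:
    """First attempt deferred, retry a minute later still deferred, retry after the delay accepted."""
    gl = Greylist()
    attrs = parse_policy_request(SAMPLE_REQUEST)
    return [gl.decide(attrs, now=t).split()[0] for t in (1000, 1060, 1400)]


if __name__ == "__main__":
    for step in walkthrough():
        print(policy_response(step), end="")
```

Keying on the /24 rather than the exact address is the same compromise postgrey makes by default, because large senders retry from a different host in the same pool.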

DNS blocklists

Several folks suggested the blocklists such as the Spamhaus sbl+xbl list. I actually have those configured in postfix and I have the DNSBL SpamAssassin rules enabled. As with greylisting, the postfix use of the blocklists doesn't help if another MTA has already accepted the mail and is forwarding it to me, but the SpamAssassin usage then increases the score if it detects those source IPs in the Received: headers.

block dynamic IPs

This argument tends to take on the tone of a religious argument and I'm not going to rehash that all here. Yes, I'm aware that most spambots seem to be infected home machines and that if I rejected all mail from them and/or if ISPs blocked outbound e-mail from them that would greatly reduce the problem. It would also punish people like me who have a domain website and e-mail (very low volume) hosted on my home system connected to the internet via cable modem. Having said that, some of the DNSBLs discussed above do, in fact, block e-mail from dynamic IP ranges. Also, as noted above, that isn't quite as useful in my particular case as it might be because of the forwarding.

block all gif images

One suggestion was to block all gif images (either block e-mail containing them or strip them from the e-mail). This is another suggestion I haven't tried and probably won't in the near future. There can certainly be some backlash and/or collateral damage with this one, but since I'm reading my e-mail as plain text, I wouldn't really miss most of those images. One reader suggested that there was some fallout because of the company logo gifs getting dropped, so this person adjusted the rules to block gifs over a certain size. Of course, if you drop gifs, what about jpegs? Other image types? Mis-identified image types?
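The size-threshold variant, and the mis-identified-type question, can be handled together by looking at the bytes rather than the declared Content-Type. The block below is an added example, not the reader's rules or anything from this diary: it walks a MIME message, recognises GIFs by their GIF87a/GIF89a magic, keeps those under a threshold (logos) and strips the rest, so a GIF labelled image/jpeg is treated the same as one labelled image/gif. The threshold and the sample message are constructed assumptions.

```python
"""Strip GIF parts above a size threshold from a MIME message.

Added example, not the diary's or any reader's configuration. GIFs are
identified by magic bytes, not by the declared Content-Type, so mislabelled
parts are caught too.
"""
import email
from email.mime.application import MIMEApplication
from email.mime.image import MIMEImage
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

GIF_MAGIC = (b"GIF87a", b"GIF89a")
MAX_GIF_BYTES = 4096      # assumed threshold: below this a GIF is probably a logo


def gif_bytes(part):
    """Return the decoded body if this leaf part is a GIF (by magic bytes), else None."""
    if part.is_multipart():
        return None
    data = part.get_payload(decode=True) or b""
    return data if data.startswith(GIF_MAGIC) else None


def strip_large_gifs(msg, max_bytes=MAX_GIF_BYTES):
    """Remove every GIF larger than max_bytes from msg, recursing into nested multiparts.
    Returns (msg, removed) where removed lists (declared content type, filename, size)."""
    removed = []

    def prune(part):
        if not part.is_multipart():
            return part
        kept = []
        for sub in part.get_payload():
            data = gif_bytes(sub)
            if data is not None and len(data) > max_bytes:
                removed.append((sub.get_content_type(), sub.get_filename(), len(data)))
                continue
            kept.append(prune(sub))
        part.set_payload(kept)
        return part

    return prune(msg), removed


def sample_message():
    """Constructed sample: text, a small logo GIF, a large GIF, and a large GIF labelled image/jpeg."""
    small = b"GIF89a" + b"\x00" * 100
    large = b"GIF89a" + b"\x00" * 10000
    m = MIMEMultipart("mixed")
    m["From"] = "someone@example.net"
    m["Subject"] = "constructed sample"
    m.attach(MIMEText("see attached", "plain"))
    m.attach(MIMEImage(small, "gif", name="logo.gif"))
    m.attach(MIMEImage(large, "gif", name="banner.gif"))
    mislabelled = MIMEApplication(large, "octet-stream", name="photo.jpg")
    mislabelled.replace_header("Content-Type", 'image/jpeg; name="photo.jpg"')
    m.attach(mislabelled)
    # Round-trip through the parser so we operate on a message as the MTA would hand it over.
    return email.message_from_bytes(m.as_bytes())


def demo():
    """Returns (remaining top-level part count, filenames removed)."""
    msg, removed = strip_large_gifs(sample_message())
    return len(msg.get_payload()), [name for _, name, _ in removed]


if __name__ == "__main__":
    print(demo())   # (2, ['banner.gif', 'photo.jpg'])
```

The same magic-byte check extends naturally to other formats the paragraph asks about (JPEG starts with FF D8 FF, PNG with 89 50 4E 47), which is also how a content filter avoids trusting the sender's declared type.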

playing with SA scores for mailing lists

Finally, another reader commented that they were able to cut out some of the mailing list spam by some judicious playing with the scores assigned by SpamAssassin. This amounts to giving mail to the mailing list an initial negative score (assume that most mail to the list is not spam) and then giving it an additional higher score if the Bayes tests show it is likely to be spam (e.g., add back another few points if it hits on BAYES_95 or BAYES_99, etc.). As a result of discussions with this reader I joined the spamassassin-users list and have had to tweak some of my own scoring to deal with (half-)false positives on that list. Imagine, a mailing list that deals with a tool for assassinating spam might actually include samples of spam. Doh!

Jim Clausing, jclausing ++at++ isc dot sans dot org
ISC Handler
Feb 6th 2007