A Mail.app rule fix for image spam
MacInTouch reader Bill Benson posted a rule in the .Mac section of that site yesterday which will catch much of the current “image spam” plague.
He noticed that the image spam emails always have two distinguishing marks: they come from a different address each time and the Content-Type header begins with “multipart/related”.
So a rule that matches both those conditions like the one below will snag them before they hit your inbox:

The only tricky thing here is selecting “Edit Header List…” from the list of conditions and then entering “Content-Type” in the next window. “Content-Type” will now appear in the list of conditions. You will need to select it and enter “multipart/related” as its content.
You might choose to replace the “Not in my previous recipients list” condition with “Not in my Address Book” depending on your own correspondence patterns. Adjust to suit your own tastes.
There is a small downside. It seems likely that this rule will move some “false positives” into the Junk folder. But checking that from time to time is much better than wading through the image spam that Mail.app’s Junk filter is currently missing.
UPDATE: It will be easier to spot any false positives moved by this rule if you add a “Set Color of Message” action to it, choosing a unique colour. That will help them stand out in an overstuffed Junk folder.
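The rule's two conditions, written out as an added Python example (not part of the original post, and not how Mail.app evaluates rules). The function names, sample messages and addresses are constructed for illustration; the "newsletter" sample shows the false-positive case the post warns about.

```python
from email.parser import HeaderParser
from email.utils import parseaddr


def matches_rule(raw_message, known_senders):
    """True when both conditions of the rule hold for one raw message."""
    headers = HeaderParser().parsestr(raw_message)
    # Condition 1: the top-level Content-Type is multipart/related.
    # get_content_type() drops parameters such as boundary= and lowercases.
    is_related = headers.get_content_type() == "multipart/related"
    # Condition 2: the From address is not one we have written to before.
    sender = parseaddr(headers.get("From", ""))[1].lower()
    return is_related and sender not in known_senders


def triage(messages, known_senders):
    """Split {label: raw_message} into (junk, inbox) lists of labels."""
    known = {addr.lower() for addr in known_senders}
    junk = [k for k, raw in messages.items() if matches_rule(raw, known)]
    inbox = [k for k in messages if k not in junk]
    return junk, inbox


# Constructed sample messages; only the headers matter to the rule.
SAMPLES = {
    "image-spam": (
        'From: "Deb" <x91k@bulk.example>\n'
        'Content-Type: multipart/related; boundary="b1"\n\n'),
    "friend-photos": (
        "From: Friend <friend@example.org>\n"
        "Content-Type: multipart/related;\n"
        '    type="multipart/alternative"; boundary="b2"\n\n'),
    "newsletter": (  # wanted mail from an address never written to
        "From: News <news@list.example>\n"
        'Content-Type: multipart/related; boundary="b3"\n\n'),
    "plain-note": (
        "From: Stranger <someone@new.example>\n"
        "Content-Type: text/plain; charset=us-ascii\n\nhello\n"),
}
PREVIOUS_RECIPIENTS = {"friend@example.org"}  # constructed stand-in list

if __name__ == "__main__":
    junk, inbox = triage(SAMPLES, PREVIOUS_RECIPIENTS)
    print("moved to Junk:", junk)
    print("left in inbox:", inbox)
```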

August 1st, 2006 at 11:59 pm
Ehm, or not. With dozens of spam emails a day I’d rather delete the image spam from my normal mail folder than play ‘spot the false positive’ in a sea of spam.
I think I’ll have a look at how much of my normal mail has that content type thingie seeing as I have no idea what that ‘related’ header specifies.
August 2nd, 2006 at 12:06 am
I see your point, although this still seems like the best attempt at a solution that I’ve seen.
I’d be interested to see what you discover.
August 2nd, 2006 at 12:18 am
Yes, I don’t want false positives either.
I’ve implemented the above rule with a few extra options.
1) my email is “first-name@domain.com”. So for this rule to work I’ve added “if any recipient does not contain (my last name)”. I assume most people emailing me will have my last name.
2) The message content in these graphical spams seems to be blank. So I’ve added the rule “if message content does not contain (my first name)”.
I figure that’ll knock out any and all false positives…. time will tell.
Greg
August 2nd, 2006 at 12:21 am
Thank you so much. That’s exactly what I needed.
August 2nd, 2006 at 12:29 am
Well, I haven’t had a false-positive yet that I really care about.
Strangely, I was on my 3rd year using .Mac mail with probably fewer than 10 junk mails throughout that whole time. Since I went freelance however and started sending my book around a lot, whammo, 2 junk mails or so a day.
Anyhow, I’ve added the rule as most spams I get are image based. Will post only if results are poor.
I also have JunkMatcher installed and train it often.
August 2nd, 2006 at 12:50 am
Sounds like a very logical approach, since the image-solution is intended to pass the systems already on guard.
However, there are some people that do send image-mails that are not intended to go to junk, so if you know one this might not be for you. But for the office, it almost certainly is.
August 2nd, 2006 at 2:05 am
Awesome! Thanks! I was looking on how to create a rule for these just last night.
August 2nd, 2006 at 2:10 am
I like the idea of this, but in my case it had way too many false positives. I noticed that it moved several emails from sites that I actually subscribe to their newsletter, and it also marked anything from services like evite. As Greg mentions above, I would suggest everyone add more rules to customize it for their own needs.
August 2nd, 2006 at 2:43 am
Ironically half the comment mails from here ended up in my spam folder btw.
August 2nd, 2006 at 2:52 am
^^^ None did for me… ?
August 2nd, 2006 at 3:08 am
I would also encourage people to make rules to forward junk mail to your ISP’s abuse email address. As well as junk mail coming from yahoo, hotmail, ebay, paypal, etc. The email that’s just useless junk still comes, but it seems that the more harmful and potentially damaging phishing attacks start to go down.
August 2nd, 2006 at 4:45 am
I’ve noticed that most ‘image spam’ is sent as a .gif, so I have a filter looking for “.gifs” from people not in my address book/previous recipients, and that’s working very well. If I’d used the “multipart/related” filter mentioned above, it would be matching a lot of jpgs and pngs that I get from friends of mine. It’d also be nice if you could tell Mail “message content is ‘empty’”, but I don’t see a way to do that.
August 2nd, 2006 at 4:58 am
I’m not sure how much good that’ll do without including several message headers (e.g. Received) that Mail excludes when forwarding.
August 2nd, 2006 at 5:09 am
Try redirecting instead of forwarding.
August 2nd, 2006 at 5:33 am
I use SpamSieve with Mail, and it does a great job of filtering out image spam.
August 2nd, 2006 at 7:38 am
Redirecting with Mail doesn’t preserve the useful Received headers.
August 2nd, 2006 at 10:03 am
Can someone make up this rule for Entourage? It would be much appreciated.
August 5th, 2006 at 7:23 am
I have almost forgotten what spam is, last time I got one was 3 months ago (and that was my 4th spam for the last 2 years).
Some tips that have helped me:
1. Never post your email on a website, in an irc channel, newsgroup etc.
2. Use shortmail.net or similar whenever possible, instead of your email.
3. Buy a domain, activate catch-all. When you give out your email to a company, use domain-of-company@yourdomain.com. That way you will know who has sold your email, and can easily shut it down.
August 5th, 2006 at 11:31 am
I can’t get ‘Content-Type’ to stick! It stays in Options popup but when I click OK the first rule parameter reverts back to whatever it was before…
August 5th, 2006 at 11:33 am
In fact I can’t get any of the ‘Edit Header List…’ options to STICK! any ideas?
August 5th, 2006 at 5:01 pm
Shazam! Thank you bhamm! I had noticed the same feature. So, along with the rest of the insights gleaned here, I just added: “If all of the following conditions are met:” + Any Attachment Name + Ends With + .gif
Along with: “Perform the following actions:” +Set Color +of background + color
I then purged my Spam box and waited. Lo and behold, the first one in is a ‘worst offender’ that WAS escaping the filter.
August 5th, 2006 at 10:26 pm
A Mail rule against image spam…
I’m in a big anti-spam phase these days… I think you must have noticed the new wave of spam at the moment, spam based on an email containing an image, and therefore passing through the filtering systems…
August 6th, 2006 at 3:08 am
[...] Posted Aug 4th 2006 4:00PM by David Chartier Filed under: Software, Tips and tricks, Internet Tools It seems that I’m not the only one being inflicted with a new wave of image spam, as Bill Benson, a MacInTouch reader, has posted his rule solution for this junk that seems to so easily elude Mail.app’s filters. Tim Gaden at Hawk Wings, also a victim, elaborates on how to set up this rule, as a trick is involved. To summarize: [...]
August 6th, 2006 at 10:33 pm
Mike, same for me. I can’t find it either.
August 6th, 2006 at 10:55 pm
Mike and kobak – First you need to select the “Edit Header List…” option from the drop-down menu of conditions and create a Content-Type category.
Then you need to select the Content-Type condition which will now appear in the drop-down list towards the top with the To:, Cc: Subject: and other header categories.
Are you not seeing it towards the top of the list after you have created it through the Edit Header List… ?
August 6th, 2006 at 11:21 pm
I’ve spotted that the bulk of the image spam I get has the image named “image001.gif” – so that’s a separate rule I’ve set and which has helped me no end.
August 7th, 2006 at 6:03 am
[...] 10 years = on every list imaginable), and we’ll see. Archived in Email, Mac | Trackback | del.icio.us | Top OfPage [...]
August 8th, 2006 at 10:29 pm
[...] Hawk Wings posted a handy tip which I just implemented on killing the ever increasing volume of image spam slipping through my current Spam Sieve settings. Seems to have solved the issue for now. [...]
August 11th, 2006 at 9:03 am
Re (Tim): “First you need to select the “Edit Header List…” option from the drop-down menu of conditions and create a Content-Type category.”
Oh yeah, I see that alright the problem is after selecting Content-Type and clicking OK the field reverts back to whatever was in there before. “It doesn’t stick.”
September 4th, 2006 at 8:27 am
[...] It’s painful to watch the many approximate pattern-based spam-fighting attempts that come up from time to time that we all know will eventually be made obsolete. Ultimately such tricks will only end up leading to more time spent weeding out false positives while the spammers stay ahead of the curve (it is their business, after all). [...]
September 16th, 2006 at 5:22 pm
This is great. Thank you; I’ve been looking for a way to filter image spam. I reproduced this in Eudora 7.0a9 (my mailer of choice) by
(1) creating a new filter
(2) turning on the “manual” checkbox
(3) entering “Content-Type:” into the Header text field (with the colon included, not the quote marks), setting the pull-down to “contains”, and the target to “multipart/related”
(4) enabling the “and” pull-down
(5) entering “From:” into the next Header text field, setting the pull-down to “doesn’t intersect”, and the target pull-down to “History List”
(6) setting the action to “Junk”
It works wonderfully! Thanks again.
October 13th, 2006 at 5:19 am
[...] A remedy is provided by a rule set from the definitive Mail.app blog: Hawk Wings – A Mail.app rule fix for image spam. [...]
October 28th, 2006 at 12:38 pm
I hate to say it but this isn’t as good as it seems. Here is a message I sent to a mail list where someone forwarded this url:
Actually I’m trying some filters on this very matter presently.
I’ve been hoarding SPAM messages for about 5 years and it’s reasonably true that most (95%) of SPAM containing images has the content-type header set as described.
What I don’t have to prove yet, whether using such a rule will trap intended mail with images from being delivered.
From a few “genuine” messages I have received they contain a header similar:
Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----_=_NextPart_001_01C6051A.7E7799D2"
Content-Type: multipart/related;
    boundary="----=_NextPart_000_0009_01C5F376.773241C0"
So to be honest, filtering it to /dev/null might result in you NOT getting mail you actually do want to get.
However, as I intend putting this into a Challenge/Response system, the sender will be able to authorise the message through, if they aren’t already in the whitelist :)
But I’d say filtering it in your Mail Client might lead you to have to spend hours filtering through a junkbox trying to find good mail, rather than the other way around where your good mail stands out in its larger collective in your inbox.
October 29th, 2006 at 9:59 am
Adam — I don’t see the rule as it is currently formatted catching too many false positives. Do you?
October 29th, 2006 at 11:20 am
Well as noted above, those two examples are from my friends sending me pictures of their kids and Christmas greetings.
I guess if you consider that most email I get has attachments rather than multipart inclusions sure, the filter only grabs a few false positives.
But do you REALLY want to go through ten thousand spam messages just to find one or two treasured memories that have been sent by family (not that I have that category) or friends?
I’d rather lock the spam out from the start and get my positives properly!
Now I have a suggestion, but to be honest I don’t want to publicly announce it for the simple reason that spammers will yet again change their method. But do I have a choice?
I can tell people to email me directly but no doubt a spammer will do that too. So what the hell right!
So here’s what I wrote on another list. It works this week :) Probably not next!
Most embedded image SPAM messages have an incorrect construct:
IMG alt="" hspace=0 width79 heightF8 src="cid:000b01
So what I did was this:
body -case 'width\S\d height\S\d' drop
The regexes (in '') hopefully won’t toss too many real ones, which should read using the correct width= syntax.
I wonder if this is a “quirk” of the spammer? Because it’s the part that stands out like a sore thumb!
Much better than the multipart suggestion that will catch everything, even true messages.
October 29th, 2006 at 11:24 am
Here’s another I got in this morning. I get a LOT to postmaster – I usually ignore it, but still need to check postmaster mail at some stage in case something is wrong.
IMG alt="Forum" hspace=0 src="cid:000501c6fa8b$601031b0$f6af2a52@mypc"
align=baseline border=0
Embedded Content: on.gif: 00000001,2041e573,00000000,00000000
And here is the “same” one from yesterday
IMG alt="Forums" hspace=0
src="cid:000a01c6f9ec$dc00b5f0$ad409b51@tmj56y1abif6gd" align=baseline
border=0
Embedded Content: out.gif: 00000001,560f16b7,00000000,00000000
These are the COMMON elements to the two messages. The “text” surrounding them are random words and phrases designed to up the score of probability on phrase checking spam systems.
I’ve got ten years of archived spam records here in mbox format. If anyone is interested in parsing the lot and creating a more intelligent spam filter set, I’m more than happy to make the gigs of data available :)
October 30th, 2006 at 7:47 am
Adam, thanks for all this (which I think I only half-understand).
The bottom line for me is whether Mail.app can make a rule on the basis of your findings.
I think I’ll have to stick with my cruder rule and just be thankful that I don’t get ten thousand spam messages!
November 7th, 2006 at 6:01 am
[...] Applescript is the balm that heals most wounds. I base many opinions of applications based on their support for applescript. Here, applescript can help fix image spam. Sure, there’s a fix that purports to can this spam. That fix should work fairly well for most. I, however, don’t like the idea of catching false positives. Applescript can further refine the results and help eliminate false positives. [...]
November 10th, 2006 at 12:16 am
[...] HawkWings.net has a good write-up on MacInTouch reader Bill Benson’s rule for fighting image based spam. Basically, most of this image spam contains a heading Content-Type which contains multipart/related. You have to add the header to your rules in Mail.app, but that’s the only tough part. I would recommend you set the filter to change the background colour until you know everything is working. http://www.hawkwings.net/2006/08/01/mailapp-rule-fix-for-image-spam/ [...]
December 3rd, 2006 at 7:09 am
Very helpful – I’ve been getting tonnes of this junk daily lately. Thanks!
December 12th, 2006 at 2:52 pm
I’m a bit confused here…almost all those image-spam mails also contain a huge paragraph of garbage text below the inline picture — how come the regular spam filters can’t work with that to sort that crap out…?!
December 12th, 2006 at 2:54 pm
Much of this text doesn’t contain the words or the combination of words that trigger a Junk filter.
Some of it is drawn from English literature classics (I’ve seen text I recognise from Tolstoy and Dickens) or other “harmless” sources.
December 12th, 2006 at 3:01 pm
Although I wouldn’t consider Tolstoy English literature, I see your point. ;)
But I still think that’s an exception anyway…?! Most of the spam mails I get contain loads of text like this excerpt here:
—-
Vargo verinox views ninja mrwoot trojan.
Burn images allsep quicktime qt mov need xpsep shrink.
Cell terror login rate member loginuser, sign upforgot! Time watch consider donating. An award winning film making oreilly oprah.
Topsearch raquofind booksign up title, emails newest receive offers.
Peoplefrom human openerthis rebecca opener crazy opening chick goal. Hao, atlanta spirit, google searchsign inbook maps. Many bigname studios universal.
Encode decode xpdec iconcool manage extract enlarge.
Start freefront matterix top, authoring, df board.
Popular mobile devices adventures jimmy vargo verinox views.
Openerthis rebecca opener, crazy!
—-
Shouldn’t there be some way to recognize that kind of gibberish and sort it out…?! :(
December 12th, 2006 at 9:47 pm
You would think so, but I don’t know of anything. Do you?
You’re quite right about Tolstoi. I am such a linguistic imperialist :(
December 12th, 2006 at 10:15 pm
I wish I knew some great secret about how to recognize that garbage…especially since I have always been quite satisfied with Mail’s spam filtering…until that nasty image spam came up…! :(
January 24th, 2007 at 3:32 am
I’ve been getting hit by Image spam like the rest of you, it’s getting damn annoying and every time I get a mail, I get excited and only to see that it’s JUNK !
The “Multitype/related” is not a good solution, I get mails with that and it’s not junk. The headers change, the image *.gif filename changes too (sadly).. BUT.. there is one thing that does not change. IT’S THE IMAGE SIZE (507×423), and again sadly, most mail filters can’t detect image sizes. I’ve yet to check if ALL the image spam has the same file size (12.5KB)
Filtering is ONE thing, it simply filters the junk and sends it to the rubbish chute but the only true way (IMHO) to fight them back is for (1) sysadmins, abuse teams in ISPs to start waking up and do something (2) users must report it (i use spamcop.net to send reports to the ISPs involved)
If we have enough people to start reporting it to the ISP, maybe… Just Maybe… we’ll be able to get that S-hole who has been sending it, and hang him/her. So PLEASE start reporting it with SpamCop.net or some thing similar. (please)
March 25th, 2007 at 12:35 am
How can I block image-containing email in Alt MDaemon Pro 7.1.0?
Please reply?
March 25th, 2007 at 12:41 am
Shahzad, Google tells me that MDaemon is a mail server package. I don’t know the first thing about it, but my guess is that you need to apply the criteria outlined in this post using MDaemon’s support post on creating content filters.