There’s been this rash of really irritating image spam lately, difficult for spam filters to catch because of its nature.
For example, if you look at this spam and view the HTML source, you see the following:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="MSHTML 6.00.2800.1106" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2><IMG alt="" hspace=0
src="cid:000001c66dfc$24202377$7a47e8c8@legunj.hqyivu"
align=baseline
border=0></FONT></DIV>
</BODY></HTML>
Not necessarily a lot for a spam filter to go off of, unless you simply want to ban HTML emails (not entirely practical for most…).
So, we are killing it in our Ninja messaging security product with a regex that looks like this:
^\s*?\<!doctype\s+?html\s+?public\s+?"[^"]+?"\s*?\>\s*?\<html\>\s*?\<head\>\s*?\<meta\s+?[^>]*?content\s*?=\s*?(["'])[^\1]*?\1\s*?name\s*?=\s*?["']?GENERATOR["']?\s*?\>\s*?\<style[^>]*?\>.*?\</style\s*?\>\s*?\</head\s*?\>\s*?\<body\s+?bgColor\s*?=\s*?\S{7,7}\s*?\>\s*?\<div[^>]*?\>.*?\<font\s+?face\s*?=\s*?arial\s+?size\s*?=\s*?2\*?\>[^<]*?\<img\s+?alt\s*?=\s*?(["'])\2\s+?hspace\s*?=\s*?0\s+?src\s*?=\s*?(["'])cid\:[^@]{30,30}@[^\3]*?\3\s+?align\s*?=\s*?baseline\s+?border\s*?=\s*?0\>\s*?\</font\>\s*?\</div\>\s*?\</body\>\s*?\</html\>\s*?$
Alex Eckelberry