Image-only adult themed spam

Lately there is a new batch of spam going out that tends to use adult themed subjects, but has no content in the body aside from a single image.

It has been reported that this SpamAssassin rule helps:

header __CTYPE_MULTIPART_MXD Content-Type =~ /multipart\/mixed/i
mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
meta MIME_IMAGE_ONLY (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
score MIME_IMAGE_ONLY 2.00
describe MIME_IMAGE_ONLY Image body part but no text body parts

To use it, copy these five lines into the bottom of your \MDaemon\SpamAssassin\rules\local.cf file, then either restart MDaemon or create a mdspamd.sem file in the \MDaemon\App\ directory.

You may want to tweak the “Score”, but start with 2.0: this rule hasn’t been aggressively tested, so there is a higher risk of false positives than with the default SpamAssassin rules.

Lastly, it’s also worth mentioning that Outbreak Protection (part of SecurityPlus 4 and higher) is flagging these messages as spam.

UPDATE 2009/05/19: The above rule only works in MDaemon 10 and higher; for earlier versions, you’ll need one more line:

mimeheader __ANY_IMAGE_ATTACH Content-Type =~ /image\/(?:gif|jpeg|png)/
(Thanks go to “Greg Vancardo” for tracking this one down)
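To see exactly what the rule tests, here is an added example that is not from the original post nor from MDaemon or SpamAssassin: a hypothetical Python helper that applies the same three conditions (top-level multipart/mixed, an image part as defined by the __ANY_IMAGE_ATTACH line above, and no text part) to two constructed messages using only the standard library.

```python
# Hypothetical helper (not MDaemon or SpamAssassin code): applies the three
# conditions MIME_IMAGE_ONLY combines, using the stdlib email package.
import re
from email import policy
from email.parser import BytesParser

# Patterns copied from the rule bodies; re.I mirrors the /i flag.
CTYPE_MULTIPART_MXD = re.compile(r"multipart/mixed", re.I)
ANY_IMAGE_ATTACH = re.compile(r"image/(?:gif|jpeg|png)", re.I)
ANY_TEXT_ATTACH = re.compile(r"text/\w+", re.I)


def mime_image_only(raw: bytes) -> bool:
    """True when the message would trigger the MIME_IMAGE_ONLY meta rule."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    # SpamAssassin 'header' tests only the top-level message header.
    if not CTYPE_MULTIPART_MXD.search(str(msg.get("Content-Type", ""))):
        return False
    # 'mimeheader' tests every MIME part; walk() yields them all, nested too.
    ctypes = [str(part.get("Content-Type", "")) for part in msg.walk()]
    has_image = any(ANY_IMAGE_ATTACH.search(c) for c in ctypes)
    has_text = any(ANY_TEXT_ATTACH.search(c) for c in ctypes)
    return has_image and not has_text


# Constructed sample messages, not captured spam.
IMAGE_ONLY = b"""\
Subject: hot pics
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/gif; name="pic.gif"

R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
--b1--
"""
WITH_TEXT = b"""\
Subject: photo from the trip
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Here is the photo I mentioned.
--b2
Content-Type: image/jpeg; name="trip.jpg"

/9j/4AAQSkZJRg==
--b2--
"""
```

Because every part is checked, a legitimate message that carries a text/plain or text/html part anywhere in the tree (even nested inside multipart/alternative) does not fire; only messages whose parts are all non-text do, which is where the remaining false-positive risk sits.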

MDaemon’s use of batch files

I’ve recently become aware that not everyone knows what midnight.bat is, so I thought I’d discuss MDaemon’s batch files a little.

MDaemon can act upon a number of batch files in the \MDaemon\App\ directory.

learn.bat — MDaemon creates this one each time a spamlearn session is about to run. Do not edit this file; your changes will simply be overwritten. Feel free to run this batch file yourself or through a scheduler if you want to schedule learning manually.

mylearn.bat — Each time MDaemon is about to run learn.bat, it will first look for the existence of mylearn.bat. If mylearn.bat exists, it will be run instead of learn.bat. If you want to modify learn.bat’s behaviour, copy it to mylearn.bat and edit it to your heart’s content; just be warned that if you change any options in MDaemon’s spam learning dialog, you need to update mylearn.bat manually.

cleanup.bat — This is similar to learn.bat, but is used by MDaemon to launch the accountpruner and listpruner. Like learn.bat, you shouldn’t edit this file; your changes will be eaten.

mycleanup.bat — This is similar to mylearn.bat, but applies to cleanup.bat’s functionality. All the same rules and caveats apply.

midnight.bat — This batch file is executed by MDaemon at midnight each night. It serves as a simple scheduler, letting you run your own mycleanup.bat-type tasks without disabling cleanup.bat in the process.

startup.bat — This batch file is executed as part of MDaemon’s startup process. This allows you to do some scheduled/scripted cleanup when MDaemon starts. You can also start or stop other services here.

In all cases, if the batch file you want doesn’t exist, you can create it.

ORDB.org blacklisting all IP addresses

Since yesterday, March 25, ORDB.org – one of the old SPAM blacklist databases – started to blacklist all IP addresses. As a result, all mail servers using a spam filtering solution that still references ORDB (relays.ordb.org) immediately started to block all incoming e-mails. I got some reports in my personal e-mail yesterday; it was finally fixed by my provider today.

If you’re running MDaemon 9.60 or newer (released June 12, 2007) then MDaemon’s installer automatically removed relays.ordb.org from your spam blocker configuration, but if you’re on an earlier version you might want to double check your configuration.

To check whether or not you’re using ORDB, open the MDaemon GUI, go to the Security menu, look for either “DNS Blacklist” (in newer versions) or “Spam Blocker” (older versions), and check whether “ordb.org” appears anywhere in your list. If you find it, select and remove that entry and you should be good to go.

Although ORDB.org was shut down on December 18, 2006, yesterday its behaviour changed: instead of timing out, it now blocks all IP addresses, that is, every e-mail server queried is reported as an open relay. Depending on your configuration, this may result in all mail being blocked, or it may simply increase the chances that legitimate mail is treated as spam.