Influx of spam recently - ORF Forums

@Joshua Colombo: these sounds like scam emails (http://en.wikipedia.org/wiki/Advance-fee_fraud). Regular spam filtering methods can do little against these, as they are not spam, actually: spam are unsolicited bulk commercial emails, which means they are distributed in large quantities (sent to thousands of addresses) and try to sell you something, so they contain links to spamvertized websites. The sender hosts are usually part of a larger botnet: this means the DNS Blacklist test detects most of them, and the rest are caught by the URL Blacklist test which detects the spamvertized URIs, or by the SPF test as the sender domain is usually spoofed, etc.

Scam is a different matter: they are usually sent by human beings to single recipients, using free email providers like Hotmail and Yahoo Mail, so the DNS Blacklist test will allow them thru (since the senders are legitimate hosts). This means Greylisting won't help either: as Yahoo and Hotmail servers work as per standards, they will re-attempt delivering the scam if they encounter a temporary rejection. Scam emails do not contain any URLs, so the URL blacklist test won't pick them up.

Your best shot is Keyword filtering: sentences, phrases like "It is understandable that you might be a little bit apprehensive because you do not know me but I have a lucrative business proposal of mutual interest to someone who suits my proposed business relationship." or "I'm a dying widow" will hardly come up in legitimate email correspondences. I suggest checking these emails for similarities, phrases which are not present in valid emails, then you can build Keyword expressions to detect them (e.g., if the email contains all of the following expressions: "Dear Friend" and "next of kin" and "dollars" and "bank", blacklist it).

You can also try using the anti-scam definitions of ClamAV as an External Agent (http://www.vamsoft.com/clamav-guide-part2.asp) but please consider that some false positives may occur (the quality of these signatures vary), so it is strongly suggested to only tag emails detected by the agent, and to use the Auto Sender Whitelist feature to lower the risk.

@mike g: There might be a way to deal with them directly (by looking for specific patterns), but that is usually quite time-consuming and difficult. I am not sure if you have seen our best practices guide at http://vamsoft.com/downloads/getmostguide.pdf - implementing the recommendations from this document usually improves spam detection rate significantly.

@mike g: theoretically, it is possible to write a regex which detects if there is no "Content-Type: text/plain;" and "Content-Type: text/html;" parts in the email header (only "Content-Type: image/gif;" or something like that), but the spam samples I checked with embedded images had both, even if there was no text in the email at all, so I do not think it is the best way to catch such spam.

You could try adding

^\s*$

to the Keyword Blacklist with "body" scope to detect emails with no text, but this does not check the existence of embedded images, so it might catch legitimate emails sent with no text but attachments only.

Fortunately, (as Peter mentioned) such emails are detected by other tests, so if you started filtering these emails with ORF, I think this would be a non-issue.

@Joshua Colombo: Yes, we definitely plan to address this in future versions.