Embedded image spam getting through - ORF Forums

Embedded image spam getting through RSS Back to forum


We've been getting an increase in emails that are nothing but an embedded JPG with a message claiming that the recipients account has been hacked and demanding payment to a bitcoin wallet.

The HELO/EHLO domain is proper. The SPF check result is "pass". The domains and IP's are different every time.

Any suggestions on how to stop these?

by aeleus 1 year ago

@aeleus: Hello aeleus,

Are the "From:" and "To:" addresses (in the message header) identical in those emails by any chance? Is the spammer spoofing your domain in the From address field? If so, you should add a special header filter to ORF as described in the “Other campaigns: MIME sender spoofing” section of our related article:


by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)


@Daniel Novak (Vamsoft): Thanks for the suggestion, but the from: and to: are not identical or spoofed. I already reject emails that are from a recipient domain. The source IP seems to be completely different each time as well.

About the only thing that stands out as unusual is that the body consists of only the embedded JPG. That makes it difficult to reject based on content.

Is there a way to block emails that have no text in the body?

by aeleus 1 year ago
(in reply to this post)


@aeleus: Yes, you could try to block empty emails, but I think it would be better to approach this spam problem from a different angle. Based on the description you provided, it sounds like you are being hit by snowshoe (+sextortion scam) spam which is indeed a headache and it is remarkably successful at evading DNSBLs/SURBLs. In any case, there is often room for improvement or problems with ORF configurations that contribute toward a worse-than-ideal spam filtering performance. The best way to identify these is to do a comprehensive review of your configuration and logs. Once this review is completed, we can provide you with an analysis and recommendations (if any) to achieve more with ORF. If you agree, please send us (to ) the following files for analysis:

+ Your configuration file orfent.ini. This can be found in the ORF program directory, \Program Files (x86)\ORF Fusion by default.

+ A few recent ORF log files. These have .log extension (e.g. orf-2019-04-23.log for yesterday) and can be found on the configured ORF logging path.

by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)


@Daniel Novak (Vamsoft): Thanks for the offer Daniel. I did notice that the MIME sender is spoofed in the emails I was able to examine. I applied the keyword blacklisting as described in the link you posted.


I will be checking to see if that blocks most of these.

by aeleus 1 year ago
(in reply to this post)


Hi I am seeing this problem as well, but I cant get the filter in the link above to work as it appears to only include the users name not their email address how do I block empty emails with no text.


by mark.hoban 1 year ago

@mark.hoban: Hello Mark,

If you want to blacklist blank emails (i.e. no content in the mail body), add the following regex type expression to the Keyword Blacklist with an "Email body" search scope. - the "Body raw HTML source" option should not be checked in this case.

Regex pattern to use:


by Daniel Novak (Vamsoft) 1 year ago
(in reply to this post)

New comment

Fill in the form below to add a new comment. All fields are required. If you are a registered user on our site, please sign in first.

It will not be published.
hnp1 | hnp2