• lot of them are fake replies
  • lot of them are html based (used for poisonning)
  • it has an image

Detecting fake replies

I posted about it earlier here. This is the rule that will actually make the difference since a "ham" with an image will never be caught as a fake reply unless you are using a really crappy email client.

Detecting html multipart messages

Spamassassin already has a rule detecting this:


Detecting image attachements

You need to use the multipart attachment header for this:

full            __JPG_ATTACH   /image\/jpeg/i
full            __GIF_ATTACH   /image\/gif/i

The meta rules

now that your can detect fake replies, images and html mails, let's create a meta-rule:

describe        IMG_SPAM     fake reply in html with image
score           IMG_SPAM     3

there you go!