3

We use a Barracuda Spam Filter at work, and we also provide a mass emailing program to some of clients that send out newsletters. Lately one of them's been composing his latest company newsletter and has been trying to send preview messages to himself, but they've actually been quarantined by Barracuda as potential spam, even though they aren't. I can see the breakdown of the spam scoring headers in Barracuda, but I'm not sure what certain rules mean. Here's the breakdown:

 pts rule name                      description
---- ----------------------         --------------------------------------------------
0.00 FUZZY_CPILL                    BODY: Attempt to obfuscate words in spam
2.21 HTML_IMAGE_ONLY_24             BODY: HTML: images with 2000-2400 bytes of words
0.00 HTML_MESSAGE                   BODY: HTML included in message
0.50 BSF_SC0_SA_TO_FROM_ADDR_MATCH  Sender Address Matches Recipient Address
1.00 BSF_SC0_SA392f                 Custom Rule SA392f

What is "Custom Rule SA392f"? Where do I find descriptions of these custom rules? And what does "images with 2000-2400 bytes of words" mean? Is that referring to the file size of the image, or something about the attributes on the <img> tag?

HopelessN00b
  • 53,385
  • 32
  • 133
  • 208
soapergem
  • 719
  • 4
  • 13
  • 29

2 Answers2

4

SoaperGEM is correct. It has nothing to do with the size of the image. Barracuda wants to see a certain amount of text content. If you don't have 2000-2400 bytes of actual words and you have an image, you're screwed.

Also, Barracuda will not tell you anything about their custom rules, which is frustrating but understandable (trust me I've tried). How do they know you are not one of the bad guys?

goodGuy
  • 41
  • 1
3

Regarding the HTML_IMAGE_ONLY_24:

HTML: images with 2000-2400 bytes of words

This means that it has an image of 2k - 2.4kb - it means its a very small image which can indicate spam.

The BSF_ obviously stand for Barracuda Spam Filter and are custom rules from them.

The SA392f is most likely an internal rule code from them. This is their "value add" to spamassassin, and they are not publishing it (at least that I could find on Google) because if they publish it, then spammers can find a way around it.

Your best bet is to contact Barracuda and see if they can give you the reason.

Dave Drager
  • 8,315
  • 28
  • 45
  • 2
    I've been doing some testing, and found that the HTML_IMAGE_ONLY_24 seemingly has nothing to do with the actual file size of the image. When I embedded it as `http://domain/image.gif`, I was getting this; however, when I embedded it as `http://domain/image.gif?gibberish=abcdeabcdeabcde...`, I started to get `HTML_IMAGE_ONLY_28` instead, which has a lower point value. – soapergem Oct 06 '09 at 16:40