Thunderbird - Create an Image Spam Filter

Recently a new sort of spam has started annoying people around the world. This particular breed is often called 'image spam', but most people know it as "that %$#& stock spam I get every day".

What's different about these e-mail messages is how they're put together. Each one contains both an image (usually a GIF image file) which contains the thing they're trying to push or sell and a separate section filled with text. This text is what makes this new scheme insidious. It's generally prose pulled from a book or some other source and is therefore indistinguishable, to computers, from regular human communication. The vile idea behind doing this is two-fold.

If the spammer gets their message through because a spam filter sees this message as looking like real human interaction, then they're happy. If, however, the filters in between you and the spammer's message flag it as spam or if the user clicks the Junk button enough times... the well is poisoned. In fact, this is called "Bayesian Poisoning". Bayesian analysis is the method which most 'smart' spam filters use. When you press the Junk button in Thunderbird or Apple Mail, etc. your filter adds a bunch of weighted observations about that message to your Bayesian 'corpus' (a sort of 'rule book' it continually updates and adds to). Of course, once your filter is poisoned deep enough, you'll start finding that legitimate mail is getting tossed in the Junk folder and, the spammer hopes, you'll have to open things back up so they can once again start trying to push something on you.

Well, foruntately, the very thing that allows them to do this can be used against them. To get the text and image to both display they more often than not use a particular flag (a MIME type) in the message called "multipart/related". And you can use that to stop them. Or at least slow them down a great deal.

Below is a recipe for creating a filter/rule in Mozilla Thunderbird to trap these messages. Users of other mail programs may find that they can adapt these instructions for their program as well (Apple Mail users should find the process very similar, for instance).

The Filter Recipe

NOTE: While your windows/menus may look different depending on if you're using Windows, MacOS X or Linux, the steps are the same.
1. From the upper menu, select Tools, then select Message Filters. The Message Filters window will open where you can create a new filter.

Name the filter (1) so you'll know what it's for in the future should you need to modify it
You'll need to create a new type of criteria in (2) the first drop-down box by (3) selecting 'Customize'
NOTE: A perceptive reader has pointed out that you should select "Match all of the following", not "Match any of the following" as shown in the images below. So please make this change before activating the filter.

Type in (1) the new criteria type Content-Type (type it exactly as shown)
Click (2) Add, the click (3) OK.

Now (1) select the new type 'Content-Type', select (2) 'contains'
Type in (3) multipart/related.
Click (4) the + sign to add another condition.

For the new condition, select (1) 'From', then select (2) 'isn't in my address book' (make certain you select the right one!)
Select (3) 'Collected Addresses'.
Move down to the 'Perform these actions:' pane and (4) select 'Set Junk Status to'
Select (5) 'Junk'
Click the + sign to add another action.

Select (1) 'Move Message to'
Select your Junk folder from the list of folders
Click OK and then close the 'Message Filters window'.
Your new filter is ready and will start working on all new incoming mail.

NOTE: A perceptive reader has pointed out that you should select "Match all of the following", not "Match any of the following" as shown in the images above. So please make this change before activating the filter.