Dealing with embedded GIF spam

embedded GIF SPAMSpam and phishing emails can be a huge drain on productivity for an Internet based business. I use Mozilla Thunderbird and I find the spam filtering works tolerably well. Most of the incoming spam is quietly siphoned off into a ‘Junk’ folder and there appear to be very few false positives. I supplement this with a message filter to move all emails purporting to be from or (99% of which are phishing emails) to a ‘Suspicious’ folder, which I check from time to time. But I still get lots of spam with embedded GIF images, which Thunderbird’s spam filter seems to be powerless to handle.

Mostly these are ‘pump and dump’ stock tips, but some of them are for viagra, cialis etc. Some of the spammers even helpfully include images of the body parts targeted by these medications. After a quick Google I found out how to set up a message filter for embedded GIFs on Uzik’s blog. Any email with an embedded GIF that comes from someone I don’t know now gets sent to my ‘Suspicious’ folder. Thanks Uzik! A similar approach should work in many other email clients.

Thunderbird embedded GIF rule

a rule for embedded GIFs (click to enlarge), see Uzik’s blog for more details

Note that some legitimate emails may have embedded GIFs as background images. While this practice is highly questionable you won’t want to lose these emails, so you should check your ‘Suspicious’ folder from time to time.

Of course this is only partial solution. The only real solution is to stop the spam in the first place. I say cut off their goolies.

9 thoughts on “Dealing with embedded GIF spam

  1. Andrea Nagar

    I use Google App for domains and I have my mail going through google mail server. I receive almost 0 spam and almost no false positive. Their filters seems to work very well (they are filtering out more than 4000 spams/month on my accounts).

  2. Andy Brice Post author

    Sounds interesting. But I am already dependent of Google for search, advertising, analytics and soon payment processing. I am not sure I want them hosting my email as well!

  3. Dave

    I have been using MailWasher Pro for about 2 years now and find it to be a great way to filter email before it even gets to my inbox.

    I read the header in MailWasher and then ‘process’ the list of spam/friends etc. It’s got SpamCop, FirstAlert and other online hooks to spam databases.

  4. Patrick

    Note that some legitimate emails may have embedded GIFs as background images.

    MANY of my emails have this feature, principally ones from automated systems at, e.g., my brokerage, Paypal confirmations, yadda yadda. I have a PopFile filter trained to recognize these and other automatically sent but still important email. Anything that gets tagged with that gets moved out of my “Never check it” suspicious folder to my “Eh, if I’m very bored” correspondence-with-a-computer folder.

  5. Rob Drimmie

    Hi Andy,

    Thanks for starting the blog, already there’s been tons of great information.

    Would it be possible to either switch your current feed to full entries, or add an additional feed that contains the whole thing?

  6. Andy Brice Post author


    Splitting the post into an intro+more seems to work well when it is syndicated to .

    Is it easy to create a second feed with wordpress?

  7. Andy Brice Post author


    I think the PayPal images are linked, rather than embedded. certainly they don’t get picked up by my embedded gif rule.

    In fact the only false positive so far is someone from the wedding industry who had a vile background image (which made their email almost impossible to read anyway).

Comments are closed.