This thread on news.admin.net-abuse.email got me thinking.
Recently we have had major success rejecting spam at source by a variety of means including DNSRBLs, local block lists and other rules. Some spam still gets through and an increasing proportion seems (I have noticed when complaining to ISPs about it) to come through with this "signature":
Content-Type: text/html OR
Content-Type: text/plain AND
Content-Transfer-Encoding: base64
Note, these are not multipart/mixed or multipart/related (or multipart at all, actually). They are non-MIME messages that have plain text delivered base64 encoded and that's that.
Because as far as I can tell, this should never be necessary (for messages in English at any rate), I did some more digging and found:
- many samples of spam messages using this technique, presumably to try and get past content filtering/hashing
- not a single sample of real email delivered this way
This just begs to be a rule in Server / Configuration / Router/SMTP / Restrictions / Rules, but how to write such a rule?
I have created a rule, testing the message body for these attributes, but of course it does not work as they are not strictly part of the message body I suppose.
Any ideas or is this just too ambitious?
Return to top
Plain text, base64 encoded spam (ru... (~Kelly Zekwebur... 25.Nov.02)
. . 
Print this page
