On 6/1/03 17:37, "Peter C.S. Adams" <[EMAIL PROTECTED]> wrote:
> Thus spake Barry Wainwright <[EMAIL PROTECTED]>, circa 1/5/2003 2:06 PM: >> There are some rules that do work in spite of the spammers changing emails >> all the time. Most effective of all my spam rules is the one that looks for >> five consecutive spaces in the subject line. > > I have a similar test in a rule that FLAGS spam but does not delete it. That > one's a little too general for me to risk losing a real message. I have yet to see any legitimate mail with five spaces in the subject line. A lot of spam does thisto try and hide a reference number off-screen to the right of the actual subject. > > Lately I've been seeing spam that passes through all my criteria and has an > odd characteristic: looking at the source, you see that the body of the > message is Base 64 encoded HTML! Apparently, Entourage decodes the Base 64 > and displays it. So I have devised a new rule with the following three > tests. If all three are met, the message is flagged. (Once I'm happy with > the results, I'll change the rule to delete the messages unseen.) > > 1. Attachment does not exist. > 2. Any header contains "text/html" > 3. Any header contains "base64" > > I am assuming that no legitimate message will ever contain Base 64 encoded > HTML (why should it?) and that any legitimate Base 64 would be in an > attachment (so in theory I could do away with test #2). Nice one! I may try this out myself. Encoding the text is often used to get through content filters. (Why spammers think that anyone who cares enough to set up content filters would take anything they send seriously is beyond me, but probably an indication of the mentality at work) > > For these reasons, I do not believe Entourage should decode Base 64 unless > the message is (a) marked as multipart and (b) the encoded item is sent as > an attachment with a name (e.g. image002.jpg). Can this behavior be changed > in a future SR? I doubt it, but send your feedback to MS - some items do get on the wishlist. You can do this (in Entourage vX) through the last item under the 'help' menu. Given the constant changes in spammers techniques I would be surprised if MS weren't looking at the way the JMF targets spam all the time. -- Barry -- To unsubscribe: <mailto:[EMAIL PROTECTED]> archives: <http://www.mail-archive.com/entourage-talk%40lists.letterrip.com/> old-archive: <http://www.mail-archive.com/entourage-talk%40lists.boingo.com/>
