On 28 Feb 2019, at 8:43, Emanuel wrote:

Hello,

Due to email accounts compromised by viruses, I have created filters for the subject of these malicious emails:

/^Subject: Your Amazon\.co\.uk order \#[0-9]*$/    DISCARD

Side note: REJECT is a better choice than DISCARD, unless you're doing the check on a Postfix instance that doesn't receive mail directly from the Internet. Discarding means you appear to be accepting the message for delivery as far as the SMTP client can tell, making your system look like a promising target. Rejecting instead makes it clear that the spam isn't going anywhere and in cases where the source is a compromised account, it makes the abuse apparent to the victim and possibly their service provider.

Now, I see that these malicious emails keep coming out but they are not discarded because the subject is encoded in utf8.

And just as importantly: encoded with Base64.

=?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=

How can I discard these emails if they are encoded? Or do I need to create a regular expression for the ID in the subject?

2 possible solutions:

1. Match against the encoded form. "WW91ciBBbWF6b24uY28udWsgb3JkZXIg" is 'Your Amazon.co.uk order ' encoded with Base64, so you could use this header_checks line:

/^Subject: =\?UTF-8\?B\?WW91ciBBbWF6b24uY28udWsgb3JkZXIg/    DISCARD

Note that this is error-prone because the standard for non-ASCII header encoding allows breaking a header into distinct words which may be encoded independently and even use different encodings. Someone actually believed that to be a good idea...

2. Do this in an external content filter (e.g. SpamAssassin) that decodes everything for you so that you can just match against the decoded header.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
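The following is an added illustration of the point made in this reply, not code from the thread or from Postfix: it decodes RFC 2047 encoded-words in a Subject header with Python's standard `email.header` module (the decoding a content filter such as SpamAssassin does for you) and applies both rules from the thread, the one written against the decoded subject and the one written against the Base64-encoded form. The plain and B-encoded samples are the ones quoted above; the third sample, which splits the same text into two encoded-words with different charsets and encodings, is constructed here to show why matching the encoded form is error-prone. Both regexes are compiled case-insensitively because Postfix regexp tables match case-insensitively by default.

```python
import re
from email.header import decode_header, make_header

# Rule from the thread, applied to the *decoded* subject (the order ID is digits).
# Postfix regexp tables are case-insensitive by default, so mirror that here.
DECODED_PATTERN = re.compile(r"^Your Amazon\.co\.uk order #[0-9]*$", re.IGNORECASE)

# Rule from the thread, applied to the raw header value. It only fires when the
# whole subject is one UTF-8 B-encoded word that starts with exactly this prefix.
ENCODED_PATTERN = re.compile(
    r"^=\?UTF-8\?B\?WW91ciBBbWF6b24uY28udWsgb3JkZXIg", re.IGNORECASE
)


def decode_subject(raw_subject: str) -> str:
    """Decode RFC 2047 encoded-words (B or Q, any charset, any split) to text.

    decode_header() drops the whitespace between adjacent encoded-words, as
    RFC 2047 requires, so a subject split into several words reassembles to
    the original string; make_header() then joins the decoded chunks.
    """
    return str(make_header(decode_header(raw_subject)))


def matches_decoded(raw_subject: str) -> bool:
    """Apply the subject rule after decoding, the way a content filter would."""
    return DECODED_PATTERN.match(decode_subject(raw_subject)) is not None


def matches_encoded(raw_subject: str) -> bool:
    """Apply the encoded-form header_checks rule to the raw header value."""
    return ENCODED_PATTERN.match(raw_subject) is not None


# Constructed inputs: the same subject in three wire forms. The first two are
# the forms quoted in the thread; the third (constructed for this example) is
# the same text as two encoded-words with different charsets and encodings.
SAMPLES = {
    "plain": "Your Amazon.co.uk order #366850967",
    "utf8_b64": "=?UTF-8?B?WW91ciBBbWF6b24uY28udWsgb3JkZXIgIzM2Njg1MDk2Nw==?=",
    "split_mixed": "=?UTF-8?B?WW91ciBBbWF6b24u?= =?ISO-8859-1?Q?co.uk_order_=23366850967?=",
}


def compare_rules(samples=SAMPLES):
    """Return {name: (encoded_rule_hit, decoded_rule_hit)} for each sample."""
    return {
        name: (matches_encoded(raw), matches_decoded(raw))
        for name, raw in samples.items()
    }


if __name__ == "__main__":
    for name, (enc, dec) in compare_rules().items():
        print(f"{name:12s} decoded={decode_subject(SAMPLES[name])!r} "
              f"encoded-form rule: {enc}  decoded rule: {dec}")
```

All three samples decode to the same subject and are caught by the decoded-form rule, while the encoded-form rule catches only the single-word UTF-8 Base64 variant; the plain-ASCII original and the split variant slip past it, which is the gap the reply describes.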
