Re: base64 encoded subjects
>> I'm seeing a lot of spam with base64 encoded subjects:
>>
>> Subject:
>> =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=
>>
>> Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=
>>

Hi,

I live in a part of the world where =?UTF-8?B? is normal everywhere outside the realm of US Ascii

I would, however, treat UTF16 as a spam indicator

Best regards
Wolfgang

Re: base64 encoded subjects
On 7 Feb 2020, at 21:16, Benjamin Toll wrote:

> On 2020-02-07 18:07, RW wrote:
>>
>> There's already a sub-rule for this
>>
>> __SUBJECT_ENCODED_B64 Subject:raw =~ /=\?\S+\?B\?/i
>
> Oh. Thank you very much.
>
> It looks like I haven't been reading enough of the docs after all.

If you use SA, "perldoc Mail::SpamAssassin::Conf" is your best friend. (Or it's mine at least, but I'm running low on surviving friends.)

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)

Re: base64 encoded subjects
On 2020-02-07 18:07, RW wrote:

> There's already a sub-rule for this
>
> __SUBJECT_ENCODED_B64 Subject:raw =~ /=\?\S+\?B\?/i

Oh. Thank you very much.

It looks like I haven't been reading enough of the docs after all.

Re: base64 encoded subjects
On Fri, 7 Feb 2020 16:29:38 -0600 Benjamin Toll wrote:

> I'm seeing a lot of spam with base64 encoded subjects:
> ...
> SA is scoring the messages pretty high based off the body, but a lot
> of spams with the base64 is still getting through. I thought it
> wouldn't be too hard to write a rule to catch these, but clearly I
> don't know what I'm doing:
>
> header BRT_BASE64_SUBJECT Subject =~ /=\?UTF\-8/
>

There's already a sub-rule for this

__SUBJECT_ENCODED_B64 Subject:raw =~ /=\?\S+\?B\?/i

so

meta BRT_BASE64_SUBJECT __SUBJECT_ENCODED_B64

would do. Note that it's the ?B? part that makes it base64.

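The behaviour discussed in this thread, as an added example that is not part of any poster's message or of SpamAssassin itself: Python's `email.header` decoder stands in (an assumption) for SA's header decoding, to show why the pattern from the question misses the decoded Subject and how the `?B?` pattern separates base64 from quoted-printable encoded-words on the raw header. Only the first subject comes from the thread; the other three are constructed samples.

```python
import re
from email.header import decode_header, make_header

# The first subject is quoted in the thread; the other three are constructed samples.
RAW_SUBJECTS = {
    "thread_b64": "=?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=",
    "lower_b64": "=?utf-8?b?SGVsbG8=?=",
    "q_encoded": "=?UTF-8?Q?Caf=C3=A9_menu?=",
    "plain": "Plain ASCII subject",
}

ORIGINAL_RULE = re.compile(r"=\?UTF\-8")              # pattern from the question
B64_RULE = re.compile(r"=\?\S+\?B\?", re.IGNORECASE)  # pattern of __SUBJECT_ENCODED_B64


def decode_subject(raw: str) -> str:
    """Decode RFC 2047 encoded-words (stand-in for SA's decoding before matching)."""
    return str(make_header(decode_header(raw)))


def evaluate(raw: str) -> dict:
    """Apply both patterns to the decoded and the raw form of one Subject value."""
    text = decode_subject(raw)
    return {
        "decoded": text,
        # What a plain "Subject =~" rule sees: the markers are gone after decoding.
        "orig_on_decoded": bool(ORIGINAL_RULE.search(text)),
        # What "Subject:raw =~" sees: the encoded-word is still present.
        "orig_on_raw": bool(ORIGINAL_RULE.search(raw)),
        "b64_on_raw": bool(B64_RULE.search(raw)),
    }


if __name__ == "__main__":
    for name, raw in RAW_SUBJECTS.items():
        print(name, evaluate(raw))
```

On the raw header the question's pattern also fires on the quoted-printable subject and misses the lowercase charset, which is why the `?B?` match with `/i` is the one that identifies base64.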
Re: base64 encoded subjects
On Fri, 2020-02-07 at 16:29 -0600, Benjamin Toll wrote:

> I'm seeing a lot of spam with base64 encoded subjects:
>
> Subject:
> =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=
>
> Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=
>
>
> SA is scoring the messages pretty high based off the body, but a lot of
> spams with the base64 is still getting through. I thought it wouldn't be
> too hard to write a rule to catch these, but clearly I don't know what
> I'm doing:
>
> header BRT_BASE64_SUBJECT Subject =~ /=\?UTF\-8/
>
> This doesn't trigger on any of these spams. Am I going about this the
> wrong way or am I just that bad at writing regexes? Any suggestions
> would be appreciated.
>

SA decodes those before rule matching. Try Subject:raw =~

base64 encoded subjects
I'm seeing a lot of spam with base64 encoded subjects:

Subject:
=?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=

Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=

SA is scoring the messages pretty high based off the body, but a lot of spams with the base64 is still getting through. I thought it wouldn't be too hard to write a rule to catch these, but clearly I don't know what I'm doing:

header BRT_BASE64_SUBJECT Subject =~ /=\?UTF\-8/

This doesn't trigger on any of these spams. Am I going about this the wrong way or am I just that bad at writing regexes? Any suggestions would be appreciated.