Re: encoded spam that got thru
FM_NO_FROM_OR_TO=,FM_NO_TO=,MISSING_SUBJECT=,NO_RECEIVED=,TO_CC_NONE=

Something seems a little odd here. On my system those rules would add up to quite a few points, and they don't seem to add up to anything for you.

Loren
Re: encoded spam that got thru
Jeremy Fairbrass wrote:
> Hi Eric,
> The text there is encoded with base64, which is decoded into the "proper"
> text by the mail client. SpamAssassin will also decode it before running its
> rules against it, for "body" or "rawbody" rules, which means SpamAssassin
> will be able to filter it out whether the text was encoded with base64 or
> was sent as plain text.
>
> Without being able to decode that block of stuff myself and thus see what it
> says, I'd suggest firstly making sure you're using the URIBL/SURBL network
> checks (in case this spam had any web links in it), and also use the SARE
> stock rules at http://www.rulesemporium.com/rules.htm#stocks (you might find
> the other rules on that page useful in general too).
>
> Cheers,
> Jeremy

That's helpful, thank you.

Running the message thru SA by hand, it comes up with a score of 30+.

> "Eric W. Bates" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>
>>I don't even understand how the following message works (let alone how
>>to block it).
>>
>>It simply has a chunk of what looks like encoded binary; and yet,
>>thunderbird renders it as a stock announcement (as I write this, I
>>wonder whether the good readers of this list are likely to see the ascii
>>block, or the rendered version? view source for me please). The
>>header: "Content-Transfer-Encoding: base64" should probably give me a
>>clue.
>>
>>How do we filter out spam like this? This got 0 hits.
>>
>>Thanks for your time.
>>
>>[snip]
>>X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
>>ace1.vineyard.net
>>X-Spam-Level:
>>X-Spam-Status: No, hits=0.0 required=5.0 tests=EMPTY_MESSAGE=,
>>FM_NO_FROM_OR_TO=,FM_NO_TO=,MISSING_SUBJECT=,NO_RECEIVED=,TO_CC_NONE=
>>bayes=0.5 autolearn=failed version=3.1.0
>>
>>[snip]
>>
>>From: "Roxie F. Hankins" <[EMAIL PROTECTED]>
>>To: [EMAIL PROTECTED], [EMAIL PROTECTED]
>>Subject: Focus Stock Alert
>>Date: Sat, 11 Mar 2006 23:33:30 +
>>MIME-Version: 1.0
>>Content-Type: text/plain
>>Content-Transfer-Encoding: base64
>>X-Virus-Scanned: by AMaViS-ace1 at Vineyard.NET
Re: encoded spam that got thru
> Without being able to decode that block of stuff myself and thus see what
> it says

It's a stock spam for some oil company. Decoding anything base64 encoded is pretty easy if you have perl installed somewhere:

cut
#!/usr/bin/perl
use MIME::Base64;
# paste the base64 text between the quotes
print decode_base64("");
cut
Re: encoded spam that got thru
Hi Eric,

The text there is encoded with base64, which is decoded into the "proper" text by the mail client. SpamAssassin will also decode it before running its rules against it, for "body" or "rawbody" rules, which means SpamAssassin will be able to filter it out whether the text was encoded with base64 or was sent as plain text.

Without being able to decode that block of stuff myself and thus see what it says, I'd suggest firstly making sure you're using the URIBL/SURBL network checks (in case this spam had any web links in it), and also use the SARE stock rules at http://www.rulesemporium.com/rules.htm#stocks (you might find the other rules on that page useful in general too).

Cheers,
Jeremy

"Eric W. Bates" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>I don't even understand how the following message works (let alone how
> to block it).
>
> It simply has a chunk of what looks like encoded binary; and yet,
> thunderbird renders it as a stock announcement (as I write this, I
> wonder whether the good readers of this list are likely to see the ascii
> block, or the rendered version? view source for me please). The
> header: "Content-Transfer-Encoding: base64" should probably give me a
> clue.
>
> How do we filter out spam like this? This got 0 hits.
>
> Thanks for your time.
>
> [snip]
> X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
> ace1.vineyard.net
> X-Spam-Level:
> X-Spam-Status: No, hits=0.0 required=5.0 tests=EMPTY_MESSAGE=,
> FM_NO_FROM_OR_TO=,FM_NO_TO=,MISSING_SUBJECT=,NO_RECEIVED=,TO_CC_NONE=
> bayes=0.5 autolearn=failed version=3.1.0
>
> [snip]
>
> From: "Roxie F. Hankins" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: Focus Stock Alert
> Date: Sat, 11 Mar 2006 23:33:30 +
> MIME-Version: 1.0
> Content-Type: text/plain
> Content-Transfer-Encoding: base64
> X-Virus-Scanned: by AMaViS-ace1 at Vineyard.NET
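The decode-before-matching order described in the message above, as an added example that is not part of the original thread and is not SpamAssassin's code. The sample message, the rule names (EX_*) and the patterns are constructed for illustration; only core Perl modules are used.

```perl
#!/usr/bin/perl
# Added example: apply body patterns to the transfer-decoded text, not to the
# bytes on the wire. Sample message, rule names and patterns are constructed.
use strict;
use warnings;
use MIME::Base64 qw(encode_base64 decode_base64);
use MIME::QuotedPrint qw(decode_qp);

# Constructed sample: a plain-text pitch sent with base64 transfer encoding.
my $pitch   = "Here's our next winner:\r\nCurrently Trading at: \$0.02\r\n";
my $raw_msg = join("\r\n",
    'Subject: Focus Stock Alert',
    'MIME-Version: 1.0',
    'Content-Type: text/plain',
    'Content-Transfer-Encoding: base64',
    '',
    encode_base64($pitch, "\r\n"));

# Hypothetical body rules (not SARE or stock SpamAssassin rules).
my %rules = (
    EX_NEXT_WINNER => qr/\bnext winner\b/i,
    EX_PENNY_PRICE => qr/trading at:\s*\$0\.\d\d/i,
);

# Return the body with its Content-Transfer-Encoding undone.
sub decoded_body {
    my ($msg) = @_;
    my ($head, $body) = split /\r?\n\r?\n/, $msg, 2;
    $body = '' unless defined $body;
    $head =~ s/\r?\n[ \t]+/ /g;    # unfold continued header lines
    my ($cte) = $head =~ /^Content-Transfer-Encoding:\s*(\S+)/mi;
    $cte = lc($cte // '7bit');     # no header means no transfer encoding
    return decode_base64($body) if $cte eq 'base64';
    return decode_qp($body)     if $cte eq 'quoted-printable';
    return $body;
}

# Names of the rules whose pattern matches the given text, in sorted order.
sub hits {
    my ($text) = @_;
    my @matched = grep { $text =~ $rules{$_} } sort keys %rules;
    return @matched;
}

my (undef, $wire_body) = split /\r?\n\r?\n/, $raw_msg, 2;
printf "rules hit on undecoded body: %s\n", join(',', hits($wire_body)) || '(none)';
printf "rules hit on decoded body:   %s\n", join(',', hits(decoded_body($raw_msg))) || '(none)';
```

The base64 alphabet contains no spaces, colons or dollar signs, so neither pattern can match the undecoded body; both match once the transfer encoding is undone.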
encoded spam that got thru
I don't even understand how the following message works (let alone how to block it).

It simply has a chunk of what looks like encoded binary; and yet, thunderbird renders it as a stock announcement (as I write this, I wonder whether the good readers of this list are likely to see the ascii block, or the rendered version? view source for me please). The header: "Content-Transfer-Encoding: base64" should probably give me a clue.

How do we filter out spam like this? This got 0 hits.

Thanks for your time.

[snip]
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on
ace1.vineyard.net
X-Spam-Level:
X-Spam-Status: No, hits=0.0 required=5.0 tests=EMPTY_MESSAGE=,
FM_NO_FROM_OR_TO=,FM_NO_TO=,MISSING_SUBJECT=,NO_RECEIVED=,TO_CC_NONE=
bayes=0.5 autolearn=failed version=3.1.0

[snip]

From: "Roxie F. Hankins" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Focus Stock Alert
Date: Sat, 11 Mar 2006 23:33:30 +
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-Virus-Scanned: by AMaViS-ace1 at Vineyard.NET