One of the few false negatives I mentioned in a recent message was an
HTML spam, where the HTML message was encoded as base-64.

The start of the message body is:

--------------

------=_NextPart_F83_4BC1_E4708BB4.69BBB339
Content-Type: text/plain;
        charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable


------=_NextPart_F83_4BC1_E4708BB4.69BBB339
Content-Type: text/html;
        charset="iso-8859-1"
Content-Transfer-Encoding: base64


PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEg
...

--------------


The subject line was meaningless lower case characters with some spaces.
SA 2.55's analysis was:

    X-Spam-Status: No, hits=2.8 required=5.0
    tests=BASE64_ENC_TEXT, BAYES_44, NO_REAL_NAME, PRIORITY_NO_NAME,
    USER_AGENT

Netscape 7.02 reads this message loud and clear and displays it as HTML
- just text with links to the spammer's site.  In its original form it
had Javascript text colour changes on mouse-over over the links, but
after going through Anomy Sanitizer (after SpamAssassin decided it was
not spam), these were disabled.  So Anomy Sanitizer
(http://mailtools.anomy.net) must have unpacked the base-64 encoding,
read the HTML, and written back a new base-64 encoding after modifying
the HTML.  Indeed, looking at the pre- and post- filter versions of the
message, the base-64 blocks start the same but differ in content and length.

Does this mean that SpamAssassin is blind to the contents of base-64
encoded HTML?  If so, does this mean that spammers can use this to
bypass many of SpamAssassin's tests?  I never would have asked this
before because I didn't know that HTML could be sent this way.  Anomy
Sanitizer is hip to base-64 encoding.

I tried changing the message header so this base-64 was "Content-Type:
text/plain;" and the HTML contents of the base-64 block displayed as
plain text.  Does this mean that base-64 encoding is a way to send
messages to be displayed as text too?  That would be a nasty misfeature
of the entire email system I think - for messages to be sent and
received like this in a way which resists filtering and searching.


  - Robin
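
The check the post is asking about, as an added example that is not part of the original message and not SpamAssassin's or Anomy Sanitizer's code: each text part is decoded according to its Content-Transfer-Encoding before a body rule runs, and the result is compared with running the same rule over the raw body. The sample message, the rule `RULE` and the function names are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Constructed sample (not the message from the post): an empty quoted-printable
# text part followed by a base64-encoded HTML part, as in the structure above.
HTML = '<html><body><a href="http://example.invalid/offer">Click here</a></body></html>'
SAMPLE = (
    "Subject: qwe rty uiop\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/alternative; boundary="BOUND"\n'
    "\n"
    "--BOUND\n"
    'Content-Type: text/plain; charset="iso-8859-1"\n'
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n\n"
    "--BOUND\n"
    'Content-Type: text/html; charset="iso-8859-1"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(HTML.encode("iso-8859-1")).decode("ascii")
    + "\n--BOUND--\n"
)

# Hypothetical body rule standing in for a filter's content tests.
RULE = re.compile(r'<a\s+href="http://[^"]+"', re.I)

def decoded_text_parts(raw):
    """Yield (content_type, transfer_encoding, decoded_text) for each text/* part."""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        charset = part.get_content_charset() or "iso-8859-1"
        try:
            text = payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label: fall back to a byte-preserving one
            text = payload.decode("iso-8859-1", errors="replace")
        cte = (part.get("Content-Transfer-Encoding") or "7bit").lower()
        yield part.get_content_type(), cte, text

def scan(raw):
    """Return (rule hit on raw body, content types that hit after decoding)."""
    decoded_hits = [ctype for ctype, _, text in decoded_text_parts(raw) if RULE.search(text)]
    return bool(RULE.search(raw)), decoded_hits

if __name__ == "__main__":
    print(scan(SAMPLE))
```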





_______________________________________________
Spamassassin-talk mailing list
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk