One of the few false negatives I mentioned in a recent message was an HTML spam, where the HTML message was encoded as base-64.
The start of the message body is: -------------- ------=_NextPart_F83_4BC1_E4708BB4.69BBB339 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable ------=_NextPart_F83_4BC1_E4708BB4.69BBB339 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: base64 PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMDEg ... -------------- The subject line was meaningless lower case characters with some spaces. SA 2.55's analysis was: X-Spam-Status: No, hits=2.8 required=5.0 tests=BASE64_ENC_TEXT, BAYES_44, NO_REAL_NAME, PRIORITY_NO_NAME, USER_AGENT Netscape 7.02 reads this message loud and clear and displays it as HTML - just text with links to the spammer's site. In its original form it had Javascript text colour changes on mouse-over over the links, but after going through Anomy Sanitizer (after SpamAssasin decided it was not spam), these were disabled. So Anomy Sanitizer (http://mailtools.anomy.net) must have unpacked the base-64 encoding, read the HTML, and written back a new base-64 encoding after modifying the HTML. Indeed, looking at the pre- and post- filter versions of the message, the base-64 blocks start the same but differ in content and length. Does this mean that SpamAssassin is blind to the contents of base-64 encoded HTML? If so, does this mean that spammers can use this to bypass many of SpamAssassin's tests? I never would have asked this before because I didn't know that HTML could be sent this way. Anomy Sanitizer is hip to base-64 encoding. I tried changing the message header so this base-64 was "Content-Type: text/plain;" and the HTML contents of the base-64 block displayed as plain text. Does this mean that base-64 encoding is a way to send messages to be displayed as text too? That would be a nasty misfeature of the entire email system I think - for messages to be sent and received like this in a way which resists filtering and searching. - Robin ------------------------------------------------------- This SF.Net email is sponsored by: INetU Attention Web Developers & Consultants: Become An INetU Hosting Partner. Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission! INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk