Hi All,

Recently we're seeing more spam passing our spam filters using text obfuscation in the FROM header. The problem mainly targets users who are using mail clients like iPhone Mail, which only display the display name of the FROM header and not the actual email address that was used, bypassing DKIM measures. For example:

From: =?UTF-8?B?0KBvc3RubC5ubCDQoGFra2V0?= <a...@qbocel.com>

This is base64 encoded "Рostnl.nl Рakket" and pretends to come from PostNL, a Dutch snail mail company. However, the hexadecimal representation of this base64-decoded text differs from that of normal ASCII:

Obfuscated:

$ printf "Рostnl.nl Рakket" | od -A n -t x1
 d0 a0 6f 73 74 6e 6c 2e 6e 6c 20 d0 a0 61 6b 6b
 65 74

Plain ASCII:

$ printf "Postnl.nl Pakket" | od -A n -t x1
 50 6f 73 74 6e 6c 2e 6e 6c 20 50 61 6b 6b 65 74

There is no way to tell the difference with the naked eye. You can obfuscate text using this online tool: https://obfuscator.uo1.net/

Is there any way to detect this type of obfuscation with a SpamAssassin rule?

Best regards,
Frido Otten
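As an added illustration (not part of the original post or of SpamAssassin itself), the check below decodes the RFC 2047 encoded-word in the quoted From header and flags display-name words whose letters mix scripts, which is what the Cyrillic "Р" in front of Latin "ostnl.nl" produces. The sample headers and the function names are constructed for this example.

```python
import unicodedata
from email.header import decode_header, make_header

# Constructed samples: the first is the obfuscated From header quoted in the
# post, the second is a plain-ASCII control with the same mailbox.
OBFUSCATED_FROM = "=?UTF-8?B?0KBvc3RubC5ubCDQoGFra2V0?= <a...@qbocel.com>"
PLAIN_FROM = "Postnl.nl Pakket <a...@qbocel.com>"


def display_name(raw_header):
    """Decode RFC 2047 encoded-words and return only the display-name part."""
    decoded = str(make_header(decode_header(raw_header)))
    # Drop the trailing <addr-spec>; what remains is what iPhone Mail shows.
    return decoded.rsplit("<", 1)[0].strip().strip('"')


def script_of(ch):
    """Rough script classification taken from the Unicode character name,
    e.g. 'LATIN', 'CYRILLIC', 'GREEK'. Non-letters return None."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0]


def mixed_script_words(name):
    """Return (word, scripts) for each word whose letters span more than one
    script. A name written entirely in one script is not flagged, so genuine
    Cyrillic or Greek senders do not trip the check."""
    suspicious = []
    for word in name.split():
        scripts = {script_of(c) for c in word}
        scripts.discard(None)
        if len(scripts) > 1:
            suspicious.append((word, sorted(scripts)))
    return suspicious


def is_homoglyph_spoof(raw_header):
    """True when the decoded display name contains a mixed-script word."""
    return bool(mixed_script_words(display_name(raw_header)))


if __name__ == "__main__":
    for hdr in (OBFUSCATED_FROM, PLAIN_FROM):
        name = display_name(hdr)
        print(repr(name), "->", mixed_script_words(name))
```

The per-word test is deliberately narrow: it catches "Рostnl.nl" (Cyrillic plus Latin in one word) while leaving an all-Cyrillic or all-Latin name alone, so it is a candidate for a scoring rule rather than a hard reject.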
