In fact, if the header is correctly writtren
(the relevant part is =?ISO-8859-something?B?text?= or
=?IOS-8859-something?Q?text?= for
base64 or quoted printable, and the something can range from 1 to 15), it would
be a sure
indication of a european sender.
The b and q can be lowercase, and probably the ISO as well.
If it is badly written (impossible to convert) it should be a sure sign of an
"unusual" mailer
or a homegrown mail script.
It seems that most mailers only use encoding in the header if there are actual
non-asciii
characters present, and that some spam encodes the entire sender and subject as
base64
although no such characters are present, but I would not dare to put a high
score on that.
Wolfgang Hamann
>>
>> From: "Kris Deugau" <[EMAIL PROTECTED]>
>>
>> > Thomas Deliduka wrote:
>> >> I have been dealing with a spammer that seems to defy every option to
>> >> limit him. So, I decided to create a final rule that should kill him.
>> >> I noticed that the subject in the text file always looks like
>> >>
>> >> =3D?iso-8859-1?blah blha blah
>> >>
>> >> It may or may not have 3D sometimes it's P3 or something so I made a
>> >> subject rule like this in my /etc/mail/spamassassin/local.cf:
>> >>
>> >> header L_ISO_SUBJECT Subject =~ /iso\-8859\-/i
>> >> describe L_ISO_SUBJECT Last Ditch Attempt against this Arse
>> >> score L_ISO_SUBJECT 5.2
>> >>
>> >> But I see a TON of e-mails that come through with a subject line like
>> >> that above and none of them are trapped by L_ISO_SUBJECT none!
>> >>
>> >> Why would this be.
>> >
>> > You want to use Subject:raw, so as to run your rule on the raw ASCII
>> > subject line. What you're testing there is the *decoded* Subject: which
>> > naturally has no encoding specification in it.
>> >
>> > header L_ISO_SUBJECT Subject:raw =~ /iso\-8859\-/i
>> >
>> > should work for what you're trying to do.
>> >
>> > If I get that annoyed, I usually just save myself some processing time
>> > and stuff in a procmail rule instead of playing with SA.
>> >
>> > -kgd
>>
>> Off hand I'd say that was a very bad rule. I receive a fair amount of
>> mail with that header that is quite positively ham. It's almost all
>> from Linux related lists.
>>
>> {o.o}
>>
>>
