In fact, if the header is correctly written (the relevant part is =?ISO-8859-something?B?text?= or =?ISO-8859-something?Q?text?= for base64 or quoted printable, and the something can range from 1 to 15), it would be a sure indication of a European sender. The b and q can be lowercase, and probably the ISO as well. If it is badly written (impossible to convert) it should be a sure sign of an "unusual" mailer or a homegrown mail script. It seems that most mailers only use encoding in the header if there are actual non-ASCII characters present, and that some spam encodes the entire sender and subject as base64 although no such characters are present, but I would not dare to put a high score on that.

Wolfgang Hamann

>>
>> From: "Kris Deugau" <[EMAIL PROTECTED]>
>>
>> > Thomas Deliduka wrote:
>> >> I have been dealing with a spammer that seems to defy every option to
>> >> limit him. So, I decided to create a final rule that should kill him.
>> >> I noticed that the subject in the text file always looks like
>> >>
>> >> =3D?iso-8859-1?blah blha blah
>> >>
>> >> It may or may not have 3D sometimes it's P3 or something so I made a
>> >> subject rule like this in my /etc/mail/spamassassin/local.cf:
>> >>
>> >> header L_ISO_SUBJECT Subject =~ /iso\-8859\-/i
>> >> describe L_ISO_SUBJECT Last Ditch Attempt against this Arse
>> >> score L_ISO_SUBJECT 5.2
>> >>
>> >> But I see a TON of e-mails that come through with a subject line like
>> >> that above and none of them are trapped by L_ISO_SUBJECT none!
>> >>
>> >> Why would this be.
>> >
>> > You want to use Subject:raw, so as to run your rule on the raw ASCII
>> > subject line. What you're testing there is the *decoded* Subject: which
>> > naturally has no encoding specification in it.
>> >
>> > header L_ISO_SUBJECT Subject:raw =~ /iso\-8859\-/i
>> >
>> > should work for what you're trying to do.
>> >
>> > If I get that annoyed, I usually just save myself some processing time
>> > and stuff in a procmail rule instead of playing with SA.
>> >
>> > -kgd
>>
>> Off hand I'd say that was a very bad rule. I receive a fair amount of
>> mail with that header that is quite positively ham. It's almost all
>> from Linux related lists.
>>
>> {o.o}
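
The points made in this thread, as an added example that is not part of any poster's message and is not SpamAssassin code: the thread's pattern is run against the raw and the decoded subject, and the raw value is then sorted into the cases described above (well-formed ISO-8859 word, encoding with no non-ASCII content, impossible to convert). The function names, finding labels and sample subjects are assumptions made for this illustration.

```python
import base64
import binascii
import re
from email.header import decode_header, make_header

# The rule's pattern from the thread, plus a stricter RFC 2047 encoded-word pattern.
RULE = re.compile(r"iso\-8859\-", re.I)
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bq])\?([^?\s]*)\?=", re.I)
ISO_8859 = re.compile(r"iso-8859-(?:1[0-5]|[1-9])\Z", re.I)


def decoded(raw):
    """The decoded text, which the thread says a plain `Subject` rule sees."""
    return str(make_header(decode_header(raw)))


def classify(raw):
    """Findings for a raw Subject value, the text `Subject:raw` sees."""
    findings = set()
    words = ENCODED_WORD.findall(raw)
    if "=?" in raw and not words:
        findings.add("malformed")          # looks encoded, no valid word found
    for charset, enc, text in words:
        if ISO_8859.match(charset):
            findings.add("iso-8859")
        try:
            if enc.lower() == "b":
                data = base64.b64decode(text, validate=True)
            else:
                data = binascii.a2b_qp(text, header=True)
            if data.decode(charset).isascii():
                findings.add("needless-encoding")  # nothing non-ASCII inside
        except (binascii.Error, LookupError, UnicodeDecodeError):
            findings.add("malformed")      # impossible to convert
    return findings


# Constructed sample subjects, not taken from real mail.
HAM = "=?iso-8859-1?Q?Gr=FC=DFe_aus_Berlin?="
ALL_ASCII = "=?ISO-8859-1?B?QnV5IG5vdw==?="
BROKEN = "=?iso-8859-1?B?!!!not-base64?="

if __name__ == "__main__":
    for s in (HAM, ALL_ASCII, BROKEN, "plain subject"):
        print(s, sorted(classify(s)))
```

The first sample is ordinary mail with German text and still carries the "iso-8859" finding, which is the false-positive concern raised in the last quoted reply.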