I received a spam today where the text was only a base64-encoded blob.
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: base64
Subject: feel young and strong again
PGh0bWw+DQpTdG9wIG92ZXJwYXlpbmcgZm9yIHlvdXIgcHJlc2NyaXB0aW9uIG1lZGljYXRpb25z
IHRvZGF5Lg0KPGJyPg0KPGJyPg0KU2F2ZSBtb3JlIHRoYW4gc2l4dHkgcGVyY2VudCBvbiBicmFu
ZCBuYW1lIGdlbmVyaWMgbWVkcyB0aGF0IGFyZSBjaGVtaWNhbGx5IGlkZW50aWNhbC4NCjxicj4N
Does SA convert the blob into text before scanning? It contains a number
of drug-related words and a URI that points to "pharmconnect.org".
Also is there an SA rule that scores messages that contain only a single
base64 part (as opposed to a base64-encoded attachment)? I doubt many
legitimate messages arrive with only a single base64 part.
Peter
