>> I received a spam today where the text was only a base64-encoded blob.
>> 
>> Content-Type: text/html;
>>      charset="us-ascii"
>> Content-Transfer-Encoding: base64
>> Subject: feel young and strong again
>> 
>> PGh0bWw+DQpTdG9wIG92ZXJwYXlpbmcgZm9yIHlvdXIgcHJlc2NyaXB0aW9uIG1lZGljYXRpb25z
>> IHRvZGF5Lg0KPGJyPg0KPGJyPg0KU2F2ZSBtb3JlIHRoYW4gc2l4dHkgcGVyY2VudCBvbiBicmFu
>> ZCBuYW1lIGdlbmVyaWMgbWVkcyB0aGF0IGFyZSBjaGVtaWNhbGx5IGlkZW50aWNhbC4NCjxicj4N
>> 
>> Does SA convert the blob into text before scanning?  It contains a number 
>> of drug-related words and a URI that points to "pharmconnect.org".
>> 
>> Also is there an SA rule that scores messages that contain only a single 
>> base64 part (as opposed to a base64-encoded attachment)?  I doubt many 
>> legitimate messages arrive with only a single base64 part.
>> 
>> Peter
>> 

Hi Peter,

If the message is in a language requiring 8bit characters, a single base64
part seems to be a reasonable option to send a plaintext message.
On the other hand, I am not aware of a mail client that uses this format, so
I would suspect that any such mail comes from an automated system (I think I
have seen order confirmations in that format).
Probably a message in base64 that does not contain any single 8bit code
should be considered as an attempt to hide the message from scanners.

Wolfgang Hamann
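
Added example, not part of the original thread and not SpamAssassin's own code: a Python sketch of the check suggested in the reply above, which decodes a single-part base64 text message and reports whether the decoded body contains any 8bit byte. The function names, class labels and sample messages are constructed for illustration.

```python
import base64
from email import message_from_bytes


def classify_base64_body(raw: bytes) -> str:
    """Classify a raw message by how its only body part uses base64.

    Returns "not-single-base64-text", "base64-with-8bit" or "base64-ascii-only".
    """
    msg = message_from_bytes(raw)
    cte = str(msg.get("Content-Transfer-Encoding", "")).strip().lower()
    # Only a message whose single part is text sent as base64 is of interest;
    # a base64 attachment inside a multipart message is normal.
    if msg.is_multipart() or msg.get_content_maintype() != "text" or cte != "base64":
        return "not-single-base64-text"
    body = msg.get_payload(decode=True) or b""  # undo the transfer encoding
    if not body:
        return "not-single-base64-text"  # nothing to judge
    # Any byte >= 0x80 means the sender had a reason not to use plain 7bit.
    if any(b >= 0x80 for b in body):
        return "base64-with-8bit"
    return "base64-ascii-only"


def build_sample(text: str, charset: str, use_base64: bool = True) -> bytes:
    """Build a constructed single-part test message (not real mail)."""
    data = text.encode(charset)
    head = f'Content-Type: text/html; charset="{charset}"\r\nSubject: constructed sample\r\n'
    if use_base64:
        head += "Content-Transfer-Encoding: base64\r\n"
        data = base64.encodebytes(data)
    return head.encode("ascii") + b"\r\n" + data


# Constructed sample messages covering the three outcomes.
ASCII_ONLY = build_sample("<html>\r\nConstructed ASCII-only body.<br>\r\n</html>", "us-ascii")
WITH_8BIT = build_sample("Ihre Bestellung wurde best\u00e4tigt.", "utf-8")
PLAIN_7BIT = build_sample("Plain body sent without base64.", "us-ascii", use_base64=False)

if __name__ == "__main__":
    for name, raw in [("ascii", ASCII_ONLY), ("8bit", WITH_8BIT), ("plain", PLAIN_7BIT)]:
        print(name, classify_base64_body(raw))
```

English-language order confirmations from automated systems, as mentioned in the reply, would also fall into the "base64-ascii-only" class, so the result suits a score contribution rather than a verdict.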
