Mailing List Archive

base64 encoded subjects
I'm seeing a lot of spam with base64 encoded subjects:

Subject:
=?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=

Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=


SA is scoring the messages pretty high based off the body, but a lot of
spams with the base64 are still getting through. I thought it wouldn't be
too hard to write a rule to catch these, but clearly I don't know what
I'm doing:

header   BRT_BASE64_SUBJECT Subject =~ /=\?UTF\-8/

This doesn't trigger on any of these spams. Am I going about this the
wrong way or am I just that bad at writing regexes? Any suggestions
would be appreciated.
Re: base64 encoded subjects
On Fri, 2020-02-07 at 16:29 -0600, Benjamin Toll wrote:
> I'm seeing a lot of spam with base64 encoded subjects:
>
> Subject:
> =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=
>
> Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=
>
>
> SA is scoring the messages pretty high based off the body, but a lot of
> spams with the base64 are still getting through. I thought it wouldn't be
> too hard to write a rule to catch these, but clearly I don't know what
> I'm doing:
>
> header BRT_BASE64_SUBJECT Subject =~ /=\?UTF\-8/
>
> This doesn't trigger on any of these spams. Am I going about this the
> wrong way or am I just that bad at writing regexes? Any suggestions
> would be appreciated.
>

SA decodes those before rule matching.

Try Subject:raw =~
Re: base64 encoded subjects
On Fri, 7 Feb 2020 16:29:38 -0600
Benjamin Toll wrote:

> I'm seeing a lot of spam with base64 encoded subjects:
>
...
> SA is scoring the messages pretty high based off the body, but a lot
> of spams with the base64 are still getting through. I thought it
> wouldn't be too hard to write a rule to catch these, but clearly I
> don't know what I'm doing:
>
> header   BRT_BASE64_SUBJECT Subject =~ /=\?UTF\-8/
>



There's already a sub-rule for this

__SUBJECT_ENCODED_B64 Subject:raw =~ /=\?\S+\?B\?/i


so

meta BRT_BASE64_SUBJECT __SUBJECT_ENCODED_B64

would do. Note that it's the ?B? part that makes it base64.
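
Added example (not part of the thread and not SpamAssassin's code): a Python sketch of why the pattern from the first post misses once the header has been decoded, and why the ?B? test on the raw header is what identifies base64. Python's email.header decoding stands in for SA's own decoding here, and the third, Q-encoded subject is a constructed sample.

```python
import re
from email.header import decode_header, make_header

# Raw Subject values: the first two are quoted in the thread, the third is a
# constructed Q-encoded (quoted-printable) sample for contrast.
RAW_SUBJECTS = [
    "=?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=",
    "=?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=",
    "=?UTF-8?Q?Gr=C3=BC=C3=9Fe_aus_Wien?=",
]

ORIGINAL_RULE = re.compile(r"=\?UTF\-8")        # pattern from the first post
B64_RULE = re.compile(r"=\?\S+\?B\?", re.I)     # pattern of __SUBJECT_ENCODED_B64

# RFC 2047 encoded-word layout: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([BbQq])\?[^?\s]*\?=")


def decoded(raw):
    """Decode encoded-words; stands in for the decoded view a plain Subject rule sees."""
    return str(make_header(decode_header(raw)))


def encodings(raw):
    """Return (charset, encoding) for each encoded-word in the raw header."""
    return [(m.group(1).upper(), m.group(2).upper()) for m in ENCODED_WORD.finditer(raw)]


def evaluate(raw):
    """Run both patterns against the decoded and the raw form of one header."""
    text = decoded(raw)
    return {
        "decoded": text,
        "encodings": encodings(raw),
        "original_on_decoded": bool(ORIGINAL_RULE.search(text)),
        "original_on_raw": bool(ORIGINAL_RULE.search(raw)),
        "b64_on_raw": bool(B64_RULE.search(raw)),
    }


if __name__ == "__main__":
    for raw in RAW_SUBJECTS:
        print(evaluate(raw))
```

The original pattern matches all three raw headers but none of the decoded ones; the ?B? pattern matches only the two base64 subjects from the thread.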
Re: base64 encoded subjects
On 2020-02-07 18:07, RW wrote:
>
> There's already a sub-rule for this
>
> __SUBJECT_ENCODED_B64 Subject:raw =~ /=\?\S+\?B\?/i

Oh. Thank you very much.

It looks like I haven't been reading enough of the docs after all.
Re: base64 encoded subjects
On 7 Feb 2020, at 21:16, Benjamin Toll wrote:

> On 2020-02-07 18:07, RW wrote:
>>
>> There's already a sub-rule for this
>>
>> __SUBJECT_ENCODED_B64 Subject:raw =~ /=\?\S+\?B\?/i
>
> Oh. Thank you very much.
>
> It looks like I haven't been reading enough of the docs after all.

If you use SA, "perldoc Mail::SpamAssassin::Conf" is your best friend.

(Or it's mine at least, but I'm running low on surviving friends.)

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
Re: base64 encoded subjects
>> I'm seeing a lot of spam with base64 encoded subjects:
>>
>> Subject:
>> =?UTF-8?B?RnVsbCBkZW50YWwgY292ZXJhZ2UgZm9yIGZhbWlsaWVzIGFuZCBzZW5pb3JzLCBjb3ZlcnMgYWxsIHByb2NlZHVyZXM=?=
>>
>> Subject: =?UTF-8?B?V2VhciB5b3VyIE11bHRpLVRvb2wgYXJvdW5kIHlvdXIgd3Jpc3Qu?=
>>
>>
Hi,

I live in a part of the world where =?UTF-8?B? is normal .... everywhere outside the
realm of US-ASCII.
I would, however, treat UTF16 as a spam indicator.

Best regards
Wolfgang