Hey, all. I've recently started getting spam that's really hard to deal
with, and I'm open to suggestions as to how to approach it.
Superficially, they all look much like this:
Sender: "ivy" <epltbv@rehc.com>
From: "ivy" <bkwtzk@rehc.com>
To: ken@jots.org
Date: 27 Jul 2023 06:46:13 +0800
Subject: cxUP
---
mnGRZIrmMwvufsQdRRJ?Nlh?132-1532-1334
Now, the _only_ thing that stays the same is the /132.1532.1334/ (even
the separators change). "Well, great, Ken. Use a regex and zap 'em."
I did, and the regex did nothing, which completely confused me. So I
actually _looked_ at the damn e-mail:
---------------------------- cut here --------------------------
Subject: cxUP
Content-Type: multipart/alternative;
boundary=--boundary_1294650_c95a1e92-a32e-44c3-b4a8-21415b9755c6
----boundary_1294650_c95a1e92-a32e-44c3-b4a8-21415b9755c6
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64
bW5HUlpJcm1Nd3Z1ZnNRZFJSSuWIkU5saOmjhDEzMi0xNTMyLTEzMzQ=
----boundary_1294650_c95a1e92-a32e-44c3-b4a8-21415b9755c6
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
---------------------------- cut here --------------------------
The damn body's been encoded! And there's so little in there that it's
not triggering on many rules (e.g., Bayesian doesn't go over 20%). If
anyone has a bright idea -- maybe a way to decode the attachments and
run a regex against _that_? -- I'm all ears.
Thanks much,
-Ken
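
One way to do what the post asks, decode each MIME text part and run the regex against the decoded text, as an added example that is not part of the original post. It uses only Python's standard `email` module; the pattern, the function names and the restored blank lines and closing boundary in the sample are assumptions made for the example.

```python
import re
from email import message_from_string

# The digits are the only stable feature and the separators vary, so allow
# up to three non-digit characters between the groups (assumed pattern).
PATTERN = re.compile(r"132\D{0,3}1532\D{0,3}1334")

# Constructed sample: the text/plain part quoted in the post, with blank
# lines, MIME-Version and a closing boundary restored so it parses cleanly.
# The empty text/html part from the excerpt is left out.
SAMPLE = """\
Subject: cxUP
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary=--boundary_1294650_c95a1e92-a32e-44c3-b4a8-21415b9755c6

----boundary_1294650_c95a1e92-a32e-44c3-b4a8-21415b9755c6
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: base64

bW5HUlpJcm1Nd3Z1ZnNRZFJSSuWIkU5saOmjhDEzMi0xNTMyLTEzMzQ=
----boundary_1294650_c95a1e92-a32e-44c3-b4a8-21415b9755c6--
"""


def decoded_text_parts(msg):
    """Yield every text/* part with its transfer encoding and charset undone."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips the multipart container and non-text attachments
        raw = part.get_payload(decode=True)  # reverses base64 / quoted-printable
        if raw is None:
            continue
        charset = part.get_content_charset() or "utf-8"
        try:
            yield raw.decode(charset, errors="replace")
        except LookupError:  # sender supplied an unknown charset label
            yield raw.decode("utf-8", errors="replace")


def find_marker(raw_message):
    """Return every match of PATTERN found in the decoded text parts."""
    msg = message_from_string(raw_message)
    return [m.group(0) for text in decoded_text_parts(msg)
            for m in PATTERN.finditer(text)]


if __name__ == "__main__":
    print("raw match:", bool(PATTERN.search(SAMPLE)))   # regex on the wire form
    print("decoded matches:", find_marker(SAMPLE))      # regex after decoding
```

The same regex that finds nothing in the raw message matches once the base64 part is decoded, which is why a filter has to apply body rules to the decoded parts rather than to the message as received.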