Spam Filter ISP Support Forum


encoding spam?

yapadu
Senior Member
Joined: 12 May 2005
Posted: 07 December 2011 at 7:55am
Not sure if I just never noticed before, or if these spammers are using a new technique.

I'm seeing text messages (they look like text) but when you view the source the messages are just base64 encoded.  Guess the email client is decoding the source.

Am I correct in that spamfilter can not do keyword scanning on messages that are base64 encoded?
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
LogSat
Admin Group
Joined: 25 January 2005
Location: United States
Posted: 07 December 2011 at 9:32pm
yapadu,

Yes, that is correct. SpamFilter does not *currently* perform any decoding on that base64-encoded message content to check it for keywords.

We are alpha-testing a new major upgrade of SpamFilter that features a completely new, redesigned SMTP engine. In addition to using fibers rather than threads, and adding support for things like TLS, this release does decode many more email formats, including the base64-encoded ones. We're probably going to pre-release it publicly within a few weeks.

In the meantime... we do have this option in the SpamFilter.ini file to block emails with such encodings:

;Set FilterBase64html to 1 if you want to block any emails with Content-Transfer-Encoding=base64 and Content-Type=text/html or text/plain

FilterBase64html=0

Roberto Franceschetti

LogSat Software

Spam Filter ISP
yapadu
Senior Member
Joined: 12 May 2005
Posted: 08 December 2011 at 6:13am
Hi Roberto,

I have been spending some time since posting that query trying to stop these messages.

I would have to ask, are you sure it does not decode base64 messages?

The reason I say this is that I'm looking at a message right now; it was placed in quarantine with rejection reason 13, and it shows the keywords that triggered it.

When I look at the message source from the quarantine table, it has text/plain and text/html sections (and an image/jpeg section), all of them base64 encoded.

If I decode the base64 message content the keyword filter that triggered it does in fact exist in the message.

So in this case at least spamfilter must have decoded the message before running the keyword filters...

I will email you a copy of the message for your reference.
--------------------------------------------------------------
I am a user of SF, not an employee. Use any advice offered at your own risk.
LogSat
Admin Group
Joined: 25 January 2005
Location: United States
Posted: 08 December 2011 at 7:53pm
I should have been a bit more thorough in my previous post. I wanted to keep things simple, but this topic deserved more explanations.

If a message contains multi-part MIME attachments, and one or more of these parts is a text/plain or a text/html attachment that is base64-encoded, SpamFilter does indeed decode them and applies all the text-based filters on them (including keywords).
An example of such an email would be something like:
Received: from 211.239.153.213 by mail.netwide.net (LogSat Software SMTP Server); Wed, 7 Dec 2011 16:21:41 -0500
From: "waylen" <waylen@jalond.com>
To: roberto <test@logsat.com>
Subject: Re: LED Lamps From Waylen
Date: Thu, 8 Dec 2011 17:22:40 +0800
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="----=_NextPart_000_088E_01CCB5CD.FD3A47C0"

This is a multi-part message in MIME format.

------=_NextPart_000_088E_01CCB5CD.FD3A47C0
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_088F_01CCB5CD.FD3A47C0"


------=_NextPart_001_088F_01CCB5CD.FD3A47C0
Content-Type: text/plain;
charset="ISO-8859-1"
Content-Transfer-Encoding: base64

SGkgU2lycywgDQoNCk91ciBMRUQgc3RyaXAgbGlnaHQgaGF2ZSBhIHNwZWNpYWwgcHJpY2UgZm9y
IGhhcHB5IG5ldyB5ZWFyIGFzIGZvbGxvdzoNCkpELVNMMzUyOFMtTjEyRDYwICBVU0QyLjUvbWV0
.........OMISSIS..........

------=_NextPart_001_088F_01CCB5CD.FD3A47C0
Content-Type: text/html;
charset="ISO-8859-1"
Content-Transfer-Encoding: base64

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv
L0VOIj4NCjxIVE1MPjxIRUFEPg0KPE1FVEEgY29udGVudD0idGV4dC9odG1sOyBjaGFyc2V0PWlz
.........OMISSIS..........

------=_NextPart_001_088F_01CCB5CD.FD3A47C0--

------=_NextPart_000_088E_01CCB5CD.FD3A47C0
Content-Type: image/jpeg;
name="card-2011-1.jpg"
Content-Transfer-Encoding: base64
Content-ID: <200FBB4A8BC446EDB21F596F0D2758EC@PC201009220859>

/9j/4R+8RXhpZgAASUkqAAgAAAAIABIBAwABAAAAAQAAABoBBQABAAAAbgAAABsBBQABAAAAdgAA
ACgBAwABAAAAAgAAA
.........OMISSIS..........



What SpamFilter is *not* currently able to do (but the next release will), is to decode an email which does not have any MIME attachments, but rather has its entire email body base-64 encoded. In this specific case, SpamFilter does not currently decode the body as there are no MIME attachments to decode. An example would be the email section below, which as you see has no "Content-Type: multipart" in it:

Received: from 211.239.153.213 by mail.netwide.net (LogSat Software SMTP Server); Wed, 7 Dec 2011 16:21:41 -0500
MIME-Version: 1.0
Date: Thu, 08 Dec 2011 06:21:38 +0900
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: base64
Message-ID: 5_1323274905168_1278962658406wf984tI_7689C27FC746872D570B.noreply@spf01.bizmailer.co.kr
From: Muk Eun Ji <no_reply@mukeunjikimchi.com>
To: roberto <test@logsat.com>
Subject: =?UTF-8?B?W011ayBFdW4gSmldIEJlc3QgV2ludGVyIEZvb2QsIE11ayBFdW4gSmkgS2ltY2hpIE1lbnU=?=

PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0MvL0RURCBYSFRNTCAxLjAgVHJhbnNpdGlvbmFs
Ly9FTiIgImh0dHA6Ly93d3cudzMub3JnL1RSL3hodG1sMS9EVEQveGh0bWwxLXRyYW5zaXRpb25h
bC5kdGQiPg0KPGh0bWwgeG1sbnM9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPg0KPGhl
YWQ+DQo8bWV0YSBodHRwLWVxdWl2PSJDb250ZW50LVR5cGUiIGNvbnRlbnQ9InRleHQvaHRtbDsg
Y2hhcnNldD11dGYtOCIgLz4NCiA8dGl0bGU+TXVrIEV1biBKaSA6IEtpbWNoaSBNZW51PC90aXRs
ZT4NCjwvaGVhZD4NCg0KPGJvZHkgc3R5bGU9Im1hcmdpbjphdXRvIDA7IHBhZGRpbmc6MDsgZm9u
......OMISSIS.......

Roberto Franceschetti

LogSat Software

Spam Filter ISP
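The two cases Roberto describes above (a multipart message whose text/plain and text/html parts are base64-encoded, versus a single-part message whose entire body is base64-encoded with no multipart container) differ only in where the Content-Transfer-Encoding header sits, and a scanner that walks every MIME part and decodes each one before keyword matching handles both. The script below is an added illustration written for this thread, not SpamFilter's own code: it builds three constructed sample messages with Python's standard `email` package, decodes every text part, runs a constructed keyword list over the decoded text, and separately emulates the `FilterBase64html=1` rule from the first reply (flag any text/plain or text/html part declared base64). Function names, keywords and sample addresses are all assumptions made for the example.

```python
import base64
import email
from email import policy

# Constructed keyword list for the example (stand-in for a SpamFilter keyword file).
KEYWORDS = ("led strip", "special price")

# Constructed sample bodies; the base64 is computed at runtime so the samples stay readable.
BODY_TEXT = "Hi Sirs,\r\n\r\nOur LED strip light have a special price for happy new year."
BODY_HTML = "<html><body><p>LED strip light special price</p></body></html>"


def b64(data) -> str:
    """Base64-encode a str or bytes value as the ASCII text that would appear in a message."""
    if isinstance(data, str):
        data = data.encode("utf-8")
    return base64.b64encode(data).decode("ascii")


# Case 1 (last reply): multipart/related wrapping multipart/alternative, every part base64.
MULTIPART_MSG = (
    "MIME-Version: 1.0\r\n"
    "From: sender@example.invalid\r\n"
    "To: test@example.invalid\r\n"
    "Subject: constructed multipart sample\r\n"
    'Content-Type: multipart/related; type="multipart/alternative"; boundary="OUTER"\r\n'
    "\r\n--OUTER\r\n"
    'Content-Type: multipart/alternative; boundary="INNER"\r\n'
    "\r\n--INNER\r\n"
    'Content-Type: text/plain; charset="ISO-8859-1"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + b64(BODY_TEXT) + "\r\n"
    "--INNER\r\n"
    'Content-Type: text/html; charset="ISO-8859-1"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + b64(BODY_HTML) + "\r\n"
    "--INNER--\r\n"
    "--OUTER\r\n"
    'Content-Type: image/jpeg; name="card.jpg"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + b64(b"\xff\xd8\xff\xe0 not a real jpeg") + "\r\n"
    "--OUTER--\r\n"
).encode("ascii")

# Case 2 (last reply): no multipart container at all, whole body base64.
SINGLE_PART_MSG = (
    "MIME-Version: 1.0\r\n"
    "From: sender@example.invalid\r\n"
    "To: test@example.invalid\r\n"
    "Subject: constructed single-part sample\r\n"
    'Content-Type: text/html; charset="UTF-8"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + b64(BODY_HTML) + "\r\n"
).encode("ascii")

# Control: ordinary 7bit text, which every keyword filter already sees in the clear.
PLAIN_MSG = (
    "MIME-Version: 1.0\r\n"
    "From: sender@example.invalid\r\n"
    "To: test@example.invalid\r\n"
    "Subject: constructed plain sample\r\n"
    'Content-Type: text/plain; charset="UTF-8"\r\n'
    "Content-Transfer-Encoding: 7bit\r\n"
    "\r\nJust a normal note about the meeting.\r\n"
).encode("ascii")


def text_parts(raw: bytes):
    """Yield every text/plain or text/html part, whether it is the whole message or nested in multipart."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():  # walk() visits the message itself and, for multipart, every descendant
        if part.get_content_type() in ("text/plain", "text/html"):
            yield part


def decoded_texts(raw: bytes):
    """Return the decoded text of each text part; get_payload(decode=True) undoes base64/quoted-printable/7bit."""
    out = []
    for part in text_parts(raw):
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        out.append(payload.decode(charset, errors="replace"))
    return out


def keyword_hits(raw: bytes, keywords=KEYWORDS):
    """Case-insensitive keyword scan over the decoded text of all text parts."""
    haystack = "\n".join(decoded_texts(raw)).lower()
    return [k for k in keywords if k.lower() in haystack]


def has_base64_text(raw: bytes) -> bool:
    """Emulates FilterBase64html=1: true if any text/plain or text/html part declares base64 encoding."""
    for part in text_parts(raw):
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte == "base64":
            return True
    return False


if __name__ == "__main__":
    for name, raw in (("multipart", MULTIPART_MSG), ("single-part", SINGLE_PART_MSG), ("plain", PLAIN_MSG)):
        print(name, "keyword hits:", keyword_hits(raw), "base64 text part:", has_base64_text(raw))
```

Decoding first and scanning second is the general fix; the `FilterBase64html` style rule is the coarser stop-gap the thread offers, and the control message shows why it is coarse: it never fires on legitimate 7bit mail, but it also blocks legitimate mail that happens to use base64 for a text part, which many clients do for non-ASCII content.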