ISO-8859-x encoded subject lines

JimMeredith (Guest Group)
Posted: 26 December 2003 at 6:19pm

The old ISO-8859-x subject line encoding trick seems to be making a comeback, at least in a majority of the spam that's getting through our SpamFilter right now. For example, today, I received a spam message with a subject line of:

Subject: =?iso-8859-1?B?c21hc2ggdGhhdCBwdTU1eQ==?=

When the mail client decodes this line, it reads:

Subject: smash that pu55y

A few months ago, Roberto mentioned that subject line decoding would be included in a future release (see http://www.logsat.com/spamfilter/forums/showmessage.asp?messageID=1945). I'm not sure if that has been implemented or not, but even if it has, it will only go so far. Decoding this text prior to passing it to the content filters would be beneficial in catching some spam... but unless we were keyword trapping on "pu55y" (and "puzzy" and "puszy" and 10,000 other possible character combinations that a spammer might use for this word) we most likely would not be stopping these messages anyway.

I'm a bit concerned about setting up a RegEx to trap the "=?iso-8859-" etc. in the subject line. While there is a 99.99%+ probability that any message with a subject line encoded in this manner IS spam (at least in our system), I'm not certain as to whether inline encoding of this type might be used in legitimate message content such as documents created with Microsoft Word or other applications.

In other words... if I could, I would be willing to enact the following rule on my system:

Has anyone done this, or have an idea on how this could be implemented? And if it can't be done... Roberto, would it be possible to implement a "FilterEncodedSubject" INI setting or something like that, in a similar manner to the way that the "FilterBase64html" INI setting is currently implemented?

Thanks,
Jim

LogSat (Admin Group)
Joined: 25 January 2005 | Location: United States | Status: Offline | Points: 4106

Jim,

You have a valid point here. We've just updated the current alpha build of SpamFilter in such a way that all subject lines are stored internally as "Subject:this is some kind of subject". What this means is that we're prefixing the subject text with the letters Subject: (colon included). This will allow you to use RegEx searches that look for the "Subject:" substring followed by any text you wish to search for. The search will then be limited to all lines beginning with "Subject:", which will of course then catch the email's subject.

We'll be releasing this alpha build to a public beta within a few days.

Roberto F.
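
The two ideas in this exchange, as an added Python example that is not part of the original posts or of SpamFilter: a RegEx limited to lines stored with the "Subject:" prefix that flags ISO-8859-x encoded-words, and decoding of the subject so keyword filters see what the mail client displays. The function names are hypothetical; the first sample header is the one quoted in the first post and the others are constructed.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header

# RFC 2047 encoded-word with an ISO-8859-x charset, matched only on lines
# stored with the "Subject:" prefix (the storage format described above).
ENCODED_SUBJECT = re.compile(
    r"^Subject:.*=\?iso-8859-\d{1,2}\?[bq]\?[^?\s]*\?=",
    re.IGNORECASE | re.MULTILINE,
)


def is_encoded_subject(line):
    """True if a stored subject line carries an ISO-8859-x encoded-word."""
    return ENCODED_SUBJECT.search(line) is not None


def decode_subject(line):
    """Return the line as "Subject:<decoded text>" for the keyword filters."""
    prefix, _, value = line.partition(":")
    try:
        chunks = decode_header(value.strip())
    except HeaderParseError:
        return line  # malformed base64: leave the raw text for the regex rule
    parts = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # charset label Python does not know
                chunk = chunk.decode("latin-1")
        parts.append(chunk)
    return prefix + ":" + "".join(parts)


if __name__ == "__main__":
    # First line is the header quoted in the thread; the rest are constructed.
    samples = [
        "Subject: =?iso-8859-1?B?c21hc2ggdGhhdCBwdTU1eQ==?=",
        "Subject: Re: =?ISO-8859-15?Q?caf=E9?= menu",
        "Subject: Quarterly report",
    ]
    for s in samples:
        print(is_encoded_subject(s), repr(decode_subject(s)))
```

Encoded-words are also how legitimate mail carries accented characters in a subject, so the RegEx rule on its own will flag that mail too; decoding first lets existing keyword rules run against the displayed text instead.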

JimMeredith (Guest Group)

Thanks, Roberto. (Wow, that was a fast response!)

This modification will be very beneficial, not just for the ISO-8859-x encoding issue, but also for other testing that might work great when limited to the subject line such as repetitive consonant traps, etc.

Jim

eric (Guest Group)

Making multiple lines in the keyword file:
<!--,-->, <!--,-->, <!--,-->, <!--,--> but no less than 3 helps, but inform your users in advance.