Re: Rejecting base64-encoded message bodies

Noel Jones

Nov 3, 2005, 1:09:36 PM
At 10:59 AM 11/3/2005, Rich Shepard wrote:
> Are there drawbacks to putting in a header_check that rejects
> Content-Transfer-Encoding: base64 body content?
>
> In my limited experience with the comparatively low volumes of mail we get
> here each day, only spam is so shrouded so that it misses the regular body
> checks and review by SpamAssassin. This is a separate issue from domain names
> and IP addresses not being acted upon, but Noel's and mouss' suggestions on that
> are waiting for me to have time to look into them.
>
> I've just added it as a 'hold' action. Your comments are appreciated.
>
> Thanks,
>
> Rich

This is probably a bad idea.

A great deal of legit mail is base64 encoded.
SpamAssassin does scan the decoded text of such
messages, but postfix body_checks can't.

Maybe a good compromise for you would be to use a
custom spamassassin rule to add a few points for
encoding you don't like so that such mail would be
skewed strongly towards spam. SpamAssassin web site
and -users mail list can give help in rule writing.

--
Noel Jones

mouss

Nov 3, 2005, 1:36:45 PM

Rich Shepard wrote:

> Are there drawbacks to putting in a header_check that rejects
> Content-Transfer-Encoding: base64 body content?

What do you mean? Base64 is used in legitimate mail. This is how binary
attachments are sent.
Of course, spammers may use it even when not necessary, to escape
filters that don't do base64 decoding. But SA does.

> In my limited experience with the comparatively low volumes of mail we get
> here each day, only spam is so shrouded so that it misses the regular body
> checks and review by SpamAssassin.

SA handles base64. Make sure to use "body" (match after decoding) and
not "rbody" (match raw body) in your SA rules.
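
The difference between matching the raw body and matching after decoding, as an added example that is not part of any post in this thread and is neither Postfix nor SpamAssassin code. It uses Python's standard `email` package; the pattern, the sample messages and the function names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample pattern, standing in for a content rule.
PATTERN = re.compile(r"cheap\s+watches", re.IGNORECASE)

def make_message(text: str, cte: str) -> str:
    """Build a single-part text/plain message with the given transfer encoding."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content(text, cte=cte)
    return msg.as_string()

# Constructed samples: the same unwanted text in two encodings, plus ordinary mail in base64.
SPAM_PLAIN = make_message("Buy cheap watches today\n", "7bit")
SPAM_B64 = make_message("Buy cheap watches today\n", "base64")
LEGIT_B64 = make_message("Meeting notes attached, see you Thursday.\n", "base64")

def header_flags_base64(raw: str) -> bool:
    """The check asked about: flag any part whose transfer encoding is base64."""
    msg = message_from_string(raw, policy=policy.default)
    return any(
        str(part.get("Content-Transfer-Encoding", "")).strip().lower() == "base64"
        for part in msg.walk()
    )

def raw_body_match(raw: str) -> bool:
    """Line-by-line match on the undecoded body, as a non-decoding filter sees it."""
    _, _, body = raw.partition("\n\n")  # headers end at the first blank line
    return any(PATTERN.search(line) for line in body.splitlines())

def decoded_body_match(raw: str) -> bool:
    """Match on each text part after its transfer encoding has been undone."""
    msg = message_from_string(raw, policy=policy.default)
    return any(
        part.get_content_maintype() == "text"
        and PATTERN.search(part.get_content()) is not None
        for part in msg.walk()
    )

if __name__ == "__main__":
    samples = {"spam/7bit": SPAM_PLAIN, "spam/base64": SPAM_B64, "legit/base64": LEGIT_B64}
    for name, raw in samples.items():
        print(f"{name:13} header_check={header_flags_base64(raw)!s:5} "
              f"raw={raw_body_match(raw)!s:5} decoded={decoded_body_match(raw)}")
```

The header check flags the ordinary base64 message as well as the unwanted one, while the decoded match separates them by content.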

Rich Shepard

Nov 3, 2005, 1:50:01 PM
On Thu, 3 Nov 2005, Noel Jones wrote:

> A great deal of legit mail is base64 encoded.

Noel,

In the body text? I know that attachments are encoded, but I was not aware
that the content was also encoded on a regular basis. Is this MUA-specific?

> SpamAssassin does scan the decoded text of such messages, but postfix
> body_checks can't.

I missed the SA part when I read the book on it. Guess I need to go back to
it again.

> Maybe a good compromise for you would be to use a custom spamassassin rule
> to add a few points for encoding you don't like so that such mail would be
> skewed strongly towards spam. SpamAssassin web site and -users mail list
> can give help in rule writing.

It's not the encoding that I don't like, it's the use by spammers to evade
postfix filters that irritates me.

Thanks,

Rich

--
Dr. Richard B. Shepard, President | Author of "Quantifying Environmental
Applied Ecosystem Services, Inc. (TM) | Impact Assessments Using Fuzzy Logic"
<http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863

Wietse Venema

Nov 3, 2005, 2:15:43 PM
Rich Shepard:

> On Thu, 3 Nov 2005, Noel Jones wrote:
>
> > A great deal of legit mail is base64 encoded.
>
> Noel,
>
> In the body text? I know that attachments are encoded, but I was not aware
> that the content was also encoded on a regular basis. Is this MUA-specific?

BASE64 is perfectly legitimate for the "main" body part, as is
QUOTED-PRINTABLE. I get such BASE64 and QP mail all the time.

Wietse

Rich Shepard

Nov 3, 2005, 2:25:13 PM
On Thu, 3 Nov 2005, Wietse Venema wrote:

> BASE64 is perfectly legitimate for the "main" body part, as is
> QUOTED-PRINTABLE. I get such BASE64 and QP mail all the time.

Wietse,

Thank you for the lesson. I'll work on SpamAssassin rules then.

Noel Jones

Nov 3, 2005, 2:25:27 PM
At 12:50 PM 11/3/2005, Rich Shepard wrote:
> On Thu, 3 Nov 2005, Noel Jones wrote:
>
>> A great deal of legit mail is base64 encoded.
>
> In the body text? I know that attachments are encoded, but I was not aware
> that the content was also encoded on a regular basis.

Base64 is perfectly legit as the main body. Consider:
- spammers have been using base64 encoding for years; ample time to react.
- spamassassin doesn't even add points for base64 encoded text.
- no one recommends blocking base64 encoded text.

This just isn't a good indicator of spam.

Remember that everyone who eats ketchup dies, no one
thinks the ketchup causes it.

--
Noel Jones
