[Esa-l] Base64 encoded pages

Bjarni R. Einarsson bre at klaki.net
Wed Feb 7 06:43:56 PST 2001


On 2001-02-07, 08:57:01 (-0200), Andre Kajita - Administrador da Rede wrote:
> 
> Then I nearly fell off my chair, the damn spammer encoded the page and
> my Netscape Mailer (4.7 though I also use Mozilla) decoded and parsed
> the HTML.

As it should... :)

This is only to be expected - as more and more people deploy
simple filters which only scan the undecoded message body for
crap, the spammers and virus writers will respond by encoding
their messages as Base64 or Quoted-Printable since that will
allow them to slip by the filters while remaining perfectly
legible for the recipient.

Just imagine how much fun we're going to have when crypto is the
norm and not the exception for email...  I'm beginning to
consider encryption of email as a security *risk*, since it
implies that all security analysis of content will have to take
place on the recipient's machine instead of at a central point as
implemented by John's (and my) sanitizer.  Signed mail is fine,
but encrypted mail is going to cause a whole slew of new
problems.

> I don't know if anyone else has had this problem - if it really is a
> problem - but this is a first for me.  Is there any way to stop this
> type of trash from coming in (and tracking with webbugs or Javascript
> code)?

If I recall correctly, this is on John's TODO list.  He
explicitly mentioned it in his last release's changelog anyway
(mentioned that it needed to be fixed, that is).

My sanitizer (http://mailtools.anomy.net/) will sanitize the
contents of base64-, uu- or quoted-printable-encoded attachments
(remove javascript & other active HTML code), but it won't do the
web-bug cleanup you're looking for.

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at klaki.net                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
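
Added example, not part of the original message and not code from either sanitizer mentioned in it: a filter that pattern-matches the message as received misses active HTML hidden behind a Content-Transfer-Encoding, while one that decodes each MIME part first finds it. The sample message, the pattern and the function names are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

# Constructed pattern: two active-HTML markers a content filter might look for.
ACTIVE_HTML = re.compile(rb"<script|javascript:", re.I)

def build_sample() -> bytes:
    """Constructed message: the same HTML sent base64- and QP-encoded."""
    html = b"<p><script>track()</script>Hi</p>"
    b64 = base64.encodebytes(html).replace(b"\n", b"\r\n")
    qp = html.replace(b"<", b"=3C").replace(b">", b"=3E") + b"\r\n"

    def part(cte: bytes, body: bytes) -> bytes:
        return (b"--sep\r\nContent-Type: text/html; charset=us-ascii\r\n"
                b"Content-Transfer-Encoding: " + cte + b"\r\n\r\n" + body)

    return (b"From: sender@example.invalid\r\n"
            b"Subject: constructed sample\r\n"
            b"MIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="sep"\r\n\r\n'
            + part(b"base64", b64) + part(b"quoted-printable", qp)
            + b"--sep--\r\n")

def scan_raw(raw: bytes) -> bool:
    """Simple filter: match the pattern against the undecoded message."""
    return bool(ACTIVE_HTML.search(raw))

def scan_decoded(raw: bytes) -> list:
    """Undo each part's transfer encoding, then match the pattern."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # container only; its children are visited by walk()
        payload = part.get_payload(decode=True) or b""
        if ACTIVE_HTML.search(payload):
            cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
            hits.append((part.get_content_type(), cte))
    return hits

if __name__ == "__main__":
    sample = build_sample()
    print("raw scan flags message:", scan_raw(sample))
    print("decoded scan hits:", scan_decoded(sample))
```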


