[Esd-l] Base64 mail
John D. Hardin
jhardin at impsec.org
Sat Nov 2 13:41:01 PST 2002

On Thu, 31 Oct 2002, Jeff Bettes wrote:

> Speaking of defanging image tags, I have been getting a lot of
> base64 encoded mail lately which is nothing more than html. In
> this case none of the tags get defanged which is to be expected.

Yeah, that's a pretty common spammer trick to bypass content filters,
and is a high-reliability spam indicator.

> Is there an easy way to break the base64 mime headers so the email
> client won't decode them? They all seem to have the mime type,
>
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: base64

If you don't want to receive encoded HTML-only messages, then detect
those lines in the RFC822 message headers:

  :0
  * ^Content-Type: *text/html
  * ^Content-Transfer-Encoding: *base64
  $SPAMBOX

Note that this rule only checks the RFC822 headers, so
multipart/alternative messages and regular attachments shouldn't be
trapped.

--
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
jhardin at impsec.org pgpk -a jhardin at impsec.org
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
...the Fates notice those who buy chainsaws...
-- www.darwinawards.com
-----------------------------------------------------------------------
46 days until The Two Towers
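
Added example, not part of the original post or of the list's own code: the same top-level header test as the recipe above, written in Python and run against constructed messages to show that a multipart/alternative message carrying a base64 HTML part is not trapped. The function names, folder names and sample messages are assumptions made for illustration.

```python
import base64
from email.parser import BytesHeaderParser

def is_html_only_base64(raw: bytes) -> bool:
    """Mirror the recipe: test only the top-level RFC822 headers."""
    # Header-only parsing never looks inside MIME parts, which matches
    # procmail's default of applying conditions to the header block.
    hdrs = BytesHeaderParser().parsebytes(raw)
    ctype = hdrs.get_content_type()  # lowercased, parameters stripped
    cte = str(hdrs.get("Content-Transfer-Encoding", "")).strip().lower()
    return ctype == "text/html" and cte == "base64"

def folder_for(raw: bytes, spambox: str = "spam", inbox: str = "inbox") -> str:
    """Hypothetical delivery decision; the folder names are placeholders."""
    return spambox if is_html_only_base64(raw) else inbox

# Constructed sample input (not real mail).
BODY = base64.encodebytes(b"<html><body>constructed sample</body></html>")
COMMON = b"From: sender@example.com\r\nSubject: sample\r\nMIME-Version: 1.0\r\n"

# HTML-only message, base64 encoded: the case the recipe targets.
HTML_ONLY = (COMMON
             + b'Content-Type: text/html; charset="iso-8859-1"\r\n'
             + b"Content-Transfer-Encoding: base64\r\n\r\n" + BODY)

# Same headers, but with Content-Type folded onto a continuation line.
HTML_FOLDED = (COMMON
               + b'Content-Type: text/html;\r\n charset="iso-8859-1"\r\n'
               + b"Content-Transfer-Encoding: base64\r\n\r\n" + BODY)

# multipart/alternative: the base64 HTML headers sit in a body part,
# not in the top-level headers, so the test does not match.
MULTIPART = (COMMON
             + b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
             + b"--b1\r\nContent-Type: text/plain\r\n\r\nplain part\r\n"
             + b"--b1\r\nContent-Type: text/html\r\n"
             + b"Content-Transfer-Encoding: base64\r\n\r\n" + BODY
             + b"--b1--\r\n")

# HTML-only but not base64: only one of the two conditions holds.
HTML_QP = (COMMON
           + b"Content-Type: text/html\r\n"
           + b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
           + b"<html><body>constructed sample</body></html>\r\n")

if __name__ == "__main__":
    for name in ("HTML_ONLY", "HTML_FOLDED", "MULTIPART", "HTML_QP"):
        print(name, "->", folder_for(globals()[name]))
```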