[Esd-l] Base64 mail

John D. Hardin jhardin at impsec.org
Sat Nov 2 13:41:01 PST 2002

On Thu, 31 Oct 2002, Jeff Bettes wrote:

> Speaking of defanging image tags, I have been getting a lot of
> base64 encoded mail lately which is nothing more than html.  In
> this case none of the tags get defanged which is to be expected.

Yeah, that's a pretty common spammer trick to bypass content filters, 
and is a high-reliability spam indicator.

> Is there an easy way to break the base64 mime headers so the email
> client won't decode them.  They all seem to have the mime type,
> Content-Type: text/html; charset="iso-8859-1"
> Content-Transfer-Encoding: base64

If you don't want to receive encoded HTML-only messages, then detect
those lines in the RFC822 message headers:

  * ^Content-Type: *text/html
  * ^Content-Transfer-Encoding: *base64

Note that this rule only checks the RFC822 headers, so
multipart/alternative messages and regular attachments shouldn't be

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  ...the Fates notice those who buy chainsaws...
                                              -- www.darwinawards.com
   46 days until The Two Towers

More information about the esd-l mailing list