Re: [vps-mail] IS0-8859 spams slipping by SpamAssassin
- Subject: Re: [vps-mail] IS0-8859 spams slipping by SpamAssassin
- From: Godwin Stewart <gstewart@xxxxxxxxxxx>
- Date: Mon, 12 Apr 2004 10:23:30 +0200
On Sun, 11 Apr 2004 22:03:57 -0400, "Jim Smith" <maillists@xxxxxxxxxxxxxxxx>
wrote:
> I've tried to find a pattern in these headers but I can't figure it out
> and can't find references on how to handle the IS0-8859 headers.
>
> Any suggestions for creating rules for this IS0-8859 stuff?
If you want to rule out communication with anyone whose language uses
character sets other than us-ascii then this is a good way to go about it.
Legitimate software uses this technique. FWIW, ISO-8859-1 and its more
modern equivalent including the Euro symbol, ISO-8859-15, is the character
code used throughout Western Europe, including English-speaking countries
like the UK and Ireland...

However, one difference between legitimate software and spamware is that
legitimate software usually only encodes the word which needs it, *AND* it
usually uses quoted printable rather than base64.

Therefore, what you want to look out for is a subject which is *entirely*
encoded, and encoded in base64:

    Subject: =?charset?b?.........?=

So, assuming SA uses Perl regular expressions (I've never used SA):

    describe OBFUSCATED_SUBJECT Subject messed around with
    # Subject:raw is the header value before encoded-word decoding
    header OBFUSCATED_SUBJECT Subject:raw =~ /^\s*=\?[^\?]+\?b\?[^\?]*\?=\s*$/i
    score OBFUSCATED_SUBJECT 2.1

This, however, will *not* catch subjects spread over several lines.

--
G. Stewart -- gstewart@xxxxxxxxxxx -- gstewart@xxxxxxxxxxx
Registered Linux user #284683 (Slackware 9.0, Linux 2.4.25)
--------------------------------------------------------------
Why is it that when you transport something by car it's
called shipment, but when you transport it by ship it's
called cargo?
======================================================================
This is <vps-mail@xxxxxxxxxxxx> <http://www.perlcode.org/lists/>
Before posting a question, please search the archives (see above URL).
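
The check described in the message above, extended to folded (multi-line) subjects that the single-line rule misses, as an added Python example that is not part of the original post. The function names and the sample subjects are constructed for illustration.

```python
import re

# One RFC 2047 encoded-word: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def unfold(raw_value):
    """Undo header folding: a line break followed by a space or tab."""
    return re.sub(r"\r?\n(?=[ \t])", "", raw_value)


def subject_fully_base64(raw_value):
    """True if the raw Subject value consists only of base64 encoded-words.

    Folded subjects (several encoded-words separated by whitespace) are
    handled as well as the single-line form.
    """
    value = unfold(raw_value).strip()
    pos = 0
    for match in ENCODED_WORD.finditer(value):
        # Non-whitespace text between encoded-words means plain text is present.
        if value[pos:match.start()].strip():
            return False
        # Quoted-printable ("q") encoded-words are what normal mailers emit.
        if match.group(2).lower() != "b":
            return False
        pos = match.end()
    # pos == 0 means no encoded-word at all; trailing plain text also fails.
    return pos > 0 and not value[pos:].strip()


# Constructed sample Subject values (raw, as they appear on the wire).
SAMPLES = [
    "=?ISO-8859-1?B?SGVsbG8gd29ybGQ=?=",                         # entirely base64
    "=?ISO-8859-1?B?SGVsbG8g?=\r\n =?ISO-8859-1?B?d29ybGQ=?=",   # folded base64
    "Re: =?ISO-8859-15?Q?Caf=E9?= opening hours",                # one QP word
    "=?ISO-8859-1?Q?Caf=E9?=",                                   # entirely QP
    "Plain ASCII subject",
]

if __name__ == "__main__":
    for subject in SAMPLES:
        print(subject_fully_base64(subject), repr(subject))
```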