RE: [vps-mail] IS0-8859 spams slipping by SpamAssassin
- Subject: RE: [vps-mail] IS0-8859 spams slipping by SpamAssassin
- From: "Jim Smith" <maillists@xxxxxxxxxxxxxxxx>
- Date: Mon, 12 Apr 2004 10:02:50 -0400
> Therefore, what you want to look out for is a subject which
> is *entirely* encoded, and encoded in base64:
>
> Subject: =?charset?b?.........?=
So I understand this, is it safe to say that any message subject starting
with encoding such as =?ISO-8859-1?b? is almost certainly either a
non-English language or else a spammer trying to hide a spam-filled subject?
I was going to push the score for that rule way up but wasn't sure if there
might be some legit reasons that might appear in the subject line.
Thanks,
Jim Smith
> -----Original Message-----
> From: owner-vps-mail@xxxxxxxxxxxx
> [mailto:owner-vps-mail@xxxxxxxxxxxx] On Behalf Of Godwin Stewart
> Sent: Monday, April 12, 2004 4:24 AM
> To: vps-mail@xxxxxxxxxxxx
> Subject: Re: [vps-mail] IS0-8859 spams slipping by SpamAssassin
>
> On Sun, 11 Apr 2004 22:03:57 -0400, "Jim Smith"
> <maillists@xxxxxxxxxxxxxxxx>
> wrote:
>
> > I've tried to find a pattern in these headers but I can't figure it
> > out and can't find references on how to handle the IS0-8859 headers.
> >
> > Any suggestions for creating rules for this IS0-8859 stuff?
>
> If you want to rule out communication with anyone whose
> language uses character sets other than us-ascii then this is
> a good way to go about it.
> Legitimate software uses this technique. FWIW, ISO-8859-1 and
> its more modern equivalent including the Euro symbol,
> ISO-8859-15, is the character code used throughout Western
> Europe, including English-speaking countries like the UK and
> Ireland...
>
> However, one difference between legitimate software and
> spamware is that legitimate software usually only encodes the
> word which needs it, *AND* it usually uses quoted printable
> rather than base64.
>
> Therefore, what you want to look out for is a subject which
> is *entirely* encoded, and encoded in base64:
>
> Subject: =?charset?b?.........?=
>
> So, assuming SA uses Perl regular expressions (I've never used SA):
>
> describe OBFUSCATED_SUBJECT Subject messed around with
> full OBFUSCATED_SUBJECT /^subject:\s+=\?[^\?]+\?b\?[^\?]*\?=$/im
> score OBFUSCATED_SUBJECT 2.1
>
> This, however, will *not* catch subjects spread over several lines.
>
> --
> G. Stewart -- gstewart@xxxxxxxxxxx -- gstewart@xxxxxxxxxxx
> Registered Linux user #284683 (Slackware 9.0, Linux 2.4.25)
> --------------------------------------------------------------
> Why is it that when you transport something by car it's
> called shipment, but when you transport it by ship it's called cargo?
> ======================================================================
> This is <vps-mail@xxxxxxxxxxxx> <http://www.perlcode.org/lists/>
> Before posting a question, please search the archives (see above URL).
>