ietf-asrg

Re: [Asrg] How to defeat spam that uses encryption?

2003-03-31 14:21:11

Markus Stumpf said:
> On Mon, Mar 31, 2003 at 09:55:24AM -0700, Vernon Schryver wrote:
> > Many spammers encode their efforts as quoted-printable, base64,
> > or even both (never mind the MIME RFCs and MUA behavior).
> You mean like in
>     Perfo<!--|s=3zd=3FAizd[S0=|d,F08F3-->rmance
>     En<!--|s=3zd=3FAizd[S0=|d,F08F3-->hancer
>     Enla<!--|s=3zd=3FAizd[S0=|d,F08F3-->rgement
> > easier to evade than to operate.  Spammers are always slow and behind.
> Why?
> If they are so far behind, why do/did messages of these type pass so much
> "ahead" content filters?

Hmm.  *Do* they?  I haven't heard of any filters, apart from the "A Plan
For Spam" style ones which do not even trivially decode HTML, that are
vulnerable to this.

SpamAssassin certainly isn't; in fact, it makes a great spam sign for us.
But about twice a week, someone posts to the SpamAssassin-talk list asking
if we're worried about this "new technique", which gets irritating after a
while.

BTW, in response to Vernon's original comment --  the reason at least one
spam tool uses QP/Base64 encoding on normal text, is to evade *AOL's*
content filters and bulk-mail detectors specifically.  By adding a random
"hashbuster" at the start of the mail, the base64 text changes radically
and requires a totally different fuzzy hash signature.  (I read the
tool's documentation ;)

--j.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
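The two points in the message above, shown from the filter's side as an added example (not part of the original post and not SpamAssassin's code): HTML comments inside words are removed and counted as a signal, and a fingerprint is compared on the base64 text as sent versus the decoded text. The 8-character shingle/Jaccard fingerprint is a stand-in for a fuzzy hash, and all function names and the sample body are assumptions constructed here.

```python
import base64
import re

# An HTML comment with a letter on each side splits a word for naive tokenizers.
SPLIT_COMMENT = re.compile(r"(?<=[A-Za-z])<!--.*?-->(?=[A-Za-z])", re.S)
ANY_COMMENT = re.compile(r"<!--.*?-->", re.S)


def strip_comments(html):
    """Return (text without HTML comments, number of word-splitting comments)."""
    return ANY_COMMENT.sub("", html), len(SPLIT_COMMENT.findall(html))


def shingles(text, n=8):
    """Set of overlapping n-character substrings (a simple fuzzy fingerprint)."""
    return {text[i:i + n] for i in range(len(text) - n + 1)}


def jaccard(a, b):
    """Shared shingles divided by all shingles, in [0, 1]."""
    sa, sb = shingles(a), shingles(b)
    return len(sa & sb) / len(sa | sb)


def body_similarity(b64_a, b64_b):
    """Similarity of two base64 bodies as sent, and after decoding."""
    dec_a = base64.b64decode(b64_a).decode("utf-8", "replace")
    dec_b = base64.b64decode(b64_b).decode("utf-8", "replace")
    return jaccard(b64_a, b64_b), jaccard(dec_a, dec_b)


# The three obfuscated words quoted in the message, plus a constructed
# ordinary comment that does not split a word.
SAMPLE_HTML = (
    "<!-- layout -->\n"
    "Perfo<!--|s=3zd=3FAizd[S0=|d,F08F3-->rmance\n"
    "En<!--|s=3zd=3FAizd[S0=|d,F08F3-->hancer\n"
    "Enla<!--|s=3zd=3FAizd[S0=|d,F08F3-->rgement\n"
)

# Constructed sample: one body sent twice with different random leading lines.
BODY = ("This is a constructed bulk message body, written only to compare "
        "fingerprints taken before and after the transfer encoding is undone.")
MSG_A = base64.b64encode(("q7x\n" + BODY).encode()).decode()
MSG_B = base64.b64encode(("zk29f\n" + BODY).encode()).decode()

if __name__ == "__main__":
    print(strip_comments(SAMPLE_HTML))
    print("raw %.2f, decoded %.2f" % body_similarity(MSG_A, MSG_B))
```

The two leading lines differ in length modulo 3, which shifts the base64 alignment of everything after them; the encoded bodies then share almost no shingles while the decoded bodies remain nearly identical.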