When we tickled Dallman Ross, this came out:
Robert Allerstorfer:
Still have to think on how to convert
=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?= c =?ISO-8859-1?Q?d?=
to
=?ISO-8859-1?Q?a?==?ISO-8859-1?Q?b?= c =?ISO-8859-1?Q?d?=
in order to deobfuscate it to
ab c d
My biggest question is, why?
It seems to me that if you ever see anything like this, it is not
going to be mail you want to keep. Me, I don't bother to try to read
what spammers send me. If it's spam, it goes in the spam pile.
The quoted-printable obfuscation can be used to change "iloveyou.exe"
into "iloveyou.e=?charset?q?x?=
=?charset?q?e?="
A recipe for: if more than 1 charset is used in any header, then it
must be garbage.
bq_regex = '=\?[-a-z0-9]+\?[bq]\?[^?]*\?='
:0
*$ ()${bq_regex}.*${bq_regex}
--IN.garbage.bq/
Because the header-field-names are never encoded, the condition could
also be written as:
*$ ^[^:]+:.*${bq_regex}.*${bq_regex}
And to limit it to specific headers:
bq_headers = '(Subject|From|To|Cc)'
bq_regex = '=\?[-a-z0-9]+\?[bq]\?[^?]*\?='
:0
*$ ^${bq_headers}:.*${bq_regex}.*${bq_regex}
--IN.garbage.bq/
--
Grtz, Ruud
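
An added Python example, not code from this thread: it applies the same token pattern as bq_regex to flag a header value carrying two or more encoded-words, and does the conversion Robert asks about by dropping the whitespace between adjacent encoded-words (the RFC 2047 display rule) before decoding. The function names are hypothetical, and decoding a token that sits in the middle of a word assumes a lenient mail client.

```python
import base64
import binascii
import quopri
import re

# Same token shape as bq_regex in the recipe, with capture groups added.
ENCODED_WORD = re.compile(r'=\?([-a-z0-9]+)\?([bq])\?([^?]*)\?=', re.I)
# RFC 2047: whitespace (including a header fold) that only separates two
# encoded-words is dropped before display.
GAP = re.compile(r'(\?=)[ \t\r\n]+(?==\?[-a-z0-9]+\?[bq]\?[^?]*\?=)', re.I)


def _decode_word(match):
    charset, encoding, text = match.groups()
    try:
        if encoding.lower() == 'b':
            raw = base64.b64decode(text + '=' * (-len(text) % 4))
        else:
            # header=True also maps "_" to a space, as the Q encoding requires
            raw = quopri.decodestring(text.encode('ascii', 'replace'), header=True)
    except (binascii.Error, ValueError):
        return match.group(0)  # undecodable token: leave it visible
    try:
        return raw.decode(charset, errors='replace')
    except LookupError:
        # Unknown charset label, e.g. the literal "charset" placeholder
        return raw.decode('latin-1')


def deobfuscate(value):
    """Join adjacent encoded-words, then decode every token in the value."""
    return ENCODED_WORD.sub(_decode_word, GAP.sub(r'\1', value))


def is_suspicious(value):
    """True when the value holds two or more encoded-word tokens."""
    return len(ENCODED_WORD.findall(value)) >= 2


if __name__ == '__main__':
    # Sample values copied from the messages above
    for sample in ('=?ISO-8859-1?Q?a?= =?ISO-8859-1?Q?b?= c =?ISO-8859-1?Q?d?=',
                   'iloveyou.e=?charset?q?x?=\n =?charset?q?e?='):
        print(is_suspicious(sample), repr(deobfuscate(sample)))
```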