procmail

RE: Spam filter anomaly

2005-09-04 02:43:01
On Fri, 2 Sep 2005, Gary Funck wrote:
Louis, your web page at
http://www.columbia.edu/~lnp3/PennyStocks.htm
didn't show the original e-mail message, complete with
headers.  It showed the human-readable form.  If you'll
re-post the actual text of the e-mail in question, complete
with headers, it'd be helpful.

If you go to the archives,
http://www.xray.mpe.mpg.de/mailing-lists/procmail/
and enter "base64", "reformime", or "munpack" as
a search string you may find some ideas on how to solve your
problem of dealing with encoded e-mails.

You can enhance your script that scans the body of base64
messages to look for (and presumably score) hits on particular
encodings.  Here's a quick/easy way to get the encodings
of "st0cks" for example.

echo -n 'st0cks' | perl -MMIME::Base64 -0777 -ne 'print encode_base64($_)'

which prints: c3QwY2tz

        Gary, did you try your recipe?  If the word st0cks is in the line:

all st0cks here

        The code will be:  YWxsIHN0MGNrcyBoZXJl

        If the word st0cks is in the line:

any st0cks up

        The code will be:  YW55IHN0MGNrcyB1cA==

        In any case you will not find "c3QwY2tz", and don't think that
        you can look for a phrase, because:

abc any st0cks up 25

        Looks like:  YWJjIGFueSBzdDBja3MgdXAgMjU   no more IHN0MGN...

Bye,
  Udi
You could add something like:

# We have a base64 encoded body.
# Look for at least 2 hits on base64 encoded spam words
# The encodings below are for:
# Penny-stocks, Penny stocks, st0ck, St0ck respectively.
#
:0 B
* ^Content-Type: text/html
* ^Content-Transfer-Encoding: base64
* -2^0
*  1^1  (UGVubnktc3RvY2tz|\
              UGVubnkgc3RvY2tz|\
              c3QwY2s=|\
              U3QwY2s=)
/users/lnp3/mail/base64-spam

Note that in your checking for Content-Type and Content-Transfer-Encoding
above, you check for only one space after the field name and you expect
a particular form of that line.  There are probably other MIME compliant
encodings of those MIME descriptors that a mail client will honor,
but will make it past your filter.  Spammers will take advantage of
such things.

(I didn't test the example above.  Hopefully, others here will correct
any errors they see.)

SpamAssassin will let you add your own tests against either the raw
message or the decoded message.  Check out RulesDuJour as one method
of enhancing your SA experience:
http://www.exit0.us/index.php?pagename=RulesDuJour
and an example of custom body rules (note these are applied to the
body after it is decoded by SA)
http://www.exit0.us/index.php?pagename=BodyRules
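The alignment problem Udi describes above is mechanical, so it can be handled mechanically. The script below is an added example (editor's code, not Gary's recipe and not part of the list post): for a word it computes the three base64 fragments that are stable at each of the three possible byte alignments, builds a procmail-style alternation from them, and checks the three sample lines from the thread. The sample lines, the "st0cks" keyword and the shape of the generated alternation are assumptions; the `wrapped_line_demo` function also shows the separate problem that MIME wraps base64 at 76 columns, so a fragment can straddle a line break.

```python
import base64
import re


def base64_variants(word: bytes) -> list[str]:
    """Return the base64 fragments that `word` produces at each of the three
    possible alignments (the word starting 0, 1 or 2 bytes into a 3-byte group).

    base64 turns every 3 bytes into 4 characters, so a character at the edge
    of the word also depends on the neighbouring bytes of the surrounding text.
    Only characters whose six bits lie entirely inside the word are kept; that
    is the part of the encoding that is identical in every message.
    """
    variants = []
    for shift in range(3):
        # Placeholder bytes before and after the word.  Their values do not
        # matter because the edge characters they influence are dropped.
        padded = b"\0" * shift + word + b"\0\0"
        encoded = base64.b64encode(padded).decode("ascii")
        first_bit = 8 * shift                  # first bit belonging to the word
        end_bit = first_bit + 8 * len(word)    # one past the word's last bit
        first_char = -(-first_bit // 6)        # ceil(first_bit / 6)
        end_char = end_bit // 6                # floor(end_bit / 6), exclusive
        variants.append(encoded[first_char:end_char])
    return variants


def procmail_alternation(words: list[bytes]) -> str:
    """Build one egrep-style alternation covering every alignment of every word
    (the output shape is an assumption modelled on the recipe in the thread)."""
    fragments = [v for w in words for v in base64_variants(w)]
    return "(" + "|".join(fragments) + ")"


def count_hits(encoded_body: str, words: list[bytes]) -> int:
    """Count alignment variants present in a base64 body.  MIME wraps base64 at
    76 columns, so line breaks are removed before searching; otherwise a
    fragment that straddles a wrapped line is missed."""
    flat = re.sub(r"\s+", "", encoded_body)
    return sum(flat.count(frag) for w in words for frag in base64_variants(w))


# Constructed sample lines mirroring the three quoted in the thread.
SAMPLE_LINES = [b"all st0cks here", b"any st0cks up", b"abc any st0cks up 25"]


def compare_naive_and_aligned(word: bytes = b"st0cks") -> list[tuple[str, int, int]]:
    """For each sample line: (its base64, hits for the bare encoding of the
    word on its own, hits for the alignment-aware fragments)."""
    bare = base64.b64encode(word).decode("ascii")   # "c3QwY2tz" for st0cks
    rows = []
    for line in SAMPLE_LINES:
        enc = base64.b64encode(line).decode("ascii")
        rows.append((enc, enc.count(bare), count_hits(enc, [word])))
    return rows


def wrapped_line_demo(word: bytes = b"st0cks") -> tuple[int, int]:
    """Place the word so that its fragment straddles the first 76-column line
    break of the encoded body.  Returns (hits when each encoded line is
    searched on its own, hits after the line breaks are removed)."""
    text = b"x" * 52 + b" " + word + b" are up"    # constructed filler text
    enc = base64.b64encode(text).decode("ascii")
    lines = [enc[i:i + 76] for i in range(0, len(enc), 76)]
    frags = base64_variants(word)
    per_line = sum(line.count(f) for line in lines for f in frags)
    unwrapped = count_hits("\n".join(lines), [word])
    return per_line, unwrapped


if __name__ == "__main__":
    print(procmail_alternation([b"st0cks"]))
    for enc, naive, aligned in compare_naive_and_aligned():
        print(f"{enc:32} bare hits={naive} aligned hits={aligned}")
    print("wrapped body: per-line hits=%d, unwrapped hits=%d" % wrapped_line_demo())
```

For "st0cks" the three fragments are c3QwY2tz, N0MGNrc and zdDBja3; the first is the one `echo -n 'st0cks' | ... encode_base64` prints, the other two are what shows up inside the encodings of "all st0cks here" and "abc any st0cks up 25". Each fragment is shorter than the full encoding because the characters at the word's edges share bits with the neighbouring text. A literal fragment in a procmail condition cannot match across the line break that MIME inserts every 76 characters, which is one more reason to prefer decoding the body first (the reformime/munpack approach from the archives, or SpamAssassin's decoded body rules) over matching raw base64.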
____________________________________________________________
procmail mailing list   Procmail homepage: http://www.procmail.org/
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail


---------------------------------------------------------------------------
Udi Mottelo - Unix System Administrator.
Faculty of Engineering - Tel-Aviv University
E-Mail: uuddii(_at_)eng(_dot_)tau(_dot_)ac(_dot_)il    Phone: +972-3-6409446
---------------------------------------------------------------------------
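Gary's remark that the recipe's `^Content-Type: text/html` condition only matches one spelling of the header can be checked directly. The following is an added example (editor's code, not from the thread): it builds four constructed messages whose Content-Type header differs only in whitespace, folding or case, and compares a literal single-line match with what the MIME parser in Python's standard library reports after unfolding and normalising the header. The sender addresses and the header variants are constructed.

```python
import email
import re

# Constructed header variants that all declare an HTML body.  A mail client
# honours every one of them, but a pattern that expects exactly one space
# after the colon and canonical case matches only the first.
CONTENT_TYPE_VARIANTS = {
    "canonical": "Content-Type: text/html",
    "tab":       "Content-Type:\ttext/html",
    "folded":    "Content-Type:\n\ttext/html; charset=us-ascii",
    "case":      "content-type: TEXT/HTML",
}


def build_message(content_type_header: str) -> str:
    """Constructed minimal message with a base64 body; the body is
    'all st0cks here' encoded, as quoted in the thread."""
    return (
        "From: sender@example.invalid\n"
        "To: recipient@example.invalid\n"
        f"{content_type_header}\n"
        "Content-Transfer-Encoding: base64\n"
        "\n"
        "YWxsIHN0MGNrcyBoZXJl\n"
    )


# Literal single-line match in the shape of the recipe's condition.
NAIVE_PATTERN = re.compile(r"^Content-Type: text/html", re.MULTILINE)


def naive_is_html(raw: str) -> bool:
    """True when the header appears exactly as the literal pattern expects."""
    return NAIVE_PATTERN.search(raw) is not None


def parsed_is_html(raw: str) -> bool:
    """Let the MIME parser unfold the header and normalise whitespace and
    case; get_content_type() also strips any ';charset=...' parameter."""
    msg = email.message_from_string(raw)
    return msg.get_content_type() == "text/html"


def compare() -> dict[str, tuple[bool, bool]]:
    """Map each variant name to (literal-pattern result, parsed result)."""
    return {
        name: (naive_is_html(build_message(h)), parsed_is_html(build_message(h)))
        for name, h in CONTENT_TYPE_VARIANTS.items()
    }


if __name__ == "__main__":
    for name, (naive, parsed) in compare().items():
        print(f"{name:10} literal={naive!s:5} parsed={parsed}")
```

The tab and folded variants are the ones that matter for the recipe as written; the case variant is a Python-only miss, since procmail ignores case in conditions unless the `D` flag is set. A message with no Content-Type header at all is reported as text/plain by `get_content_type()`, so the parsed check does not raise on malformed input either.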
