base64 spam

Allyn Fratkin allyn at fratkin.com
Sat Nov 9 04:16:23 CET 2002


<x-flowed>

Barry Gould wrote:

> Hi Allyn,
> I'm guessing this checks spam status, and if bogofilter says NO, it then
> runs it through unbase64 and bogofilter again.

yes, that is the idea.

> Would it instead be possible to look for
> "Content-Transfer-Encoding: base64"
> in the message header to decide where to use unbase64 or not?

that is an excellent idea.  also, i picked up an idea from my
web provider the other day, most spams are short <256K so we don't
need to check longer messages as thoroughly.

how about this updated second-try rule:

:0fHB
* < 256000
* H ?? ^X-Bogosity: No
* ^content-transfer-encoding: *(base64|quoted-printable)
* ? unbase64 | bogofilter
| formail -I"X-Bogosity: Yes, tests=bogofilter-unbase64"

> I know it is possible to have a multipart message, but after a quick
> look over all my base64 spam from this week, it looks like almost all
> the multipart messages I received were worms, not spam.

most of the base64 spam i receive is multipart so the above rule
scans the entire message body looking for base64.

if instead you'd like to only run bogofilter on a message once and decide
whether or not to use unbase64 based on whether the message has base64
in it, i'll leave that up to you to write the rules for that.

-- 
Allyn Fratkin             allyn at fratkin.com
Escondido, CA             http://www.fratkin.com/
</x-flowed>
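
The run-once alternative left open at the end of the message above, as an added example that is not part of the original post or of bogofilter: parse the MIME structure, check every part (not only the top-level header) for base64 or quoted-printable, and build the one text that would be handed to the classifier. The function names, the sample message and the use of Python's email module in place of unbase64 are assumptions made for illustration.

```python
import base64
import email
from email import policy

SIZE_LIMIT = 256000  # same cutoff as "* < 256000" in the rule above
ENCODED = {"base64", "quoted-printable"}

# Constructed sample: the top-level header carries no
# Content-Transfer-Encoding; only the inner text part is base64.
SAMPLE = (
    "From: sender@example.com\n"
    "Subject: hello\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XX"\n'
    "\n"
    "--XX\n"
    "Content-Type: text/plain; charset=us-ascii\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.b64encode(b"Buy cheap pills now").decode() + "\n"
    "--XX--\n"
)


def parse(raw):
    """Parse a raw message string into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def encoded_parts(msg):
    """MIME parts (top level included) that declare base64 or QP."""
    return [p for p in msg.walk()
            if str(p.get("Content-Transfer-Encoding", "")).strip().lower() in ENCODED]


def text_for_classifier(raw):
    """Return the single text to score: raw, or headers plus decoded text parts."""
    if len(raw) >= SIZE_LIMIT:       # long messages are passed through as-is
        return raw
    msg = parse(raw)
    parts = encoded_parts(msg)
    if not parts:                    # nothing encoded: score the raw message
        return raw
    headers = "".join(f"{k}: {v}\n" for k, v in msg.items())
    bodies = [p.get_content() for p in parts
              if p.get_content_maintype() == "text"]
    return headers + "\n" + "\n".join(bodies)


if __name__ == "__main__":
    print(text_for_classifier(SAMPLE))
```
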


