On Tue, Nov 30, 2021 at 12:03:15PM -0700, Philip Prindeville wrote:
> > On Nov 17, 2021, at 9:50 AM, Bill Cole
> > <sausers-20150...@billmail.scconsult.com> wrote:
> > SpamAssassin rules are not laws in any sense. They do not prescribe or
> > proscribe any action. They do not reflect any sort of moral or ethical
> > judgment. They do not express or define technical correctness.
>
> Isn't that exactly what we're discussing here? "Technical correctness"?

Hm, no? App encoding pure ASCII as Base64 is not breaking any RFC? So it is
behaving "technically correctly".

> Good internetworking implementations follow (to the extent they don't
> conflict with good security practices) Postel's Law, "be conservative in what
> you send, be liberal [but not naive] in what you accept".

Well, antispam efforts (as is security for important stuff) are mostly
exactly the OPPOSITE of good internetworking implementations of the old
Postel's law.

And for the good reasons - in the internetworking implementations of the
old, the vast majority of peers (if not all) you interacted with were GOOD
guys trying to do good things. In today's e-mail (and security), the majority
of the actors are enemies trying to penetrate your defensive lines.

Also, see https://en.wikipedia.org/wiki/Robustness_principle#Criticism

> Rereading:
> > Base64 encoding is only necessary if there are non-ASCII characters used.
> > UTF-8 is a superset of ASCII & it is normal for MUAs to not encode more
> > than needed.
>
> Exactly. Encoding is only used when and where necessary.

...by legitimate users. Spammers on the other hand will sometimes encode
even when it is NOT needed, probably in an attempt to avoid less advanced
antispam tools (or due to sheer laziness when writing a spam tool).

The fact that such encoding is technically allowed does NOT change the fact
that the technique is vastly more used by spammers than by innocent parties.

> Properly encoded HTML uses HTML-Entity naming, which is also ASCII-friendly,
> i.e. &eacute; instead of Latin1 é etc. or raw 8bit characters.

There are several "proper" (ie. allowed by different RFCs) ways to encode
that information in mail. Statistical analyses seem to say that some of the
ways are used much more by spammers than by legitimate users. Hence, the
score for those methods.

--
Opinions above are GNU-copylefted.
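
The kind of check this thread is about, as an added example (not part of the original message and not SpamAssassin's own rule code): it flags text parts that are Base64-encoded although the decoded body is pure ASCII. The function name and the sample messages are constructed for illustration.

```python
import base64
import binascii
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText


def base64_ascii_text_parts(raw_message):
    """Return the content types of text/* parts that use base64 transfer
    encoding even though the decoded body is pure 7-bit ASCII."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue  # multipart containers and attachments are out of scope
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if cte != "base64":
            continue
        try:
            body = base64.b64decode(part.get_payload())
        except (binascii.Error, ValueError):
            continue  # malformed base64 is a different signal, not this one
        if body and body.isascii():
            hits.append(part.get_content_type())
    return hits


# Constructed samples. Python's MIMEText base64-encodes any utf-8 part, even
# when the text is plain ASCII, so RFC-compliant software can trip this check
# too: it is a statistical signal to be scored, not a correctness test.
ASCII_B64 = MIMEText("Cheap pills, click here\n", "plain", "utf-8").as_string()
UTF8_B64 = MIMEText("Caf\u00e9 menu attached\n", "plain", "utf-8").as_string()
PLAIN_7BIT = MIMEText("Meeting moved to 3pm\n", "plain").as_string()

_multi = MIMEMultipart("alternative")
_multi.attach(MIMEText("Limited offer\n", "plain", "utf-8"))
_multi.attach(MIMEText("<p>Offre limit\u00e9e</p>\n", "html", "utf-8"))
MULTIPART = _multi.as_string()

if __name__ == "__main__":
    for name in ("ASCII_B64", "UTF8_B64", "PLAIN_7BIT", "MULTIPART"):
        print(name, base64_ascii_text_parts(globals()[name]))
```
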