On 2025-01-24 at 08:03:42 UTC-0500 (Fri, 24 Jan 2025 13:03:42 +0000)
Marc <m...@f1-outsourcing.eu>
is rumored to have said:

> I just received this crap from ceneo.pl. Interesting is that in the header (or just below it?)

Just below it. The blank line delimits headers from body.


> there is a large (2154 lines) base64 encoded block which, if you decode it, is a full html 1261 line html page starting with <!doctype html> and ending with </html>

Which is precisely what one would expect from a message like this labeled as being text/html at the top level.

> Boldly enough they even include a google tracking link within this html
>
> <img src='https://ssl.google-analytics.com/collect?v=1&amp;tid=UA-51159636-11&amp;cid=039927d7-b027-40f0-b1e9-xxxxxx&amp;t=event&amp;ec=TrustedReview&amp;ea=Shop%20ID:%2024715&amp;el=open' style="display: none"/>

Also, far too common.

> I can't view the raw source of this message (using crappy Outlook), but I have the impression this base64 html is not exactly the same as the message I am seeing in Outlook when viewing it converted to plain text.

I'm not sure what you're seeing in Outlook, but I don't see any reason it would just make up message content...


> Afaik you use MIME headers to separate txt and html versions of the email.

That's only for multipart messages. This is not a multipart message.


> I was wondering if this is a new trick to bypass spam detection, and if spamassassin decodes these blocks.

As documented, SpamAssassin decodes all text/* parts for analysis, no matter the encoding. This message is not in any sense unusual and sending just text/html is not a "trick" at all.


> Reply-To: opi...@ceneo.pl
> Date: 24 Jan 2025 08:09:01 +0100
> Subject: =?utf-8?B?8J+SqiBNYXN6IGplc3pjemUgc3phbnPEmSAtIHBhbGVjemth?=
>  =?utf-8?B?bWkucGwgY3pla2Eg8J+VkCBuYSBUd29qxIUgb3BpbmnEmSE=?=
> Content-Type: text/html; charset=utf-8
> Content-Transfer-Encoding: base64
> Received-SPF: pass (193.203.222.34 is listed to deliver ceneo.pl)
> X-Verification-Result: dkim=pass; i...@ceneo.pl paleczkami...@ceneo.pl
> X-Spam-Status: No, score=0.3 required=3.0 tests=HTML_FONT_LOW_CONTRAST,
>         HTML_IMAGE_RATIO_06,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_MID,
>         T_DATE_IN_FUTURE_96_Q,T_REMOTE_IMAGE,T_SCC_BODY_TEXT_LINE
>         autolearn=disabled version=3.4.6
> X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
>         89d96068-ddf8-47bc-a33a-3ad5b65bfb7d

.
.
.


--
 Bill Cole
 b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com addresses)
 Not Currently Available For Hire
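
An added illustration, not part of the original message and not SpamAssassin's code: Python's standard `email` package applied to a constructed single-part text/html message with base64 transfer encoding. It shows the points made in the reply: the blank line ends the headers, the message is not multipart, and the text/* part decodes to ordinary HTML in which hidden remote images can be listed. The hostnames and the names `analyze` and `ImgCollector` are assumptions made for the example.

```python
import base64
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Constructed sample body: one hidden remote image, one visible one.
HTML = (b"<!doctype html>\r\n<html><body><p>Rate your order</p>\r\n"
        b"<img src='https://tracker.example/collect?t=event&amp;el=open' "
        b"style=\"display: none\"/>\r\n"
        b"<img src='https://shop.example/logo.png' width='120'/>\r\n"
        b"</body></html>\r\n")
# Constructed single-part message: text/html at the top level, base64 body.
RAW = (b"Subject: constructed sample\r\n"
       b"Content-Type: text/html; charset=utf-8\r\n"
       b"Content-Transfer-Encoding: base64\r\n"
       b"\r\n"  # the blank line: headers end here, body begins
       + base64.encodebytes(HTML).replace(b"\n", b"\r\n"))


class ImgCollector(HTMLParser):
    """Collect every <img> as (src, hidden) from decoded HTML."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        hidden = ("display:none" in style
                  or a.get("width") in ("0", "1")
                  or a.get("height") in ("0", "1"))
        self.images.append((a.get("src", ""), hidden))


def analyze(raw):
    """Return (is_multipart, [(content_type, encoding, images), ...])."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():  # a non-multipart message yields only itself
        if part.get_content_maintype() != "text":
            continue
        text = part.get_content()  # undoes base64/QP, then the charset
        collector = ImgCollector()
        collector.feed(text)
        cte = str(part.get("Content-Transfer-Encoding", "7bit"))
        report.append((part.get_content_type(), cte, collector.images))
    return msg.is_multipart(), report
```
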
