I have noticed that a lot of spam messages change their mime boundary
during the message.
So in the headers they specify something like:

    MIME-Version: 1.0
    Content-Type: multipart/related;
        type="multipart/alternative";
        boundary="----=_NextPart_000_0005_01C6DC77.1B7CF1F0"

But then the first mime part is empty and changes the mime boundary:

    ------=_NextPart_000_0005_01C6DC77.1B7CF1F0
    Content-Type: multipart/alternative;
        boundary="----=_NextPart_001_0006_01C6DC77.1B7CF1F0"

They then have two mime parts with this new mime boundary, first a text
and then an html mime part:

    ------=_NextPart_001_0006_01C6DC77.1B7CF1F0
    Content-Type: text/plain;
        charset="windows-1250"
    Content-Transfer-Encoding: quoted-printable
    [Text Content]
    ------=_NextPart_001_0006_01C6DC77.1B7CF1F0
    Content-Type: text/html;
        charset="windows-1250"
    Content-Transfer-Encoding: quoted-printable
    [HTML Content]
    ------=_NextPart_001_0006_01C6DC77.1B7CF1F0--

They then revert back to the original mime boundary for the image spam
mime part:

    ------=_NextPart_000_0005_01C6DC77.1B7CF1F0
    Content-Type: image/gif;
        name="fighting.gif"
    Content-Transfer-Encoding: base64
    Content-ID: <[EMAIL PROTECTED]>
    [image]
    ------=_NextPart_000_0005_01C6DC77.1B7CF1F0--

Does this happen in legitimate emails as well?
I have never seen this in a legit email, however I do spend far longer
looking at spam than I do ham.
Perhaps someone has already written a rule for this behaviour.
If so, could someone point me in the right direction to get it?
Thanks
Ben
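
The part layout described in the post above, parsed with Python's standard email package to show which boundary encloses each part and which parts declare a boundary of their own. This is an added example, not part of the original post; the sample message is constructed from the quoted headers, with placeholder bodies and a placeholder Content-ID.

```python
from email import message_from_string

# Constructed sample: boundaries and headers copied from the post,
# bodies and the Content-ID replaced with placeholders.
OUTER = "----=_NextPart_000_0005_01C6DC77.1B7CF1F0"
INNER = "----=_NextPart_001_0006_01C6DC77.1B7CF1F0"
SAMPLE = "\n".join([
    "MIME-Version: 1.0",
    "Content-Type: multipart/related;",
    '\ttype="multipart/alternative";',
    f'\tboundary="{OUTER}"',
    "",
    f"--{OUTER}",
    "Content-Type: multipart/alternative;",
    f'\tboundary="{INNER}"',
    "",
    f"--{INNER}",
    'Content-Type: text/plain; charset="windows-1250"',
    "Content-Transfer-Encoding: quoted-printable",
    "",
    "[Text Content]",
    f"--{INNER}",
    'Content-Type: text/html; charset="windows-1250"',
    "Content-Transfer-Encoding: quoted-printable",
    "",
    "[HTML Content]",
    f"--{INNER}--",
    "",
    f"--{OUTER}",
    'Content-Type: image/gif; name="fighting.gif"',
    "Content-Transfer-Encoding: base64",
    "Content-ID: <placeholder@example.invalid>",
    "",
    "R0lGODlh",
    f"--{OUTER}--",
    "",
])

def mime_tree(msg, depth=0, enclosing=None):
    """Rows of (depth, content type, enclosing boundary, own boundary)."""
    own = msg.get_boundary()  # None for non-multipart parts
    rows = [(depth, msg.get_content_type(), enclosing, own)]
    if msg.is_multipart():
        for part in msg.get_payload():
            rows.extend(mime_tree(part, depth + 1, own))
    return rows

if __name__ == "__main__":
    for depth, ctype, enclosing, own in mime_tree(message_from_string(SAMPLE)):
        print("  " * depth + ctype, "| inside:", enclosing, "| declares:", own)
```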