Peter H. Lemieux wrote:
> I received a spam today where the text was only a base64-encoded blob.
>
> Content-Type: text/html;
>     charset="us-ascii"
> Content-Transfer-Encoding: base64
> Subject: feel young and strong again
>
> PGh0bWw+DQpTdG9wIG92ZXJwYXlpbmcgZm9yIHlvdXIgcHJlc2NyaXB0aW9uIG1lZGljYXRpb25z
> IHRvZGF5Lg0KPGJyPg0KPGJyPg0KU2F2ZSBtb3JlIHRoYW4gc2l4dHkgcGVyY2VudCBvbiBicmFu
> ZCBuYW1lIGdlbmVyaWMgbWVkcyB0aGF0IGFyZSBjaGVtaWNhbGx5IGlkZW50aWNhbC4NCjxicj4N
>
> Does SA convert the blob into text before scanning?

Yes. It's done that for a LONG time.. Even SA 2.3x did that. Even "rawbody" rules are run after decoding base64.
Otherwise this would be a huge hole in SA and every spammer would very quickly use base64 for all their spam. (Yes, spammers DO very aggressively study spamassassin and tune their mail to fit its weaknesses. VERY aggressively. Anything this obvious and easy would be discovered and become widespread within two months of a SA release.)

> It contains a number of drug-related words and a URI that points to
> "pharmconnect.org".
>
> Also is there an SA rule that scores messages that contain only a
> single base64 part (as opposed to a base64-encoded attachment)? I
> doubt many legitimate messages arrive with only a single base64 part.

No, but there is one that detects base64 encoding of text sections. MIME_BASE64_TEXT.
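
An added illustration, not part of the original thread and not SpamAssassin's own code: a Python sketch of why content patterns have to run on the decoded part, and of the "single base64 text part" condition asked about above. The sample message, `PATTERN` and `scan` are constructed for this example.

```python
import base64
import re
from email import message_from_string

# Constructed sample (not the spam from the thread): one text/html part,
# base64-encoded, with no other MIME parts.
HTML = "<html>\r\nSave on prescription medications today.\r\n</html>\r\n"
RAW = (
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: text/html; charset="us-ascii"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + base64.encodebytes(HTML.encode("ascii")).decode("ascii")
)

# Hypothetical content pattern standing in for a body rule.
PATTERN = re.compile(r"prescription\s+medications", re.IGNORECASE)


def scan(raw):
    """Match PATTERN against each leaf part as transmitted and after decoding."""
    msg = message_from_string(raw)
    result = {"wire_match": False, "decoded_match": False, "base64_text_parts": 0}
    for part in msg.walk():
        if part.is_multipart():
            continue
        wire = part.get_payload()                # body exactly as sent
        decoded = part.get_payload(decode=True)  # bytes, transfer encoding undone
        charset = part.get_content_charset() or "us-ascii"
        try:
            text = decoded.decode(charset, errors="replace")
        except LookupError:  # unknown charset label
            text = decoded.decode("latin-1")
        cte = str(part.get("Content-Transfer-Encoding", "")).strip().lower()
        if part.get_content_maintype() == "text" and cte == "base64":
            result["base64_text_parts"] += 1
        result["wire_match"] |= bool(PATTERN.search(wire))
        result["decoded_match"] |= bool(PATTERN.search(text))
    # The condition asked about: the whole message is one base64 text part.
    result["single_base64_part"] = (
        not msg.is_multipart() and result["base64_text_parts"] == 1
    )
    return result


if __name__ == "__main__":
    print(scan(RAW))
```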