I just received an email the other day that had mime headers including:
content-type: text/plain
content-transfer-encoding: base64
and the message was encoded in base64, but to the client, it looks like regular text including a geocities spam message. It was only picked up by the MIME_BASE64_TEXT rule and I have a rule that blocks geocities spam which failed to pick up because the text was all in base64.
Is there a way to get rules to pass for both plain and base64 encoded messages?
My current rule that failed is like this:
body IPBL_6 /geocities\.com\//i
describe IPBL_6 IPBL: Geocities is spam ...
score IPBL_6 5.5
- base64 transfer encoding defeats rules Steven Kiehl
- Re: base64 transfer encoding defeats rules Loren Wilton
- Re: base64 transfer encoding defeats rules Theo Van Dinter
- Re: base64 transfer encoding defeats rules Steven Kiehl
- Re: base64 transfer encoding defeats rules Theo Van Dinter
