With your help the amount of spam getting past the various filters in my
inbox (and that of my fiancee) has dropped dramatically. I appreciate
learning from all of you.
The past couple of days has seen the arrival of a new mutant species of
spam: the empty message with a Windows .exe attachment that is base64
encoded. SpamAssassin is giving them scores of 0.0. I have a postfix filter
checking for exposed .exe attachments, but nothing seems to catch these
guys. To add insult to injury, I have a postfix body check for '/Empty or
malformed message/' that did nothing when the original message came in, but
prevented me from sending it on to the list here. :-(
Below are the headers from one example, with the uucoded part removed. If
I tell pine to look at the attachments, and start to save it, the name comes
up with a .exe extension. If anyone has suggestions on how to identify and
reject this format, please share them with me.
Rich
--
Richard B. Shepard, Ph.D. | The Environmental Permitting
Applied Ecosystem Services, Inc. | Accelerator(TM)
<http://www.appl-ecosys.com> Voice: 503-667-4517 Fax: 503-667-8863
===========================================================================
From [EMAIL PROTECTED] Sun Jan 28 04:31:09 2007
Return-Path: <[EMAIL PROTECTED]>
X-Original-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Received: by salmo.appl-ecosys.com (Postfix, from userid 1006)
id E6FC7DE; Sun, 28 Jan 2007 04:31:08 -0800 (PST)
X-Spam-Checker-Version: SpamAssassin 3.1.7 (2006-10-05) on
salmo.appl-ecosys.com
X-Spam-Level:
X-Spam-Status: No, score=0.0 required=4.0 tests=BAYES_50
autolearn=no
version=3.1.7
Received: from abjn32.neoplus.adsl.tpnet.pl (abjn32.neoplus.adsl.tpnet.pl
[83.7.155.32])
by salmo.appl-ecosys.com (Postfix) with SMTP id 210A258
for <[EMAIL PROTECTED]>; Sun, 28 Jan 2007 04:29:55 -0800 (PST)
Received: from egvvx ([116.82.221.212])
by abjn32.neoplus.adsl.tpnet.pl (8.13.4/8.13.4) with SMTP id
l0SCY7oD053228;
Sun, 28 Jan 2007 13:34:07 +0100
Message-ID: <[EMAIL PROTECTED]>
Date: Sun, 28 Jan 2007 13:29:22 +0100
From: Dooley Dinah <[EMAIL PROTECTED]>
User-Agent: Thunderbird 1.5.0.9 (Windows/20061207)
MIME-Version: 1.0
To: [EMAIL PROTECTED]
Subject: Love at First Sight
Content-Type: multipart/related;
boundary="------------010904090903010104020004"
[ Empty or malformed message. Displaying raw text. ]
--------------010904090903010104020004
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
--------------010904090903010104020004
Content-Type: application/x-msdownload;
name="flash postcard.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename="flash postcard.exe"
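
An added example, not part of the original post: one way to flag this format is to walk the MIME parts and test the declared attachment name instead of scanning the body for an exposed .exe. The extension list, the sample addresses, the placeholder payload and the verdict labels are assumptions made for illustration.

```python
import email
from email import policy

EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")  # assumed list
B = "------------010904090903010104020004"  # boundary from the headers above
# Constructed sample modelled on the MIME structure shown above; the base64
# payload is a harmless placeholder, not the original attachment.
SAMPLE = f"""\
From: sender@example.invalid
Subject: Love at First Sight
MIME-Version: 1.0
Content-Type: multipart/related;
 boundary="{B}"

--{B}
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


--{B}
Content-Type: application/x-msdownload;
 name="flash postcard.exe"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
 filename="flash postcard.exe"

UExBQ0VIT0xERVI=
--{B}--
"""

def scan(raw):
    """Return (executable attachment names, whether any text part is non-empty)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits, has_text = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() unfolds continuation lines, reads Content-Disposition
        # filename= and falls back to the Content-Type name= parameter.
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXT):
            hits.append(name)
        elif part.get_content_type() == "text/plain":
            has_text = has_text or bool((part.get_payload(decode=True) or b"").strip())
    return hits, has_text

def verdict(raw):
    """Hypothetical policy: empty body plus executable is rejected outright."""
    hits, has_text = scan(raw)
    if hits:
        return "quarantine" if has_text else "reject"
    return "pass"
```

Because the name is read from the unfolded MIME part headers, the check does not depend on the transfer encoding of the attachment or on the parameter sitting on the same physical line as Content-Type.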