Posted to users@spamassassin.apache.org by saqariden <sa...@ac-montpellier.fr> on 2018/04/11 11:45:38 UTC

match rules to base64 encoded body

Hi all,

lately I see more and more mails using base64 encoding for the body of 
the mails.

example:

-------------------
Date: Thu, 05 Apr 2018 16:22:08 +0200
From: carla@blaha.net
Subject: Marth
X-Originating-IP: 179.96.142.37
X-Sender: carla@blaha.net
To: xxxxxx@xxxxxx.com
Message-id: <90...@blaha.net>
MIME-version: 1.0 (1.0)
X-Mailer: iPad Mail (13E238)
Content-type: text/plain; charset=UTF-8
Content-transfer-encoding: base64
X-Greylist: Sender IP whitelisted by DNSRBL,
  not delayed by milter-greylist-4.5.11 (xxxxxxxxx
  [X.X.X.X]); Thu, 05 Apr 2018 16:22:12 +0200 (CEST)
X-Scanned-By: MIMEDefang 2.79
Original-recipient: rfc822;xxxxxxxx@xxxxxxxx.fr

QXJlIHlvdSByZWFkeSB0byBoYXZlIGluc2FuZSBzZXggd2l0aCBtZT8NCknigJltIHJlYWR5IHRv
IHNoYXJlIHNvbWUgb2YgbXkgaG90IHNleHkgcGhvdG9zLg0KQWZ0ZXIgd2F0Y2hpbmcgbXkgYnV0
dG9ja3MsIGJyZWFzdHMsIGFuZCBsb25nIGxlZ3MgeW91IHdpbGwgbm90IHJlbWFpbiB1bnNhdGlz
ZmllZC4NCkNvbnRhY3QgbWUgYW5kIEkgY2FuIGdpdmUgeW91IG15IGxvY2F0aW9uLg0KDQpodHRw
Oi8vd3d3LmFzdHJlaW50ZS1kZXBhbm5hZ2UuY29tLzF4ZTNjOGIzdy9na25wZHEyZ3cucGhwP1pY
WmxiR2x1WlM1c2RYQnBZV05BWVdNdGJXOXVkSEJsYkd4cFpYSXVabkk9DQo=
------------------------------------

This is a spam mail, my SpamAssassin did not recognize it as spam, even 
if I have rules that can match the decoded body. My question is:

Is it possible to decode into TXT/HTML the encoded parts so SA can catch 
it? Otherwise, how can the rule be applied to an encoded mail body?

Regards.
Signature Academique

Re: match rules to base64 encoded body

Posted by Kris Deugau <kd...@vianet.ca>.
(Please keep list mail on the list.)

saqariden wrote:
> On 11/04/2018 16:15, Kris Deugau wrote:
>> Please post the rules you think should match on this example.

> this is my rule:
> 
> uri    __FR_SHORT_SPAM_URI_1  /(\/[a-zA-Z\d]{1,3}\.php\?[a-zA-Z\d]{3,9})|(\/[a-zA-Z\d]{3,10}\/[a-zA-Z\d]{3,9}\.php\?[a-zA-Z\d]{3,9})/
> 
> body   __FR_SHORT_SPAM_URI_2  /(\/[a-zA-Z\d]{1,3}\.php\?[a-zA-Z\d]{3,9})|(\/[a-zA-Z\d]{3,10}\/[a-zA-Z\d]{3,9}\.php\?[a-zA-Z\d]{3,9})/


Both of these hit on your example spam for me:

$ spamassassin -D 2>&1 <test1.eml |grep FR_SHORT
Apr 18 12:10:25.137 [24553] dbg: rules: ran body rule __FR_SHORT_SPAM_URI_2 ======> got hit: "/1xe3c8b3w/gknpdq2gw.php?ZXZlbGluZ"
Apr 18 12:10:25.194 [24553] dbg: rules: ran uri rule __FR_SHORT_SPAM_URI_1 ======> got hit: "/1xe3c8b3w/gknpdq2gw.php?ZXZlbGluZ"

You'll need to share more detail of how you're testing these for someone 
to be able to suggest what's going wrong.

-kgd

Re: match rules to base64 encoded body

Posted by Kris Deugau <kd...@vianet.ca>.
saqariden wrote:
> Hi all,
> 
> lately I see more and more mails using base64 encoding for the body of 
> the mails.
> 
> example:
[snip]
> This is a spam mail, my SpamAssassin did not recognize it as spam, even 
> if I have rules that can match the decoded body. My question is:
> 
> Is it possible to decode into TXT/HTML the encoded parts so SA can catch 
> it? Otherwise, how can the rule be applied to an encoded mail body?

SpamAssassin already does this, as per the man page entry for body rules 
in Mail::SpamAssassin::Conf:

=====

body SYMBOLIC_TEST_NAME /pattern/modifiers

Define a body pattern test.  "pattern" is a Perl regular expression. 
Note: as per the header tests, "#" must be escaped ("\#") or else it is 
considered the beginning of a comment.

The 'body' in this case is the textual parts of the message body; any 
non-text MIME parts are stripped, and the message decoded from 
Quoted-Printable or Base-64-encoded format if necessary.  The message 
Subject header is considered part of the body and becomes the first 
paragraph when running the rules.  All HTML tags and line breaks will be 
removed before matching.

=====

Please post the rules you think should match on this example.

-kgd
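To see what a body rule is really matched against, here is an added Python example (not SpamAssassin's code and not from either poster) that approximates the body-text preparation the quoted Mail::SpamAssassin::Conf entry describes (keep only text/* parts, undo base64 or quoted-printable, strip HTML tags, put the Subject first, drop line breaks) and then runs the thread's __FR_SHORT_SPAM_URI_2 regex over a constructed base64-encoded message. It goes one step beyond the thread's single-part case by also checking a base64 text/html part with a non-text attachment. The two sample messages, the host spam.example and the addresses are constructed for the example; the regex is the poster's, unchanged.

```python
"""Approximate the text that SpamAssassin feeds to 'body' rules, so a rule can
be checked against a base64-encoded message without running spamassassin -D.

Added example for this thread, not SpamAssassin's own code. It follows the
quoted Mail::SpamAssassin::Conf description: keep only text/* MIME parts,
decode Content-Transfer-Encoding (base64 or quoted-printable), strip HTML
tags, put the Subject first, and remove line breaks. The sample messages are
constructed; spam.example and the addresses are placeholders.
"""
import re
import email
import email.policy
from email.message import EmailMessage

# The body rule posted in the thread, regex unchanged (Perl and Python agree on this syntax).
FR_SHORT_SPAM_URI_2 = re.compile(
    r"(\/[a-zA-Z\d]{1,3}\.php\?[a-zA-Z\d]{3,9})"
    r"|(\/[a-zA-Z\d]{3,10}\/[a-zA-Z\d]{3,9}\.php\?[a-zA-Z\d]{3,9})"
)


def sa_body_text(raw: bytes) -> str:
    """Return the 'body' text a SpamAssassin body rule would see for this raw message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    paragraphs = [str(msg.get("Subject", ""))]  # the Subject becomes the first paragraph
    for part in msg.walk():
        # multipart containers and non-text parts (images, archives, ...) are dropped
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        text = part.get_content()  # undoes base64 / quoted-printable and the declared charset
        if part.get_content_subtype() == "html":
            text = re.sub(r"<[^>]+>", " ", text)  # crude tag removal, enough for this demo
        paragraphs.append(text)
    # line breaks are removed before matching; collapse runs of whitespace to one space
    return "\n".join(re.sub(r"\s+", " ", p).strip() for p in paragraphs if p.strip())


def body_rule_hits(raw: bytes, rule: re.Pattern = FR_SHORT_SPAM_URI_2) -> list[str]:
    """Every substring of the decoded body that the rule matches (empty list = no hit)."""
    return [m.group(0) for m in rule.finditer(sa_body_text(raw))]


def raw_rule_hits(raw: bytes, rule: re.Pattern = FR_SHORT_SPAM_URI_2) -> list[str]:
    """Same rule run over the undecoded bytes, to show why the decoding step matters."""
    return [m.group(0) for m in rule.finditer(raw.decode("ascii", "replace"))]


def build_base64_plain_sample() -> bytes:
    """Constructed single-part text/plain message with a base64 body, shaped like the thread's."""
    msg = EmailMessage()
    msg["From"] = "sender@spam.example"
    msg["To"] = "victim@recipient.example"
    msg["Subject"] = "Marth"
    msg.set_content(
        "Contact me and I can give you my location.\n\n"
        "http://spam.example/1xe3c8b3w/gknpdq2gw.php?ZXZlbGluZ\n",
        cte="base64",
    )
    return msg.as_bytes()


def build_html_with_attachment_sample() -> bytes:
    """Constructed multipart message: base64 text/html part plus a fake PNG attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@spam.example"
    msg["To"] = "victim@recipient.example"
    msg["Subject"] = "photos"
    msg.set_content(
        "<html><body><p>see <b>http://spam.example/ab1.php?q1w2e3</b></p></body></html>",
        subtype="html",
        cte="base64",
    )
    msg.add_attachment(b"\x89PNG\r\n\x1a\nnot-a-real-image", maintype="image",
                       subtype="png", filename="photo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for build in (build_base64_plain_sample, build_html_with_attachment_sample):
        raw = build()
        print(raw.decode("ascii", "replace"))
        print("hits on raw bytes   :", raw_rule_hits(raw))
        print("hits on decoded body:", body_rule_hits(raw))
        print("-" * 40)
```

Run as a script it prints each constructed message, shows that the rule finds nothing in the raw (still base64) bytes, and that it does hit the decoded body, which is the behaviour Kris's `spamassassin -D` output illustrates. If a rule that matches here still does not fire in production, the difference is in how the message reaches SpamAssassin (the testing setup Kris asks about), not in the base64 encoding.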