Posted to users@spamassassin.apache.org by David Jones <dj...@ena.com> on 2018/01/01 01:11:59 UTC

Re: Malformed spam email gets through.

On 12/31/2017 05:15 PM, Mark London wrote:
> Hi - I previously mentioned that I was getting emails with hand created 
> html tags, that had both uppercase and lowercase letters.
> 
> I created a crude rawbody rule to test for them. It worked, until the 
> spammer accidentally added the line "Content-Transfer-Encoding: base64", 
> even though the body of the message is not encoded with base64.
> 
> Because of this, my rawbody rules failed to trigger.  See below.  Is 
> there a way to detect a malformed email like this?
> 
> Also, can anyone suggest a nicely written rule, that triggers when an 
> html tag's text contains both upper and lower case letters?  Thanks. - Mark
> 
> MIME-Version: 1.0
> From: CHW@nmlc.com
> To: markrlondon@gmail.com
> Date: Sun, 31 Dec 2017 18:42:25 CET
> Subject: Never Pay For Covered Home Repairs Again-Best deal of the year, 
> Iimited-Time*Njvt
> Content-Type: text/html; charset=utf-8
> Content-Transfer-Encoding: base64
> Message-ID: <NT...@NTMHDCWEB20SB>
> X-OriginalArrivalTime: 22 Mar 2017 15:52:46.0402 (UTC) FILETIME=
> X-SG-EID: 
> Ir4EYmZz10i7MgunveLJlw0xcvqQbeauQMDQs3EPe27heIGiqko5Ui6DR17zgRAkuOys70ubB2uU06 
> 2rXoYm1NiUd72Cmr8IRCp81sAgopwU26YxZSasTrSlTtZfLgs+yn3P85pGOBbZrAEV2KAPssmDkJ77 
> YTcMSxfLqx2qEBkTLe9yUFrjCwDKa+CySPgoWXhA3BKLnvIvUPwEgt0uMQ==
> X-Feedback-ID: 
> 561562:WZ3ZRcIWAujB4xGDqDKA1Ud8w67Bpa8gtW18sDbAXo0=:WZ3ZRcIWAujB4xGDqDKA1Ud8w67Bpa8gtW18sDbAXo0=:SG 
> 
> 
> <cenTeR><A 
> HrEf=http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=r-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb><IMg 
> srC=https://www.imagevita.org/uploads/46174adfa726bcdadfc2914890c02ee9.jpg></a><HeAD><br><A 
> HrEf=http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=ua-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb><IMg 
> srC=https://www.imagevita.org/uploads/8d36198d9d812471230cd3a1362eb169.jpg></a><br><A 
> HrEf=http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=u-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb><IMg 
> srC=https://www.imagevita.org/uploads/529ec935ba2f0b52917be25826b3a23b.jpg></a><br><hr><Div 
> style="height:5500PX"></div>The New York Times
> Thank you for registering.
> 

That email looks like it came from Sendgrid but I can't tell for sure 
without seeing all of the Received headers.  If it did come through 
Sendgrid, then this should be reported to their abuse to help all of us.

https://sendgrid.com/report-spam/

-- 
David Jones
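
Added example (not from either poster, and written in Python rather than as a SpamAssassin rule): one way to check for the two things asked about in the quoted message, a part that declares base64 but is not base64, and HTML element names that mix upper and lower case. The function names and the sample message are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample modelled on the quoted spam; hosts replaced with example.com.
SAMPLE = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "<cenTeR><A HrEf=http://example.com/r><IMg srC=https://example.com/a.jpg>"
    "</a><br>\n"
)

B64_LINE = re.compile(r"[A-Za-z0-9+/]*={0,2}")       # one line of base64 text
TAG_NAME = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)")  # element name after < or </


def cte_mismatch(part):
    """True if the part declares base64 but its raw body is not base64 text."""
    if part.get("Content-Transfer-Encoding", "").strip().lower() != "base64":
        return False
    lines = (ln.strip() for ln in part.get_payload(decode=False).splitlines())
    return any(ln and not B64_LINE.fullmatch(ln) for ln in lines)


def mixed_case_tags(html):
    """Element names that mix upper and lower case, e.g. 'cenTeR'."""
    names = set(TAG_NAME.findall(html))
    return sorted(n for n in names if n != n.lower() and n != n.upper())


def analyze(raw_message):
    """Check every leaf MIME part; returns (any_mismatch, mixed_case_names)."""
    mismatch, tags = False, set()
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        if cte_mismatch(part):
            mismatch = True
            text = part.get_payload(decode=False)  # scan the body as sent
        else:
            text = part.get_payload(decode=True).decode("utf-8", "replace")
        tags.update(mixed_case_tags(text))
    return mismatch, sorted(tags)


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

SVG element names such as linearGradient are legitimately mixed case, so the tag check is better used as one scoring signal than as a verdict on its own.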