Posted to dev@spamassassin.apache.org by Patrick Steiner <pa...@bluewin.ch> on 2004/06/10 23:13:51 UTC

Why SA find no words like viag*** in base64 coded Mails

I have a big problem with base64 encoded spam mails. No check of words
like viag*** (I think somebody knows what I mean when I write viag***,
because I don't want my question mail to be caught by some spam filters).

I attached a link where you can see the mail source and the output that
I see in Mozilla when I open the mail. The spam mail has many
words like viag** xan*** and other medicine... but the only thing that
SA finds is:

X-Spam-Status: No, hits=2.8 required=3.6 tests=BLANK_LINES_70_80,
	DATE_IN_PAST_03_06,MIME_BASE64_TEXT,SAVE_UP_TO autolearn=no
	version=2.63
X-Spam-Report:
	*  0.1 SAVE_UP_TO BODY: Save Up To
	*  0.9 BLANK_LINES_70_80 BODY: Message body has 70-80% blank lines
	*  1.1 MIME_BASE64_TEXT RAW: Message text disguised using base64 encoding
	*  0.7 DATE_IN_PAST_03_06 Date: is 3 to 6 hours before Received: date


The output in Mozilla (what I see):
http://homepage.hispeed.ch/mybag/output.jpg

The spam mail source:
http://homepage.hispeed.ch/mybag/spam.eml





Re: Why SA find no words like viag*** in base64 coded Mails

Posted by Fred <te...@i-is.com>.
My system catches your example quite well
Content analysis details:   (25.3 points, 6.6 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 FB_SUPER_VIAGRA        BODY: /S[ue]p[eu]r.{1,5}Via.{0,1}g?ra/i
 0.3 SAVE_UP_TO             BODY: Save Up To
 1.8 OBFU_VIAGRA            BODY: Obfuscated 'VIAGRA' in body
 1.8 OBFU_XANAX             BODY: Obfuscated 'XANAX' in body
 2.2 SARE_SUPERVIAGRA       BODY: mentions drug which is often subject of spam
 1.8 OBFU_VALIUM            BODY: Obfuscated 'VALIUM' in body
 2.0 BLANK_LINES_70_80      BODY: Message body has 70-80% blank lines
 1.1 MIME_BASE64_TEXT       RAW: Message text disguised using base64 encoding
 0.2 MIME_BASE64_NO_NAME    RAW: base64 attachment does not have a file name
 0.3 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 2.5 DRUGS_ERECTILE         Refers to an erectile drug
 2.0 DRUGS_ANXIETY          Refers to an anxiety control drug
 2.0 LW_RATWARE3            Spammer sign in headers
 2.3 DRUGS_ANXIETY_EREC     Refers to both an erectile and an anxiety drug

Many of the rules in my results are already in the pre-released 3.0.0
version.

It might be worth your time to install some of the SARE rulesets until 3.0.0
is final.  The problem is the time gap between releasing 2.63 and 3.0.0.  A
lot has changed in this time and the current *release* version does not
reflect the change in spam.  If you installed 3.0.0 you will see an
improvement on all sides, however it's still under active development and
not due out for another month or so.

Find additional rulesets here:  http://www.rulesemporium.com/

P.S.  SpamAssassin does decode base64, it just didn't have any rules to
catch these at the time 2.63 was released.   3.0.0 has the entire antidrug
set and that gave this message an additional 6.8 all by itself.

HTH




----- Original Message ----- 
From: "Patrick Steiner" <pa...@bluewin.ch>
To: <sp...@incubator.apache.org>
Sent: Thursday, June 10, 2004 5:13 PM
Subject: Why SA find no words like viag*** in base64 coded Mails


> I have a big problem with base64 encoded spam mails. no check of words
> like
> viag***
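
The point in the reply above, that body rules only see the drug names once the base64 transfer encoding has been undone, shown as an added example that is not part of the thread and is not SpamAssassin's own code. The regex is the FB_SUPER_VIAGRA pattern from the report above; the sample message, addresses and function names are constructed for illustration.

```python
import base64
import re
from email import message_from_string

# Body rule copied from the report above (FB_SUPER_VIAGRA), as a Python regex.
FB_SUPER_VIAGRA = re.compile(r"S[ue]p[eu]r.{1,5}Via.{0,1}g?ra", re.I)

# Constructed sample text, not the message linked in the thread.
PLAIN = "Save up to 70%\n\n\nSuper Viagra and more\n"


def build_sample():
    """Return a constructed raw message whose text part is base64 encoded."""
    encoded = base64.encodebytes(PLAIN.encode("ascii")).decode("ascii")
    return (
        "From: sender@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=us-ascii\n"
        "Content-Transfer-Encoding: base64\n"
        "\n" + encoded
    )


def decoded_text_parts(raw):
    """Yield every text/* part with its transfer encoding undone."""
    for part in message_from_string(raw).walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if payload is None:
            continue
        charset = part.get_content_charset() or "latin-1"
        try:
            yield payload.decode(charset, errors="replace")
        except LookupError:  # unknown charset label in the header
            yield payload.decode("latin-1")


def scan(raw):
    """Apply the body rule to the raw body and to the decoded text parts."""
    raw_body = raw.split("\n\n", 1)[1]
    cte = (message_from_string(raw).get("Content-Transfer-Encoding") or "").lower()
    return {
        "base64_text": cte == "base64",  # the condition MIME_BASE64_TEXT describes
        "raw_hit": bool(FB_SUPER_VIAGRA.search(raw_body)),
        "decoded_hit": any(FB_SUPER_VIAGRA.search(t) for t in decoded_text_parts(raw)),
    }


if __name__ == "__main__":
    print(scan(build_sample()))
```

A filter that matched only the raw body would report `raw_hit`; decoding first is what lets rules such as the antidrug set fire on messages like this one.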