[Mimedefang] Filter on encoding type
Joseph Brennan
brennan at columbia.edu
Fri May 28 14:52:55 EDT 2004
Yes, I see some reported spam with that "Content-Transfer-Encoding: plain"
and no real mail in four months of my old mail. Looks good. I would
test it myself but it's late the day before a three-day weekend (here in
the States) so I do not want to make changes right now.
---
This reminds me that I found it worthwhile to check the MIME-Version
header. It should of course look like this:
MIME-Version: 1.0
But there is a spam product that feels it needs to qualify that
further. Look for /MIME-Version:.*\(produced by/ to find such
as these:
MIME-Version: 1.0 (produced by septennialcongressmen 9.5)
MIME-Version: 1.0 (produced by avereedbuck 4.5)
MIME-Version: 1.0 (produced by crepepinto 3.7)
MIME-Version: 1.0 (produced by cypriancrash 6.8)
MIME-Version: 1.0 (produced by explicitblown 2.7)
MIME-Version: 1.0 (produced by padlupine 0.7)<br>
MIME-Version: 1.0 (produced by clinchcrosswalk 4.3)
MIME-Version: 1.0 (produced by sacrilegioussailboat 7.1)
MIME-Version: 1.0 (produced by airlinechomp 6.4)
MIME-Version: 1.0 (produced by bustardchloroform 9.0)
MIME-Version: 1.0 (produced by vocalicapprentice 6.3)
MIME-Version: 1.0 (produced by diversebangladesh 7.2)
MIME-Version: 1.0 (produced by aberrateaccelerate 8.1)
MIME-Version: 1.0 (produced by allianceribonucleic 2.2)
It's the same spam product that inserts patternbusters with 1-pixel
characters, e.g.
<p class=3D"MsoNormal" style=3D"margin-left: 8; margin-right: 8">Hel=
lo
de<FONT style=3D"FONT-SIZE: 1px">+</font>a<FONT style=3D"FONT-SIZE: =
1px">85</font>r home o<FONT style=3D"FONT-SIZE: 1px">)</font>wn<FONT style=
=3D"FONT-SIZE: 1px">!</font>er,</p>
Painfully, that's "Hello, dear howeowner"!
Joseph Brennan
Academic Technologies Group, Academic Information Systems (AcIS)
Columbia University in the City of New York
More information about the MIMEDefang
mailing list