FYI, I pulled this test 3 weeks ago after an email from France came through (or rather 
didn't) with this subject:

Subject: =?ISO-8859-1?B?RW5qb3kgc3VtbWVyIHVudGlsIGl0cyB2ZXJ5IGVuZCE=?=

There definitely is a correlation here among spammers, ?B? encoded subjects, 
disposable domain names, and nothing else in the body of the message.  There has to be 
a way to bring the 2 or 3 variables together as a super test.


Dan


On Monday, September 8, 2003 19:05, Matthew Bramble <[EMAIL PROTECTED]> wrote:
>Use a text filter and add something like:
>
> SUBJECT 40 CONTAINS =?ISO-8859-1?b?
>
> to it.
>
> I tried this all the way down to just ?b? and a SUBJECT filter
>didn't catch it. The SUBJECT filter also doesn't catch the
>decoded text.
>
> I found though that if you use the HEADERS filter, it will
>catch this (customize to suit, this will only catch Latin-1
>that is base64 encoded, and I can't think of why that would be
>necessary, I would think that only other charactersets could
>need this):
>
> HEADERS 10 CONTAINS ISO-8859-1?B?
>
> Neither the HEADERS filter nor the SUBJECT filter is catching
>the decoded form of the text. The BASE64 test is also not
>catching this if it's only in the Subject of the message (I
>assume it only does the body/attachments).
>
> The not so funny thing is that I'm getting this now as a part
>of those E-mails containing no displayable text. This guy is
>real good at getting through my settings unless he chooses a
>bad IP to send from.� I think a few days ago, another person on
>this list commented about this same spammer, bringing up the
>domains that he is using (common words followed by numbers).
>The only pattern this guy leaves apart from having no text in
>the body, is having different countries' TLDs listed in the
>Received line, the sender, and the reverse DNS. Here's a copy
>of what I just received using this technique (with links
>modified):
>
>
>From - Mon Sep 08 17:36:44 2003
>X-UIDL: 314612976
>X-Mozilla-Status: 0011
>X-Mozilla-Status2: 00000000
>Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP
>  (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
>Date: Mon, 08 Sep 2003 21:35:35 +0000
>Message-ID: <[EMAIL PROTECTED]>
>X-Mailer: Windows Eudora Pro Version 2.2 (32)
>To: [EMAIL PROTECTED]
>Subject:
>=?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
>MIME-Version: 1.0
>From: "Shirley Dalton" <[EMAIL PROTECTED]>
>Content-Type: text/html
>Content-Transfer-Encoding: 8bit
>X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
>X-Declude-Spoolname: Df62404f101d89e2c.SMD
>X-Note: This E-mail was scanned by iGaia Incorporated's E-mail
>service (www.igaia.com) for spam.
>X-Note: This E-mail was sent from
>host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
>X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
>X-RCPT-TO: <[EMAIL PROTECTED]>
>Status: U
>X-UIDL: 314612976
>
><html><body>
><center><!--lfoln42j66--><a
>href="http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni"><img
>src="http://discountrate2-dot-com/pics/gv1.gif" height="270" width="405"></a></center>
></html></body>
>
>

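The "super test" Dan asks for (B-encoded subject, throw-away link domains, no displayable body text) and Matthew's observation that a filter sees either the raw encoded word or the decoded text but not both, worked through in Python. This is an added example, not Declude filter syntax and not code from anyone in the thread: it parses a message with the standard library, decodes the RFC 2047 subject, strips the HTML to what a client would display, and combines the three signals. The sample message is constructed from the one quoted above, with placeholder addresses, and the "word followed by digits" hostname check is a rough approximation of the pattern the thread describes, not a rule.

```python
import email
import re
from email.header import decode_header
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted in the thread.  Addresses
# are placeholders and the links keep the thread's "-dot-" mangling.
SAMPLE = b"""Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP
  (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +0000
Message-ID: <placeholder@example.invalid>
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: recipient@example.invalid
Subject:
 =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: "Shirley Dalton" <sender@example.invalid>
Content-Type: text/html
Content-Transfer-Encoding: 8bit

<html><body>
<center><!--lfoln42j66--><a
href="http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni"><img
src="http://discountrate2-dot-com/pics/gv1.gif" height="270" width="405"></a></center>
</html></body>
"""

# One RFC 2047 encoded word: =?charset?encoding?text?=
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")
# Hostname label of the kind the thread describes (payment33dd, discountrate2):
# a word followed by digits.  Heuristic only.
WORD_THEN_DIGITS = re.compile(r"^[a-z]{3,}\d+[a-z]*$")


def decode_subject(raw):
    """Decode RFC 2047 encoded words; plain text passes through unchanged."""
    out = []
    for text, charset in decode_header(raw):
        if isinstance(text, bytes):
            text = text.decode(charset or "ascii", errors="replace")
        out.append(text)
    return "".join(out)


class _Visible(HTMLParser):
    """Collect the text a mail client would show, plus the hosts it links to."""

    def __init__(self):
        super().__init__()
        self.text, self.hosts = [], []

    def handle_data(self, data):
        self.text.append(data)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value and urlparse(value).hostname:
                self.hosts.append(urlparse(value).hostname.lower())


def analyse(raw_message):
    msg = email.message_from_bytes(raw_message)
    raw_subject = msg.get("Subject", "")
    decoded_subject = decode_subject(raw_subject)
    word = ENCODED_WORD.fullmatch(raw_subject.strip())
    b_encoded = bool(word and word.group(2).lower() == "b")

    body = msg.get_payload(decode=True) or b""
    parser = _Visible()
    parser.feed(body.decode(msg.get_content_charset() or "latin-1", errors="replace"))
    visible = "".join(parser.text).strip()
    # Check every label but the TLD, so www.payment33dd.com still matches.
    throwaway = [h for h in parser.hosts
                 if any(WORD_THEN_DIGITS.match(lbl) for lbl in re.split(r"-dot-|\.", h)[:-1])]

    signals = {
        "subject_is_b_encoded_word": b_encoded,
        # Latin-1 base64 wrapped around pure ASCII: the encoding served no purpose.
        "needless_latin1_base64": bool(b_encoded and word.group(1).lower() == "iso-8859-1"
                                       and decoded_subject.isascii()),
        "no_visible_text": not visible,
        "throwaway_link_domains": bool(throwaway),
    }
    combined = (signals["subject_is_b_encoded_word"] and signals["no_visible_text"]
                and signals["throwaway_link_domains"])
    return {"raw_subject": raw_subject.strip(), "decoded_subject": decoded_subject,
            "hosts": parser.hosts, "signals": signals, "combined_test": combined}


def subject_contains(result, needle):
    """Match the wire form and the decoded form; a filter that sees only one misses the other."""
    needle = needle.lower()
    return needle in result["raw_subject"].lower() or needle in result["decoded_subject"].lower()


if __name__ == "__main__":
    print(analyse(SAMPLE))
```

`subject_contains` is the point of the SUBJECT versus HEADERS discussion: "?B?" only exists in the raw header and "Sildenafil" only exists after decoding, so a test has to look at both forms.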
---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.JunkMail mailing list.  To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.JunkMail".  The archives can be found
at http://www.mail-archive.com.