I've been capturing this stuff and I have found the code in the middle of native language text, but only occasionally.  Some examples:

    Subject: You never IM =?ISO-8859-1?B?bWUgYW55?=more
    Subject: This is=?ISO-8859-1?b?IHRoZSA1dGgg?=email=?ISO-8859-1?b?IEkgc2Vu?=t you
    Subject: =?ISO-8859-1?b?SG93IGRvIA==?=you use =?ISO-8859-1?b?aXQ/?=

I haven't seen a false positive yet.  Has someone seen ISO 8859-1 (Latin-1) being used for any other purpose?  This is the standard English and Western European character set.  Is it possible that, say, a foreign E-mail client build would tag Latin-1?  If not, is there a reason to be concerned about false positives???

Matt



Dan Patnode wrote:
Looking at my "spamples" I don't see any prefix letter:

Subject: =?iso-8859-1?b?QnVzeSBhdCB3b3Jr?=?

Subject: =?iso-8859-1?B?RGlzY3JlZXQgT24gTGluZSBQaGFybWFjeSwgVmlhZ3Jh?=

Subject: =?ISO-8859-1?b?RndkOiBUaA==?=e 24th o=?ISO-8859-1?b?ZiB0aGk=?=s month

Subject: =?iso-8859-1?b?SG93IGRvZXMgU2lsZGVuYWZpbCBDaXRyYXRlICB3b3JrPw==?=

Subject: =?iso-8859-1?B?U2F2ZSBtb25leSE=?=

Subject: =?iso-8859-1?B?U2FtcGxlIFZpYWdyYQ==?=

Subject: =?ISO-8859-1?B?UmU6Rm9yIHRoZSBtZW4uIFZpYWdyYS4=?=

Subject: =?iso-8859-1?B?UmU6VmlhZ3JhOk5vIENvbnN1bHRhdGlvbiBGZWU=?=

Subject: =?iso-8859-1?B?UmU6WW91ciBGcmVlIFNhbXBsZSBPZiBWaWFncmE=?=

Subject: =?iso-8859-1?b?UmVtZW1iZQ==?=r that girl=?iso-8859-1?b?Pw==?=


Who are these guys putting the code in the middle?  Course, I'm only looking at uncaught spam, perhaps these guys are getting nailed by other tests.

Dan



On Thursday, September 11, 2003 13:16, Colbeck, Andrew <[EMAIL PROTECTED]> wrote:
  
SUBJECT 40 CONTAINS =?ISO-8859-1?b?
      
I'm seeing quite a few of these coming in, but they are getting
held.

I'm including a sample from my log, which is set to HIGH so that others can
see what tests have been useful for me.

An interesting point that came out of my following this thread is that I
found that when the ISO string appears anywhere in the subject EXCEPT for
the beginning, it's a SURE indicator that the message is spam. A really long
(and imperfect) way to test for that is to add:

SUBJECT 999 CONTAINS a=?ISO-8859-1?b?
SUBJECT 999 CONTAINS b=?ISO-8859-1?b?
SUBJECT 999 CONTAINS c=?ISO-8859-1?b?
SUBJECT 999 CONTAINS 3=?ISO-8859-1?b?

Anyone have a more concise way to test for that?

Andrew 8)
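
One way to express the "encoded string glued to ordinary text" test concisely, as an added example that is not part of the original thread and is not a filter from any poster's configuration. It generalizes beyond the literal `=?ISO-8859-1?b?` string to any charset and to both B and Q encodings, relying on the RFC 2047 rule that an encoded-word must be separated from adjacent text by whitespace; the names `analyze_subject` and `decode_word` are assumptions made for this sketch.

```python
import base64
import binascii
import re

# RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")


def decode_word(match):
    """Decode one encoded-word; leave it untouched if the payload is malformed."""
    charset, encoding, text = match.groups()
    try:
        if encoding.lower() == "b":
            raw = base64.b64decode(text + "=" * (-len(text) % 4))
        else:
            raw = binascii.a2b_qp(text, header=True)
        return raw.decode(charset, errors="replace")
    except (ValueError, LookupError):
        return match.group(0)


def analyze_subject(value):
    """Return (decoded_subject, glued) for a raw Subject header value.

    glued lists every encoded-word that touches a neighbouring character
    with no whitespace in between, which RFC 2047 does not allow.
    """
    glued = []
    for m in ENCODED_WORD.finditer(value):
        before = value[m.start() - 1] if m.start() > 0 else " "
        after = value[m.end()] if m.end() < len(value) else " "
        if not before.isspace() or not after.isspace():
            glued.append(m.group(0))
    # Splice the decoded text back in place to show what the sender was hiding.
    return ENCODED_WORD.sub(decode_word, value), glued


# Subjects quoted in this thread, plus one constructed well-formed subject (last).
SAMPLES = [
    "You never IM =?ISO-8859-1?B?bWUgYW55?=more",
    "This is=?ISO-8859-1?b?IHRoZSA1dGgg?=email=?ISO-8859-1?b?IEkgc2Vu?=t you",
    "=?ISO-8859-1?b?SG93IGRvIA==?=you use =?ISO-8859-1?b?aXQ/?=",
    "=?ISO-8859-1?Q?caf=E9?= menu",
]

if __name__ == "__main__":
    for s in SAMPLES:
        decoded, glued = analyze_subject(s)
        print(f"{'SUSPECT' if glued else 'ok':8}{decoded!r}  glued={len(glued)}")
```

Unlike the "anywhere except the beginning" rule, this check also flags an encoded-word at the start of the subject when ordinary text follows it with no space, as in the third sample.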


    
