Use a text filter and add something like:

SUBJECT 40 CONTAINS =?ISO-8859-1?b?

to it.

I tried this all the way down to just ?b? and a SUBJECT filter didn't catch it.  The SUBJECT filter also doesn't catch the decoded text.

I found, though, that if you use the HEADERS filter, it will catch this (customize to suit; this will only catch Latin-1 that is base64 encoded, and I can't think of why that would be necessary, I would think that only other character sets could need this):

    HEADERS        10    CONTAINS    ISO-8859-1?B?

Neither the HEADERS filter nor the SUBJECT filter is catching the decoded form of the text.  The BASE64 test is also not catching this if it's only in the Subject of the message (I assume it only does the body/attachments).

The not so funny thing is that I'm getting this now as a part of those E-mails containing no displayable text.  This guy is real good at getting through my settings unless he chooses a bad IP to send from.  I think a few days ago, another person on this list commented about this same spammer, bringing up the domains that he is using (common words followed by numbers).  The only pattern this guy leaves, apart from having no text in the body, is having different countries' TLDs listed in the Received line, the sender, and the reverse DNS.  Here's a copy of what I just received using this technique (with links modified):

From - Mon Sep 08 17:36:44 2003
X-UIDL: 314612976
X-Mozilla-Status: 0011
X-Mozilla-Status2: 00000000
Received: from gjr.paknet.com.pk [81.128.130.33] by igaia.com with ESMTP
  (SMTPD32-7.13) id A6244F101D8; Mon, 08 Sep 2003 17:35:32 -0400
Date: Mon, 08 Sep 2003 21:35:35 +0000
Message-ID: <[EMAIL PROTECTED]>
X-Mailer: Windows Eudora Pro Version 2.2 (32)
To: [EMAIL PROTECTED]
Subject: =?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9tIGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=
MIME-Version: 1.0
From: "Shirley Dalton" <[EMAIL PROTECTED]>
Content-Type: text/html
Content-Transfer-Encoding: 8bit
X-Declude-Sender: [EMAIL PROTECTED] [81.128.130.33]
X-Declude-Spoolname: Df62404f101d89e2c.SMD
X-Note: This E-mail was scanned by iGaia Incorporated's E-mail service (www.igaia.com) for spam.
X-Note: This E-mail was sent from host81-128-130-33.in-addr.btopenworld.com ([81.128.130.33]).
X-Spam-Tests-Failed: DSN, IPNOTINMX, NOLEGITCONTENT [1]
X-RCPT-TO: <[EMAIL PROTECTED]>
Status: U
X-UIDL: 314612976

<html><body>
<center><!--lfoln42j66--><a href="http://www-dot-payment33dd-dot-com/host/default.asp?ID=omni"><img src="http://discountrate2-dot-com/pics/gv1.gif" height="270" width="405"></a></center>
</html></body>
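
An added example, not part of the original post and not Declude code: a Python sketch of the check the message finds missing, decoding the RFC 2047 Subject before keyword matching and flagging a base64 encoded-word whose content is plain ASCII. The function names and the keyword are hypothetical; the sample Subject is the one quoted in the message above.

```python
import re
from email.errors import HeaderParseError
from email.header import decode_header

# RFC 2047 encoded-word: =?charset?encoding?payload?=
ENCODED_WORD = re.compile(r"=\?([^?\s]+)\?([bBqQ])\?([^?\s]*)\?=")

# Subject header copied from the spam sample in the message above.
SAMPLE_SUBJECT = ("=?ISO-8859-1?B?UmU6T3JkZXIgU2lsZGVuYWZpbCBDaXRyYXRlICBmcm9t"
                  "IGhvbWUgLSBubyBkb2N0b3IgcmVxdWlyZWQu?=")

def decode_subject(raw):
    """Return the Subject as the recipient's mail client would display it."""
    try:
        chunks = decode_header(raw)
    except HeaderParseError:          # malformed base64: fall back to raw text
        return raw
    parts = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:       # unknown charset label
                chunk = chunk.decode("latin-1")
        parts.append(chunk)
    return "".join(parts)

def needless_base64(raw):
    """Heuristic: a base64 encoded-word that decodes to printable ASCII only,
    i.e. text that never needed encoding to be sent."""
    for charset, enc, payload in ENCODED_WORD.findall(raw):
        if enc.lower() != "b":
            continue
        text = decode_subject("=?%s?B?%s?=" % (charset, payload))
        if text and all(32 <= ord(c) < 127 for c in text):
            return True
    return False

def check_subject(raw, keywords):
    """Compare keyword hits on the raw header with hits on the decoded text."""
    decoded = decode_subject(raw)
    return {
        "decoded": decoded,
        "raw_hits": [k for k in keywords if k.lower() in raw.lower()],
        "decoded_hits": [k for k in keywords if k.lower() in decoded.lower()],
        "needless_base64": needless_base64(raw),
    }

if __name__ == "__main__":
    print(check_subject(SAMPLE_SUBJECT, ["sildenafil"]))
```

The ASCII-only flag is a scoring signal, not proof of spam, so it is best given a weight alongside other tests.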
