Re: [Declude.JunkMail] BASE64 violating mailers

[Matthew Bramble]

John Tolmachoff (Lists) wrote: X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165   That is the line. Unfortunately that line is quite common to Microsoft products of all sorts, from CDONTS to Outlook Express.  It's all over in legit E-mail, though often with the X-Mailer header as you pointed out.  I think that the eXclaimer program replaced the X-Mailer header???  That's why I'm thinking that this product is responsible for encoding the text.  If so, I can use that for an exclusion, but I just wanted to make sure.  Obviously it's an obscure add-on, but it can't hurt.  That E-mail would have almost failed if not for me subtracting points for non-inline attachments (HELOBOGUS and BASE64 scored, and DYNAMIC was counterbalanced because the provider is business-class and I excluded it, if not, it would have failed without attachments). Are you sure that is the full headers? All that counts, I chopped off the Declude stuff and a bunch of addresses.  Also, why is it showing a line calling an Exchange event sink? No clue (why or what that is). It is possible that the sender purposely or otherwise caused it to become encoded. Can you do that?  This example was redundantly encoded though. Matt -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matthew Bramble Sent: Wednesday, September 24, 2003 8:46 PM To: [EMAIL PROTECTED] Subject: [Declude.JunkMail] BASE64 violating mailers   I just found an(other) example of legit E-mail using base64 encoding for text segments.  I would like to create an anti-filter for this (along with OWA for Exchange violations), however I'm having trouble identifying what piece of software or other identifying characteristic appears in the following message headers can be positively linked to this behavior: From <--SNIP--> Tue Sep 23 11:58:28 2003 Received: from --SNIP-- [--SNIP--] by --SNIP-- with ESMTP   (SMTPD32-7.13) id AD962BE019C; Tue, 23 Sep 2003 11:58:14 -0400 X-Exclaimer-OnMessagePostCategorize-{71daf94f-e3fe-4bbf-865a-6309cc88575e}: C:\Program Files\eXclaimer\eXclaimer.dll - 2.0.4.67 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Content-Transfer-Encoding: 7bit Content-Class: urn:content-classes:message Subject: What a Sight! Importance: normal Priority: normal MIME-Version: 1.0 Content-Type: multipart/mixed;     boundary="----_=_NextPart_001_01C381EB.7EA73E73" Date: Tue, 23 Sep 2003 11:58:13 -0400 Message-ID: <[EMAIL PROTECTED]> X-MS-Has-Attach: yes X-MS-TNEF-Correlator: Thread-Topic: What a Sight! thread-index: AcOB6lcQHs7kFedSQxyWKNoHWv8qcAAANutg From: "--SNIP--" <--SNIP--> To: "--SNIP--" <--SNIP--> In the message body, the text was displayed as both HTML and base64 encoded.  This appears to have been sent through an E-mail client, either PC-based or Web mail.  The only thing out of the ordinary is the note left by a program called eXclaimer which is used to tag outgoing E-mail with a disclaimer footer, and can also be used to archive outgoing E-mail (installed on Exchange Server).  Is it possible that this was sent by Outlook/Outlook Express and then redundantly base64 encoded by eXclaimer at the server?  If not, does anyone know what might have produced this behavior? Thanks, Matt