[Declude.JunkMail] Base64 encoded
I know in the past it was discussion about legit base64 usage in mail. I found what seems to be a legit e-mail where the mail client is base64 encoding the message. Received: from mail.XX.com [12.28.XX.XXX] by imail.fament.com with ESMTP (SMTPD32-7.13) id A4EE26B0366; Wed, 15 Jan 2003 09:57:34 -0600 Received: from [10.1.102.202] by mail.XX.XXX with SMTP (QuickMail Pro Server for Mac 3.0.1); 15-Jan-2003 09:57:19 -0600 Date: 15 Jan 2003 09:45:15 -0600 Message-ID: [EMAIL PROTECTED] From: X X [EMAIL PROTECTED] Subject: Fwd: To: X XX [EMAIL PROTECTED] X-Mailer: QuickMail Pro 3.0 (Mac) X-Priority: 3 MIME-Version: 1.0 Reply-To: X X [EMAIL PROTECTED] Content-Type: multipart/mixed; boundary=50524848535754575554===1 X-RBL-Warning: BASE64: A binary encoded text or HTML section was found in this E-mail. X-RBL-Warning: WEIGHT10: Weight of 20 reaches or exceeds the limit of 10. X-Tests-Failed: REVDNS, BASE64, WEIGHT10, WEIGHT20. X-Note: Total spam weight of this E-mail is 20. --50524848535754575554===1 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=US-Ascii regular text message (seems to be a chainmail) MSN 8: advanced junk mail protection and 2 months FREE* http://g.msn.com/= 8HMNEN/2017 --50524848535754575554===1 Content-Transfer-Encoding: base64 Content-Type: text/html; name=Text00.htm; x-mac-creator=556DC536; x-mac-type=54455854 PGh0bWw+PGRpdiBzdHlsZT0nYmFja2dyb3VuZC1jb2xvcjonPjxESVY+DQo8UD48QlI+PFVuZGlz Y2xvc2VkLVJlY2lwaWVudD rest of the base64 is cut off. Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] --- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 eBay UserID : macahan - Your Full Time Professionals - --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Base64 encoded
I know in the past it was discussion about legit base64 usage in mail. I found what seems to be a legit e-mail where the mail client is base64 encoding the message. The question here is what legitimate means. Does it mean that it is a legitimate E-mail, which uses base64 encoding for no apparent reason (which we are not too concerned about, as most people only use the BASE64 test towards the weighting system), or is it a legitimate mail that has a legitimate reason for using base64 encoding (which we would care about, as it could indicate that there are false positives that can't be prevented)? -Scott --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[2]: [Declude.JunkMail] Base64 encoded
Well. When I say legit I reference in that it is not a spam mail but a regular mail communication to a user that been sent with a regular mail program. Like you using Eudora Version 5.1 to send a e-mail message directly to me. This person was using QuickMail Pro 3 (mac) to send a e-mail to a client on our service. Reason for doing base64 ? None except poor software engineering and client more then likely using default settings because they don't know better. There is no reason really for the base64 just that it does it anyways in poor practice. I personally put in a word filter rule that now gives this X-mailer a somewhat negative weight to compensate for it's poor e-mail sending behavior. Wasn't sure if anyone ever found a e-mail client that did post standard message in base64 besides what we frequently see from spammers with advertisment junk in it. / Eje Tuesday, January 21, 2003, 2:42:41 PM, you wrote: I know in the past it was discussion about legit base64 usage in mail. I found what seems to be a legit e-mail where the mail client is base64 encoding the message. RSP The question here is what legitimate means. RSP Does it mean that it is a legitimate E-mail, which uses base64 encoding for RSP no apparent reason (which we are not too concerned about, as most people RSP only use the BASE64 test towards the weighting system), or is it a RSP legitimate mail that has a legitimate reason for using base64 encoding RSP (which we would care about, as it could indicate that there are false RSP positives that can't be prevented)? RSP -Scott RSP --- RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] RSP --- RSP This E-mail came from the Declude.JunkMail mailing list. To RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and RSP type unsubscribe Declude.JunkMail. The archives can be found RSP at http://www.mail-archive.com. RSP --- RSP [This E-mail scanned for viruses by Declude Virus] Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] --- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 eBay UserID : macahan - Your Full Time Professionals - --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: Re[2]: [Declude.JunkMail] Base64 encoded
Wasn't sure if anyone ever found a e-mail client that did post standard message in base64 besides what we frequently see from spammers with advertisement junk in it. Outlook Web Access on Exchange 2000. John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[4]: [Declude.JunkMail] Base64 encoded
Thank you I had missed the OWA I added that one myself. Thanks. Tuesday, January 21, 2003, 3:33:06 PM, you wrote: CA As per John's earlier research on OWA as a client, and Eje's report I now CA use this in one of my filter text files: CA #Nov-29-2002 AC Cancel the BASE64 weight when the client was CA # OWA for Exchange 2000 and Enterprise CA HEADERS -4 CONTAINS V6.0.5762.3 CA HEADERS -4 CONTAINS V6.0.6249.0 CA #Jan-21-2003 AC Cancel the BASE64 weight another product that CA # happens to encode body test as BASE64 CA HEADERS -4 CONTAINS QuickMail Pro Server for Mac CA Andrew 8) EG Wasn't sure if anyone ever found a e-mail client that did post EG standard message in base64 besides what we frequently see from EG spammers with advertisement junk in it. JT Outlook Web Access on Exchange 2000. CA --- CA [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] CA --- CA This E-mail came from the Declude.JunkMail mailing list. To CA unsubscribe, just send an E-mail to [EMAIL PROTECTED], and CA type unsubscribe Declude.JunkMail. The archives can be found CA at http://www.mail-archive.com. CA --- CA [This E-mail scanned for viruses by Declude Virus] Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] --- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 eBay UserID : macahan - Your Full Time Professionals - --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re[4]: [Declude.JunkMail] Base64 encoded
While I never followed up or asked any ones opinion, not that it has come up again, read through the attached text file and see what you think. I think, Ugh. M$ at it again, and their faithful admins recite their inconsistent rhetoric as if it's perfectly normal. As you point out, their light MUA uses Quoted-Printable by default, their full-fledged MUAs use None by default, and their web MUA uses Base64 by default. What I'd be most afraid of is that OWA is simply the first wave, and that soon they will make Base64 the default for all their apps, thereby killing the test entirely. -Sandy --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
RE: Re[4]: [Declude.JunkMail] Base64 encoded
What I'd be most afraid of is that OWA is simply the first wave, and that soon they will make Base64 the default for all their apps, thereby killing the test entirely. Oh great Sandy, just by you saying that it will probably happen. :(( John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Base64 encoded
Eje, I use QuickMail on a Mac and Base64 is used as the encoding type by two of their standard configs, but only for attachments. Base64 encoding for the message body requires a manual change. What most likely happened is that the sender in question was swapping around encoding types trying to get an attachment to go through and got sloppy. Dan On Tuesday, January 21, 2003 13:14, Eje Gustafsson [EMAIL PROTECTED] wrote: Well. When I say legit I reference in that it is not a spam mail but a regular mail communication to a user that been sent with a regular mail program. Like you using Eudora Version 5.1 to send a e-mail message directly to me. This person was using QuickMail Pro 3 (mac) to send a e-mail to a client on our service. Reason for doing base64 ? None except poor software engineering and client more then likely using default settings because they don't know better. There is no reason really for the base64 just that it does it anyways in poor practice. I personally put in a word filter rule that now gives this X-mailer a somewhat negative weight to compensate for it's poor e-mail sending behavior. Wasn't sure if anyone ever found a e-mail client that did post standard message in base64 besides what we frequently see from spammers with advertisment junk in it. / Eje Tuesday, January 21, 2003, 2:42:41 PM, you wrote: I know in the past it was discussion about legit base64 usage in mail. I found what seems to be a legit e-mail where the mail client is base64 encoding the message. RSP The question here is what legitimate means. RSP Does it mean that it is a legitimate E-mail, which uses base64 encoding for RSP no apparent reason (which we are not too concerned about, as most people RSP only use the BASE64 test towards the weighting system), or is it a RSP legitimate mail that has a legitimate reason for using base64 encoding RSP (which we would care about, as it could indicate that there are false RSP positives that can't be prevented)? RSP -Scott RSP --- RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] RSP --- RSP This E-mail came from the Declude.JunkMail mailing list. To RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and RSP type unsubscribe Declude.JunkMail. The archives can be found RSP at http://www.mail-archive.com. RSP --- RSP [This E-mail scanned for viruses by Declude Virus] Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] --- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 eBay UserID : macahan - Your Full Time Professionals - --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.
Re: [Declude.JunkMail] Base64 encoded
Hello Dan, I see. Thanks for the clearification. This particular message was a html encoded message where the html part got encoded. Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 - Your Full Time Professionals - eBay UserID : macahan -- DP Eje, DP I use QuickMail on a Mac and Base64 is used as the encoding type by two of their standard configs, but only for attachments. Base64 encoding for the message body requires a manual change. What DP most likely happened is that the sender in question was swapping around encoding types trying to get an attachment to go through and got sloppy. DP Dan DP On Tuesday, January 21, 2003 13:14, Eje Gustafsson [EMAIL PROTECTED] wrote: Well. When I say legit I reference in that it is not a spam mail but a regular mail communication to a user that been sent with a regular mail program. Like you using Eudora Version 5.1 to send a e-mail message directly to me. This person was using QuickMail Pro 3 (mac) to send a e-mail to a client on our service. Reason for doing base64 ? None except poor software engineering and client more then likely using default settings because they don't know better. There is no reason really for the base64 just that it does it anyways in poor practice. I personally put in a word filter rule that now gives this X-mailer a somewhat negative weight to compensate for it's poor e-mail sending behavior. Wasn't sure if anyone ever found a e-mail client that did post standard message in base64 besides what we frequently see from spammers with advertisment junk in it. / Eje Tuesday, January 21, 2003, 2:42:41 PM, you wrote: I know in the past it was discussion about legit base64 usage in mail. I found what seems to be a legit e-mail where the mail client is base64 encoding the message. RSP The question here is what legitimate means. RSP Does it mean that it is a legitimate E-mail, which uses base64 encoding for RSP no apparent reason (which we are not too concerned about, as most people RSP only use the BASE64 test towards the weighting system), or is it a RSP legitimate mail that has a legitimate reason for using base64 encoding RSP (which we would care about, as it could indicate that there are false RSP positives that can't be prevented)? RSP -Scott RSP --- RSP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] RSP --- RSP This E-mail came from the Declude.JunkMail mailing list. To RSP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and RSP type unsubscribe Declude.JunkMail. The archives can be found RSP at http://www.mail-archive.com. RSP --- RSP [This E-mail scanned for viruses by Declude Virus] Best regards, Eje Gustafsson mailto:[EMAIL PROTECTED] --- The Family Entertainment Network http://www.fament.com Phone : 620-231- Fax : 620-231-4066 eBay UserID : macahan - Your Full Time Professionals - --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com. DP --- DP [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] DP --- DP This E-mail came from the Declude.JunkMail mailing list. To DP unsubscribe, just send an E-mail to [EMAIL PROTECTED], and DP type unsubscribe Declude.JunkMail. The archives can be found DP at http://www.mail-archive.com. DP --- DP [This E-mail scanned for viruses by Declude Virus] --- [This E-mail scanned for viruses by Declude Virus] --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] --- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type unsubscribe Declude.JunkMail. The archives can be found at http://www.mail-archive.com.