Re: Malformed spam email gets through.

Sun, 31 Dec 2017 17:55:00 -0800 

On 12/31/2017 05:15 PM, Mark London wrote:
Hi - I previously mentioned that I was getting emails with hand created html tags, that had both uppercase and lowercase letters. 


I created a crude rawbody rule to test for them. It worked, until the 
spammer accidentally added the line "Content-Transfer-Encoding: base64", 
even though the body of the message is not encoded with base64.



Because of this, my rawbody rules failed to trigger.  See below.  Is 
there a way to detect a malformed email like this?



Also, can anyone suggest a nicely written rule, that triggers when an 
html tag's text contains both upper and lower case letters?  Thanks. - Mark


MIME-Version: 1.0
From: c...@nmlc.com
To: markrlon...@gmail.com
Date: Sun, 31 Dec 2017 18:42:25 CET

Subject: Never Pay For Covered Home Repairs Again-Best deal of the year, 
Iimited-Time*Njvt

Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: base64
Message-ID: <NTMHDCrauhrQ5zjWNWEB20SB8wSA1X00000533@NTMHDCWEB20SB>
X-OriginalArrivalTime: 22 Mar 2017 15:52:46.0402 (UTC) FILETIME=

X-SG-EID: 
Ir4EYmZz10i7MgunveLJlw0xcvqQbeauQMDQs3EPe27heIGiqko5Ui6DR17zgRAkuOys70ubB2uU06 
2rXoYm1NiUd72Cmr8IRCp81sAgopwU26YxZSasTrSlTtZfLgs+yn3P85pGOBbZrAEV2KAPssmDkJ77 
YTcMSxfLqx2qEBkTLe9yUFrjCwDKa+CySPgoWXhA3BKLnvIvUPwEgt0uMQ==
X-Feedback-ID: 
561562:WZ3ZRcIWAujB4xGDqDKA1Ud8w67Bpa8gtW18sDbAXo0=:WZ3ZRcIWAujB4xGDqDKA1Ud8w67Bpa8gtW18sDbAXo0=:SG 




<cenTeR><A 
HrEf=http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=r-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb><IMg 
srC=https://www.imagevita.org/uploads/46174adfa726bcdadfc2914890c02ee9.jpg></a><HeAD><br><A 
HrEf=http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=ua-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb><IMg 
srC=https://www.imagevita.org/uploads/8d36198d9d812471230cd3a1362eb169.jpg></a><br><A 
HrEf=http://www.sitedesk.net/redirect.php?url=http%3A%2F/%2f/ec2-52-52-247-130.us-west-1.compute.amazonaws.com/qs=u-aeideaebigkjffgafifgifajjibbeaeekabababadjadaccaebbacdckacckcacb><IMg 
srC=https://www.imagevita.org/uploads/529ec935ba2f0b52917be25826b3a23b.jpg></a><br><hr><Div 
style="height:5500PX"></div>The New York Times

Thank you for registering.




That email looks like it came from Sendgrid but I can't tell for sure 
without seeing all of the Received headers.  If it did come through 
Sendgrid, then this should be reported to their abuse to help all of us.


https://sendgrid.com/report-spam/

--
David Jones






















					Reply via email to