On 2/1/2017 9:35 PM, Kevin A. McGrail wrote:
I agree. The test does not trigger
The second test will trigger utf8_mode on
Feb 1 21:29:32.246 [26958] dbg: message: HTML::Parser utf8_mode on
(assumed UTF-8 octets)
Content-Type: text/html; charset="utf-8"
It makes sense since SA tries to decode the body before applying
rules but Thunderbird shows the email correctly in
both cases (the email is human readable).
Can anyone please try it as well to discard it is only me... just
add those 2 headers at the end of smtp headers section..
I would say Thunderbird is not parsing it correctly. Looking to see
if this is a spam indicator.
I ran some test cases with this rule:
#Bad UTF--8 content type and transfer encoding
header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html;
charset=\"utf-8\"/i
header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~
/base64/i
meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 >= 2)
score KAM_BAD_UTF8 1.0
describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that
attempts to evade SA scanning
So far not seeing any sign it's in the wild. Have you?
Regards,
KAM
