Thanks Kevin, I did a similar rule to detect it but with a higher score (3), since we are seeing a huge LinkedIn phishing campaign using this technique that, on purpose or by mistake, is evading most SA rules... I agree that Thunderbird may be doing it wrong. Outlook seems to do it right.
>I would say Thunderbird is not parsing it correctly. Looking to see if this
>is a spam indicator.
>I ran some test cases with this rule:
>#Bad UTF-8 content type and transfer encoding
>header __KAM_BAD_UTF8_1 Content-Type =~ /text\/html; charset=\"utf-8\"/i
>header __KAM_BAD_UTF8_2 Content-Transfer-Encoding =~ /base64/i
>meta KAM_BAD_UTF8 (__KAM_BAD_UTF8_1 + __KAM_BAD_UTF8_2 >= 2)
>score KAM_BAD_UTF8 1.0
>describe KAM_BAD_UTF8 Bad Content Type and Transfer Encoding that attempts to evade SA scanning
>
>
>So far not seeing any sign it's in the wild. Have you?

-----
Pedro