On Wed, 11 Aug 2004, Steven Champeon wrote:
> on Wed, Aug 11, 2004 at 09:49:39AM -0400, Chris Santerre wrote:
>> Look at these things they have in common. Need to look at rawbody code.
>> alt=3d =2e(org|gif|htm) #split into 3 name=3dgenerator ==.HTM bgColor=3d face=3d src=3d border=3d title=3d face=3d
>> <STYLE></STYLE>
>> Needs to be one big meta rule
>
> ...that will also catch pretty much every last MSHTML email ever sent. That's just base64-encoded HTML, Chris. The empty STYLE element may be unique, but I doubt it.

Beg to differ with you Steve, that is NOT base64-encoded HTML, that is BASTARD-64-encoded HTML. If you read the MIME RFCs, they state very clearly (with 'MUST' wording) that the Hex Digits MUST BE IN CAPS. EG: "bgColor=3D" is valid, "bgColor=3d" is NOT.
I've written several SA rules that look for that kind of violation of the standards, and they take out that particular spam variant quite consistently, even before SURBL hits the URIs.
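
A sketch of the check discussed in this thread, as an added example that is not code from the thread or from SpamAssassin: the `=3d` sequences quoted above use quoted-printable escape syntax, and RFC 2045 section 6.7 requires the hex digits of such escapes to be uppercase. The function name and both sample messages are constructed for illustration.

```python
import email
import re

# A quoted-printable escape is "=" plus two hex digits; RFC 2045 sec. 6.7
# allows only 0-9 and A-F. Soft line breaks ("=" at end of line) do not match.
QP_ESCAPE = re.compile(r"=([0-9A-Fa-f]{2})")

def qp_case_violations(raw_message):
    """Return (lowercase_escapes, total_escapes) for all quoted-printable parts."""
    msg = email.message_from_string(raw_message)
    bad, total = [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte != "quoted-printable":
            continue  # base64 and 7bit parts carry no =XX escapes to judge
        body = part.get_payload(decode=False)  # still-encoded text, as sent
        for m in QP_ESCAPE.finditer(body):
            total += 1
            if m.group(1) != m.group(1).upper():
                bad.append(m.group(0))
    return bad, total

# Constructed sample: an HTML part whose escapes use lowercase hex digits.
SAMPLE_LOWER = (
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: quoted-printable\n"
    "\n"
    "<HTML><HEAD><STYLE></STYLE></HEAD>\n"
    "<BODY bgColor=3d#ffffff><FONT face=3dArial>hello</FONT>\n"
    '<IMG alt=3d"" src=3d"cid:x" border=3d0></BODY></HTML>\n'
)
# Constructed sample: the same message with standards-conforming escapes.
SAMPLE_UPPER = SAMPLE_LOWER.replace("=3d", "=3D")

if __name__ == "__main__":
    for name, raw in (("lowercase", SAMPLE_LOWER), ("uppercase", SAMPLE_UPPER)):
        bad, total = qp_case_violations(raw)
        print(f"{name}: {len(bad)} of {total} escapes violate the hex-case rule")
```

The scan reads the payload before any decoding, because the case of the hex digits is lost once the escapes are decoded.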