
Body checks for BASE64 mails?

Status
Closed for further replies.

danau

Member
Hello,

I have a SuSE 9.3 with postfix, fetchmail, qpopper, amavis, spamassassin etc.

Everything works great, but unfortunately the SPAMMERS have come up with brand-new tricks that can be detected neither by SPAMASSASSIN nor by BODY or HEADER CHECKS.

Example 1:

All e-mails that are encoded in the header with
Code:
Content-Transfer-Encoding: base64
cannot be filtered with BODY CHECKS for search terms such as "VIAGRA", because the actual mail text is encrypted.

Example 2:

Mails like this are not filtered either, because the SPAM words, e.g. "VIAGRA", are inserted chopped up:

Code:
This is a multi-part message in MIME format.

------=_NextPart_000_0022_01C5EE10.FB201B80
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

 X
V
C
P
V
L
A
a
A
I
r
I
e
m
n
L
A
o
A
v
b
a
I
L
z
G
i
i
x
U
I
a
R
t
e
 M
S
c
A
ra
n
 1,20
 3,70
 3,35
 http://www.momentask.heatecipe.com

------=_NextPart_000_0022_01C5EE10.FB201B80
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV> </DIV>
<DIV style=3D"BORDER-TOP-WIDTH: 0px; FLOAT: left;"><FONT face=3DCourier =
size=3D3>X<BR>V<BR>C<BR>P<BR>V<BR>L<BR>A</FONT></DIV>
<DIV style=3D"MARGIN-RIGHT: 0px; FLOAT: left;"><FONT face=3DCourier =
size=3D3>a<BR>A<BR>I<BR>r<BR>I<BR>e<BR>m</FONT></DIV>
<DIV style=3D"BORDER-LEFT-WIDTH: 0px; FLOAT: left;"><FONT face=3DCourier =
size=3D3>n<BR>L<BR>A<BR>o<BR>A<BR>v<BR>b</FONT></DIV>
<DIV style=3D"BORDER: 0px; FLOAT: left;"><FONT face=3DCourier =
size=3D3>a<BR>I<BR>L<BR>z<BR>G<BR>i<BR>i</FONT></DIV>
<DIV style=3D"PADDING-RIGHT: 0px; FLOAT: left;"><FONT face=3DCourier =
size=3D3>x<BR>U<BR>I<BR>a<BR>R<BR>t<BR>e</FONT></DIV>
<DIV style=3D"PADDING-LEFT: 0px; FLOAT: left;"><FONT face=3DCourier =
size=3D3> <BR>M<BR>S<BR>c<BR>A<BR>ra<BR>n</FONT></DIV>
<DIV style=3D"PADDING-TOP: 0px; FLOAT: left;"><FONT face=3DCourier =
size=3D3> <BR> 1,20<BR> 3,70<BR> <BR> 3,35<BR=
> <BR> </FONT></DIV><DIV style=3D"CLEAR: both;"> </DIV><A =
href=3D"http://www.momentask.heatecipe.com"><FONT size=3D3>http://www.mo=
mentask.heatecipe.com</FONT></A></BODY></HTML>

------=_NextPart_000_0022_01C5EE10.FB201B80--

How can such annoying SPAM mails be filtered anyway?
Is there already a solution for this?
 

danau

Member
Great! But how did you do that?

I need that for other SPAM words as well.
 

danau

Member
I have been thinking that the incoming mails would somehow have to be decoded from base64 to 8bit (etc.). There must be a solution for that.

Because a mail like this gets past all SPAM filters:

Code:
Subject: Precision Micro-Cap Report
Date: Tue, 22 Nov 2005 08:46:26 +0000
MIME-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: base64
X-added: mobile.de customer service
X-Virus-Scanned: amavisd-new at site
X-UIDL: 8[["!m5="!?L##!Y=p!!
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 
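
Added example, not part of the thread and not code from Postfix, amavis or SpamAssassin: the Python below undoes the Content-Transfer-Encoding of each text part (the base64 case in the first and last post) and, for HTML parts, reads the side-by-side floated DIV columns from the first post across, row by row, before searching for keywords. The keyword list, the function names and both sample mails are assumptions constructed here; only the column letters are taken from the quoted mail.

```python
import base64
import email
import re
from email import policy

KEYWORDS = ("cialis", "valium", "viagra")  # assumed word list, for illustration only

def decoded_parts(raw):
    """Yield (content_type, text) per text part, transfer encoding already undone."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            yield part.get_content_type(), part.get_content()

def rows_from_columns(html):
    """Read floated <DIV> columns (cells split by <BR>) across, row by row."""
    cols = []
    for div in re.findall(r"<div[^>]*float[^>]*>(.*?)</div>", html, re.I | re.S):
        cells = re.split(r"<br\s*/?>", div, flags=re.I)
        cols.append([re.sub(r"<[^>]+>", "", c).strip() for c in cells])
    height = max((len(c) for c in cols), default=0)
    return ["".join(c[i] for c in cols if i < len(c)) for i in range(height)]

def keyword_hits(raw):
    """Return the keywords found in decoded text or in rebuilt column rows."""
    found = set()
    for ctype, text in decoded_parts(raw):
        views = [text] + (rows_from_columns(text) if ctype == "text/html" else [])
        for view in views:
            found.update(k for k in KEYWORDS if k in view.lower())
    return sorted(found)

# Constructed samples: a base64 body invented here, and the letter columns
# quoted in the first post wrapped in simplified quoted-printable markup.
B64_MAIL = (b"MIME-Version: 1.0\r\nContent-Type: text/plain\r\n"
            b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.b64encode(b"Cheap VIAGRA offer\n") + b"\r\n")
COLUMNS = ["XVCPVLA", "aAIrIem", "nLAoAvb", "aILzGii", "xUIaRte",
           [" ", "M", "S", "c", "A", "ra", "n"]]
HTML_MAIL = (b"MIME-Version: 1.0\r\nContent-Type: text/html; charset=\"us-ascii\"\r\n"
             b"Content-Transfer-Encoding: quoted-printable\r\n\r\n"
             + "".join('<DIV style=3D"FLOAT: left;">' + "<BR>".join(col) + "</DIV>\r\n"
                       for col in COLUMNS).encode("ascii"))

if __name__ == "__main__":
    print(keyword_hits(B64_MAIL), keyword_hits(HTML_MAIL))
```

Neither sample contains a keyword as a contiguous string in its raw or merely decoded form, which is why a pattern applied line by line to the undecoded body misses both.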