utf-8 / base 64 encoded subject
- Thread starter GKrem
- Start date
-
- Tags
- spam base64 utf-8 subject
Could you please provide an example mail (at least the headers in 'raw' format ), the rule you created and your logs?
Hello Stoiko,
i am using this "What" regex:
(?i)(\W|^)(TcOkZGNoZW4=|date|mädchen|frauen|frau|madchen|liebe|dating|sex|sexuell)(\W|$)
You can see, i tested to include a base64 string but i guess this is very sensless :-(
The whole mail is attached, including the header.
What log do you need? the regular syslog does not give info about the spam handling?
The main issue is with the Subject encoded in utf-8?B - is it possible to have the SPAM filter to first decode the field before the regex is executed?
i am using this "What" regex:
(?i)(\W|^)(TcOkZGNoZW4=|date|mädchen|frauen|frau|madchen|liebe|dating|sex|sexuell)(\W|$)
You can see, i tested to include a base64 string but i guess this is very sensless :-(
The whole mail is attached, including the header.
What log do you need? the regular syslog does not give info about the spam handling?
The main issue is with the Subject encoded in utf-8?B - is it possible to have the SPAM filter to first decode the field before the regex is executed?
this might help - i wonder how to follow one mail in the pmg log file? The message id seems to change and i can not find any common string there?
Jun 14 06:26:02 pmg postfix/smtpd[120869]: connect from pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:02 pmg postfix/smtpd[120869]: AB1FB238E0: client=pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:02 pmg postfix/smtpd[120869]: DC71E238E7: client=pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:02 pmg postfix/cleanup[120872]: DC71E238E7: message-id=<0a2b62c93df9d3dc3f95dc779296bcbe158cf2@student.tp.edu.sg>
Jun 14 06:26:02 pmg postfix/qmgr[930]: DC71E238E7: from=<1301882E@STUDENT.TP.EDU.SG>, size=14521, nrcpt=1 (queue active)
Jun 14 06:26:03 pmg pmg-smtp-filter[120330]: 238EB62A80DDAEE37E: new mail message-id=<0a2b62c93df9d3dc3f95dc779296bcbe158cf2@student.tp.edu.sg>#012
Jun 14 06:26:03 pmg postfix/smtpd[120869]: 1ED07238EC: client=pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:03 pmg postfix/smtpd[120869]: disconnect from pmg.xxx-xx.local[192.168.0.202] ehlo=1 mail=3 rcpt=3 data=3 quit=1 commands=11
Jun 14 06:26:19 pmg pmg-smtp-filter[120330]: 238EB62A80DDAEE37E: SA score=1/5 time=16.580 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_INVALID(0.1),DKIM_SIGNED(0.1),FROM_STARTS_WITH_NUMS(0.553),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_GOOGLE_REDIR(0.5),NO_DNS_FOR_FROM(0.379),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),T_SPF_HELO_TEMPERROR(0.01)
Jun 14 06:26:19 pmg postfix/smtpd[120897]: connect from localhost.localdomain[127.0.0.1]
Jun 14 06:26:19 pmg postfix/smtpd[120897]: ADC9A238EC: client=localhost.localdomain[127.0.0.1], orig_client=pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:19 pmg postfix/cleanup[120872]: ADC9A238EC: message-id=<0a2b62c93df9d3dc3f95dc779296bcbe158cf2@student.tp.edu.sg>
Jun 14 06:26:19 pmg postfix/qmgr[930]: ADC9A238EC: from=<1301882E@STUDENT.TP.EDU.SG>, size=15450, nrcpt=1 (queue active)
Jun 14 06:26:19 pmg postfix/smtpd[120897]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 14 06:26:19 pmg pmg-smtp-filter[120330]: 238EB62A80DDAEE37E: accept mail to <t-online@xxxxxxxxx.de> (ADC9A238EC) (rule: default-accept)
Jun 14 06:26:19 pmg pmg-smtp-filter[120330]: 238EB62A80DDAEE37E: processing time: 16.747 seconds (16.58, 0.095, 0)
Jun 14 06:26:19 pmg postfix/lmtp[120877]: DC71E238E7: to=<t-online@xxxxxxxxx.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=0.05/0.02/0/17, dsn=2.5.0, status=sent (250 2.5.0 OK (238EB62A80DDAEE37E))
Jun 14 06:26:19 pmg postfix/qmgr[930]: DC71E238E7: removed
Jun 14 06:26:19 pmg postfix/smtp[120898]: ADC9A238EC: to=<t-online@xxxxxxxxx.de>, relay=192.168.0.3[192.168.0.3]:25, delay=0.03, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Jun 14 06:26:19 pmg postfix/qmgr[930]: ADC9A238EC: removed
Jun 14 06:26:02 pmg postfix/smtpd[120869]: connect from pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:02 pmg postfix/smtpd[120869]: AB1FB238E0: client=pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:02 pmg postfix/smtpd[120869]: DC71E238E7: client=pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:02 pmg postfix/cleanup[120872]: DC71E238E7: message-id=<0a2b62c93df9d3dc3f95dc779296bcbe158cf2@student.tp.edu.sg>
Jun 14 06:26:02 pmg postfix/qmgr[930]: DC71E238E7: from=<1301882E@STUDENT.TP.EDU.SG>, size=14521, nrcpt=1 (queue active)
Jun 14 06:26:03 pmg pmg-smtp-filter[120330]: 238EB62A80DDAEE37E: new mail message-id=<0a2b62c93df9d3dc3f95dc779296bcbe158cf2@student.tp.edu.sg>#012
Jun 14 06:26:03 pmg postfix/smtpd[120869]: 1ED07238EC: client=pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:03 pmg postfix/smtpd[120869]: disconnect from pmg.xxx-xx.local[192.168.0.202] ehlo=1 mail=3 rcpt=3 data=3 quit=1 commands=11
Jun 14 06:26:19 pmg pmg-smtp-filter[120330]: 238EB62A80DDAEE37E: SA score=1/5 time=16.580 bayes=undefined autolearn=no autolearn_force=no hits=DKIM_INVALID(0.1),DKIM_SIGNED(0.1),FROM_STARTS_WITH_NUMS(0.553),HTML_MESSAGE(0.001),KAM_DMARC_STATUS(0.01),KAM_GOOGLE_REDIR(0.5),NO_DNS_FOR_FROM(0.379),SPF_PASS(-0.001),T_SCC_BODY_TEXT_LINE(-0.01),T_SPF_HELO_TEMPERROR(0.01)
Jun 14 06:26:19 pmg postfix/smtpd[120897]: connect from localhost.localdomain[127.0.0.1]
Jun 14 06:26:19 pmg postfix/smtpd[120897]: ADC9A238EC: client=localhost.localdomain[127.0.0.1], orig_client=pmg.xxx-xx.local[192.168.0.202]
Jun 14 06:26:19 pmg postfix/cleanup[120872]: ADC9A238EC: message-id=<0a2b62c93df9d3dc3f95dc779296bcbe158cf2@student.tp.edu.sg>
Jun 14 06:26:19 pmg postfix/qmgr[930]: ADC9A238EC: from=<1301882E@STUDENT.TP.EDU.SG>, size=15450, nrcpt=1 (queue active)
Jun 14 06:26:19 pmg postfix/smtpd[120897]: disconnect from localhost.localdomain[127.0.0.1] ehlo=1 xforward=1 mail=1 rcpt=1 data=1 commands=5
Jun 14 06:26:19 pmg pmg-smtp-filter[120330]: 238EB62A80DDAEE37E: accept mail to <t-online@xxxxxxxxx.de> (ADC9A238EC) (rule: default-accept)
Jun 14 06:26:19 pmg pmg-smtp-filter[120330]: 238EB62A80DDAEE37E: processing time: 16.747 seconds (16.58, 0.095, 0)
Jun 14 06:26:19 pmg postfix/lmtp[120877]: DC71E238E7: to=<t-online@xxxxxxxxx.de>, relay=127.0.0.1[127.0.0.1]:10024, delay=17, delays=0.05/0.02/0/17, dsn=2.5.0, status=sent (250 2.5.0 OK (238EB62A80DDAEE37E))
Jun 14 06:26:19 pmg postfix/qmgr[930]: DC71E238E7: removed
Jun 14 06:26:19 pmg postfix/smtp[120898]: ADC9A238EC: to=<t-online@xxxxxxxxx.de>, relay=192.168.0.3[192.168.0.3]:25, delay=0.03, delays=0.01/0/0/0.01, dsn=2.0.0, status=sent (250 Message accepted for delivery)
Jun 14 06:26:19 pmg postfix/qmgr[930]: ADC9A238EC: removed
Ok - I think i see the issue - it boils down to the one described in:
https://bugzilla.proxmox.com/show_bug.cgi?id=2057
Currently PMG does not deal well with non-ascii characters (we're planning on fixing this soon) - so the issue with the subject is
Mädchen
The one workaround you can use is replace the Umlauts with '.' (of course that opens things up for false positivies - but I don't thing that you'll miss mails where the subject matches 'm.dchen' if you don't want mails where it contains 'mädchen'
I hope this helps!
https://bugzilla.proxmox.com/show_bug.cgi?id=2057
Currently PMG does not deal well with non-ascii characters (we're planning on fixing this soon) - so the issue with the subject is
Mädchen
The one workaround you can use is replace the Umlauts with '.' (of course that opens things up for false positivies - but I don't thing that you'll miss mails where the subject matches 'm.dchen' if you don't want mails where it contains 'mädchen'
I hope this helps!
Hello Stoiko,
i justg want to give you a feedback.
After somed days of silence the spam came back. But now i have the rules activated and this is keeping mail inbox cleaner as ever before.
This is the rules on field subject:
(?i)(\W|^)(TcOkZGNoZW4=|date|m.dchen|frauen|frau|madchen|liebe|dating|sex|sexuell)(\W|$)
(?i)(\W|^)(cannabis|abnehmen|zimt|bauch|gewicht|fett|bauchfett)(\W|$)
Thank yxou for the support and the solution.
Best wishes
Günter
i justg want to give you a feedback.
After somed days of silence the spam came back. But now i have the rules activated and this is keeping mail inbox cleaner as ever before.
This is the rules on field subject:
(?i)(\W|^)(TcOkZGNoZW4=|date|m.dchen|frauen|frau|madchen|liebe|dating|sex|sexuell)(\W|$)
(?i)(\W|^)(cannabis|abnehmen|zimt|bauch|gewicht|fett|bauchfett)(\W|$)
Thank yxou for the support and the solution.
Best wishes
Günter
Glad that worked as mitigation - the acutally correctly matching non-ascii characters is quite high on our todo list - so soon this should become more straight-forward!