Re: Filtering MIME content & encoded headers
Eric S <ejs <at> bfd.com>
2003-06-04 00:06:31 GMT
On 4 Jun 2003, Igor Stroh wrote:
> is it possible to make filter rules find patterns in encoded
> headers/body parts? e.g. in base64 or quoted-printable strings?
I started off rejecting any email that was text/plain or
text/html and base64-encoded, and found it so effective that I wrote a
perl program to feed through to parse out the sub-entities of the
document and check each of them the same way (to avoid false positives
where I have one text/plain entity and a base-64 encoded graphic entity as
part of the same email).
Not perfect, I've had one false positive that came from a mailing list
hosted in Germany.
Now, this doesn't exactly answer your question. Yes, but not easily, at
least not that I know of. The only way's I'm aware of to do it is to use
an external program like I am (besides, as much of a step forward maildrop
is over procmail, I'm much more comfortable with Perl), or to search for
the encoded text, ie (/(s|=73|=53)(e|=65|=45)(x|=75|=58)/i). Searching
within base64 encoded text is much more complicated this way, as each
possible string has at least 4 different ways to encode it, possibly more
if the surrounding characters are variable or if you want
case-insensitivity. For example, "sex" could be encoded 8*(1+256*3) ways,
and your regexp would get pretty complicated avoiding false-positives from
decoding starting at the wrong position.
This SF.net email is sponsored by: Etnus, makers of TotalView, The best
thread debugger on the planet. Designed with thread debugging features