VOICE Home Page: http://www.os2voice.org
September 2002
By Michael W. Cocke © September 2002
An increasingly common spam tactic is to send an attachment with a blank email message (one that has no text in the body of the email). These attachments are often web pages or Windows executable programs. Maybe the spammers think that an empty text body makes it harder to filter against. But there is a way to filter based on the content of attachments, if you know how.
At the time the mail filter runs, the mail server knows nothing about attachments; it is dealing with a single text stream, and a MIME attachment is just a block of Base64 text inside that stream. So, assuming you are using Peter Moylan's Weasel SMTP/POP3 server or Zeryx's Zxmail, you can use David Hough's Weaselfilter to filter on the contents of that stream.
First, you will need a Base64 encoder/decoder utility. Base64 is the encoding MIME uses for binary attachments, so it is often just called MIME encoding. There are many available, including one that can be run right here on my utils web page: http://www.catherders.com/base64.shtml.
Second, you choose the string you want to filter on. (See samples below.) It's better to use a long string rather than a short one to reduce the chance of a false match. (See Technical Note at end.) I recommend at least 25-30 characters.
Third, Base64-encode the string you want to filter on. Remove any trailing equal signs: they are padding that Base64 appends to bring the output up to a multiple of four characters, and they appear only at the very end of an encoded attachment, never in the middle. What remains is the search string to set as a bodyfilter in Weaselfilter.
Here are several sample strings you might want to use, each followed by its Base64 encoding, which is the search string to enter. (If your browser wraps a search string onto more than one line, ignore the wrap; each search string is one continuous line.) The first three are from web pages; the last two are common in Windows executables. Copy the search strings exactly as shown: "it's" is the spammer's spelling, and the search string for the first sample encodes a space and a line break after "from" (decode it and you will see), so it matches only where the spam page breaks the line at that point.

Sample string: to receive special offers from Hi-Speed Media or one of it's marketing partners
Search string: dG8gcmVjZWl2ZSBzcGVjaWFsIG9mZmVycyBmcm9tIApIaS1TcGVlZCBNZWRpYSBvciBvbmUgb2YgaXQncyBtYXJrZXRpbmcgcGFydG5lcnM

Sample string: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
Search string: PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDMuMi8vRU4iPg

Sample string: <A HREF="http://www.img-marketing.com/remove.htm">
Search string: PEEgSFJFRj0iaHR0cDovL3d3dy5pbWctbWFya2V0aW5nLmNvbS9yZW1vdmUuaHRtIj4

Sample string: This program cannot be run in DOS mode
Search string: VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU

Sample string: This program must be run under Win32
Search string: VGhpcyBwcm9ncmFtIG11c3QgYmUgcnVuIHVuZGVyIFdpbjMy

The Weaselfilter docs cover the basics but don't go into more advanced areas, so unless you know how a POP server works, you probably wouldn't stumble onto this trick. With this simple technique you can improve the effectiveness of Weaselfilter and block more of the spammer's art. As a side benefit, the same method can be used to trap viruses arriving as executable attachments.
Technical Note: Weaselfilter compares the search string to the text stream on a case-insensitive basis. Base64, however, is case-sensitive: upper- and lower-case letters are different symbols in its alphabet, so two different initial strings can produce encoded search strings that differ only in the case of some of the characters. If the initial string is short, the corresponding encoding is also short. Change a case here and there, decode the result, and you get a short initial string that might actually be found elsewhere in the text stream, and the case-insensitive comparison will count that as a match. A long initial string, on the other hand, gives a long search string. Change one or more cases in that, decode the result, and you most likely have a long string of gibberish for the initial string. While it's certainly not impossible to find gibberish in a web page, it's far less likely to be an exact match and so trigger the filter.
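The procedure above (encode the string, strip the padding, search the raw stream case-insensitively) and the Technical Note, as an added Python example; this is not code from the article or from Weaselfilter. It goes one step beyond the text: Base64 encodes 3-byte groups, so the same bytes encode to different text depending on their offset within the attachment, and search_strings() therefore produces all three possible forms instead of one. It also drops the final partial character that the article keeps after removing the equal signs, since that character's value depends on the byte that follows. The message layout, addresses, boundary and the two fake executable stubs are constructed for the example.

```python
import base64
from typing import List, Optional

# MIME wraps Base64 bodies at 76 characters per line (RFC 2045); the
# constructed sample message below uses the same layout.
BASE64_LINE_LEN = 76


def search_strings(plaintext: bytes) -> List[str]:
    """Return the three Base64 forms `plaintext` can take inside an attachment.

    For phase r (0, 1, 2) we prepend r dummy bytes, encode, and keep only the
    characters whose six bits come entirely from `plaintext`.  Characters at
    either end that also cover a neighbouring byte are dropped, because their
    value depends on bytes we do not know.  Element 0 is the article's method
    (phase 0) minus that last partial character.
    """
    n = len(plaintext)
    forms = []
    for r in range(3):
        encoded = base64.b64encode(b"\x00" * r + plaintext).decode("ascii")
        first = -(-8 * r // 6)        # ceil(8r/6): first char fully inside plaintext
        last = (8 * r + 8 * n) // 6   # one past the last char fully inside plaintext
        forms.append(encoded[first:last])
    return forms


def bodyfilter_match(stream: str, search_string: str) -> bool:
    """What one Weaselfilter bodyfilter does: a case-insensitive substring
    test of a single fixed search string against the raw message text."""
    return search_string.lower() in stream.lower()


def find_encoded(stream: str, plaintext: bytes, join_lines: bool = False) -> Optional[str]:
    """Scan the raw message text for any of the three encoded forms of
    `plaintext`, case-insensitively like Weaselfilter; return the form that hit.

    With join_lines=True the CR/LF that MIME inserts every 76 characters are
    removed first.  Without it a search string that straddles a wrapped line
    cannot match, which is what a filter that only sees the raw stream does.
    """
    haystack = stream.replace("\r", "").replace("\n", "") if join_lines else stream
    haystack = haystack.lower()
    for form in search_strings(plaintext):
        if form.lower() in haystack:
            return form
    return None


def build_sample_message(attachment: bytes) -> str:
    """Constructed sample (not a captured message): a blank-bodied mail with one
    Base64 attachment, as the single text stream the server hands the filter."""
    body = base64.b64encode(attachment).decode("ascii")
    wrapped = "\r\n".join(body[i:i + BASE64_LINE_LEN] for i in range(0, len(body), BASE64_LINE_LEN))
    return (
        "From: promo@example.invalid\r\n"          # made-up addresses
        "To: you@example.invalid\r\n"
        "Subject: \r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: application/octet-stream; name=offer.exe\r\n"
        "Content-Transfer-Encoding: base64\r\n"
        "\r\n"
        + wrapped + "\r\n"
        "--b1--\r\n"
    )


# The article's search string for the DOS stub message, copied from the samples.
ARTICLE_DOS_SEARCH = "VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU"
DOS_STUB_MSG = b"This program cannot be run in DOS mode"

# Constructed stand-ins for the start of a Windows executable (not real files).
# The stub message starts at byte 60 (a multiple of 3) in the first and at
# byte 61 in the second, so the two attachments encode differently.
FAKE_EXE_PHASE0 = b"MZ" + b"\x00" * 58 + DOS_STUB_MSG + b".\r\n$" + b"\x00" * 16
FAKE_EXE_PHASE1 = b"MZ" + b"\x00" * 59 + DOS_STUB_MSG + b".\r\n$" + b"\x00" * 16


def demo() -> dict:
    """Compare the article's single search string with the all-phase scan."""
    msg0 = build_sample_message(FAKE_EXE_PHASE0)
    msg1 = build_sample_message(FAKE_EXE_PHASE1)
    return {
        "article string hits phase-0 file": bodyfilter_match(msg0, ARTICLE_DOS_SEARCH),
        "article string hits phase-1 file": bodyfilter_match(msg1, ARTICLE_DOS_SEARCH),
        "all-phase scan hits phase-0 file": find_encoded(msg0, DOS_STUB_MSG) is not None,
        "all-phase scan hits phase-1 file": find_encoded(msg1, DOS_STUB_MSG) is not None,
    }


if __name__ == "__main__":
    for form in search_strings(DOS_STUB_MSG):
        print(form)
    for name, hit in demo().items():
        print(f"{name}: {hit}")
```

In practice, set all three forms as bodyfilter entries. The real DOS stub message happens to sit at offset 0x4E in most executables, a multiple of 3, which is why the article's single string works as often as it does; a Base64 line wrap landing inside the search string will still defeat a raw-stream filter, so keep search strings well under 76 characters.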
Mike's Notebook web site contains an assortment of frequently updated articles and tips for OS/2 users.