Global email filter not working with Base64 encoded email
I'm getting an increasing number of spam emails that are Base64 encoded. I grabbed a tiny section of the Base64 string that appears in all the spam emails and I've set up some global email filters, however the filter test just lets the email through.
Attached is a screenshot of my filters which I've set as both strings and regex.
I confirmed the regex works at regex101.com.
An example of a full email body is here: gist.github.com/ddaddy/92e6e3f28a42112b814bf34532cba347
Why would the email filter not pick up on a simple string?
Is the Base64 string maybe not actually in the email body?
I looked at your rule and the first thing that caught my eye was your regex entry. I've no experience with regex rules so I wouldn't know where to start. Did you try the rule without the regex part?
Yes, it didn't work without the regex which is why I tried it with.
I would be interested to learn the outcome of this if you find an answer, as I've no doubt it could help others.
Hello, The following response was included in a recent support ticket: [QUOTE] It seems that our "Global Email Filters" does not work with base64 encoded body messages, so you would want to either pipe the message through a program to decode it (not something we would be able to help with), or enable the Apache SpamAssassin service and filter spam with that method.
Additionally, you can find some discussion of a similar topic on the following links: Thank you.
Hi, I did read that previous discussion, however I think that was about searching for encoded text within the Base64. As in, the filter decoding the Base64 then looking for the text. This is different. I have a Base64 pattern IHJpZ2h0IG5v that appears in the email body that I want to match. No decoding is needed at all. Just match the text. But it fails to see it.
Hi, I did read that previous discussion, however I think that was about searching for encoded text within the Base64. As in, the filter decoding the Base64 then looking for the text. This is different. I have a Base64 pattern
IHJpZ2h0IG5v
that appears in the email body that I want to match. No decoding is needed at all. Just match the text. But it fails to see it.
Can you submit a
Support ticket submitted 13360843
Support ticket submitted 13360843
Here's a summary of the response sent by one of our Technical Analysts: [QUOTE] The content type shows that the data associated with the referenced email is base64. This means that it is binary data. This can decode to text or HTML, however it could also decode to an image, or zip file, etc. This is why exim skips this portion, it is not "text" even though it is transmitted this way. We suggest using SpamAssassin to filter messages as it generally does a good job in using various methods and tests to determine if a message is spam or not. Please note that our ability to assist with custom mail filter rules is very limited. Currently it appears to be working as expected.
Thank you.
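The "pipe the message through a program to decode it" option from the support reply, as an added example that is not code from the support team or any poster in this thread: a Python check that decodes each text part before matching, shown beside a raw match on the Base64 fragment. The function names and sample messages are constructed for illustration; `IHJpZ2h0IG5v` decodes to ` right no`, and the raw fragment only appears when that plaintext starts on a 3-byte boundary and is not split by the 76-character line wrap.

```python
import base64
import email
import re
from email import policy

PATTERN_B64 = "IHJpZ2h0IG5v"            # raw Base64 fragment quoted in the thread
PATTERN_TEXT = re.compile(r"right no")  # the plaintext that fragment decodes to


def build_message(body: str) -> bytes:
    """Constructed test message with a single Base64-encoded text part."""
    encoded = base64.encodebytes(body.encode()).decode()  # wraps every 76 chars
    return (
        "From: sender@example.com\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        "Content-Type: text/plain; charset=utf-8\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n"
        + encoded.replace("\n", "\r\n")
    ).encode()


def raw_match(raw: bytes) -> bool:
    """Look for the Base64 fragment in the undecoded message bytes."""
    return PATTERN_B64.encode() in raw


def decoded_match(raw: bytes) -> bool:
    """Decode every text/* part, then match on the plaintext."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers, images, archives
        try:
            text = part.get_content()  # undoes Base64 and the charset
        except (LookupError, ValueError):
            continue  # unknown charset or undecodable payload
        if PATTERN_TEXT.search(text):
            return True
    return False


if __name__ == "__main__":
    # Aligned, shifted by one byte, and aligned but split by the line wrap.
    for body in ("abc right now", "abcd right now", "x" * 54 + " right now"):
        raw = build_message(body)
        print(repr(body[-14:]), "raw:", raw_match(raw), "decoded:", decoded_match(raw))
```
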