We are getting a lot of base64 encoded email spam containing explicit sexual content. Some of the common text of the email are "milfs". I created a content filter as follows to block these messages but it is not working.
Match Type: any condition must be met
Enable wildcards in search string (* and ?): Enabled
Condition Type: Contains specific words or phrases
Here is an example of such an email:
Received: from 131-255-96-170.customer.rapnettelecom.com.br (131-255-96-170.customer.rapnettelecom.com.br [220.127.116.11]) by mail.atlantisnet.com; Mon, 25 Feb 2019 04:07:40 +0000
Received: from unknown (10.202.233.170)
by qnx.mdrost.com with NNFMP; Mon, 25 Feb 2019 20:06:35 +0800
Received: from unknown (HELO mxs.perenter.com) (Mon, 25 Feb 2019 19:49:01 +0800)
by mailout.endmonthnow.com with ESMTP; Mon, 25 Feb 2019 19:49:01 +0800
Received: from unknown (18.104.22.168)
by qrx.quickslick.com with NNFMP; Mon, 25 Feb 2019 19:30:13 +0800
Date: Mon, 25 Feb 2019 19:22:53 +0800
Reply-To: "Aspen" <MiguelWilliams@rapnettelecom.com.br>
From: "Aspen" <MiguelWilliams@rapnettelecom.com.br>
User-Agent: Mozilla 4.7 [en] (Win98; I)
To: "Aspen" <email@example.com>
Subject: could you meet me
PCFkb2N0eXBlIGh0bWw+DQo8aHRtbD4NCjxoZWFkPg0KPG1ldGEgY2hhcnNldD0idXRmLTgiPg0K PC9oZWFkPg0KPGJvZHk+DQo8dGFibGUgd2lkdGg9IjYwMCIgYm9yZGVyPSIwIiBhbGlnbj0iY2Vu dGVyIiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsOyBmb250LXNpemU6IDE4cHgiPg0KIDx0Ym9k eT4NCiA8dHI+DQogPHRoIGhlaWdodD0iNzkiIHNjb3BlPSJjb2wiPkxvb2tpbmcgZm9yIGhvdCBn aXJscyBhbmQgbWlsZnM/PHA+PC9wPjwvdGg+DQogPC90cj4NCiA8dHI+DQogPHRkIGhlaWdodD0i NTUiIGFsaWduPSJjZW50ZXIiIGJnY29sb3I9IiNDMTAwMDMiIHN0eWxlPSJjb2xvcjogI0ZGRkZG
The second line from the bottom contains the string "bWlsZnM" which I am trying to filter. That string decoded is "milfs".
Does anyone know how to setup a content filter that can check for a specific string within a base64 encoded message?