Content Filter for Base64 encoded email
Question asked by Leo Novelli - February 24 at 10:51 PM
Unanswered
We are getting a lot of base64 encoded email spam containing explicit sexual content. Some of the common text of the email are "milfs". I created a content filter as follows to block these messages but it is not working.

Match Type: any condition must be met
Enable wildcards in search string (* and ?): Enabled
Condition Type: Contains specific words or phrases
Field: Body
Comparison: Contains
Body: *bWlsZnM*

Here is an example of such an email:

Return-Path: <MiguelWilliams@rapnettelecom.com.br>
Received: from 131-255-96-170.customer.rapnettelecom.com.br (131-255-96-170.customer.rapnettelecom.com.br [131.255.96.170]) by mail.atlantisnet.com; Mon, 25 Feb 2019 04:07:40 +0000
Received: from unknown (10.202.233.170)
     by qnx.mdrost.com with NNFMP; Mon, 25 Feb 2019 20:06:35 +0800
Received: from unknown (HELO mxs.perenter.com) (Mon, 25 Feb 2019 19:49:01 +0800)
     by mailout.endmonthnow.com with ESMTP; Mon, 25 Feb 2019 19:49:01 +0800
Received: from unknown (116.40.114.138)
     by qrx.quickslick.com with NNFMP; Mon, 25 Feb 2019 19:30:13 +0800
Message-ID: <FE0A87B8.695747F4@rapnettelecom.com.br>
Date: Mon, 25 Feb 2019 19:22:53 +0800
Reply-To: "Aspen" <MiguelWilliams@rapnettelecom.com.br>
From: "Aspen" <MiguelWilliams@rapnettelecom.com.br>
User-Agent: Mozilla 4.7 [en] (Win98; I)
MIME-Version: 1.0
To: "Aspen" <john@floodnot.com>
Subject: could you meet me
Content-Type: text/html;
     charset="us-ascii"
Content-Transfer-Encoding: base64

PCFkb2N0eXBlIGh0bWw+DQo8aHRtbD4NCjxoZWFkPg0KPG1ldGEgY2hhcnNldD0idXRmLTgiPg0K PC9oZWFkPg0KPGJvZHk+DQo8dGFibGUgd2lkdGg9IjYwMCIgYm9yZGVyPSIwIiBhbGlnbj0iY2Vu dGVyIiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsOyBmb250LXNpemU6IDE4cHgiPg0KIDx0Ym9k eT4NCiA8dHI+DQogPHRoIGhlaWdodD0iNzkiIHNjb3BlPSJjb2wiPkxvb2tpbmcgZm9yIGhvdCBn aXJscyBhbmQgbWlsZnM/PHA+PC9wPjwvdGg+DQogPC90cj4NCiA8dHI+DQogPHRkIGhlaWdodD0i NTUiIGFsaWduPSJjZW50ZXIiIGJnY29sb3I9IiNDMTAwMDMiIHN0eWxlPSJjb2xvcjogI0ZGRkZG

The second line from the bottom contains the string "bWlsZnM" which I am trying to filter. That string decoded is "milfs".

Does anyone know how to setup a content filter that can check for a specific string within a base64 encoded message?


8 Replies

Reply to Thread
0
Steve Norton Replied
The BASE64 encode is in the raw data and is decoded in the body, just search for milfs in the body instead.
0
Leo Novelli Replied
I changed the filter. Sometimes the filter catches the term and sometimes it does not. 

My current filter settings are:

Match Type: ANY condition must be met
Enable wildcards in search string (* and ?): Enabled
Condition Type: Contains specific words or phrases
Field: Body
Comparison: Contains
Body (one per line):
*bWlsZnM*
milfs

Is there anyway to diagnose a filter?
0
Steve Norton Replied
Are those that are not caught also BASE64 encoded?
Do you have the raw data from one that was not caught.
Have you tried sending the same message to the server via telnet several times as a test to see if it's missed sometimes even with the same data?

0
Leo Novelli Replied
Yes, all these are BASE64 encoded.

Here is the raw data from the one not caught:

Return-Path: <JerryRivera@sunshinetowers.com.au>
Received: from sunshinetowers.com.au (unknown [177.101.55.66]) by mail.atlantisnet.com with SMTP; Wed, 27 Feb 2019 11:42:48 -0800
Received: from unknown (145.227.17.31)
	by mtu67.syds.piswix.net with SMTP; Thu, 28 Feb 2019 00:37:23 -0300
Message-ID: <A6398E54.2423155A@sunshinetowers.com.au>
Date: Thu, 28 Feb 2019 00:26:07 -0300
Reply-To: "Ariyah" <JerryRivera@sunshinetowers.com.au>
From: "Ariyah" <JerryRivera@sunshinetowers.com.au>
User-Agent: AOL 8.0 for Windows US sub 230
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Ariyah" <john@floodnot.com>
Subject: Do you know how to turn a girl on? 
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: base64

PCFkb2N0eXBlIGh0bWw+DQo8aHRtbD4NCjxoZWFkPg0KPG1ldGEgY2hhcnNldD0idXRmLTgiPg0K
PC9oZWFkPg0KPGJvZHk+DQo8dGFibGUgd2lkdGg9IjYwMCIgYm9yZGVyPSIwIiBhbGlnbj0iY2Vu
dGVyIiBzdHlsZT0iZm9udC1mYW1pbHk6IEFyaWFsOyBmb250LXNpemU6IDE4cHgiPg0KIDx0Ym9k
eT4NCiA8dHI+DQogPHRoIGhlaWdodD0iNzkiIHNjb3BlPSJjb2wiPkxvb2tpbmcgZm9yIGhvdCBn
aXJscyBhbmQgbWlsZnM/PHA+PC9wPjwvdGg+DQogPC90cj4NCiA8dHI+DQogPHRkIGhlaWdodD0i
NTUiIGFsaWduPSJjZW50ZXIiIGJnY29sb3I9IiNDMTAwMDMiIHN0eWxlPSJjb2xvcjogI0ZGRkZG
RjsgZm9udC1zaXplOiAyNHB4OyBmb250LWZhbWlseTogQXJpYWwiPldhbnQgc2V4IHRvbmlnaHQs
IGFuZCBuZXcgcHVzc3kgZXZlcnkgZGF5Pzxicj48L3RkPg0KIDwvdHI+DQogPHRyPg0KIDx0ZCBo
ZWlnaHQ9IjEzMyIgYWxpZ249ImNlbnRlciI+PHA+R28gdG8gdGhpcyBzaXRlIGFuZCBjaG9vc2Ug
YW55IG9mIGNvb2wgZ2lybHMhIEFuZCB0aGV5IGFyZSByZWFkeSB0byBmdWNrIHdpdGggeW91ITxi
cj48YnI+PC9wPg0KIDxwPjxhIGhyZWY9Imh0dHA6Ly9teXN3ZWV0Z2lybHMuc3UiIHN0eWxlPSJm
b250LWZhbWlseTogQXJpYWw7IGZvbnQtc2l6ZTogMThweDsgY29sb3I6ICMzRjUwRkM7Ij5odHRw
Oi8vbXlzd2VldGdpcmxzLnN1PC9hPjwvcD4NCiA8cD5IZXJlIGFyZSBzb21lIG9mIHRoZW0sIHNl
ZSBwaG90byBiZWxvdzwvcD48bmF2PjwvbmF2PjwvdGQ+DQogPC90cj4NCiA8L3Rib2R5Pg0KPC90
YWJsZT48bWFpbj48L21haW4+DQo8dGFibGUgd2lkdGg9IjYwMCIgYm9yZGVyPSIwIiBhbGlnbj0i
Y2VudGVyIj4NCiA8dGJvZHk+DQogPHRyPg0KIDx0aD48YSBocmVmPSJodHRwOi8vbXlzd2VldGdp
cmxzLnN1Ij48aW1nIHNyYz0iaHR0cDovLzI0LWluZm8uaW5mby91cGxvYWRzL3Bvc3RzLzIwMTgt
MTEvZGV2dXNoa2ktcy1rcmFzaXZveS1ncnVkeXUtNDAtZm90b18xLmpwZyIgd2lkdGg9IjI4MCIg
YWx0PSJwaG90byBvbmUiLz48L2E+PC90aD4NCiA8dGg+PGEgaHJlZj0iaHR0cDovL215c3dlZXRn
aXJscy5zdSI+PGltZyBzcmM9Imh0dHA6Ly8yNC1pbmZvLmluZm8vdXBsb2Fkcy9wb3N0cy8yMDE4
LTExL2RldnVzaGtpLXMta3Jhc2l2b3ktZ3J1ZHl1LTQwLWZvdG9fMTUuanBnIiB3aWR0aD0iMjgw
IiBhbHQ9InBob3RvIHR3byIvPjwvYT48L3RoPg0KIDwvdHI+DQogPHRyPg0KIDx0ZD48dGFibGUg
d2lkdGg9IjU3JSIgYm9yZGVyPSIwIj48dGJvZHk+PHRyPjx0ZD48L3RkPjx0ZD48L3RkPjx0ZD48
L3RkPjx0ZD48L3RkPjwvdHI+PC90Ym9keT48L3RhYmxlPjwvdGQ+DQogPHRkPjxicj48L3RkPg0K
IDwvdHI+DQogPHRyPg0KIDx0ZD48YSBocmVmPSJodHRwOi8vbXlzd2VldGdpcmxzLnN1Ij48aW1n
IHNyYz0iaHR0cDovLzI0LWluZm8uaW5mby91cGxvYWRzL3Bvc3RzLzIwMTgtMTEvZGV2dXNoa2kt
cy1rcmFzaXZveS1ncnVkeXUtNDAtZm90b18yOS5qcGciIHdpZHRoPSIyODAiIGFsdD0icGhvdG8g
dGhyZWUiLz48L2E+PC90ZD4NCiA8dGQ+PGEgaHJlZj0iaHR0cDovL215c3dlZXRnaXJscy5zdSI+
PGltZyBzcmM9Imh0dHA6Ly8yNC1pbmZvLmluZm8vdXBsb2Fkcy9wb3N0cy8yMDE4LTExL2RldnVz
aGtpLXMta3Jhc2l2b3ktZ3J1ZHl1LTQwLWZvdG9fMzMuanBnIiB3aWR0aD0iMjgwIiBhbHQ9InBo
b3RvIGZvdXIiLz48L2E+PC90ZD4NCiA8L3RyPg0KIDwvdGJvZHk+DQo8L3RhYmxlPg0KPHA+PGJy
Pjxicj4gPC9wPg0KPHRhYmxlIHdpZHRoPSI2MDAiIGJvcmRlcj0iMCIgYWxpZ249ImNlbnRlciI+
DQogPHRib2R5Pg0KIDx0cj4NCiANCjx0ZD48YSBocmVmPSJodHRwOi8vbXlzd2VldGdpcmxzLnN1
Ij4NCjx0YWJsZT4NCiA8dHI+DQo8dGQgdmFsaWduPSJ0b3AiIHN0eWxlPSJiYWNrZ3JvdW5kOiB1
cmwoaHR0cDovLzI0LWluZm8uaW5mby91cGxvYWRzL3Bvc3RzLzIwMTctMDMvMTQ5MDg3MzYxNl9i
aWctbmlwcGxlcy00MS5qcGcpIG5vLXJlcGVhdCBjZW50ZXI7YmFja2dyb3VuZC1wb3NpdGlvbjog
dG9wO2JhY2tncm91bmQtc2l6ZTogY292ZXI7Ij48IS0tW2lmIGd0ZSBtc28gOV0+IDx2OnJlY3Qg
eG1sbnM6dj0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTp2bWwiIGZpbGw9InRydWUiIHN0cm9r
ZT0iZmFsc2UiIHN0eWxlPSJtc28td2lkdGgtcGVyY2VudDoxMDAwO2hlaWdodDo0MDBweDsiPiA8
djpmaWxsIHR5cGU9InRpbGUiIHNyYz0iaHR0cDovLzI0LWluZm8uaW5mby91cGxvYWRzL3Bvc3Rz
LzIwMTctMTEvZXJvdGljYV8xNTEwNDk1OTY4My5qcGciIC8+IDx2OnRleHRib3ggaW5zZXQ9IjAs
MCwwLDAiPiA8IVtlbmRpZl0tLT48dGFibGUgd2lkdGg9Ijg0JSIgYm9yZGVyPSIwIj48dGJvZHk+
PHRyPjx0ZD48L3RkPjwvdHI+PC90Ym9keT48L3RhYmxlPg0KPGRpdj4NCjxjZW50ZXI+DQo8dGFi
bGUgY2VsbHNwYWNpbmc9IjAiIGNlbGxwYWRkaW5nPSIwIiB3aWR0aD0iMjgwIiBoZWlnaHQ9IjQw
MCI+DQo8dHI+DQo8dGQgdmFsaWduPSJtaWRkbGUiIHN0eWxlPSJ2ZXJ0aWNhbC1hbGlnbjptaWRk
bGU7dGV4dC1hbGlnbjpsZWZ0OyIgY2xhc3M9Im1vYmlsZS1jZW50ZXIiIGhlaWdodD0iNDAwIj48
ZGl2PjwvZGl2PiA8L3RkPg0KPC90cj4NCjwvdGFibGU+DQo8L2NlbnRlcj4NCjwvZGl2Pg0KPCEt
LVtpZiBndGUgbXNvIDldPiA8L3Y6dGV4dGJveD4gPC92OnJlY3Q+IDwhW2VuZGlmXS0tPjwvdGQ+
DQo8L3RyPg0KCTwvdGFibGU+PC9hPg0KPC90ZD4NCg0KIDx0ZD4NCjxhIGhyZWY9Imh0dHA6Ly9t
eXN3ZWV0Z2lybHMuc3UiPg0KPHRhYmxlPg0KIDx0cj4NCjx0ZCB2YWxpZ249InRvcCIgc3R5bGU9
ImJhY2tncm91bmQ6IHVybChodHRwOi8vMjQtaW5mby5pbmZvL3VwbG9hZHMvcG9zdHMvMjAxNy0x
MS9lcm90aWNhXzE1MTA0OTU5NzU5LmpwZykgbm8tcmVwZWF0IGNlbnRlcjtiYWNrZ3JvdW5kLXBv
c2l0aW9uOiB0b3A7YmFja2dyb3VuZC1zaXplOiBjb3ZlcjsiPjwhLS1baWYgZ3RlIG1zbyA5XT4g
PHY6cmVjdCB4bWxuczp2PSJ1cm46c2NoZW1hcy1taWNyb3NvZnQtY29tOnZtbCIgZmlsbD0idHJ1
ZSIgc3Ryb2tlPSJmYWxzZSIgc3R5bGU9Im1zby13aWR0aC1wZXJjZW50OjEwMDA7aGVpZ2h0OjQw
MHB4OyI+IDx2OmZpbGwgdHlwZT0idGlsZSIgc3JjPSJodHRwOi8vMjQtaW5mby5pbmZvL3VwbG9h
ZHMvcG9zdHMvMjAxNy0xMS9lcm90aWNhXzE1MTA0OTU5NzgxMi5qcGciIC8+IDx2OnRleHRib3gg
aW5zZXQ9IjAsMCwwLDAiPiA8IVtlbmRpZl0tLT48cD48L3A+DQo8ZGl2Pg0KPGNlbnRlcj4NCjx0
YWJsZSBjZWxsc3BhY2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiIHdpZHRoPSIyODAiIGhlaWdodD0i
NDAwIj4NCjx0cj4NCjx0ZCB2YWxpZ249Im1pZGRsZSIgc3R5bGU9InZlcnRpY2FsLWFsaWduOm1p
ZGRsZTt0ZXh0LWFsaWduOmxlZnQ7IiBjbGFzcz0ibW9iaWxlLWNlbnRlciIgaGVpZ2h0PSI0MDAi
PjxoZWFkZXI+PC9oZWFkZXI+IDwvdGQ+DQo8L3RyPg0KPC90YWJsZT4NCjwvY2VudGVyPg0KPC9k
aXY+DQo8IS0tW2lmIGd0ZSBtc28gOV0+IDwvdjp0ZXh0Ym94PiA8L3Y6cmVjdD4gPCFbZW5kaWZd
LS0+PC90ZD4NCjwvdHI+DQoJPC90YWJsZT48L2E+DQo8L3RkPg0KDQogPC90cj4NCiANCiA8dHI+
DQogDQo8dGQ+DQo8YSBocmVmPSJodHRwOi8vbXlzd2VldGdpcmxzLnN1Ij4NCjx0YWJsZT4NCiA8
dHI+DQo8dGQgdmFsaWduPSJ0b3AiIHN0eWxlPSJiYWNrZ3JvdW5kOiB1cmwoaHR0cDovLzI0LWlu
Zm8uaW5mby91cGxvYWRzL3Bvc3RzLzIwMTctMTEvZXJvdGljYV8xNTEwNDk1OTg4MjEuanBnKSBu
by1yZXBlYXQgY2VudGVyO2JhY2tncm91bmQtcG9zaXRpb246IHRvcDtiYWNrZ3JvdW5kLXNpemU6
IGNvdmVyOyI+PCEtLVtpZiBndGUgbXNvIDldPiA8djpyZWN0IHhtbG5zOnY9InVybjpzY2hlbWFz
LW1pY3Jvc29mdC1jb206dm1sIiBmaWxsPSJ0cnVlIiBzdHJva2U9ImZhbHNlIiBzdHlsZT0ibXNv
LXdpZHRoLXBlcmNlbnQ6MTAwMDtoZWlnaHQ6NDAwcHg7Ij4gPHY6ZmlsbCB0eXBlPSJ0aWxlIiBz
cmM9Imh0dHA6Ly8yNC1pbmZvLmluZm8vdXBsb2Fkcy9wb3N0cy8yMDE3LTAzLzE0OTA4NzM2MTZf
YmlnLW5pcHBsZXMtNDEuanBnIiAvPiA8djp0ZXh0Ym94IGluc2V0PSIwLDAsMCwwIj4gPCFbZW5k
aWZdLS0+PGJyPg0KPGRpdj4NCjxjZW50ZXI+DQo8dGFibGUgY2VsbHNwYWNpbmc9IjAiIGNlbGxw
YWRkaW5nPSIwIiB3aWR0aD0iMjgwIiBoZWlnaHQ9IjQwMCI+DQo8dHI+DQo8dGQgdmFsaWduPSJt
aWRkbGUiIHN0eWxlPSJ2ZXJ0aWNhbC1hbGlnbjptaWRkbGU7dGV4dC1hbGlnbjpsZWZ0OyIgY2xh
c3M9Im1vYmlsZS1jZW50ZXIiIGhlaWdodD0iNDAwIj48bmF2PjwvbmF2PiA8L3RkPg0KPC90cj4N
CjwvdGFibGU+DQo8L2NlbnRlcj4NCjwvZGl2Pg0KPCEtLVtpZiBndGUgbXNvIDldPiA8L3Y6dGV4
dGJveD4gPC92OnJlY3Q+IDwhW2VuZGlmXS0tPjwvdGQ+DQo8L3RyPg0KCTwvdGFibGU+PC9hPg0K
PC90ZD4NCg0KIDx0ZD4NCjxhIGhyZWY9Imh0dHA6Ly9teXN3ZWV0Z2lybHMuc3UiPg0KPHRhYmxl
Pg0KIDx0cj4NCjx0ZCB2YWxpZ249InRvcCIgc3R5bGU9ImJhY2tncm91bmQ6IHVybChodHRwOi8v
MjQtaW5mby5pbmZvL3VwbG9hZHMvcG9zdHMvMjAxNy0xMS9lcm90aWNhXzE1MTA0OTU5NjcyLmpw
Zykgbm8tcmVwZWF0IGNlbnRlcjtiYWNrZ3JvdW5kLXBvc2l0aW9uOiB0b3A7YmFja2dyb3VuZC1z
aXplOiBjb3ZlcjsiPjwhLS1baWYgZ3RlIG1zbyA5XT4gPHY6cmVjdCB4bWxuczp2PSJ1cm46c2No
ZW1hcy1taWNyb3NvZnQtY29tOnZtbCIgZmlsbD0idHJ1ZSIgc3Ryb2tlPSJmYWxzZSIgc3R5bGU9
Im1zby13aWR0aC1wZXJjZW50OjEwMDA7aGVpZ2h0OjQwMHB4OyI+IDx2OmZpbGwgdHlwZT0idGls
ZSIgc3JjPSJodHRwOi8vMjQtaW5mby5pbmZvL3VwbG9hZHMvcG9zdHMvMjAxNy0xMS9lcm90aWNh
XzE1MTA0OTU5NzgxMi5qcGciIC8+IDx2OnRleHRib3ggaW5zZXQ9IjAsMCwwLDAiPiA8IVtlbmRp
Zl0tLT48YXJ0aWNsZT48L2FydGljbGU+DQo8ZGl2Pg0KPGNlbnRlcj4NCjx0YWJsZSBjZWxsc3Bh
Y2luZz0iMCIgY2VsbHBhZGRpbmc9IjAiIHdpZHRoPSIyODAiIGhlaWdodD0iNDAwIj4NCjx0cj4N
Cjx0ZCB2YWxpZ249Im1pZGRsZSIgc3R5bGU9InZlcnRpY2FsLWFsaWduOm1pZGRsZTt0ZXh0LWFs
aWduOmxlZnQ7IiBjbGFzcz0ibW9iaWxlLWNlbnRlciIgaGVpZ2h0PSI0MDAiPjx0YWJsZSB3aWR0
aD0iMzAlIiBib3JkZXI9IjAiPjx0Ym9keT48dHI+PHRkPjwvdGQ+PC90cj48L3Rib2R5PjwvdGFi
bGU+IDwvdGQ+DQo8L3RyPg0KPC90YWJsZT4NCjwvY2VudGVyPg0KPC9kaXY+DQo8IS0tW2lmIGd0
ZSBtc28gOV0+IDwvdjp0ZXh0Ym94PiA8L3Y6cmVjdD4gPCFbZW5kaWZdLS0+PC90ZD4NCjwvdHI+
DQoJPC90YWJsZT48L2E+DQo8L3RkPg0KPC90cj4NCjwvdGJvZHk+DQo8L3RhYmxlPg0KPHA+Jm5i
c3A7PC9wPg0KPC9ib2R5Pg0KPC9odG1sPg0K
0
Leo Novelli Replied
Very strange. I did send the message 5 times via telnet and each time the filter caught the message and successfully deleted it.

Any idea what would cause the message to sometimes not be caught?
0
Steve Norton Replied
Was it missed after you updated the filter but has been caught ever since? I'm not 100% on when filters updates become active apart from on service restart. You could try it by encoding random characters, updating your filter to look for the decoded string and use the telnet test again, if it doesn't pick it up immediately you could wait for a period of time before retrying or restart the mail service and try again.
0
Steve Norton Replied
You should also have had URIBL hits against mysweetgirls.su in the decoded BASE64 during spool filtering checks, did you get those hits in your X-Spam score?
0
Leo Novelli Replied
Im not sure if this is a coincidence or not but the filter seems to be working for user accounts but not for alias accounts.

Also, we do not use SM for anti-spam. Instead we use the Barracuda Email Security Service. Therefore we do not check for URIBL hits and do not have X_Spam scores.

Reply to Thread