
Stupid Base64

  • Charles Gregory
    Message 1 of 9 , May 2, 2006
      Hello!

      I don't suppose there is a 'stupid pet trick' that will let me
      perform a simple 'body_check' on base64 encoded text bodies?
      Like some simple tool that can convert my chosen text string
      into base64 so that I can search for *that* as a body_check ?
      I don't want to get into 'add ons' and plugins. Just add something
      suitable to body_checks to catch these morons who base64 spam.
      I'm running an older Postfix on RH9. So some options may not be
      available....

      Oh, I'm also open to any hints for header/body checks that catch improper
      use of base64 (as distinguished from proper usage). Thanks.

      - Charles
    • Magnus Bäck
      Message 2 of 9 , May 2, 2006
        On Tuesday, May 02, 2006 at 21:48 CEST,
        Charles Gregory <cgregory@...> wrote:

        > I don't suppose there is a 'stupid pet trick' that will let me
        > perform a simple 'body_check' on base64 encoded text bodies?

        Nope.

        > Like some simple tool that can convert my chosen text string
        > into base64 so that I can search for *that* as a body_check ?

        Sure, there are many such programs and scripting languages but since a
        given string has more than one possible Base64 equivalent it would not
        be practical.

        > I don't want to get into 'add ons' and plugins. Just add something
        > suitable to body_checks to catch these morons who base64 spam.

        Stop trying to use body_checks and friends as the spam blocker of
        choice. You will spend far too much time maintaining your expressions
        and you still won't come even close to the accuracy of "real" antispam
        solutions. body_checks is indeed useful for some tasks, but it simply
        isn't a generic spam stopper.

        > I'm running an older Postfix on RH9. So some options may not be
        > available....

        The option of upgrading Postfix is always available, should the need
        arise.

        > Oh, I'm also open to any hints for header/body checks that catch
        > improper use of base64 (as distinguished from proper usage). Thanks.

        Please define "improper use of Base64".

        --
        Magnus Bäck
        magnus@...
      • Victor Duchovni
        Message 3 of 9 , May 2, 2006
On Tue, May 02, 2006 at 10:01:22PM +0200, Magnus Bäck wrote:

          > On Tuesday, May 02, 2006 at 21:48 CEST,
          > Charles Gregory <cgregory@...> wrote:
          >
          > > I don't suppose there is a 'stupid pet trick' that will let me
          > > perform a simple 'body_check' on base64 encoded text bodies?
          >
          > Nope.
          >
          > > Like some simple tool that can convert my chosen text string
          > > into base64 so that I can search for *that* as a body_check ?
          >
          > Sure, there are many such programs and scripting languages but since a
          > given string has more than one possible Base64 equivalent it would not
          > be practical.
          >

          For experts only, it is possible to take a medium length substring, (not
too short to generate FPs and not too long to be likely split across
          more than two lines) prefix it with zero then one then two random bytes,
          base64 each of the encoded strings, discard the first and last 4 bytes,
          split the result into two pieces of equal length, and look for any of the
          6 resulting fragments. This is not something you should do routinely...

          The following was once in my body checks above the rule to skip base64
          encoded content:

          /HbjdzZmlibS5jaVdvZ|duN3NmaWJtLmNpV29n|R243c2ZpYm0uY2lXb2/i
          REJECT MYTOB worm

          If you can figure out what this is looking for, you can with caution
          take this approach.

          --
          Viktor.

          P.S. Morgan Stanley is looking for a New York City based, Senior Unix
          system/email administrator to architect and sustain the Unix email
          environment. If you are interested, please drop me a note.

          Disclaimer: off-list followups get on-list replies or get ignored.
          Please do not ignore the "Reply-To" header.


          If my response solves your problem, the best way to thank me is to not
          send an "it worked, thanks" follow-up. If you must respond, please put
          "It worked, thanks" in the "Subject" so I can delete these quickly.
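Added worked example (not from this thread or from Postfix itself): the fragment trick Viktor describes, written out in Python. It builds the six alignment-independent fragments for a chosen sample line, renders them as a body_checks pcre rule, and checks that the rule still hits a 76-column wrapped Base64 body whatever byte offset the line lands on. The sample phrase and all function names are constructed for this example.

```python
import base64
import re

def base64_fragments(needle: bytes) -> list[str]:
    """Six Base64 fragments that match `needle` whatever its 3-byte alignment.

    For each alignment (0, 1 or 2 bytes precede the needle in its first 3-byte
    group) encode prefix+needle, drop the first and last four characters (the
    only ones that depend on unknown neighbouring bytes or on '=' padding) and
    split the rest in two halves, so a single 76-column wrap breaks at most one.
    """
    if len(needle) < 12:  # very short fragments would match far too much
        raise ValueError("use a medium-length sample string")
    frags = []
    for pad in range(3):
        # The prefix value only affects the first (discarded) group, so zero
        # bytes serve as well as the random bytes mentioned in the thread.
        core = base64.b64encode(b"\x00" * pad + needle).decode("ascii")[4:-4]
        frags += [core[: len(core) // 2], core[len(core) // 2 :]]
    return frags

def fragment_pattern(needle: bytes) -> str:
    """Alternation of the fragments; '+' and '/' are the only chars to escape."""
    return "|".join(f.replace("+", r"\+").replace("/", r"\/")
                    for f in base64_fragments(needle))

def body_checks_rule(needle: bytes, action: str = "REJECT base64 spam sample") -> str:
    """Render the pattern as one body_checks line for a pcre: table."""
    return f"/{fragment_pattern(needle)}/ {action}"

def wrap_base64(body: bytes, width: int = 76) -> list[str]:
    """Encode like a MIME body part: one Base64 stream cut into 76-column lines."""
    enc = base64.b64encode(body).decode("ascii")
    return [enc[i:i + width] for i in range(0, len(enc), width)]

def pattern_hits(pattern: str, lines: list[str]) -> bool:
    """body_checks tests each body line on its own, so search line by line."""
    regex = re.compile(pattern)
    return any(regex.search(line) for line in lines)

# Constructed sample phrase standing in for a line of a penny-stock spam.
SAMPLE = b"XYZQ Corp will rocket next week, buy now"

if __name__ == "__main__":
    print(body_checks_rule(SAMPLE))
    for offset in range(3):  # needle at byte alignment 0, 1 and 2
        lines = wrap_base64(b"Hi! " * 20 + b"x" * offset + SAMPLE + b"\nBye")
        print(offset, pattern_hits(fragment_pattern(SAMPLE), lines))
```

Note that the fragments are case-sensitive by construction; adding a /i flag to the rule, as in the MYTOB example above, only widens what it can match.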
        • Charles Gregory
          Message 4 of 9 , May 2, 2006
On Tue, 2 May 2006, Magnus Bäck wrote:
            > > I don't suppose there is a 'stupid pet trick' that will let me
            > > perform a simple 'body_check' on base64 encoded text bodies?
            > Nope.

            (sigh) Kinda expected that answer. Thanks for not calling *me* stupid. :)

            > Sure, there are many such programs and scripting languages but since a
            > given string has more than one possible Base64 equivalent it would not
            > be practical.

            (sigh again)

            > Stop trying to use body_checks and friends as the spam blocker of
            > choice. You will spend far too much time maintaining your expressions
            > and you still won't come even close to the accuracy of "real" antispam
            > solutions.

            Agreed, but we're in a weird spot where we have tried to implement the
'real' anti-spam solutions with appropriate per-user opt-in mechanisms,
and excuse my candor, but the users are just so (ahem) unknowledgeable that
            they don't understand the idea of setting their filter properly to avoid
            false positives. And so a lot of users set them in 'test mode' without
            realizing that is what it is, and then complain that the filter "doesn't
            work" - and then there are a bunch of people who can't even be bothered
            trying to turn it on. So I try to skim the few really repetitive and
            obvious spams, like the penny stock ads.... Which was working okay until I
            started getting base64 copies of them..... (sigh once more)

            > Please define "improper use of Base64".

            Not sure there *is* such a beast. But I notice that spamassassin has a
            score for BASE64_NO_NAME so maybe there are one or two forms of 'misuse'
            that could be caught?

            Anyways. Thanks for the answer.

            - Charles
          • Charles Gregory
            Message 5 of 9 , May 2, 2006
              On Tue, 2 May 2006, Victor Duchovni wrote:
              > For experts only, it is possible to take a medium length substring, (not
> too short to generate FPs and not too long to be likely split across
              > more than two lines) prefix it with zero then one then two random bytes,
              > base64 each of the encoded strings, discard the first and last 4 bytes,
              > split the result into two pieces of equal length, and look for any of the
              > 6 resulting fragments. This is not something you should do routinely...

              (smile) Thanks, but that's not something I want to do for every idiot that
              uses base64 on their spam. I'll let spamassassin catch those ones.
              Sometimes there just aren't the answers I want. That's life.... :)

              - Charles
            • Magnus Bäck
              Message 6 of 9 , May 2, 2006
                On Tuesday, May 02, 2006 at 22:22 CEST,
                Charles Gregory <cgregory@...> wrote:

                > Agreed, but we're in a weird spot where we have tried to implement the
                > 'real' anti-spam solutions with appropriate per-user opt-in
> mechanisms, and excuse my candor, but the users are just so (ahem)
> unknowledgeable that they don't understand the idea of setting their
                > filter properly to avoid false positives. And so a lot of users set
                > them in 'test mode' without realizing that is what it is, and then
                > complain that the filter "doesn't work" - and then there are a bunch
                > of people who can't even be bothered trying to turn it on. So I try to
                > skim the few really repetitive and obvious spams, like the penny stock
                > ads.... Which was working okay until I started getting base64 copies
                > of them..... (sigh once more)

You already have SpamAssassin up and running, so why not configure that
                tool to your liking?

                > Not sure there *is* such a beast. But I notice that spamassassin has a
                > score for BASE64_NO_NAME so maybe there are one or two forms of
                > 'misuse' that could be caught?

                There probably is, but it would surely be unwise to use it for anything
                other than scoring (as opposed to flat-out rejections). That rules out
                body_checks.

                --
                Magnus Bäck
                magnus@...
              • Charles Gregory
                Message 7 of 9 , May 2, 2006
On Tue, 2 May 2006, Magnus Bäck wrote:
> You already have SpamAssassin up and running, so why not configure that
                  > tool to your liking?

I was for a long time, but finding it frustrating that so few people were
                  setting up their spamassassin properly that I still got lots of complaints
                  about spam. So I threw a couple of dozen rules into header and body checks
                  and everyone commented on the 'difference'. It also makes me feel a bit
                  better that the spam is rejected by SMTP so that false positives are
                  returned to sender. Our spamassassin is called out of procmail after
                  postfix is done with it.

                  > There probably is, but it would surely be unwise to use it for anything
                  > other than scoring (as opposed to flat-out rejections). That rules out
                  > body_checks.

                  (nods) Thanks.

                  - Charles
                • mouss
                  Message 8 of 9 , May 2, 2006
                    Charles Gregory wrote:
> I was for a long time, but finding it frustrating that so few people were
                    > setting up their spamassassin properly that I still got lots of complaints
                    > about spam. So I threw a couple of dozen rules into header and body checks
                    > and everyone commented on the 'difference'. It also makes me feel a bit
                    > better that the spam is rejected by SMTP so that false positives are
                    > returned to sender. Our spamassassin is called out of procmail after
                    > postfix is done with it.
                    you can still run spamassassin twice: once with site-wide configuration
                    (in amavisd-new for instance), and once in the MDA (procmail, maildrop, ...)
                  • Charles Gregory
                    Message 9 of 9 , May 3, 2006
                      On Wed, 3 May 2006, mouss wrote:
                      > you can still run spamassassin twice: once with site-wide
                      > configuration (in amavisd-new for instance), and once in the MDA
                      > (procmail, maildrop, ...)

                      (nods) I'd prefer to avoid running SA twice. If I make the effort to
                      integrate SA to the front end, I will just set it up to properly
                      handle per-user configurations at that point. Right now I'm looking
                      for simple quick 'fixes' for this outdated system, which is due for
                      replacement. :)

                      Thanks.

                      - Charles