Virtual OS/2 International Consumer Education
VOICE Home Page: http://www.os2voice.org
September 2002



Using Weaselfilter Against Email Attachments

By Michael W. Cocke © September 2002

Some Notes on Using Weaselfilter More Effectively

An increasingly common spam tactic is to send an attachment with a blank email message (one that has no text in the body of the email). These attachments are often web pages or Windows executable programs. Maybe the spammers think that an empty text body makes it harder to filter against. But there is a way to filter based on the content of attachments, if you know how.

At the time the mail filter is executing, the mail server doesn't understand anything about attachments; the server is just dealing with a text stream. So assuming you are using Peter Moylan's Weasel SMTP/Pop3 server or Zeryx's Zxmail, you can use David Hough's Weaselfilter to filter on the contents of that stream.

First, you will need a base 64 encoder / decoder utility (often called MIME encoding). There are many available, including one that can be run right here on my utils web page: http://www.catherders.com/base64.shtml.

Second, you choose the string you want to filter on. (See samples below.) It's better to use a long string rather than a short one to reduce the chance of a false match. (See Technical Note at end.) I recommend at least 25-30 characters.

Third, you MIME encode the string you want to filter on. Remove the trailing equal signs, which are just appended by the MIME format to pad the length out to the nearest 4-byte boundary. This gives you the search string to set as a bodyfilter in Weaselfilter.

Here are several sample strings you might want to use, each followed by its MIME (Base64) translation, which is the search string to set. (If your browser wraps some of these to more than one line each, just ignore the wrap.) The first three are from web pages; the last two are common in Windows executables.

to receive special offers from Hi-Speed Media or one of it's marketing partners

dG8gcmVjZWl2ZSBzcGVjaWFsIG9mZmVycyBmcm9tIApIaS1TcGVlZCBNZWRpYSBvciBvbmUgb2YgaXQncyBtYXJrZXRpbmcgcGFydG5lcnM

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">

PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDMuMi8vRU4iPg

<A HREF="http://www.img-marketing.com/remove.htm">

PEEgSFJFRj0iaHR0cDovL3d3dy5pbWctbWFya2V0aW5nLmNvbS9yZW1vdmUuaHRtIj4

This program cannot be run in DOS mode

VGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGU

This program must be run under Win32

VGhpcyBwcm9ncmFtIG11c3QgYmUgcnVuIHVuZGVyIFdpbjMy

The Weaselfilter docs cover the basics but don't go into more advanced areas, so unless you know how a POP server works, you probably wouldn't stumble onto this trick. With this simple technique, you can improve the effectiveness of Weaselfilter and block more of the spammer's art. And as a side benefit, this method can also be used to trap viruses coming in as executable attachments.

Technical Note:

Weaselfilter compares the search string to the text stream on a case-insensitive basis. However, MIME encoding is a case-sensitive process. Two different initial strings can produce encoded search strings that differ only in the case of some of the characters. If the initial string is short, then the corresponding MIME encoding is also short. Change a case here and there, then decode the result, and you get a short initial string that might actually be found elsewhere in the text stream. On the other hand, a long initial string gives a long search string. Change one or more cases in that and decode the result and you most likely have a long string of gibberish for the initial string. And while it's certainly not impossible to find gibberish in a web page, it's far less likely to be an exact match and so trigger the filter.
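The three-step recipe above and the case-insensitive comparison from the Technical Note, as an added Python example that is not code from the article or from Weaselfilter. It goes one step further than the article: Base64 encodes 3-byte groups, so a string that starts partway into an attachment encodes in one of three ways depending on its offset, and the function below produces all three search strings, dropping the boundary characters that depend on the neighbouring bytes; the fake executable and mail body are constructed here for the demo.

```python
import base64
import re

# Leading characters of the shifted encoding that still mix in bits from the
# unknown bytes in front of the string, for each start offset mod 3.
_LEAD = {0: 0, 1: 2, 2: 3}


def base64_search_strings(plaintext):
    """Return three Base64 search strings for plaintext, one per alignment.

    Base64 encodes 3-byte groups, so the same text encodes three different
    ways depending on where it starts inside the attachment. Offset 0 is the
    article's recipe; the other two come from prepending filler bytes. The
    characters that depend on unknown neighbouring bytes are dropped and
    the '=' padding is stripped, as the article says.
    """
    data = plaintext.encode("latin-1")
    variants = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + data).decode("ascii").rstrip("=")
        # If the string does not end on a group boundary, its last character
        # also encodes bits of whatever byte follows it in the real stream.
        tail = 0 if (shift + len(data)) % 3 == 0 else 1
        variants.append(enc[_LEAD[shift]:len(enc) - tail])
    return variants


def body_matches(mail_body, search_strings):
    """Case-insensitive search, as the Technical Note says Weaselfilter does.

    A MIME part is wrapped at 76 columns, so this demo joins the lines first;
    whether Weaselfilter itself does so is not stated in the article.
    """
    haystack = re.sub(r"\r?\n", "", mail_body).lower()
    for s in search_strings:
        if s.lower() in haystack:
            return s
    return None


# Constructed sample: a fake executable whose DOS-stub text begins at byte 16
# (16 % 3 == 1) and is followed by the '.' that normally ends it.
FAKE_EXE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
            b"This program cannot be run in DOS mode.\r\n$")
SAMPLE_BODY = base64.encodebytes(FAKE_EXE).decode("ascii")

if __name__ == "__main__":
    strings = base64_search_strings("This program cannot be run in DOS mode")
    print(strings, body_matches(SAMPLE_BODY, strings))
```

Run against the constructed body, only the offset-1 variant matches; the article's offset-0 string alone would miss this attachment.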

References:

Weasel Filter - http://hobbes.nmsu.edu/cgi-bin/h-search?key=weaselfilter
Weasel SMTP/Pop3 server - http://eepjm.newcastle.edu.au/os2/weasel.html
Zxmail SMTP/Pop3 server - http://www.zeryx.com
Base64 Mime encoder/decoder - http://www.catherders.com/base64.shtml
Mike's Notebook - http://www.catherders.com/mwcexp.shtml


Mike's Notebook web site contains an assortment of frequently updated articles and tips for OS/2 users.

