[Rspamd-Users] How to handle MIME encoded headers?
Dan Swartzendruber
dswartz at druber.com
Mon Jun 17 19:46:00 UTC 2024
On 2024-06-17 13:28, Gerald Galster wrote:
>> Been using rspamd for a couple of weeks now, and it works just fine.
>> The only issue I'm having is somehow getting tons of financial
>> clickbait articles that score low on all defaults, so every day I have
>> to delete dozens of these. They get sneaky and encode the subject
>> lines so instead of seeing things like 'subject: Taiwan in Dаnger Amіd
>> Chinese Drіlls' it is 'subject:
>> =?UTF-8?B?VGFpd2FuIGluIETQsG5nZXIgQW3RlmQgQ2hpbmVzZSBEctGWbGxz?='. So
>> the normal header examination setup in multimap.conf won't work
>> because the headers have been decoded. I get not authentic emails
>> with the subjects encoded this way so I'd like to flag these as spam,
>> but not high enough to be outright rejected. So I'd like to look at
>> the undecoded subject headers and if I see a regex like
>> '=\?UTF-8\?.*\?=' it would add 7.0 to the score. Except as said, the
>> headers are decoded. It seems like the following would work (if the
>> subject header was undecoded):
>>
>> mime_subject_spam {
>> type = "header"; <=== needs changing?
>> header = "subject";
>> filter = "regexp:/.*UTF\-8\?.*\?=/i";
>> map = "/var/rspamd/maps/mime_subject_spam.map"; <=== don't need
>> a map but it complains, so an empty file?
>> symbol = "MIME_SUBJECT_SPAM";
>> description = "Detect mime-encoded spam subjects";
>> score = 7.0;
>> regexp = true;
>> }
>
>
> See https://rspamd.com/doc/modules/multimap.html#content-filters
>
> For content maps, the following filters are supported
> - headers -> undecoded headers
>
> You could try something like this (untested):
>
> MIME_SUBJECT_SPAM {
> type = "content";
> filter = "headers";
> map = "/etc/rspamd/local.d/maps.d/mime_subject_spam.map";
> description = "Detect mime-encoded spam subjects";
> score = 7.0;
> regexp = true;
> }
>
> /etc/rspamd/local.d/maps.d/mime_subject_spam.map:
> /^Subject:.*?=\?UTF-8\?(B|Q)\?/
>
> For quoted printable in MIME see
> https://en.wikipedia.org/wiki/MIME#Encoded-Word
>
>
> Besides that, have you had a look at your logs which symbols match?
>
> https://github.com/rspamd/rspamd/blob/master/rules/regexp/headers.lua#L284-L299
>
> There are lua rules for SUBJ_EXCESS_BASE64 and SUBJ_EXCESS_QP that
> should help:
> "Subject header is unnecessarily encoded in base64/quoted-printable"
>
> It might be sufficient to just bump those symbols' scores up.
>
> It's also possible to write a lua rule (place it in
> /etc/rspamd/rspamd.local.lua):
> https://rspamd.com/doc/developers/writing_rules.html#configuration-files
> ... and other examples on that site.
>
>
> Best regards,
> Gerald
Many thanks. I'll give these a look!
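The thread's sample subject decodes to Latin text with a few Cyrillic look-alike letters, which is why it has to be MIME-encoded at all. As an added illustration (not code from the thread or from rspamd), the following Python 3.7+ script decodes RFC 2047 encoded-words with the standard library and separates two signals a filter could score: encoding that was unnecessary (the decoded text is pure ASCII, the idea behind SUBJ_EXCESS_BASE64/QP) and single words mixing scripts (the homoglyph trick in the sample). The sample header lines are constructed from the thread plus two comparison cases; the script detection is a heuristic built on Unicode character names, not rspamd's own logic.

```python
import email.header
import re
import unicodedata

# Constructed sample headers: the first is the encoded subject quoted in the
# thread, the other two are comparison cases (unnecessarily encoded ASCII,
# and a plain unencoded subject).
SAMPLE_HEADERS = [
    "Subject: =?UTF-8?B?VGFpd2FuIGluIETQsG5nZXIgQW3RlmQgQ2hpbmVzZSBEctGWbGxz?=",
    "Subject: =?UTF-8?Q?Hello_world?=",
    "Subject: Quarterly report",
]

# Matches one RFC 2047 encoded-word: =?charset?B|Q?payload?=
ENCODED_WORD_RE = re.compile(r"=\?[^?]+\?[BbQq]\?[^?]*\?=")


def decode_subject(raw_value):
    """Decode a raw (undecoded) header value into a str."""
    out = []
    for data, charset in email.header.decode_header(raw_value):
        if isinstance(data, bytes):
            try:
                out.append(data.decode(charset or "ascii", errors="replace"))
            except LookupError:  # unknown charset label in the encoded-word
                out.append(data.decode("utf-8", errors="replace"))
        else:
            out.append(data)
    return "".join(out)


def scripts_in(text):
    """Heuristic: the first word of a letter's Unicode name is its script
    ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return scripts


def analyse_subject(header_line):
    """Return the signals a filter could score for one raw Subject line."""
    _, _, raw = header_line.partition(":")
    raw = raw.strip()
    encoded = bool(ENCODED_WORD_RE.search(raw))
    decoded = decode_subject(raw)
    return {
        "encoded": encoded,
        "decoded": decoded,
        # Encoded although the content is plain ASCII (SUBJ_EXCESS_* idea).
        "unnecessary_encoding": encoded and decoded.isascii(),
        # Words that mix scripts, e.g. Latin letters with Cyrillic look-alikes.
        "mixed_script_words": [w for w in decoded.split() if len(scripts_in(w)) > 1],
    }


def suspicious(result):
    return result["unnecessary_encoding"] or bool(result["mixed_script_words"])


if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        r = analyse_subject(line)
        print(f"{r['decoded']!r}: suspicious={suspicious(r)} "
              f"unnecessary={r['unnecessary_encoding']} mixed={r['mixed_script_words']}")
```

Note that the thread's sample is not flagged by the "unnecessary encoding" check, because the Cyrillic letters make the encoding legitimate; it is the per-word mixed-script check that isolates it, while a subject that is entirely in one non-Latin script stays clean.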