Clear all

How can one intercept base64-encoded email spam messages?  



How can one intercept base64-encoded email spam messages through the Preferences>Rules feature of Mail?

I received numerous rubbishy spam emails again this morning. Again, all in base64 format and all of basically the same layout. Indeed, several of the lines of the base64 code were the same in all email messages. Given that these same lines are used, can they, or one of them, not be intercepted with a rule? For example, the line


appears in every message.

If this is placed in a rule such as

Message content contains Pg0KPHRyPg0KPHRoIGhlaWdodD0iNzkiIHNjb3BlPSJjb2wiPkxvb2tpbmcgZm9yIGhvdCBnaXJs

would this not work? (It seems not to.)

Or must one somehow use the translated equivalent of the code, or some other method?

3 Answers

My first reaction is - don't bother. The time spent on sussing it out might take longer than just pressing delete/junk keys and the unique string of text you have identified is unlikely to last very long in terms of evolving sources of spam.

My, somewhat limited, understanding of mail message structure is that Base64 encoding is generally used to embed attachments. eg.

Content-Type: image/jpeg; name="image001.jpg"
Content-Description: image001.jpg
Content-Disposition: inline; filename="image001.jpg"; size=3016;
Content-ID: <[email protected]>
Content-Transfer-Encoding: base64

If you are seeing the Base64 encoded text in the normal Mail viewer window it would indicate that the message structure is broken. ie. the spam robot has been badly configured. Normally you'd only see that detail if you view the raw source of a message.

But to answer the question, as far as I can see the Mail Rules won't search the internal structure of the body of the email. The deepest you can go is to add new header items to search.


Thanks for taking the time to answer.

Indeed, the string that I presented as an example is shown in the raw source view, the normal Mail view showing a layout of variously styled text and images.

Mail Rules can search the body of messages through the "Message content" condition. The thing is, it doesn't seem to recognize Base64 content, either copied as a full line of Base64 code, or in its decoded format.

I agree that it is in some cases just as easy to simply delete the unwanted messages, but when a computer is also used by younger members of the family, one doesn't want them confronted with the rubbish that these spammers seem to delight in sending. Far better to get rid of the stuff before it can be displayed.

Yes, "message content" I would assume really means "message text" and at that higher level the base64 coded content is not considered text.
It would be like asking spotlight to search for certain zipped files based upon the encoded binary contents rather than the unzipped text.


PS. For my clients who get really annoyed with spam that is not filtered by their ISP mail server I recommend moving to a free email service, such as Gmail or Outlook or Yahoo, either explicitly or via message forwarding, where the spam filters are being continuously tuned by thousands/millions of user interactions.