swbrains

Well-Known Member
Sep 13, 2006
272
37
178
I have received a lot of spam that has a subject with special characters in it. In every one, the subject or from header looks like this:

Code:
From: =?UTF-8?B?4oCM4oGg4oCL4oCO4oGg4oCO4oCO4oCq4oCL4oCtVGFsYy5Jbmp1cnlNYXRjaC5jb20gQWTvu7/vu7/igI3igIzigI7igK3igI7igI7igI7igaA=?= <[email protected]>
Subject: =?UTF-8?B?4oCsVO+7v+KAjmhlIEJh77u/YnkgUOKArOKAje+/um93ZGXvv7py4oCt4oCNIEPigI7igIxhbmNlciBD4oCs4oGgb25jZXLigIxu?=
I want to create a mail filter to detect these. I tried the following but it didn't work and I can't figure out why:

Code:
Any Header          matches regex
=\?UTF-8\?B\?
But when I test with the headers shown above, I get the result:

Code:
Condition is false: $message_headers matches =\\?UTF-8\\?B\\?
Filtering did not set up a significant delivery.
Normal delivery will occur.
Thanks for any advice on how I can make this work...
 

swbrains

Well-Known Member
Sep 13, 2006
272
37
178
I had it without slashes originally when I used "contains" and "begins with" -- I only added the slashes when I tried it as a regex.

Here's something interesting that may help, perhaps?
If I change the regex to match "?UTF-8?B?" -- i.e, without the leading equals sign (=) -- and then I change my test content to not have a leading equals sign at the beginning of the SUBJECT header, for example:

Code:
From: =?UTF-8?B?4oCt4oCO4oCs77u/77+677+64oCN4oGg4oCN4oCqSG9tZSBJbnN1cmFuY2UgQ29ubmVjdOKAjuKArOKAi+KBoOKAre+7v+KAjeKAje+/uuKArA==?= <[email protected]>
Subject: ?UTF-8?B?Q2hlY2sg4oCt77+6Zm/vu79yIGxv4oCLd2VyIOKAjkhvbeKAjGXigIsgaW5zdeKAjnJh4oCNbmPigIxlIOKAi3JhdGXigI5z4oCtIHRvZOKAquKBoGF5?=
then it matches and sets up delivery to /dev/null (discard rule).

Code:
Match expanded arguments:
  Subject = ‭‎‬‍⁠‍‪Home Insurance Connect‎‬⁠‭‍‍‬ <[email protected]>
Condition is false: $h_X-Spam-Bar: contains ++++++++++ 
Condition is true: $message_headers contains ?UTF-8?B?
 

keat63

Well-Known Member
Nov 20, 2014
1,962
267
113
cPanel Access Level
Root Administrator
I don't profess to understand regex, and I'm by no means an expert on this subject.
However, based on what you just said, could it be that the phrase 'From: =' is not being read by the rule or regex, and the phrase you actually need is just 'UTF-8?B? '
 

cPanelLauren

Product Owner II
Staff member
Nov 14, 2017
13,274
1,296
313
Houston
The "=" is a quantifier so I doubt it was even being read properly how it was added prior so I'd assume that's why when it was removed you were able to get a match on the subject. I'd second @keat63 here and skip the "=" for the UTF-8 section.