Global email filter not working with Base64 encoded email

ddaddy

Active Member
Aug 19, 2015
34
1
8
UK
cPanel Access Level
Root Administrator
I'm getting an increasing number of spam emails that are Base64 encoded. I grabbed a tiny section of the Base64 string that appears in all the spam emails and i've setup some global email filters, however the filter test just lets the email through.

Attached is a screenshot of my filters which i've set as both strings and regex.
Screenshot 2019-09-12 at 11.09.43.png

I confirmed the regex works at regex101.com

An example of a full email body is here gist.github.com/ddaddy/92e6e3f28a42112b814bf34532cba347

Why would the email filter not pick up on a simple string IHJpZ2h0IG5v
Is the Base64 string maybe not actually in the email body?
 
Last edited by a moderator:

keat63

Well-Known Member
Nov 20, 2014
1,339
98
28
cPanel Access Level
Root Administrator
I looked at your rule and the first thing that caught my eye was your regex entry.
I've no experience with regex rules so I wouldn't know where to start.

Did you try the rule without the regex part.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,862
2,216
363
cPanel Access Level
DataCenter Provider
Twitter
Hello,

The following response was included in a recent support ticket:

It seems that our "Global Email Filters" does not work with base64 encoded body messages, so you would want to either pipe the message through a program to decode it (not something we would be able to help with), or enable the Apache SpamAssassin service and filter spam with that method
Additionally, you can find some discussion of a similar topic on the following links:


Thank you.
 

ddaddy

Active Member
Aug 19, 2015
34
1
8
UK
cPanel Access Level
Root Administrator
Hi, I did read that previous discussion, however I think that was about searching for encoded text within the Base64. As in, the filter decoding the Base64 then looking for the text.
This is different. I have a Base64 pattern IHJpZ2h0IG5v that appears in the email body that I want to match. No decoding is needed at all. Just match the text. But it fails to see it.
 

cPanelMichael

Technical Support Community Manager
Staff member
Apr 11, 2011
47,862
2,216
363
cPanel Access Level
DataCenter Provider
Twitter
Hi, I did read that previous discussion, however I think that was about searching for encoded text within the Base64. As in, the filter decoding the Base64 then looking for the text.
This is different. I have a Base64 pattern IHJpZ2h0IG5v that appears in the email body that I want to match. No decoding is needed at all. Just match the text. But it fails to see it.
Can you submit a support ticket so we can take a closer look? You can post the ticket number here and we'll link this thread to it.

Thank you.
 
  • Like
Reactions: keat63