I'm also interested in detecting unusual non-printable byte codes in the decoded
strings.
Here is a sample 'From:' header line that is base64 encoded and contains non-
printable characters at the end of the decoded string:
From: "=?ISO-8859-1?B?MWluawEHBgYGAgIEAwY=?=" <plkxrwdo@deleted.net>
The base64 string decodes as hex : 31696E6B01070606060202040306
which becomes "1ink" followed by ten octet values between 1 and 9.
I'd like to filter on the presence of these encoded strings within header lines.
Neither an Expression filter using *ISO-8859-1* or more complex variants (headers
only), nor a Headers filter (for From and Subject) using "ISO-8859-1" trigger.
It could also be useful to detect the presence of unusual values in the decoded
strings, but there doesn't seem to be any regular expression to detect unusual
character codes in decoded header strings.
An expression filter for *1ink* triggers, suggesting the expression filter is
actually applied to the decoded string. I tried the expression [ -~]+, with
negation, thinking it would trigger on decoded strings containing character codes
below 0x20 (space), but it fails to trigger. A simple negated expression of *
doesn't detect the abnormal header line either (I tried this in case the concept of
"character" would exclude the "non-characters" in the decoded base64 byte sequence,
so a simple negated '*' Expression (excluding the quotes) would trigger..
Any ideas? I'm using using 4.63.
strings.
Here is a sample 'From:' header line that is base64 encoded and contains non-
printable characters at the end of the decoded string:
From: "=?ISO-8859-1?B?MWluawEHBgYGAgIEAwY=?=" <plkxrwdo@deleted.net>
The base64 string decodes as hex : 31696E6B01070606060202040306
which becomes "1ink" followed by ten octet values between 1 and 9.
I'd like to filter on the presence of these encoded strings within header lines.
Neither an Expression filter using *ISO-8859-1* or more complex variants (headers
only), nor a Headers filter (for From and Subject) using "ISO-8859-1" trigger.
It could also be useful to detect the presence of unusual values in the decoded
strings, but there doesn't seem to be any regular expression to detect unusual
character codes in decoded header strings.
An expression filter for *1ink* triggers, suggesting the expression filter is
actually applied to the decoded string. I tried the expression [ -~]+, with
negation, thinking it would trigger on decoded strings containing character codes
below 0x20 (space), but it fails to trigger. A simple negated expression of *
doesn't detect the abnormal header line either (I tried this in case the concept of
"character" would exclude the "non-characters" in the decoded base64 byte sequence,
so a simple negated '*' Expression (excluding the quotes) would trigger..
Any ideas? I'm using using 4.63.