keyword blacklists no longer effective, question mark ascii characters - ORF Forums




I have a pretty decent list of keywords blacklisted for subjects. More and more, spammers are bypassing this by using ASCII codes for random letters in the subject.

Here are some examples as seen in the logs:

displayed subject: Paying too much for Internet service?
hover-over subject: ?aying too much for Internet ?ervice?

displayed subject: Controversial New E-Sig Model (Dont Miss This)
hover-over subject: ??ntr?v??s??l ??w ?-??g ??d?l (D?nt ??ss ?h?s)

Searching for "paying" in the logs does not yield the example above, nor does "controversial", which means the keyword blacklists don't catch it either.

The domains, URLs and IPs were not on any subscribed blacklists, so the emails do get to the users.

What's the best way to handle these?

by Bryon 5 years ago

@Bryon: How is the subject line presented in the MIME header?

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)


Here are the headers as captured by our Barracuda Message Archiver... really interesting subject line:

Subject: =?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=

Received: from ( by
( with Microsoft SMTP Server id; Thu, 8 May 2014
17:37:33 -0400
Subject: =?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQnWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=
From: AT&T High Speed Internet
Content-Type: text/html; charset="utf-8"
X-Mailer: iPhone Mail (11B771a)
Date: Thu, 8 May 2014 15:33:51 -0600
Content-Transfer-Encoding: 7bit
X-MS-Exchange-Organization-OriginalArrivalTime: 08 May 2014 21:37:33.0340
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-MS-Exchange-Organization-OriginalSize: 15300
X-MS-Exchange-Forest-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-MessageScope: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Organization-HygienePolicy: Standard
X-MS-Exchange-Organization-Recipient-Limit-Verified: True
X-MS-Exchange-Forest-RulesExecuted: onlinew2
MIME-Version: 1.0



Got a need for speed? Save with AT&T High-Speed

View this email online.

For new service
call 855.837.3403

Get downstream speeds up to 3
Mbps (other charges apply)

by Bryon 5 years ago

By the way, I just want to say, I think it's disgusting that these huge companies knowingly pay for this garbage to be sent by email. There's NO WAY AT&T isn't fully aware this is happening; I know for sure they're paying for this to be done. Nobody works for free, janitors or spammers.

I treat the spam i receive as "don't ever patronize this company" advertisements.

by Bryon 5 years ago

@Bryon: The subject is encoded in base64 in the header; it is actually the part between ?utf-8?B? and ?=.


After decoding, this becomes

Рaying too much for Internet ѕervice? Get Нigh Ѕpeed Internet from AT&T

The URL in the email body is now listed on several SURBLs we recommend using (e.g., Spamhaus DBL):

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)


Thanks for that - is there an effective way to block emails which have base64 encoded subjects? I can't think of any legitimate reason a non-spam email would do that.

We do have "Spamhaus-ZEN" checkmarked; perhaps that domain wasn't listed at the time the emails came through. Or is there another aspect of Spamhaus that we're not using?

by Bryon 5 years ago

@Bryon: ZEN is the DNS Blacklist of Spamhaus (which lists IP addresses of hosts sending spam), while DBL is their SURBL which lists Uniform Resource Identifier (URI) hosts, typically web site domains, that appear in unsolicited messages.

The currently recommended DNSBLs and SURBLs are listed in the following article:

If you do not seem to have all recommended lists in your configuration, it is strongly recommended to update your definition set:

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)
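The ZEN-versus-DBL distinction above in working form, added here as example code (it is not ORF's or Spamhaus's code). ZEN is asked about the connecting IP with its octets reversed under zen.spamhaus.org; DBL is asked about the bare hostname of a URL taken from the body under dbl.spamhaus.org. The return-code meanings are the ones Spamhaus documents for each zone (only the common subset is mapped), the sample IP and hostnames are constructed from reserved ranges, and the answer table used by fake_resolve() is constructed so the code runs offline; dns_resolve() shows the real call.

```python
"""Form and interpret Spamhaus ZEN (IP DNSBL) and DBL (domain SURBL) queries.

Added example, not ORF's code. The resolver is passed in so the lookups run
offline against a constructed answer table; dns_resolve() is the real call.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ZEN_ZONE = "zen.spamhaus.org"
DBL_ZONE = "dbl.spamhaus.org"

# ZEN answers are 127.0.0.X; the last octet names the sub-list that matched.
ZEN_CODES = {2: "SBL", 3: "SBL", 4: "XBL", 5: "XBL", 6: "XBL", 7: "XBL",
             9: "SBL CSS", 10: "PBL", 11: "PBL"}
# DBL answers are 127.0.1.X.
DBL_CODES = {2: "spam domain", 4: "phish domain", 5: "malware domain",
             6: "botnet C&C domain", 255: "IP queries prohibited"}


def zen_query_name(ip):
    """1.2.3.4 -> 4.3.2.1.zen.spamhaus.org (reversed octets, as IP DNSBLs expect)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError for anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + ZEN_ZONE


def dbl_query_name(url):
    """URL -> hostname.dbl.spamhaus.org. DBL lists domains only, so an IP-literal
    URL is rejected here instead of producing a 127.0.1.255 answer."""
    host = urlsplit(url if "://" in url else "//" + url).hostname  # lowercased
    if not host:
        raise ValueError("no hostname in %r" % url)
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return host.rstrip(".") + "." + DBL_ZONE
    raise ValueError("IP literal %s belongs in a ZEN lookup, not DBL" % host)


def _interpret(answers, prefix, codes):
    """Map A-record answers to list names; [] (NXDOMAIN) means not listed."""
    hits = []
    for a in answers:
        if a.startswith(prefix):
            hits.append(codes.get(int(a.rsplit(".", 1)[1]), "unknown " + a))
        else:
            hits.append("unexpected " + a)  # 127.255.255.x is Spamhaus's error range
    return hits


def interpret_zen(answers):
    return _interpret(answers, "127.0.0.", ZEN_CODES)


def interpret_dbl(answers):
    return _interpret(answers, "127.0.1.", DBL_CODES)


def dns_resolve(qname):
    """Real lookup: A records for qname, or [] when the name does not exist.
    Spamhaus refuses queries relayed through large public resolvers."""
    try:
        return socket.gethostbyname_ex(qname)[2]
    except socket.gaierror:
        return []


# Constructed answers so the example runs offline (192.0.2.0/24 and .test are reserved).
FAKE_ANSWERS = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4"],          # XBL: compromised host
    "example-spam.test.dbl.spamhaus.org": ["127.0.1.2"],   # DBL: spam domain
}


def fake_resolve(qname):
    return FAKE_ANSWERS.get(qname, [])


def check_message(sender_ip, body_urls, resolve=dns_resolve):
    """Run the connecting IP through ZEN and every body URL host through DBL."""
    report = {"zen": interpret_zen(resolve(zen_query_name(sender_ip))), "dbl": {}}
    for url in body_urls:
        try:
            qname = dbl_query_name(url)
        except ValueError:
            continue  # IP-literal or malformed URL: nothing to ask DBL about
        report["dbl"][url] = interpret_dbl(resolve(qname))
    return report


if __name__ == "__main__":
    print(check_message("192.0.2.10",
                        ["http://example-spam.test/offer", "https://example.test/"],
                        resolve=fake_resolve))
```

The point of separating the two query builders is the one made in the reply: an IP that was clean in ZEN tells you nothing about the domain advertised in the body, and a hostname is never a valid ZEN question. Swap fake_resolve for dns_resolve to run it against the live zones.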


@Krisztián Fekete (Vamsoft): Perfect - I see the difference now. I wasn't using Spamhaus DBL, but have the SURBLs and DNS blacklists updated now (with full overwrite).

Should any of the tests be able to be configured to capture and filter on encoded subjects?

Thanks again

by Bryon 5 years ago
(in reply to this post)


@Bryon: the Keyword Blacklist test can check the MIME header, but the fact that the email subject is encoded does not mean the email itself is spam: it is absolutely legitimate (and common) to use the UTF-8 encoding, because it allows using multiple character sets in a single email. So blacklisting encoded emails would result in a lot of false positives.

by Krisztián Fekete (Vamsoft) 5 years ago
(in reply to this post)
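An added example, not ORF's code, that ties together the decoding step from the earlier reply and the false-positive caveat in this one. It decodes the raw RFC 2047 Subject quoted in the thread, then checks the decoded text rather than the fact of encoding: words that mix two scripts (a Cyrillic "Р" inside an otherwise Latin "Paying") are flagged, while single-script non-ASCII subjects pass, and a keyword match is run after mapping look-alike letters back to Latin so an existing blacklist entry such as "paying" hits again. The German, Russian and plain sample subjects, the KEYWORDS tuple and the small CONFUSABLES table are constructed for this example.

```python
"""Decode an RFC 2047 encoded-word Subject and look for mixed-script homoglyphs.

Added example (not ORF's code). "spam" is the raw header value quoted in the
thread; the other samples, KEYWORDS and the CONFUSABLES subset are constructed.
"""
import re
import unicodedata
from email.header import decode_header, make_header

SAMPLE_SUBJECTS = {
    # raw value from the thread: Cyrillic letters substituted into Latin words
    "spam": "=?utf-8?B?0KBheWluZyB0b28gbXVjaCBmb3IgSW50ZXJuZXQg0ZVlcnZpY2U/IEdldCDQ"
            "nWlnaCDQhXBlZWQgSW50ZXJuZXQgZnJvbSBBVCZU?=",
    # constructed: legitimate non-ASCII subjects, each written in a single script
    "german": "=?utf-8?Q?Viele_Gr=C3=BC=C3=9Fe_aus_M=C3=BCnchen?=",
    "russian": "=?utf-8?B?0J/RgNC40LLQtdGCINC80LjRgA==?=",
    "plain": "Quarterly report attached",
}

# Hand-written subset of Unicode confusables: Cyrillic letters that render like Latin.
CONFUSABLES = {
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0405": "S",
    "\u0422": "T", "\u0425": "X", "\u0430": "a", "\u0441": "c", "\u0435": "e",
    "\u043e": "o", "\u0440": "p", "\u0455": "s", "\u0443": "y", "\u0445": "x",
    "\u0456": "i", "\u0458": "j",
}

KEYWORDS = ("paying", "high speed internet")  # constructed blacklist entries


def decode_subject(raw):
    """Decode every =?charset?B|Q?...?= encoded-word in a header value to str."""
    return str(make_header(decode_header(raw)))


def script_of(ch):
    """Coarse script label (LATIN, CYRILLIC, GREEK, ...) from the Unicode name;
    None for digits, punctuation and whitespace."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def mixed_script_words(subject):
    """Words whose letters come from more than one script. Single-script words
    (German, Russian, plain ASCII) are never flagged, which keeps false positives
    down where a blanket 'encoded subject' rule would not."""
    flagged = []
    for word in re.findall(r"\S+", subject):
        scripts = {script_of(c) for c in word} - {None}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


def skeleton(subject):
    """Replace known look-alike characters with their Latin counterparts."""
    return "".join(CONFUSABLES.get(c, c) for c in subject)


def classify(raw_subject):
    """Decode, then evaluate the subject on the decoded text: naive_hits is what a
    plain keyword blacklist sees, keyword_hits what it sees after normalisation."""
    subject = decode_subject(raw_subject)
    lowered = subject.lower()
    normalised = skeleton(subject).lower()
    return {
        "decoded": subject,
        "mixed_script": mixed_script_words(subject),
        "naive_hits": [k for k in KEYWORDS if k in lowered],
        "keyword_hits": [k for k in KEYWORDS if k in normalised],
    }


if __name__ == "__main__":
    for label, raw in SAMPLE_SUBJECTS.items():
        print(label, classify(raw))
```

Run against the four samples, only the thread's subject produces mixed-script words and only it regains its keyword hits after normalisation; the German and Russian subjects are just as "encoded" on the wire but come through clean, which is the reason the reply gives for not blocking on encoding itself.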
