I want to be able to use a regular expression to block spam we get. The problem I have is that the spammer is using a UTF-8 base 64 encoding method in the Subject area and From area. The emails seem to slip by because the subject and from is utf-8.
Questions
1. Does Regular Express see the email headers before or after the translation of UTF-8 Encoding?
2.Can I make a Regular Express to filter subject and From lines in the Header to filter out encoded in UTF-8?
The UTF-8 decoded in Subject is "RE: Your mailbox is running out of data storage kindly update your mailbox to avoid email loss"
and From is "Webmaster Support"
3. has anyone have a defense to this?
Example below. (blocked my address with domain.com).
Received: from gateway.domain.com (10.0.0.1) by
server.domain.com (10.0.0.60) with Microsoft SMTP Server (TLS) id
14.3.498.0; Fri, 14 May 2021 05:43:12 -0700
Received: from ns31246108.ip-151-106-32.eu ([151.106.32.106]:53768) by
gateway.domain.com with esmtps (TLS1.2) tls
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from
<dtc@digitstradingph.secureserver.net>) id 1lhX9p-0001UO-0l for
me@domaincom; Fri, 14 May 2021 05:43:09 -0700
Received: from dtc by digitstradingph.secureserver.net with local (Exim
4.94.2) (envelope-from <dtc@digitstradingph.secureserver.net>) id
1lhX9n-0002cQ-At for me@domain.com; Fri, 14 May 2021 20:43:07
+0800
X-CTCH-RefID: str=0001.0A702F1B.609E705D.0005,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
To: <me@domain.com>
Subject: =?UTF-8?B?WW91ciBtYWlsYm94IGlzIHJ1bm5pbmcgb3V0IG9mIGRhdGEgc3RvcmFnZSBraW5kbHkgdXBkYXRlIHlvdXIgbWFpbGJveCB0byBhdm9pZCBlbWFpbCBsb3Nz?=
X-PHP-Script: aimfs.digitstrading.ph/database/alexusMailer_v2.0.php for 102.89.1.144
X-PHP-Originating-Script: 1006:alexusMailer_v2.0.php
From: =?UTF-8?B?V2VibWFzdGVyIFN1cHBvcnQ=?= <kumaranayagam@woolimlanka.com>
MIME-Version: 1.0;
Content-Type: multipart/mixed; boundary="--w3TfW1QSbT"
Message-ID: <E1lhX9n-0002cQ-At@digitstradingph.secureserver.net>
Date: Fri, 14 May 2021 20:43:07 +0800
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - digitstradingph.secureserver.net
X-AntiAbuse: Original Domain - domain.com
X-AntiAbuse: Originator/Caller UID/GID - [1006 993] / [47 12]
X-AntiAbuse: Sender Address Domain - digitstradingph.secureserver.net
X-Get-Message-Sender-Via: digitstradingph.secureserver.net: authenticated_id: dtc/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: digitstradingph.secureserver.net: dtc
X-Source:
X-Source-Args: php-fpm: pool aimfs_digitstrading_ph
X-Source-Dir: digitstrading.ph:/public_html/aimfs/database
Return-Path: dtc@digitstradingph.secureserver.net
X-MS-Exchange-Organization-AuthSource: SERVER1.domain.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Organization-Antispam-Report: IPOnAllowList
X-MS-Exchange-Organization-SCL: -1
X-Auto-Response-Suppress: DR, OOF, AutoReply
This thread was automatically locked due to age.
