I just got an odd message

Mirimir mirimir at riseup.net
Tue May 22 22:09:45 CEST 2018

On 05/22/2018 12:41 AM, Andrew Gallagher wrote:
> On 22/05/18 07:30, Mirimir wrote:
>> Those are just screwed-up text-encoded images, right?
> Without seeing the full email, it's hard to tell. They don't appear to
> represent any well-known file type when run through a base64 decoder.

I tried that too, for the full blocks, using online decoders, and got
nothing interpretable.

> Most uses of such constructions are hacks to get emails to display
> differently depending on the idiosyncrasies of different readers, and I
> see plenty of them. But the text-encoded data does look odd.

In Thunderbird text mode, "----DMMAwGuf 1hTVhVG5 OI0QBVgA ... cROBNJ3k
q9IZYLZM rP0GExKW RS----" appeared as the message header. Where an image
might normally be.

The body is:

| BusinessStorage tank
| Dear Sir,.
| We are a foreign trading corporation with actual strength in Chengdu,
| We need to order many of Storage tank now...... I'd like to send
| you the picture of our need by’ the form of accessory, please find
| the attached file and offer us the Preferential price by the
| specifications of our picture..After receiving your offer price, I
| will contact you ASAP,and Negotiation cooperation details,I also hope
| that we can establish a long term cooperative relationship from now.
| Product : Storage tank ( name )
| Quantity: 50
| Please contact me by email if you need the specification of products’
| picture, I will send it to you because I often like to send message
| through email……Thanks
| We look forward to having a successful cooperation...F

So he _does_ refer to images.

> I grepped the last 500 days of my spam folder and found one instance
> from a long time back that closely matches the pattern of yours. It is
> missing the leading dashes and whitespace chunking but otherwise looks
> almost the same. It includes the domain name "wei wei gift dot com".
> I see nothing in my example that screams "efail", but even so I am
> reluctant to open it in an HTML renderer to find out. ;-) It may simply
> be garbage intended to confound Bayesian analysis.

Thanks for checking. I'm curious enough that I'll put the HTML in a
LiveCD VM with no network connection, and see what Firefox does with it.
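
An offline version of the check discussed in this thread (strip the dash framing and whitespace chunking, base64-decode, then look for a known file signature), added here as an example that is not part of the original message. The function names, the short signature table and the constructed samples are assumptions; `VISIBLE_PREFIX` holds only the leading chunks quoted above, since the rest of the block is elided in the message.

```python
import base64
import binascii
import math
import re
from collections import Counter

# Leading magic bytes of a few common file types (deliberately not exhaustive).
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif", b"GIF89a": "gif",
    b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip",
}

def normalise(block):
    """Drop dash framing and whitespace chunking, then restore '=' padding."""
    body = re.sub(r"\s+", "", block.strip().strip("-"))
    return body + "=" * (-len(body) % 4)

def entropy(data):
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(block):
    """Decode one text-encoded block locally and report what it looks like."""
    try:
        raw = base64.b64decode(normalise(block), validate=True)
    except (binascii.Error, ValueError):
        return {"type": "not-base64", "size": 0, "entropy": 0.0}
    kind = next((n for m, n in MAGIC.items() if raw.startswith(m)), "unknown")
    return {"type": kind, "size": len(raw), "entropy": entropy(raw)}

def frame(raw):
    """Build a constructed sample in the quoted layout: dashes, 8-char chunks."""
    text = base64.b64encode(raw).decode().rstrip("=")
    return "----" + " ".join(text[i:i + 8] for i in range(0, len(text), 8)) + "----"

# Only the leading chunks visible in the message; the rest is elided there.
VISIBLE_PREFIX = "----DMMAwGuf 1hTVhVG5 OI0QBVgA"

if __name__ == "__main__":
    print(triage(VISIBLE_PREFIX))
    print(triage(frame(b"\x89PNG\r\n\x1a\n" + bytes(16))))  # constructed PNG header
    print(triage("----not base64!----"))
```

Entropy on a block this short is only a rough hint; it becomes meaningful once the full block is decoded.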
