2.4 Disguising the Subject: Header
It is tempting to examine the Subject: header to identify spam email. Unfortunately, the Subject: header is entirely under the spammer's control and thus can never be trusted.
But not all spam senders are created equal. Some will do everything possible to make the Subject: header appear benign, but others are inept and will provide clues in that header.
Clearly, it can benefit you to try to pick off these inept spammers. But first, understand that, by doing so, you run the risk of identifying good email as spam. To illustrate, consider the following examples of actual spam Subject: headers:
Subject: Learn how thousands are making a fortune with eBay... Subject: Earn While You Learn sjdv Subject: Visit PlayboyPlus for New Playmate Pics Subject: Discreet delivery Subject: naked and cute. watch my movie. Subject: ,^refina'nce now and ;save- r Subject: Extend your auto warranty, free quote Subject: Subject: Spring Special Subject: <a href="http://www.example.com/mp/axis/">or not Subject: get the edge Subject: Re: jock Subject: V1AGR*A final1y fOund a t0ugh cOmpet1t0r -- CIAL1-S Subject: Email Verification!Please take a look. wyl Subject: Celebrity Secret to looking young! Subject: You've seen ads for Levitra on TV, Does it Work?i s k Subject: Refinance your Home and skip a payment Subject: Important notify about your e-mail account.
Although all of these appear to be spam Subject: headers, in actuality the two shown in bold were real email messages to users who wanted to receive them.
In general, it is unwise to employ a spam-screening strategy that examines only Subject: headers. Such screening is prone to errors, and as spammers mature, the use of such headers will likely decline. We expect spam email Subject: headers of the future to look more like these:
Subject: Yesterday was fun Subject: Re: updating my address Subject: Thanks again! Subject: Email Statement Subject: next appointment Subject: I hope so
Another trick used by spam senders is to base64-encode the Subject: header. This has the advantage of making it hard for detection software to see the header, while still allowing the end user to see a readable subject line. Such base64 code might look like this:
The end user will see this:
Subject: 90 days to youth
Unfortunately, however, base64 encoding of a Subject: does not always indicate a spam message, because it is also the only method that allows some foreign languages to insert legal headers into email. For example, in the United States a user might consider =?.GB2312? (which indicates simple Chinese) to be a solid indicator of spam email. But in China, that same encoding might indicate good email, whereas =?US-ASCII? might indicate spam. Thus, again, we recommend that you screen Subject: headers sparingly, if at all.