On Tue, 20 Nov 2018, RW wrote:
> On Mon, 19 Nov 2018 13:31:47 -0800 (PST)
> John Hardin wrote:
>
>> On Mon, 19 Nov 2018, Joseph Brennan wrote:
>>
>>> Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
>>>
>>> In windows-1256, the presence of =9D between characters under
>>> decimal-128 is suspicious, regardless of Bitcoin. It seems like a
>>> simple rule but even rawbody does not check quoted-printable
>>> patterns. Plugin maybe? Has this already been done and I've missed
>>> it?
>>
>> It's there, but performing poorly:
>>
>> https://ruleqa.spamassassin.org/20181119-r1846888-n/__UNICODE_OBFU_ZW/detail
>
> For this to work with 'normalize_charset 1', \x9d needs to be replaced
> with (?:\x9d|\xe2\x80\x8c)

That makes an *enormous* difference:

https://ruleqa.spamassassin.org/20181121-r1847080-n/UNICODE_OBFU_ZW/detail

Without the normalized version it was only hitting ~5 spams in the entire
corpus.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
[For Earth Day] Obama flew a 747 all the way to the Everglades
then rode in a massive SUV motorcade to tell you
to cut carbon emissions. -- Twitter satirist @hale_razor
-----------------------------------------------------------------------
601 days since the first commercial re-flight of an orbital booster (SpaceX)
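
Added example, not part of the thread and not SpamAssassin's own rule: a Python sketch that decodes the quoted-printable sample from the thread, converts it from windows-1256 to UTF-8 the way charset normalization would, and counts hits for the \x9d-only pattern versus the (?:\x9d|\xe2\x80\x8c) alternation. The helper names and the narrowing of "characters under decimal-128" to ASCII letters are assumptions made for the illustration.

```python
import quopri
import re

# Quoted-printable sample quoted in the thread (declared charset: windows-1256).
QP_SAMPLE = b"Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt"

# Assumption: "characters under decimal-128" is narrowed to ASCII letters here.
# Lookarounds let adjacent hits share a letter (e.g. "i<zw>o<zw>u").
RAW_ONLY = re.compile(rb"(?<=[A-Za-z])\x9d(?=[A-Za-z])")
RAW_OR_NORMALIZED = re.compile(rb"(?<=[A-Za-z])(?:\x9d|\xe2\x80\x8c)(?=[A-Za-z])")


def raw_body(qp: bytes) -> bytes:
    """Undo quoted-printable only: bytes stay in the sender's charset."""
    return quopri.decodestring(qp)


def normalized_body(qp: bytes, charset: str = "cp1256") -> bytes:
    """Re-encode the decoded body as UTF-8, as charset normalization does."""
    return raw_body(qp).decode(charset).encode("utf-8")


def hits(pattern: re.Pattern, body: bytes) -> int:
    """Number of zero-width characters found between two ASCII letters."""
    return len(pattern.findall(body))


def visible_text(qp: bytes, charset: str = "cp1256") -> str:
    """What the recipient sees: U+200C (ZWNJ) renders as nothing."""
    return raw_body(qp).decode(charset).replace("\u200c", "")


if __name__ == "__main__":
    raw, norm = raw_body(QP_SAMPLE), normalized_body(QP_SAMPLE)
    print("visible text      :", visible_text(QP_SAMPLE))
    print("raw bytes         :", raw)
    print("normalized bytes  :", norm)
    for name, pat in (("\\x9d only", RAW_ONLY),
                      ("\\x9d or UTF-8 ZWNJ", RAW_OR_NORMALIZED)):
        print(f"{name:18}: raw={hits(pat, raw)} normalized={hits(pat, norm)}")
```
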