I've updated replace_tags with these 4-byte UTF-8 characters, whatever they
are, will look more in depth later..

For example

replace_tag A ....[\xf0][\x9d][\x97][\xae]

Now your example hits at least these rules

 3.6 FUZZY_BITCOIN          BODY: Obfuscated "Bitcoin"
 1.0 BITCOIN_EXTORT_02      Extortion spam, pay via BitCoin

Will take a day or two to end up in sa-update..

On Wed, Apr 22, 2020 at 04:44:25PM +0200, Brent Clark wrote:
> I want to add, I tried this as well, and it *did* match. But it feels
> clunky.
>
> https://pastebin.com/raw/7FaqnByB
>
> Regards
> Brent
>
> On 2020/04/22 16:14, Brent Clark wrote:
> >Sorry in that example I copied body.
> >I tried rawbody and body.
> >
> >Regards
> >Brent
> >
> >On 2020/04/22 16:11, Brent Clark wrote:
> >>Good day Guys
> >>
> >>I would like to ask if someone could help write a rule for the following
> >>base64 encoded sextortion.
> >>
> >>https://pastebin.com/raw/MWYmfkuh
> >>
> >>I tried using rawbody. But it was proving to not work and be the right
> >>solution. Below is me testing.
> >>
> >>i.e.
> >>body BASESEX /8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7/
> >>describe BASESEX Base64 Sextorsion
> >>score BASESEX 2.0
> >>
> >>If anyone could assist, it would be appreciated.
> >>
> >>Kind regards
> >>Brent Clark
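
Added example, not part of the thread and not SpamAssassin code: it decodes the base64 text from the BASESEX rule quoted above, shows that the bytes are styled Unicode letters such as [\xf0][\x9d][\x97][\xae], matches them with a per-letter alternation in the spirit of replace_tag, and checks how a literal base64 pattern behaves when the same text sits at a different byte offset. The function names and the one-byte prefix are assumptions made for the illustration.

```python
import base64
import re
import unicodedata

# Base64 text copied from the BASESEX rule quoted in the thread.
B64_FRAGMENT = "8J2XrvCdmIHwnZiB8J2XsvCdl7vwnZiB8J2XtvCdl7zwnZe7"


def styled_variants(letter):
    """UTF-8 bytes of every Mathematical Alphanumeric Symbol (U+1D400-U+1D7FF)
    whose NFKC compatibility form is `letter`, in either case."""
    return [chr(cp).encode("utf-8") for cp in range(0x1D400, 0x1D800)
            if unicodedata.normalize("NFKC", chr(cp)).lower() == letter.lower()]


def fuzzy_pattern(word):
    """Byte regex in which each letter matches itself or any styled 4-byte
    variant: one alternation per letter, the idea behind a replace_tag."""
    parts = []
    for letter in word:
        alts = [letter.encode()] + styled_variants(letter)
        parts.append(b"(?:" + b"|".join(re.escape(a) for a in alts) + b")")
    return re.compile(b"".join(parts), re.IGNORECASE)


def decoded_text(b64):
    """Simplified view of what a body rule is matched against: the MIME part
    after base64 decoding (HTML rendering and line joining are left out)."""
    return base64.b64decode(b64)


def literal_b64_rule_hits(plain):
    """Would the literal base64 pattern be present if `plain` were sent as a
    base64-encoded part? Depends on byte alignment within the part."""
    return B64_FRAGMENT in base64.b64encode(plain).decode("ascii")


if __name__ == "__main__":
    text = decoded_text(B64_FRAGMENT)
    print(unicodedata.normalize("NFKC", text.decode("utf-8")))
    print(bool(fuzzy_pattern("attention").search(text)))
    # Constructed input: the same styled word with one extra byte in front.
    print(literal_b64_rule_hits(text), literal_b64_rule_hits(b"x" + text))
```
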