Hello Laurent,

I wanted to express my gratitude for sharing the tip on rawbody matching.
Your assistance is greatly appreciated.

Thank you,
Jimmy


On Tue, Jan 16, 2024 at 4:01 PM Laurent S. <
110ef9e3086d8405c2929e34be5b4...@protonmail.ch> wrote:

> Hi Jimmy,
>
> If you want to get that exact version using rawbody, here's what it would
> need to look like:
> rawbody  __PASSWORD_IN_QP   /\bp\x{D0}\x{B0}ssword/i
>
> As a trick to know what to use in such a case, I added this rule on my
> debug/rule testing machine:
> rawbody   __ALLRAWBODY  /.+/
> tflags    __ALLRAWBODY  multiple
>
> If you want to cover more variations of obfuscated ways to write
> password, I'd recommend using the replace tags.
>
> body          __OBFU_PASS  /\b(?!password)<P><A><S><S><W><O><R><D>\b/i
> replace_rules __OBFU_PASS
>
> If you want more information about it, use perldoc:
> perldoc Mail::SpamAssassin::Plugin::ReplaceTags
>
> Best regards,
> Laurent
>
> On 16.01.24 05:15, Jimmy wrote:
> > ------------------
> > Content-Transfer-Encoding: quoted-printable
> >
> > Login  p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5
> > ------------------
> >
> > In the provided email snippet, I aim to match the text "p=D0=B0ssword" using the
> > following rule:
> >
> > rawbody  __PASSWORD_IN_QP   /\bp=D0=B0ssword/i
> >
> > Despite my efforts, the rule doesn't seem to correctly identify the specified
> > text. I'm uncertain whether there is an error in the rule, or if I've overlooked
> > something crucial.
> >
> > Thank you
> > Jimmy
> >
>
>
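
An added example, not part of either message in the thread: SpamAssassin's rawbody rules see the MIME part after the quoted-printable transfer encoding has been decoded, so the pattern has to target the decoded bytes 0xD0 0xB0 rather than the literal text "=D0=B0". The Python sketch below reproduces that with the sample line from the thread; the function names are hypothetical, and Python's `re` stands in for the Perl regex engine SpamAssassin uses.

```python
import quopri
import re
import unicodedata

# Constructed sample: the body line quoted in the thread, as sent on the wire.
WIRE_BODY = b"Login  p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5\n"

# Pattern written against the encoded form (the rule that did not match).
ENCODED_RE = re.compile(rb"\bp=D0=B0ssword", re.I)
# Pattern written against the decoded bytes (the form given in the reply).
DECODED_RE = re.compile(rb"\bp\xD0\xB0ssword", re.I)


def decode_qp(wire: bytes) -> bytes:
    """Undo the quoted-printable transfer encoding, leaving raw UTF-8 bytes."""
    return quopri.decodestring(wire)


def rule_hits(wire: bytes) -> dict:
    """Evaluate both patterns against the decoded body, as a rawbody rule would see it."""
    decoded = decode_qp(wire)
    return {
        "encoded_pattern": bool(ENCODED_RE.search(decoded)),
        "decoded_pattern": bool(DECODED_RE.search(decoded)),
    }


def non_ascii_letters(wire: bytes) -> list:
    """Name every non-ASCII character in the decoded text (the look-alike letters)."""
    text = decode_qp(wire).decode("utf-8")
    return [(ch, unicodedata.name(ch)) for ch in text if ord(ch) > 127]


if __name__ == "__main__":
    print(rule_hits(WIRE_BODY))
    for ch, name in non_ascii_letters(WIRE_BODY):
        print(f"U+{ord(ch):04X} {name}")
```

The character listing shows why the ReplaceTags approach from the reply generalizes better: each substituted letter is a Cyrillic look-alike, and a byte-exact rawbody rule only catches the one substitution it spells out.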
