On 4/14/20 2:10 AM, John Hardin wrote:
> On Mon, 13 Apr 2020, Giovanni Bechis wrote:
>
>> On 4/11/20 9:06 PM, John Hardin wrote:
>>> On Thu, 9 Apr 2020, John Hardin wrote:
>>>
>>>> On Thu, 9 Apr 2020, RW wrote:
>>>>
>>>>> On Thu, 9 Apr 2020 09:59:16 +0200
>>>>> Giovanni Bechis wrote:
>>>>>
>>>>>> Hi,
>>>>>> I am trying to let __COPY_PASTE_EN match this message:
>>>>>> https://pastebin.com/QfungfGY
>>>>>>
>>>>>> The message has the relevant text obfuscated. I tried with
>>>>>> replace_tags with the following rule but it doesn't seem to work,
>>>>>> any hints?
>>>>>>
>>>>>> ifplugin Mail::SpamAssassin::Plugin::ReplaceTags
>>>>>> body __COPY_PASTE_EN /<C><O><P><Y> (<A><N><D>|\+|\&) <P><A><S><T><E>/i
>>>>>> replace_rules __COPY_PASTE_EN
>>>>>> else
>>>>>> body __COPY_PASTE_EN /Copy (and|\+|\&) paste/i
>>>>>> endif
>>>>>
>>>>> It's because the letter tags have incomplete coverage of ISO 8859-7.
>>>>
>>>> Yeah, I've been working on expanding the coverage but it's been piecemeal.
>>>>
>>>> I'll try to add the missing ones soon, unless somebody else tackles it.
>>>
>>> OK, ISO-8859-7 coverage added. How now?
>>>
>> the rule doesn't trigger yet,
>
> {looks} That rule is not written to use replacetags in the first place.
> Sorry, I didn't focus on the rule itself, just the replacetags coverage.
>
>> fwiw, "copy and paste" text is written as "co=F1y =E1nd =F1as=F4e" in
>> text/plain email message, I do not know what could be added to replace_tags
>> to properly match all letters.
>
> Nothing. It's quoted-printable, the conversion is automatic.
>
Sorry,
I had a stale KAM.cf version on my laptop that was overwriting the official
replace_tags feature.
Now it's working well.
Thanks,
Giovanni
> You need to use replacetags if you want the rule to match obfuscated text
> using that feature.
>
> body __FUZZY_COPY_PASTE /<C><O><P><Y> (?:<A><N><D>|\+|\&) <P><A><S><T><E>/i
> replace_rules __FUZZY_COPY_PASTE
>
>
> Apr 13 17:09:03.689 [1753] dbg: rules-all: running body rule __FUZZY_COPY_PASTE
> Apr 13 17:09:03.689 [1753] dbg: rules: ran body rule __FUZZY_COPY_PASTE ======> got hit: "co\x{F1}y \x{E1}nd \x{F1}as\x{F4}e"
>
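
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not SpamAssassin code: the quoted-printable body is decoded to bytes first, the plain rule misses the ISO-8859-7 lookalike bytes, and a tag-expanded rule hits. The `TAGS` classes and `expand_tags` helper are hypothetical stand-ins covering only the bytes seen in the thread, not the real ReplaceTags definitions.

```python
import quopri
import re

# Constructed sample: the body text quoted in the thread, still quoted-printable.
RAW_BODY = b"co=F1y =E1nd =F1as=F4e"

# Hypothetical letter classes (assumption, not SpamAssassin's tag definitions):
# the ASCII letter plus the ISO-8859-7 byte used as its lookalike in the thread.
TAGS = {
    "A": rb"[a\xE1]",  # 0xE1 = Greek alpha
    "P": rb"[p\xF1]",  # 0xF1 = Greek rho
    "T": rb"[t\xF4]",  # 0xF4 = Greek tau
}


def expand_tags(pattern: bytes) -> bytes:
    """Expand <X> into its class; letters without a class match themselves."""
    def sub(match):
        letter = match.group(1).decode()
        return TAGS.get(letter, re.escape(letter.lower().encode()))
    return re.sub(rb"<([A-Z])>", sub, pattern)


PLAIN = rb"copy (?:and|\+|&) paste"
FUZZY = expand_tags(rb"<C><O><P><Y> (?:<A><N><D>|\+|&) <P><A><S><T><E>")


def decode_body(raw: bytes) -> bytes:
    """Undo the quoted-printable transfer encoding, leaving charset bytes."""
    return quopri.decodestring(raw)


def rendered(body: bytes) -> str:
    """What a mail client displays when the part is declared ISO-8859-7."""
    return body.decode("iso-8859-7")


def hits(pattern: bytes, body: bytes) -> bool:
    return re.search(pattern, body, re.IGNORECASE) is not None


if __name__ == "__main__":
    body = decode_body(RAW_BODY)
    print("decoded bytes:", body)
    print("displayed as :", rendered(body))
    print("plain rule   :", hits(PLAIN, body))
    print("fuzzy rule   :", hits(FUZZY, body))
```

The decoded bytes are the same ones shown in the debug hit line above, which is why nothing has to be added to the rule for the `=F1`-style encoding itself.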