Ditto to what John said; however, thanks for the spample, Mark. :)
Mark, is that the exact network image?
If not, do you have access to it? If so, please pastebin it.
By "network image", I mean not-mangled by any post filter software.
Your posted spample is quoted-printable, and should have been decoded
then hit some bitcoin/sextortion specific rules.
In your spample, the Content headers are borked, and it wasn't
recognized as qp, hence the abundant "9D" artifacts.
I ran it as-is, and it scored poorly.
After I manually de-borked the headers, and retested, it hit SA's
"OBFU_BITCOIN" and my own anti-bitcoin/sextortion & hi-ASCII-count tests.
The question is, is that broken header pattern in the original, and
if so, should it be detected & scored, in and of itself?
We'd need the most pristine original before proceeding. :)
- "Chip"
P.S. Sorry for the lack of Reply headers. I'm on the road, with limited tools.
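
The header/body mismatch discussed in the message above, as an added example that is not part of the original post or of SpamAssassin: a Python sketch that flags a body that looks quoted-printable when no valid Content-Transfer-Encoding header declares it, then decodes it anyway so content rules see the real text. The sample message, the function names and the hit threshold are assumptions made for illustration.

```python
import quopri
import re
from email import message_from_bytes

# Constructed sample (not the message from the thread). The transfer-encoding
# header name is misspelled, so a MIME parser never decodes the body.
SAMPLE = (
    b"From: sender@example.invalid\r\n"
    b"Subject: constructed test\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"Content-Transfer-Encodin: quoted-printable\r\n"
    b"\r\n"
    b"Pay the =E2=80=9Cfee=E2=80=9D in bit=\r\n"
    b"coin today.\r\n"
)

QP_ESCAPE = re.compile(rb"=[0-9A-Fa-f]{2}")   # =9D, =E2, ...
QP_SOFT_BREAK = re.compile(rb"=\r?\n")        # "=" at end of line

def looks_like_qp(body: bytes, min_hits: int = 3) -> bool:
    """Heuristic (threshold is an assumption): count QP escapes and soft breaks."""
    hits = len(QP_ESCAPE.findall(body)) + len(QP_SOFT_BREAK.findall(body))
    return hits >= min_hits

def inspect(raw: bytes) -> dict:
    """Report the declared encoding, whether the body contradicts it, and the
    text a content rule would see once the body is decoded as QP anyway."""
    msg = message_from_bytes(raw)
    declared = (msg.get("Content-Transfer-Encoding") or "").strip().lower()
    parts = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)
    body = parts[1] if len(parts) > 1 else b""
    mismatch = declared != "quoted-printable" and looks_like_qp(body)
    charset = msg.get_content_charset() or "utf-8"
    decoded = quopri.decodestring(body).decode(charset, errors="replace")
    return {"declared_cte": declared, "qp_mismatch": mismatch, "decoded": decoded}

if __name__ == "__main__":
    report = inspect(SAMPLE)
    print(report["declared_cte"] or "(none)", report["qp_mismatch"])
    print(report["decoded"])
```

In the constructed sample the word "bitcoin" is split by a soft line break, so it only appears after decoding; the mismatch flag is the signal that could be scored on its own.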