Hi Jimmy,
If you want to get that exact version using rawbody, here's how it would
need to look like:
rawbody __PASSWORD_IN_QP /\bp\x{D0}\x{B0}ssword/i
As a trick to know what to use in such a case, I added this rule on my
debug/rule testing machine:
rawbody __ALLRAWBODY /.+/
tflags __ALLRAWBODY multiple
If you want to cover more variations of obfuscated ways to write
password, I'd recommend using the replace tags.
body __OBFU_PASS /\b(?!password)<P><A><S><S><W><O><R><D>\b/i
replace_rules __OBFU_PASS
If you want more informations about it use perldoc:
perldoc Mail::SpamAssassin::Plugin::ReplaceTags
Best regards,
Laurent
On 16.01.24 05:15, Jimmy wrote:
> ------------------
> Content-Transfer-Encoding: quoted-printable
>
> Login p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5
> ------------------
>
> In the provided email snippet, I aim to match the text "p=D0=B0ssword" using
> the
> following rule:
>
> rawbody __PASSWORD_IN_QP /\bp=D0=B0ssword/i
>
> Despite my efforts, the rule doesn't seem to correctly identify the specified
> text. I'm uncertain whether there is an error in the rule, or if I've
> overlooked
> something crucial.
>
> Thank you
> Jimmy
>
