Hi Jimmy,

If you want to get that exact version using rawbody, here's how it would need to look:

rawbody __PASSWORD_IN_QP /\bp\x{D0}\x{B0}ssword/i

As a trick to know what to use in such a case, I added this rule on my debug/rule testing machine:

rawbody __ALLRAWBODY /.+/
tflags __ALLRAWBODY multiple

If you want to cover more variations of obfuscated ways to write password, I'd recommend using the replace tags.

body __OBFU_PASS /\b(?!password)<P><A><S><S><W><O><R><D>\b/i
replace_rules __OBFU_PASS

If you want more information about it, use perldoc:

perldoc Mail::SpamAssassin::Plugin::ReplaceTags

Best regards,
Laurent

On 16.01.24 05:15, Jimmy wrote:
> ------------------
> Content-Transfer-Encoding: quoted-printable
>
> Login p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5
> ------------------
>
> In the provided email snippet, I aim to match the text "p=D0=B0ssword" using the
> following rule:
>
> rawbody __PASSWORD_IN_QP /\bp=D0=B0ssword/i
>
> Despite my efforts, the rule doesn't seem to correctly identify the specified
> text. I'm uncertain whether there is an error in the rule, or if I've overlooked
> something crucial.
>
> Thank you
> Jimmy
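
Added example, not part of the thread: SpamAssassin decodes quoted-printable before rawbody rules run, so a pattern sees the bytes 0xD0 0xB0 rather than the text "=D0=B0". This Python sketch reproduces that on the quoted line; the function names are hypothetical and Python's re module stands in for the Perl regex engine.

```python
import quopri
import re

# Constructed sample: the quoted-printable body line quoted in the question.
QP_BODY = b"Login p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5\n"

# Pattern from the question: expects the literal text "=D0=B0".
ENCODED_RULE = re.compile(rb"\bp=D0=B0ssword", re.I)
# Pattern from the reply: expects the decoded bytes 0xD0 0xB0 (UTF-8 for U+0430).
DECODED_RULE = re.compile(rb"\bp\xD0\xB0ssword", re.I)


def decoded_body(qp_bytes):
    """Undo quoted-printable, which happens before rawbody rules are evaluated."""
    return quopri.decodestring(qp_bytes)


def rule_hits(rule, qp_bytes):
    """True if the pattern matches the decoded body."""
    return rule.search(decoded_body(qp_bytes)) is not None


def as_rule_escapes(qp_bytes):
    """Decoded body with each non-ASCII byte written as \\x{HH} for use in a pattern."""
    body = decoded_body(qp_bytes).rstrip(b"\r\n")
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x{%02X}" % b for b in body)


def mixed_script_words(qp_bytes):
    """Words mixing ASCII letters with non-ASCII characters (homoglyph candidates)."""
    text = decoded_body(qp_bytes).decode("utf-8", errors="replace")
    return [
        w for w in text.split()
        if any(c.isascii() and c.isalpha() for c in w)
        and any(not c.isascii() for c in w)
    ]


if __name__ == "__main__":
    print("encoded pattern hits:", rule_hits(ENCODED_RULE, QP_BODY))
    print("decoded pattern hits:", rule_hits(DECODED_RULE, QP_BODY))
    print(as_rule_escapes(QP_BODY))
    print(mixed_script_words(QP_BODY))
```

as_rule_escapes plays the role of the __ALLRAWBODY debug rule: it shows the bytes a rawbody pattern has to be written against.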