I think the difference is between body and rawbody rule:
rawbody: If there's encoding like quoted-printable or base64, the text
parts are decoded, but you still get all the HTML tags and such.
body: If they exist, also html parts are decoded, so you just get the
plain text content.
So it depends of what you would like to count, the length of the
readable text or also the HTML encoding.
On 2012-07-07 04:27, Alex wrote:
Hi,
I'm having a problem with emails with short body text and a link to
malware that automatically downloads when the link is clicked. What's
the difference between the short body tests, besides the actual
character lengths:
72_active.cf
body __KAM_BODY_LENGTH_LT_128
eval:check_body_length('128')
describe __KAM_BODY_LENGTH_LT_128 The length of the body
of the email is less than 128 bytes.
KAM.cf
meta __BODY_LE_200 (__RB_LE_200 == 1) && !__RB_GT_200
rawbody __RB_LE_200 /^.{2,200}$/s
tflags __RB_LE_200 multiple maxhits=2
Here's one such example, if you're interested. The link is actually
still valid.
https://pastebin.com/innRFvZt
It hit bayes00 and not many other rules. This one, or ones like it,
were hitting ANY_BOUNCE_MESSAGE (and FROM_NO_USER) in some variations
because the From field was either empty or missing entirely.
--
Christian Laußat
