Mailing List Archive

Rule to identify quoted-printable text
------------------
Content-Transfer-Encoding: quoted-printable

Login p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5
------------------

In the provided email snippet, I aim to match the text "p=D0=B0ssword"
using the following rule:

rawbody __PASSWORD_IN_QP /\bp=D0=B0ssword/i

Despite my efforts, the rule doesn't seem to correctly identify the
specified text. I'm uncertain whether there is an error in the rule, or if
I've overlooked something crucial.

Thank you
Jimmy
Re: Rule to identify quoted-printable text [ In reply to ]
Hi Jimmy,

If you want to get that exact version using rawbody, here's how it would
need to look:
rawbody __PASSWORD_IN_QP /\bp\x{D0}\x{B0}ssword/i

As a trick to know what to use in such a case, I added this rule on my
debug/rule testing machine:
rawbody __ALLRAWBODY /.+/
tflags __ALLRAWBODY multiple

If you want to cover more variations of obfuscated ways to write
password, I'd recommend using the replace tags.

body __OBFU_PASS /\b(?!password)<P><A><S><S><W><O><R><D>\b/i
replace_rules __OBFU_PASS

If you want more information about it, use perldoc:
perldoc Mail::SpamAssassin::Plugin::ReplaceTags

Best regards,
Laurent

On 16.01.24 05:15, Jimmy wrote:
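The point Laurent makes, carried through in Python as an added example (this is not code from the thread and not SpamAssassin's own code): a rawbody rule runs on the body after the Content-Transfer-Encoding has been undone, so the text `=D0=B0` no longer exists and the regex has to spell the two raw bytes 0xD0 0xB0 (UTF-8 for Cyrillic small a, U+0430). The block decodes the thread's snippet, shows the original and corrected rules against it, renders decoded bytes in the `\x{HH}` form a rule needs (what the `__ALLRAWBODY` dump lets you read off by eye), and then generalizes the `<P><A><S>...` idea into a per-letter homoglyph alternation. The homoglyph table is an assumption made for the illustration, not SpamAssassin's shipped `replace_tag` definitions.

```python
"""
Added example, not code from the thread or from SpamAssassin itself.
Reproduces what a rawbody rule sees after quoted-printable decoding and
why the rule must be written against the decoded bytes.
"""
import quopri
import re

# Constructed sample: the snippet from the thread, as it sits on the wire.
QP_BODY = b"Login p=D0=B0ssword is s=D0=B5t to =D0=B5xpir=D0=B5"

# The original rule, written against the still-encoded QP text.
RULE_QP_ESCAPES = re.compile(rb"\bp=D0=B0ssword", re.I)
# The corrected rule: the same word spelled as decoded bytes.
RULE_RAW_BYTES = re.compile(rb"\bp\xD0\xB0ssword", re.I)


def decode_qp(body: bytes) -> bytes:
    """Approximates what a rawbody rule sees: transfer encoding removed,
    bytes otherwise untouched (no charset conversion, markup kept)."""
    return quopri.decodestring(body)


def rule_hits(rule: re.Pattern, body: bytes) -> bool:
    """Run a rawbody-style regex over the decoded body."""
    return rule.search(decode_qp(body)) is not None


# Metacharacters that need a backslash inside a /.../ rule.
_META = set(r"\.^$|?*+()[]{}/")


def as_sa_pattern(decoded: bytes) -> str:
    """Spell decoded bytes the way a rawbody regex must: printable ASCII
    verbatim (metacharacters escaped), everything else as Perl \\x{HH}.
    This is the step the __ALLRAWBODY dump trick answers by eye."""
    out = []
    for b in decoded:
        if 0x20 <= b < 0x7F:
            ch = chr(b)
            out.append("\\" + ch if ch in _META else ch)
        else:
            out.append("\\x{%02X}" % b)
    return "".join(out)


# Assumed look-alike sets for the letters of "password"; they are UTF-8
# encoded when matched. The Cyrillic letters are the ones the sample uses.
HOMOGLYPHS = {
    "p": ["p", "\u0440"],                            # Cyrillic er
    "a": ["a", "\u0430", "@", "\u00e0", "\u00e1"],   # Cyrillic a, a-grave, a-acute
    "s": ["s", "\u0455", "5", "$"],                  # Cyrillic dze
    "w": ["w", "\u0461", "vv"],                      # Cyrillic omega
    "o": ["o", "\u043e", "0", "\u00f3"],             # Cyrillic o, digit zero, o-acute
    "r": ["r", "\u0433"],                            # Cyrillic ghe
    "d": ["d", "\u0501"],                            # Cyrillic komi de
}


def obfuscated_word_regex(word: str) -> re.Pattern:
    """Build the equivalent of <P><A><S>... with replace_rules: one
    alternation per letter, plus (?!word) so the plain spelling does not
    fire. Lookarounds stand in for \\b because \\b is ASCII-only on bytes
    and fails when the first letter is itself a non-ASCII look-alike."""
    classes = []
    for ch in word:
        alts = HOMOGLYPHS.get(ch, [ch])
        classes.append(b"(?:" + b"|".join(re.escape(a.encode("utf-8")) for a in alts) + b")")
    pattern = (rb"(?<!\w)(?!" + re.escape(word.encode("utf-8")) + rb")"
               + b"".join(classes) + rb"(?!\w)")
    return re.compile(pattern, re.I)


if __name__ == "__main__":
    raw = decode_qp(QP_BODY)
    print("decoded rawbody:", raw)
    print("original rule hits:", rule_hits(RULE_QP_ESCAPES, QP_BODY))
    print("corrected rule hits:", rule_hits(RULE_RAW_BYTES, QP_BODY))
    print("spelled for a rule:", as_sa_pattern(raw))
    obfu = obfuscated_word_regex("password")
    for sample in (raw, b"your password expires", b"passw0rd reset"):
        print(sample, "->", obfu.search(sample) is not None)
```

The `(?!password)` lookahead does the same job as in Laurent's `__OBFU_PASS` rule: a legitimate notice that spells the word normally is left alone, and only a spelling that needed a look-alike to get there is flagged.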
Re: Rule to identify quoted-printable text [ In reply to ]
Hello Laurent,

I wanted to express my gratitude for sharing the tip on rawbody matching.
Your assistance is greatly appreciated.

Thank you,
Jimmy


On Tue, Jan 16, 2024 at 4:01 PM Laurent S. <110ef9e3086d8405c2929e34be5b4340@protonmail.ch> wrote: