I could use 'rawbody', but then I end up 'wheeling' through all the different possible substitutes for each letter.
actually, rawbody won't help you.. those characters are decoded even in "rawbody" type rules...
the only differences between rawbody and body are that rawbody retains HTML tags and line-breaks.
base64, QP and other character decoding filters are still applied to rawbody rules.
Is there a simple test for this sort of obfuscation?
Not really, although you can create tests resistant to a single-character mangling by using a . or \w wildcard.
A trick in SA rules?
None yet, although many have suggested enhancements to the code to do things like "deobfuscated_body" rules, etc.
------------------------------------------------------- This SF.net email is sponsored by: Perforce Software. Perforce is the Fast Software Configuration Management System offering advanced branching capabilities and atomic changes on 50+ platforms. Free Eval! http://www.perforce.com/perforce/loadprog.html _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
