On 19 Nov 2018, at 15:38, Joseph Brennan wrote:
Example: Obvi=9Do=9Dusly yo=9Du=9D ca=9Dn can cha=9Dnge=9D i=9Dt
In windows-1256, the presence of =9D between characters under
decimal-128
is suspicious, regardless of Bitcoin. It seems like a simple rule but
even
rawbody does not check quoted-printable patterns. Plugin maybe? Has
this
already been done and I've missed it?
Using the 'full' rule type checks the truly pristine message. This is of
surprisingly limited utility. Note that if you looked for '=9D' using a
'full' rule it would match your message and most messages in this
thread. It's theoretically possible to only examine a QP-encoded part
for a QP encoding pattern, but I wouldn't use necessary sort of rule
(unlimited multi-line) in production.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
