See rawbody_part_scan in the docs.

Also the chunking of the rawbody into 2-4 kB blocks may make a
difference.

I wasn't able to find rawbody_part_scan in any of the docs that I managed to find, but after digging into the source I found the chunking logic and dug out the 2K limit. I'm not sure why I was hitting a limit at just under 1K; I can only guess that the header was included in the first rawbody chunk, which seems a little unlikely.

I was able to get the rule to work using a full rule, but I sure hated to do that, since I lose the base64 decoding of the body, and full rules are ugly and potentially dangerously inefficient. But at least it worked. Fortunately these spams are plain text encoded.
