[Rules] Use bad_unicode flag for LEAKED_PASSWORD_SCAM rule

Issue: #2649

2 files changed, 5 insertions, 5 deletions

diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 2332cd6ce..3a78ec969 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -61,14 +61,14 @@ reconf['HAS_ONION_URI'] = {
     group = 'experimental'
 }
 
-local password_in_subject = [[Subject=/\bpassword\b/i]]
-local password_in_body = [[/\bpassword\b/i{sa_body}]]
+local password_in_words = [[/^password/i{words}]]
 local btc_wallet_address = [[/^[13][0-9a-zA-Z]{25,34}$/{words}]]
 local wallet_word = [[/^wallet$/i{words}]]
+local broken_unicode = [[has_flag(bad_unicode)]]
 
 reconf['LEAKED_PASSWORD_SCAM'] = {
-  re = string.format('(%s | %s) & %s & %s', password_in_subject,
-      password_in_body, btc_wallet_address, wallet_word),
+  re = string.format('%s & %s & (%s | %s)',
+      password_in_words, btc_wallet_address, wallet_word, broken_unicode),
   description = 'Contains password word and BTC wallet address',
   score = 7.0,
   group = 'scams'
diff --git a/src/libmime/mime_expressions.c b/src/libmime/mime_expressions.c
index 7bfbf34d4..04a745c2e 100644
--- a/src/libmime/mime_expressions.c
+++ b/src/libmime/mime_expressions.c
@@ -151,6 +151,7 @@ static struct _fl {
 		{"has_content_part", rspamd_has_content_part, NULL},
 		{"has_content_part_len", rspamd_has_content_part_len, NULL},
 		{"has_fake_html", rspamd_has_fake_html, NULL},
+		{"has_flag", rspamd_has_flag_expr, NULL},
 		{"has_html_tag", rspamd_has_html_tag, NULL},
 		{"has_only_html_part", rspamd_has_only_html_part, NULL},
 		{"header_exists", rspamd_header_exists, NULL},
@@ -158,7 +159,6 @@ static struct _fl {
 		{"is_html_balanced", rspamd_is_html_balanced, NULL},
 		{"is_recipients_sorted", rspamd_is_recipients_sorted, NULL},
 		{"raw_header_exists", rspamd_raw_header_exists, NULL},
-		{"has_flag", rspamd_has_flag_expr, NULL},
 };
 
 const struct rspamd_atom_subr mime_expr_subr = {