[Rules] Use bad_unicode flag for LEAKED_PASSWORD_SCAM rule

Issue: #2649
author: Vsevolod Stakhov <vsevolod@highsecure.ru> 2018-11-30 10:00:21 +0000
committer: Vsevolod Stakhov <vsevolod@highsecure.ru> 2018-11-30 10:00:21 +0000
commit: 3f147877af03e70bac4cb9786108c2238d578038 (patch)
tree: b9f82f337ca909534609096d101a8c5204b72ebb /rules
parent: 44b731c68fc57e94fa26d0172f4805a56bcb94ea (diff)
download: rspamd-3f147877af03e70bac4cb9786108c2238d578038.tar.gz
rspamd-3f147877af03e70bac4cb9786108c2238d578038.zip
1 files changed, 4 insertions, 4 deletions
diff --git a/rules/regexp/misc.lua b/rules/regexp/misc.lua
index 2332cd6ce..3a78ec969 100644
--- a/rules/regexp/misc.lua
+++ b/rules/regexp/misc.lua
@@ -61,14 +61,14 @@ reconf['HAS_ONION_URI'] = {
     group = 'experimental'
 }
 
-local password_in_subject = [[Subject=/\bpassword\b/i]]
-local password_in_body = [[/\bpassword\b/i{sa_body}]]
+local password_in_words = [[/^password/i{words}]]
 local btc_wallet_address = [[/^[13][0-9a-zA-Z]{25,34}$/{words}]]
 local wallet_word = [[/^wallet$/i{words}]]
+local broken_unicode = [[has_flag(bad_unicode)]]
 
 reconf['LEAKED_PASSWORD_SCAM'] = {
-  re = string.format('(%s | %s) & %s & %s', password_in_subject,
-      password_in_body, btc_wallet_address, wallet_word),
+  re = string.format('%s & %s & (%s | %s)',
+      password_in_words, btc_wallet_address, wallet_word, broken_unicode),
   description = 'Contains password word and BTC wallet address',
   score = 7.0,
   group = 'scams'
author	Vsevolod Stakhov <vsevolod@highsecure.ru>	2018-11-30 10:00:21 +0000
committer	Vsevolod Stakhov <vsevolod@highsecure.ru>	2018-11-30 10:00:21 +0000
commit	3f147877af03e70bac4cb9786108c2238d578038 (patch)
tree	b9f82f337ca909534609096d101a8c5204b72ebb /rules
parent	44b731c68fc57e94fa26d0172f4805a56bcb94ea (diff)
download	rspamd-3f147877af03e70bac4cb9786108c2238d578038.tar.gz rspamd-3f147877af03e70bac4cb9786108c2238d578038.zip