> The title is actually in the body, not the header. (Possibly
> you need the "rawbody" directive. I'm not sure) For SA, your
> first recipe is enough to score any email for Sobig.E.
Oh, that was just for testing - I'm pretty sure I tried BODY and RAWBODY -
neither were caught, but I'll try again
I'm trying to block all the annoying SoBig viruses - so I have the
following:
body SO_BIG_VIRUS /Please see the attached zip file for details\./
score SO_BIG_VIRUS 6.0
header SO_BIG_ATTACHMENT ALL =~ /your_details\.zip/
score SO_BIG_ATTACHMENT 3.0
The first rule works, the 2nd doesn't - how can I
