> Of course that should be:
>
> describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
> header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
> score SCC_MIME_BOGUSCT1 2
>Hmmm... For some reason I do not understand, the anchor doesn't work,
>so:
Bill the negative lookbehind does not consum
Hi,
In case anyone wants an actual sample: https://pastebin.com/raw/R3b0UHsB
Regards,
Dianne.
On 8 Nov 2017, at 14:15, Bill Cole wrote:
Of course that should be:
describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?
Hmmm... For some reason I do not understand, the anchor doesn't work,
so:
describe SCC_MIME_BOGUSCT1 Bogus /mixed Co
On Wed, 8 Nov 2017 11:49:38 -0800 (PST)
Jim Dunphy wrote:
> header J_BAD_CONTYPE Content-Type !~
> /^(application|audio|image|message|multipart|text|video|x-)/i
For messages that lack a content type header, I guess you need the
[if-unset:] tag at the end: [if-unset: text/plain]
I know those m
Another method.
The content header field is defined to have these values for the type.
header J_BAD_CONTYPE Content-Type !~ /^(application|audio|image|message|multipart|text|video|x-)/i
score J_BAD_CONTYPE 0.1
describe J_BAD_CONTYPE invalid content type declared in header of the message
On 8 Nov 2017, at 14:12, Bill Cole wrote:
On 8 Nov 2017, at 11:16, Dianne Skoll wrote:
On Wed, 8 Nov 2017 11:02:16 -0500
Rob McEwen wrote:
This seems to be catching most of them:
Subject: Invoice [A-Z]{2,3}\d{7}\b
Yes, that'll work. Maybe a better approach is a combo rule that
looks
On 8 Nov 2017, at 11:16, Dianne Skoll wrote:
On Wed, 8 Nov 2017 11:02:16 -0500
Rob McEwen wrote:
This seems to be catching most of them:
Subject: Invoice [A-Z]{2,3}\d{7}\b
Yes, that'll work. Maybe a better approach is a combo rule that looks
in the headers for Content-Type: .*art/mixed
Ty can you throw me a sample? I also think I am blocking it with me and will
post on that list about it once I analyze it a bit.
Regards,
KAM
On November 8, 2017 7:45:28 AM PST, Dianne Skoll
wrote:
>Hi,
>
>Heads-up: We're seeing weird new malware with a subject that looks like
On Wed, 8 Nov 2017 11:02:16 -0500
Rob McEwen wrote:
> This seems to be catching most of them:
> Subject: Invoice [A-Z]{2,3}\d{7}\b
Yes, that'll work. Maybe a better approach is a combo rule that looks
in the headers for Content-Type: .*art/mixed but NOT multipart/mixed
I don't know offhand ho
-up: We're seeing weird new malware with a subject that looks like
Invoice XXX
where XXX is two or three random upper-case letters and n is a series
of digits. What's weird is that the Content-Type: header looks like this:
Content-Type: multXXXart/mixed
where the XXX is t
Hi,
Heads-up: We're seeing weird new malware with a subject that looks like
Invoice XXX
where XXX is two or three random upper-case letters and n is a series
of digits. What's weird is that the Content-Type: header looks like this:
Content-Type: multXXXart/mixed
where