GD> I'm trying to block all the annoying SoBig viruses - so I have the GD> following:
GD> body SO_BIG_VIRUS /Please see the attached zip file for details\./ GD> score SO_BIG_VIRUS 6.0 GD> header SO_BIG_ATTACHMENT ALL =~ /your_details\.zip/ GD> score SO_BIG_ATTACHMENT 3.0 The title is actually in the body, not the header. (Possibly you need the "rawbody" directive. I'm not sure) For SA, your first recipe is enough to score any email for Sobig.E. You should know that Sobig.E. is programmed to stop working on July 14th, and that the reason the file name is so consistent is that there is a bug in the program. So anything you write now won't be needed in a week. This doesn't mean you won't have to worry about it. Whoever wrote Sobig.E. had a reason for the termination date, very likely because a newer version will be launched on July 15th. But of course the rule you write now won't work then, because at the very least the next version will have a change in text and file name. I think it is a mistake to try to identify viruses with Spamassassin, both because it is inefficient and because viruses often have very large binary attachments which can cause SA to crash with an out of memory error, and let the attachment through in any case. For example, Sobig.E. is about 115k. It's much better to pre-filter for potential viruses & attachments before the email gets to SA, either with procmail or another filtering program. -Abigail ------------------------------------------------------- This SF.Net email sponsored by: Parasoft Error proof Web apps, automate testing & more. Download & eval WebKing and get a free book. www.parasoft.com/bulletproofapps _______________________________________________ Spamassassin-talk mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/spamassassin-talk