I've seen this wave too. You could use such a rule: ifplugin Mail::SpamAssassin::Plugin::MIMEHeader mimeheader ONENOTE_ATTACHED Content-Type =~ /\.one[";$]/i describe ONENOTE_ATTACHED Attached OneNote score ONENOTE_ATTACHED 5.0 end if
Make sure MIMEHeader is loaded. I haven't used that rule in prod so I don't guarantee it will perfectly work. We use fuglu to put mails in quarantine based on file attachment. ClamAV does not recognize attachments inside OneNote files, so most signatures don't hit as one would expect. But looking for .hta inside those OneNote helped me block more or less all those mails (that were not blocked earlier by RBLs). Good luck, Laurent S.
