Lately, we have been receiving spam that appears to go thru several forwarding steps within yahoo until it is finally sent out to listed recipients. The message contains "Note: forwarded message attached".
I would like to catch headers of that attached message in a SA rule, now i am not sure which type of rule to use: since those are headers of the attached message, not of the final message, would that be a rawbody/body rule? Regards, wolfgang
