This is partly about DCC and partly about regex (yes, I've ordered two more regex books).

First, there's the basic all or nothing output:

X-DCC-servers-Metrics: ui1 1049; bulk Body=many Fuz1=many Fuz2=many
X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=0 Fuz2=0

...that can be captured with basic rules:

header DCCBODY_m ALL =~ /X-DCC-.{1,500}Body=many/i
header DCCFUZ1_m ALL =~ /X-DCC-.{1,500}Fuz1=many/i
header DCCFUZ2_m ALL =~ /X-DCC-.{1,500}Fuz2=many/i

1) Is capturing header output text the best way to implement DCC in SA?

Then there are variations in between 0 and many (these are actual):

X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=0 Fuz2=1027
X-DCC-servers-Metrics: ui1 1049; bulk Body=many Fuz1=many Fuz2=230
X-DCC-CTc-dcc2-Metrics: ui1 1031; bulk Body=40 Fuz1=0 Fuz2=0
X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=0 Fuz2=2
X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=1 Fuz2=1

2) Are DCC scores less than many or 1000's worth valuing, particularly 1's and 2's?

3) If so, is their relevancy (likely ham or likely spam) linear and segment-able into 1's, 10's, 100's, 1000's, such that this might work?:

header DCCBODY_4 ALL =~ /X-DCC-.{1,500}Body=[0-9]{4}\b/i
header DCCFUZ1_4 ALL =~ /X-DCC-.{1,500}Fuz1=[0-9]{4}\b/i
header DCCFUZ2_4 ALL =~ /X-DCC-.{1,500}Fuz2=[0-9]{4}\b/i
header DCCBODY_3 ALL =~ /X-DCC-.{1,500}Body=[0-9]{3}\b/i
header DCCFUZ1_3 ALL =~ /X-DCC-.{1,500}Fuz1=[0-9]{3}\b/i
header DCCFUZ2_3 ALL =~ /X-DCC-.{1,500}Fuz2=[0-9]{3}\b/i
header DCCBODY_2 ALL =~ /X-DCC-.{1,500}Body=[0-9]{2}\b/i
header DCCFUZ1_2 ALL =~ /X-DCC-.{1,500}Fuz1=[0-9]{2}\b/i
header DCCFUZ2_2 ALL =~ /X-DCC-.{1,500}Fuz2=[0-9]{2}\b/i
header DCCBODY_1 ALL =~ /X-DCC-.{1,500}Body=[1-9]{1}\b/i
header DCCFUZ1_1 ALL =~ /X-DCC-.{1,500}Fuz1=[1-9]{1}\b/i
header DCCFUZ2_1 ALL =~ /X-DCC-.{1,500}Fuz2=[1-9]{1}\b/i

4) If so, is this the way to do it?

5) Are these regex's adequate for what I want and do not want to "see" and can they be improved?

Thanks!
Dan
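Added example, not part of the original post: a Python check that runs the rule patterns from the post over the header lines it quotes, plus one constructed five-digit header, and reports which rules fire. The helpers rules_hit and magnitudes are hypothetical names, the count-once parser is an assumed alternative, and Python's re module stands in for SpamAssassin's Perl regex engine.

```python
import re

# Patterns rebuilt from the rules in the post; re.I stands in for the /i flag.
FIELDS = ("Body", "Fuz1", "Fuz2")
RULES = {}
for f in FIELDS:
    name = "DCC" + f.upper()
    RULES[name + "_m"] = rf"X-DCC-.{{1,500}}{f}=many"
    for digits in (4, 3, 2):
        RULES[f"{name}_{digits}"] = rf"X-DCC-.{{1,500}}{f}=[0-9]{{{digits}}}\b"
    RULES[name + "_1"] = rf"X-DCC-.{{1,500}}{f}=[1-9]{{1}}\b"
COMPILED = {n: re.compile(p, re.I) for n, p in RULES.items()}

def rules_hit(headers):
    """Names of the post's rules that match the given header text."""
    return sorted(n for n, rx in COMPILED.items() if rx.search(headers))

# Assumed alternative (not from the post): read each count once and
# bucket it by its number of digits, so no count length is left unmatched.
COUNT_RX = re.compile(r"\b(Body|Fuz1|Fuz2)=(many|[0-9]+)\b", re.I)

def magnitudes(header_line):
    """Map each checksum field to 'many', 0, or its number of digits."""
    out = {}
    for field, value in COUNT_RX.findall(header_line):
        if value.lower() == "many":
            out[field] = "many"
        else:
            out[field] = 0 if int(value) == 0 else len(str(int(value)))
    return out

SAMPLES = [
    # The first seven lines are the headers quoted in the post.
    "X-DCC-servers-Metrics: ui1 1049; bulk Body=many Fuz1=many Fuz2=many",
    "X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=0 Fuz2=0",
    "X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=0 Fuz2=1027",
    "X-DCC-servers-Metrics: ui1 1049; bulk Body=many Fuz1=many Fuz2=230",
    "X-DCC-CTc-dcc2-Metrics: ui1 1031; bulk Body=40 Fuz1=0 Fuz2=0",
    "X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=0 Fuz2=2",
    "X-DCC-servers-Metrics: ui1 1049; bulk Body=0 Fuz1=1 Fuz2=1",
    # Constructed sample: a five-digit count, which none of the rules cover.
    "X-DCC-servers-Metrics: ui1 1049; bulk Body=12345 Fuz1=0 Fuz2=0",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(rules_hit(line), magnitudes(line), line, sep="  |  ")
```

The trailing \b means each digit-count rule matches only counts of exactly that length, so a count of five or more digits that is not reported as "many" fires none of the rules as written.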