Uh, what do these 'ratware' rules trigger on?
How effective are they, and what are the chances of false positives?
- Charles
On Thu, 30 Apr 2009, LuKreme wrote:
(single lines)
header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
# "
header KB_RATWARE_OUTLOOK_12 ALL =~ /^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2/msi
# "
header KB_RATWARE_BOUNDARY ALL =~ /^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\./msi
# "
score KB_RATWARE_BOUNDARY 2.0
score KB_RATWARE_OUTLOOK_16 0.1
--
Exit, pursued by a bear.
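
Added example, not part of either message in this thread: the three quoted patterns run over constructed header blocks, to show mechanically which hex digits of the Message-Id have to reappear in the MIME boundary for each rule to fire. Python's re module stands in for SpamAssassin's Perl regex engine, and the sample headers, the sample_headers() and hits() helpers, and all addresses are made up for the illustration.

```python
import re

# Equivalent of the /msi modifiers on the quoted rules.
FLAGS = re.M | re.S | re.I

# Patterns copied from the quoted rules, each on a single line.
RULES = {
    "KB_RATWARE_OUTLOOK_16": r'^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{8})\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2',
    "KB_RATWARE_OUTLOOK_12": r'^Message-Id: <....([0-9a-f]{8})\$([0-9a-f]{4})[0-9a-f]{4}\$.{100,400}boundary="----=_NextPart_000_...._\1\.\2',
    "KB_RATWARE_BOUNDARY": r'^Message-Id: <....([0-9a-f]{8})\$[0-9a-f]{8}\$.{100,400}boundary="----=_NextPart_000_...._\1\.',
}


def sample_headers(boundary_suffix):
    """Constructed header block; only the end of the boundary string varies.

    The Message-Id is fixed, and the headers between it and boundary= are
    long enough to satisfy the .{100,400} gap in the patterns.
    """
    return (
        "Message-Id: <000001c9c9a1$1a2b3c4d$5e6f7a8b@mail.example>\n"
        "From: sender@example.com\n"
        "To: rcpt@example.org\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        "Content-Type: multipart/alternative;\n"
        '\tboundary="----=_NextPart_000_0006_' + boundary_suffix + '"\n'
    )


def hits(all_headers):
    """Return the sorted names of the rules whose pattern matches."""
    return sorted(n for n, rx in RULES.items() if re.search(rx, all_headers, FLAGS))


if __name__ == "__main__":
    cases = {
        "all 16 hex digits repeated": "01C9C9A1.1A2B3C4D",
        "first 12 hex digits repeated": "01C9C9A1.1A2B9999",
        "first 8 hex digits repeated": "01C9C9A1.FFFFFFFF",
        "nothing repeated": "01C9D000.1A2B3C4D",
    }
    for label, suffix in cases.items():
        print(f"{label:30} -> {hits(sample_headers(suffix))}")
```

The patterns are nested: any header block that matches KB_RATWARE_OUTLOOK_16 also matches the other two, so their scores add up on the same message.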