Fletcher, > I seem to be having a hard time writing rules which anchor > a string to the start of the line in the body of a text message. > > e.g., suppose I get a lot of phish which contain text (not html) > like this: > > Username:.......... > Password:.......... > > I try what seemed intuitively easy: > > body __PHISH1 /^Password\b/i > body __PHISH0 /^Username\b/i > meta PHISH __PHISH1 && __PHISH0 > > But the rule does not hit unless I remove the '^' from the above regex.
> What am I missing? The /m flag probably. It is almost always wrong (or irrelevant) to leave out the /m flag on regexp rules which contain anchors like ^ and $ (especially on header rules). Try: body __PHISH1 /^Password\b/im Mark
