Thanks guys, for all the helpful info and sanity checks! :) Sorry about the Message-ID munging - I get some really useful malware at that domain but no ham, and am a bit paranoid about losing that feed.
Followup:

> I had considered anchoring the MIME string, however we have a
> very powerful quarantine system, so I kept that rule simple.
> We've had zero FPs on either rule, albeit only in xml/doc/msword
> files.

I changed my system to run that MIME string test on all message parts (plain text, de-MIMEd file, de-MIMEd non-file MIME), then we did a regression test on all 2015 & 2016 ham for most of our key corpora. We also tested 2013 & 2014 ham-only for a few of the most useful corpora, for a grand total of about 1.4 million individual emails. We found exactly zero hits on ham. :) Not counting "my" SA list digest.

That rule is now live on all our systems, at Exterminate score. We'll be doing a few more corpora in the next two weeks, and if there's any hits, I'll report back.

While it is hypothetically possible that somebody would send a document with ActiveMime, I personally am trusting my quarantine system to detect those. We can individually "skip" list that rule if needed, just like we already do with Word macros and other Pakled-icity. ;)

- "Chip"