On 07.07.2017 at 19:04, Alex wrote:
>
> I'm interested in how your system would have (or currently does)
> handle this email I received some days ago:
> https://pastebin.com/innRFvZt

that one triggers one of my redpill meta rules and scores at 24.1 :-)

header __HAS_LIST_ID exists:List-Id
header HAS_LIST_UNSUB exists:List-Unsubscribe
meta RED_PILL (MIME_BASE64_TEXT && FROM_EXCESS_BASE64 && __HAS_URI && !__HAS_LIST_ID && !HAS_LIST_UNSUB)

Without that rule it might have flown below my sa-radar. Got some scoring on it by using this plugin: https://github.com/eilandert/Botnet.pm and with the built-in rules MIME_BASE64_TEXT and FROM_EXCESS_BASE64. As well, RCVD_DOUBLE_IP_SPAM hit on that sample.

Regards
tobi
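
Added example, not part of the message above and not SpamAssassin code: a Python sketch of the RED_PILL meta logic, run over constructed messages to show how the two list-header exclusions change the verdict. The helper checks are simplified approximations of MIME_BASE64_TEXT, FROM_EXCESS_BASE64 and __HAS_URI (assumptions), and the addresses and URLs are constructed samples.

```python
import base64
import re
from email import message_from_string

URI_RE = re.compile(r"https?://\S+", re.I)
B64_WORD_RE = re.compile(r"=\?[^?\s]+\?B\?([^?\s]+)\?=", re.I)

def text_parts(msg):
    return [p for p in msg.walk() if p.get_content_maintype() == "text"]

def decoded(part):
    return part.get_payload(decode=True) or b""

def from_excess_base64(msg):
    """Approximation: From: is base64-encoded although it decodes to plain ASCII."""
    words = B64_WORD_RE.findall(msg.get("From", ""))
    try:
        return bool(words) and all(base64.b64decode(w).isascii() for w in words)
    except ValueError:  # malformed base64 in the encoded-word
        return False

def mime_base64_text(msg):
    """Approximation: a text/* part is base64-encoded although it is plain ASCII."""
    return any(
        p.get("Content-Transfer-Encoding", "").strip().lower() == "base64"
        and decoded(p).isascii()
        for p in text_parts(msg))

def has_uri(msg):
    return any(URI_RE.search(decoded(p).decode("latin-1")) for p in text_parts(msg))

def red_pill(msg):
    # Same boolean shape as the meta rule: three indicators, two list exclusions.
    return (mime_base64_text(msg) and from_excess_base64(msg) and has_uri(msg)
            and "List-Id" not in msg and "List-Unsubscribe" not in msg)

def build(extra_headers=""):
    """Constructed sample: ASCII sender name and ASCII body, both base64-encoded."""
    name = base64.b64encode(b"Support Team").decode()
    body = base64.b64encode(b"Please review: http://example.invalid/doc\n").decode()
    return message_from_string(
        f"From: =?UTF-8?B?{name}?= <sender@example.invalid>\n"
        f"{extra_headers}"
        "Subject: constructed sample\nMIME-Version: 1.0\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "Content-Transfer-Encoding: base64\n\n"
        f"{body}\n")

if __name__ == "__main__":
    print("no list headers:", red_pill(build()))
    print("with List-Id:   ", red_pill(build("List-Id: <list.example.invalid>\n")))
```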