rules for a sneaky SPEAR-VIRUS spam that gets past bayes because legit content from hijacked emails is copied into the spam, making it look like a follow-up msg of an existing legit conversation. Catch using these rules below. (Perhaps also add more to this to prevent rare FPs? But this is a good start!)

FILE SIZE < 50kb

then, on decoded/demime'd msg:

exact match on:
https://onedrive.live.com/download?cid=

Then a hit on THIS RegEx:
\b(Fil lösenord|File password): [A-Z]{2}\d{4}\b

(I'll let someone else jump in here and create and share the actual SA implementation of this, if desired - along with any suggested improvements)

-- Rob McEwen, invaluement
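The three checks from the post (raw size under 50 kB, the OneDrive download URL, and the password regex), as an added reference implementation in Python. This is not the SpamAssassin rule the post asks for and not Rob's code; the sample message below is constructed, and the base64 transfer encoding is there to show why the match has to run on the decoded body rather than on the raw bytes.

```python
import email
import re
from email import policy
from email.message import EmailMessage

MAX_SIZE = 50 * 1024  # rule 1: raw message must be smaller than 50 kB
ONEDRIVE_DL = "https://onedrive.live.com/download?cid="  # rule 2: exact substring
PASSWORD_RE = re.compile(r"\b(Fil lösenord|File password): [A-Z]{2}\d{4}\b")  # rule 3


def decoded_text(msg) -> str:
    """Join the decoded text of every text/* part: the 'decoded/demime'd' view."""
    return "\n".join(
        part.get_content()
        for part in msg.walk()
        if part.get_content_maintype() == "text"
    )


def is_onedrive_spear(raw: bytes) -> bool:
    """Apply the size, URL and password checks to one raw RFC 5322 message."""
    if len(raw) >= MAX_SIZE:
        return False
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = decoded_text(msg)
    return ONEDRIVE_DL in text and PASSWORD_RE.search(text) is not None


def build_sample(with_password: bool) -> bytes:
    """Constructed test message (not a real sample): a fake reply that quotes a
    legit thread, which is what lets it slip past Bayes."""
    msg = EmailMessage()
    msg["From"] = "hijacked-account@example.com"
    msg["To"] = "recipient@example.net"
    msg["Subject"] = "RE: RE: invoice question"
    body = "Hi,\n\nThe file is here:\nhttps://onedrive.live.com/download?cid=0123456789ABCDEF\n"
    if with_password:
        body += "Fil lösenord: AB1234\n"
    body += "\n> On Monday you wrote:\n> thanks, I will send the updated figures tomorrow\n"
    msg.set_content(body, cte="base64")  # on the wire the body is base64, not plain text
    return msg.as_bytes()


if __name__ == "__main__":
    print("spear sample:", is_onedrive_spear(build_sample(True)))
    print("plain reply: ", is_onedrive_spear(build_sample(False)))
```

A real filter would additionally want the FP guards the post hints at, such as ignoring the password line when it only appears inside quoted (`>`) text.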
