for what it's worth, I just pushed Henry's version of Joe's rules into the 3.2.x sa-updates.
--j.

Jack Pepper writes:
> Quoting Jeremy Fairbrass <[EMAIL PROTECTED]>:
>
> > Hi Jack,
> > Any chance of sharing your rules for this?!
> >
> > Cheers,
> > Jeremy
>
> Sure:
>
> score BOBAX_GEN_SPAM_2 1.800
> header BOBAX_GEN_SPAM_2 ALL =~ /^Message-Id:[EMAIL PROTECTED]/m
> describe BOBAX_GEN_SPAM_2 Has Bobax Generated Message-Id, type 2
>
> score BOBAX_GEN_SPAM 1.800
> header BOBAX_GEN_SPAM ALL =~ /^Message-Id:.*EJXVWDA/m
> describe BOBAX_GEN_SPAM Has Bobax Generated Message-Id
>
> One fellow suggested that it might be more efficient to do this:
>
> score BOBAX_GEN_SPAM 1.800
> header BOBAX_GEN_SPAM Message-ID =~ /EJXVWDA/m
> describe BOBAX_GEN_SPAM Has Bobax Generated Message-Id
>
> but I wasn't sure if SA would detect that the incorrect case on the
> word "message-id" and then not realize the test, etc. Any suggestions?
>
> jp
>
> --
> Framework? I don't need no steenking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
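An added example, not part of the thread and not SpamAssassin's own code: a Python emulation of the two rule forms quoted above, run over constructed messages whose Message-Id header name differs only in case. It assumes that `ALL` exposes header names in their original case and that a lookup by header name ignores case (as Python's `email` package does); the function names and sample messages are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample messages: three carry the EJXVWDA marker, one does not.
SAMPLES = {
    "Message-Id": "Message-Id: <0001EJXVWDA@example.invalid>\nSubject: a\n\nbody\n",
    "Message-ID": "Message-ID: <0002EJXVWDA@example.invalid>\nSubject: b\n\nbody\n",
    "message-id": "message-id: <0003EJXVWDA@example.invalid>\nSubject: c\n\nbody\n",
    "clean": "Message-ID: <0004abcdef@example.invalid>\nSubject: d\n\nbody\n",
}


def header_block(raw):
    """Return the raw header section (everything before the first blank line)."""
    return raw.split("\n\n", 1)[0]


def rule_all(raw):
    """'ALL =~ /^Message-Id:.*EJXVWDA/m': the header name is part of the
    pattern, so its exact case must match."""
    return re.search(r"^Message-Id:.*EJXVWDA", header_block(raw), re.M) is not None


def rule_all_ci(raw):
    """Same as rule_all, but only the header name is matched case-insensitively;
    the marker itself stays case-sensitive."""
    return re.search(r"^(?i:Message-Id):.*EJXVWDA", header_block(raw), re.M) is not None


def rule_named(raw):
    """'Message-ID =~ /EJXVWDA/': fetch the header by name (case-insensitive
    lookup, an assumption about the rule engine) and match the value only."""
    values = message_from_string(raw).get_all("Message-ID") or []
    return any(re.search(r"EJXVWDA", v) for v in values)


def evaluate():
    """Map each sample name to (rule_all, rule_all_ci, rule_named) results."""
    return {
        name: (rule_all(raw), rule_all_ci(raw), rule_named(raw))
        for name, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:12} all={hits[0]} all_ci={hits[1]} named={hits[2]}")
```

Under these assumptions the case-sensitive `ALL` form is the one that misses senders spelling the header `Message-ID` or `message-id`; the named-header form matches the value regardless of how the name is cased.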