On Fri, 27 Nov 2009, Philip A. Prindeville wrote:

> header __L_UNDISCLOSED1         To:raw =~ /undisclosed-recipients: ;/
>
> Just how do I go about figuring out what the "To:raw" value is (for example)?

  header  __TO_RAW  To:raw =~ /.+/

If you're analyzing something that may have multiple occurrences, you'll need a tflags multiple:

  body    __ALL_BODY  /.+/
  tflags  __ALL_BODY  multiple

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
                                           -- Peter da Silva in a.s.r
-----------------------------------------------------------------------
 28 days until Christmas
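
An added example, not part of the message above and not SpamAssassin code: a Python sketch of what a `To:raw` rule is tested against, next to the unfolded and decoded value, for the `undisclosed-recipients` pattern quoted in the thread. It assumes `:raw` means the field text with folding and RFC 2047 encoded-words left intact; the sample messages and the names `header_values` and `rule_hits` are constructed for illustration.

```python
import base64
import quopri
import re

# Constructed sample messages (not from the thread).
PLAIN = b"From: a@example.com\r\nTo: undisclosed-recipients: ;\r\n\r\nbody\r\n"
ENCODED = (b"From: a@example.com\r\n"
           b"To: =?UTF-8?Q?undisclosed-recipients?=:\r\n ;\r\n"
           b"\r\nbody\r\n")

RULE = re.compile(r"undisclosed-recipients: ;")  # pattern quoted in the thread
ENCODED_WORD = re.compile(r"=\?([^?]+)\?([bBqQ])\?([^?]*)\?=")


def _decode_word(m: re.Match) -> str:
    """Decode one RFC 2047 encoded-word (B or Q encoding)."""
    charset, enc, text = m.group(1), m.group(2).upper(), m.group(3)
    data = (base64.b64decode(text) if enc == "B"
            else quopri.decodestring(text.encode("ascii"), header=True))
    return data.decode(charset, errors="replace")


def header_values(message: bytes, name: str, raw: bool = True) -> list[str]:
    """Return every occurrence of header `name`, raw or unfolded and decoded."""
    head = message.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    values = []
    # A new field starts at a line that does not begin with space or tab.
    for field in re.split(r"\r\n(?![ \t])", head):
        key, sep, value = field.partition(":")
        if not sep or key.strip().lower() != name.lower():
            continue
        value = value[1:] if value.startswith(" ") else value
        if not raw:
            value = re.sub(r"\r\n(?=[ \t])", "", value)    # unfold
            value = ENCODED_WORD.sub(_decode_word, value)  # decode RFC 2047
        values.append(value)
    return values


def rule_hits(message: bytes, raw: bool) -> bool:
    """True if the thread's pattern matches any To value in the chosen form."""
    return any(RULE.search(v) for v in header_values(message, "To", raw))


if __name__ == "__main__":
    for label, msg in (("plain", PLAIN), ("encoded", ENCODED)):
        print(label, header_values(msg, "To"),
              rule_hits(msg, raw=True), rule_hits(msg, raw=False))
```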
