We're having a problem with the FH_RANDOM_SURE rule causing false positives. It has a subrule __ALL_RANDOM, which is:

    header __ALL_RANDOM ALL =~ /(?:[%\#\[\$]R?A?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))/i

We have a user "ndrier", so legitimate email sometimes has a header that starts like:

    References: <CEFAE1FA.101C2%ndrier@

which matches the rule, since it contains "%nd". It looks like it's trying to find "%random", but only "nd" is required to be there. Could the score be way lowered or the rule made more restrictive?

Brian Bebeau
Email Security Researcher, Spiderlabs
t: +1.513.885.7074
Trustwave | SMART SECURITY ON DEMAND
www.trustwave.com
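
The match described in the message above can be reproduced outside SpamAssassin. This is an added example, not part of the original post and not SpamAssassin code: it runs the quoted pattern through Python's re module against the truncated References header from the post. STRICT is a hypothetical tightening that makes the leading "R" mandatory, and the Subject and X-Mailer lines are constructed samples.

```python
import re

# Subrule pattern as quoted in the post; the trailing /i becomes re.IGNORECASE.
ALL_RANDOM = re.compile(
    r"(?:[%\#\[\$]R?A?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))",
    re.IGNORECASE,
)

# Hypothetical tightening (assumption, not a SpamAssassin change): the leading
# "R" is mandatory, so a bare "%nd" can no longer satisfy the first branch.
# Trade-off: tokens written without the "R" would no longer be caught.
STRICT = re.compile(
    r"(?:[%\#\[\$]RA?NDO?M?|\%(?:CUSTOM|FROM|PROXY|X?MESSA|MAKE_TXT|FROM_USER))",
    re.IGNORECASE,
)

# Header prefix exactly as given in the post (truncated there after "@").
LEGIT_HEADER = "References: <CEFAE1FA.101C2%ndrier@"

# Constructed samples of unexpanded template tokens, for comparison only.
TEMPLATE_HEADERS = [
    "Subject: Hello %RANDOM_WORD",
    "Subject: Offer [RND_NUMBER",
    "X-Mailer: $RAND",
]


def hit(pattern, header):
    """Return the substring that triggers the rule, or None if no match."""
    m = pattern.search(header)
    return m.group(0) if m else None


def compare(headers):
    """Map each header to (original hit, strict hit)."""
    return {h: (hit(ALL_RANDOM, h), hit(STRICT, h)) for h in headers}


if __name__ == "__main__":
    for header, (orig, strict) in compare([LEGIT_HEADER] + TEMPLATE_HEADERS).items():
        print(f"{header!r}: original={orig!r} strict={strict!r}")
```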