Robert Spier wrote:

Huh? I don't see how shortening the prefix does anything except:

Sorry, thought you were arguing against the very concept of trying to match signatures...


We *know* the virus writers are smart.  They will find an easy way to
vary some number in the header, and blow out all but the short prefix
matching.

Three words for you:

        LOW HANGING FRUIT

The virus writers don't need to be smart in this regard, since there are millions of computers which are not scanning anything at all. They aren't going to take the time to tweak the DOS image because it is much more profitable to take the human engineering route and find ways to entice [stupid] people to click on the damn link in the first place.

I don't see how it's a bad thing to only look for "TV"?  We'd only
check for that if the mime header says it's base64'ed, and that's very
unlikely[1] to have a false positive.

I think it is worth the experiment; I assume you are volunteering to be the guinea pig. <DUCK>


However, remember that if you have a bare base64'd body, lookOut will helpfully render that as an attachment, so you cannot assume that the message will be multipart MIME...

John
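The check Robert describes (only look for the base64 prefix "TV", which is how the "MZ" DOS header encodes, and only when the transfer encoding is base64) together with John's caveat about a bare base64 body that is not multipart, as an added example that is not from either poster. It uses Python's standard email module; the messages are constructed samples, not real mail or malware.

```python
import base64
from email import message_from_string
from email.message import Message

# b"MZ" base64-encodes to "TV" followed by two characters that depend on the
# next bytes, so "TV" is the stable two-character prefix of any encoded DOS/PE image.
MZ_B64_PREFIX = "TV"


def looks_like_b64_exe(part: Message) -> bool:
    """True only if the part is declared base64 AND its raw body starts with 'TV'."""
    cte = part.get("Content-Transfer-Encoding", "").strip().lower()
    if cte != "base64":
        return False  # plain text starting with "TV" is never flagged
    payload = part.get_payload(decode=False)
    return isinstance(payload, str) and payload.lstrip().startswith(MZ_B64_PREFIX)


def flag_message(raw: str) -> list[str]:
    """Walk every leaf part; a non-multipart message is itself the single leaf,
    so a bare base64 body is checked exactly like an attachment."""
    msg = message_from_string(raw)
    return [
        part.get_filename() or "<bare body>"
        for part in msg.walk()
        if not part.is_multipart() and looks_like_b64_exe(part)
    ]


# Constructed sample: a 16-byte stand-in for a DOS executable header.
EXE_B64 = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 12).decode()  # "TVqQ..."

HDR = "From: a@example.test\nTo: b@example.test\nSubject: test\nMIME-Version: 1.0\n"

MULTIPART = (
    HDR + 'Content-Type: multipart/mixed; boundary="XX"\n\n'
    "--XX\nContent-Type: text/plain\n\nTV listings attached.\n"
    '--XX\nContent-Type: application/octet-stream; name="doc.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    'Content-Disposition: attachment; filename="doc.exe"\n\n'
    + EXE_B64 + "\n--XX--\n"
)
# Bare body: no multipart wrapper at all, just a base64-encoded image.
BARE = HDR + "Content-Transfer-Encoding: base64\n\n" + EXE_B64 + "\n"
# Plain text that happens to start with "TV" but is not base64: must not be flagged.
PLAIN = HDR + "Content-Type: text/plain\n\nTV show tonight at 8.\n"
```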
