Re: rules for a sneaky SPEAR-VIRUS spam that gets past bayes
Just off the top of my head:

  rawbody  ONEDRIVE_DOWNLOAD  m'https://onedrive\.live\.com/download[?]cid='
  score    ONEDRIVE_DOWNLOAD  0.5
  describe ONEDRIVE_DOWNLOAD  Download link to a file on Onedrive

Personally I'd be inclined to put an i on the end of that.

  body     FILE_PWD_INFO  /\b(?:Fil lösenord|File password):\s[A-Z]{2}\d{4}\b/
  score    FILE_PWD_INFO  3
  describe FILE_PWD_INFO  Email has a password to an archive file

  meta     PWD_ONEDRIVE_DLOAD  ONEDRIVE_DOWNLOAD && FILE_PWD_INFO
  score    PWD_ONEDRIVE_DLOAD  4
  describe PWD_ONEDRIVE_DLOAD  Email contains download for passworded Onedrive file

Loren
rules for a sneaky SPEAR-VIRUS spam that gets past bayes
rules for a sneaky SPEAR-VIRUS spam that gets past bayes because legit content from hijacked emails is copied into the spam, making it look like a follow-up msg of an existing legit conversation. Catch using the rules below. (Perhaps also add more to this to prevent rare FPs? But this is a good start!)

FILE SIZE < 50kb

then, on the decoded/demime'd msg:

  * exact match on: https://onedrive.live.com/download?cid=

  * then a hit on THIS RegEx: \b(Fil lösenord|File password): [A-Z]{2}\d{4}\b

(I'll let someone else jump in here and create and share the actual SA implementation of this, if desired - along with any suggested improvements)

-- 
Rob McEwen, invaluement
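As an added example, not part of either post above: a small Python stand-in for the rule set from the reply, run against constructed sample messages so the logic can be checked outside SpamAssassin. It keeps the posted rule names and scores, adds the under-50kb size gate from the original post as a plain length check, decodes the MIME parts first (the "decoded/demime'd msg"), and uses the case-insensitive flag suggested for the URL pattern. The three messages, the sender and recipient addresses, and the cid value are made up for the example.

```python
"""Prototype of the OneDrive-link + archive-password check, outside SpamAssassin.

Added example for the thread, not code posted by either author. Rule names
and scores are copied from the reply; the size gate is from the original post.
"""
import base64
import email
import re
from email import policy
from email.message import EmailMessage

# Upper bound from the original post: only small messages are considered.
MAX_SIZE_BYTES = 50 * 1024

# Patterns mirroring the posted rules. The URL pattern gets the case-insensitive
# flag that the reply suggested appending to the rawbody rule.
ONEDRIVE_DOWNLOAD_RE = re.compile(
    r"https://onedrive\.live\.com/download\?cid=", re.IGNORECASE
)
FILE_PWD_INFO_RE = re.compile(r"\b(?:Fil lösenord|File password):\s[A-Z]{2}\d{4}\b")

# Scores as posted in the reply; the meta rule adds its own score on top.
SCORES = {"ONEDRIVE_DOWNLOAD": 0.5, "FILE_PWD_INFO": 3.0, "PWD_ONEDRIVE_DLOAD": 4.0}


def decoded_text(msg: EmailMessage) -> str:
    """Join the decoded text of every text/* part (base64 and QP undone)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            chunks.append(part.get_content())
    return "\n".join(chunks)


def score_message(raw: bytes) -> dict:
    """Return the rule hits and summed score for one raw RFC 5322 message."""
    hits = {}
    # Size gate from the original post: anything 50kb or larger is skipped.
    if len(raw) >= MAX_SIZE_BYTES:
        return {"hits": hits, "score": 0.0}
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = decoded_text(msg)
    if ONEDRIVE_DOWNLOAD_RE.search(text):
        hits["ONEDRIVE_DOWNLOAD"] = SCORES["ONEDRIVE_DOWNLOAD"]
    if FILE_PWD_INFO_RE.search(text):
        hits["FILE_PWD_INFO"] = SCORES["FILE_PWD_INFO"]
    # Meta rule: fires only when both underlying rules hit (ONEDRIVE_DOWNLOAD && FILE_PWD_INFO).
    if "ONEDRIVE_DOWNLOAD" in hits and "FILE_PWD_INFO" in hits:
        hits["PWD_ONEDRIVE_DLOAD"] = SCORES["PWD_ONEDRIVE_DLOAD"]
    return {"hits": hits, "score": sum(hits.values())}


# --- constructed sample messages (not real mail) ---------------------------
_HEADERS = (
    b"From: colleague@example.com\n"
    b"To: victim@example.org\n"
    b"Subject: Re: Re: invoice\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/plain; charset=\"utf-8\"\n"
)

# Spam-like message: base64-encoded body, so the match only works after decoding.
# Mixed-case host exercises the case-insensitive URL pattern.
_SPAM_BODY = (
    "Hi, as discussed, the file is here:\n"
    "https://OneDrive.live.com/download?cid=0123456789ABCDEF\n"
    "File password: AB1234\n\n"
    "> (quoted text copied from a hijacked legit thread)\n"
)
SPAM_SAMPLE = (
    _HEADERS
    + b"Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(_SPAM_BODY.encode("utf-8"))
    + b"\n"
)

# Ham-like message: a plain OneDrive link with no password line.
HAM_SAMPLE = (
    _HEADERS
    + b"Content-Transfer-Encoding: 7bit\n\n"
    + b"Slides from today: https://onedrive.live.com/download?cid=0123456789ABCDEF\n"
)

# Same content as the spam sample but padded past the size gate.
LARGE_SAMPLE = SPAM_SAMPLE + b"X" * MAX_SIZE_BYTES


if __name__ == "__main__":
    for name, raw in [("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE), ("large", LARGE_SAMPLE)]:
        print(name, score_message(raw))
```

The meta rule is where the value is: a OneDrive link alone is common in legitimate mail and only adds 0.5, so the combination with the password pattern is what pushes the total over a typical threshold; the size gate and the decode-first step are the two parts of the original description that the posted rules do not express on their own.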