Here is a much simpler rule to catch Netsky.B:
header JM_MIME_BOUND_NETSKY Content-Type =~ /^multipart\/mixed;
boundary="\d{8}"$/
describe JM_MIME_BOUND_NETSKY Netsky.B worm pattern in MIME boundary
score JM_MIME_BOUND_NETSKY 200.0
Some mail clients may wrap the first ("header") line, but it should be
just one line.
:: Jeff Makey
[EMAIL PROTECTED]
