> -----Original Message-----
> From: Bret Miller [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 03, 2004 12:35 PM
> To: [EMAIL PROTECTED]
> Subject: RE: New Beagle.J virus problems
>
> > Here is what I whipped up this morning
> >
> > header __YM_HF_BEAGLE_K From =~ /(?:management|administration|staff|noreply|support)\@(?:yourdomain1|yourdomain2|yourdomain3)/i
> > body __YM_B_BEAGLE_K /^(?:dear|hello) user/i
> > meta YM_BEAGLE_K (__YM_HF_BEAGLE_K && __YM_B_BEAGLE_K)
> > describe YM_BEAGLE_K Message contains the "Bagle.K/Beagle.K" virus
> > tflags YM_BEAGLE_K learn
> > score YM_BEAGLE_K 20.0
>
> This doesn't work for me since some of the accounts it comes from are
> valid. It does contain a message-id with 11 lower case letters followed
> by my domain name, but I've been having difficulty in actually making
> the regex match. Shouldn't this work?
>
> /^Message-I[Dd]: <[EMAIL PROTECTED]>$/
>
> Bret
Bret,

What are the chances that the folks using the mentioned addresses would greet folks by saying "Dear user" or "Hello user"?

Also, you could add another meta test that examines the subject line and looks for the following items:

E-mail account disabling warning.
E-mail account security warning.
Email account utilization warning.
Important notify about your e-mail account.
Notify about using the e-mail account.
Notify about your e-mail account utilization.
Warning about your e-mail account.

I think the message-id regex you are looking for would be in this format:

header TESTNAME Message-ID =~ /[EMAIL PROTECTED]/i

I would be careful of false positives running that alone, but it should be OK if you combine it in a meta test along with the from address or subject or body test.

-matt
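The combination Matt suggests, written out as an added example (it is not code from the thread or from SpamAssassin itself): the From and body tests Bret posted, a Subject test over Matt's list, and a Message-ID fingerprint, combined so that the fingerprint never scores on its own, then run over three constructed messages. The domains example.com and example.org stand in for "yourdomain1|yourdomain2", the exact Message-ID shape (11 lower-case letters, then one of those domains) is an assumption drawn from Bret's description, and the sample messages are made up for the demonstration. One point worth knowing for Bret's regex: a SpamAssassin `header` rule is matched against the header's value, not the whole "Name: value" line, so a pattern that starts with `^Message-I[Dd]: ` will never match; Matt's `header TESTNAME Message-ID =~ /.../` form is the right shape, and the equivalent rule is shown in the comments.

```python
import re
from email import message_from_string

# Assumed stand-ins for "yourdomain1|yourdomain2|yourdomain3" in the thread.
LOCAL_DOMAINS = ("example.com", "example.org")
DOMAIN_ALT = "|".join(re.escape(d) for d in LOCAL_DOMAINS)

# Same tests as Bret's posted __YM_HF_BEAGLE_K / __YM_B_BEAGLE_K rules.
FROM_RE = re.compile(
    r"(?:management|administration|staff|noreply|support)@(?:" + DOMAIN_ALT + r")", re.I)
BODY_RE = re.compile(r"^(?:dear|hello) user", re.I | re.M)

# Message-ID fingerprint Bret described (assumed shape): exactly 11 lower-case
# letters, then one of our own domains.  The SpamAssassin equivalent would be
#   header __YM_MID_BEAGLE_K  Message-ID =~ /^<[a-z]{11}@(?:yourdomain1|yourdomain2)>$/
# (matched against the header value only, so no "Message-ID:" in the pattern).
MSGID_RE = re.compile(r"^<[a-z]{11}@(?:" + DOMAIN_ALT + r")>$")

# Subject lines Matt listed, compared as a whole and case-insensitively.
SUBJECTS = {
    "e-mail account disabling warning.",
    "e-mail account security warning.",
    "email account utilization warning.",
    "important notify about your e-mail account.",
    "notify about using the e-mail account.",
    "notify about your e-mail account utilization.",
    "warning about your e-mail account.",
}


def subject_hit(subject):
    s = " ".join(subject.split()).lower()
    return s in SUBJECTS or s + "." in SUBJECTS


def body_text(msg):
    """Text/plain parts joined (the whole payload for single-part mail)."""
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(
        part.get_payload(decode=True).decode("latin-1", "replace")
        for part in msg.walk() if part.get_content_type() == "text/plain")


def evaluate(raw):
    """Run the four sub-tests and the meta test over one message.

    meta = msgid && (from || body || subject): the Message-ID fingerprint is
    never trusted alone, which is Matt's false-positive caveat; equivalent to
      meta YM_BEAGLE_K (__YM_MID_BEAGLE_K && (__YM_HF_BEAGLE_K || __YM_B_BEAGLE_K || __YM_S_BEAGLE_K))
    """
    msg = message_from_string(raw)
    hits = {
        "from": FROM_RE.search(msg.get("From", "")) is not None,
        "body": BODY_RE.search(body_text(msg)) is not None,
        "subject": subject_hit(msg.get("Subject", "")),
        "msgid": MSGID_RE.match(msg.get("Message-ID", "").strip()) is not None,
    }
    hits["meta"] = hits["msgid"] and (hits["from"] or hits["body"] or hits["subject"])
    hits["score"] = 20.0 if hits["meta"] else 0.0   # mirrors "score YM_BEAGLE_K 20.0"
    return hits


# Constructed sample messages, not captured worm traffic.
WORM_LIKE = """From: management@example.com
To: bret@example.com
Subject: E-mail account disabling warning.
Message-ID: <kqwzmbtuvye@example.com>

Dear user of example.com,

Your e-mail account will be disabled in the next three days.
Please open the attached file for details.
"""

# Bret's objection: a genuine message from a genuine support@ address.
LEGIT_SUPPORT = """From: support@example.com
To: bret@example.com
Subject: Re: password reset for your account
Message-ID: <20040303.123500.GA4821@mail.example.com>

Hi Bret,

Your password has been reset; reply to this ticket if it still fails.
"""

# Only the Message-ID shape matches: must not fire on its own.
MSGID_ONLY = """From: listmember@somewhere-else.invalid
To: bret@example.com
Subject: Re: New Beagle.J virus problems
Message-ID: <abcdefghijk@example.org>

Here is what I whipped up this morning ...
"""

if __name__ == "__main__":
    for name, raw in (("worm-like", WORM_LIKE), ("legit support", LEGIT_SUPPORT),
                      ("msgid only", MSGID_ONLY)):
        print(f"{name:14s} {evaluate(raw)}")
```

Run as is, the worm-like message scores 20.0 with all four sub-tests hit, the real support@ message matches only the From test and scores 0, and the message whose only match is the Message-ID shape also scores 0. Tightening the gate further (for instance requiring the Message-ID test and two of the content tests) is a one-line change in `evaluate`, and the same trade-off applies to the `meta` line in the real rule file.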
