On Thu, 4 Mar 2004, Thomas Muller wrote:

> I've received thousands of emails with the "Latest Microsoft Critical
> Patch" (various variants). Any rules out there catching these?
I snag them in procmail, but it would be easy enough to adapt it to SA. Note where tests are split up, procmail style, with escaped newline:

:0 HB
* From:.*microsoft.com
* Subject:.*(LiveUpdate Information|Use this patch immediately !|\
Windows XP Service Pack 1 \(Express\) - Critical Update)
/dev/null

In SA the above would be two separate tests and a META rule.....

# 'W32.Swen.A'
:0 HB
* ^Content-Type:.*(.*$)?.*name=\"?(patch|upgrade|update|installer|\
install|installation|pack|q)[0-9]*\.(exe|zip)
/dev/null

The above test has a chance for some false positives, but given how prevalent 'swen' was, I thought it worth it....

- Charles
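The SpamAssassin translation Charles alludes to ("two separate tests and a META rule"), written out as an added example; this is not code from Charles's post or from the SpamAssassin project. It assumes the 2.6x-era rule syntax (header, full, meta, describe, score), treats the From:/Subject: conditions as header tests rather than the header-plus-body match that procmail's `:0 HB` performs, and applies /i because procmail conditions are case-insensitive by default. The rule names and score values are this example's own choices.

```conf
# local.cf fragment: Charles's two procmail recipes as SpamAssassin rules.
# Rule names, scores and regex details are this example's own choices.

# Recipe 1: fake "Microsoft critical patch" notices. procmail tested From:
# and Subject: in one recipe; SA needs one test per header plus a meta rule
# to AND them. A leading "__" marks a sub-rule that carries no score itself.
header   __FAKE_MS_FROM   From =~ /microsoft\.com/i
header   __FAKE_MS_SUBJ   Subject =~ /(?:LiveUpdate Information|Use this patch immediately !|Windows XP Service Pack 1 \(Express\) - Critical Update)/i
meta     FAKE_MS_PATCH    (__FAKE_MS_FROM && __FAKE_MS_SUBJ)
describe FAKE_MS_PATCH    Fake "Microsoft critical patch" notice (Swen-style)
score    FAKE_MS_PATCH    4.0

# Recipe 2: W32.Swen.A attachment names. The procmail pattern's "(.*$)?"
# lets the Content-Type header fold onto a following line; here a "full"
# rule scans the raw message with /m so "^" anchors each line, and the
# "(?:\n[ \t][^\n]*)*" group absorbs any folded continuation lines before
# name= is reached. SA 3.0+ could use "mimeheader ... Content-Type =~ /.../"
# instead of "full" (assumption: not available in the 2.6x syntax assumed here).
full     SWEN_EXE_NAME    /^Content-Type:[^\n]*(?:\n[ \t][^\n]*)*name="?(?:patch|upgrade|update|installer|install|installation|pack|q)[0-9]*\.(?:exe|zip)/mi
describe SWEN_EXE_NAME    Executable or zip attachment named like a Swen "patch"
score    SWEN_EXE_NAME    3.0
```

Drop the fragment into local.cf and run `spamassassin --lint` before reloading; a stray character in the long alternation will fail the lint rather than silently disable the rule. The `full` rule is the one with the false-positive risk Charles mentions: a legitimate "update1.zip" from a colleague matches it just as well, which is why its score here is deliberately kept below the spam threshold on its own and why the meta rule, not the attachment test, does the heavy lifting for the "critical patch" mails.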
