From: "Sylvain Robitaille" <[EMAIL PROTECTED]> | Well, it still hasn't worked, so I switched to something as simple as | you suggested (with the list of addressesI've seen instead of only the | one) and that seems to have actually stopped some... :-(
Try something like this as it works for us: Note: remove any word wrapping header __BAGLE_K_FROM From =~ /(?:management|administration|staff|noreply|support)\@/i body __BAGLE_K_BODY_1 /^(?:dear|hello) user/i body __BAGLE_K_BODY_21 /^Your e-mail account has been temporary disabled because of unauthorized access\./i body __BAGLE_K_BODY_22 /^Our main mailing server will be temporary unavaible for next two days, to continue receiving mail in these days you have to configure our free auto-forwarding service\./i body __BAGLE_K_BODY_23 /^Your e-mail account will be disabled because of improper using in next three days, if you are still wishing to use it, please, resign your account information\./i body __BAGLE_K_BODY_24 /^We warn you about some attacks on your e-mail account. Your computer may contain viruses, in order to keep your computer and e-mail account safe, please, follow the instructions\./i body __BAGLE_K_BODY_25 /^Our antivirus software has detected a large ammount of viruses outgoing from your email account, you may use our free anti-virus tool to clean up your computer software\./i body __BAGLE_K_BODY_26 /^Some of our clients complained about the spam \(negative e-mail content\) outgoing from your e-mail account\. Probably, you have been infected by a proxy-relay trojan server\. In order to keep your computer safe, follow the instructions\./i meta BAGLE_WORM_CE (__BAGLE_K_FROM && __BAGLE_K_BODY_1 && (?:__BAGLE_K_BODY_21 || __BAGLE_K_BODY_22 || __BAGLE_K_BODY_23 || __BAGLE_K_BODY_24 || __BAGLE_K_BODY_25 || __BAGLE_K_BODY_26)) describe BAGLE_WORM_CE Bagle/Beagle worm in Zip File DO NOT OPEN tflags BAGLE_WORM_CE learn score BAGLE_WORM_CE 120.0 Greg
