> #rawbody __JEFFCO_ATTACH /^Content-Type: application\/octet-stream; name=".+\.(pif|zip)"$/
> #describe __JEFFCO_ATTACH Message contains suspicious attachment.
> # NOTE that this might be worth using in other contexts, but for now I'm
> # including only those I've seen with this particular virus.
This test is suspicious. I think you have to do it on full rather than
rawbody to actually get it hit. My understanding is binary attachments
(including their descriptions) vanish in rawbody.
> describe JEFFCO_BAGLE_VARIANT Message contains a variant of the "Bagle/Beagle" virus
> score JEFFCO_BAGLE_VARIANT 20.0
>
> (Relabeled for reporting) - I removed the ATTACH rules (I'm using
> MailScanner) and it seems to be catching some, although I do see 0.01
> scores for _JEFFCO_BAGLE_VARIANT - not sure why that is.
Which seems VERY strange, as the score for that seems to be 20.0, not 0.01.
Loren
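To illustrate the rawbody-versus-full point, here is an added Python sketch (not from this thread or from SpamAssassin itself). It approximates SpamAssassin's `rawbody` as the undecoded textual MIME parts with all headers stripped and `full` as the whole raw message, and runs the quoted attachment regex against both on a constructed sample message:

```python
import email
import re

# Constructed sample message (not from the thread): a text part plus a .zip attachment.
SAMPLE_MSG = """\
From: sender@example.invalid
Subject: Re: Hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="==bnd=="

--==bnd==
Content-Type: text/plain; charset="us-ascii"

Your file is attached.

--==bnd==
Content-Type: application/octet-stream; name="document.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAAAAIQAAAAAAAAAAAAAAAAAAAAA=

--==bnd==--
"""

# The quoted rule's regex in Python syntax; anchors are applied per line (re.MULTILINE),
# which is how a header-matching rule like this is evidently meant to work.
SUSPICIOUS_ATTACH = re.compile(
    r'^Content-Type: application/octet-stream; name=".+\.(pif|zip)"$', re.MULTILINE)

def full_text(raw: str) -> str:
    """Approximation of SpamAssassin 'full': the whole raw message, headers included."""
    return raw

def rawbody_text(raw: str) -> str:
    """Approximation of SpamAssassin 'rawbody': undecoded content of the textual MIME
    parts only, with all headers stripped. Non-text attachments never appear here."""
    msg = email.message_from_string(raw)
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        chunks.append(part.get_payload(decode=False))
    return "\n".join(chunks)

def rule_hits(raw: str) -> dict:
    """Report whether the attachment regex fires on each scan target."""
    return {"full": bool(SUSPICIOUS_ATTACH.search(full_text(raw))),
            "rawbody": bool(SUSPICIOUS_ATTACH.search(rawbody_text(raw)))}
```

Running `rule_hits(SAMPLE_MSG)` gives a hit on `full` but none on `rawbody`, since the attachment's Content-Type header is never part of the rawbody text.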