OK, I see there's a new version of the ruleset (thanks!) but it doesn't
look like it'll account for the two false positives I spotted this morning.
Our logs showed two hits on FVGT_m_FORGED_CITIBNK that looked legit and
came from relays in the domain citibankcards.com. (The envelope sender on
both was [EMAIL PROTECTED]; I can only assume that the From
address ended in citibank.com.)
Forward and reverse DNS match, and whois matches citibank.com and
citicorp.com, so it's probably safe to assume they're legit.
Kelson Vibber
SpeedGate Communications <www.speed.net>
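The test the poster applied ("forward and reverse DNS match" for the relay) is forward-confirmed reverse DNS: take the relay IP from the Received: header, look up its PTR name, then check that the PTR name's A record maps back to the same IP before trusting the domain it claims. The block below is an added example of that check and is not code from the original message or from the ruleset being discussed. It uses a constructed, in-memory DNS table in place of live lookups so it runs offline; the header, the IPs and the hostnames are all made up.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for the relay IP in a Received: header.

Added example, not from the original post. Assumption: DNS answers come from an
injected resolver callable so the demo runs offline; a real deployment would query
the in-addr.arpa PTR and the A/AAAA records instead.
"""
import re

# Constructed lookup table standing in for live DNS (assumption for the demo).
FAKE_DNS = {
    ("PTR", "192.0.2.10"): ["relay1.citibankcards.com."],
    ("PTR", "198.51.100.7"): ["mail.example.net."],
    ("A", "relay1.citibankcards.com."): ["192.0.2.10"],
    # PTR claims mail.example.net, but that name resolves elsewhere: FCrDNS must fail.
    ("A", "mail.example.net."): ["198.51.100.99"],
}


def fake_resolver(qtype, name):
    """Return records for (qtype, name) from the constructed table; [] when absent."""
    return FAKE_DNS.get((qtype, name), [])


# Matches "from HELO (rdns [ip])" and "from HELO ([ip])" as most MTAs write them.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[]+)\s+)?\[(?P<ip>[0-9.]+)\]\)"
)


def relay_ip_from_received(header):
    """Extract the connecting relay's IP from one Received: header, or None."""
    m = RECEIVED_RE.search(header)
    return m.group("ip") if m else None


def normalize(name):
    """Strip the trailing dot and lowercase so names compare consistently."""
    return name.rstrip(".").lower()


def fcrdns_names(ip, resolver=fake_resolver):
    """Return the PTR names of `ip` whose A records contain `ip` again.

    A PTR record alone proves nothing: whoever controls the reverse zone can put
    any name there. Only names that resolve back to the same IP are kept.
    """
    confirmed = []
    for ptr in resolver("PTR", ip):
        if ip in resolver("A", ptr):
            confirmed.append(normalize(ptr))
    return confirmed


def in_domain(name, domain):
    """True if `name` is `domain` or a subdomain of it (suffix on a label boundary,
    so citibankcards.com does not match citibank.com)."""
    name, domain = normalize(name), normalize(domain)
    return name == domain or name.endswith("." + domain)


def relay_is_legit(header, allowed_domains, resolver=fake_resolver):
    """True only when the relay IP forward-confirms to a name in an allowed domain."""
    ip = relay_ip_from_received(header)
    if ip is None:
        return False
    return any(
        in_domain(name, domain)
        for name in fcrdns_names(ip, resolver)
        for domain in allowed_domains
    )


if __name__ == "__main__":
    # Constructed header, not taken from the poster's logs.
    hdr = ("Received: from relay1.citibankcards.com "
           "(relay1.citibankcards.com [192.0.2.10]) by mx.example.org")
    print(relay_is_legit(hdr, ["citibankcards.com", "citibank.com"]))
```

The `in_domain` test matches on a label boundary on purpose: a bare substring or `endswith("citibank.com")` comparison would also accept `notcitibank.com`, and it is the same reason `citibankcards.com` here has to be listed explicitly rather than inferred from `citibank.com`.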
