Hi
There seems to be a virus spreading; I've received it several times. It goes like this:
Subject: Returned mail: see transcript for details
Body:
Dear user of <maildomain>,
We have received reports that your email account has been used to send a huge amount of junk email during this week. Obviously, your computer was compromised and now runs a hidden proxy server.
Please follow our instructions in order to keep your computer safe.
Best regards, <maildomain> user support team.
Attached is a .pif file that no virus scanner (yet?) detects as spam.
So I wanted to write a rule against those sentences, but whatever I try, no rule will match....
I tried:
full _MKE_xVIRUS1 /We have received reports that your email account has been used to send a huge amount of junk email/i
full _MKE_xVIRUS2 /Obviously, your computer was compromised and now runs a hidden proxy server/i
and added a score and a description for each one.
I also tried body and rawbody, but still NO match at all!
The mail has a MIME type of multipart/mixed
and the first part is:
------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: text/plain;
    charset=us-ascii
Content-Transfer-Encoding: 7bit

<here comes the mail body...>
Am I doing something wrong that my rules won't trigger? The file should be read, as other rules out of the same file have matched regularly over the last few days...
Thanx
Matt
