As others will no doubt point out, SpamAssassin is not a virus scanner, and if you are getting viruses through your gateway you should be looking for a better virus scanner...

That said, I would use "body" tests rather than "full". Body tests will strip out invisible HTML codes from the mail, so you can match text as your mail reader displays it. Also, I would avoid trying to match a very long text string. Rather, look for unique keywords or phrases, like:

body VTEST1 /to send a huge amount of junk email/
describe VTEST1 phrase found in virus mails
score VTEST1 2.0

body VTEST2 /compromised and now runs a hidden proxy/
describe VTEST2 phrase found in virus mails
score VTEST2 2.0

body VTEST3 /instructions in order to keep your computer/
describe VTEST3 phrase found in virus mails
score VTEST3 2.0

It's best to make a set of rules and either use additive scoring or a META rule to combine them. That way, the occasional mail that may match one test will not be killed.

Pierre Thomson
BIC

-----Original Message-----
From: Matthias Keller [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 27, 2004 8:46 AM
To: [EMAIL PROTECTED]
Subject: Trying to catch those latest virii....

Hi

There seems to be a virus spreading, I've received it several times, it goes like this:

Subject: Returned mail: see transcript for details
Body:
Dear user of <maildomain>,
We have received reports that your email account has been used to send a huge amount of junk email during this week. Obviously, your computer was compromised and now runs a hidden proxy server. Please follow our instructions in order to keep your computer safe.
Best regards,
<maildomain> user support team.

Attached is a .pif file no virus scanner (yet?) detects as spam.

So I wanted to write a rule against those sentences, but whatever I try, no rule will match....

I tried:

full _MKE_xVIRUS1 /We have received reports that your email account has been used to send a huge amount of junk email/i
full _MKE_xVIRUS2 /Obviously, your computer was compromised and now runs a hidden proxy server/i

and added for each one a score and a description. I also tried body, rawbody but still NO match at all!

The mail has a MIME type of multipart/mixed and the first part is:

------=_NextPart_000_0001_F824EC38.FBF36544
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

<here comes the mail body...>

Am I doing something wrong that my rules won't trigger? The file should be read as other rules out of the same file matched regularly over the last few days...

Thanx
Matt
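
Added example (not part of the original thread): one way to write the META-rule combination suggested in the reply above, so that a single matching phrase scores nothing and the rule fires only when at least two of the three phrases appear. The rule names, description and score are hypothetical.

```conf
# Added example; rule names, description and score are hypothetical.
# A "__" prefix makes a sub-rule: it is evaluated but carries no score of its own.
# \s+ between words tolerates variable whitespace inside the phrase.
body __VPROXY_JUNK   /to\s+send\s+a\s+huge\s+amount\s+of\s+junk\s+email/i
body __VPROXY_HIDDEN /compromised\s+and\s+now\s+runs\s+a\s+hidden\s+proxy/i
body __VPROXY_INSTR  /instructions\s+in\s+order\s+to\s+keep\s+your\s+computer/i

# Fire only when at least two of the three phrases are present,
# so ordinary mail that happens to contain one of them is not penalised.
meta VPROXY_NOTICE ((__VPROXY_JUNK && __VPROXY_HIDDEN) || (__VPROXY_JUNK && __VPROXY_INSTR) || (__VPROXY_HIDDEN && __VPROXY_INSTR))
describe VPROXY_NOTICE Two or more phrases from the "hidden proxy" virus mail
score VPROXY_NOTICE 4.0
```

Running `spamassassin --lint` after editing the rules file reports syntax errors in it.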
