On Mon, 7 Feb 2005 [EMAIL PROTECTED] wrote: > > I just created a rule for the most common spams that have been making it > through SA, but for some reason, it's not showing up in the tests: > > body SEE_ATTACH /See attachment message.html/i > describe SEE_ATTACH body contains See attachment message.html > score SEE_ATTACH 5.0 > > --lint shows no problems....
(replying to my own post) I found out what the problem is, and it seems like it should be considered a bug in SA. The text in question is in the second line of the body of the message, and it seems it is being ignored by SA, because if I insert a couple of LFs to move it down, the rule kicks in. I had tried changing it from "body" to "header" (also tried "rawbody) and that didn't work. Here is a look at the offending message, sans the html attachment: Return-Path: <[EMAIL PROTECTED]> Delivered-To: [EMAIL PROTECTED] Received: (qmail 47948 invoked from network); 6 Feb 2005 07:17:59 -0000 Received: by simscan 1.0.7 ppid: 47553, pid: 47562, t: 29.0736s scanners:none Received: from unknown (HELO localhost) (213.98.12.243) by richard2.pil.net with SMTP; 6 Feb 2005 07:17:30 -0000 Message-ID: <[EMAIL PROTECTED]> From: "Halpern Helen"<[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Reply-To: "Halpern Helen"<[EMAIL PROTECTED]> Subject: 75% Off for All New Software. Date: dom, 06 feb 2005 08:17:22 +0100 MIME-Version: 1.0 X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2 X-Sender: "Halpern Helen"<[EMAIL PROTECTED]> Content-Type: multipart/mixed; boundary="------------56L352DTUJU4N2" X-Spam-Checker-Version: SpamAssassin 3.0.2 (2004-11-16) on mail.pil.net X-Spam-Status: No, score=3.8 required=6.0 tests=BAYES_00,FORGED_YAHOO_RCVD, INVALID_DATE,RCVD_IN_BL_SPAMCOP_NET autolearn=no version=3.0.2 X-Spam-Level: *** Parts/Attachments: 1 Shown 1 lines Text 2 OK ~23 KB Text ---------------------------------------- See attachment message.html [ Part 2, Text/HTML (Name: "message.html") 1 lines. ] [ Not Shown. Use the "V" command to view or save this part. ]