On 8 Nov 2017, at 14:15, Bill Cole wrote:
Of course that should be:
describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT1 Content-Type =~ /^(?<!multipart)\/mixed/
score SCC_MIME_BOGUSCT1 2
Hmmm... For some reason I do not understand, the anchor doesn't work,
so:
describe SCC_MIME_BOGUSCT1 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT1 Content-Type =~ /(?<!multipart)\/mixed/
score SCC_MIME_BOGUSCT1 2
A more conservative approach that barely catches more than Dianne's
example:
describe SCC_MIME_BOGUSCT2 Bogus /mixed Content-Type
header SCC_MIME_BOGUSCT2 Content-Type =~ /^mult[^i]*[^p]*art\/mixed/
score SCC_MIME_BOGUSCT2 2
Note that as a side-effect of the bad Content-Type, the message will
match both __EMPTY_BODY and __NONEMPTY_BODY, which might be an
interesting combination to look for.
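
Added example, not part of the original message: a Python check of the three patterns above against constructed Content-Type values, assuming Python's `re` module handles these constructs the same way Perl does. With `^`, the lookbehind and `\/mixed` are both evaluated at offset 0, so the anchored version fires only when the header value itself starts with `/mixed`. The rule labels and sample values are made up for this example.

```python
import re

# Patterns copied from the message; the labels are short names chosen here.
RULES = {
    "CT1_anchored": re.compile(r"^(?<!multipart)\/mixed"),
    "CT1": re.compile(r"(?<!multipart)\/mixed"),
    "CT2": re.compile(r"^mult[^i]*[^p]*art\/mixed"),
}

# Constructed Content-Type header values (not taken from real mail).
SAMPLES = [
    'multipart/mixed; boundary="b1"',   # well-formed
    'multart/mixed; boundary="b1"',     # mangled type, starts with "mult"
    'text/mixed',                       # wrong top-level type
    '/mixed',                           # value begins with the subtype
    'Multipart/mixed; boundary="b1"',   # legitimate; MIME types are case-insensitive
]


def hits(value):
    """Return the labels of the patterns that match a Content-Type value."""
    return [name for name, rx in RULES.items() if rx.search(value)]


if __name__ == "__main__":
    for value in SAMPLES:
        print(f"{value!r:40} -> {hits(value) or 'no hit'}")
```

The last sample shows that the lookbehind is case-sensitive as written, so a capitalised but valid `Multipart/mixed` also triggers the unanchored pattern.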