To answer your original question, though: your rules would work, but could easily cause false positives. I would suggest looking instead for the faked domain-specific portion:

body BOGUS_SERVER_AV /\"GEORGETOWNCOLLEGE\" Anti-Virus/
describe BOGUS_SERVER_AV Blocks Bogus AV Clean message
score BOGUS_SERVER_AV 20.0

Pierre Thomson
BIC

-----Original Message-----
From: Ronald I. Nutter [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 03, 2005 9:13 AM
To: users@spamassassin.apache.org
Subject: First attempt at writing SPAM rules

We are getting flooded this morning with email that contains the following item(s) in the body of the message -

*** Server-AntiVirus: No Virus (Clean)
*** "GEORGETOWNCOLLEGE" Anti-Virus
*** http://www.georgetowncollege.edu

OR

*** Attachment-Scanner: Status OK
*** "GEORGETOWNCOLLEGE" Anti-Virus
*** http://www.georgetowncollege.edu

Here is what I have created as a rule set -

body BOGUS_SERVER_AV /Server-AntiVirus:/
describe BOGUS_SERVER_AV Blocks Bogus AV Clean message
score BOGUS_SERVER_AV 20.0

body BOGUS_ATTACH_SCAN /Attachment-Scanner:/
describe BOGUS_ATTACH_SCAN Blocks Bogus Attach Scan message
score BOGUS_ATTACH_SCAN 20.0

Any suggestions?

Thanks,
Ron

--------------------------------------------------------------------
Ron Nutter [EMAIL PROTECTED]
Network Infrastructure & Security Manager
Information Technology Services (502)863-7002
Georgetown College
Georgetown, KY 40324-1696
--------------------------------------------------------------------
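
Added example, not part of either message: a small Python harness that parses the rules from this thread and runs them over three constructed message bodies, to show the false-positive difference the reply describes. The rule name BOGUS_DOMAIN_AV and the sample bodies are assumptions made for the illustration; Python's re module stands in for SpamAssassin's Perl matching, and 5.0 is SpamAssassin's default required_score.

```python
import re

# Rules from the thread in local.cf syntax. BOGUS_DOMAIN_AV is a hypothetical
# name for the reply's suggested rule, so it can sit beside the original two.
RULES_CF = r'''
body  BOGUS_SERVER_AV   /Server-AntiVirus:/
score BOGUS_SERVER_AV   20.0
body  BOGUS_ATTACH_SCAN /Attachment-Scanner:/
score BOGUS_ATTACH_SCAN 20.0
body  BOGUS_DOMAIN_AV   /\"GEORGETOWNCOLLEGE\" Anti-Virus/
score BOGUS_DOMAIN_AV   20.0
'''

# Constructed sample bodies: two copies of the forged footer, one legitimate mail.
SAMPLES = {
    'spam_server_av': 'See attachment.\n*** Server-AntiVirus: No Virus (Clean)\n'
                      '*** "GEORGETOWNCOLLEGE" Anti-Virus\n*** http://www.georgetowncollege.edu',
    'spam_attach_scan': 'Details attached.\n*** Attachment-Scanner: Status OK\n'
                        '*** "GEORGETOWNCOLLEGE" Anti-Virus\n*** http://www.georgetowncollege.edu',
    'ham_helpdesk': 'Our gateway stamps a Server-AntiVirus: line on scanned mail.\n'
                    'Is that expected?',
}

def parse_rules(cf):
    """Parse 'body NAME /regex/' and 'score NAME N' lines into {name: (regex, score)}."""
    patterns, scores = {}, {}
    for line in cf.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or parts[0].startswith('#'):
            continue
        kind, name, rest = parts
        if kind == 'body':
            m = re.fullmatch(r'/(.*)/(i?)', rest.strip())
            patterns[name] = re.compile(m.group(1), re.I if m.group(2) else 0)
        elif kind == 'score':
            scores[name] = float(rest)
    return {n: (p, scores.get(n, 1.0)) for n, p in patterns.items()}

def flagged(rule_names, required=5.0):
    """Return the sample names whose summed score from rule_names reaches `required`."""
    rules = {n: r for n, r in parse_rules(RULES_CF).items() if n in rule_names}
    out = []
    for name, body in SAMPLES.items():
        text = ' '.join(body.split())  # approximation: body rules see whitespace-collapsed text
        total = sum(s for p, s in rules.values() if p.search(text))
        if total >= required:
            out.append(name)
    return sorted(out)

if __name__ == '__main__':
    print('broad rules :', flagged({'BOGUS_SERVER_AV', 'BOGUS_ATTACH_SCAN'}))
    print('domain rule :', flagged({'BOGUS_DOMAIN_AV'}))
```
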