You're right in that it *could* be a common RTF header, but a bit of decoding of the attachments on my end seems to indicate that it isn't. All these spam RTFs are practically identical except for a different URL link in the document, and a different (probably forged) "generator Msftedit #.##.##.###" line.
I guess my question is more general: how do I write a rule that looks at the undecoded content of the emails, versus one that looks at the decoded parts? - Colin -- View this message in context: http://old.nabble.com/Help-with-new-rule%2C-and-local.cf-tp28775147p28780895.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
