On Thu, 2013-03-21 at 09:40 +0000, Sharma, Ashish wrote: > What would be the change in spam rule if the Content-Disposition field > is mime word encoded as per RFC 2047 ? > > Please find the sample eml at: > > http://pastebin.com/FLjzCsUZ > What's the problem with this message? The portion you've posted contains only text/plain and text/html parts: neither are harmful on the face of it and, unlike the message my rule was meant to catch, neither the name or the filename of the attachment are obviously executable or otherwise harmful.
Did you obfuscate the various names and e-mail addresses in the message? If so, you've probably removed anything that might be distinctive enough to write rules against. Martin