score XEROX 4
# don 2016-11-04
-header FEDEXPACKAGE subject=~/FedEx International|(unable to deliver|problem with).*(item|parcel)|shipment delivery problem|delivery notification/i
+header FEDEXPACKAGE subject=~/(FedEx International|USPS courier)|((unable to|could not) deliver|problems? with).*(item|parcel)|shipment delivery problem|delivery notification|USPS delivery/i
describe FEDEXPACKAGE Fedex Package Virus spam
score FEDEXPACKAGE 4
#don 2016-11-04
-header SHIPPING_ID subject =~ /(ID:?|ID|\#)\s*\d{8,}\s*$/
-describe SHIPPING_ID Contains a long ID number at the end
+header SHIPPING_ID subject =~ /(ID:?|ID|\#|n\.|UPS(| parcel))\s*\d{7,}\s*\)?\s*($|shipment|delivery)/
+describe SHIPPING_ID Contains a long ID number at the end or folled by shipment
score SHIPPING_ID 3
-meta FEDEX_ZIP (FEDEXPACKAGE || SHIPPING_ID ) && ZIPCOMPRESSED
+header SHIP_ID_INT subject =~ /(ID:?|ID|\#|n\.|UPS(| parcel))\s*\d{7,}\s*/
+describe SHIP_ID_INT Contains a long ID number inside
+score SHIP_ID_INT 1
+
+rawbody MSWORD /application\/msword/
+describe MSWORD Has a word attachment
+score MSWORD 2
+
+meta FEDEX_ZIP (FEDEXPACKAGE || SHIPPING_ID || SHIP_ID_INT ) && ( ZIPCOMPRESSED || ZIPFILE || MSWORD )
describe FEDEX_ZIP Fedex package with zip file
-score FEDEX_ZIP 3
+score FEDEX_ZIP 7