add rule for internal shipping id

author Don Armstrong <don@donarmstrong.com>

Fri, 9 Dec 2016 18:28:42 +0000 (10:28 -0800)

committer Don Armstrong <don@donarmstrong.com>

Fri, 9 Dec 2016 18:28:42 +0000 (10:28 -0800)
author Don Armstrong <don@donarmstrong.com>
Fri, 9 Dec 2016 18:28:42 +0000 (10:28 -0800)
committer Don Armstrong <don@donarmstrong.com>
Fri, 9 Dec 2016 18:28:42 +0000 (10:28 -0800)
diff --git a/common/virus_spam b/common/virus_spam

index 1129f2495e3fa57e9485d2e1f3e114dfae8699dc..ba76a8c093b604b846ccfac75e7e8d9df80913a8 100644 (file)
--- a/common/virus_spam
+++ b/common/virus_spam
@@ -104,10 +104,14 @@ header SHIPPING_ID subject =~ /(ID:?|ID|\#|n\.)\s*\d{8,}\s*$/
  describe SHIPPING_ID Contains a long ID number at the end
  score SHIPPING_ID 3
  
+header SHIP_ID_INT subject =~ /(ID:?|ID|\#|n\.)\s*\d{8,}\s*/
+describe SHIP_ID_INT Contains a long ID number inside
+score SHIP_ID_INT 1
+
  rawbody MSWORD    /application\/msword/
  describe MSWORD   Has a word attachment
  score MSWORD      2
  
-meta FEDEX_ZIP (FEDEXPACKAGE || SHIPPING_ID ) && ( ZIPCOMPRESSED || ZIPFILE || MSWORD )
+meta FEDEX_ZIP (FEDEXPACKAGE || SHIPPING_ID || SHIP_ID_INT ) && ( ZIPCOMPRESSED || ZIPFILE || MSWORD )
  describe FEDEX_ZIP Fedex package with zip file
  score FEDEX_ZIP 6
author	Don Armstrong <don@donarmstrong.com>
	Fri, 9 Dec 2016 18:28:42 +0000 (10:28 -0800)
committer	Don Armstrong <don@donarmstrong.com>
	Fri, 9 Dec 2016 18:28:42 +0000 (10:28 -0800)