From da17c41f9c42cff0ef2a5f0e5e74188b3ea03b9e Mon Sep 17 00:00:00 2001
From: Don Armstrong
Date: Wed, 17 May 2017 13:53:42 -0700
Subject: [PATCH] add more matches for shipping spam

---
 common/virus_spam | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/common/virus_spam b/common/virus_spam
index 5e88e97..fb5a2ea 100644
--- a/common/virus_spam
+++ b/common/virus_spam
@@ -95,16 +95,16 @@ describe XEROX Scanner malware
 score XEROX 4
 
 # don 2016-11-04
-header FEDEXPACKAGE subject=~/(FedEx International|USPS courier)|((unable to|could not) deliver|problems? with).*(item|parcel)|shipment delivery problem|delivery notification|USPS delivery/i
+header FEDEXPACKAGE subject=~/(FedEx International|USPS courier)|((unable to|could not) deliver|problems? with).*(item|parcel)|shipment delivery problem|delivery notification|US?PS delivery/i
 describe FEDEXPACKAGE Fedex Package Virus spam
 score FEDEXPACKAGE 4
 
 #don 2016-11-04
-header SHIPPING_ID subject =~ /(ID:?|ID|\#|n\.|UPS(| parcel))\s*\d{7,}\s*\)?\s*($|shipment|delivery)/
+header SHIPPING_ID subject =~ /(ID:?|ID|\#|n\.|UPS(| parcel)|code:?)\s*\d{7,}\s*\)?\s*($|shipment|delivery)/
 describe SHIPPING_ID Contains a long ID number at the end or folled by shipment
 score SHIPPING_ID 3
 
-header SHIP_ID_INT subject =~ /(ID:?|ID|\#|n\.|UPS(| parcel))\s*\d{7,}\s*/
+header SHIP_ID_INT subject =~ /(ID:?|ID|\#|n\.|UPS(| parcel)|code:?)\s*\d{7,}\s*/
 describe SHIP_ID_INT Contains a long ID number inside
 score SHIP_ID_INT 1
 
-- 
2.39.2
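Review bot: The `code:?` alternative added to SHIPPING_ID and SHIP_ID_INT is case-sensitive and has no word boundary, because neither rule carries the `/i` flag that FEDEXPACKAGE has. A subject written as `Code: 1234567` (constructed sample) is therefore missed, while a legitimate subject that ends in a long numeric error code, such as `exit code 2147483647` (also constructed), matches both rules and, going by the scores shown here, collects 3 + 1 points. Consider `\b(?i:code):?` for the new alternative in both patterns, and a comment above SHIPPING_ID recording a sample subject the rule was written against so the pattern can be re-checked later. The `US?PS delivery` change sits under `/i` and reads correctly.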