From 7d70654ff7df3260f06dc15d4fd7d2c6e03801e7 Mon Sep 17 00:00:00 2001
From: Don Armstrong
Date: Fri, 9 Dec 2016 10:28:42 -0800
Subject: [PATCH] add rule for internal shipping id

---
 common/virus_spam | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/common/virus_spam b/common/virus_spam
index 1129f24..ba76a8c 100644
--- a/common/virus_spam
+++ b/common/virus_spam
@@ -104,10 +104,14 @@ header SHIPPING_ID subject =~ /(ID:?|ID|\#|n\.)\s*\d{8,}\s*$/
 describe SHIPPING_ID Contains a long ID number at the end
 score SHIPPING_ID 3
 
+header SHIP_ID_INT subject =~ /(ID:?|ID|\#|n\.)\s*\d{8,}\s*/
+describe SHIP_ID_INT Contains a long ID number inside
+score SHIP_ID_INT 1
+
 rawbody MSWORD /application\/msword/
 describe MSWORD Has a word attachment
 score MSWORD 2
 
-meta FEDEX_ZIP (FEDEXPACKAGE || SHIPPING_ID ) && ( ZIPCOMPRESSED || ZIPFILE || MSWORD )
+meta FEDEX_ZIP (FEDEXPACKAGE || SHIPPING_ID || SHIP_ID_INT ) && ( ZIPCOMPRESSED || ZIPFILE || MSWORD )
 describe FEDEX_ZIP Fedex package with zip file
 score FEDEX_ZIP 6
-- 
2.39.2
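Review bot: The new `SHIP_ID_INT` pattern is the `SHIPPING_ID` pattern with the `$` dropped, so it matches a superset. Every subject that ends in a long ID now hits both rules and scores 3 + 1, and `SHIPPING_ID || SHIP_ID_INT` in the `FEDEX_ZIP` meta reduces to `SHIP_ID_INT` alone. If the intent is a weaker signal for IDs that appear only inside the subject, make the rule exclusive, e.g. `header SHIP_ID_INT subject =~ /(ID:?|ID|\#|n\.)\s*\d{8,}(?!\d)\s*\S/`; as written, the trailing `\s*` has no effect without the anchor. The meta change also means any mail with an 8+ digit reference anywhere in the subject plus a zip or Word attachment picks up the 6-point `FEDEX_ZIP` score on top of the component scores. That looks likely to catch legitimate order or ticket mail, so it is worth running against a ham corpus before deploying, and a comment above the rule stating the intended relationship to `SHIPPING_ID` would help.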