Quoting Jeremy Fairbrass:

> Hi Jack,
> Any chance of sharing your rules for this?!
>
> Cheers,
> Jeremy


Sure:

score BOBAX_GEN_SPAM_2 1.800
header BOBAX_GEN_SPAM_2 ALL =~ /^Message-Id:.*[0-9]{4}D[0-9]{3}\.[0-9]{6}\.[0-9]{5}\@[A-Z]{4}/m
describe BOBAX_GEN_SPAM_2 Has Bobax Generated Message-Id, type 2

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM ALL =~ /^Message-Id:.*EJXVWDA/m
describe BOBAX_GEN_SPAM Has Bobax Generated Message-Id

One fellow suggested that it might be more efficient to do this:

score BOBAX_GEN_SPAM 1.800
header BOBAX_GEN_SPAM Message-ID =~ /EJXVWDA/m
describe BOBAX_GEN_SPAM Has Bobax Generated Message-Id

but I wasn't sure if SA would detect the incorrect case on the
word "message-id" and then not realize the test, etc. Any suggestions?

jp

-- 
Framework? I don't need no steenking framework!

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com
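
An added example, not part of the original message and written in Python rather than SpamAssassin's Perl: it runs both rule forms from the post over constructed headers to show which text each form's regex actually sees. The sample Message-Id values, the helper names, and the case-insensitive header-name lookup in `hits_header_form` are assumptions of this example.

```python
import re
from email.parser import HeaderParser

# Python forms of the two posted Perl regexes (Perl writes the "@" as "\@").
RULES = {
    "BOBAX_GEN_SPAM": r"EJXVWDA",
    "BOBAX_GEN_SPAM_2": r"[0-9]{4}D[0-9]{3}\.[0-9]{6}\.[0-9]{5}@[A-Z]{4}",
}

def hits_all_form(raw_headers):
    """'header X ALL =~ /^Message-Id:.*PAT/m': regex over the raw header text."""
    return {name for name, pat in RULES.items()
            if re.search(r"^Message-Id:.*" + pat, raw_headers, re.M)}

def hits_header_form(raw_headers):
    """'header X Message-ID =~ /PAT/': regex over that header's value only.
    Assumption: the header name is looked up without regard to case."""
    values = HeaderParser().parsestr(raw_headers).get_all("Message-ID", [])
    return {name for name, pat in RULES.items()
            if any(re.search(pat, v) for v in values)}

def headers(msgid_line, subject="hello"):
    return f"From: a@example.invalid\n{msgid_line}\nSubject: {subject}\n"

# Constructed sample headers, not taken from real mail.
SAMPLES = {
    "type2_Id": headers("Message-Id: <0412D118.204455.31007@QWER.example.invalid>"),
    "type2_ID": headers("Message-ID: <0412D118.204455.31007@QWER.example.invalid>"),
    "type1_upper": headers("MESSAGE-ID: <77EJXVWDA01@mail.example.invalid>"),
    "subject_only": headers("Message-Id: <20050101.1@mail.example.invalid>", "EJXVWDA"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} ALL form: {sorted(hits_all_form(raw))}  "
              f"header form: {sorted(hits_header_form(raw))}")
```

In this example the ALL form depends on how the sender spelled the header name, because the regex itself contains the literal `Message-Id:`, while the per-header form only inspects the value.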