For what it's worth, I just pushed Henry's version of Joe's rules into the
3.2.x sa-updates.

--j.

Jack Pepper writes:
> Quoting Jeremy Fairbrass :
>
> > Hi Jack,
> > Any chance of sharing your rules for this?!
> >
> > Cheers,
> > Jeremy
>
> Sure:
>
> score BOBAX_GEN_SPAM_2 1.800
> header BOBAX_GEN_SPAM_2 ALL =~ /^Message-Id:.*[0-9]{4}D[0-9]{3}\.[0-9]{6}\.[0-9]{5}\@[A-Z]{4}/m
> describe BOBAX_GEN_SPAM_2 Has Bobax Generated Message-Id, type 2
>
> score BOBAX_GEN_SPAM 1.800
> header BOBAX_GEN_SPAM ALL =~ /^Message-Id:.*EJXVWDA/m
> describe BOBAX_GEN_SPAM Has Bobax Generated Message-Id
>
> One fellow suggested that it might be more efficient to do this:
>
> score BOBAX_GEN_SPAM 1.800
> header BOBAX_GEN_SPAM Message-ID =~ /EJXVWDA/m
> describe BOBAX_GEN_SPAM Has Bobax Generated Message-Id
>
> but I wasn't sure if SA would detect the incorrect case on the
> word "message-id" and then not realize the test, etc. Any suggestions?
>
> jp
>
> --
> Framework? I don't need no steenking framework!
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com
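
Added example, not part of the original messages or of SpamAssassin: a Python emulation of the two rule forms quoted above, run over constructed headers. It shows that the `ALL` form depends on the literal spelling `Message-Id:` in the raw header text, while a per-header rule only sees the header's value. The case-insensitive header lookup is the behaviour of Python's `email` package and is an assumption here; all sample Message-Id values and helper names are constructed.

```python
import re
from email.parser import HeaderParser

# Rule bodies from the thread, transcribed to Python's re syntax (/m -> re.M).
ALL_TYPE1 = re.compile(r"^Message-Id:.*EJXVWDA", re.M)
ALL_TYPE2 = re.compile(
    r"^Message-Id:.*[0-9]{4}D[0-9]{3}\.[0-9]{6}\.[0-9]{5}\@[A-Z]{4}", re.M)
NAMED_TYPE1 = re.compile(r"EJXVWDA", re.M)

# Constructed Message-Id values (not taken from real mail).
TYPE1_ID = "<EJXVWDA0001@host.example.invalid>"
TYPE2_ID = "<0412D305.600214.77120@QWERTY.example.invalid>"
CLEAN_ID = "<20070101120000.ab12cd@mail.example.invalid>"


def make_headers(field_name, msgid, extra=""):
    """Build a constructed header block with the given Message-Id spelling."""
    return ("From: sender@example.invalid\n"
            f"{field_name}: {msgid}\n"
            f"{extra}"
            "Subject: constructed sample\n\n")


def hits_all_form(raw_headers, rule):
    """Emulate 'header X ALL =~ /.../m': regex over the raw header text."""
    return rule.search(raw_headers) is not None


def hits_named_form(raw_headers, rule, name="Message-ID"):
    """Emulate 'header X Message-ID =~ /.../': regex over that header's value.
    Assumption: header names are looked up case-insensitively, which is what
    Python's email package does."""
    msg = HeaderParser().parsestr(raw_headers)
    return any(rule.search(value) for value in msg.get_all(name, []))


if __name__ == "__main__":
    for spelling in ("Message-Id", "Message-ID", "message-id"):
        hdrs = make_headers(spelling, TYPE1_ID)
        print(f"{spelling:11} ALL form: {hits_all_form(hdrs, ALL_TYPE1)!s:5} "
              f"named form: {hits_named_form(hdrs, NAMED_TYPE1)}")
```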