Never in the darkest days of Klez was it this bad. Overnight I got 300+ virus mails from "support@microsoft.com". THREE HUNDRED! Fortunately, SpamAssassin was ready.
For anyone else caught by this, here's my rules:
header FROM_SUPPORTMICROSOFT From =~ /\bsupport\@microsoft\.com\b/ describe FROM_SUPPORTMICROSOFT From: support@microsoft.com (virus) score FROM_SUPPORTMICROSOFT 1.5
rawbody BODY_SUPPORTMICROSOFT /^All information is in the attached file\.\s*$/m describe BODY_SUPPORTMICROSOFT support@microsoft.com virus body score BODY_SUPPORTMICROSOFT 1.5
meta SUPPORTMICROSOFT_VIRUS FROM_SUPPORTMICROSOFT && BODY_SUPPORTMICROSOFT describe SUPPORTMICROSOFT_VIRUS support@microsoft.com virus score SUPPORTMICROSOFT_VIRUS 6.5
# If it's support@microsoft.com, just toss the damn thing
:0
* ^From:.*support\@microsoft\.com
/dev/null
Re:You're too kind
merlyn on 2003-05-20T17:17:45
How appropriate that you're sending M$ support to/dev/null, because that's where it comes from as well. {grin}