I'm new to SpamFilter, and have a question about the Keyword Filtering.
If a message has a file attachment, is the entire message scanned for keywords including the MIME portion containing the attachment? Or just the main message body itself?
I tried a RegEx statement to catch some of the SWEN virus crap by looking for the more common names of the file attachment. The virus bypasses the filtering by attaching the MS HTML Notice and infected file as file attachments. The raw message then just has 2 MIME sections and keywords can't be used to catch a thing.
(I know I know.. I should just rely on the anti-virus engine to handle this, but we get a lot of users asking about the residual fake MS Notice still being sent to them).
The RegEx statement is:
(\b(patch|upgrade|update|installer|install|pack|q)\d{0,6}(\.exe|\.zip|\.com|\.pif))
It works in the RegEx Test region by catching the MIME info in the message:
---MOQ1064520418e5535a1509346a8b2a8d2d47da9f337c
Content-Type: application/octet-stream; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.exe"
But... it doesn't work in the actual live environment.
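
An added example, not part of the original post and not SpamFilter's own code: a Python sketch showing where the pattern above can and cannot match in a message whose only parts are two attachments. The sample message, the function names and the case-insensitive flag are assumptions made for illustration.

```python
import re
from email import message_from_string

# Pattern copied from the post; re.I is an assumption (the post does not
# say how the filter treats case).
PATTERN = re.compile(
    r"(\b(patch|upgrade|update|installer|install|pack|q)\d{0,6}(\.exe|\.zip|\.com|\.pif))", re.I)

# Constructed sample: two attachment parts, no inline text body.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY-constructed"

--BOUNDARY-constructed
Content-Type: text/html; name="notice.html"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="notice.html"

PGh0bWw+PC9odG1sPg==
--BOUNDARY-constructed
Content-Type: application/octet-stream; name="patch.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="patch.exe"

Y29uc3RydWN0ZWQ=
--BOUNDARY-constructed--
"""

def attachment_names(raw):
    """Filenames declared in the MIME headers of each part
    (Content-Disposition filename=, falling back to Content-Type name=)."""
    parts = message_from_string(raw).walk()
    return [p.get_filename() for p in parts if p.get_filename()]

def inline_text(raw):
    """Decoded inline text parts: what a body-only keyword scan would see."""
    out = []
    for p in message_from_string(raw).walk():
        if p.get_content_maintype() == "text" and p.get_content_disposition() != "attachment":
            data = p.get_payload(decode=True) or b""
            out.append(data.decode(p.get_content_charset() or "latin-1", "replace"))
    return out

def scan(raw):
    """Apply the pattern to three views of the same message."""
    return {
        "body": [m.group(0) for t in inline_text(raw) for m in PATTERN.finditer(t)],
        "filenames": [n for n in attachment_names(raw) if PATTERN.search(n)],
        "raw": [m.group(0) for m in PATTERN.finditer(raw)],
    }
```

A scan limited to the decoded body finds nothing here, while a scan of the per-part headers or of the raw message text matches `patch.exe`.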