trinity-users@lists.pearsoncomputing.net

Month: March 2016

Re: [trinity-users] Hopeing I can find a regex expert here

From: Gene Heskett <gheskett@...>
Date: Thu, 24 Mar 2016 11:15:36 -0400
On Wednesday 23 March 2016 17:59:07 Gene Heskett wrote:

> On Wednesday 23 March 2016 10:11:39 Michele Calgaro wrote:
> > On 03/23/2016 11:03 PM, Gene Heskett wrote:
> > > That's great as I can remove about 1/2 of the rules by combining
> > > them so.
> > >
> > > Thank you Michelle.
> >
> > Well,
> > you should thank E. Liddell for this one ;-)
> > Cheers
> >   Michele
>
> Ohhhkaay, thanks Mr. E. Liddell. :)

I am getting a little schmardter, but not enough. One thing that stands
out is that the spams that it misses have had another one line, first
line header line inserted:
=================================
From gene  Thu Mar 24 09:11:22 2016
Received: from localhost by coyote.coyote.den
	with SpamAssassin (version 3.4.0);
	Thu, 24 Mar 2016 09:11:23 -0400
From: "Alliance Security" <AllianceSecurity@...>
To: <gheskett@...>
Subject: Alliance security Solution
Date: Thu, 24 Mar 2016 06:10:52 -0700
==================================
It should have triggered on the _real_ "From:" line, but didn't.
Yet it did trigger on several others from that same tld.

And that's the whole thing, next is the spamassassin stuff.
And except for the real From: line, it is totally bogus, unless some
A.H. has figured out how to compromise a Linux email system that is NOT
built like the usual Linux email chain.

I'll do some more system snooping, but the two rootkit finders we have
haven't been updated in years that I'm aware of.

Thanks folks.

Cheers, Gene Heskett
-- 
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
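
Added example, not part of the original message: the extra first line quoted above has the shape of an mbox `From ` separator, which Python's `email` parser keeps apart from the `From:` header, so a sender pattern can be tested against the parsed header rather than the raw text. The addresses, the `.example` domain and the `SENDER_RULE` pattern are constructed placeholders, since the archive elides the real ones.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the message.
# Addresses are placeholders; the archive elides the real ones.
RAW = (
    "From gene  Thu Mar 24 09:11:22 2016\n"
    "Received: from localhost by coyote.coyote.den\n"
    "\twith SpamAssassin (version 3.4.0);\n"
    "\tThu, 24 Mar 2016 09:11:23 -0400\n"
    'From: "Alliance Security" <AllianceSecurity@spam.example>\n'
    "To: <user@host.example>\n"
    "Subject: Alliance security Solution\n"
    "Date: Thu, 24 Mar 2016 06:10:52 -0700\n"
    "\n"
    "body text\n"
)

# Hypothetical rule: sender address in any domain under .example
SENDER_RULE = re.compile(r"@(?:[\w-]+\.)*example$", re.IGNORECASE)


def split_envelope(raw):
    """Return (mbox separator line or None, value of the From: header)."""
    msg = email.message_from_string(raw)
    return msg.get_unixfrom(), msg["From"]


def raw_text_hit(raw, flags=0):
    """Match '^From:' against the raw text. Without re.MULTILINE, '^'
    only matches at the very start, where the separator line sits."""
    return re.search(r"^From:.*\.example", raw, flags) is not None


def parsed_header_hit(raw):
    """Match the rule against the address parsed out of the From: header,
    independent of what precedes that header in the file."""
    _, from_header = split_envelope(raw)
    _, address = parseaddr(from_header or "")
    return SENDER_RULE.search(address) is not None


if __name__ == "__main__":
    print(split_envelope(RAW))
    print(raw_text_hit(RAW), raw_text_hit(RAW, re.MULTILINE))
    print(parsed_header_hit(RAW))
```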