/[smeserver]/rpms/spamassassin/sme10/bogus-virus-warnings.cf
ViewVC logotype

Annotation of /rpms/spamassassin/sme10/bogus-virus-warnings.cf

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (hide annotations) (download)
Fri Feb 5 16:20:38 2016 UTC (8 years, 9 months ago) by vip-ire
Branch: MAIN
CVS Tags: spamassassin-3_4_1-1_el7_sme
sme10 branch

1 vip-ire 1.1 # bogus-virus-warnings.cf version 1.160 (2005-06-22) - NB new Rules Emporium address
2     # NB (2005-06-07) I still have a backlog of submissions so if yours hasn't
3     # made it in yet, it's nothing personal. Bear with me - thanks, TJ.
4    
5     # Collated and maintained by Tim Jackson (tim@timj.co.uk)
6     # Latest version at:
7     #
8     # - http://www.rulesemporium.com/rules/bogus-virus-warnings.cf
9     # - http://www.timj.co.uk/linux/bogus-virus-warnings.cf
10     #
11     # Lists bogus virus warnings and similar
12     # This file is encoded using ISO-8859-1
13    
14     # ------------ NEWS - 2004-04-03 --------------
15     # READ THIS CAREFULLY - CHECK YOUR SETUP!
16     # To reduce the risk of false positives, some rules now have checks to make
17     # sure that the message is a bounce. This checking is currently only enabled
18     # for rules that would match it irrelevant of Return-Path, but will soon
19     # be added to rules for which we need to determine for certain that the
20     # envelope sender (return path) is null. However, if you are scanning at SMTP
21     # time, and your MTA hasn't at that time inserted the Return-Path header
22     # (e.g. Exim/Exiscan), or an X-Envelope-From header (which I am told is added
23     # by amavisd-new), we can't necessarily tell that it is a bounce, so in
24     # that case you need to either get your MTA to add a header X-Is-A-Bounce: 1
25     # which tells us that it has a null sender, or disable the bounce checking.
26     # To disable bounce-checking, put this in your local.cf:
27     # meta __REPORT_DSN 1
28     #
29     # You can add an X-Is-A-Bounce header with Exim 4 using the following rule
30     # in your RCPT ACL:
31     #
32     # warn message = X-Is-A-Bounce: 1
33     # senders = :
34     #
35     # (You may wish to add "headers_remove"/"headers remove" directives to your
36     # remote_smtp router and system filter respectively, to strip these out again
37     # before the message is delivered)
38    
39    
40     # ----------- UPDATES & CONTRIBUTIONS ---------
41     # This ruleset is updated regularly; check for updates every now and then
42     # Automatic updates are OK, although please don't check too often.
43     # (More than once per day is too often)
44     # If you are checking automatically, please use appropriate methods
45     # (including HTTP HEAD) to avoid downloading unchanged versions.
46     # You can use the Rules du Jour script to easily check for updates in a
47     # responsible way: http://www.exit0.us/index.php/RulesDuJour
48    
49     # Contributions/comments/corrections etc. are more than welcome, particularly
50     # complete samples of bogus warnings not caught by this rule. Please send to
51     # the following e-mail address: spam \-at/ timj.co.uk (replacing " \-at/ " with "@")
52     # PLEASE send complete samples (ideally as an attachment) if at all possible -
53     # it helps me maintain an archive for regression testing and so on.
54    
55     # There is a Postfix derivative of this (not identical) by Niels
56     # Callesøe at: http://www.t29.dk/antiantivirus.txt
57    
58     # A procmail derivative (derivative of a derivative!) of Niels's Postfix
59     # version is here: http://pekaje.homeip.net/antiantivirus_procmail.txt
60    
61     # A useful ruleset by Martin Blapp that has some overlap with this but has
62     # slightly different aims can be found at: http://mx.imp.ch/worm_found.cf
63    
64     # Contributors: (if I've missed anyone, I apologise - please let me know)
65     # TJ = Tim Jackson <tim@timj.co.uk>
66     # DD = Dennis Davis <ccsdhd/at\bath.ac.uk>
67     # BM = Brian Martin (indirectly via website article)
68     # see http://www.attrition.org/security/rant/av-spammers.html
69     # PV = Paul Vixie (indirectly via NANOG mailing list)
70     # see http://www.merit.edu/mail.archives/nanog/2004-01/msg00821.html
71     # and http://www.merit.edu/mail.archives/nanog/msg01014.html
72     # AF = Alan J. Flavell <a-dot-flavell/at/physics.gla.ac.uk>
73     # CE = Chris Edwards <C\dot\Edwards-at@-compserv.gla.ac.uk>
74     # NC = Niels Callesoe <nica\at/t29-dot-dk>
75     # JB = Jethro R Binks <jethro=dot=binks\@strath.ac.uk>
76     # ESR = Eric S. Raymond <esr\\a@t/snark.thyrsus^com>
77     # EA = Ed Avis <ed\at/membled.com>
78     # HP = Herb Peyerl <hpeyerl//at.beer.org>
79     # JBB = John B Batzel <batzel a t seas.upenn.edu>
80     # SC = Stephane Clodic <sclodic//at\teaser.fr>
81     # MK = Martin Kutschker <Martin-dot-Kutschker'at'blackbox.net>
82     # PB = Pieter B <PieterB-at/gewis.nl>
83     # PSI = Per Steinar Iversen <PerSteinar.Iversen/at/adm.hio.no>
84     # HPK = Homer Parker <hparker-at-pcsrvc.com>
85     # DJM = Damian Miller <djm/at/mindrot.org>
86     # VS = Jay 'veggiespam' Ball <jay//-at=veggiespam.com>
87     # NL = Nick Leverton <nick\-at$leverton.org>
88     # MR = Michael Roth <mroth%at%nessie.de>
89     # JT = Jona Tallieu <jona=at=tnt.be>
90     # VD = Vincent Deffontaines <vincent.deffontaines/at/coe.int>
91     # HD = Harald Deppeler
92     # DP = David Precious <dave=at=preshweb.co.uk>
93     # AS = Andreas Steinmetz <ast!at!domdv.de>
94     # GD = Guido Dorssers <g/dot/h/dot/j/dot/dorssers-at\ruiver.frontierfleet.net>
95     # MB = Martin Blapp <mb-at-imp.ch>
96     # RP = Rob van der Putten <rob=at-sput.nl>
97     # PBR = Peter Bieringer <pb\\at\bieringer.de>
98     # PC = Paul Cormier <pcormier--at--win-soft.com>
99     # TV = Tjerk Vonck <tjerk^^at/mirc.com>
100     # ML = Maurice Lucas <mslucas%at%taos-it.nl>
101     # MM = Marek Michalkiewicz <marekm(at)amelek.gda.pl>
102     # HB = Hanno Boeck <mail$at*hboeck.de>
103     # RN = Ronald I. Nutter <ronald_nutter#@!georgetowncollege.edu>
104     # JK = Josh Kelley <josh@@@@jbc.edu>
105    
106    
107     # ---------- BOUNCE DETECTION ---------
108     # General rule to indicate bounce or otherwise - used for some other rules
109     header __BOUNCE_HEADER X-Is-A-Bounce =~ /.{1,50}/
110    
111     # This won't match for scanning done at SMTP time, at least with Exim
112     header __BOUNCE_RP1 Return-Path =~ /^<>$/
113    
114     # NL says this is added by amavisd-new before passing to SA
115     header __BOUNCE_RP2 X-Return-Path =~ /^<>$/
116    
117     # Mark Martinec says the above is incorrect, and it's X-Envelope-From
118     header __BOUNCE_RP3 X-Envelope-From =~ /^<>$/
119    
120     meta __NULL_SENDER __BOUNCE_HEADER || __BOUNCE_RP1 || __BOUNCE_RP2 || __BOUNCE_RP3
121    
122     # Thanks to AF
123     header __CT_DEL_STATUS Content-Type =~ /report-type=delivery-status/
124    
125     meta __REPORT_DSN __NULL_SENDER || __CT_DEL_STATUS
126    
127    
128     # The rules are now slowly getting meta-information added to them, in the
129     # form of a "DSN:" message above the rule. The codes in this correspond to
130     # the following meanings:
131     #
132     # Null = Messages always come with null sender
133     # CT = Message always come with Content-Type =~ /report-type=delivery-status/
134     # !Attach = This rule matches the content of an attachment which has replaced
135     # a virus, so the Null/CT rules could conceivably vary
136     # A rule with a leading question mark means status unknown, for example:
137     # "DSN: Null, ?CT" means we know it always has a null sender, but not sure
138     # whether it has the Content-Type match.
139    
140    
141     # ---------- THE RULES PROPER -----------
142    
143     blacklist_from antivirus@webtar.hu
144     blacklist_from asterix@ars.de
145     blacklist_from deadletter@wingateweb.com
146     blacklist_from mailsweeper@tso.co.uk
147     blacklist_from us-interscan.admins@alcatel.com
148     blacklist_from virus@praca.gov.pl
149    
150    
151     # TJ/HPK
152     header VIRUS_WARNING1 Subject =~ /^(NDN: )?\{(Virus|Filename)\?\}/i
153     describe VIRUS_WARNING1 Unhelpful 'virus warning' (1)
154     score VIRUS_WARNING1 20
155    
156     # TJ
157     header VIRUS_WARNING2 Subject =~ /Virus Detected by Network Associates, Inc\. Webshield/
158     describe VIRUS_WARNING2 Unhelpful NAI Webshield 'virus warning' (2)
159     score VIRUS_WARNING2 20
160    
161     # TJ
162     header VIRUS_WARNING3 Subject =~ /^---- Virus Detected ----$/
163     describe VIRUS_WARNING3 Unhelpful Mail Marshal 'virus warning' (3)
164     score VIRUS_WARNING3 20
165    
166     # TJ/TV
167     # "Virus detected" is Tobit. "Virus Detected" seen from bang.ca.
168     header VIRUS_WARNING4 Subject =~ /^Virus detected$/i
169     describe VIRUS_WARNING4 Unhelpful 'virus warning' (4)
170     score VIRUS_WARNING4 20
171    
172     # TJ
173     header VIRUS_WARNING4A Subject =~ /^Virus Detected:status/
174     describe VIRUS_WARNING4A Unhelpful MailSweeper 'virus warning' (4A)
175     score VIRUS_WARNING4A 20
176    
177     # TJ/HPK/AF
178     header VIRUS_WARNING5 Subject =~ /^Virus (Alert|Warning|intercepted)!?$/i
179     describe VIRUS_WARNING5 Unhelpful 'virus warning' (5)
180     score VIRUS_WARNING5 20
181    
182     # TJ/VS
183     header VIRUS_WARNING6 Subject =~/^InterScan (NT|Virus) Alert$/
184     describe VIRUS_WARNING6 Unhelpful InterScan 'virus warning' (6)
185     score VIRUS_WARNING6 20
186    
187     # TJ
188     header VIRUS_WARNING7 Subject =~/^Virus found in the message$/
189     describe VIRUS_WARNING7 Unhelpful 'virus warning' (7)
190     score VIRUS_WARNING7 20
191    
192     # TJ
193     header VIRUS_WARNING8 Subject =~/^Message quarantined$/
194     describe VIRUS_WARNING8 Unhelpful 'virus warning' (8)
195     score VIRUS_WARNING8 20
196    
197     # TJ
198     # VIRUS_WARNING9 now rolled into VIRUS_WARNING5
199    
200     # TJ
201     header VIRUS_WARNING10 Subject =~/^Virus found in e-mail \(/
202     describe VIRUS_WARNING10 Unhelpful Netpilot VPN 'virus warning' (10)
203     score VIRUS_WARNING10 20
204    
205     # TJ
206     header VIRUS_WARNING11 Subject =~/^MDaemon Warning - Virus Found/
207     describe VIRUS_WARNING11 Unhelpful MDaemon 'virus warning' (11)
208     score VIRUS_WARNING11 20
209    
210     # TJ
211     header VIRUS_WARNING12 From =~/F-Secure Anti-Virus for Internet Mail/
212     describe VIRUS_WARNING12 Unhelpful F-Secure 'virus warning' (12)
213     score VIRUS_WARNING12 20
214    
215     # TJ
216     rawbody VIRUS_WARNING13 /If you meant to send this file then please/
217     describe VIRUS_WARNING13 Unhelpful Exim system_filter 'virus warning'? (13)
218     score VIRUS_WARNING13 3
219    
220     # TJ
221     rawbody VIRUS_WARNING14 /package it up as a zip file and resend it/
222     describe VIRUS_WARNING14 Looks like Exim system_filter 'virus warning' (14)
223     score VIRUS_WARNING14 3
224    
225     # TJ
226     meta VIRUS_WARNING_EXIM VIRUS_WARNING13 && VIRUS_WARNING14
227     describe VIRUS_WARNING_EXIM Unhelpful Exim system_filter 'virus warning'
228     score VIRUS_WARNING_EXIM 6
229    
230     # TJ/JT
231     header VIRUS_WARNING15 Subject =~ /^(Warning: E-mail viruses detected|Waarschuwing: E-mail virus ontdekt)$/
232     describe VIRUS_WARNING15 Unhelpful MailScanner 'virus warning' (15)
233     score VIRUS_WARNING15 20
234    
235     # TJ/PSI/AF
236     header VIRUS_WARNING16 Subject =~ /^ScanMail Message: To (Sender|Recipient) (virus found|file blocking settings matched)/
237     describe VIRUS_WARNING16 Unhelpful ScanMail/Exch 'virus warning' (16)
238     score VIRUS_WARNING16 20
239    
240     # TJ
241     rawbody VIRUS_WARNING17 /The uncleanable file is deleted\./
242     describe VIRUS_WARNING17 Unhelpful Cisco 'virus warning' (17)
243     score VIRUS_WARNING17 10
244    
245     # TJ/DD/PSI/TV
246     # Often customised.
247     # TJ: removed end-assertion (2004-06-06) to catch customisations
248     # NC has seen caseless version "Virus in mail from you."
249     # TV has seen "Banned file: "data.doc.pif" in mail from you"
250     header VIRUS_WARNING18 Subject =~/^(VIRUS|BANNED FILENAME|banned file:|BANNED) .{1,99}(IN YOUR MAIL|w Twoim mejlu|IN (A )?MAIL FROM YOU|NO SEU EMAIL)/i
251     describe VIRUS_WARNING18 Unhelpful 'virus warning' (18)
252     score VIRUS_WARNING18 20
253    
254     # TJ
255     # Added optional space in v1.11 thanks to CE
256     # See also 299
257     header VIRUS_WARNING19 Subject =~/^Norton Anti ?Virus detected/
258     describe VIRUS_WARNING19 Unhelpful Norton AntiVirus 'virus warning' (19)
259     score VIRUS_WARNING19 20
260    
261     # Rule 20 deprecated in favour of modified rule #18
262     # (DD: Subject: VIRUS (blah) IN YOUR MAIL)
263    
264     # DD/MK
265     header VIRUS_WARNING21 Subject =~ /^Antigen found (VIRUS|FILE)/
266     describe VIRUS_WARNING21 Unhelpful Antigen 'virus warning' (21)
267     score VIRUS_WARNING21 20
268    
269     # TJ
270     rawbody VIRUS_WARNING22 /^Panda Antivirus has taken the following actions/
271     describe VIRUS_WARNING22 Unhelpful Panda Antivirus 'virus warning' (22)
272     score VIRUS_WARNING22 20
273    
274     # TJ
275     header VIRUS_WARNING23 Subject =~ /^Filter incident$/
276     describe VIRUS_WARNING23 Unhelpful Panda Antivirus 'virus warning'? (23)
277     score VIRUS_WARNING23 4
278    
279     # TJ
280     rawbody VIRUS_WARNING24 /^<<< 554 TRANSACTION FAILED - Unrepairable Virus/
281     describe VIRUS_WARNING24 Unhelpful AOL 'virus warning' (24)
282     score VIRUS_WARNING24 20
283    
284     # DD
285     rawbody VIRUS_WARNING25 /^Network Associates WebShield SMTP.{1,99}detected virus/
286     describe VIRUS_WARNING25 Unhelpful Network Associates 'virus warning' (25)
287     score VIRUS_WARNING25 20
288    
289     # TJ
290     rawbody VIRUS_WARNING26 /^The name\(s\) of the blocked file\(s\) follow:/
291     describe VIRUS_WARNING26 Unhelpful 'virus warning' (26)
292     score VIRUS_WARNING26 20
293    
294     # TJ
295     rawbody VIRUS_WARNING27 /V I R U S A L E R T/
296     describe VIRUS_WARNING27 Unhelpful amavisd 'virus warning' (27)
297     score VIRUS_WARNING27 20
298    
299     # TJ
300     # Modified to remove "^Our" (thanks CE) as is sometimes customised like so:
301     # "The University of xxxx virus detector...."
302     rawbody VIRUS_WARNING28 /virus detector has just been triggered by a message you sent/
303     describe VIRUS_WARNING28 Unhelpful MailScanner 'virus warning' (28)
304     score VIRUS_WARNING28 20
305    
306     # TJ
307     header VIRUS_WARNING29 Subject =~ /^Vírus figyelmeztetés! Virus warning!$/
308     describe VIRUS_WARNING29 Unhelpful Hungarian 'virus warning' (29)
309     score VIRUS_WARNING29 20
310    
311     # TJ
312     body VIRUS_WARNING30 /The mail was deleted on the mailserver. The sender was informed about this incident/
313     describe VIRUS_WARNING30 Unhelpful 'virus warning' (30)
314     score VIRUS_WARNING30 20
315    
316     # DD
317     rawbody VIRUS_WARNING31 /^The Declude Virus.{0,50}software on our mail server detected the/
318     describe VIRUS_WARNING31 Unhelpful Declude Virus software warning (31)
319     score VIRUS_WARNING31 20
320    
321     # TJ
322     body VIRUS_WARNING32 /^\/infected with \w/
323     describe VIRUS_WARNING32 Unhelpful qmail-plugin virus warning (32)
324     score VIRUS_WARNING32 5
325    
326     # BM
327     body VIRUS_WARNING33 /^The virus detector said this about the message/
328     describe VIRUS_WARNING33 Unhelpful MailScanner virus warning (33)
329     score VIRUS_WARNING33 12
330    
331     # BM/AF
332     header VIRUS_WARNING34 Subject =~ /^Symantec (AVF|Mail Security|AntiVirus(\/Filtering)?) (for (Lotus Notes|Domino) )?detected/
333     describe VIRUS_WARNING34 Unhelpful Symantec virus warning (34)
334     score VIRUS_WARNING34 20
335    
336     # BM/MK
337     # Borderware MXtreme Firewall
338     body VIRUS_WARNING35 /was stopped and (Rejected|Quarantined) because it contains one or more (viruses|forbidden attachments)/
339     describe VIRUS_WARNING35 Unhelpful BorderWare MXtreme virus warning (35)
340     score VIRUS_WARNING35 8
341    
342     # BM
343     header VIRUS_WARNING36 Subject =~ /^Returned due to virus;/
344     describe VIRUS_WARNING36 Unhelpful 'virus warning' (36)
345     score VIRUS_WARNING36 20
346    
347     # PV
348     header VIRUS_WARNING37 Subject =~ /^Anti-Virus Notification/
349     describe VIRUS_WARNING37 Unhelpful 'virus warning' (37)
350     score VIRUS_WARNING37 12
351    
352     # PV/JT
353     # was Subject /^BANNED FILENAME .{0,99}IN MAIL FROM YOU/
354     # obsoleted by 18
355    
356     # PV
357     header VIRUS_WARNING39 Subject =~ /^File blocked - ScanMail for Lotus/
358     describe VIRUS_WARNING39 Unhelpful ScanMail 'virus warning' (39)
359     score VIRUS_WARNING39 12
360    
361     # PV
362     header VIRUS_WARNING40 Subject =~ /^Message deleted/
363     describe VIRUS_WARNING40 Unhelpful 'virus warning' (40)
364     score VIRUS_WARNING40 20
365    
366     # PV
367     header VIRUS_WARNING41 Subject =~ /^NAV detected a virus/
368     describe VIRUS_WARNING41 Unhelpful 'virus warning' (41)
369     score VIRUS_WARNING41 20
370    
371     # PV
372     header VIRUS_WARNING42 Subject =~ /^RAV AntiVirus scan/
373     describe VIRUS_WARNING42 Unhelpful RAV 'virus warning' (42)
374     score VIRUS_WARNING42 20
375    
376     # PV
377     # was header VIRUS_WARNING43 Subject =~ /^VIRUS .{0,99}IN (A )?MAIL FROM YOU/i
378     # obsoleted by 18
379    
380     # PV
381     header VIRUS_WARNING44 Subject =~ /^Virus Notification:/
382     describe VIRUS_WARNING44 Unhelpful 'virus warning' (44)
383     score VIRUS_WARNING44 20
384    
385     # PV
386     header VIRUS_WARNING45 Subject =~ /^Virus found in a message you sent/
387     describe VIRUS_WARNING45 Unhelpful 'virus warning' (45)
388     score VIRUS_WARNING45 20
389    
390     # PV
391     # CE contributed caseless start
392     header VIRUS_WARNING46 Subject =~ /^[Vv]irus found in sent message/
393     describe VIRUS_WARNING46 Unhelpful 'virus warning' (46)
394     score VIRUS_WARNING46 20
395    
396     # PV
397     header VIRUS_WARNING47 From =~ /^GroupShield for Exchange/
398     describe VIRUS_WARNING47 Unhelpful GroupShield/Exch 'virus warning' (47)
399     score VIRUS_WARNING47 10
400    
401     # PV
402     body VIRUS_WARNING48 /^The infected message's properties are:/
403     describe VIRUS_WARNING48 Unhelpful McAfee 'virus warning' (48)
404     score VIRUS_WARNING48 20
405    
406     # AF
407     header VIRUS_WARNING49 Subject =~ /^VIRUS EN SU CORREO/
408     describe VIRUS_WARNING49 Unhelpful 'virus warning' (49)
409     score VIRUS_WARNING49 20
410    
411     # AF
412     header VIRUS_WARNING50 Subject =~ /^Warning: antivirus system report$/
413     describe VIRUS_WARNING50 Unhelpful 'virus warning' (50)
414     score VIRUS_WARNING50 20
415    
416     # AF
417     header VIRUS_WARNING51 Subject =~ /^MDaemon Notification -- Attachment Removed$/
418     describe VIRUS_WARNING51 Unhelpful 'virus warning' (51)
419     score VIRUS_WARNING51 20
420    
421     # AF
422     header VIRUS_WARNING52 Subject =~ /^Information - Antivirus$/
423     describe VIRUS_WARNING52 Unhelpful 'virus warning' (52)
424     score VIRUS_WARNING52 20
425    
426     # AF
427     header VIRUS_WARNING53 Subject =~ /^Symantec AntiVirus detected a violation/
428     describe VIRUS_WARNING53 Unhelpful 'virus warning' (53)
429     score VIRUS_WARNING53 20
430    
431     # AF
432     header VIRUS_WARNING54 Subject =~ /^WARNING: YOU WERE SENT A VIRUS/
433     describe VIRUS_WARNING54 Unhelpful 'virus warning' (54)
434     score VIRUS_WARNING54 20
435    
436     # AF
437     header VIRUS_WARNING55 Subject =~ /^SAV detected a violation in a/
438     describe VIRUS_WARNING55 Unhelpful SAV 'virus warning' (55)
439     score VIRUS_WARNING55 20
440    
441     # AF/CE
442     # Virus version seen as "...a Virus in your message", not sure about other
443     header VIRUS_WARNING56 Subject =~ /^MailMarshal has detected a (Virus|suspect attachment)/
444     describe VIRUS_WARNING56 Unhelpful MailMarshal 'virus warning' (56)
445     score VIRUS_WARNING56 20
446    
447     # AF/TV
448     header VIRUS_WARNING57 Subject =~ /^A virus was detected in your (mail|message)/i
449     describe VIRUS_WARNING57 Unhelpful 'virus warning' (57)
450     score VIRUS_WARNING57 20
451    
452     # AF
453     header VIRUS_WARNING58 Subject =~ /^Recipient Virus-alert/
454     describe VIRUS_WARNING58 Unhelpful 'virus warning' (58)
455     score VIRUS_WARNING58 20
456    
457     # AF/PBR
458     #lowercase version is VirusGuard "^Virus found in message to you!$"
459     header VIRUS_WARNING59 Subject =~ /^Virus [fF]ound in message/
460     describe VIRUS_WARNING59 Unhelpful 'virus warning' (59)
461     score VIRUS_WARNING59 20
462    
463     # AF
464     # Roll into VIRUS_WARNING15?
465     header VIRUS_WARNING60 Subject =~ /^E-?mail viruses detected/
466     describe VIRUS_WARNING60 Unhelpful 'virus warning' (60)
467     score VIRUS_WARNING60 20
468    
469     # AF
470     header VIRUS_WARNING61 Subject =~ /^Undelivered mail: VIRUS FOUND/
471     describe VIRUS_WARNING61 Unhelpful 'virus warning' (61)
472     score VIRUS_WARNING61 20
473    
474     # AF/TJ/PB/HD/JT
475     # 2004-12-15: the Symantec@ doesn't seem to work, for reasons that are opaque to me
476     header VIRUS_WARNING62 From =~ /Antivirus|InterScan|MailScanner|virusscan|WebShield SMTP|NortonAV|DrWeb-DAEMON|amavisd-new|virenscanner|GateLockX200|Filtermails|MailMonitor|Symantec\@|Symantec E-Mail-Proxy/i
477     describe VIRUS_WARNING62 'From' indicates unhelpful 'virus warning' (62)
478     score VIRUS_WARNING62 3.5
479    
480     # AF/TJ
481     # care: double count of this & 62 for 'amavisd-new'
482     header VIRUS_WARNING62A From =~ /amavis\@/
483     describe VIRUS_WARNING62A 'From' contains 'amavis'; 'virus warning'? (62A)
484     score VIRUS_WARNING62A 0.8
485    
486     # AF/TJ/MK/JT
487     # Case-sensitive strong indications
488     header VIRUS_WARNING63 From =~ /mail.marshal\@|InterScan Notification|Antivirus-Daemon|Nemx Power Tools for MS Exchange Server|NAVMSE-|Norton_AntiVirus_|Unicom Anti-Virus|Symantec_AntiVirus_for_SMTP|ANTIVIRUS-SYSTEM|\"System Anti-Virus Administrator\"|Eclipse-VirusShield|Anti-Virus Scanner|SymantecSMTPSecurityServer|_WatchDog_Demon|MAILsweeper|InterScan Notification|eTrust_Antivirus_Lotus_Notes|BorderWare MXtreme Mail Firewall|DinaScanner|vba_filter|KAV for Microsoft Exchange|Guinevere Anti-Virus|Barracuda Spam Firewall|'Watchdog' Demon|Virus Scanner/
489     describe VIRUS_WARNING63 'From' strongly indicates 'virus warning' (63)
490     score VIRUS_WARNING63 8
491    
492     # TJ/AF
493     # Case-insensitive strong indications
494     header VIRUS_WARNING63A From =~ /mailsweeper\@|avmailwall\@|virusscreen\@|virus-alert\@|antigen_|escanuser\@/i
495     describe VIRUS_WARNING63A 'From' strongly indicates 'virus warning' (63A)
496     score VIRUS_WARNING63A 8
497    
498     # ML
499     # blacklist_from not used, because resent-from (added by some mailing lists) overrides.
500     header VIRUS_WARNING63B From =~ /viruscheckservice\@virusguardman\.com/i
501     describe VIRUS_WARNING63B Unhelpful 'virus warning' (blacklisted) (63B)
502     score VIRUS_WARNING63B 20
503    
504     # AF
505     # False positive reported by Dan Miller <dan-dot-miller/at/ci-pinkerton.com>
506     # Has had a score of 20 for a long time.
507     # What a pain; Google shows huge amounts of junk
508     # 2004-08-09: removed after another FP report. Would love to know more about this.
509     #header VIRUS_WARNING64 X-BLTSYMAVREINSERT =~ /./
510     #describe VIRUS_WARNING64 Looks like unhelpful 'virus warning' (64)
511     #score VIRUS_WARNING64 3
512    
513     # AF
514     header VIRUS_WARNING65 X-Virus-Scan-Result =~ /Repaired/
515     describe VIRUS_WARNING65 Unhelpful 'virus warning' (65)
516     score VIRUS_WARNING65 20
517    
518     # AF
519     # This pattern has been seen as X-AtHome-MailScanner, X-Virus-Scanner,
520     # X-MailScanner, X-Antivirus, X-CTC-Iris-MailScanner, X-UTwente-MailScanner
521     header VIRUS_WARNING66 ALL =~ /Found to be infected/
522     describe VIRUS_WARNING66 Unhelpful 'virus warning' (66)
523     score VIRUS_WARNING66 20
524    
525     # AF
526     header VIRUS_WARNING67 X-Scanned =~ /Symantec Antivirus Scan - Virus found/
527     describe VIRUS_WARNING67 Unhelpful 'virus warning' (67)
528     score VIRUS_WARNING67 20
529    
530     # AF
531     header VIRUS_WARNING68 X-Sender =~ /NetMail AntiVirus Agent/
532     describe VIRUS_WARNING68 Unhelpful 'virus warning' (68)
533     score VIRUS_WARNING68 20
534    
535     # Rule 69 was obsoleted by modified version of rule #66
536     # (AF: X-yoursite-Mailscanner: Found to be infected)
537    
538     # AF
539     header VIRUS_WARNING70 Subject =~ /^Quarantined Mail: virus from/
540     describe VIRUS_WARNING70 Unhelpful 'virus warning' (70)
541     score VIRUS_WARNING70 20
542    
543     # TJ
544     header VIRUS_WARNING71 Subject =~ /^Failed to clean virus/
545     describe VIRUS_WARNING71 Unhelpful InterScan 'virus warning' (71)
546     score VIRUS_WARNING71 20
547    
548     # TJ
549     rawbody VIRUS_WARNING72 /^ Attempted to clean the file but it is not cleanable/
550     describe VIRUS_WARNING72 Unhelpful InterScan 'virus warning' (72)
551     score VIRUS_WARNING72 20
552    
553     # AF
554     header VIRUS_WARNING73 X-Mirapoint-Virus =~ /DELETED/
555     describe VIRUS_WARNING73 Unhelpful Mirapoint 'virus warning' (73)
556     score VIRUS_WARNING73 20
557    
558     # AF
559     # Part of "Attenzione Virus - Virus Alert"
560     header VIRUS_WARNING74 Subject =~ /^Attenzione Virus/
561     describe VIRUS_WARNING74 Unhelpful 'virus warning' (74)
562     score VIRUS_WARNING74 20
563    
564     # AF
565     header VIRUS_WARNING75 X-Auto-Generated =~ /^Sophos antivirus plugin/
566     describe VIRUS_WARNING75 Unhelpful 'virus warning' (75)
567     score VIRUS_WARNING75 10
568    
569     # AF/TJ
570     # Variant on #16
571     header VIRUS_WARNING76 Subject =~ /^\[MailServer Notification\]\s?To (Sender|External Sender|Recipient):? (virus found|a virus was found|file blocking settings matched|Message matched eManager setting)/
572     describe VIRUS_WARNING76 Unhelpful ScanMail 'virus warning' (76)
573     score VIRUS_WARNING76 20
574    
575     # AF
576     header VIRUS_WARNING77 Subject =~ /^virus in verschickter Nachricht gefunden/
577     describe VIRUS_WARNING77 Unhelpful 'virus warning' (77)
578     score VIRUS_WARNING77 20
579    
580     # AF
581     rawbody VIRUS_WARNING78 /Status: 5\.7\.0 \(other or undefined security status\)/
582     describe VIRUS_WARNING78 Could be a bogus virus warning (78)
583     score VIRUS_WARNING78 0.5
584    
585     # AF
586     rawbody VIRUS_WARNING79 /Message-ID: <[^>]{1,50}> \(added by postmaster/
587     describe VIRUS_WARNING79 Could be a bogus virus warning (79)
588     score VIRUS_WARNING79 0.5
589    
590     # AF
591     meta VIRUS_WARNING80 VIRUS_WARNING78 && VIRUS_WARNING79 && __REPORT_DSN
592     describe VIRUS_WARNING80 Likely to be a bogus virus warning (80)
593     score VIRUS_WARNING80 3.5
594    
595     # Rule 81 combined with 56
596    
597     # CE
598     header VIRUS_WARNING82 Subject =~ /^Virus encontrado en el mensaje enviado/
599     score VIRUS_WARNING82 20
600    
601     # CE
602     header VIRUS_WARNING83 Subject =~ /^Security Alert - ScanMail for Lotus Notes/
603     describe VIRUS_WARNING83 Unhelpful ScanMail 'virus warning' (83)
604     score VIRUS_WARNING83 20
605    
606     # CE/MK
607     # TJ: ...Detected is right-anchored
608     header VIRUS_WARNING84 Subject =~ /^Virus Infection (Alert|Detected)/
609     score VIRUS_WARNING84 20
610    
611     # CE
612     header VIRUS_WARNING85 Subject =~ /^Warning - Virus Detected:/
613     score VIRUS_WARNING85 20
614    
615     # CE
616     header VIRUS_WARNING86 Subject =~ /^Skynet Mail Protection scan results/
617     score VIRUS_WARNING86 20
618    
619     # CE
620     rawbody VIRUS_WARNING87 /RAV AntiVirus plugin for CommuniGate Pro has found a virus in the e-mail you are about to send/
621     describe VIRUS_WARNING87 Unhelpful RAV 'virus warning' (87)
622     score VIRUS_WARNING87 20
623    
624     # CE
625     rawbody VIRUS_WARNING88 /This is an automated return email from McAfee Virus Scan/
626     describe VIRUS_WARNING88 Unhelpful McAfee 'virus warning' (88)
627     score VIRUS_WARNING88 20
628    
629     # CE
630     rawbody VIRUS_WARNING89 /------------------ Virus Warning Message/
631     describe VIRUS_WARNING89 Unhelpful 'virus warning' (89)
632     score VIRUS_WARNING89 20
633    
634     # JB
635     body VIRUS_WARNING90 /^contained an attachment of a type that is frequently used to transport/
636     describe VIRUS_WARNING90 Looks like unhelpful ScanMail 'virus warning' (90)
637     score VIRUS_WARNING90 6
638    
639     # JB
640     # Seen in "-- KO/Office has blocked your mail due to an email policy."
641     header VIRUS_WARNING91 Subject =~ /has blocked your mail due to an email policy\./
642     describe VIRUS_WARNING91 Looks like unhelpful ScanMail 'virus warning' (91)
643     score VIRUS_WARNING91 6
644    
645     # NC: Contributed by "Safari" in n.a.n-a.e
646     header VIRUS_WARNING92 Subject =~ /^Virusveszely! Virus warning!/
647     score VIRUS_WARNING92 20
648    
649     # NC
650     header VIRUS_WARNING93 Subject =~ /^Virus infection notice/
651     score VIRUS_WARNING93 20
652    
653     # NC
654     header VIRUS_WARNING94 Subject =~ /^Possible virus found in message you sent/
655     score VIRUS_WARNING94 20
656    
657     # NC
658     header VIRUS_WARNING95 Subject =~ /^AntiVir ALERT/
659     score VIRUS_WARNING95 20
660    
661     # NC
662     # TJ: I suspect this may be specific to a site
663     header VIRUS_WARNING96 Subject =~ /^Centrale Anti-Virus melding/
664     score VIRUS_WARNING96 20
665    
666     # NC
667     # Looks like #95
668     header VIRUS_WARNING97 Subject =~ /^Vexira ALERT/
669     score VIRUS_WARNING97 20
670    
671     # NC
672     # TJ: again, suspect site-specific. Maybe change to ALL =~ ...?
673     header VIRUS_WARNING98 X-ELTE-VirusStatus =~ /^was_infected/
674     score VIRUS_WARNING98 20
675    
676     # NC: contributed by B Briggs in n.a.n-a.e
677     header VIRUS_WARNING99 Subject =~ /^You sent potentially unsafe content/
678     score VIRUS_WARNING99 20
679    
680     # NC
681     # TJ: looks site-specific to me
682     header VIRUS_WARNING100 Subject =~ /^Hov, du har sendt Jubii en virus !!!$/
683     score VIRUS_WARNING100 20
684    
685     # NC
686     header VIRUS_WARNING101 Subject =~ /^\[message from .{0,99}virus detect system\]$/
687     score VIRUS_WARNING101 20
688    
689     # NC
690     header VIRUS_WARNING102 Subject =~ /^Net Integrator Virus Alert$/
691     score VIRUS_WARNING102 20
692    
693     # NC
694     header VIRUS_WARNING103 Subject =~ /^Information - Antivirus$/
695     score VIRUS_WARNING103 20
696    
697     # NC
698     header VIRUS_WARNING104 Subject =~ /^AntiVirus Alert!$/
699     score VIRUS_WARNING104 20
700    
701     # NC
702     header VIRUS_WARNING105 Subject =~ /^\{ALERTA DE VIRUS\}/
703     score VIRUS_WARNING105 20
704    
705     # NC
706     header VIRUS_WARNING106 Subject =~ /^Virus in una mail per lei/
707     score VIRUS_WARNING106 20
708    
709     # NC
710     header VIRUS_WARNING107 Subject =~ /AntiVirus scan results/
711     describe VIRUS_WARNING107 Looks like an unhelpful 'virus warning' (107)
712     score VIRUS_WARNING107 7
713    
714     # TJ
715     header VIRUS_WARNING108 Subject =~ /^Returned due to - ATTACHMENT BLOCKINGS/
716     describe VIRUS_WARNING108 Unhelpful WebShield 'virus warning' (108)
717     score VIRUS_WARNING108 20
718    
719     # TJ
720     # deprecated in favour of 186
721    
722     # JB/TJ
723     body VIRUS_WARNING110 /^Please inform your (system)? administrator (and have your virus scanning|or check your machine for viruses)/
724     describe VIRUS_WARNING110 Unhelpful MIMEsweeper 'virus warning'? (110)
725     score VIRUS_WARNING110 8
726    
727     # JB
728     body VIRUS_WARNING111 /^Scan: Threat: '[^']{1,50}' detected by/
729     describe VIRUS_WARNING111 Unhelpful MIMEsweeper 'virus warning'? (111)
730     score VIRUS_WARNING111 6
731    
732     # ESR
733     header VIRUS_WARNING112 Subject =~ /^Virus Detected in your Email message!/
734     describe VIRUS_WARNING112 Unhelpful Norton Antivirus 'virus warning' (112)
735     score VIRUS_WARNING112 20
736    
737     # ESR
738     rawbody VIRUS_WARNING113 /infected with the W32.Mydoom.A\@mm virus/
739     describe VIRUS_WARNING113 Unhelpful Mydoom virus warning (113)
740     score VIRUS_WARNING113 6
741    
742     # TJ
743     body VIRUS_WARNING114 /RAV AntiVirus plugin for .{1,50} has found a virus/
744     describe VIRUS_WARNING114 Unhelpful RAV plugin 'virus warning' (114)
745     score VIRUS_WARNING114 7.5
746    
747     # TJ
748     body VIRUS_WARNING115 /^Remote host said: 5.. Message rejected due to possible virus/
749     describe VIRUS_WARNING115 Qmail bounce of unhelpful virus warning (115)
750     score VIRUS_WARNING115 10
751    
752     # ESR
753     # Similar to rule 23
754     header VIRUS_WARNING116 Subject =~ /^Virus incident/
755     describe VIRUS_WARNING116 Unhelpful Panda virus warning (116)
756     score VIRUS_WARNING116 6
757    
758     # TJ
759     rawbody VIRUS_WARNING117 /^A known virus was discovered and deleted\./
760     describe VIRUS_WARNING117 Looks like MIMEDefang 'virus warning' (117)
761     score VIRUS_WARNING117 4
762    
763     # TJ/AF
764     rawbody VIRUS_WARNING117A /^WARNING: This e-mail has been altered by (SATN-)?MIMEDefang/
765     describe VIRUS_WARNING117A MIMEDefang modified message (117A)
766     score VIRUS_WARNING117A 0.2
767    
768     # AF
769     rawbody VIRUS_WARNING117B /^I found the \S+ virus\.$/
770     describe VIRUS_WARNING117B Unhelpful MIMEDefang 'virus warning' (117B)
771     score VIRUS_WARNING117B 5
772    
773     # TJ
774     meta VIRUS_WARNING_DEFANG VIRUS_WARNING117 && VIRUS_WARNING117A
775     describe VIRUS_WARNING_DEFANG Unhelpful MIMEDefang 'virus warning'
776     score VIRUS_WARNING_DEFANG 10
777    
778     # EA
779     # Sample at: http://article.gmane.org/gmane.comp.tv.xmltv.devel/2772
780     body VIRUS_WARNING118 /^The delivery of this message has been rejected. This message appears to have a.{0,99} virus/
781     describe VIRUS_WARNING118 Unhelpful 'virus warning' (118)
782     score VIRUS_WARNING118 10
783    
784     # EA
785     # Sample at: http://article.gmane.org/gmane.comp.tv.xmltv.devel/2773
786     header VIRUS_WARNING119 Subject =~ /^WARNING: YOU MAY HAVE A VIRUS/
787     describe VIRUS_WARNING119 Unhelpful 'virus warning' (119)
788     score VIRUS_WARNING119 20
789    
790     # EA
791     # Sample at: http://article.gmane.org/gmane.comp.tv.xmltv.devel/2773
792     body VIRUS_WARNING120 /^The E-mail containing the virus has been removed/
793     describe VIRUS_WARNING120 Unhelpful 'virus warning' (120)
794     score VIRUS_WARNING120 10
795    
796     # PV
797     header VIRUS_WARNING121 Subject =~ /^ALERTE \- Vous avez envoye un mail avec virus/
798     describe VIRUS_WARNING121 Unhelpful 'virus warning' (121)
799     score VIRUS_WARNING121 20
800    
801     # PV
802     header VIRUS_WARNING122 Subject =~ /^ALERTE: un virus a /
803     describe VIRUS_WARNING122 Unhelpful 'virus warning' (122)
804     score VIRUS_WARNING122 20
805    
806     # PV
807     header VIRUS_WARNING123 Subject =~ /^Anti-Virus Notification/
808     describe VIRUS_WARNING123 Unhelpful 'virus warning/ (123)
809     score VIRUS_WARNING123 20
810    
811     # PV
812     header VIRUS_WARNING124 Subject =~ /^Antigen Notification/
813     describe VIRUS_WARNING124 Unhelpful Antigen 'virus warning' (124)
814     score VIRUS_WARNING124 20
815    
816     # PV
817     header VIRUS_WARNING125 Subject =~ /Antivirus stopped your message/
818     describe VIRUS_WARNING125 Unhelpful 'virus warning' (125)
819     score VIRUS_WARNING125 10
820    
821     # PV
822     header VIRUS_WARNING126 Subject =~ /^Email Quarantined Due to Virus/
823     score VIRUS_WARNING126 10
824    
825     # PV/MK
826     # TJ: often anchored to start, but can have prefix
827     header VIRUS_WARNING127 Subject =~ /Inflex scan report \[\d+\]$/
828     describe VIRUS_WARNING127 Unhelpful Inflex 'virus warning' (127)
829     score VIRUS_WARNING127 20
830    
831     # PV
832     header VIRUS_WARNING128 Subject =~ /^MMS Notification/
833     score VIRUS_WARNING128 4.5
834    
835     # PV
836     header VIRUS_WARNING129 Subject =~ /MailSure Virus Alert/
837     score VIRUS_WARNING129 10
838    
839     # PV
840     header VIRUS_WARNING130 Subject =~ /Ochrona antywirusowa/
841     score VIRUS_WARNING130 5
842    
843     # PV
844     header VIRUS_WARNING131 Subject =~ /(SENDER|RECIPIENT) \! Virus Notify \!/
845     score VIRUS_WARNING131 10
846    
847     # PV/TJ
848     header VIRUS_WARNING132 Subject =~ /VIRUS (NO|EM) SEU EMAIL/i
849     score VIRUS_WARNING132 20
850    
851     # PV
852     header VIRUS_WARNING133 Subject =~ /Virus Check Alert/
853     score VIRUS_WARNING133 10
854    
855     # TJ
856     # Variation on 133
857     header VIRUS_WARNING133A Subject =~ /^\#\# Virus Check Alert \#\#$/
858     score VIRUS_WARNING133A 20
859    
860     # PV
861     # Seen as 'Virus Notification from Redstone'
862     # TJ: checked
863     header VIRUS_WARNING134 Subject =~ /^Virus Notification from/
864     score VIRUS_WARNING134 20
865    
866     # PV
867     # TJ: checked
868     header VIRUS_WARNING135 Subject =~ /^Virus Quarantine Notification$/
869     score VIRUS_WARNING135 20
870    
871     # PV/TJ
872     # TJ: checked, and seen separately with optional virus name
873     header VIRUS_WARNING136 Subject =~ /^Virus (\(.{1,50}\) )?in Ihrer Nachricht/i
874     describe VIRUS_WARNING136 Unhelpful amavisd-new 'virus warning' [DE] (136)
875     score VIRUS_WARNING136 10
876    
877     # PV
878     header VIRUS_WARNING137 Subject =~ /Votre message contient un virus/
879     score VIRUS_WARNING137 8
880    
881     # PV
882     # TJ: checked
883     header VIRUS_WARNING138 Subject =~ /^WorldSecure Server notification$/
884     describe VIRUS_WARNING138 Unhelpful WorldSecure 'virus warning' (138)
885     score VIRUS_WARNING138 20
886    
887     # PV
888     header VIRUS_WARNING139 Subject =~ /\[SmartFilter\] Virus Alert /
889     score VIRUS_WARNING139 8
890    
891     # PV
892     header VIRUS_WARNING140 Subject =~ /\[Virus detected\]/
893     score VIRUS_WARNING140 6
894    
895     # 141 obsoleted by 142
896    
897     # PV/TJ
898     header VIRUS_WARNING142 Subject =~ /^virus (trouve dans le message envoye|trovato in un messaggio inviato)/
899     describe VIRUS_WARNING142 Unhelpful 'virus warning'
900     score VIRUS_WARNING142 20
901    
902     # HP
903     # BorderWare Mail Gateway
904     rawbody VIRUS_WARNING143 /^This is a recorded message from the BorderWare Mail Gateway/
905     describe VIRUS_WARNING143 Unhelpful BorderWare 'virus warning' (143)
906     score VIRUS_WARNING143 6
907    
908     # HP
909     # Also from BorderWare Mail Gateway
910     header VIRUS_WARNING144 Subject =~ /^Discarded Email/
911     describe VIRUS_WARNING144 Unhelpful BorderWare 'virus warning'? (144)
912     score VIRUS_WARNING144 5
913    
914     # TJ
915     body VIRUS_WARNING145 /A L E R T A\s+D E\s+V [IÍ] R U S/
916     describe VIRUS_WARNING145 Unhelpful MailScanner 'virus warning' (145)
917     score VIRUS_WARNING145 4
918    
919     # AF
920     body VIRUS_WARNING146 /^The content of the following email has been checked by the HBOS plc/
921     describe VIRUS_WARNING146 Unhelpful 'virus warning' - HBOS/Halifax? (146)
922     score VIRUS_WARNING146 3.5
923    
924     # AF
925     body VIRUS_WARNING147 /Aquest missatge contenia un fitxer adjunt amb virus que s'ha eliminat/
926     score VIRUS_WARNING147 4
927    
928     # AF
929     header VIRUS_WARNING148 Subject =~ /^HBOS plc Automated Email Administrator/
930     describe VIRUS_WARNING148 Unhelpful 'virus warning'- HBOS plc/Halifax (148)
931     score VIRUS_WARNING148 10
932    
933     # TJ
934     header VIRUS_WARNING149 Subject =~ /^Disallowed attachment type found in sent message/
935     describe VIRUS_WARNING149 Unhelpful 'virus warning' (149)
936     score VIRUS_WARNING149 20
937    
938     # TJ
939     body VIRUS_WARNING150 /550 Error: VB0007 - Rejected: Probably a virus/
940     describe VIRUS_WARNING150 Probably a virus bounce (club-internet.fr) (150)
941     score VIRUS_WARNING150 4
942    
943     # TJ
944     rawbody VIRUS_WARNING151 /^Virus\(es\) found\.$/
945     describe VIRUS_WARNING151 McAfee/CommuniGate Pro 'virus warning' (151)
946     score VIRUS_WARNING151 7
947    
948     # TJ
949     body VIRUS_WARNING152 /^Captured by McAfee antivirus plugin/
950     describe VIRUS_WARNING152 Unhelpful McAfee plugin 'virus warning' (152)
951     score VIRUS_WARNING152 4
952    
953     # TJ
954     rawbody VIRUS_WARNING153 /^\S+ is infected with/
955     describe VIRUS_WARNING153 Unhelpful McAfee plugin 'virus warning'? (153)
956     score VIRUS_WARNING153 3
957    
958     # TJ
959     rawbody VIRUS_WARNING154 /^WARNING! Your message was infected by VIRUS:$/
960     describe VIRUS_WARNING154 Unhelpful 'virus warning' (154)
961     score VIRUS_WARNING154 15
962    
963     # TJ
964     rawbody VIRUS_WARNING155 /^Antiviral program output:$/
965     describe VIRUS_WARNING155 Unhelpful 'virus warning' (155)
966     score VIRUS_WARNING155 3
967    
968     # AF
969     header VIRUS_WARNING156 Subject =~ /^Virus found:/
970     describe VIRUS_WARNING156 Unhelpful SurfControl 'virus warning' (156)
971     score VIRUS_WARNING156 20
972    
973     # AF - should normally be caught by 156
974     rawbody VIRUS_WARNING157 /^SurfControl E-mail Anti-Virus Agent and has detected the Virus/
975     describe VIRUS_WARNING157 Unhelpful SurfControl 'virus warning' (157)
976     score VIRUS_WARNING157 5
977    
978     # JBB
979     header VIRUS_WARNING158 Subject =~ /^Your mail server sent us a virus/
980     describe VIRUS_WARNING158 Unhelpful Declude 'virus warning' (158)
981     score VIRUS_WARNING158 20
982    
983     # AF
984     header VIRUS_WARNING159 Subject =~ /^This is an alert from eSafe$/
985     describe VIRUS_WARNING159 Unhelpful eSafe 'virus warning' (159)
986     score VIRUS_WARNING159 20
987    
988     # AF/PB - sometimes, but not always caught by 159
989     rawbody VIRUS_WARNING160 /^\*\*\* eSafe detected (a )?hostile content in this email( and removed it)?. \*\*\*$/
990     describe VIRUS_WARNING160 Unhelpful eSafe 'virus warning' (160)
991     score VIRUS_WARNING160 12
992    
993     # AF
994     header VIRUS_WARNING161 Subject =~ /^Virus encontrado/
995     describe VIRUS_WARNING161 Unhelpful 'virus warning' (161)
996     score VIRUS_WARNING161 4
997    
998     # AF
999     rawbody VIRUS_WARNING162 /^---uvscan results ---$/
1000     describe VIRUS_WARNING162 Looks like unhelpful 'virus warning' (162)
1001     score VIRUS_WARNING162 3.5
1002    
1003     # TJ
1004     rawbody VIRUS_WARNING162A /^---perlscanner results ---$/
1005     describe VIRUS_WARNING162A Looks like unhelpful 'virus warning' (162A)
1006     score VIRUS_WARNING162A 2.0
1007    
1008     # AF
1009     rawbody VIRUS_WARNING163 /^Scan result/
1010     describe VIRUS_WARNING163 Unhelpful 'virus warning'? (163)
1011     score VIRUS_WARNING163 2
1012    
1013     # SC - seen as 2Notification du serveur antivirus SEII"
1014     # TrendMicro Viruswall
1015     header VIRUS_WARNING164 Subject =~ /^Notification du serveur antivirus/
1016     describe VIRUS_WARNING164 Unhelpful Viruswall 'virus warning' (164)
1017     score VIRUS_WARNING164 6
1018    
1019     # SC
1020     rawbody VIRUS_WARNING165 /^Un virus a été détecté dans votre $/
1021     describe VIRUS_WARNING165 Unhelpful Viruswall 'virus warning'? (165)
1022     score VIRUS_WARNING165 4
1023    
1024     # SC
1025     rawbody VIRUS_WARNING166 /^Un virus \(.{1,50}\) a été déte/
1026     describe VIRUS_WARNING166 Unhelpful Viruswall 'virus warning'? (166)
1027     score VIRUS_WARNING166 4
1028    
1029     # SC
1030     header VIRUS_WARNING167 Subject =~ /^NAV ha rilevato un virus in un documento inviato$/
1031     describe VIRUS_WARNING167 Unhelpful NAV 'virus warning' (167)
1032     score VIRUS_WARNING167 100
1033    
1034     # SC
1035     rawbody VIRUS_WARNING168 /^Il documento analizzato è in QUARANTEA\.$/
1036     describe VIRUS_WARNING168 Unhelpful NAV 'virus warning' (168)
1037     score VIRUS_WARNING168 4
1038    
1039     # SC
1040     rawbody VIRUS_WARNING169 /^Informazioni sul virus:$/
1041     describe VIRUS_WARNING169 Unhelpful NAV 'virus warning' (169)
1042     score VIRUS_WARNING169 4
1043    
1044     # AF
1045     # Hmm, maybe use X-WSS-ID: <uid> header? Looks like it's a NAI WS spamsign
1046     header VIRUS_WARNING170 Subject =~ /^Network Associates Webshield - e-mail Content Alert$/
1047     describe VIRUS_WARNING170 Unhelpful Webshield 'attachment warning' (170)
1048     score VIRUS_WARNING170 20
1049    
1050     # AF
1051     rawbody VIRUS_WARNING171 /^Network Associates WebShield SMTP.{1,50}intercepted a mail/
1052     describe VIRUS_WARNING171 Unhelpful Webshield 'attachment warning' (171)
1053     score VIRUS_WARNING171 5
1054    
1055     # TJ
1056     rawbody VIRUS_WARNING172 /^Virus identity found:/
1057     describe VIRUS_WARNING172 Unhelpful MailMonitor 'virus warning' (172)
1058     score VIRUS_WARNING172 5
1059    
1060     # TJ
1061     rawbody VIRUS_WARNING173 /^The Firstnet Anti-Virus \(FAV\) system intercepted it/
1062     describe VIRUS_WARNING173 Unhelpful Firstnet AV 'virus warning' (173)
1063     score VIRUS_WARNING173 5
1064    
1065     # TJ - this is generated by the braindead qmail-scanner patch
1066     header VIRUS_WARNING174 X-Tnz-Problem-Type =~ /.{1,50}/
1067     describe VIRUS_WARNING174 Unhelpful qmail-scanner 'virus warning' (174)
1068     score VIRUS_WARNING174 1
1069    
1070     # TJ
1071     rawbody VIRUS_WARNING175 /^Panda Antivirus has found the following viruses in the message:$/
1072     describe VIRUS_WARNING175 Unhelpful Panda Antivirus 'virus warning' (175)
1073     score VIRUS_WARNING175 8
1074    
1075     # TJ - can't assert the end of this string for some reason
1076     rawbody VIRUS_WARNING176 /^Report generated by Panda Antivirus/
1077     describe VIRUS_WARNING176 Unhelpful Panda Antivirus 'virus warning' (176)
1078     score VIRUS_WARNING176 5
1079    
1080     # AF
1081     # as in "...virus in a document you authored"
1082     header VIRUS_WARNING177 Subject =~ /^Symantec AntiVirus\/Filtering for Domino detected a virus/
1083     describe VIRUS_WARNING177 Unhelpful Symantec for Domino 'virus warning'(177)
1084     score VIRUS_WARNING177 20
1085    
1086     # TJ
1087     # Honestly, ISPs should know better than this. Idiots.
1088     header VIRUS_WARNING178 Subject =~ /^Eclipse Internet VIRUSshield detected VIRUS/
1089     describe VIRUS_WARNING178 Unhelpful Eclipse Internet 'virus warning' (178)
1090     score VIRUS_WARNING178 20
1091    
1092     # TJ
1093     # see also 390
1094     rawbody VIRUS_WARNING179 /^VIRUS ALERT/
1095     describe VIRUS_WARNING179 Could be a bogus 'virus warning' (179)
1096     score VIRUS_WARNING179 2.5
1097    
1098     # TJ
1099     # Norton Antivirus Gateway
1100     header VIRUS_WARNING180 Subject =~ /^VIRUS MESSAGE$/
1101     describe VIRUS_WARNING180 Unhelpful Norton AV Gateway 'virus warning' (180)
1102     score VIRUS_WARNING180 4.5
1103    
1104     # AF
1105     header VIRUS_WARNING181 Subject =~ /^Internet Mail Failure - Virus Alert$/
1106     describe VIRUS_WARNING181 Unhelpful 'virus warning' (181)
1107     score VIRUS_WARNING181 20
1108    
1109     # AF
1110     rawbody VIRUS_WARNING182 /^Virus Scanner found the$/
1111     describe VIRUS_WARNING182 Unhelpful 'virus warning'? (182)
1112     score VIRUS_WARNING182 1.5
1113    
1114     # TJ
1115     rawbody VIRUS_WARNING183 /^YOUR MAIL HAD THE VIRUS/
1116     describe VIRUS_WARNING183 Unhelpful 'virus warning' (WebShield?) (183)
1117     score VIRUS_WARNING183 2.0
1118    
1119     # TJ
1120     header VIRUS_WARNING184 Subject =~ /^FOUND VIRUS IN YOUR MAIL TO:/
1121     describe VIRUS_WARNING184 Unhelpful ArmourPlate 'virus warning' (184)
1122     score VIRUS_WARNING184 10.0
1123    
1124     # TJ
1125     rawbody VIRUS_WARNING185 /^ArmourPlate protects organisations/
1126     describe VIRUS_WARNING185 Unhelpful ArmourPlate 'virus warning' spam (185)
1127     score VIRUS_WARNING185 3.0
1128    
1129     # AF
1130     rawbody VIRUS_WARNING186 /^<p>The WebShield&reg; .{1,50} Appliance discovered a virus/
1131     describe VIRUS_WARNING186 Unhelpful WebShield 'virus warning' (186)
1132     score VIRUS_WARNING186 10.0
1133    
1134     # AF
1135     header VIRUS_WARNING187 Subject =~ /^\s*"Returned due to virus/
1136     describe VIRUS_WARNING187 Unhelpful WebShield 'virus warning' (187)
1137     score VIRUS_WARNING187 2.0
1138    
1139     # AF
1140     # TJ: From WebShield, but fairly generic
1141     rawbody VIRUS_WARNING188 /^\s*(Virus name|diagnostics\/Diagnose):/i
1142     describe VIRUS_WARNING188 Looks like unhelpful 'virus warning' (188)
1143     score VIRUS_WARNING188 1.5
1144    
1145     # AF
1146     # From some kind of Exchange-based scanner
1147     header VIRUS_WARNING189 Subject =~ /^ALERT - Virus .{1,50} found/
1148     describe VIRUS_WARNING189 Unhelpful 'virus warning' (189)
1149     score VIRUS_WARNING189 8.0
1150    
1151     # AF/TJ
1152     rawbody VIRUS_WARNING190 /^(Infected\? Yes|Stato file:\s*Infetto)$/i
1153     describe VIRUS_WARNING190 Unhelpful 'virus warning' (190)
1154     score VIRUS_WARNING190 2.0
1155    
1156     # TJ
1157     # Mis-spelling is intentional!
1158     rawbody VIRUS_WARNING191 /^WARNING! Virus foudn in attachment/
1159     describe VIRUS_WARNING191 Unhelpful Wharf T&T 'virus warning' (191)
1160     score VIRUS_WARNING191 10
1161    
1162     # TJ
1163     # Something to do with VirusWall?
1164     # matches Mirapoint too (2004-07-14)
1165     rawbody __VIRUS_WARNING192A /^.{1,50} is removed from here because it contains a virus\.$/
1166     rawbody __VIRUS_WARNING192B /^-{40,80}( \(on .{1,50}\))?$/
1167     meta VIRUS_WARNING192 __VIRUS_WARNING192A && __VIRUS_WARNING192B
1168     describe VIRUS_WARNING192 Unhelpful 'virus warning' (192)
1169     score VIRUS_WARNING192 20
1170    
1171     # AF
1172     header VIRUS_WARNING193 Subject =~ /Suppresion du Virus/
1173     describe VIRUS_WARNING193 Looks like unhelpful 'virus warning' (193)
1174     score VIRUS_WARNING193 2.0
1175    
1176     # TJ
1177     rawbody VIRUS_WARNING194 /^A possible virus was detected in your message/
1178     describe VIRUS_WARNING194 Looks like unhelpful 'virus warning' (194)
1179     score VIRUS_WARNING194 2.0
1180    
1181     # TJ
1182     rawbody VIRUS_WARNING195 /^.{1,50}\@.{1,50}: Email Content Not Allowed/
1183     describe VIRUS_WARNING195 Could be unhelpful 'virus warning' (195)
1184     score VIRUS_WARNING195 0.5
1185    
1186     # AF
1187     # From postmaster@
1188     rawbody VIRUS_WARNING196 /^[a-zA-Z0-9_\-\.] detected a hostile content in this email and removed it/
1189     describe VIRUS_WARNING196 Unhelpful 'virus warning' (196)
1190     score VIRUS_WARNING196 6.0
1191    
1192     # AF
1193     header VIRUS_WARNING197 Subject =~ /^Tipo de arquivo anexo nao permitido!/
1194     describe VIRUS_WARNING197 Unhelpful 'virus warning' (197)
1195     score VIRUS_WARNING197 8.0
1196    
1197     # TJ
1198     header VIRUS_WARNING198 Subject =~ /^Illegal attachment type found in sent message/
1199     describe VIRUS_WARNING198 Unhelpful qmail-scanner 'virus warning' (198)
1200     score VIRUS_WARNING198 10
1201    
1202     # TJ
1203     rawbody VIRUS_WARNING199 /A Illegal attachment type was found in an Email message you sent\.$/
1204     describe VIRUS_WARNING199 Unhelpful qmail-scanner 'virus warning' (199)
1205     score VIRUS_WARNING199 4.0
1206    
1207     # TJ
1208     header VIRUS_WARNING200 Subject =~ /^Message Deleted:/
1209     describe VIRUS_WARNING200 Unhelpful 'virus warning' (200)
1210     score VIRUS_WARNING200 6.0
1211    
1212     # TJ
1213     rawbody VIRUS_WARNING201 /^An attachment \(.{0,99}\) in the message violated system permissions/
1214     describe VIRUS_WARNING201 Unhelpful 'virus warning' (201)
1215     score VIRUS_WARNING201 2.0
1216    
1217     # TJ
1218     meta VIRUS_WARNING201A VIRUS_WARNING200 && VIRUS_WARNING201
1219     describe VIRUS_WARNING201A Unhelpful 'virus warning' (201A)
1220     score VIRUS_WARNING201A 4.0
1221    
1222     # TJ
1223     # Seen from ipworldcom.ch
1224     rawbody VIRUS_WARNING202 /^\s*\S+ is infected with/
1225     describe VIRUS_WARNING202 Unhelpful 'virus warning' (202)
1226     score VIRUS_WARNING202 3.0
1227    
1228     # TJ
1229     rawbody VIRUS_WARNING203 /^Your computer seems to send a message containing a virus/
1230     describe VIRUS_WARNING203 Unhelpful 'virus warning' (203)
1231     score VIRUS_WARNING203 3.0
1232    
1233     # TJ
1234     meta VIRUS_WARNING203A VIRUS_WARNING202 && VIRUS_WARNING203
1235     describe VIRUS_WARNING203A Unhelpful 'virus warning' (203A)
1236     score VIRUS_WARNING203A 4.0
1237    
1238     # TJ
1239     rawbody VIRUS_WARNING204 /^file contains virus:/
1240     describe VIRUS_WARNING204 Unhelpful 'virus warning' (204)
1241     score VIRUS_WARNING204 3.0
1242    
1243     # TJ
1244     header VIRUS_WARNING205 Subject =~ /\[.{1,50}: Virus detected\]$/
1245     describe VIRUS_WARNING205 Unhelpful 'virus warning' (205)
1246     score VIRUS_WARNING205 3.0
1247    
1248     # TJ
1249     rawbody VIRUS_WARNING206 /^This e-mail contained attachments which were virus infected/
1250     describe VIRUS_WARNING206 Unhelpful 'virus warning' (206)
1251     score VIRUS_WARNING206 2.5
1252    
1253     # TJ
1254     header VIRUS_WARNING207 Subject =~ /^RAV[0-9]+ Antivirus notification/
1255     describe VIRUS_WARNING207 Unhelpful RAV 'virus warning' (207)
1256     score VIRUS_WARNING207 20
1257    
1258     # TJ
1259     header VIRUS_WARNING208 Subject =~ /^Invalid content in mail message/
1260     describe VIRUS_WARNING208 Unhelpful Kerio Mailserver 'virus warning' (208)
1261     score VIRUS_WARNING208 7.5
1262    
1263     # TJ
1264     meta VIRUS_WARNING209 VIRUS_WARNING208 && VIRUS_WARNING188
1265     describe VIRUS_WARNING209 Unhelpful Kerio Mailserver 'virus warning' (209)
1266     score VIRUS_WARNING209 5.0
1267    
1268     # TJ
1269     rawbody VIRUS_WARNING210 /^This virus has been deleted/i
1270     describe VIRUS_WARNING210 Unhelpful 'virus warning' (210)
1271     score VIRUS_WARNING210 2.0
1272    
1273     # AF
1274     header VIRUS_WARNING211 Subject =~ /^IcoMailServer: Virus détect$/
1275     describe VIRUS_WARNING211 Unhelpful IcoMailServer 'virus warning' (211)
1276     score VIRUS_WARNING211 20
1277    
1278     # AF
1279     rawbody VIRUS_WARNING212 /^IcoMailServer Antivirus v[0-9\.]+ a détectén virus/
1280     describe VIRUS_WARNING212 Unhelpful IcoMailServer 'virus warning' (212)
1281     score VIRUS_WARNING212 5
1282    
1283     # TJ
1284     rawbody VIRUS_WARNING213 /^Bola Vam poslana elektronicka posta s prilohou. Obsahuje VIRUS!$/
1285     describe VIRUS_WARNING213 Unhelpful 'virus warning'
1286     score VIRUS_WARNING213 20
1287    
1288     # MK
1289     header VIRUS_WARNING214 Subject =~ /^ALERT!! Infected mail sent by you!$/
1290     describe VIRUS_WARNING214 Unhelpful NAVMSE 'virus warning' (214)
1291     score VIRUS_WARNING214 20
1292    
1293     # AF
1294     header VIRUS_WARNING215 Subject =~ /^NAV hat einen Virus oder nicht erlaubten Inhalt/
1295     describe VIRUS_WARNING215 Unhelpful NAV 'virus warning' (215)
1296     score VIRUS_WARNING215 20
1297    
1298     # AF
1299     rawbody VIRUS_WARNING216 /^The infected component in the scanned document was deleted\.$/
1300     describe VIRUS_WARNING216 Unhelpful NAV 'virus warning' (216)
1301     score VIRUS_WARNING216 5
1302    
1303     # AF
1304     rawbody VIRUS_WARNING217 /^The attachment \S+ contained the virus \S+/
1305     describe VIRUS_WARNING217 Unhelpful NAV 'virus warning' (217)
1306     score VIRUS_WARNING217 5
1307    
1308     # PB/JT
1309     # DSN: None
1310     # note 2004-08-18: sometimes has trailing space
1311     header VIRUS_WARNING218 Subject =~ /McAfee GroupShield Alert\s*$/
1312     describe VIRUS_WARNING218 Unhelpful GroupShield 'virus warning'? (218)
1313     score VIRUS_WARNING218 4
1314    
1315     rawbody VIRUS_WARNING218A /^Reason: Anti-Virus/
1316    
1317     meta VIRUS_WARNING218B VIRUS_WARNING218 && VIRUS_WARNING218A
1318     describe VIRUS_WARNING218B Definitely GroupShield 'virus warning' (218B)
1319     score VIRUS_WARNING218B 20
1320    
1321     # TJ
1322     header VIRUS_WARNING219 Subject =~ /^Illegal Content Violation - Message [0-9]+$/
1323     describe VIRUS_WARNING219 Unhelpful 'virus warning' (219)
1324     score VIRUS_WARNING219 20
1325    
1326     # MK
1327     # Seen alonside 221
1328     header VIRUS_WARNING220 Subject =~ /^Virus found in message from you!$/
1329     describe VIRUS_WARNING220 Unhelpful Kaspersky 'virus warning' (220)
1330     score VIRUS_WARNING220 20
1331    
1332     # MK
1333     header VIRUS_WARNING221 X-Mailer =~ /^Kaspersky SMTPSCAN/
1334     describe VIRUS_WARNING221 Could be unhelpful Kaspersky 'virus warning' (221)
1335     score VIRUS_WARNING221 2
1336    
1337     # TJ
1338     rawbody VIRUS_WARNING222 /^X-NAI-WebShield[a-zA-Z0-9]+-mimepp: Attachment repaired$/
1339     describe VIRUS_WARNING222 Could be unhelpful NAI 'virus warning' (222)
1340     score VIRUS_WARNING222 8
1341    
1342     # MK/JT
1343     header VIRUS_WARNING223 Subject =~ /^(Spam mail warning notification!|VirusWall has detected a sensitive e-mail !!!) \(Attachment Removal\)$/
1344     describe VIRUS_WARNING223 Unhelpful eManager 'virus warning' (223)
1345     score VIRUS_WARNING223 20
1346    
1347     # MK/JT
1348     rawbody VIRUS_WARNING224 /^(The following mail was blocked since it contains sensitive content|eManager has removed a sensitive attachment file in the email)\.$/
1349     describe VIRUS_WARNING224 Unhelpful eManager 'virus warning'? (224)
1350     score VIRUS_WARNING224 2.5
1351    
1352     # PSI
1353     header VIRUS_WARNING225 Subject =~ /^A Virus was detected in the message you sent$/i
1354     describe VIRUS_WARNING225 Unhelpful MAILsweeper 'virus warning' (225)
1355     score VIRUS_WARNING225 20
1356    
1357     # TJ
1358     rawbody VIRUS_WARNING226 /^\/var\/spool\/mailscanner.{1,50} Infection:/
1359     describe VIRUS_WARNING226 Unhelpful MailScanner 'virus warning' (226)
1360     score VIRUS_WARNING226 5
1361    
1362     # AF
1363     # BT-specific
1364     body VIRUS_WARNING227 /^"An attempt has been made to send a file called \S+ into BT's e-mail/
1365     describe VIRUS_WARNING227 Unhelpful BT 'virus warning' (227)
1366     score VIRUS_WARNING227 10
1367    
1368     # TJ
1369     # Goes alonside 229
1370     rawbody VIRUS_WARNING228 /^Found the \S+in message\.$/
1371     describe VIRUS_WARNING228 Unhelpful 'virus warning' (228)
1372     score VIRUS_WARNING228 2.5
1373    
1374     # TJ
1375     rawbody VIRUS_WARNING229 /^Found the (W32\/\S+|.{1,50}\@MM\S*)in message\.$/
1376     describe VIRUS_WARNING229 Unhelpful 'virus warning' (229)
1377     score VIRUS_WARNING229 10
1378    
1379     # TJ
1380     # Don't double count
1381     meta VIRUS_WARNING229A VIRUS_WARNING228 && VIRUS_WARNING229
1382     describe VIRUS_WARNING229A Don't double-count 228/229
1383     score VIRUS_WARNING229A -3.5
1384    
1385     # PB
1386     rawbody VIRUS_WARNING230 /^Dr\. Web (detailed )?report:$/
1387     describe VIRUS_WARNING230 Unhelpful Dr. Web 'virus warning' (230)
1388     score VIRUS_WARNING230 10
1389    
1390     # PB
1391     header VIRUS_WARNING231 Content-Type =~ /boundary="001-DrWeb-MailFilter-Notification"$/
1392     describe VIRUS_WARNING231 Looks like Dr. Web notification (231)
1393     score VIRUS_WARNING231 10
1394    
1395     # PSI
1396     rawbody VIRUS_WARNING232 /^Found virus .{1,50} in file .{1,50}$/
1397     describe VIRUS_WARNING232 Unhelpful 'virus warning' (232)
1398     score VIRUS_WARNING232 5
1399    
1400     # PSI
1401     rawbody VIRUS_WARNING233 /^The file is deleted\.$/
1402     describe VIRUS_WARNING233 Looks like unhelpful 'virus warning' (233)
1403     score VIRUS_WARNING233 1
1404    
1405     # PSI
1406     rawbody VIRUS_WARNING234 /^-+\s*Virus i denne meldingen er fjernet/
1407     describe VIRUS_WARNING234 Looks like unhelpful 'virus warning' (234)
1408     score VIRUS_WARNING234 4
1409    
1410     # PSI
1411     rawbody VIRUS_WARNING235 /^550 Error: The message probably contains the .{1,50} virus/
1412     describe VIRUS_WARNING235 Could be unhelpful 'virus warning' (235)
1413     score VIRUS_WARNING235 2
1414    
1415     # AF
1416     body VIRUS_WARNING236 /^Votre mail a été rejeté car il comporte une pièce jointe qui n'est pas acceptée par notre outil de filtrage/
1417     describe VIRUS_WARNING236 Unhelpful 'virus warning' (236)
1418     score VIRUS_WARNING236 7
1419    
1420     # AF
1421     # Could be virus infection too
1422     header VIRUS_WARNING237 X-BitDefender-Scanner =~ /^Infected/
1423     describe VIRUS_WARNING237 Unhelpful BitDefender 'virus warning' (237)
1424     score VIRUS_WARNING237 10
1425    
1426     # MK
1427     rawbody VIRUS_WARNING238 /^Ihre Mail beinhaltete verbotene Anhänge !$/
1428     describe VIRUS_WARNING238 Unhelpful 'virus warning' (238)
1429     score VIRUS_WARNING238 20
1430    
1431     # MK
1432     header VIRUS_WARNING239 Subject =~ /^<WatchDog: Verbotener Dateianhang>$/
1433     describe VIRUS_WARNING239 Unhelpful 'virus warning' (239)
1434     score VIRUS_WARNING239 20
1435    
1436     # PSI
1437     header VIRUS_WARNING240 Subject =~ /^Advarsel! Dit e-brev indeholder virus$/
1438     describe VIRUS_WARNING240 Unhelpful 'virus warning' (240)
1439     score VIRUS_WARNING240 20
1440    
1441     # PSI
1442     # TrendMicro Interscan eManager
1443     # apparently can FP when people set it up to reject otherwise-legit attachments
1444     rawbody VIRUS_WARNING241 /^The attachment file in the message has been removed by eManager\.$/
1445     describe VIRUS_WARNING241 Unhelpful Interscan 'virus warning'? (241)
1446     score VIRUS_WARNING241 3
1447    
1448     # PSI
1449     rawbody VIRUS_WARNING242 /^ScanMail has detected a virus during a real-time scan of the mail traffic\.$/
1450     describe VIRUS_WARNING242 Unhelpful ScanMail 'virus warning' (242)
1451     score VIRUS_WARNING242 5
1452    
1453     # PSI
1454     header VIRUS_WARNING243 Subject =~ /^Virus Alert - ScanMail for Lotus Notes -->/
1455     describe VIRUS_WARNING243 Unhelpful ScanMail 'virus warning' (243)
1456     score VIRUS_WARNING243 20
1457    
1458     # TJ
1459     body VIRUS_WARNING244 /^Our content checker found\s+viruses/
1460     describe VIRUS_WARNING244 Could be an unhelpful 'virus warning' (244)
1461     score VIRUS_WARNING244 5
1462    
1463     # TJ
1464     meta VIRUS_WARNING245 VIRUS_WARNING179 && VIRUS_WARNING244
1465     describe VIRUS_WARNING245 Unhelpful 'virus warning' (245)
1466     score VIRUS_WARNING245 20
1467    
1468     # PSI
1469     rawbody VIRUS_WARNING246 /^was stopped by MailSweeper because it contained an executable file\.$/
1470     describe VIRUS_WARNING246 Unhelpful 'virus warning' (246)
1471     score VIRUS_WARNING246 20
1472    
1473     # TJ
1474     rawbody VIRUS_WARNING247 /^Zalaczony plik (.{1,50}) zawiera wirusa +(.{1,50}) \.$/
1475     describe VIRUS_WARNING247 Unhelpful 'virus warning' (247)
1476     score VIRUS_WARNING247 20
1477    
1478     # TJ
1479     rawbody VIRUS_WARNING248 /^Disallowed attach type$/
1480     describe VIRUS_WARNING248 Unhelpful 'virus warning' (248)
1481     score VIRUS_WARNING248 20
1482    
1483     # PSI
1484     body VIRUS_WARNING249 /^This mail is not complete because a part of it \(body or attachment\) violated Norman Gateway Protection/
1485     describe VIRUS_WARNING249 Unhelpful 'virus warning' (249)
1486     score VIRUS_WARNING249 20
1487    
1488     # HPK
1489     # This is a general rule which will catch lots of MailScanner stuff.
1490     # MailScanner is a real PITA.
1491     rawbody VIRUS_WARNING250 /^This is a message from the MailScanner E-Mail Virus Protection Service/
1492     describe VIRUS_WARNING250 Some kind of MailScanner notification? (250)
1493     score VIRUS_WARNING250 1.5
1494    
1495     # HPK
1496     body VIRUS_WARNING251 /The file .{1,50} has been replaced as it contains the\s+.{1,50} virus\./
1497     describe VIRUS_WARNING251 Unhelpful GroupShield/Exch 'virus warning' (251)
1498     score VIRUS_WARNING251 20
1499    
1500     # HPK
1501     rawbody VIRUS_WARNING252 /^\*+\s+McAfee GroupShield for Microsoft Exchange\s+\*+$/
1502     describe VIRUS_WARNING252 Unhelpful GroupShield/Exch 'virus warning' (252)
1503     score VIRUS_WARNING252 10
1504    
1505     # TJ
1506     body VIRUS_WARNING253 /please (check your system for viruses|update your virus scanner|run an antivirus program)/i
1507     describe VIRUS_WARNING253 Asks you to check for viruses (253)
1508     score VIRUS_WARNING253 0.5
1509    
1510     # MK
1511     # Variant on 43
1512     header VIRUS_WARNING254 Subject =~ /^VIRUS \(.{1,50}\) IN MAIL$/
1513     describe VIRUS_WARNING254 Unhelpful 'virus warning' (254)
1514     score VIRUS_WARNING254 20
1515    
1516     # MK
1517     rawbody VIRUS_WARNING255 /^VIRUS-WARNUNG$/
1518     describe VIRUS_WARNING255 Looks like unhelpful 'virus warning' (255)
1519     score VIRUS_WARNING255 5
1520    
1521     # MK
1522     rawbody VIRUS_WARNING256 /^Our virus checker found/i
1523     describe VIRUS_WARNING256 Could be unhelpful 'virus warning' (256)
1524     score VIRUS_WARNING256 3
1525    
1526     # MK
1527     rawbody VIRUS_WARNING257 /^Content violation found in email message\.$/
1528     describe VIRUS_WARNING257 Unhelpful 'virus warning' (257)
1529     score VIRUS_WARNING257 20
1530    
1531     # MK
1532     # Site-specific, sigh
1533     body VIRUS_WARNING258 /had an attachment that is not accepted by the American Red Cross Email System/
1534     describe VIRUS_WARNING258 Unhelpful 'virus warning' (258)
1535     score VIRUS_WARNING258 20
1536    
1537     # TJ
1538     # The bit in the middle has been seen as "Inbound Messages"/"Anti-Virus (Inbound)"/"Content Security (Inbound)"
1539     rawbody VIRUS_WARNING259 /^MailMarshal Rule: .{1,50} : Block (Dangerous Attachments|EXECUTABLE Files|Known Virus Attachments|Virus|Stripped Attachments|Executables|Script and Code)$/
1540     describe VIRUS_WARNING259 Unhelpful MailMarshal 'virus warning' (259)
1541     score VIRUS_WARNING259 20
1542    
1543     # DJM/AF
1544     rawbody VIRUS_WARNING260 /^(ScanMail for Microsoft Exchange has detected virus-infected attachment\(s\)\.|Warning to sender\. ScanMail has detected a virus in an email you sent\.)$/
1545     describe VIRUS_WARNING260 Unhelpful ScanMail/Exch 'virus warning' (260)
1546     score VIRUS_WARNING260 20
1547    
1548     # AF
1549     # Not null-sender
1550     header VIRUS_WARNING261 Subject =~ /^Alerte de l'Anti-virus$/
1551     describe VIRUS_WARNING261 Unhelpful 'virus warning' (261)
1552     score VIRUS_WARNING261 20
1553    
1554     # AF
1555     # Seen with 261
1556     rawbody VIRUS_WARNING262 /^Details: (.{1,50}) Infected with/
1557     describe VIRUS_WARNING262 Unhelpful 'virus warning'? (262)
1558     score VIRUS_WARNING262 5
1559    
1560     # AF
1561     header VIRUS_WARNING263 Subject =~ /^Attachment Filter$/
1562     describe VIRUS_WARNING263 Unhelpful 'virus warning' (263)
1563     score VIRUS_WARNING263 10
1564    
1565     # AF
1566     # With/without null sender
1567     body VIRUS_WARNING264 /\*\*\*L'anti-virus AXERGY a détecté un virus (et l'a enlevé|ou une pièce jointe interdite dans ce mail)/
1568     describe VIRUS_WARNING264 Unhelpful 'virus warning' (264)
1569     score VIRUS_WARNING264 20
1570    
1571     # AF
1572     # DSN: Null, CT
1573     # Big thanks to Alan for helping to get rid of this big annoyance!
1574     # AOL handle aol.com, netscape.net, cs.com
1575     full __VIRUS_WARNING265 /mx\.aol\.com..The original message was received.{35,45}^from ([-.\w]+ (?<!aol\.com )\[[.\d]+\]).{1,99}^Content-Type: text\/rfc822-headers..Received: from\s\s(aol\.com|netscape\.net|cs\.com) \(\1\)/ms
1576     meta VIRUS_WARNING265 __REPORT_DSN && __VIRUS_WARNING265
1577     describe VIRUS_WARNING265 Unhelpful AOL bounce fake aol.com HELO (265)
1578     score VIRUS_WARNING265 15
1579    
1580     # AF/TJ
1581     # DSN: Null, CT
1582     # Similar to 265, but catches unqualified HELOs that aren't aol.com
1583     full __VIRUS_WARNING265A /mx\.aol\.com..The original message was received.{35,45}^from ([-.\w]+ (?<!aol\.com )\[[.\d]+\]).{1,99}^Content-Type: text\/rfc822-headers..Received: from\s\s[a-zA-Z0-9]+ \(\1\)/ms
1584     meta VIRUS_WARNING265A __REPORT_DSN && __VIRUS_WARNING265A
1585     describe VIRUS_WARNING265A Looks like unhelpful AOL virus bounce (265A)
1586     score VIRUS_WARNING265A 5
1587    
1588     # AF
1589     # DSN: Null, CT
1590     # Similar to 265, but catches mail received from hosts with no rDNS
1591     full __VIRUS_WARNING265B /mx\.aol\.com..The original message was received.{35,45}^from\s\s(\[[.\d]+\]).{1,99}^Content-Type: text\/rfc822-headers..Received: from\s\saol\.com \(\1\)/ms
1592     meta VIRUS_WARNING265B __REPORT_DSN && __VIRUS_WARNING265B
1593     describe VIRUS_WARNING265B AOL accept faked aol.com HELO (no PTR) (265B)
1594     score VIRUS_WARNING265B 15
1595    
1596     # PSI
1597     # DSN: Null, CT
1598     rawbody __VIRUS_WARNING266 /^Telenor Plus Virus Scan detected a virus in an e-mail you sent/
1599     meta VIRUS_WARNING266 __REPORT_DSN && __VIRUS_WARNING266
1600     describe VIRUS_WARNING266 Unhelpful Telenor 'virus warning' (266)
1601     score VIRUS_WARNING266 15
1602    
1603     # AF
1604     # DSN: Null
1605     # Another stupid big ISP which should know better
1606     header VIRUS_WARNING267 Subject =~ /^Mail virus incident report$/
1607     describe VIRUS_WARNING267 Unhelpful Via Networks 'virus warning' (267)
1608     score VIRUS_WARNING267 20
1609    
1610     # AF/TJ
1611     # General proactive rule - catches stuff about infections, asserted to start
1612     # of line (optionally with spaces)
1613     rawbody __VIRUS_WARNING268X /^\s*(infected(:|\s(with|file))|contain(ed|s) (a|the) (virus|viruses):|quarantine$)/i
1614     describe __VIRUS_WARNING268X Could be unhelpful 'virus warning'? (268X)
1615    
1616     # TJ
1617     # We split Sender and To off and only match if they have a preceding space
1618     # to avoid hits on forwards etc. with a Sender: header in the body
1619     rawbody __VIRUS_WARNING268A /^\s*(mail from|originator)\s*[:=]/i
1620     rawbody __VIRUS_WARNING268B /^(\s+(sender|from)\s*:|\s*(sender|from)\s*=)/i
1621     rawbody __VIRUS_WARNING268C /^\s*(((the )?(e-?)?mail )?recipient(s|\(s\))?|(e-?)?mail sent to)\s*[:=]/i
1622     rawbody __VIRUS_WARNING268D /^(\s+to\s*:|\s*to\s*=)/i
1623     meta __VIRUS_WARNING_SENDREC (__VIRUS_WARNING268A || __VIRUS_WARNING268B) && (__VIRUS_WARNING268C || __VIRUS_WARNING268D)
1624    
1625     meta VIRUS_WARNING268E (__VIRUS_WARNING268X && __VIRUS_WARNING_SENDREC)
1626     describe VIRUS_WARNING268E Looks like an unhelpful 'virus warning' (268E)
1627     score VIRUS_WARNING268E 3
1628    
1629     # May catch FP's - forwards etc. with Sender: in the body
1630     rawbody __VIRUS_WARNING268F /^(sender|from)\s*:.{1,50}/i
1631     body __VIRUS_WARNING268G /contain(ed|s) (a|the) virus/
1632    
1633     # This may catch some FP's - hence score low
1634     meta VIRUS_WARNING268H (__VIRUS_WARNING268C || __VIRUS_WARNING268D) && __VIRUS_WARNING268F && (__VIRUS_WARNING268X || __VIRUS_WARNING268G)
1635     describe VIRUS_WARNING268H Could be unhelpful 'virus warning' (268H)
1636     score VIRUS_WARNING268H 1
1637    
1638    
1639     # TJ
1640     rawbody VIRUS_WARNING269 /^This Email scanner intercepted it and stopped the entire message/
1641     describe VIRUS_WARNING269 Unhelpful 'virus warning' (269)
1642     score VIRUS_WARNING269 15
1643    
1644     # NL
1645     header VIRUS_WARNING270 Subject =~ /^Trovato virus nel messaggio/
1646     describe VIRUS_WARNING270 Unhelpful 'virus warning' (270)
1647     score VIRUS_WARNING270 10
1648    
1649     # NL
1650     rawbody VIRUS_WARNING271 /^Symantec AntiVirus ha trovato un virus in un allegato inviato/
1651     describe VIRUS_WARNING271 Unhelpful 'virus warning' (271)
1652     score VIRUS_WARNING271 5
1653    
1654     # MR
1655     header VIRUS_WARNING272 Subject =~ /^Viruswarnung$/
1656     describe VIRUS_WARNING272 Unhelpful 'virus warning' (272)
1657     score VIRUS_WARNING272 10
1658    
1659     # DJM
1660     header VIRUS_WARNING273 Subject =~ /^MailMonitor for Exchange has processed a suspicious mail$/
1661     describe VIRUS_WARNING273 Unhelpful MailMonitor/Exch 'virus warning' (273)
1662     score VIRUS_WARNING273 10
1663    
1664     # TJ
1665     body VIRUS_WARNING274 /The email you have sent to (\S+) has the virus/
1666     describe VIRUS_WARNING274 Unhelpful MIMEsweeper 'virus warning' (274)
1667     score VIRUS_WARNING274 5
1668    
1669     # TJ
1670     body VIRUS_WARNING275 /Scenarios\/Incoming/
1671     describe VIRUS_WARNING275 Unhelpful (MIMESweeper?) 'virus warning'? (275)
1672     score VIRUS_WARNING275 1
1673    
1674     # TJ
1675     # MIMESweeper?
1676     body VIRUS_WARNING276 /Threat: '[^']{1,50}' detected by '[^']{1,50}'/
1677     describe VIRUS_WARNING276 Unhelpful MIMEsweeper 'virus warning'? (276)
1678     score VIRUS_WARNING276 1
1679    
1680     # TJ
1681     body VIRUS_WARNING277 /A filename matching the file mask was detected: '[^']{1,50}'\./
1682     describe VIRUS_WARNING277 Unhelpful (MIMESweeper?) 'virus warning'? (277)
1683     score VIRUS_WARNING277 1
1684    
1685     # TJ
1686     # Sophos/MIMEsweeper
1687     meta VIRUS_WARNING278 ((VIRUS_WARNING110 + VIRUS_WARNING274 + VIRUS_WARNING275 + VIRUS_WARNING276 + VIRUS_WARNING277) > 2)
1688     describe VIRUS_WARNING278 Unhelpful Sophos/MIMEswp 'virus warning'? (277)
1689     score VIRUS_WARNING278 5
1690    
1691     # TJ
1692     # Another sadly misguided/out of date Exim user
1693     rawbody VIRUS_WARNING279 /^===== WARNING! WARNING! WARNING! - POSSIBLE VIRUS!/
1694     describe VIRUS_WARNING279 Unhelpful 'virus warning' (279)
1695     score VIRUS_WARNING279 20
1696    
1697     # JT
1698     # eTrust Lotus Notes Domino
1699     header VIRUS_WARNING280 Subject =~ /^eTrust Antivirus Lotus Notes Domino Option detected virus!$/
1700     describe VIRUS_WARNING280 Unhelpful eTrust/Domino 'virus warning' (280)
1701     score VIRUS_WARNING280 20
1702    
1703     # TJ
1704     rawbody VIRUS_WARNING281 /^The Ansbacher Email Gateway has stopped the following message:$/
1705     describe VIRUS_WARNING281 Unhelpful 'virus warning' (281)
1706     score VIRUS_WARNING281 20
1707    
1708     # TJ
1709     rawbody VIRUS_WARNING282 /^Status: 550 .{1,50} Unacceptable attachment \(170\)./
1710     describe VIRUS_WARNING282 Unhelpful 'virus warning' (282)
1711     score VIRUS_WARNING282 10
1712    
1713     # PSI
1714     header VIRUS_WARNING283 Subject =~ /^Symantec Mail Security detected that you sent a message containing prohibited content$/
1715     describe VIRUS_WARNING283 Unhelpful Symantec 'virus warning' (283)
1716     score VIRUS_WARNING283 20
1717    
1718     # VD
1719     header VIRUS_WARNING284 Subject =~ /^Virus infection detected!!!$/
1720     describe VIRUS_WARNING284 Unhelpful 'virus warning' (284)
1721     score VIRUS_WARNING284 20
1722    
1723     # AF
1724     header VIRUS_WARNING285 Subject =~ /^gefaehrlicher Anhang \(.{1,50}\) FROM YOUR E- MAIL ADDRESS$/
1725     describe VIRUS_WARNING285 Unhelpful 'virus warning' (285)
1726     score VIRUS_WARNING285 20
1727    
1728     # TJ
1729     # Not null sender, or any other DSN indications
1730     header VIRUS_WARNING286 Subject =~ /^Warning - Virus detected in email$/
1731     describe VIRUS_WARNING286 Unhelpful 'virus warning' (286)
1732     score VIRUS_WARNING286 20
1733    
1734     # TJ
1735     # Seen from postmaster@g-icap.com, no DSN indications
1736     rawbody VIRUS_WARNING287 /^This message has been blocked because it contains a virus\./
1737     describe VIRUS_WARNING287 Unhelpful 'virus warning' (287)
1738     score VIRUS_WARNING287 20
1739    
1740     # HD
1741     header VIRUS_WARNING288 Subject =~ /-- Email Scanner Report \[\d+\]$/
1742     describe VIRUS_WARNING288 Looks like unhelpful 'virus warning' (288)
1743     score VIRUS_WARNING288 5
1744    
1745     # HD
1746     rawbody VIRUS_WARNING289 /^Your email to <[^>]{1,50}> was blocked by our email scanning system!$/
1747     describe VIRUS_WARNING289 Unhelpful 'virus warning' (289)
1748     score VIRUS_WARNING289 20
1749    
1750     # PSI
1751     # No DSN indications
1752     header VIRUS_WARNING290 X-Originator =~ /^MailScan$/
1753     describe VIRUS_WARNING290 Unhelpful MailScan 'virus warning' (290)
1754     score VIRUS_WARNING290 5
1755    
1756     # PSI
1757     # See also 290
1758     header VIRUS_WARNING291 Subject =~ /^Virus Warning from MailScan to Mail-Sender!$/
1759     describe VIRUS_WARNING291 Unhelpful MailScan 'virus warning' (291)
1760     score VIRUS_WARNING291 20
1761    
1762     # TJ
1763     # DSN: Null, CT, !Attach
1764     # This rule MUST check for DSN; InterScan sometimes adds this junk to
1765     # non-infected mails
1766     rawbody __VIRUS_WARNING292 /^\*+\s*Message from InterScan E-Mail VirusWall NT\s*\*+$/
1767     meta VIRUS_WARNING292 __REPORT_DSN && __VIRUS_WARNING292
1768     describe VIRUS_WARNING292 Unhelpful InterScan 'virus warning' (292)
1769     score VIRUS_WARNING292 20
1770    
1771     # TJ
1772     # DSN: No DSN indications
1773     # Seen from MAILsweeper@Dyson.com
1774     header VIRUS_WARNING293 Subject =~ /^Warning Possible Virus Alert !!!$/
1775     describe VIRUS_WARNING293 Unhelpful MAILsweeper 'virus warning' (293)
1776     score VIRUS_WARNING293 20
1777    
1778     # TJ
1779     # DSN: Null, CT, !Attach
1780     rawbody VIRUS_WARNING294 /^The attachment to your E-mail has been disabled by the SonicWALL Virus Filter\./
1781     describe VIRUS_WARNING294 Unhelpful SonicWALL 'virus warning' (294)
1782     score VIRUS_WARNING294 20
1783    
1784     # AF
1785     # DSN: None
1786     rawbody VIRUS_WARNING295 /^A message filter removed the following attachment\(s\) from this message: .{1,50}/
1787     describe VIRUS_WARNING295 Unhelpful 'virus warning' (295)
1788     score VIRUS_WARNING295 10
1789    
1790     # AF
1791     # DSN: Null
1792     # Custom message from some particularly clue-impaired people at iucindore.ernet.in
1793     rawbody VIRUS_WARNING296 /^Viruswall at IUC server has scaned the mail\.$/
1794     describe VIRUS_WARNING296 Unhelpful 'virus warning' (296)
1795     score VIRUS_WARNING296 20
1796    
1797     # AF
1798     # DSN: Null, but could potentially vary as we're trying to catch instances
1799     # where someone scans the mail but bounces the infected version
1800     rawbody VIRUS_WARNING297 /^X-AMaViS-Alert: INFECTED, message contains virus:/
1801     describe VIRUS_WARNING297 Unhelpful 'virus warning' (297)
1802     score VIRUS_WARNING297 20
1803    
1804     # TJ
1805     header VIRUS_WARNING298 Subject =~ /^\[Magic OnLine\] Suppression du Virus/
1806     describe VIRUS_WARNING298 Unhelpful Magic OnLine 'virus warning' (296)
1807     score VIRUS_WARNING298 20
1808    
1809     # PB
1810     # See also 19
1811     rawbody VIRUS_WARNING299 /^Recipient of the infected attachment:/
1812     describe VIRUS_WARNING299 Unhelpful Norton Antivirus 'virus warning' (299)
1813     score VIRUS_WARNING299 5
1814    
1815     # AF
1816     # This should be caught by other MailScanner rules, but is here in case
1817     # they fail (e.g. bounced bounce etc.)
1818     rawbody VIRUS_WARNING300 /^Warning: Please read the "VirusWarning\.txt" attachment\(s\) for more information\.$/
1819     describe VIRUS_WARNING300 Unhelpful MailScanner 'virus warning' (300)
1820     score VIRUS_WARNING300 20
1821    
1822     # HD
1823     #Trend Micro GateLock
1824     header VIRUS_WARNING301 Subject =~ /^GateLock (Virus Notification|Viren-Benachrichtigung)\.$/
1825     describe VIRUS_WARNING301 Unhelpful GateLock 'virus warning' (301)
1826     score VIRUS_WARNING301 20
1827    
1828     # DP
1829     header VIRUS_WARNING302 Subject =~ /^NOTICE - Rejected atta?chment$/
1830     describe VIRUS_WARNING302 Unhelpful Watchdog 'virus warning' (302)
1831     score VIRUS_WARNING302 20
1832    
1833     # TJ
1834     # DSN: Null
1835     # Seen with "Creative Labs corporate" in place of .{1,50}; not sure if a customised
1836     # message or not
1837     # MessageSoft StormMail
1838     header VIRUS_WARNING303 Subject =~ /^The .{1,50} email system has detected a banned or restricted attachment in your mail\./
1839     describe VIRUS_WARNING303 Unhelpful StormMail 'virus warning' (303)
1840     score VIRUS_WARNING303 20
1841    
1842     # TJ
1843     # see also 303
1844     # MessageSoft StormMail
1845     header VIRUS_WARNING304 X-Mailer =~ /^MessageSoft StormMail$/
1846     describe VIRUS_WARNING304 Unhelpful StormMail 'virus warning'? (304)
1847     score VIRUS_WARNING304 5
1848    
1849     # HD
1850     rawbody VIRUS_WARNING305 /^A potentially dangerous document attachment not complying with our IT Security policy has been detected/
1851     describe VIRUS_WARNING305 Unhelpful 'virus warning' (305)
1852     score VIRUS_WARNING305 10
1853    
1854     # MK
1855     header VIRUS_WARNING306 Subject =~ /^VIRUS WARNING( :)?$/
1856     describe VIRUS_WARNING306 Unhelpful 'virus warning' (306)
1857     score VIRUS_WARNING306 20
1858    
1859     # MK/JT
1860     header VIRUS_WARNING307 Subject =~ /^Virus Found\.?$/i
1861     describe VIRUS_WARNING307 Unhelpful 'virus warning' (307)
1862     score VIRUS_WARNING307 20
1863    
1864     # MK
1865     header VIRUS_WARNING308 Subject =~ /^AVAST ALERT$/
1866     describe VIRUS_WARNING308 Unhelpful Avast/Exch 'virus warning' (308)
1867     score VIRUS_WARNING308 20
1868    
1869     # MK
1870     # Seen with 308
1871     rawbody VIRUS_WARNING309 /^You sent an infected message!$/
1872     describe VIRUS_WARNING309 Unhelpful Avast/Exch 'virus warning' (309)
1873     score VIRUS_WARNING309 5
1874    
1875     # MK
1876     header VIRUS_WARNING310 Subject =~ /^Atención: Virus detectado en e-mail$/
1877     describe VIRUS_WARNING310 Unhelpful 'virus warning' (310)
1878     score VIRUS_WARNING310 20
1879    
1880     # MK
1881     header VIRUS_WARNING311 Subject =~ /^Virus detected in:/
1882     describe VIRUS_WARNING311 Unhelpful 'virus warning' (311)
1883     score VIRUS_WARNING311 10
1884    
1885     # MK/TJ
1886     header VIRUS_WARNING312 Subject =~ /^\[GWAVA:[a-z0-9]+\] (Attachment block|Virus detect) message notification$/
1887     describe VIRUS_WARNING312 Unhelpful Novell GroupWise 'virus warning' (312)
1888     score VIRUS_WARNING312 20
1889    
1890     # MK/JT
1891     rawbody VIRUS_WARNING313 /^\*+ (eManager|Content Filter) Notification \*+$/
1892     describe VIRUS_WARNING313 Unhelpful eManager 'virus warning' (313)
1893     score VIRUS_WARNING313 20
1894    
1895     # MK
1896     rawbody VIRUS_WARNING314 /^Rejected by Kingsoft-EYOU Antivirus Gateway for the following reason:$/
1897     describe VIRUS_WARNING314 Unhelpful Kingsoft 'virus warning' (314)
1898     score VIRUS_WARNING314 20
1899    
1900     # MK
1901     header VIRUS_WARNING315 Subject =~ /^Message Blocked /
1902     describe VIRUS_WARNING315 Could be an unhelpful 'virus warning' (315)
1903     score VIRUS_WARNING315 3
1904    
1905     # MK
1906     header VIRUS_WARNING316 Subject =~ /^\s*File was infected with a virus$/
1907     describe VIRUS_WARNING316 Unhelpful 'virus warning' (316)
1908     score VIRUS_WARNING316 20
1909    
1910     # MK
1911     header VIRUS_WARNING317 Subject =~ /^\*\*\* You have sent a virus !$/
1912     describe VIRUS_WARNING317 Unhelpful 'virus warning' (317)
1913     score VIRUS_WARNING317 20
1914    
1915     # MK
1916     rawbody VIRUS_WARNING318 /^WARNING - Virus detected in message:$/
1917     describe VIRUS_WARNING318 Unhelpful 'virus warning' (318)
1918     score VIRUS_WARNING318 20
1919    
1920     # TJ
1921     rawbody VIRUS_WARNING319 /^Requested action not taken: virus detected$/
1922     describe VIRUS_WARNING319 Unhelpful 'virus warning' (319)
1923     score VIRUS_WARNING319 20
1924    
1925     # PSI
1926     # DSN: Null
1927     rawbody VIRUS_WARNING320 /^This following attachments is removed by TBS Virus Scan/
1928     describe VIRUS_WARNING320 Unhelpful TBS Virus Scan 'virus warning' (320)
1929     score VIRUS_WARNING320 20
1930    
1931     # PSI
1932     # See also 320
1933     # DSN: Null
1934     header VIRUS_WARNING321 Subject =~ /^NOTICE - Attachments removed$/
1935     describe VIRUS_WARNING321 Unhelpful TBS Virus Scan 'virus warning' (321)
1936     score VIRUS_WARNING321 10
1937    
1938     # MK
1939     header VIRUS_WARNING322A Subject =~ /\(Blocked attachment\)$/
1940     describe VIRUS_WARNING322A Looks like unhelpful XWall 'virus warning' (322A)
1941     score VIRUS_WARNING322A 2
1942    
1943     header __VIRUS_WARNING322B X-Mailer =~ /^XWall v/
1944    
1945     meta VIRUS_WARNING322 VIRUS_WARNING322A && __VIRUS_WARNING322B
1946     describe VIRUS_WARNING322 Unhelpful XWall 'virus warning' (322)
1947     score VIRUS_WARNING322 20
1948    
1949     # AF
1950     # Also seen bounced, see 324
1951     header VIRUS_WARNING323 Subject =~ /^\[VIRUS FOUND AND REMOVED\]/
1952     describe VIRUS_WARNING323 Unhelpful 'virus warning' (323)
1953     score VIRUS_WARNING323 10
1954    
1955     # AF
1956     rawbody __VIRUS_WARNING324 /^Subject: \[VIRUS FOUND AND REMOVED\]/
1957     meta VIRUS_WARNING324 __VIRUS_WARNING324 && __REPORT_DSN
1958     describe VIRUS_WARNING324 Unhelpful 'virus warning' (324)
1959     score VIRUS_WARNING324 10
1960    
1961     # AF
1962     # DSN: Null, CT
1963     rawbody VIRUS_WARNING325 /^\s*Reason: Virus \S+ is detected!$/
1964     describe VIRUS_WARNING325 Unhelpful 'virus warning' (325)
1965     score VIRUS_WARNING325 20
1966    
1967     # AF/TJ
1968     full VIRUS_WARNING326 /Content-type: text\/plain; Name=VirusAlert.txt/
1969     describe VIRUS_WARNING326 Unhelpful MailScanner 'virus warning'? (326)
1970     score VIRUS_WARNING326 3
1971    
1972     # AF
1973     # DSN: Anyone's guess. Has been seen forging the victim as RP etc.
1974     # TJ: There has got to be a better way of doing "multiline text anchored
1975     # to start of a line" than this...if anyone knows please tell me!
1976     body __VIRUS_WARNING327A /An attachment named \S+ was removed from this document as it constituted a security hazard\./
1977     rawbody __VIRUS_WARNING327B /^An attachment named \S+ was removed from this document as it$/
1978     meta VIRUS_WARNING327 __VIRUS_WARNING327A && __VIRUS_WARNING327B
1979     describe VIRUS_WARNING327 Unhelpful MIMEDefang 'virus warning' (327)
1980     score VIRUS_WARNING327 10
1981    
1982     # TJ
1983     # DSN: Null
1984     header VIRUS_WARNING328 Subject =~ /^VIRUS REJECT$/
1985     describe VIRUS_WARNING328 Unhelpful 'virus warning' (328)
1986     score VIRUS_WARNING328 20
1987    
1988     # AS
1989     header VIRUS_WARNING329 Subject =~ /^BitDefender found an infected object$/
1990     describe VIRUS_WARNING329 Unhelpful 'virus warning' (329)
1991     score VIRUS_WARNING329 20
1992    
1993     # TJ
1994     # DSN: None
1995     body VIRUS_WARNING330 /the message with following attributes has not been delivered, because it contains infected object\(s\)./
1996     describe VIRUS_WARNING330 Unhelpful 'virus warning' (330)
1997     score VIRUS_WARNING330 10
1998    
1999     # TJ
2000     body VIRUS_WARNING331 /A message sent from, or apparently sent from, your email address, failed due to the presence of files frequently used to transmit viruses \(\.scr\/\.zip\/\.bat\/\.com\/\.exe\)\./
2001     describe VIRUS_WARNING331 Unhelpful 'virus warning' (331)
2002     score VIRUS_WARNING331 15
2003    
2004     # AF
2005     # DSN: None
2006     header VIRUS_WARNING332 Subject =~ /^\[Computer Cops\] Infected Email Found$/
2007     describe VIRUS_WARNING332 Unhelpful 'virus warning' (332)
2008     score VIRUS_WARNING332 20
2009    
2010     # AF
2011     rawbody VIRUS_WARNING333 /^\*+ UNSAFE FILE IS REJECTED! \*+$/
2012     describe VIRUS_WARNING333 Unhelpful 'virus warning' (333)
2013     score VIRUS_WARNING333 20
2014    
2015     # AF
2016     rawbody VIRUS_WARNING334 /^\s*Reason: This email is rejected because an unsafe file is found:/
2017     describe VIRUS_WARNING334 Unhelpful 'virus warning' (334)
2018     score VIRUS_WARNING334 10
2019    
2020     # TJ
2021     # Custom? From Uni. of Sydney
2022     # DSN: Null, CT
2023     rawbody VIRUS_WARNING335 /^\# The following files were found to be malicious and removed:$/
2024     describe VIRUS_WARNING335 Unhelpful 'virus warning' (335)
2025     score VIRUS_WARNING335 20
2026    
2027     # AF
2028     rawbody VIRUS_WARNING336 /^the message contains virus/
2029     describe VIRUS_WARNING336 Could be unhelpful KAV 'virus warning' (336)
2030     score VIRUS_WARNING336 1
2031    
2032     # AF
2033     rawbody VIRUS_WARNING337 /^\s*The message contains file attachments that are not permitted\.\s*$/
2034     describe VIRUS_WARNING337 Unhelpful Guinevere AV 'virus warning' (337)
2035     score VIRUS_WARNING337 10
2036    
2037     # TJ
2038     # Could be custom message - seen from postmaster@disney.com
2039     # DSN: Null
2040     header VIRUS_WARNING338 Subject =~ /^Warning: Message Not Delivered - Attachment Restriction$/
2041     describe VIRUS_WARNING338 Unhelpful 'virus warning' (338)
2042     score VIRUS_WARNING338 20
2043    
2044     # TJ
2045     # DSN: Null, CT, !Attach
2046     rawbody VIRUS_WARNING339 /^Warning: Please read the "ISSWarning\.txt" attachment\(s\) for more information\.$/
2047     describe VIRUS_WARNING339 Unhelpful MailScanner 'virus warning' (339)
2048     score VIRUS_WARNING339 20
2049    
2050     # TJ
2051     rawbody VIRUS_WARNING340 /^Warning: This message has had one or more attachments removed$/
2052     describe VIRUS_WARNING340 Unhelpful MailScanner 'virus warning' (340)
2053     score VIRUS_WARNING340 10
2054    
2055     # TJ/TV
2056     header VIRUS_WARNING341 Subject =~ /^eTrust Antivirus Gateway (SMTP|POP3): Virus notification message$/
2057     describe VIRUS_WARNING341 Unhelpful eTrust 'virus warning' (341)
2058     score VIRUS_WARNING341 20
2059    
2060     # TJ
2061     header VIRUS_WARNING342 Subject =~ /^AUTOMATED EMAIL BLOCK: VIRUS$/
2062     describe VIRUS_WARNING342 Unhelpful 'virus warning' (342)
2063     score VIRUS_WARNING342 20
2064    
2065     # TJ
2066     # Hopefully this should really kill all the variations of VirusWall/eManager junk
2067     header VIRUS_WARNING343 InterScan-Notification =~ /^yes$/
2068     describe VIRUS_WARNING343 Unhelpful InterScan 'virus warning' (343)
2069     score VIRUS_WARNING343 20
2070    
2071     # TJ
2072     # seen as VIRUS (foobar) EM SUA MENSAGEM
2073     # DSN: Null, CT
2074     header VIRUS_WARNING344 Subject =~ /^VIRUS.{0,99} EM SUA MENSAGEM$/
2075     describe VIRUS_WARNING344 Unhelpful 'virus warning' (344)
2076     score VIRUS_WARNING344 20
2077    
2078     # AF
2079     body VIRUS_WARNING345 /(This message contained attachments that have been blocked by Guinevere|This is an automatic message from the Guinevere Internet Antivirus Scanner)\./
2080     describe VIRUS_WARNING345 Unhelpful Guinevere 'virus warning' (345)
2081     score VIRUS_WARNING345 5
2082    
2083     rawbody VIRUS_WARNING345A /^\s*The message (apparently|probably) contains a virus\.\s*$/
2084     describe VIRUS_WARNING345A Uhelpful Guinevere 'virus warning'? (345A)
2085     score VIRUS_WARNING345A 2
2086    
2087     meta VIRUS_WARNING345B VIRUS_WARNING345 && VIRUS_WARNING345A
2088     describe VIRUS_WARNING345B Unhelpful Guinevere 'virus warning' (345B)
2089     score VIRUS_WARNING345B 10
2090    
2091     # AF
2092     # Guinevere crap again
2093     rawbody VIRUS_WARNING346 /^\w+\s+attachment type\(s\) blocked\s*$/
2094     describe VIRUS_WARNING346 Unhelpful Guinevere 'virus warning' (346)
2095     score VIRUS_WARNING346 5
2096    
2097     # AF
2098     rawbody VIRUS_WARNING347 /^KAV for MS Exchange Report on detecting virus in the following message:$/
2099     describe VIRUS_WARNING347 Unhelpful KAV 'virus warning' (347)
2100     score VIRUS_WARNING347 10
2101    
2102     # AF
2103     header VIRUS_WARNING348 Subject =~ /Report Message from KAV for MS Exchange Server/
2104     describe VIRUS_WARNING348 Unhelpful KAV 'virus warning'? (348)
2105     score VIRUS_WARNING348 3
2106    
2107     # TJ
2108     # DSN: none, modified message
2109     full VIRUS_WARNING349 /filename="Panda_Alert\.txt"/
2110     describe VIRUS_WARNING349 Unhelpful Panda Antivirus 'virus warning' (349)
2111     score VIRUS_WARNING349 10
2112    
2113     # TJ
2114     # DSN: none, modified message
2115     rawbody VIRUS_WARNING350 /^Panda Antivirus has found a virus in:/
2116     describe VIRUS_WARNING350 Unhelpful Panda Antivirus 'virus warning' (350)
2117     score VIRUS_WARNING350 10
2118    
2119     # TJ
2120     # DSN: unknown
2121     rawbody VIRUS_WARNING351 /^Message from SENDER was quarantined because it contained banned$/
2122     describe VIRUS_WARNING351 Unhelpful 'virus warning' (351)
2123     score VIRUS_WARNING351 20
2124    
2125     # AF
2126     # DSN: None
2127     rawbody VIRUS_WARNING352 /^This Mail has a Virus and has been blocked!$/
2128     describe VIRUS_WARNING352 Unhelpful 'virus warning' (352)
2129     score VIRUS_WARNING352 20
2130    
2131     # TJ
2132     # DSN: Null, CT
2133     # This regex is extraordinarily sensitive for some reason (surely "\s+.{1,50}\s+"
2134     # should be the same as "[^"]{1,50}" ? Apparently not!); handle with care!
2135     full VIRUS_WARNING353 /Your message was not delivered to the following recipients:\s*.{1,50}\s*:\s*Email rejected\s+because the attachment\s+.{1,50}\s+could contain a virus\./m
2136     describe VIRUS_WARNING353 Unhelpful 'virus warning' (353)
2137     score VIRUS_WARNING353 20
2138    
2139     # PSI
2140     # DSN: None
2141     rawbody __VIRUS_WARNING354A /\s*The email contained the virus: .{0,99}$/
2142     header __VIRUS_WARNING354B X-Nmp-Notice-Type =~ /^A message from you was blocked/
2143     meta VIRUS_WARNING354 __VIRUS_WARNING354A && __VIRUS_WARNING354B
2144     describe VIRUS_WARNING354 Unhelpful 'virus warning' (354)
2145     score VIRUS_WARNING354 20
2146    
2147     # GD/JT
2148     # DSN: None
2149     # TJ: This is sometimes sent in HTML, so cannot assert the body text
2150     header __VIRUS_WARNING355A Subject =~ /^Report to Sender$/
2151     body __VIRUS_WARNING355B /Incident Information:-/
2152     body __VIRUS_WARNING355C /infected with the \S+ virus and was/
2153     meta VIRUS_WARNING355 __VIRUS_WARNING355A && __VIRUS_WARNING355B && __VIRUS_WARNING355C
2154     describe VIRUS_WARNING355 Unhelpful Lotus Notes 'virus warning' (355)
2155     score VIRUS_WARNING355 20
2156    
2157     # HD
2158     # DSN: None
2159     rawbody VIRUS_WARNING356 /^A mail message with subject "[^"]{1,50}" has been found to contain a virus!$/
2160     describe VIRUS_WARNING356 Unhelpful 'virus warning' (356)
2161     score VIRUS_WARNING356 20
2162    
2163     # AF
2164     # DSN: Null, CT
2165     header VIRUS_WARNING357 Subject =~ /^\*\*Message you sent blocked by our bulk email filter\*\*$/
2166     describe VIRUS_WARNING357 Unhelpful 'virus warning' (357)
2167     score VIRUS_WARNING357 20
2168    
2169     # TJ
2170     # DSN: Null
2171     rawbody VIRUS_WARNING358 /^The above email was not delivered to the intended recipient as it was found to contain a virus\. The details of the message are as follows:$/
2172     describe VIRUS_WARNING358 Unhelpful 'virus warning' (358)
2173     score VIRUS_WARNING358 20
2174    
2175     # AF
2176     # DSN: None
2177     header __VIRUS_WARNING359A Subject =~ /^VIRUS POSLAN SA VASE ADRESE/
2178     rawbody __VIRUS_WARNING359B /^UPOZORENJE O VIRUSIMA!$/
2179     meta VIRUS_WARNING359 __VIRUS_WARNING359A || __VIRUS_WARNING359B
2180     describe VIRUS_WARNING359 Unhelpful 'virus warning' (359)
2181     score VIRUS_WARNING359 20
2182    
2183     # HD
2184     header VIRUS_WARNING360 Subject =~ /^virus in outgoing mail$/
2185     describe VIRUS_WARNING360 Unhelpful 'virus warning' (360)
2186     score VIRUS_WARNING360 20
2187    
2188     # JT
2189     # DSN: Null, CT
2190     rawbody VIRUS_WARNING361 /^WARNING -- A POSSIBLE VIRUS WAS DETECTED IN THIS MAIL MESSAGE$/
2191     describe VIRUS_WARNING361 Unhelpful 'virus warning' (361)
2192     score VIRUS_WARNING361 20
2193    
2194     # MB
2195     body VIRUS_WARNING362 /\bThe mail you have sent to one of our users is infected by a virus\b/
2196     describe VIRUS_WARNING362 Unhelpful 'virus warning' (361)
2197     score VIRUS_WARNING362 20
2198    
2199     # TJ
2200     header VIRUS_WARNING363 Subject =~ /^Warning: Virus found by AVAS Anti-Virus module$/
2201     describe VIRUS_WARNING363 Unhelpful AVAS 'virus warning' (363)
2202     score VIRUS_WARNING363 20
2203    
2204     # TJ
2205     # see http://www.antespam.co.uk/, run by David Pinnegar; further information at:
2206     # http://www.antespam.co.uk/how-we-filter-spam/
2207     # http://www.info-team.co.uk/david.pinnegar/
2208     # http://www.hammerwood.mistral.co.uk/compdoc.htm
2209     # http://www.info-world.com/spam.diagnosis/
2210     # http://www.info-team.co.uk/spam-stopper.php
2211     # Although acknowledging that they arise, David asserts that BVAs from his
2212     # systems are not sent out as a "blanket" response to viruses.
2213     #
2214     # This rule is therefore commented out by default for now.
2215     # Make your own decision about whether to enable it or not; you can contact
2216     # David via the above site to discuss his policies.
2217     #rawbody VIRUS_WARNING364 /^www.antespam.co.uk has intercepted a message from your address:-$/
2218     #describe VIRUS_WARNING364 Unhelpful 'virus warning' (364)
2219     #score VIRUS_WARNING364 20
2220    
2221     # AF/TJ
2222     full __VIRUS_WARNING365 /Content-Disposition: attachment;\s*filename=\"DELETED0.TXT\"/m
2223     meta VIRUS_WARNING365 __REPORT_DSN && __VIRUS_WARNING365
2224     describe VIRUS_WARNING365 Unhelpful 'virus warning' (365)
2225     score VIRUS_WARNING365 20
2226    
2227     # TJ
2228     full __VIRUS_WARNING366 /Content-Disposition: attachment;\s*filename=\"AV_nocleanMsg\.txt\"/m
2229     meta VIRUS_WARNING366 __REPORT_DSN && __VIRUS_WARNING366
2230     describe VIRUS_WARNING366 Unhelpful 'virus warning' (366)
2231     score VIRUS_WARNING366 20
2232    
2233     # JT
2234     # DSN: Null, CT
2235     rawbody __VIRUS_WARNING367 /^554 5\.7\.1 Virus \S+ found in mail - rejected$/
2236     meta VIRUS_WARNING367 __REPORT_DSN && __VIRUS_WARNING367
2237     describe VIRUS_WARNING367 Unhelpful 'virus warning' (367)
2238     score VIRUS_WARNING367 20
2239    
2240     # AF
2241     # DSN: Null, CT
2242     rawbody VIRUS_WARNING368 /^\[Attachment denied by WatchGuard SMTP proxy/
2243     describe VIRUS_WARNING368 Unhelpful 'virus warning' (368)
2244     score VIRUS_WARNING368 20
2245    
2246     # TJ
2247     # DSN: Null
2248     header VIRUS_WARNING369 Subject =~ /^Warning: E-mail virus detected$/
2249     describe VIRUS_WARNING369 Unhelpful 'virus warning' (369)
2250     score VIRUS_WARNING369 20
2251    
2252     # AF
2253     # DSN: Null
2254     header VIRUS_WARNING370 X-Mailer =~ /^ProScan Mail scanner$/
2255     describe VIRUS_WARNING370 Unhelpful ProScan 'virus warning' (370)
2256     score VIRUS_WARNING370 20
2257    
2258     # AF
2259     # DSN: Null
2260     # See also 370 - goes alongside it
2261     rawbody VIRUS_WARNING371 /^\s*The file attached to following mail is infected with virus\.$/
2262     describe VIRUS_WARNING371 Unhelpful 'virus warning' (371)
2263     score VIRUS_WARNING371 20
2264    
2265     # AF
2266     # DSN: Null, CT
2267     # This is for bounced collateral munged by a scanner
2268     rawbody VIRUS_WARNING372 /Subject: \[PMX:suspect attachment\]/
2269     describe VIRUS_WARNING372 Unhelpful 'virus warning' (372)
2270     score VIRUS_WARNING372 20
2271    
2272     # PB
2273     rawbody VIRUS_WARNING373 /^Il contenait un fichier attache non autoris/
2274     describe VIRUS_WARNING373 Unhelpful 'virus warning' (373)
2275     score VIRUS_WARNING373 20
2276    
2277     # PB
2278     rawbody VIRUS_WARNING374 /^Our SPAM\/CONTENT filter has rejected your message/
2279     describe VIRUS_WARNING374 Unhelpful 'virus warning' (374)
2280     score VIRUS_WARNING374 20
2281    
2282     # AF
2283     # DSN: None
2284     rawbody VIRUS_WARNING375 /^\s*AAPT Anti Virus has detected a virus contained in this email attachment/
2285     describe VIRUS_WARNING375 Unhelpful 'virus warning' (375)
2286     score VIRUS_WARNING375 20
2287    
2288     # TJ
2289     # DSN: Null
2290     # It's a shame some of the largest e-mail providers in the world
2291     # (Yahoo in this case) are such idiots and hypocrites (wrt "anti-spam")
2292     body VIRUS_WARNING376 /554 5\.7\.1 Message cannot be accepted, virus found/
2293     describe VIRUS_WARNING376 Unhelpful 'virus warning' (376)
2294     score VIRUS_WARNING376 20
2295    
2296     # AF
2297     # DSN: Null, CT
2298     header VIRUS_WARNING377 Subject =~ /^ALERTE VIRUS !$/
2299     describe VIRUS_WARNING377 Unhelpful 'virus warning' (377)
2300     score VIRUS_WARNING377 20
2301    
2302     # TJ
2303     # DSN: Null
2304     rawbody VIRUS_WARNING378 /^Attachment has been removed due to the presence of the following virus:$/
2305     describe VIRUS_WARNING378 Unhelpful 'virus warning' (378)
2306     score VIRUS_WARNING378 20
2307    
2308     # TJ
2309     # as seen in 378
2310     full VIRUS_WARNING379 /filename="ReplText6\.txt"/
2311     describe VIRUS_WARNING379 Could be unhelpful 'virus warning' (379)
2312     score VIRUS_WARNING379 0.8
2313    
2314     # RP
2315     rawbody VIRUS_WARNING380 /^This message was rejected due to a possible virus\.$/
2316     describe VIRUS_WARNING380 Unhelpful 'virus warning' (380)
2317     score VIRUS_WARNING380 20
2318    
2319     # PSI
2320     # DSN: Null
2321     rawbody VIRUS_WARNING381 /^Sender Note - Inbound Virus Found$/
2322     describe VIRUS_WARNING381 Unhelpful 'virus warning' (381)
2323     score VIRUS_WARNING381 20
2324    
2325     # TJ
2326     # DSN: None
2327     body VIRUS_WARNING382 /it contains an attachment that does not conform to the HMV Email Policy/
2328     describe VIRUS_WARNING382 Unhelpful HMV 'virus warning' (382)
2329     score VIRUS_WARNING382 20
2330    
2331     # TJ
2332     # DSN: Null
2333     header VIRUS_WARNING383 Subject =~ /^Unfortunately your message was blocked as a possible Virus was detected\.$/
2334     describe VIRUS_WARNING383 Unhelpful 'virus warning' (383)
2335     score VIRUS_WARNING383 20
2336    
2337     # MB
2338     # DSN: Null
2339     header VIRUS_WARNING384 Subject =~ /^Virus trovato in un messaggio inviato/
2340     describe VIRUS_WARNING384 Unhelpful 'virus warning' (384)
2341     score VIRUS_WARNING384 20
2342    
2343     # MB
2344     # DSN: Null
2345     header VIRUS_WARNING385 Subject =~ /^ACHTUNG! Sie haben eine mit einem Virus infizierte Mail verschickt\.$/
2346     describe VIRUS_WARNING385 Unhelpful 'virus warning' (385)
2347     score VIRUS_WARNING385 20
2348    
2349     # AF
2350     rawbody VIRUS_WARNING386 /^The following message attachments were flagged by the antivirus scanner:$/
2351     describe VIRUS_WARNING386 Unhelpful Mirapoint 'virus warning' (386)
2352     score VIRUS_WARNING386 20
2353    
2354     # AF
2355     # DSN: none
2356     # Seen from postmaster@fife.gov.uk
2357     # They even KNOW that virus spew is forged, but still send you the junk anyway...
2358     # surely incriminating themselves!
2359     rawbody VIRUS_WARNING387 /^has not been delivered as a virus has been detected. This e-mail may not have originated from you/
2360     describe VIRUS_WARNING387 Unhelpful 'virus warning' (387)
2361     score VIRUS_WARNING387 20
2362    
2363     # AF
2364     # DSN: none
2365     header VIRUS_WARNING388 Subject =~ /^Virus Alert -/
2366     describe VIRUS_WARNING388 Unhelpful 'virus warning' (388)
2367     score VIRUS_WARNING388 10
2368    
2369     # TJ
2370     # DSN: none
2371     # seen from administrator@shgroup.org.uk
2372     rawbody VIRUS_WARNING389 /^A message with Subject: \S+ contains a virus and has been quarantined\.$/
2373     describe VIRUS_WARNING389 Unhelpful 'virus warning' (389)
2374     score VIRUS_WARNING389 20
2375    
2376     # TJ/JT
2377     # DSN: varies, this is a general rule
2378     # see also 179
2379     header VIRUS_WARNING390 Subject =~ /^VIRUS ALERT:/
2380     describe VIRUS_WARNING390 Unhelpful 'virus warning' (390)
2381     score VIRUS_WARNING390 20
2382    
2383     # JT
2384     # DSN: None
2385     # usually caught also by 390
2386     header VIRUS_WARNING391 X-Mailer =~ /^OdeiaVir/
2387     describe VIRUS_WARNING391 Unhelpful OdeiaVir 'virus warning' (391)
2388     score VIRUS_WARNING391 20
2389    
2390     # AF
2391     # DSN: null
2392     header VIRUS_WARNING392 Subject =~ /^Suppression de fichier due a un virusMail Delivery/
2393     describe VIRUS_WARNING392 Unhelpful 'virus warning' (392)
2394     score VIRUS_WARNING392 20
2395    
2396     # AF
2397     # DSN: null
2398     body VIRUS_WARNING393 /The Attachment \S+ is replaced by this message because it contained a virus:/
2399     describe VIRUS_WARNING393 Unhelpful 'virus warning' (393)
2400     score VIRUS_WARNING393 20
2401    
2402     # JT
2403     # DSN: !Attach
2404     body VIRUS_WARNING394 /A virus \(\S+\) was detected in the file \(.{1,50}\)\. Action taken\s*= remove/
2405     describe VIRUS_WARNING394 Unhelpful 'virus warning' (394)
2406     score VIRUS_WARNING394 20
2407    
2408     # AF
2409     header VIRUS_WARNING395 Received =~ /from MailMarshal/
2410     describe VIRUS_WARNING395 MailMarshal bogus 'virus warning'? (395)
2411     score VIRUS_WARNING395 3
2412    
2413     # AF
2414     header VIRUS_WARNING396 Subject =~ /^McAfee detected a virus in a document sent to you\.$/
2415     describe VIRUS_WARNING396 Unhelpful McAfee 'virus warning' (396)
2416     score VIRUS_WARNING396 20
2417    
2418     # HPK
2419     # DSN: none
2420     body VIRUS_WARNING397 /A virus was found in a message sent by this account\./
2421     describe VIRUS_WARNING397 Unhelpful 'virus warning' (397)
2422     score VIRUS_WARNING397 8
2423    
2424     # HPK
2425     # see also 397
2426     rawbody VIRUS_WARNING398 /^Result: Virus Detected$/
2427     describe VIRUS_WARNING398 Unhelpful 'virus warning' (398)
2428     score VIRUS_WARNING398 5
2429    
2430     # AF
2431     # DSN: none
2432     # matches 400 too
2433     body VIRUS_WARNING399 /The file attached to this email was removed because it is infected with the (\S+) virus\./
2434     describe VIRUS_WARNING399 Unhelpful 'virus warning' (399)
2435     score VIRUS_WARNING399 20
2436    
2437     # AF
2438     # General
2439     rawbody VIRUS_WARNING400 /^\s*name="DELETED0.TXT"$/
2440     describe VIRUS_WARNING400 Looks like unhelpful 'virus warning' (400)
2441     score VIRUS_WARNING400 5
2442    
2443     # AF/TV
2444     # DSN: none
2445     header VIRUS_WARNING401 Subject =~ /^\[VIRUS\??\]/i
2446     describe VIRUS_WARNING401 Unhelpful 'virus warning' (401)
2447     score VIRUS_WARNING401 10
2448    
2449    
2450     # HPK
2451     # DSN: CT
2452     # the next two come together
2453     rawbody VIRUS_WARNING402A /^Virus scanner reported virus infection for/
2454     describe VIRUS_WARNING402A Looks like unhelpful 'virus warning' (402A)
2455     score VIRUS_WARNING402A 5
2456    
2457     rawbody VIRUS_WARNING402B /^Reason: Virus infection$/
2458     describe VIRUS_WARNING402B Looks like unhelpful 'virus warning' (402B)
2459     score VIRUS_WARNING402B 5
2460    
2461     meta VIRUS_WARNING402C VIRUS_WARNING402A && VIRUS_WARNING402B
2462     describe VIRUS_WARNING402C Looks a lot like unhelpful 'virus warning' (402C)
2463     score VIRUS_WARNING402C 10
2464    
2465    
2466     # JT
2467     # DSN: null,CT
2468     header VIRUS_WARNING403 Subject =~ /^Returned mail: Possible Virus Infection$/
2469     describe VIRUS_WARNING403 Unhelpful 'virus warning' (403)
2470     score VIRUS_WARNING403 20
2471    
2472     # PBR
2473     # DSN: null, !Attach
2474     rawbody VIRUS_WARNING404 /^= Message body deleted by antivirus subsystem on e-mail gateway=$/
2475     describe VIRUS_WARNING404 Unhelpful 'virus warning' (404)
2476     score VIRUS_WARNING404 20
2477    
2478     # PC
2479     # DSN: unknown
2480     rawbody VIRUS_WARNING405 /^Virus: "\S+" found!$/
2481     describe VIRUS_WARNING405 Unhelpful WinProxy 'virus warning' (405)
2482     score VIRUS_WARNING405 20
2483    
2484     #AF
2485     # DSN: none
2486     header VIRUS_WARNING406 Subject =~ /^\[NOD32: deleted\]/
2487     describe VIRUS_WARNING406 Unhelpful NOD32 'virus warning' (406)
2488     score VIRUS_WARNING406 20
2489    
2490     # AF
2491     # double-check for 406
2492     rawbody VIRUS_WARNING407 /^Warning: NOD32 Antivirus System for Linux Mail Server found the following infiltrations in this message/
2493     describe VIRUS_WARNING407 Unhelpful NOD32 'virus warning' (407)
2494     score VIRUS_WARNING407 10
2495    
2496     # TV
2497     header VIRUS_WARNING408 Subject =~ /^AVISO: Email rejeitado: VIRUS Detectado$/
2498     describe VIRUS_WARNING408 Unhelpful 'virus warning' (408)
2499     score VIRUS_WARNING408 20
2500    
2501     # TV
2502     header VIRUS_WARNING409 Subject =~ /^MDaemon Notificacion - Virus Encontrado!!!!$/
2503     describe VIRUS_WARNING409 Unhelpful MDaemon 'virus warning' (409)
2504     score VIRUS_WARNING409 20
2505    
2506     # TV
2507     # the Netcabo version appears to be a customised Antigen install
2508     header VIRUS_WARNING410 Subject =~ /^(Antigen|Netcabo Antivirus) found \S+ virus$/
2509     describe VIRUS_WARNING410 Unhelpful MDaemon 'virus warning' (410)
2510     score VIRUS_WARNING410 20
2511    
2512     # TV
2513     header VIRUS_WARNING411 Subject =~ /^ATENTIE !!! Virusi detectati$/
2514     describe VIRUS_WARNING411 Unhelpful 'virus warning' (411)
2515     score VIRUS_WARNING411 20
2516    
2517     #TV
2518     rawbody VIRUS_WARNING412 /^Vírus no seu e-mail\./
2519     describe VIRUS_WARNING412 Unhelpful 'virus warning' (412)
2520     score VIRUS_WARNING412 20
2521    
2522     # TV
2523     header VIRUS_WARNING413 Subject =~ /^Virus found, original message not delivered\.$/
2524     describe VIRUS_WARNING413 Unhelpful InterScan 'virus warning' (413)
2525     score VIRUS_WARNING413 20
2526    
2527     # TV
2528     rawbody VIRUS_WARNING414 /^We received a message from you containing a virus or other harmful content\.$/
2529     describe VIRUS_WARNING414 Unhelpful 'virus warning' (414)
2530     score VIRUS_WARNING414 20
2531    
2532     # PC
2533     rawbody VIRUS_WARNING415 /^RAV AntiVirus for Linux i686 version: \d/
2534     describe VIRUS_WARNING415 Unhelpful 'virus warning'? (415)
2535     score VIRUS_WARNING415 2
2536    
2537     # PC
2538     # not sure what the munged character is or whether this rule will even catch it
2539     # email forwarded to me had munged character encoding
2540     header VIRUS_WARNING416 Subject =~ /Resultado da procura por V.rus$/
2541     describe VIRUS_WARNING416 Unhelpful 'virus warning' (416)
2542     score VIRUS_WARNING416 3
2543    
2544     # PC
2545     header VIRUS_WARNING417 X-Mailer =~ /^ravmd\/\d/
2546     describe VIRUS_WARNING417 Unhelpful 'virus warning'? (417)
2547     score VIRUS_WARNING417 3
2548    
2549     # ML
2550     rawbody VIRUS_WARNING418 /^This attachment contained a virus and was stripped\.$/
2551     describe VIRUS_WARNING418 Unhelpful 'virus warning' (418)
2552     score VIRUS_WARNING418 20
2553    
2554     # ML
2555     header VIRUS_WARNING419 Subject =~ /^\[Virus attachment removed\]/
2556     describe VIRUS_WARNING419 Unhelpful 'virus warning' (419)
2557     score VIRUS_WARNING419 20
2558    
2559     # MM
2560     rawbody VIRUS_WARNING420 /^O Symantec Email Proxy excluiu a seguinte mensagem de e-mail:$/
2561     describe VIRUS_WARNING420 Unhelpful 'virus warning' (420)
2562     score VIRUS_WARNING420 20
2563    
2564     # PBR
2565     rawbody VIRUS_WARNING421 /^Disallowed file (.{1,50}) assosiated with unrelated MIME type (.{1,50}) - potential virus$/
2566     describe VIRUS_WARNING421 Unhelpful 'virus warning' (421)
2567     score VIRUS_WARNING421 4
2568    
2569     # PC
2570     rawbody VIRUS_WARNING422 /^Content-Disposition: attachment; filename="Norton AntiVirus Deleted1.txt"$/
2571     describe VIRUS_WARNING422 Unhelpful 'virus warning'? (422)
2572     score VIRUS_WARNING422 8
2573    
2574     header VIRUS_WARNING423 Subject =~ /^Policy Violation$/
2575     describe VIRUS_WARNING423 Unhelpful 'virus warning'? (423)
2576     score VIRUS_WARNING423 0.1
2577    
2578     meta VIRUS_WARNING424 VIRUS_WARNING188 && VIRUS_WARNING423
2579     describe VIRUS_WARNING424 Unhelpful 'virus warning' (424)
2580     score VIRUS_WARNING424 10
2581    
2582     header VIRUS_WARNING425 Subject =~ /^Mail rejected: Executable attachment "[^"]{1,50}" not permitted\.$/
2583     describe VIRUS_WARNING425 Unhelpful 'virus warning' (425)
2584     score VIRUS_WARNING425 20
2585    
2586     header VIRUS_WARNING426 Subject =~ /^Antivirus Notification$/
2587     describe VIRUS_WARNING426 Unhelpful 'virus warning' (426)
2588     score VIRUS_WARNING426 20
2589    
2590     # TV
2591     header VIRUS_WARNING427 Subject =~ /^Mail delivery error : Virus found$/
2592     describe VIRUS_WARNING427 Unhelpful 'virus warning' (427)
2593     score VIRUS_WARNING427 20
2594    
2595     # TV
2596     header VIRUS_WARNING428 Subject =~ /^Virus Detected in Email...$/
2597     describe VIRUS_WARNING428 Unhelpful InteProtectNow! 'virus warning' (428)
2598     score VIRUS_WARNING428 20
2599    
2600     # TV
2601     header VIRUS_WARNING429 Subject =~ /^Mass Mailing Virus Detected - Message was deleted.$/
2602     describe VIRUS_WARNING429 Unhelpful 'virus warning' (429)
2603     score VIRUS_WARNING429 20
2604    
2605     # AF
2606     header VIRUS_WARNING430 Subject =~ /^Iflex Mail Server detected an unrepairable virus in a message you sent/
2607     describe VIRUS_WARNING430 Unhelpful Iflex 'virus warning' (430)
2608     score VIRUS_WARNING430 20
2609    
2610     # TV
2611     rawbody VIRUS_WARNING431 /^Norton AntiVirus (hat folgende E-Mail gelöscht, da sie einen Virus enthielt:|ha eliminato il seguente messaggio di posta elettronica )$/
2612     describe VIRUS_WARNING431 Unhelpful Norton 'virus warning' (431)
2613     score VIRUS_WARNING431 20
2614    
2615     # NL
2616     # see also 420
2617     header VIRUS_WARNING432 Subject =~ /^Symantec Email Proxy Deleted Message$/
2618     describe VIRUS_WARNING432 Unhelpful Symantec 'virus warning' (432)
2619     score VIRUS_WARNING432 20
2620    
2621     # PB
2622     rawbody VIRUS_WARNING433 /^diagnostics\/Diagnose: (Worm|Virus)\./
2623     describe VIRUS_WARNING433 Unhelpful 'virus warning'? (433)
2624     score VIRUS_WARNING433 4
2625    
2626     # PB
2627     header VIRUS_WARNING434 X-Autoreply-Reason =~ /^(Worm|Virus)\./
2628     describe VIRUS_WARNING434 Unhelpful 'virus warning' (434)
2629     score VIRUS_WARNING434 20
2630    
2631     # AF
2632     # DSN: null
2633     rawbody VIRUS_WARNING435 /^<<< 554 5\.7\.1 Message from .{7,30} rejected because is infected/
2634     describe VIRUS_WARNING435 Unhelpful 'virus warning' (435)
2635     score VIRUS_WARNING435 20
2636    
2637     # ML
2638     header VIRUS_WARNING436 Subject =~ /^Virus in einer E-Mail von Ihnen gefunden!$/
2639     describe VIRUS_WARNING436 Unhelpful AntiVir MailGate 'virus warning' (436)
2640     score VIRUS_WARNING436 20
2641    
2642     # MB
2643     # TJ: this has no relation to 436, I just numbered it wrongly. Thanks Donald Dawson for spotting.
2644     rawbody VIRUS_WARNING436a /^550 This message contains malware/
2645     describe VIRUS_WARNING436a Unhelpful 'virus warning' (436)
2646     score VIRUS_WARNING436a 20
2647    
2648     # TJ
2649     rawbody VIRUS_WARNING437 /^(Symantec E-Mail-Proxy hat folgende E-Mail-Nachricht gelöscht|Le proxy de messagerie Symantec a supprimé l'message suivant ):$/
2650     describe VIRUS_WARNING437 Unhelpful Symantec 'virus warning' (437)
2651     score VIRUS_WARNING437 20
2652    
2653     # TV
2654     header VIRUS_WARNING438 Subject =~ /^VIRUS DETECTADO PARA /
2655     describe VIRUS_WARNING438 Unhelpful 'virus warning' (438)
2656     score VIRUS_WARNING438 20
2657    
2658     # TJ
2659     rawbody VIRUS_WARNING439 /^\*\*\* Aquest missatge contenia virus. \*\*\*$/
2660     describe VIRUS_WARNING439 Unhelpful Trend 'virus warning' (439)
2661     score VIRUS_WARNING439 20
2662    
2663     # JT
2664     header VIRUS_WARNING440 Subject =~ /^WARNING VIRUS FOUND!!!$/
2665     describe VIRUS_WARNING440 Unhelpful 'virus warning' (440)
2666     score VIRUS_WARNING440 20
2667    
2668     # TV
2669     header VIRUS_WARNING441 Subject =~ /^mensagem com virus$/
2670     describe VIRUS_WARNING441 Unhelpful 'virus warning' (441)
2671     score VIRUS_WARNING441 20
2672    
2673     # JT
2674     rawbody VIRUS_WARNING442 /^Viruses were detected in the following components:$/
2675     describe VIRUS_WARNING442 Unhelpful 'virus warning' (442)
2676     score VIRUS_WARNING442 10
2677    
2678     # TV
2679     header VIRUS_WARNING443 Subject =~ /^Panda ClientShield warning$/
2680     describe VIRUS_WARNING443 Unhelpful 'virus warning' (443)
2681     score VIRUS_WARNING443 10
2682    
2683     # JT
2684     rawbody VIRUS_WARNING444 /^The original email was deleted because it contained the virus .{1,50}$/
2685     describe VIRUS_WARNING444 Unhelpful 'virus warning' (444)
2686     score VIRUS_WARNING444 10
2687    
2688     # TV
2689     header VIRUS_WARNING445 Subject =~ /^Your mail was deleted by Norton Antivirus$/
2690     describe VIRUS_WARNING445 Unhelpful Norton 'virus warning' (445)
2691     score VIRUS_WARNING445 20
2692    
2693     # TV
2694     header VIRUS_WARNING446 Subject =~ /^Auto Notification : Virus Detected!!$/
2695     describe VIRUS_WARNING446 Unhelpful 'virus warning' (446)
2696     score VIRUS_WARNING446 20
2697    
2698     # AF
2699     header VIRUS_WARNING447 Subject =~ /^Warning: Possible Virus Infection$/
2700     describe VIRUS_WARNING447 Unhelpful Guinevere 'virus warning' (447)
2701     score VIRUS_WARNING447 20
2702    
2703     # TV
2704     header VIRUS_WARNING448 Subject =~ /^Anti-Virus Alert$/
2705     describe VIRUS_WARNING448 Unhelpful 'virus warning' (448)
2706     score VIRUS_WARNING448 20
2707    
2708     # TV
2709     header VIRUS_WARNING449 Subject =~ /^Aviso: Detectado formato de ficheiros invalido\.$/
2710     describe VIRUS_WARNING449 Unhelpful 'virus warning'? (449)
2711     score VIRUS_WARNING449 10
2712    
2713     # TJ
2714     header VIRUS_WARNING450 Subject =~ /^VIRUS ALERT !$/
2715     describe VIRUS_WARNING450 Unhelpful 'virus warning' (450)
2716     score VIRUS_WARNING450 20
2717    
2718     # TV
2719     header VIRUS_WARNING451 Subject =~ /^Content Filter Processed Your E-Mail$/
2720     describe VIRUS_WARNING451 Unhelpful 'virus warning'? (451)
2721     score VIRUS_WARNING451 2
2722    
2723     # TV
2724     rawbody VIRUS_WARNING452 /^Reason: Anti Virus$/
2725     describe VIRUS_WARNING452 Unhelpful 'virus warning'? (452)
2726     score VIRUS_WARNING452 2
2727    
2728     # TV
2729     meta VIRUS_WARNING453 VIRUS_WARNING451 && VIRUS_WARNING452
2730     describe VIRUS_WARNING453 Unhelpful virus warning (453)
2731     score VIRUS_WARNING453 10
2732    
2733     # PB
2734     # TODO:needs work, subject is encoded
2735     header VIRUS_WARNING454 Subject =~ /InterScan MSS has deleted a message/
2736     describe VIRUS_WARNING454 Unhelpful virus warning (454)
2737     score VIRUS_WARNING454 20
2738    
2739     # HB
2740     header VIRUS_WARNING455 Subject =~ /^\[WatchDog: Virus gefunden\]$/
2741     describe VIRUS_WARNING455 Unhelpful virus warning (455)
2742     score VIRUS_WARNING455 20
2743    
2744     # TV
2745     header VIRUS_WARNING456 Subject =~ /^AVISO: VIRUS Detectado$/
2746     describe VIRUS_WARNING456 Unhelpful virus warning (456)
2747     score VIRUS_WARNING456 20
2748    
2749     # TV
2750     header VIRUS_WARNING457 Subject =~ /^\[avast! - INFECTED\]/
2751     describe VIRUS_WARNING457 Unhelpful virus warning (457)
2752     score VIRUS_WARNING457 20
2753    
2754     # JT
2755     rawbody VIRUS_WARNING458 /^A message you sent was virus infected\.$/
2756     describe VIRUS_WARNING458 Unhelpful virus warning? (458)
2757     score VIRUS_WARNING458 3
2758    
2759     meta VIRUS_WARNING459 VIRUS_WARNING458 && VIRUS_WARNING63
2760     describe VIRUS_WARNING459 Unhelpful virus warning (459)
2761     score VIRUS_WARNING459 10
2762    
2763     # NL
2764     # DSN: none
2765     header VIRUS_WARNING460 Subject =~ /^\[VIRUS-DETECTED\]/
2766     describe VIRUS_WARNING460 Unhelpful virus warning (460)
2767     score VIRUS_WARNING460 20
2768    
2769     # TV
2770     # DSN: unknown
2771     header VIRUS_WARNING461 Subject =~ /^VIRUS DETECTED IN MESSAGE:/
2772     describe VIRUS_WARNING461 Unhelpful virus warning (461)
2773     score VIRUS_WARNING461 20
2774    
2775     # PB
2776     # DSN: unknown
2777     header VIRUS_WARNING462 Subject =~ /^CSAV for Exchange - Virus Alert$/
2778     describe VIRUS_WARNING462 Unhelpful virus warning (462)
2779     score VIRUS_WARNING462 20
2780    
2781     # TV
2782     # DSN: unknown
2783     header VIRUS_WARNING463 Subject =~ / VIRUS FOUND$/
2784     describe VIRUS_WARNING463 Unhelpful virus warning? (463)
2785     score VIRUS_WARNING463 2
2786    
2787     rawbody __VIRUS_WARNING464 /^You have sent a virus infected email message/
2788     meta VIRUS_WARNING464 VIRUS_WARNING463 && __VIRUS_WARNING464
2789     describe VIRUS_WARNING464 Unhelpful virus warning (464)
2790     score VIRUS_WARNING464 20
2791    
2792     # TV
2793     header VIRUS_WARNING465 Subject =~ /^SENDER! Virus found in message from you!$/
2794     describe VIRUS_WARNING465 Unhelpful virus warning (465)
2795     score VIRUS_WARNING465 20
2796    
2797     # ML
2798     header VIRUS_WARNING466 Subject =~ /^Virus Warning from eScan to Mail-Sender!$/
2799     describe VIRUS_WARNING466 Unhelpful eScan virus warning (466)
2800     score VIRUS_WARNING466 20
2801    
2802     # JT
2803     header VIRUS_WARNING467 Subject =~ /^Warning generated by Panda GateDefender\.$/
2804     describe VIRUS_WARNING467 Unhelpful Panda virus warning (467)
2805     score VIRUS_WARNING467 20
2806    
2807     # JK
2808     # TJ: Juno *really* should know better...
2809     header VIRUS_WARNING468 Subject =~ /^ALERT: Email you sent may have contained a virus$/
2810     describe VIRUS_WARNING468 Unhelpful Juno virus warning (468)
2811     score VIRUS_WARNING468 20
2812    
2813     # ML
2814     header VIRUS_WARNING469 Subject =~ /^\*\*VIRUS\*\*/
2815     describe VIRUS_WARNING469 Unhelpful virus warning (468)
2816     score VIRUS_WARNING469 20
2817    
2818    
2819     ### TJ: Executable. Could be a virus
2820     # See http://archives.neohapsis.com/archives/postfix/2002-04/1841.html
2821     # and http://archives.neohapsis.com/archives/postfix/2002-04/1931.html
2822     rawbody VIRUS_WARNING_EXE1 /^TV[nopqr][A-Z]...[AB]..A.A....{1,99}AAAA...{1,99}AAAA/
2823     describe VIRUS_WARNING_EXE1 Message appears to contain a Windows executable
2824     score VIRUS_WARNING_EXE1 2.0
2825    
2826     rawbody VIRUS_WARNING_EXE2 /^M35[GHIJK].`..`..{1,99}````/i
2827     describe VIRUS_WARNING_EXE2 Message contains a UUencoded Windows executable
2828     score VIRUS_WARNING_EXE2 2.0
2829    
2830    
2831     ### HD/TJ: Looks like some (unknown) virus
2832    
2833     # TJ/RN
2834     # Sober variants which are bothering everyone at the moment (2005-05-06)
2835     rawbody VIRUS_WARNING_SOBER /^\*\*\* (Server-AntiVirus|Attachment-Scanner|AntiVirus): (No Virus \(Clean\)|Status OK|No Virus found)$/
2836     describe VIRUS_WARNING_SOBER Looks like Sober virus or bounce thereof
2837     score VIRUS_WARNING_SOBER 20
2838    
2839    
2840     # Netsky variation?
2841     # line starts with +-+-+ or *** ...
2842     rawbody VIRUS_WARNING_XXX1 /^[\+\-\*]+ (Anti-\s?Virus|X-\s?Attachment_\s?Scanner|Mail-\s?Attachment|X-\s?Mail_Scanner): (NO VIRUS|No Virus found|No Virus!?|No suspicious Virus signatures)$/
2843     describe VIRUS_WARNING_XXX1 Unidentified virus or bounce thereof (2)
2844     score VIRUS_WARNING_XXX1 20
2845    
2846     ### TJ: Novarg, I think
2847     header __VIRUS_WARNING_NOVARG1A X-Virus-Scanned =~ /^Symantec AntiVirus Scan Engine$/
2848     header __VIRUS_WARNING_NOVARG1B X-Virus-Scan-Result =~ /^Repaired \d+/
2849     meta VIRUS_WARNING_NOVARG1 __VIRUS_WARNING_NOVARG1A && __VIRUS_WARNING_NOVARG1B
2850     describe VIRUS_WARNING_NOVARG1 Looks like Novarg virus
2851     score VIRUS_WARNING_NOVARG1 20
2852    
2853     # Bounce of Novarg
2854     rawbody __VIRUS_WARNING_NOVARG2A /^\s*X-Virus-Scanned: Symantec AntiVirus Scan Engine$/
2855     rawbody __VIRUS_WARNING_NOVARG2B /^\s*X-Virus-Scan-Result: Repaired \d+/
2856     meta VIRUS_WARNING_NOVARG2 __VIRUS_WARNING_NOVARG2A && __VIRUS_WARNING_NOVARG2B
2857     describe VIRUS_WARNING_NOVARG2 Looks like Novarg virus bounce
2858     score VIRUS_WARNING_NOVARG2 20
2859    
2860     ### TJ: Texts normally found in the body of Bagle.B viruses
2861    
2862     rawbody VIRUS_WARNING_BAGLE1 /^Subject: ID .{1,50}\.\.\. thanks$/
2863     describe VIRUS_WARNING_BAGLE1 Could be a Bagle.B bounce
2864     score VIRUS_WARNING_BAGLE1 4
2865    
2866     rawbody VIRUS_WARNING_BAGLE2 /^Yours ID/
2867     describe VIRUS_WARNING_BAGLE2 Could be a Bagle.B bounce
2868     score VIRUS_WARNING_BAGLE2 1
2869    
2870    
2871     ### TJ: Bagle-Q/R virus
2872    
2873     rawbody VIRUS_WARNING_BAGLE3 /^<OBJECT\s+STYLE="display:none"\s+DATA="http:\/\/[0-9\.]+(:81)?\/[0-9]+\.php">$/
2874     describe VIRUS_WARNING_BAGLE3 Looks like Bagle.Q/R virus/bounce
2875     score VIRUS_WARNING_BAGLE3 10
2876    
2877    
2878     ### TJ: Stuff to do with Netsky virus
2879    
2880     rawbody __VIRUS_WARNING_NETSKY1 /^Subject: (unknown|fake|stolen|information|warning|something for you|read it immediately|hello)$/
2881     #describe VIRUS_WARNING_NETSKY1 Could be a Netsky virus bounce (subject matched)
2882     #score VIRUS_WARNING_NETSKY1 1
2883    
2884     rawbody __VIRUS_WARNING_NETSKY2 /^(anything ok?|what does it mean?|ok|i'm waiting|read the details.|here is the document.|read it immediately!|my hero|here|is that true?|is that your name?|is that your account?|i wait for a reply!|is that from you?|you are a bad writer|I have your password!|something about you!|kill the writer of this document!|i hope it is not true!|your name is wrong|i found this document about you|yes, really?|that is bad|here it is|see you|greetings|stuff about you?|something is going wrong!|information about you|about me|from the chatter|here, the serials|here, the introduction|here, the cheats|that's funny|do you?|reply|take it easy|why?|thats wrong|misc|you earn money|you feel the same|you try to steal|you are bad|something is going wrong|something is fool)$/
2885     #describe VIRUS_WARNING_NETSKY2 Could be a Netsky virus bounce (body matched)
2886     #score VIRUS_WARNING_NETSKY2 1
2887    
2888     meta VIRUS_WARNING_NETSKY (__VIRUS_WARNING_NETSKY1 && __VIRUS_WARNING_NETSKY2)
2889     score VIRUS_WARNING_NETSKY 3
2890    
2891     # Netsky G - http://www.sophos.com/virusinfo/analyses/w32netskyg.html
2892     # There are many other subjects, but many are too common to reject on,
2893     # and I don't want this to become a virus scanner, but here are a few.
2894     body VIRUS_WARNING_NETSKY3 /^Subject: Re: (Re: Re: Your document|Re: Thanks!|Re: Document|Re: Message|Approved|Here is the document|Excel file|Word file)$/
2895     describe VIRUS_WARNING_NETSKY4 Netsky virus bounce (subject matched)
2896     score VIRUS_WARNING_NETSKY3 3
2897    
2898     body VIRUS_WARNING_NETSKY4 /In order to read the attach you have to use the following password:/
2899     describe VIRUS_WARNING_NETSKY4 Looks like Netsky bounce (body attached password)
2900     score VIRUS_WARNING_NETSKY4 5
2901    
2902     # Netsky P - http://www.sophos.com/virusinfo/analyses/w32netskyp.html
2903     # VS/TJ
2904     rawbody VIRUS_WARNING_NETSKY5A /^\++\s*Attachment: No Virus found$/
2905     describe VIRUS_WARNING_NETSKY5A Looks like Netsky/P bounce (5A)
2906     score VIRUS_WARNING_NETSKY5A 10
2907    
2908     rawbody VIRUS_WARNING_NETSKY5B /^\++\s*(MessageLabs|Norton|MC-Afee|Kaspersky|Norman|Panda|Kaspersky|F-Secure) AntiVirus/
2909     describe VIRUS_WARNING_NETSKY5B Looks like Netsky/P bounce (5B)
2910     score VIRUS_WARNING_NETSKY5B 10
2911    
2912     meta VIRUS_WARNING_NETSKY5 VIRUS_WARNING_NETSKY5A && VIRUS_WARNING_NETSKY5B
2913     describe VIRUS_WARNING_NETSKY5 Looks like Netsky/P bounce (5)
2914     score VIRUS_WARNING_NETSKY5 10
2915    
2916     ### TJ: Texts normally found in the body of MyDoom viruses
2917    
2918     rawbody VIRUS_WARNING_MYDOOM1 /The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment/
2919     describe VIRUS_WARNING_MYDOOM1 Body contains Mydoom text
2920     score VIRUS_WARNING_MYDOOM1 6.0
2921    
2922     rawbody VIRUS_WARNING_MYDOOM2 /The message contains Unicode characters and has been sent as a binary attachment\./
2923     describe VIRUS_WARNING_MYDOOM2 Body contains Mydoom text
2924     score VIRUS_WARNING_MYDOOM2 6.0
2925    
2926     rawbody VIRUS_WARNING_MYDOOM3 /Mail transaction failed. Partial message is available\./
2927     describe VIRUS_WARNING_MYDOOM3 Body contains Mydoom text
2928     score VIRUS_WARNING_MYDOOM3 6.0
2929    
2930     # Looks like a bounce containing a Mydoom message
2931     # Some bounces will match both 4 and 4a, so 4a is scored low
2932     # Next two rules used to contain a question mark at the end, to match
2933     # empty subject lines. Now removed, since the worst has passed
2934     rawbody __VIRUS_WARNING_MYDOOM4 /^Subject: (Hello|hi|test|mail delivery system|mail transaction failed|server report|status|error)$/i
2935     #describe VIRUS_WARNING_MYDOOM4 Body looks like a bounce which could be from Mydoom (contains Mydoom Subject)
2936     #score VIRUS_WARNING_MYDOOM4 1.3
2937    
2938     rawbody __VIRUS_WARNING_MYDOOM4A /\sSubject: (Hello|hi|test|mail delivery system|mail transaction failed|server report|status|error)$/i
2939     #describe VIRUS_WARNING_MYDOOM4A Body could be a Mydoom bounce (contains Mydoom Subject)
2940     #score VIRUS_WARNING_MYDOOM4A 0.5
2941    
2942     rawbody TJ_EMPTY_SUBJECT /^Subject: $/
2943     describe TJ_EMPTY_SUBJECT Empty subject. Could be a MyDoom bounce.
2944     score TJ_EMPTY_SUBJECT 0.5
2945    
2946     # Could be a bounce containing a Mydoom message
2947     body VIRUS_WARNING_MYDOOM5 /filename="(body|data|doc|document|file|message|readme|test)\.(bat|cmd|exe|pif|scr|zip|htm|txt|doc)/i
2948     describe VIRUS_WARNING_MYDOOM5 Body contains possible Mydoom attachment
2949     score VIRUS_WARNING_MYDOOM5 1.2
2950    
2951     meta VIRUS_WARNING_DOOM_BNC VIRUS_WARNING78 && (VIRUS_WARNING_MYDOOM4 || __VIRUS_WARNING_MYDOOM4A || VIRUS_WARNING_MYDOOM5)
2952     describe VIRUS_WARNING_DOOM_BNC Looks like a Mydoom bounce
2953     score VIRUS_WARNING_DOOM_BNC 7.5
2954    
2955    
2956     ### TJ: Failed/cleaned infections
2957     # Used to match empty subjects too
2958     #header VIRUS_CLEANED_MYDOOM Subject =~ /^(Hello|hi|test|mail delivery system|mail transaction failed|server report|status|error)$/i
2959     #describe VIRUS_CLEANED_MYDOOM Failed/cleaned Mydoom infection?
2960     #score VIRUS_CLEANED_MYDOOM 1
2961    
2962     # TJ/VS
2963     header VIRUS_CLEANED_SOBIG_F1 Subject =~ /^(Re: )?(Approved|Wicked screensaver|That movie|Thank you!)$/
2964     describe VIRUS_CLEANED_SOBIG_F1 Failed/cleaned Sobig/F infection? (1)
2965     score VIRUS_CLEANED_SOBIG_F1 2
2966    
2967     header VIRUS_CLEANED_SOBIG_F2 Subject =~ /^Re: (Re: )?((My|Your) )?Details$/
2968     describe VIRUS_CLEANED_SOBIG_F2 Failed/cleaned Sobig/F infection? (2)
2969     score VIRUS_CLEANED_SOBIG_F2 2
2970    
2971     header VIRUS_CLEANED_1 Subject =~ /^Re: Your application$/
2972     describe VIRUS_CLEANED_1 Failed/cleaned Sobig/F or Netsky/K infection? (1)
2973     score VIRUS_CLEANED_1 1

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed