Contents of /rpms/spamassassin/sme9/bogus-virus-warnings.cf

Revision 1.1
Thu Jul 9 20:07:11 2015 UTC (9 years, 3 months ago) by vip-ire
Branch: MAIN
CVS Tags: spamassassin-3_4_1-1_el6_sme, spamassassin-3_3_2-59_el6_sme, spamassassin-3_4_2-2_el6_sme, spamassassin-3_4_2-1_el6_sme, spamassassin-3_3_2-60_el6_sme, spamassassin-3_3_2-58_el6_sme, HEAD
Initial import of spamassassin in our CVS

1 # bogus-virus-warnings.cf version 1.160 (2005-06-22) - NB new Rules Emporium address
2 # NB (2005-06-07) I still have a backlog of submissions so if yours hasn't
3 # made it in yet, it's nothing personal. Bear with me - thanks, TJ.
4
5 # Collated and maintained by Tim Jackson (tim@timj.co.uk)
6 # Latest version at:
7 #
8 # - http://www.rulesemporium.com/rules/bogus-virus-warnings.cf
9 # - http://www.timj.co.uk/linux/bogus-virus-warnings.cf
10 #
11 # Lists bogus virus warnings and similar
12 # This file is encoded using ISO-8859-1
13
14 # ------------ NEWS - 2004-04-03 --------------
15 # READ THIS CAREFULLY - CHECK YOUR SETUP!
16 # To reduce the risk of false positives, some rules now have checks to make
17 # sure that the message is a bounce. This checking is currently only enabled
18 # for rules that would match it irrelevant of Return-Path, but will soon
19 # be added to rules for which we need to determine for certain that the
20 # envelope sender (return path) is null. However, if you are scanning at SMTP
21 # time, and your MTA hasn't at that time inserted the Return-Path header
22 # (e.g. Exim/Exiscan), or an X-Envelope-From header (which I am told is added
23 # by amavisd-new), we can't necessarily tell that it is a bounce, so in
24 # that case you need to either get your MTA to add a header X-Is-A-Bounce: 1
25 # which tells us that it has a null sender, or disable the bounce checking.
26 # To disable bounce-checking, put this in your local.cf:
27 # meta __REPORT_DSN 1
28 #
29 # You can add an X-Is-A-Bounce header with Exim 4 using the following rule
30 # in your RCPT ACL:
31 #
32 # warn message = X-Is-A-Bounce: 1
33 # senders = :
34 #
35 # (You may wish to add "headers_remove"/"headers remove" directives to your
36 # remote_smtp router and system filter respectively, to strip these out again
37 # before the message is delivered)
38
39
40 # ----------- UPDATES & CONTRIBUTIONS ---------
41 # This ruleset is updated regularly; check for updates every now and then
42 # Automatic updates are OK, although please don't check too often.
43 # (More than once per day is too often)
44 # If you are checking automatically, please use appropriate methods
45 # (including HTTP HEAD) to avoid downloading unchanged versions.
46 # You can use the Rules du Jour script to easily check for updates in a
47 # responsible way: http://www.exit0.us/index.php/RulesDuJour
48
49 # Contributions/comments/corrections etc. are more than welcome, particularly
50 # complete samples of bogus warnings not caught by this rule. Please send to
51 # the following e-mail address: spam \-at/ timj.co.uk (replacing " \-at/ " with "@")
52 # PLEASE send complete samples (ideally as an attachment) if at all possible -
53 # it helps me maintain an archive for regression testing and so on.
54
55 # There is a Postfix derivative of this (not identical) by Niels
56 # Callesøe at: http://www.t29.dk/antiantivirus.txt
57
58 # A procmail derivative (derivative of a derivative!) of Niels's Postfix
59 # version is here: http://pekaje.homeip.net/antiantivirus_procmail.txt
60
61 # A useful ruleset by Martin Blapp that has some overlap with this but has
62 # slightly different aims can be found at: http://mx.imp.ch/worm_found.cf
63
64 # Contributors: (if I've missed anyone, I apologise - please let me know)
65 # TJ = Tim Jackson <tim@timj.co.uk>
66 # DD = Dennis Davis <ccsdhd/at\bath.ac.uk>
67 # BM = Brian Martin (indirectly via website article)
68 # see http://www.attrition.org/security/rant/av-spammers.html
69 # PV = Paul Vixie (indirectly via NANOG mailing list)
70 # see http://www.merit.edu/mail.archives/nanog/2004-01/msg00821.html
71 # and http://www.merit.edu/mail.archives/nanog/msg01014.html
72 # AF = Alan J. Flavell <a-dot-flavell/at/physics.gla.ac.uk>
73 # CE = Chris Edwards <C\dot\Edwards-at@-compserv.gla.ac.uk>
74 # NC = Niels Callesoe <nica\at/t29-dot-dk>
75 # JB = Jethro R Binks <jethro=dot=binks\@strath.ac.uk>
76 # ESR = Eric S. Raymond <esr\\a@t/snark.thyrsus^com>
77 # EA = Ed Avis <ed\at/membled.com>
78 # HP = Herb Peyerl <hpeyerl//at.beer.org>
79 # JBB = John B Batzel <batzel a t seas.upenn.edu>
80 # SC = Stephane Clodic <sclodic//at\teaser.fr>
81 # MK = Martin Kutschker <Martin-dot-Kutschker'at'blackbox.net>
82 # PB = Pieter B <PieterB-at/gewis.nl>
83 # PSI = Per Steinar Iversen <PerSteinar.Iversen/at/adm.hio.no>
84 # HPK = Homer Parker <hparker-at-pcsrvc.com>
85 # DJM = Damian Miller <djm/at/mindrot.org>
86 # VS = Jay 'veggiespam' Ball <jay//-at=veggiespam.com>
87 # NL = Nick Leverton <nick\-at$leverton.org>
88 # MR = Michael Roth <mroth%at%nessie.de>
89 # JT = Jona Tallieu <jona=at=tnt.be>
90 # VD = Vincent Deffontaines <vincent.deffontaines/at/coe.int>
91 # HD = Harald Deppeler
92 # DP = David Precious <dave=at=preshweb.co.uk>
93 # AS = Andreas Steinmetz <ast!at!domdv.de>
94 # GD = Guido Dorssers <g/dot/h/dot/j/dot/dorssers-at\ruiver.frontierfleet.net>
95 # MB = Martin Blapp <mb-at-imp.ch>
96 # RP = Rob van der Putten <rob=at-sput.nl>
97 # PBR = Peter Bieringer <pb\\at\bieringer.de>
98 # PC = Paul Cormier <pcormier--at--win-soft.com>
99 # TV = Tjerk Vonck <tjerk^^at/mirc.com>
100 # ML = Maurice Lucas <mslucas%at%taos-it.nl>
101 # MM = Marek Michalkiewicz <marekm(at)amelek.gda.pl>
102 # HB = Hanno Boeck <mail$at*hboeck.de>
103 # RN = Ronald I. Nutter <ronald_nutter#@!georgetowncollege.edu>
104 # JK = Josh Kelley <josh@@@@jbc.edu>
105
106
107 # ---------- BOUNCE DETECTION ---------
108 # General rule to indicate bounce or otherwise - used for some other rules
109 header __BOUNCE_HEADER X-Is-A-Bounce =~ /.{1,50}/
110
111 # This won't match for scanning done at SMTP time, at least with Exim
112 header __BOUNCE_RP1 Return-Path =~ /^<>$/
113
114 # NL says this is added by amavisd-new before passing to SA
115 header __BOUNCE_RP2 X-Return-Path =~ /^<>$/
116
117 # Mark Martinec says the above is incorrect, and it's X-Envelope-From
118 header __BOUNCE_RP3 X-Envelope-From =~ /^<>$/
119
120 meta __NULL_SENDER __BOUNCE_HEADER || __BOUNCE_RP1 || __BOUNCE_RP2 || __BOUNCE_RP3
121
122 # Thanks to AF
123 header __CT_DEL_STATUS Content-Type =~ /report-type=delivery-status/
124
125 meta __REPORT_DSN __NULL_SENDER || __CT_DEL_STATUS
126
127
128 # The rules are now slowly getting meta-information added to them, in the
129 # form of a "DSN:" message above the rule. The codes in this correspond to
130 # the following meanings:
131 #
132 # Null = Messages always come with null sender
133 # CT = Message always come with Content-Type =~ /report-type=delivery-status/
134 # !Attach = This rule matches the content of an attachment which has replaced
135 # a virus, so the Null/CT rules could conceivably vary
136 # A rule with a leading question mark means status unknown, for example:
137 # "DSN: Null, ?CT" means we know it always has a null sender, but not sure
138 # whether it has the Content-Type match.
139
140
141 # ---------- THE RULES PROPER -----------
142
143 blacklist_from antivirus@webtar.hu
144 blacklist_from asterix@ars.de
145 blacklist_from deadletter@wingateweb.com
146 blacklist_from mailsweeper@tso.co.uk
147 blacklist_from us-interscan.admins@alcatel.com
148 blacklist_from virus@praca.gov.pl
149
150
151 # TJ/HPK
152 header VIRUS_WARNING1 Subject =~ /^(NDN: )?\{(Virus|Filename)\?\}/i
153 describe VIRUS_WARNING1 Unhelpful 'virus warning' (1)
154 score VIRUS_WARNING1 20
155
156 # TJ
157 header VIRUS_WARNING2 Subject =~ /Virus Detected by Network Associates, Inc\. Webshield/
158 describe VIRUS_WARNING2 Unhelpful NAI Webshield 'virus warning' (2)
159 score VIRUS_WARNING2 20
160
161 # TJ
162 header VIRUS_WARNING3 Subject =~ /^---- Virus Detected ----$/
163 describe VIRUS_WARNING3 Unhelpful Mail Marshal 'virus warning' (3)
164 score VIRUS_WARNING3 20
165
166 # TJ/TV
167 # "Virus detected" is Tobit. "Virus Detected" seen from bang.ca.
168 header VIRUS_WARNING4 Subject =~ /^Virus detected$/i
169 describe VIRUS_WARNING4 Unhelpful 'virus warning' (4)
170 score VIRUS_WARNING4 20
171
172 # TJ
173 header VIRUS_WARNING4A Subject =~ /^Virus Detected:status/
174 describe VIRUS_WARNING4A Unhelpful MailSweeper 'virus warning' (4A)
175 score VIRUS_WARNING4A 20
176
177 # TJ/HPK/AF
178 header VIRUS_WARNING5 Subject =~ /^Virus (Alert|Warning|intercepted)!?$/i
179 describe VIRUS_WARNING5 Unhelpful 'virus warning' (5)
180 score VIRUS_WARNING5 20
181
182 # TJ/VS
183 header VIRUS_WARNING6 Subject =~/^InterScan (NT|Virus) Alert$/
184 describe VIRUS_WARNING6 Unhelpful InterScan 'virus warning' (6)
185 score VIRUS_WARNING6 20
186
187 # TJ
188 header VIRUS_WARNING7 Subject =~/^Virus found in the message$/
189 describe VIRUS_WARNING7 Unhelpful 'virus warning' (7)
190 score VIRUS_WARNING7 20
191
192 # TJ
193 header VIRUS_WARNING8 Subject =~/^Message quarantined$/
194 describe VIRUS_WARNING8 Unhelpful 'virus warning' (8)
195 score VIRUS_WARNING8 20
196
197 # TJ
198 # VIRUS_WARNING9 now rolled into VIRUS_WARNING5
199
200 # TJ
201 header VIRUS_WARNING10 Subject =~/^Virus found in e-mail \(/
202 describe VIRUS_WARNING10 Unhelpful Netpilot VPN 'virus warning' (10)
203 score VIRUS_WARNING10 20
204
205 # TJ
206 header VIRUS_WARNING11 Subject =~/^MDaemon Warning - Virus Found/
207 describe VIRUS_WARNING11 Unhelpful MDaemon 'virus warning' (11)
208 score VIRUS_WARNING11 20
209
210 # TJ
211 header VIRUS_WARNING12 From =~/F-Secure Anti-Virus for Internet Mail/
212 describe VIRUS_WARNING12 Unhelpful F-Secure 'virus warning' (12)
213 score VIRUS_WARNING12 20
214
215 # TJ
216 rawbody VIRUS_WARNING13 /If you meant to send this file then please/
217 describe VIRUS_WARNING13 Unhelpful Exim system_filter 'virus warning'? (13)
218 score VIRUS_WARNING13 3
219
220 # TJ
221 rawbody VIRUS_WARNING14 /package it up as a zip file and resend it/
222 describe VIRUS_WARNING14 Looks like Exim system_filter 'virus warning' (14)
223 score VIRUS_WARNING14 3
224
225 # TJ
226 meta VIRUS_WARNING_EXIM VIRUS_WARNING13 && VIRUS_WARNING14
227 describe VIRUS_WARNING_EXIM Unhelpful Exim system_filter 'virus warning'
228 score VIRUS_WARNING_EXIM 6
229
230 # TJ/JT
231 header VIRUS_WARNING15 Subject =~ /^(Warning: E-mail viruses detected|Waarschuwing: E-mail virus ontdekt)$/
232 describe VIRUS_WARNING15 Unhelpful MailScanner 'virus warning' (15)
233 score VIRUS_WARNING15 20
234
235 # TJ/PSI/AF
236 header VIRUS_WARNING16 Subject =~ /^ScanMail Message: To (Sender|Recipient) (virus found|file blocking settings matched)/
237 describe VIRUS_WARNING16 Unhelpful ScanMail/Exch 'virus warning' (16)
238 score VIRUS_WARNING16 20
239
240 # TJ
241 rawbody VIRUS_WARNING17 /The uncleanable file is deleted\./
242 describe VIRUS_WARNING17 Unhelpful Cisco 'virus warning' (17)
243 score VIRUS_WARNING17 10
244
245 # TJ/DD/PSI/TV
246 # Often customised.
247 # TJ: removed end-assertion (2004-06-06) to catch customisations
248 # NC has seen caseless version "Virus in mail from you."
249 # TV has seen "Banned file: "data.doc.pif" in mail from you"
250 header VIRUS_WARNING18 Subject =~/^(VIRUS|BANNED FILENAME|banned file:|BANNED) .{1,99}(IN YOUR MAIL|w Twoim mejlu|IN (A )?MAIL FROM YOU|NO SEU EMAIL)/i
251 describe VIRUS_WARNING18 Unhelpful 'virus warning' (18)
252 score VIRUS_WARNING18 20
253
254 # TJ
255 # Added optional space in v1.11 thanks to CE
256 # See also 299
257 header VIRUS_WARNING19 Subject =~/^Norton Anti ?Virus detected/
258 describe VIRUS_WARNING19 Unhelpful Norton AntiVirus 'virus warning' (19)
259 score VIRUS_WARNING19 20
260
261 # Rule 20 deprecated in favour of modified rule #18
262 # (DD: Subject: VIRUS (blah) IN YOUR MAIL)
263
264 # DD/MK
265 header VIRUS_WARNING21 Subject =~ /^Antigen found (VIRUS|FILE)/
266 describe VIRUS_WARNING21 Unhelpful Antigen 'virus warning' (21)
267 score VIRUS_WARNING21 20
268
269 # TJ
270 rawbody VIRUS_WARNING22 /^Panda Antivirus has taken the following actions/
271 describe VIRUS_WARNING22 Unhelpful Panda Antivirus 'virus warning' (22)
272 score VIRUS_WARNING22 20
273
274 # TJ
275 header VIRUS_WARNING23 Subject =~ /^Filter incident$/
276 describe VIRUS_WARNING23 Unhelpful Panda Antivirus 'virus warning'? (23)
277 score VIRUS_WARNING23 4
278
279 # TJ
280 rawbody VIRUS_WARNING24 /^<<< 554 TRANSACTION FAILED - Unrepairable Virus/
281 describe VIRUS_WARNING24 Unhelpful AOL 'virus warning' (24)
282 score VIRUS_WARNING24 20
283
284 # DD
285 rawbody VIRUS_WARNING25 /^Network Associates WebShield SMTP.{1,99}detected virus/
286 describe VIRUS_WARNING25 Unhelpful Network Associates 'virus warning' (25)
287 score VIRUS_WARNING25 20
288
289 # TJ
290 rawbody VIRUS_WARNING26 /^The name\(s\) of the blocked file\(s\) follow:/
291 describe VIRUS_WARNING26 Unhelpful 'virus warning' (26)
292 score VIRUS_WARNING26 20
293
294 # TJ
295 rawbody VIRUS_WARNING27 /V I R U S A L E R T/
296 describe VIRUS_WARNING27 Unhelpful amavisd 'virus warning' (27)
297 score VIRUS_WARNING27 20
298
299 # TJ
300 # Modified to remove "^Our" (thanks CE) as is sometimes customised like so:
301 # "The University of xxxx virus detector...."
302 rawbody VIRUS_WARNING28 /virus detector has just been triggered by a message you sent/
303 describe VIRUS_WARNING28 Unhelpful MailScanner 'virus warning' (28)
304 score VIRUS_WARNING28 20
305
306 # TJ
307 header VIRUS_WARNING29 Subject =~ /^Vírus figyelmeztetés! Virus warning!$/
308 describe VIRUS_WARNING29 Unhelpful Hungarian 'virus warning' (29)
309 score VIRUS_WARNING29 20
310
311 # TJ
312 body VIRUS_WARNING30 /The mail was deleted on the mailserver. The sender was informed about this incident/
313 describe VIRUS_WARNING30 Unhelpful 'virus warning' (30)
314 score VIRUS_WARNING30 20
315
316 # DD
317 rawbody VIRUS_WARNING31 /^The Declude Virus.{0,50}software on our mail server detected the/
318 describe VIRUS_WARNING31 Unhelpful Declude Virus software warning (31)
319 score VIRUS_WARNING31 20
320
321 # TJ
322 body VIRUS_WARNING32 /^\/infected with \w/
323 describe VIRUS_WARNING32 Unhelpful qmail-plugin virus warning (32)
324 score VIRUS_WARNING32 5
325
326 # BM
327 body VIRUS_WARNING33 /^The virus detector said this about the message/
328 describe VIRUS_WARNING33 Unhelpful MailScanner virus warning (33)
329 score VIRUS_WARNING33 12
330
331 # BM/AF
332 header VIRUS_WARNING34 Subject =~ /^Symantec (AVF|Mail Security|AntiVirus(\/Filtering)?) (for (Lotus Notes|Domino) )?detected/
333 describe VIRUS_WARNING34 Unhelpful Symantec virus warning (34)
334 score VIRUS_WARNING34 20
335
336 # BM/MK
337 # Borderware MXtreme Firewall
338 body VIRUS_WARNING35 /was stopped and (Rejected|Quarantined) because it contains one or more (viruses|forbidden attachments)/
339 describe VIRUS_WARNING35 Unhelpful BorderWare MXtreme virus warning (35)
340 score VIRUS_WARNING35 8
341
342 # BM
343 header VIRUS_WARNING36 Subject =~ /^Returned due to virus;/
344 describe VIRUS_WARNING36 Unhelpful 'virus warning' (36)
345 score VIRUS_WARNING36 20
346
347 # PV
348 header VIRUS_WARNING37 Subject =~ /^Anti-Virus Notification/
349 describe VIRUS_WARNING37 Unhelpful 'virus warning' (37)
350 score VIRUS_WARNING37 12
351
352 # PV/JT
353 # was Subject /^BANNED FILENAME .{0,99}IN MAIL FROM YOU/
354 # obsoleted by 18
355
356 # PV
357 header VIRUS_WARNING39 Subject =~ /^File blocked - ScanMail for Lotus/
358 describe VIRUS_WARNING39 Unhelpful ScanMail 'virus warning' (39)
359 score VIRUS_WARNING39 12
360
361 # PV
362 header VIRUS_WARNING40 Subject =~ /^Message deleted/
363 describe VIRUS_WARNING40 Unhelpful 'virus warning' (40)
364 score VIRUS_WARNING40 20
365
366 # PV
367 header VIRUS_WARNING41 Subject =~ /^NAV detected a virus/
368 describe VIRUS_WARNING41 Unhelpful 'virus warning' (41)
369 score VIRUS_WARNING41 20
370
371 # PV
372 header VIRUS_WARNING42 Subject =~ /^RAV AntiVirus scan/
373 describe VIRUS_WARNING42 Unhelpful RAV 'virus warning' (42)
374 score VIRUS_WARNING42 20
375
376 # PV
377 # was header VIRUS_WARNING43 Subject =~ /^VIRUS .{0,99}IN (A )?MAIL FROM YOU/i
378 # obsoleted by 18
379
380 # PV
381 header VIRUS_WARNING44 Subject =~ /^Virus Notification:/
382 describe VIRUS_WARNING44 Unhelpful 'virus warning' (44)
383 score VIRUS_WARNING44 20
384
385 # PV
386 header VIRUS_WARNING45 Subject =~ /^Virus found in a message you sent/
387 describe VIRUS_WARNING45 Unhelpful 'virus warning' (45)
388 score VIRUS_WARNING45 20
389
390 # PV
391 # CE contributed caseless start
392 header VIRUS_WARNING46 Subject =~ /^[Vv]irus found in sent message/
393 describe VIRUS_WARNING46 Unhelpful 'virus warning' (46)
394 score VIRUS_WARNING46 20
395
396 # PV
397 header VIRUS_WARNING47 From =~ /^GroupShield for Exchange/
398 describe VIRUS_WARNING47 Unhelpful GroupShield/Exch 'virus warning' (47)
399 score VIRUS_WARNING47 10
400
401 # PV
402 body VIRUS_WARNING48 /^The infected message's properties are:/
403 describe VIRUS_WARNING48 Unhelpful McAfee 'virus warning' (48)
404 score VIRUS_WARNING48 20
405
406 # AF
407 header VIRUS_WARNING49 Subject =~ /^VIRUS EN SU CORREO/
408 describe VIRUS_WARNING49 Unhelpful 'virus warning' (49)
409 score VIRUS_WARNING49 20
410
411 # AF
412 header VIRUS_WARNING50 Subject =~ /^Warning: antivirus system report$/
413 describe VIRUS_WARNING50 Unhelpful 'virus warning' (50)
414 score VIRUS_WARNING50 20
415
416 # AF
417 header VIRUS_WARNING51 Subject =~ /^MDaemon Notification -- Attachment Removed$/
418 describe VIRUS_WARNING51 Unhelpful 'virus warning' (51)
419 score VIRUS_WARNING51 20
420
421 # AF
422 header VIRUS_WARNING52 Subject =~ /^Information - Antivirus$/
423 describe VIRUS_WARNING52 Unhelpful 'virus warning' (52)
424 score VIRUS_WARNING52 20
425
426 # AF
427 header VIRUS_WARNING53 Subject =~ /^Symantec AntiVirus detected a violation/
428 describe VIRUS_WARNING53 Unhelpful 'virus warning' (53)
429 score VIRUS_WARNING53 20
430
431 # AF
432 header VIRUS_WARNING54 Subject =~ /^WARNING: YOU WERE SENT A VIRUS/
433 describe VIRUS_WARNING54 Unhelpful 'virus warning' (54)
434 score VIRUS_WARNING54 20
435
436 # AF
437 header VIRUS_WARNING55 Subject =~ /^SAV detected a violation in a/
438 describe VIRUS_WARNING55 Unhelpful SAV 'virus warning' (55)
439 score VIRUS_WARNING55 20
440
441 # AF/CE
442 # Virus version seen as "...a Virus in your message", not sure about other
443 header VIRUS_WARNING56 Subject =~ /^MailMarshal has detected a (Virus|suspect attachment)/
444 describe VIRUS_WARNING56 Unhelpful MailMarshal 'virus warning' (56)
445 score VIRUS_WARNING56 20
446
447 # AF/TV
448 header VIRUS_WARNING57 Subject =~ /^A virus was detected in your (mail|message)/i
449 describe VIRUS_WARNING57 Unhelpful 'virus warning' (57)
450 score VIRUS_WARNING57 20
451
452 # AF
453 header VIRUS_WARNING58 Subject =~ /^Recipient Virus-alert/
454 describe VIRUS_WARNING58 Unhelpful 'virus warning' (58)
455 score VIRUS_WARNING58 20
456
457 # AF/PBR
458 #lowercase version is VirusGuard "^Virus found in message to you!$"
459 header VIRUS_WARNING59 Subject =~ /^Virus [fF]ound in message/
460 describe VIRUS_WARNING59 Unhelpful 'virus warning' (59)
461 score VIRUS_WARNING59 20
462
463 # AF
464 # Roll into VIRUS_WARNING15?
465 header VIRUS_WARNING60 Subject =~ /^E-?mail viruses detected/
466 describe VIRUS_WARNING60 Unhelpful 'virus warning' (60)
467 score VIRUS_WARNING60 20
468
469 # AF
470 header VIRUS_WARNING61 Subject =~ /^Undelivered mail: VIRUS FOUND/
471 describe VIRUS_WARNING61 Unhelpful 'virus warning' (61)
472 score VIRUS_WARNING61 20
473
474 # AF/TJ/PB/HD/JT
475 # 2004-12-15: the Symantec@ doesn't seem to work, for reasons that are opaque to me
476 header VIRUS_WARNING62 From =~ /Antivirus|InterScan|MailScanner|virusscan|WebShield SMTP|NortonAV|DrWeb-DAEMON|amavisd-new|virenscanner|GateLockX200|Filtermails|MailMonitor|Symantec\@|Symantec E-Mail-Proxy/i
477 describe VIRUS_WARNING62 'From' indicates unhelpful 'virus warning' (62)
478 score VIRUS_WARNING62 3.5
479
480 # AF/TJ
481 # care: double count of this & 62 for 'amavisd-new'
482 header VIRUS_WARNING62A From =~ /amavis\@/
483 describe VIRUS_WARNING62A 'From' contains 'amavis'; 'virus warning'? (62A)
484 score VIRUS_WARNING62A 0.8
485
486 # AF/TJ/MK/JT
487 # Case-sensitive strong indications
488 header VIRUS_WARNING63 From =~ /mail.marshal\@|InterScan Notification|Antivirus-Daemon|Nemx Power Tools for MS Exchange Server|NAVMSE-|Norton_AntiVirus_|Unicom Anti-Virus|Symantec_AntiVirus_for_SMTP|ANTIVIRUS-SYSTEM|\"System Anti-Virus Administrator\"|Eclipse-VirusShield|Anti-Virus Scanner|SymantecSMTPSecurityServer|_WatchDog_Demon|MAILsweeper|InterScan Notification|eTrust_Antivirus_Lotus_Notes|BorderWare MXtreme Mail Firewall|DinaScanner|vba_filter|KAV for Microsoft Exchange|Guinevere Anti-Virus|Barracuda Spam Firewall|'Watchdog' Demon|Virus Scanner/
489 describe VIRUS_WARNING63 'From' strongly indicates 'virus warning' (63)
490 score VIRUS_WARNING63 8
491
492 # TJ/AF
493 # Case-insensitive strong indications
494 header VIRUS_WARNING63A From =~ /mailsweeper\@|avmailwall\@|virusscreen\@|virus-alert\@|antigen_|escanuser\@/i
495 describe VIRUS_WARNING63A 'From' strongly indicates 'virus warning' (63A)
496 score VIRUS_WARNING63A 8
497
498 # ML
499 # blacklist_from not used, because resent-from (added by some mailing lists) overrides.
500 header VIRUS_WARNING63B From =~ /viruscheckservice\@virusguardman\.com/i
501 describe VIRUS_WARNING63B Unhelpful 'virus warning' (blacklisted) (63B)
502 score VIRUS_WARNING63B 20
503
504 # AF
505 # False positive reported by Dan Miller <dan-dot-miller/at/ci-pinkerton.com>
506 # Has had a score of 20 for a long time.
507 # What a pain; Google shows huge amounts of junk
508 # 2004-08-09: removed after another FP report. Would love to know more about this.
509 #header VIRUS_WARNING64 X-BLTSYMAVREINSERT =~ /./
510 #describe VIRUS_WARNING64 Looks like unhelpful 'virus warning' (64)
511 #score VIRUS_WARNING64 3
512
513 # AF
514 header VIRUS_WARNING65 X-Virus-Scan-Result =~ /Repaired/
515 describe VIRUS_WARNING65 Unhelpful 'virus warning' (65)
516 score VIRUS_WARNING65 20
517
518 # AF
519 # This pattern has been seen as X-AtHome-MailScanner, X-Virus-Scanner,
520 # X-MailScanner, X-Antivirus, X-CTC-Iris-MailScanner, X-UTwente-MailScanner
521 header VIRUS_WARNING66 ALL =~ /Found to be infected/
522 describe VIRUS_WARNING66 Unhelpful 'virus warning' (66)
523 score VIRUS_WARNING66 20
524
525 # AF
526 header VIRUS_WARNING67 X-Scanned =~ /Symantec Antivirus Scan - Virus found/
527 describe VIRUS_WARNING67 Unhelpful 'virus warning' (67)
528 score VIRUS_WARNING67 20
529
530 # AF
531 header VIRUS_WARNING68 X-Sender =~ /NetMail AntiVirus Agent/
532 describe VIRUS_WARNING68 Unhelpful 'virus warning' (68)
533 score VIRUS_WARNING68 20
534
535 # Rule 69 was obsoleted by modified version of rule #66
536 # (AF: X-yoursite-Mailscanner: Found to be infected)
537
538 # AF
539 header VIRUS_WARNING70 Subject =~ /^Quarantined Mail: virus from/
540 describe VIRUS_WARNING70 Unhelpful 'virus warning' (70)
541 score VIRUS_WARNING70 20
542
543 # TJ
544 header VIRUS_WARNING71 Subject =~ /^Failed to clean virus/
545 describe VIRUS_WARNING71 Unhelpful InterScan 'virus warning' (71)
546 score VIRUS_WARNING71 20
547
548 # TJ
549 rawbody VIRUS_WARNING72 /^ Attempted to clean the file but it is not cleanable/
550 describe VIRUS_WARNING72 Unhelpful InterScan 'virus warning' (72)
551 score VIRUS_WARNING72 20
552
553 # AF
554 header VIRUS_WARNING73 X-Mirapoint-Virus =~ /DELETED/
555 describe VIRUS_WARNING73 Unhelpful Mirapoint 'virus warning' (73)
556 score VIRUS_WARNING73 20
557
558 # AF
559 # Part of "Attenzione Virus - Virus Alert"
560 header VIRUS_WARNING74 Subject =~ /^Attenzione Virus/
561 describe VIRUS_WARNING74 Unhelpful 'virus warning' (74)
562 score VIRUS_WARNING74 20
563
564 # AF
565 header VIRUS_WARNING75 X-Auto-Generated =~ /^Sophos antivirus plugin/
566 describe VIRUS_WARNING75 Unhelpful 'virus warning' (75)
567 score VIRUS_WARNING75 10
568
569 # AF/TJ
570 # Variant on #16
571 header VIRUS_WARNING76 Subject =~ /^\[MailServer Notification\]\s?To (Sender|External Sender|Recipient):? (virus found|a virus was found|file blocking settings matched|Message matched eManager setting)/
572 describe VIRUS_WARNING76 Unhelpful ScanMail 'virus warning' (76)
573 score VIRUS_WARNING76 20
574
575 # AF
576 header VIRUS_WARNING77 Subject =~ /^virus in verschickter Nachricht gefunden/
577 describe VIRUS_WARNING77 Unhelpful 'virus warning' (77)
578 score VIRUS_WARNING77 20
579
580 # AF
581 rawbody VIRUS_WARNING78 /Status: 5\.7\.0 \(other or undefined security status\)/
582 describe VIRUS_WARNING78 Could be a bogus virus warning (78)
583 score VIRUS_WARNING78 0.5
584
585 # AF
586 rawbody VIRUS_WARNING79 /Message-ID: <[^>]{1,50}> \(added by postmaster/
587 describe VIRUS_WARNING79 Could be a bogus virus warning (79)
588 score VIRUS_WARNING79 0.5
589
590 # AF
591 meta VIRUS_WARNING80 VIRUS_WARNING78 && VIRUS_WARNING79 && __REPORT_DSN
592 describe VIRUS_WARNING80 Likely to be a bogus virus warning (80)
593 score VIRUS_WARNING80 3.5
594
595 # Rule 81 combined with 56
596
597 # CE
598 header VIRUS_WARNING82 Subject =~ /^Virus encontrado en el mensaje enviado/
599 score VIRUS_WARNING82 20
600
601 # CE
602 header VIRUS_WARNING83 Subject =~ /^Security Alert - ScanMail for Lotus Notes/
603 describe VIRUS_WARNING83 Unhelpful ScanMail 'virus warning' (83)
604 score VIRUS_WARNING83 20
605
606 # CE/MK
607 # TJ: ...Detected is right-anchored
608 header VIRUS_WARNING84 Subject =~ /^Virus Infection (Alert|Detected)/
609 score VIRUS_WARNING84 20
610
611 # CE
612 header VIRUS_WARNING85 Subject =~ /^Warning - Virus Detected:/
613 score VIRUS_WARNING85 20
614
615 # CE
616 header VIRUS_WARNING86 Subject =~ /^Skynet Mail Protection scan results/
617 score VIRUS_WARNING86 20
618
619 # CE
620 rawbody VIRUS_WARNING87 /RAV AntiVirus plugin for CommuniGate Pro has found a virus in the e-mail you are about to send/
621 describe VIRUS_WARNING87 Unhelpful RAV 'virus warning' (87)
622 score VIRUS_WARNING87 20
623
624 # CE
625 rawbody VIRUS_WARNING88 /This is an automated return email from McAfee Virus Scan/
626 describe VIRUS_WARNING88 Unhelpful McAfee 'virus warning' (88)
627 score VIRUS_WARNING88 20
628
629 # CE
630 rawbody VIRUS_WARNING89 /------------------ Virus Warning Message/
631 describe VIRUS_WARNING89 Unhelpful 'virus warning' (89)
632 score VIRUS_WARNING89 20
633
634 # JB
635 body VIRUS_WARNING90 /^contained an attachment of a type that is frequently used to transport/
636 describe VIRUS_WARNING90 Looks like unhelpful ScanMail 'virus warning' (90)
637 score VIRUS_WARNING90 6
638
639 # JB
640 # Seen in "-- KO/Office has blocked your mail due to an email policy."
641 header VIRUS_WARNING91 Subject =~ /has blocked your mail due to an email policy\./
642 describe VIRUS_WARNING91 Looks like unhelpful ScanMail 'virus warning' (91)
643 score VIRUS_WARNING91 6
644
645 # NC: Contributed by "Safari" in n.a.n-a.e
646 header VIRUS_WARNING92 Subject =~ /^Virusveszely! Virus warning!/
647 score VIRUS_WARNING92 20
648
649 # NC
650 header VIRUS_WARNING93 Subject =~ /^Virus infection notice/
651 score VIRUS_WARNING93 20
652
653 # NC
654 header VIRUS_WARNING94 Subject =~ /^Possible virus found in message you sent/
655 score VIRUS_WARNING94 20
656
657 # NC
658 header VIRUS_WARNING95 Subject =~ /^AntiVir ALERT/
659 score VIRUS_WARNING95 20
660
661 # NC
662 # TJ: I suspect this may be specific to a site
663 header VIRUS_WARNING96 Subject =~ /^Centrale Anti-Virus melding/
664 score VIRUS_WARNING96 20
665
666 # NC
667 # Looks like #95
668 header VIRUS_WARNING97 Subject =~ /^Vexira ALERT/
669 score VIRUS_WARNING97 20
670
671 # NC
672 # TJ: again, suspect site-specific. Maybe change to ALL =~ ...?
673 header VIRUS_WARNING98 X-ELTE-VirusStatus =~ /^was_infected/
674 score VIRUS_WARNING98 20
675
676 # NC: contributed by B Briggs in n.a.n-a.e
677 header VIRUS_WARNING99 Subject =~ /^You sent potentially unsafe content/
678 score VIRUS_WARNING99 20
679
680 # NC
681 # TJ: looks site-specific to me
682 header VIRUS_WARNING100 Subject =~ /^Hov, du har sendt Jubii en virus !!!$/
683 score VIRUS_WARNING100 20
684
685 # NC
686 header VIRUS_WARNING101 Subject =~ /^\[message from .{0,99}virus detect system\]$/
687 score VIRUS_WARNING101 20
688
689 # NC
690 header VIRUS_WARNING102 Subject =~ /^Net Integrator Virus Alert$/
691 score VIRUS_WARNING102 20
692
693 # NC
694 header VIRUS_WARNING103 Subject =~ /^Information - Antivirus$/
695 score VIRUS_WARNING103 20
696
697 # NC
698 header VIRUS_WARNING104 Subject =~ /^AntiVirus Alert!$/
699 score VIRUS_WARNING104 20
700
701 # NC
702 header VIRUS_WARNING105 Subject =~ /^\{ALERTA DE VIRUS\}/
703 score VIRUS_WARNING105 20
704
705 # NC
706 header VIRUS_WARNING106 Subject =~ /^Virus in una mail per lei/
707 score VIRUS_WARNING106 20
708
709 # NC
710 header VIRUS_WARNING107 Subject =~ /AntiVirus scan results/
711 describe VIRUS_WARNING107 Looks like an unhelpful 'virus warning' (107)
712 score VIRUS_WARNING107 7
713
714 # TJ
715 header VIRUS_WARNING108 Subject =~ /^Returned due to - ATTACHMENT BLOCKINGS/
716 describe VIRUS_WARNING108 Unhelpful WebShield 'virus warning' (108)
717 score VIRUS_WARNING108 20
718
719 # TJ
720 # deprecated in favour of 186
721
722 # JB/TJ
723 body VIRUS_WARNING110 /^Please inform your (system)? administrator (and have your virus scanning|or check your machine for viruses)/
724 describe VIRUS_WARNING110 Unhelpful MIMEsweeper 'virus warning'? (110)
725 score VIRUS_WARNING110 8
726
727 # JB
728 body VIRUS_WARNING111 /^Scan: Threat: '[^']{1,50}' detected by/
729 describe VIRUS_WARNING111 Unhelpful MIMEsweeper 'virus warning'? (111)
730 score VIRUS_WARNING111 6
731
# ESR
header VIRUS_WARNING112 Subject =~ /^Virus Detected in your Email message!/
describe VIRUS_WARNING112 Unhelpful Norton Antivirus 'virus warning' (112)
score VIRUS_WARNING112 20

# ESR
rawbody VIRUS_WARNING113 /infected with the W32.Mydoom.A\@mm virus/
describe VIRUS_WARNING113 Unhelpful Mydoom virus warning (113)
score VIRUS_WARNING113 6

# TJ
body VIRUS_WARNING114 /RAV AntiVirus plugin for .{1,50} has found a virus/
describe VIRUS_WARNING114 Unhelpful RAV plugin 'virus warning' (114)
score VIRUS_WARNING114 7.5

# TJ
body VIRUS_WARNING115 /^Remote host said: 5.. Message rejected due to possible virus/
describe VIRUS_WARNING115 Qmail bounce of unhelpful virus warning (115)
score VIRUS_WARNING115 10

# ESR
# Similar to rule 23
header VIRUS_WARNING116 Subject =~ /^Virus incident/
describe VIRUS_WARNING116 Unhelpful Panda virus warning (116)
score VIRUS_WARNING116 6

# TJ
rawbody VIRUS_WARNING117 /^A known virus was discovered and deleted\./
describe VIRUS_WARNING117 Looks like MIMEDefang 'virus warning' (117)
score VIRUS_WARNING117 4

# TJ/AF
rawbody VIRUS_WARNING117A /^WARNING: This e-mail has been altered by (SATN-)?MIMEDefang/
describe VIRUS_WARNING117A MIMEDefang modified message (117A)
score VIRUS_WARNING117A 0.2

# AF
rawbody VIRUS_WARNING117B /^I found the \S+ virus\.$/
describe VIRUS_WARNING117B Unhelpful MIMEDefang 'virus warning' (117B)
score VIRUS_WARNING117B 5

# TJ
meta VIRUS_WARNING_DEFANG VIRUS_WARNING117 && VIRUS_WARNING117A
describe VIRUS_WARNING_DEFANG Unhelpful MIMEDefang 'virus warning'
score VIRUS_WARNING_DEFANG 10

# EA
# Sample at: http://article.gmane.org/gmane.comp.tv.xmltv.devel/2772
body VIRUS_WARNING118 /^The delivery of this message has been rejected. This message appears to have a.{0,99} virus/
describe VIRUS_WARNING118 Unhelpful 'virus warning' (118)
score VIRUS_WARNING118 10

# EA
# Sample at: http://article.gmane.org/gmane.comp.tv.xmltv.devel/2773
header VIRUS_WARNING119 Subject =~ /^WARNING: YOU MAY HAVE A VIRUS/
describe VIRUS_WARNING119 Unhelpful 'virus warning' (119)
score VIRUS_WARNING119 20

# EA
# Sample at: http://article.gmane.org/gmane.comp.tv.xmltv.devel/2773
body VIRUS_WARNING120 /^The E-mail containing the virus has been removed/
describe VIRUS_WARNING120 Unhelpful 'virus warning' (120)
score VIRUS_WARNING120 10

# PV
header VIRUS_WARNING121 Subject =~ /^ALERTE \- Vous avez envoye un mail avec virus/
describe VIRUS_WARNING121 Unhelpful 'virus warning' (121)
score VIRUS_WARNING121 20

# PV
header VIRUS_WARNING122 Subject =~ /^ALERTE: un virus a /
describe VIRUS_WARNING122 Unhelpful 'virus warning' (122)
score VIRUS_WARNING122 20

# PV
header VIRUS_WARNING123 Subject =~ /^Anti-Virus Notification/
describe VIRUS_WARNING123 Unhelpful 'virus warning' (123)
score VIRUS_WARNING123 20

# PV
header VIRUS_WARNING124 Subject =~ /^Antigen Notification/
describe VIRUS_WARNING124 Unhelpful Antigen 'virus warning' (124)
score VIRUS_WARNING124 20

# PV
header VIRUS_WARNING125 Subject =~ /Antivirus stopped your message/
describe VIRUS_WARNING125 Unhelpful 'virus warning' (125)
score VIRUS_WARNING125 10

# PV
header VIRUS_WARNING126 Subject =~ /^Email Quarantined Due to Virus/
score VIRUS_WARNING126 10

# PV/MK
# TJ: often anchored to start, but can have prefix
header VIRUS_WARNING127 Subject =~ /Inflex scan report \[\d+\]$/
describe VIRUS_WARNING127 Unhelpful Inflex 'virus warning' (127)
score VIRUS_WARNING127 20

# PV
header VIRUS_WARNING128 Subject =~ /^MMS Notification/
score VIRUS_WARNING128 4.5

# PV
header VIRUS_WARNING129 Subject =~ /MailSure Virus Alert/
score VIRUS_WARNING129 10

# PV
header VIRUS_WARNING130 Subject =~ /Ochrona antywirusowa/
score VIRUS_WARNING130 5

# PV
header VIRUS_WARNING131 Subject =~ /(SENDER|RECIPIENT) \! Virus Notify \!/
score VIRUS_WARNING131 10

# PV/TJ
header VIRUS_WARNING132 Subject =~ /VIRUS (NO|EM) SEU EMAIL/i
score VIRUS_WARNING132 20

# PV
header VIRUS_WARNING133 Subject =~ /Virus Check Alert/
score VIRUS_WARNING133 10

# TJ
# Variation on 133
header VIRUS_WARNING133A Subject =~ /^\#\# Virus Check Alert \#\#$/
score VIRUS_WARNING133A 20

# PV
# Seen as 'Virus Notification from Redstone'
# TJ: checked
header VIRUS_WARNING134 Subject =~ /^Virus Notification from/
score VIRUS_WARNING134 20

# PV
# TJ: checked
header VIRUS_WARNING135 Subject =~ /^Virus Quarantine Notification$/
score VIRUS_WARNING135 20

# PV/TJ
# TJ: checked, and seen separately with optional virus name
header VIRUS_WARNING136 Subject =~ /^Virus (\(.{1,50}\) )?in Ihrer Nachricht/i
describe VIRUS_WARNING136 Unhelpful amavisd-new 'virus warning' [DE] (136)
score VIRUS_WARNING136 10

# PV
header VIRUS_WARNING137 Subject =~ /Votre message contient un virus/
score VIRUS_WARNING137 8

# PV
# TJ: checked
header VIRUS_WARNING138 Subject =~ /^WorldSecure Server notification$/
describe VIRUS_WARNING138 Unhelpful WorldSecure 'virus warning' (138)
score VIRUS_WARNING138 20

# PV
header VIRUS_WARNING139 Subject =~ /\[SmartFilter\] Virus Alert /
score VIRUS_WARNING139 8

# PV
header VIRUS_WARNING140 Subject =~ /\[Virus detected\]/
score VIRUS_WARNING140 6

# 141 obsoleted by 142

# PV/TJ
header VIRUS_WARNING142 Subject =~ /^virus (trouve dans le message envoye|trovato in un messaggio inviato)/
describe VIRUS_WARNING142 Unhelpful 'virus warning'
score VIRUS_WARNING142 20

# HP
# BorderWare Mail Gateway
rawbody VIRUS_WARNING143 /^This is a recorded message from the BorderWare Mail Gateway/
describe VIRUS_WARNING143 Unhelpful BorderWare 'virus warning' (143)
score VIRUS_WARNING143 6

# HP
# Also from BorderWare Mail Gateway
header VIRUS_WARNING144 Subject =~ /^Discarded Email/
describe VIRUS_WARNING144 Unhelpful BorderWare 'virus warning'? (144)
score VIRUS_WARNING144 5

# TJ
body VIRUS_WARNING145 /A L E R T A\s+D E\s+V [IÍ] R U S/
describe VIRUS_WARNING145 Unhelpful MailScanner 'virus warning' (145)
score VIRUS_WARNING145 4

# AF
body VIRUS_WARNING146 /^The content of the following email has been checked by the HBOS plc/
describe VIRUS_WARNING146 Unhelpful 'virus warning' - HBOS/Halifax? (146)
score VIRUS_WARNING146 3.5

# AF
body VIRUS_WARNING147 /Aquest missatge contenia un fitxer adjunt amb virus que s'ha eliminat/
score VIRUS_WARNING147 4

# AF
header VIRUS_WARNING148 Subject =~ /^HBOS plc Automated Email Administrator/
describe VIRUS_WARNING148 Unhelpful 'virus warning'- HBOS plc/Halifax (148)
score VIRUS_WARNING148 10

# TJ
header VIRUS_WARNING149 Subject =~ /^Disallowed attachment type found in sent message/
describe VIRUS_WARNING149 Unhelpful 'virus warning' (149)
score VIRUS_WARNING149 20

# TJ
body VIRUS_WARNING150 /550 Error: VB0007 - Rejected: Probably a virus/
describe VIRUS_WARNING150 Probably a virus bounce (club-internet.fr) (150)
score VIRUS_WARNING150 4

# TJ
rawbody VIRUS_WARNING151 /^Virus\(es\) found\.$/
describe VIRUS_WARNING151 McAfee/CommuniGate Pro 'virus warning' (151)
score VIRUS_WARNING151 7

# TJ
body VIRUS_WARNING152 /^Captured by McAfee antivirus plugin/
describe VIRUS_WARNING152 Unhelpful McAfee plugin 'virus warning' (152)
score VIRUS_WARNING152 4

# TJ
rawbody VIRUS_WARNING153 /^\S+ is infected with/
describe VIRUS_WARNING153 Unhelpful McAfee plugin 'virus warning'? (153)
score VIRUS_WARNING153 3

# TJ
rawbody VIRUS_WARNING154 /^WARNING! Your message was infected by VIRUS:$/
describe VIRUS_WARNING154 Unhelpful 'virus warning' (154)
score VIRUS_WARNING154 15

# TJ
rawbody VIRUS_WARNING155 /^Antiviral program output:$/
describe VIRUS_WARNING155 Unhelpful 'virus warning' (155)
score VIRUS_WARNING155 3

# AF
header VIRUS_WARNING156 Subject =~ /^Virus found:/
describe VIRUS_WARNING156 Unhelpful SurfControl 'virus warning' (156)
score VIRUS_WARNING156 20

# AF - should normally be caught by 156
rawbody VIRUS_WARNING157 /^SurfControl E-mail Anti-Virus Agent and has detected the Virus/
describe VIRUS_WARNING157 Unhelpful SurfControl 'virus warning' (157)
score VIRUS_WARNING157 5

# JBB
header VIRUS_WARNING158 Subject =~ /^Your mail server sent us a virus/
describe VIRUS_WARNING158 Unhelpful Declude 'virus warning' (158)
score VIRUS_WARNING158 20

# AF
header VIRUS_WARNING159 Subject =~ /^This is an alert from eSafe$/
describe VIRUS_WARNING159 Unhelpful eSafe 'virus warning' (159)
score VIRUS_WARNING159 20

# AF/PB - sometimes, but not always caught by 159
rawbody VIRUS_WARNING160 /^\*\*\* eSafe detected (a )?hostile content in this email( and removed it)?. \*\*\*$/
describe VIRUS_WARNING160 Unhelpful eSafe 'virus warning' (160)
score VIRUS_WARNING160 12

# AF
header VIRUS_WARNING161 Subject =~ /^Virus encontrado/
describe VIRUS_WARNING161 Unhelpful 'virus warning' (161)
score VIRUS_WARNING161 4

# AF
rawbody VIRUS_WARNING162 /^---uvscan results ---$/
describe VIRUS_WARNING162 Looks like unhelpful 'virus warning' (162)
score VIRUS_WARNING162 3.5

# TJ
rawbody VIRUS_WARNING162A /^---perlscanner results ---$/
describe VIRUS_WARNING162A Looks like unhelpful 'virus warning' (162A)
score VIRUS_WARNING162A 2.0

# AF
rawbody VIRUS_WARNING163 /^Scan result/
describe VIRUS_WARNING163 Unhelpful 'virus warning'? (163)
score VIRUS_WARNING163 2

# SC - seen as "Notification du serveur antivirus SEII"
# TrendMicro Viruswall
header VIRUS_WARNING164 Subject =~ /^Notification du serveur antivirus/
describe VIRUS_WARNING164 Unhelpful Viruswall 'virus warning' (164)
score VIRUS_WARNING164 6

# SC
rawbody VIRUS_WARNING165 /^Un virus a été détecté dans votre $/
describe VIRUS_WARNING165 Unhelpful Viruswall 'virus warning'? (165)
score VIRUS_WARNING165 4

# SC
rawbody VIRUS_WARNING166 /^Un virus \(.{1,50}\) a été déte/
describe VIRUS_WARNING166 Unhelpful Viruswall 'virus warning'? (166)
score VIRUS_WARNING166 4

# SC
header VIRUS_WARNING167 Subject =~ /^NAV ha rilevato un virus in un documento inviato$/
describe VIRUS_WARNING167 Unhelpful NAV 'virus warning' (167)
score VIRUS_WARNING167 100

# SC
rawbody VIRUS_WARNING168 /^Il documento analizzato è in QUARANTEA\.$/
describe VIRUS_WARNING168 Unhelpful NAV 'virus warning' (168)
score VIRUS_WARNING168 4

# SC
rawbody VIRUS_WARNING169 /^Informazioni sul virus:$/
describe VIRUS_WARNING169 Unhelpful NAV 'virus warning' (169)
score VIRUS_WARNING169 4

# AF
# Hmm, maybe use X-WSS-ID: <uid> header? Looks like it's a NAI WS spamsign
header VIRUS_WARNING170 Subject =~ /^Network Associates Webshield - e-mail Content Alert$/
describe VIRUS_WARNING170 Unhelpful Webshield 'attachment warning' (170)
score VIRUS_WARNING170 20

# AF
rawbody VIRUS_WARNING171 /^Network Associates WebShield SMTP.{1,50}intercepted a mail/
describe VIRUS_WARNING171 Unhelpful Webshield 'attachment warning' (171)
score VIRUS_WARNING171 5

# TJ
rawbody VIRUS_WARNING172 /^Virus identity found:/
describe VIRUS_WARNING172 Unhelpful MailMonitor 'virus warning' (172)
score VIRUS_WARNING172 5

# TJ
rawbody VIRUS_WARNING173 /^The Firstnet Anti-Virus \(FAV\) system intercepted it/
describe VIRUS_WARNING173 Unhelpful Firstnet AV 'virus warning' (173)
score VIRUS_WARNING173 5

# TJ - this is generated by the braindead qmail-scanner patch
header VIRUS_WARNING174 X-Tnz-Problem-Type =~ /.{1,50}/
describe VIRUS_WARNING174 Unhelpful qmail-scanner 'virus warning' (174)
score VIRUS_WARNING174 1

# TJ
rawbody VIRUS_WARNING175 /^Panda Antivirus has found the following viruses in the message:$/
describe VIRUS_WARNING175 Unhelpful Panda Antivirus 'virus warning' (175)
score VIRUS_WARNING175 8

# TJ - can't assert the end of this string for some reason
rawbody VIRUS_WARNING176 /^Report generated by Panda Antivirus/
describe VIRUS_WARNING176 Unhelpful Panda Antivirus 'virus warning' (176)
score VIRUS_WARNING176 5

# AF
# as in "...virus in a document you authored"
header VIRUS_WARNING177 Subject =~ /^Symantec AntiVirus\/Filtering for Domino detected a virus/
describe VIRUS_WARNING177 Unhelpful Symantec for Domino 'virus warning'(177)
score VIRUS_WARNING177 20

# TJ
# Honestly, ISPs should know better than this. Idiots.
header VIRUS_WARNING178 Subject =~ /^Eclipse Internet VIRUSshield detected VIRUS/
describe VIRUS_WARNING178 Unhelpful Eclipse Internet 'virus warning' (178)
score VIRUS_WARNING178 20

# TJ
# see also 390
rawbody VIRUS_WARNING179 /^VIRUS ALERT/
describe VIRUS_WARNING179 Could be a bogus 'virus warning' (179)
score VIRUS_WARNING179 2.5

# TJ
# Norton Antivirus Gateway
header VIRUS_WARNING180 Subject =~ /^VIRUS MESSAGE$/
describe VIRUS_WARNING180 Unhelpful Norton AV Gateway 'virus warning' (180)
score VIRUS_WARNING180 4.5

# AF
header VIRUS_WARNING181 Subject =~ /^Internet Mail Failure - Virus Alert$/
describe VIRUS_WARNING181 Unhelpful 'virus warning' (181)
score VIRUS_WARNING181 20

# AF
rawbody VIRUS_WARNING182 /^Virus Scanner found the$/
describe VIRUS_WARNING182 Unhelpful 'virus warning'? (182)
score VIRUS_WARNING182 1.5

# TJ
rawbody VIRUS_WARNING183 /^YOUR MAIL HAD THE VIRUS/
describe VIRUS_WARNING183 Unhelpful 'virus warning' (WebShield?) (183)
score VIRUS_WARNING183 2.0

# TJ
header VIRUS_WARNING184 Subject =~ /^FOUND VIRUS IN YOUR MAIL TO:/
describe VIRUS_WARNING184 Unhelpful ArmourPlate 'virus warning' (184)
score VIRUS_WARNING184 10.0

# TJ
rawbody VIRUS_WARNING185 /^ArmourPlate protects organisations/
describe VIRUS_WARNING185 Unhelpful ArmourPlate 'virus warning' spam (185)
score VIRUS_WARNING185 3.0

# AF
rawbody VIRUS_WARNING186 /^<p>The WebShield&reg; .{1,50} Appliance discovered a virus/
describe VIRUS_WARNING186 Unhelpful WebShield 'virus warning' (186)
score VIRUS_WARNING186 10.0

# AF
header VIRUS_WARNING187 Subject =~ /^\s*"Returned due to virus/
describe VIRUS_WARNING187 Unhelpful WebShield 'virus warning' (187)
score VIRUS_WARNING187 2.0

# AF
# TJ: From WebShield, but fairly generic
rawbody VIRUS_WARNING188 /^\s*(Virus name|diagnostics\/Diagnose):/i
describe VIRUS_WARNING188 Looks like unhelpful 'virus warning' (188)
score VIRUS_WARNING188 1.5

# AF
# From some kind of Exchange-based scanner
header VIRUS_WARNING189 Subject =~ /^ALERT - Virus .{1,50} found/
describe VIRUS_WARNING189 Unhelpful 'virus warning' (189)
score VIRUS_WARNING189 8.0

# AF/TJ
rawbody VIRUS_WARNING190 /^(Infected\? Yes|Stato file:\s*Infetto)$/i
describe VIRUS_WARNING190 Unhelpful 'virus warning' (190)
score VIRUS_WARNING190 2.0

# TJ
# Mis-spelling is intentional!
rawbody VIRUS_WARNING191 /^WARNING! Virus foudn in attachment/
describe VIRUS_WARNING191 Unhelpful Wharf T&T 'virus warning' (191)
score VIRUS_WARNING191 10

# TJ
# Something to do with VirusWall?
# matches Mirapoint too (2004-07-14)
rawbody __VIRUS_WARNING192A /^.{1,50} is removed from here because it contains a virus\.$/
rawbody __VIRUS_WARNING192B /^-{40,80}( \(on .{1,50}\))?$/
meta VIRUS_WARNING192 __VIRUS_WARNING192A && __VIRUS_WARNING192B
describe VIRUS_WARNING192 Unhelpful 'virus warning' (192)
score VIRUS_WARNING192 20

# AF
header VIRUS_WARNING193 Subject =~ /Suppresion du Virus/
describe VIRUS_WARNING193 Looks like unhelpful 'virus warning' (193)
score VIRUS_WARNING193 2.0

# TJ
rawbody VIRUS_WARNING194 /^A possible virus was detected in your message/
describe VIRUS_WARNING194 Looks like unhelpful 'virus warning' (194)
score VIRUS_WARNING194 2.0

# TJ
rawbody VIRUS_WARNING195 /^.{1,50}\@.{1,50}: Email Content Not Allowed/
describe VIRUS_WARNING195 Could be unhelpful 'virus warning' (195)
score VIRUS_WARNING195 0.5

# AF
# From postmaster@
rawbody VIRUS_WARNING196 /^[a-zA-Z0-9_\-\.]+ detected a hostile content in this email and removed it/
describe VIRUS_WARNING196 Unhelpful 'virus warning' (196)
score VIRUS_WARNING196 6.0

# AF
header VIRUS_WARNING197 Subject =~ /^Tipo de arquivo anexo nao permitido!/
describe VIRUS_WARNING197 Unhelpful 'virus warning' (197)
score VIRUS_WARNING197 8.0

# TJ
header VIRUS_WARNING198 Subject =~ /^Illegal attachment type found in sent message/
describe VIRUS_WARNING198 Unhelpful qmail-scanner 'virus warning' (198)
score VIRUS_WARNING198 10

# TJ
rawbody VIRUS_WARNING199 /A Illegal attachment type was found in an Email message you sent\.$/
describe VIRUS_WARNING199 Unhelpful qmail-scanner 'virus warning' (199)
score VIRUS_WARNING199 4.0

# TJ
header VIRUS_WARNING200 Subject =~ /^Message Deleted:/
describe VIRUS_WARNING200 Unhelpful 'virus warning' (200)
score VIRUS_WARNING200 6.0

# TJ
rawbody VIRUS_WARNING201 /^An attachment \(.{0,99}\) in the message violated system permissions/
describe VIRUS_WARNING201 Unhelpful 'virus warning' (201)
score VIRUS_WARNING201 2.0

# TJ
meta VIRUS_WARNING201A VIRUS_WARNING200 && VIRUS_WARNING201
describe VIRUS_WARNING201A Unhelpful 'virus warning' (201A)
score VIRUS_WARNING201A 4.0

# TJ
# Seen from ipworldcom.ch
rawbody VIRUS_WARNING202 /^\s*\S+ is infected with/
describe VIRUS_WARNING202 Unhelpful 'virus warning' (202)
score VIRUS_WARNING202 3.0

# TJ
rawbody VIRUS_WARNING203 /^Your computer seems to send a message containing a virus/
describe VIRUS_WARNING203 Unhelpful 'virus warning' (203)
score VIRUS_WARNING203 3.0

# TJ
meta VIRUS_WARNING203A VIRUS_WARNING202 && VIRUS_WARNING203
describe VIRUS_WARNING203A Unhelpful 'virus warning' (203A)
score VIRUS_WARNING203A 4.0

# TJ
rawbody VIRUS_WARNING204 /^file contains virus:/
describe VIRUS_WARNING204 Unhelpful 'virus warning' (204)
score VIRUS_WARNING204 3.0

# TJ
header VIRUS_WARNING205 Subject =~ /\[.{1,50}: Virus detected\]$/
describe VIRUS_WARNING205 Unhelpful 'virus warning' (205)
score VIRUS_WARNING205 3.0

# TJ
rawbody VIRUS_WARNING206 /^This e-mail contained attachments which were virus infected/
describe VIRUS_WARNING206 Unhelpful 'virus warning' (206)
score VIRUS_WARNING206 2.5

# TJ
header VIRUS_WARNING207 Subject =~ /^RAV[0-9]+ Antivirus notification/
describe VIRUS_WARNING207 Unhelpful RAV 'virus warning' (207)
score VIRUS_WARNING207 20

# TJ
header VIRUS_WARNING208 Subject =~ /^Invalid content in mail message/
describe VIRUS_WARNING208 Unhelpful Kerio Mailserver 'virus warning' (208)
score VIRUS_WARNING208 7.5

# TJ
meta VIRUS_WARNING209 VIRUS_WARNING208 && VIRUS_WARNING188
describe VIRUS_WARNING209 Unhelpful Kerio Mailserver 'virus warning' (209)
score VIRUS_WARNING209 5.0

# TJ
rawbody VIRUS_WARNING210 /^This virus has been deleted/i
describe VIRUS_WARNING210 Unhelpful 'virus warning' (210)
score VIRUS_WARNING210 2.0

# AF
header VIRUS_WARNING211 Subject =~ /^IcoMailServer: Virus détect$/
describe VIRUS_WARNING211 Unhelpful IcoMailServer 'virus warning' (211)
score VIRUS_WARNING211 20

# AF
rawbody VIRUS_WARNING212 /^IcoMailServer Antivirus v[0-9\.]+ a détectén virus/
describe VIRUS_WARNING212 Unhelpful IcoMailServer 'virus warning' (212)
score VIRUS_WARNING212 5

# TJ
rawbody VIRUS_WARNING213 /^Bola Vam poslana elektronicka posta s prilohou. Obsahuje VIRUS!$/
describe VIRUS_WARNING213 Unhelpful 'virus warning'
score VIRUS_WARNING213 20

# MK
header VIRUS_WARNING214 Subject =~ /^ALERT!! Infected mail sent by you!$/
describe VIRUS_WARNING214 Unhelpful NAVMSE 'virus warning' (214)
score VIRUS_WARNING214 20

# AF
header VIRUS_WARNING215 Subject =~ /^NAV hat einen Virus oder nicht erlaubten Inhalt/
describe VIRUS_WARNING215 Unhelpful NAV 'virus warning' (215)
score VIRUS_WARNING215 20

# AF
rawbody VIRUS_WARNING216 /^The infected component in the scanned document was deleted\.$/
describe VIRUS_WARNING216 Unhelpful NAV 'virus warning' (216)
score VIRUS_WARNING216 5

# AF
rawbody VIRUS_WARNING217 /^The attachment \S+ contained the virus \S+/
describe VIRUS_WARNING217 Unhelpful NAV 'virus warning' (217)
score VIRUS_WARNING217 5

# PB/JT
# DSN: None
# note 2004-08-18: sometimes has trailing space
header VIRUS_WARNING218 Subject =~ /McAfee GroupShield Alert\s*$/
describe VIRUS_WARNING218 Unhelpful GroupShield 'virus warning'? (218)
score VIRUS_WARNING218 4

rawbody VIRUS_WARNING218A /^Reason: Anti-Virus/

meta VIRUS_WARNING218B VIRUS_WARNING218 && VIRUS_WARNING218A
describe VIRUS_WARNING218B Definitely GroupShield 'virus warning' (218B)
score VIRUS_WARNING218B 20

# TJ
header VIRUS_WARNING219 Subject =~ /^Illegal Content Violation - Message [0-9]+$/
describe VIRUS_WARNING219 Unhelpful 'virus warning' (219)
score VIRUS_WARNING219 20

# MK
# Seen alongside 221
header VIRUS_WARNING220 Subject =~ /^Virus found in message from you!$/
describe VIRUS_WARNING220 Unhelpful Kaspersky 'virus warning' (220)
score VIRUS_WARNING220 20

# MK
header VIRUS_WARNING221 X-Mailer =~ /^Kaspersky SMTPSCAN/
describe VIRUS_WARNING221 Could be unhelpful Kaspersky 'virus warning' (221)
score VIRUS_WARNING221 2

# TJ
rawbody VIRUS_WARNING222 /^X-NAI-WebShield[a-zA-Z0-9]+-mimepp: Attachment repaired$/
describe VIRUS_WARNING222 Could be unhelpful NAI 'virus warning' (222)
score VIRUS_WARNING222 8

# MK/JT
header VIRUS_WARNING223 Subject =~ /^(Spam mail warning notification!|VirusWall has detected a sensitive e-mail !!!) \(Attachment Removal\)$/
describe VIRUS_WARNING223 Unhelpful eManager 'virus warning' (223)
score VIRUS_WARNING223 20

# MK/JT
rawbody VIRUS_WARNING224 /^(The following mail was blocked since it contains sensitive content|eManager has removed a sensitive attachment file in the email)\.$/
describe VIRUS_WARNING224 Unhelpful eManager 'virus warning'? (224)
score VIRUS_WARNING224 2.5

# PSI
header VIRUS_WARNING225 Subject =~ /^A Virus was detected in the message you sent$/i
describe VIRUS_WARNING225 Unhelpful MAILsweeper 'virus warning' (225)
score VIRUS_WARNING225 20

# TJ
rawbody VIRUS_WARNING226 /^\/var\/spool\/mailscanner.{1,50} Infection:/
describe VIRUS_WARNING226 Unhelpful MailScanner 'virus warning' (226)
score VIRUS_WARNING226 5

# AF
# BT-specific
body VIRUS_WARNING227 /^"An attempt has been made to send a file called \S+ into BT's e-mail/
describe VIRUS_WARNING227 Unhelpful BT 'virus warning' (227)
score VIRUS_WARNING227 10

# TJ
# Goes alongside 229
rawbody VIRUS_WARNING228 /^Found the \S+in message\.$/
describe VIRUS_WARNING228 Unhelpful 'virus warning' (228)
score VIRUS_WARNING228 2.5

# TJ
rawbody VIRUS_WARNING229 /^Found the (W32\/\S+|.{1,50}\@MM\S*)in message\.$/
describe VIRUS_WARNING229 Unhelpful 'virus warning' (229)
score VIRUS_WARNING229 10

# TJ
# Don't double count
meta VIRUS_WARNING229A VIRUS_WARNING228 && VIRUS_WARNING229
describe VIRUS_WARNING229A Don't double-count 228/229
score VIRUS_WARNING229A -3.5

# PB
rawbody VIRUS_WARNING230 /^Dr\. Web (detailed )?report:$/
describe VIRUS_WARNING230 Unhelpful Dr. Web 'virus warning' (230)
score VIRUS_WARNING230 10

# PB
header VIRUS_WARNING231 Content-Type =~ /boundary="001-DrWeb-MailFilter-Notification"$/
describe VIRUS_WARNING231 Looks like Dr. Web notification (231)
score VIRUS_WARNING231 10

# PSI
rawbody VIRUS_WARNING232 /^Found virus .{1,50} in file .{1,50}$/
describe VIRUS_WARNING232 Unhelpful 'virus warning' (232)
score VIRUS_WARNING232 5

# PSI
rawbody VIRUS_WARNING233 /^The file is deleted\.$/
describe VIRUS_WARNING233 Looks like unhelpful 'virus warning' (233)
score VIRUS_WARNING233 1

# PSI
rawbody VIRUS_WARNING234 /^-+\s*Virus i denne meldingen er fjernet/
describe VIRUS_WARNING234 Looks like unhelpful 'virus warning' (234)
score VIRUS_WARNING234 4

# PSI
rawbody VIRUS_WARNING235 /^550 Error: The message probably contains the .{1,50} virus/
describe VIRUS_WARNING235 Could be unhelpful 'virus warning' (235)
score VIRUS_WARNING235 2

# AF
body VIRUS_WARNING236 /^Votre mail a été rejeté car il comporte une pièce jointe qui n'est pas acceptée par notre outil de filtrage/
describe VIRUS_WARNING236 Unhelpful 'virus warning' (236)
score VIRUS_WARNING236 7

# AF
# Could be virus infection too
header VIRUS_WARNING237 X-BitDefender-Scanner =~ /^Infected/
describe VIRUS_WARNING237 Unhelpful BitDefender 'virus warning' (237)
score VIRUS_WARNING237 10

# MK
rawbody VIRUS_WARNING238 /^Ihre Mail beinhaltete verbotene Anhänge !$/
describe VIRUS_WARNING238 Unhelpful 'virus warning' (238)
score VIRUS_WARNING238 20

# MK
header VIRUS_WARNING239 Subject =~ /^<WatchDog: Verbotener Dateianhang>$/
describe VIRUS_WARNING239 Unhelpful 'virus warning' (239)
score VIRUS_WARNING239 20

# PSI
header VIRUS_WARNING240 Subject =~ /^Advarsel! Dit e-brev indeholder virus$/
describe VIRUS_WARNING240 Unhelpful 'virus warning' (240)
score VIRUS_WARNING240 20

# PSI
# TrendMicro Interscan eManager
# apparently can FP when people set it up to reject otherwise-legit attachments
rawbody VIRUS_WARNING241 /^The attachment file in the message has been removed by eManager\.$/
describe VIRUS_WARNING241 Unhelpful Interscan 'virus warning'? (241)
score VIRUS_WARNING241 3

# PSI
rawbody VIRUS_WARNING242 /^ScanMail has detected a virus during a real-time scan of the mail traffic\.$/
describe VIRUS_WARNING242 Unhelpful ScanMail 'virus warning' (242)
score VIRUS_WARNING242 5

# PSI
header VIRUS_WARNING243 Subject =~ /^Virus Alert - ScanMail for Lotus Notes -->/
describe VIRUS_WARNING243 Unhelpful ScanMail 'virus warning' (243)
score VIRUS_WARNING243 20

# TJ
body VIRUS_WARNING244 /^Our content checker found\s+viruses/
describe VIRUS_WARNING244 Could be an unhelpful 'virus warning' (244)
score VIRUS_WARNING244 5

# TJ
meta VIRUS_WARNING245 VIRUS_WARNING179 && VIRUS_WARNING244
describe VIRUS_WARNING245 Unhelpful 'virus warning' (245)
score VIRUS_WARNING245 20

# PSI
rawbody VIRUS_WARNING246 /^was stopped by MailSweeper because it contained an executable file\.$/
describe VIRUS_WARNING246 Unhelpful 'virus warning' (246)
score VIRUS_WARNING246 20

# TJ
rawbody VIRUS_WARNING247 /^Zalaczony plik (.{1,50}) zawiera wirusa +(.{1,50}) \.$/
describe VIRUS_WARNING247 Unhelpful 'virus warning' (247)
score VIRUS_WARNING247 20

# TJ
rawbody VIRUS_WARNING248 /^Disallowed attach type$/
describe VIRUS_WARNING248 Unhelpful 'virus warning' (248)
score VIRUS_WARNING248 20

# PSI
body VIRUS_WARNING249 /^This mail is not complete because a part of it \(body or attachment\) violated Norman Gateway Protection/
describe VIRUS_WARNING249 Unhelpful 'virus warning' (249)
score VIRUS_WARNING249 20

# HPK
# This is a general rule which will catch lots of MailScanner stuff.
# MailScanner is a real PITA.
rawbody VIRUS_WARNING250 /^This is a message from the MailScanner E-Mail Virus Protection Service/
describe VIRUS_WARNING250 Some kind of MailScanner notification? (250)
score VIRUS_WARNING250 1.5

# HPK
body VIRUS_WARNING251 /The file .{1,50} has been replaced as it contains the\s+.{1,50} virus\./
describe VIRUS_WARNING251 Unhelpful GroupShield/Exch 'virus warning' (251)
score VIRUS_WARNING251 20

# HPK
rawbody VIRUS_WARNING252 /^\*+\s+McAfee GroupShield for Microsoft Exchange\s+\*+$/
describe VIRUS_WARNING252 Unhelpful GroupShield/Exch 'virus warning' (252)
score VIRUS_WARNING252 10

# TJ
body VIRUS_WARNING253 /please (check your system for viruses|update your virus scanner|run an antivirus program)/i
describe VIRUS_WARNING253 Asks you to check for viruses (253)
score VIRUS_WARNING253 0.5

# MK
# Variant on 43
header VIRUS_WARNING254 Subject =~ /^VIRUS \(.{1,50}\) IN MAIL$/
describe VIRUS_WARNING254 Unhelpful 'virus warning' (254)
score VIRUS_WARNING254 20

# MK
rawbody VIRUS_WARNING255 /^VIRUS-WARNUNG$/
describe VIRUS_WARNING255 Looks like unhelpful 'virus warning' (255)
score VIRUS_WARNING255 5

# MK
rawbody VIRUS_WARNING256 /^Our virus checker found/i
describe VIRUS_WARNING256 Could be unhelpful 'virus warning' (256)
score VIRUS_WARNING256 3

# MK
rawbody VIRUS_WARNING257 /^Content violation found in email message\.$/
describe VIRUS_WARNING257 Unhelpful 'virus warning' (257)
score VIRUS_WARNING257 20

# MK
# Site-specific, sigh
body VIRUS_WARNING258 /had an attachment that is not accepted by the American Red Cross Email System/
describe VIRUS_WARNING258 Unhelpful 'virus warning' (258)
score VIRUS_WARNING258 20

# TJ
# The bit in the middle has been seen as "Inbound Messages"/"Anti-Virus (Inbound)"/"Content Security (Inbound)"
rawbody VIRUS_WARNING259 /^MailMarshal Rule: .{1,50} : Block (Dangerous Attachments|EXECUTABLE Files|Known Virus Attachments|Virus|Stripped Attachments|Executables|Script and Code)$/
describe VIRUS_WARNING259 Unhelpful MailMarshal 'virus warning' (259)
score VIRUS_WARNING259 20

# DJM/AF
rawbody VIRUS_WARNING260 /^(ScanMail for Microsoft Exchange has detected virus-infected attachment\(s\)\.|Warning to sender\. ScanMail has detected a virus in an email you sent\.)$/
describe VIRUS_WARNING260 Unhelpful ScanMail/Exch 'virus warning' (260)
score VIRUS_WARNING260 20

# AF
# Not null-sender
header VIRUS_WARNING261 Subject =~ /^Alerte de l'Anti-virus$/
describe VIRUS_WARNING261 Unhelpful 'virus warning' (261)
score VIRUS_WARNING261 20

# AF
# Seen with 261
rawbody VIRUS_WARNING262 /^Details: (.{1,50}) Infected with/
describe VIRUS_WARNING262 Unhelpful 'virus warning'? (262)
score VIRUS_WARNING262 5

# AF
header VIRUS_WARNING263 Subject =~ /^Attachment Filter$/
describe VIRUS_WARNING263 Unhelpful 'virus warning' (263)
score VIRUS_WARNING263 10

# AF
# With/without null sender
body VIRUS_WARNING264 /\*\*\*L'anti-virus AXERGY a détecté un virus (et l'a enlevé|ou une pièce jointe interdite dans ce mail)/
describe VIRUS_WARNING264 Unhelpful 'virus warning' (264)
score VIRUS_WARNING264 20

# AF
# DSN: Null, CT
# Big thanks to Alan for helping to get rid of this big annoyance!
# AOL handle aol.com, netscape.net, cs.com
full __VIRUS_WARNING265 /mx\.aol\.com..The original message was received.{35,45}^from ([-.\w]+ (?<!aol\.com )\[[.\d]+\]).{1,99}^Content-Type: text\/rfc822-headers..Received: from\s\s(aol\.com|netscape\.net|cs\.com) \(\1\)/ms
meta VIRUS_WARNING265 __REPORT_DSN && __VIRUS_WARNING265
describe VIRUS_WARNING265 Unhelpful AOL bounce fake aol.com HELO (265)
score VIRUS_WARNING265 15

# AF/TJ
# DSN: Null, CT
# Similar to 265, but catches unqualified HELOs that aren't aol.com
full __VIRUS_WARNING265A /mx\.aol\.com..The original message was received.{35,45}^from ([-.\w]+ (?<!aol\.com )\[[.\d]+\]).{1,99}^Content-Type: text\/rfc822-headers..Received: from\s\s[a-zA-Z0-9]+ \(\1\)/ms
meta VIRUS_WARNING265A __REPORT_DSN && __VIRUS_WARNING265A
describe VIRUS_WARNING265A Looks like unhelpful AOL virus bounce (265A)
score VIRUS_WARNING265A 5

# AF
# DSN: Null, CT
# Similar to 265, but catches mail received from hosts with no rDNS
full __VIRUS_WARNING265B /mx\.aol\.com..The original message was received.{35,45}^from\s\s(\[[.\d]+\]).{1,99}^Content-Type: text\/rfc822-headers..Received: from\s\saol\.com \(\1\)/ms
meta VIRUS_WARNING265B __REPORT_DSN && __VIRUS_WARNING265B
describe VIRUS_WARNING265B AOL accept faked aol.com HELO (no PTR) (265B)
score VIRUS_WARNING265B 15

# PSI
# DSN: Null, CT
rawbody __VIRUS_WARNING266 /^Telenor Plus Virus Scan detected a virus in an e-mail you sent/
meta VIRUS_WARNING266 __REPORT_DSN && __VIRUS_WARNING266
describe VIRUS_WARNING266 Unhelpful Telenor 'virus warning' (266)
score VIRUS_WARNING266 15

# AF
# DSN: Null
# Another stupid big ISP which should know better
header VIRUS_WARNING267 Subject =~ /^Mail virus incident report$/
describe VIRUS_WARNING267 Unhelpful Via Networks 'virus warning' (267)
score VIRUS_WARNING267 20

# AF/TJ
# General proactive rule - catches stuff about infections, asserted to start
# of line (optionally with spaces)
rawbody __VIRUS_WARNING268X /^\s*(infected(:|\s(with|file))|contain(ed|s) (a|the) (virus|viruses):|quarantine$)/i
describe __VIRUS_WARNING268X Could be unhelpful 'virus warning'? (268X)

# TJ
# We split Sender and To off and only match if they have a preceding space
# to avoid hits on forwards etc. with a Sender: header in the body
rawbody __VIRUS_WARNING268A /^\s*(mail from|originator)\s*[:=]/i
rawbody __VIRUS_WARNING268B /^(\s+(sender|from)\s*:|\s*(sender|from)\s*=)/i
rawbody __VIRUS_WARNING268C /^\s*(((the )?(e-?)?mail )?recipient(s|\(s\))?|(e-?)?mail sent to)\s*[:=]/i
rawbody __VIRUS_WARNING268D /^(\s+to\s*:|\s*to\s*=)/i
meta __VIRUS_WARNING_SENDREC (__VIRUS_WARNING268A || __VIRUS_WARNING268B) && (__VIRUS_WARNING268C || __VIRUS_WARNING268D)

meta VIRUS_WARNING268E (__VIRUS_WARNING268X && __VIRUS_WARNING_SENDREC)
describe VIRUS_WARNING268E Looks like an unhelpful 'virus warning' (268E)
score VIRUS_WARNING268E 3

# May catch FP's - forwards etc. with Sender: in the body
rawbody __VIRUS_WARNING268F /^(sender|from)\s*:.{1,50}/i
body __VIRUS_WARNING268G /contain(ed|s) (a|the) virus/
1632
1633 # This may catch some FP's - hence score low
1634 meta VIRUS_WARNING268H (__VIRUS_WARNING268C || __VIRUS_WARNING268D) && __VIRUS_WARNING268F && (__VIRUS_WARNING268X || __VIRUS_WARNING268G)
1635 describe VIRUS_WARNING268H Could be unhelpful 'virus warning' (268H)
1636 score VIRUS_WARNING268H 1
1637
1638
1639 # TJ
1640 rawbody VIRUS_WARNING269 /^This Email scanner intercepted it and stopped the entire message/
1641 describe VIRUS_WARNING269 Unhelpful 'virus warning' (269)
1642 score VIRUS_WARNING269 15
1643
1644 # NL
1645 header VIRUS_WARNING270 Subject =~ /^Trovato virus nel messaggio/
1646 describe VIRUS_WARNING270 Unhelpful 'virus warning' (270)
1647 score VIRUS_WARNING270 10
1648
1649 # NL
1650 rawbody VIRUS_WARNING271 /^Symantec AntiVirus ha trovato un virus in un allegato inviato/
1651 describe VIRUS_WARNING271 Unhelpful 'virus warning' (271)
1652 score VIRUS_WARNING271 5
1653
1654 # MR
1655 header VIRUS_WARNING272 Subject =~ /^Viruswarnung$/
1656 describe VIRUS_WARNING272 Unhelpful 'virus warning' (272)
1657 score VIRUS_WARNING272 10
1658
1659 # DJM
1660 header VIRUS_WARNING273 Subject =~ /^MailMonitor for Exchange has processed a suspicious mail$/
1661 describe VIRUS_WARNING273 Unhelpful MailMonitor/Exch 'virus warning' (273)
1662 score VIRUS_WARNING273 10
1663
1664 # TJ
1665 body VIRUS_WARNING274 /The email you have sent to (\S+) has the virus/
1666 describe VIRUS_WARNING274 Unhelpful MIMEsweeper 'virus warning' (274)
1667 score VIRUS_WARNING274 5
1668
1669 # TJ
1670 body VIRUS_WARNING275 /Scenarios\/Incoming/
1671 describe VIRUS_WARNING275 Unhelpful (MIMESweeper?) 'virus warning'? (275)
1672 score VIRUS_WARNING275 1
1673
1674 # TJ
1675 # MIMESweeper?
1676 body VIRUS_WARNING276 /Threat: '[^']{1,50}' detected by '[^']{1,50}'/
1677 describe VIRUS_WARNING276 Unhelpful MIMEsweeper 'virus warning'? (276)
1678 score VIRUS_WARNING276 1
1679
1680 # TJ
1681 body VIRUS_WARNING277 /A filename matching the file mask was detected: '[^']{1,50}'\./
1682 describe VIRUS_WARNING277 Unhelpful (MIMESweeper?) 'virus warning'? (277)
1683 score VIRUS_WARNING277 1
1684
1685 # TJ
1686 # Sophos/MIMEsweeper
1687 meta VIRUS_WARNING278 ((VIRUS_WARNING110 + VIRUS_WARNING274 + VIRUS_WARNING275 + VIRUS_WARNING276 + VIRUS_WARNING277) > 2)
1688 describe VIRUS_WARNING278 Unhelpful Sophos/MIMEswp 'virus warning'? (278)
1689 score VIRUS_WARNING278 5
1690
1691 # TJ
1692 # Another sadly misguided/out of date Exim user
1693 rawbody VIRUS_WARNING279 /^===== WARNING! WARNING! WARNING! - POSSIBLE VIRUS!/
1694 describe VIRUS_WARNING279 Unhelpful 'virus warning' (279)
1695 score VIRUS_WARNING279 20
1696
1697 # JT
1698 # eTrust Lotus Notes Domino
1699 header VIRUS_WARNING280 Subject =~ /^eTrust Antivirus Lotus Notes Domino Option detected virus!$/
1700 describe VIRUS_WARNING280 Unhelpful eTrust/Domino 'virus warning' (280)
1701 score VIRUS_WARNING280 20
1702
1703 # TJ
1704 rawbody VIRUS_WARNING281 /^The Ansbacher Email Gateway has stopped the following message:$/
1705 describe VIRUS_WARNING281 Unhelpful 'virus warning' (281)
1706 score VIRUS_WARNING281 20
1707
1708 # TJ
1709 rawbody VIRUS_WARNING282 /^Status: 550 .{1,50} Unacceptable attachment \(170\)./
1710 describe VIRUS_WARNING282 Unhelpful 'virus warning' (282)
1711 score VIRUS_WARNING282 10
1712
1713 # PSI
1714 header VIRUS_WARNING283 Subject =~ /^Symantec Mail Security detected that you sent a message containing prohibited content$/
1715 describe VIRUS_WARNING283 Unhelpful Symantec 'virus warning' (283)
1716 score VIRUS_WARNING283 20
1717
1718 # VD
1719 header VIRUS_WARNING284 Subject =~ /^Virus infection detected!!!$/
1720 describe VIRUS_WARNING284 Unhelpful 'virus warning' (284)
1721 score VIRUS_WARNING284 20
1722
1723 # AF
1724 header VIRUS_WARNING285 Subject =~ /^gefaehrlicher Anhang \(.{1,50}\) FROM YOUR E- MAIL ADDRESS$/
1725 describe VIRUS_WARNING285 Unhelpful 'virus warning' (285)
1726 score VIRUS_WARNING285 20
1727
1728 # TJ
1729 # Not null sender, or any other DSN indications
1730 header VIRUS_WARNING286 Subject =~ /^Warning - Virus detected in email$/
1731 describe VIRUS_WARNING286 Unhelpful 'virus warning' (286)
1732 score VIRUS_WARNING286 20
1733
1734 # TJ
1735 # Seen from postmaster@g-icap.com, no DSN indications
1736 rawbody VIRUS_WARNING287 /^This message has been blocked because it contains a virus\./
1737 describe VIRUS_WARNING287 Unhelpful 'virus warning' (287)
1738 score VIRUS_WARNING287 20
1739
1740 # HD
1741 header VIRUS_WARNING288 Subject =~ /-- Email Scanner Report \[\d+\]$/
1742 describe VIRUS_WARNING288 Looks like unhelpful 'virus warning' (288)
1743 score VIRUS_WARNING288 5
1744
1745 # HD
1746 rawbody VIRUS_WARNING289 /^Your email to <[^>]{1,50}> was blocked by our email scanning system!$/
1747 describe VIRUS_WARNING289 Unhelpful 'virus warning' (289)
1748 score VIRUS_WARNING289 20
1749
1750 # PSI
1751 # No DSN indications
1752 header VIRUS_WARNING290 X-Originator =~ /^MailScan$/
1753 describe VIRUS_WARNING290 Unhelpful MailScan 'virus warning' (290)
1754 score VIRUS_WARNING290 5
1755
1756 # PSI
1757 # See also 290
1758 header VIRUS_WARNING291 Subject =~ /^Virus Warning from MailScan to Mail-Sender!$/
1759 describe VIRUS_WARNING291 Unhelpful MailScan 'virus warning' (291)
1760 score VIRUS_WARNING291 20
1761
1762 # TJ
1763 # DSN: Null, CT, !Attach
1764 # This rule MUST check for DSN; InterScan sometimes adds this junk to
1765 # non-infected mails
1766 rawbody __VIRUS_WARNING292 /^\*+\s*Message from InterScan E-Mail VirusWall NT\s*\*+$/
1767 meta VIRUS_WARNING292 __REPORT_DSN && __VIRUS_WARNING292
1768 describe VIRUS_WARNING292 Unhelpful InterScan 'virus warning' (292)
1769 score VIRUS_WARNING292 20
1770
1771 # TJ
1772 # DSN: No DSN indications
1773 # Seen from MAILsweeper@Dyson.com
1774 header VIRUS_WARNING293 Subject =~ /^Warning Possible Virus Alert !!!$/
1775 describe VIRUS_WARNING293 Unhelpful MAILsweeper 'virus warning' (293)
1776 score VIRUS_WARNING293 20
1777
1778 # TJ
1779 # DSN: Null, CT, !Attach
1780 rawbody VIRUS_WARNING294 /^The attachment to your E-mail has been disabled by the SonicWALL Virus Filter\./
1781 describe VIRUS_WARNING294 Unhelpful SonicWALL 'virus warning' (294)
1782 score VIRUS_WARNING294 20
1783
1784 # AF
1785 # DSN: None
1786 rawbody VIRUS_WARNING295 /^A message filter removed the following attachment\(s\) from this message: .{1,50}/
1787 describe VIRUS_WARNING295 Unhelpful 'virus warning' (295)
1788 score VIRUS_WARNING295 10
1789
1790 # AF
1791 # DSN: Null
1792 # Custom message from some particularly clue-impaired people at iucindore.ernet.in
1793 rawbody VIRUS_WARNING296 /^Viruswall at IUC server has scaned the mail\.$/
1794 describe VIRUS_WARNING296 Unhelpful 'virus warning' (296)
1795 score VIRUS_WARNING296 20
1796
1797 # AF
1798 # DSN: Null, but could potentially vary as we're trying to catch instances
1799 # where someone scans the mail but bounces the infected version
1800 rawbody VIRUS_WARNING297 /^X-AMaViS-Alert: INFECTED, message contains virus:/
1801 describe VIRUS_WARNING297 Unhelpful 'virus warning' (297)
1802 score VIRUS_WARNING297 20
1803
1804 # TJ
1805 header VIRUS_WARNING298 Subject =~ /^\[Magic OnLine\] Suppression du Virus/
1806 describe VIRUS_WARNING298 Unhelpful Magic OnLine 'virus warning' (298)
1807 score VIRUS_WARNING298 20
1808
1809 # PB
1810 # See also 19
1811 rawbody VIRUS_WARNING299 /^Recipient of the infected attachment:/
1812 describe VIRUS_WARNING299 Unhelpful Norton Antivirus 'virus warning' (299)
1813 score VIRUS_WARNING299 5
1814
1815 # AF
1816 # This should be caught by other MailScanner rules, but is here in case
1817 # they fail (e.g. bounced bounce etc.)
1818 rawbody VIRUS_WARNING300 /^Warning: Please read the "VirusWarning\.txt" attachment\(s\) for more information\.$/
1819 describe VIRUS_WARNING300 Unhelpful MailScanner 'virus warning' (300)
1820 score VIRUS_WARNING300 20
1821
1822 # HD
1823 #Trend Micro GateLock
1824 header VIRUS_WARNING301 Subject =~ /^GateLock (Virus Notification|Viren-Benachrichtigung)\.$/
1825 describe VIRUS_WARNING301 Unhelpful GateLock 'virus warning' (301)
1826 score VIRUS_WARNING301 20
1827
1828 # DP
1829 header VIRUS_WARNING302 Subject =~ /^NOTICE - Rejected atta?chment$/
1830 describe VIRUS_WARNING302 Unhelpful Watchdog 'virus warning' (302)
1831 score VIRUS_WARNING302 20
1832
1833 # TJ
1834 # DSN: Null
1835 # Seen with "Creative Labs corporate" in place of .{1,50}; not sure if a customised
1836 # message or not
1837 # MessageSoft StormMail
1838 header VIRUS_WARNING303 Subject =~ /^The .{1,50} email system has detected a banned or restricted attachment in your mail\./
1839 describe VIRUS_WARNING303 Unhelpful StormMail 'virus warning' (303)
1840 score VIRUS_WARNING303 20
1841
1842 # TJ
1843 # see also 303
1844 # MessageSoft StormMail
1845 header VIRUS_WARNING304 X-Mailer =~ /^MessageSoft StormMail$/
1846 describe VIRUS_WARNING304 Unhelpful StormMail 'virus warning'? (304)
1847 score VIRUS_WARNING304 5
1848
1849 # HD
1850 rawbody VIRUS_WARNING305 /^A potentially dangerous document attachment not complying with our IT Security policy has been detected/
1851 describe VIRUS_WARNING305 Unhelpful 'virus warning' (305)
1852 score VIRUS_WARNING305 10
1853
1854 # MK
1855 header VIRUS_WARNING306 Subject =~ /^VIRUS WARNING( :)?$/
1856 describe VIRUS_WARNING306 Unhelpful 'virus warning' (306)
1857 score VIRUS_WARNING306 20
1858
1859 # MK/JT
1860 header VIRUS_WARNING307 Subject =~ /^Virus Found\.?$/i
1861 describe VIRUS_WARNING307 Unhelpful 'virus warning' (307)
1862 score VIRUS_WARNING307 20
1863
1864 # MK
1865 header VIRUS_WARNING308 Subject =~ /^AVAST ALERT$/
1866 describe VIRUS_WARNING308 Unhelpful Avast/Exch 'virus warning' (308)
1867 score VIRUS_WARNING308 20
1868
1869 # MK
1870 # Seen with 308
1871 rawbody VIRUS_WARNING309 /^You sent an infected message!$/
1872 describe VIRUS_WARNING309 Unhelpful Avast/Exch 'virus warning' (309)
1873 score VIRUS_WARNING309 5
1874
1875 # MK
1876 header VIRUS_WARNING310 Subject =~ /^Atención: Virus detectado en e-mail$/
1877 describe VIRUS_WARNING310 Unhelpful 'virus warning' (310)
1878 score VIRUS_WARNING310 20
1879
1880 # MK
1881 header VIRUS_WARNING311 Subject =~ /^Virus detected in:/
1882 describe VIRUS_WARNING311 Unhelpful 'virus warning' (311)
1883 score VIRUS_WARNING311 10
1884
1885 # MK/TJ
1886 header VIRUS_WARNING312 Subject =~ /^\[GWAVA:[a-z0-9]+\] (Attachment block|Virus detect) message notification$/
1887 describe VIRUS_WARNING312 Unhelpful Novell GroupWise 'virus warning' (312)
1888 score VIRUS_WARNING312 20
1889
1890 # MK/JT
1891 rawbody VIRUS_WARNING313 /^\*+ (eManager|Content Filter) Notification \*+$/
1892 describe VIRUS_WARNING313 Unhelpful eManager 'virus warning' (313)
1893 score VIRUS_WARNING313 20
1894
1895 # MK
1896 rawbody VIRUS_WARNING314 /^Rejected by Kingsoft-EYOU Antivirus Gateway for the following reason:$/
1897 describe VIRUS_WARNING314 Unhelpful Kingsoft 'virus warning' (314)
1898 score VIRUS_WARNING314 20
1899
1900 # MK
1901 header VIRUS_WARNING315 Subject =~ /^Message Blocked /
1902 describe VIRUS_WARNING315 Could be an unhelpful 'virus warning' (315)
1903 score VIRUS_WARNING315 3
1904
1905 # MK
1906 header VIRUS_WARNING316 Subject =~ /^\s*File was infected with a virus$/
1907 describe VIRUS_WARNING316 Unhelpful 'virus warning' (316)
1908 score VIRUS_WARNING316 20
1909
1910 # MK
1911 header VIRUS_WARNING317 Subject =~ /^\*\*\* You have sent a virus !$/
1912 describe VIRUS_WARNING317 Unhelpful 'virus warning' (317)
1913 score VIRUS_WARNING317 20
1914
1915 # MK
1916 rawbody VIRUS_WARNING318 /^WARNING - Virus detected in message:$/
1917 describe VIRUS_WARNING318 Unhelpful 'virus warning' (318)
1918 score VIRUS_WARNING318 20
1919
1920 # TJ
1921 rawbody VIRUS_WARNING319 /^Requested action not taken: virus detected$/
1922 describe VIRUS_WARNING319 Unhelpful 'virus warning' (319)
1923 score VIRUS_WARNING319 20
1924
1925 # PSI
1926 # DSN: Null
1927 rawbody VIRUS_WARNING320 /^This following attachments is removed by TBS Virus Scan/
1928 describe VIRUS_WARNING320 Unhelpful TBS Virus Scan 'virus warning' (320)
1929 score VIRUS_WARNING320 20
1930
1931 # PSI
1932 # See also 320
1933 # DSN: Null
1934 header VIRUS_WARNING321 Subject =~ /^NOTICE - Attachments removed$/
1935 describe VIRUS_WARNING321 Unhelpful TBS Virus Scan 'virus warning' (321)
1936 score VIRUS_WARNING321 10
1937
1938 # MK
1939 header VIRUS_WARNING322A Subject =~ /\(Blocked attachment\)$/
1940 describe VIRUS_WARNING322A Looks like unhelpful XWall 'virus warning' (322A)
1941 score VIRUS_WARNING322A 2
1942
1943 header __VIRUS_WARNING322B X-Mailer =~ /^XWall v/
1944
1945 meta VIRUS_WARNING322 VIRUS_WARNING322A && __VIRUS_WARNING322B
1946 describe VIRUS_WARNING322 Unhelpful XWall 'virus warning' (322)
1947 score VIRUS_WARNING322 20
1948
1949 # AF
1950 # Also seen bounced, see 324
1951 header VIRUS_WARNING323 Subject =~ /^\[VIRUS FOUND AND REMOVED\]/
1952 describe VIRUS_WARNING323 Unhelpful 'virus warning' (323)
1953 score VIRUS_WARNING323 10
1954
1955 # AF
1956 rawbody __VIRUS_WARNING324 /^Subject: \[VIRUS FOUND AND REMOVED\]/
1957 meta VIRUS_WARNING324 __VIRUS_WARNING324 && __REPORT_DSN
1958 describe VIRUS_WARNING324 Unhelpful 'virus warning' (324)
1959 score VIRUS_WARNING324 10
1960
1961 # AF
1962 # DSN: Null, CT
1963 rawbody VIRUS_WARNING325 /^\s*Reason: Virus \S+ is detected!$/
1964 describe VIRUS_WARNING325 Unhelpful 'virus warning' (325)
1965 score VIRUS_WARNING325 20
1966
1967 # AF/TJ
1968 full VIRUS_WARNING326 /Content-type: text\/plain; Name=VirusAlert\.txt/
1969 describe VIRUS_WARNING326 Unhelpful MailScanner 'virus warning'? (326)
1970 score VIRUS_WARNING326 3
1971
1972 # AF
1973 # DSN: Anyone's guess. Has been seen forging the victim as RP etc.
1974 # TJ: There has got to be a better way of doing "multiline text anchored
1975 # to start of a line" than this...if anyone knows please tell me!
1976 body __VIRUS_WARNING327A /An attachment named \S+ was removed from this document as it constituted a security hazard\./
1977 rawbody __VIRUS_WARNING327B /^An attachment named \S+ was removed from this document as it$/
1978 meta VIRUS_WARNING327 __VIRUS_WARNING327A && __VIRUS_WARNING327B
1979 describe VIRUS_WARNING327 Unhelpful MIMEDefang 'virus warning' (327)
1980 score VIRUS_WARNING327 10
1981
1982 # TJ
1983 # DSN: Null
1984 header VIRUS_WARNING328 Subject =~ /^VIRUS REJECT$/
1985 describe VIRUS_WARNING328 Unhelpful 'virus warning' (328)
1986 score VIRUS_WARNING328 20
1987
1988 # AS
1989 header VIRUS_WARNING329 Subject =~ /^BitDefender found an infected object$/
1990 describe VIRUS_WARNING329 Unhelpful 'virus warning' (329)
1991 score VIRUS_WARNING329 20
1992
1993 # TJ
1994 # DSN: None
1995 body VIRUS_WARNING330 /the message with following attributes has not been delivered, because it contains infected object\(s\)./
1996 describe VIRUS_WARNING330 Unhelpful 'virus warning' (330)
1997 score VIRUS_WARNING330 10
1998
1999 # TJ
2000 body VIRUS_WARNING331 /A message sent from, or apparently sent from, your email address, failed due to the presence of files frequently used to transmit viruses \(\.scr\/\.zip\/\.bat\/\.com\/\.exe\)\./
2001 describe VIRUS_WARNING331 Unhelpful 'virus warning' (331)
2002 score VIRUS_WARNING331 15
2003
2004 # AF
2005 # DSN: None
2006 header VIRUS_WARNING332 Subject =~ /^\[Computer Cops\] Infected Email Found$/
2007 describe VIRUS_WARNING332 Unhelpful 'virus warning' (332)
2008 score VIRUS_WARNING332 20
2009
2010 # AF
2011 rawbody VIRUS_WARNING333 /^\*+ UNSAFE FILE IS REJECTED! \*+$/
2012 describe VIRUS_WARNING333 Unhelpful 'virus warning' (333)
2013 score VIRUS_WARNING333 20
2014
2015 # AF
2016 rawbody VIRUS_WARNING334 /^\s*Reason: This email is rejected because an unsafe file is found:/
2017 describe VIRUS_WARNING334 Unhelpful 'virus warning' (334)
2018 score VIRUS_WARNING334 10
2019
2020 # TJ
2021 # Custom? From Uni. of Sydney
2022 # DSN: Null, CT
2023 rawbody VIRUS_WARNING335 /^\# The following files were found to be malicious and removed:$/
2024 describe VIRUS_WARNING335 Unhelpful 'virus warning' (335)
2025 score VIRUS_WARNING335 20
2026
2027 # AF
2028 rawbody VIRUS_WARNING336 /^the message contains virus/
2029 describe VIRUS_WARNING336 Could be unhelpful KAV 'virus warning' (336)
2030 score VIRUS_WARNING336 1
2031
2032 # AF
2033 rawbody VIRUS_WARNING337 /^\s*The message contains file attachments that are not permitted\.\s*$/
2034 describe VIRUS_WARNING337 Unhelpful Guinevere AV 'virus warning' (337)
2035 score VIRUS_WARNING337 10
2036
2037 # TJ
2038 # Could be custom message - seen from postmaster@disney.com
2039 # DSN: Null
2040 header VIRUS_WARNING338 Subject =~ /^Warning: Message Not Delivered - Attachment Restriction$/
2041 describe VIRUS_WARNING338 Unhelpful 'virus warning' (338)
2042 score VIRUS_WARNING338 20
2043
2044 # TJ
2045 # DSN: Null, CT, !Attach
2046 rawbody VIRUS_WARNING339 /^Warning: Please read the "ISSWarning\.txt" attachment\(s\) for more information\.$/
2047 describe VIRUS_WARNING339 Unhelpful MailScanner 'virus warning' (339)
2048 score VIRUS_WARNING339 20
2049
2050 # TJ
2051 rawbody VIRUS_WARNING340 /^Warning: This message has had one or more attachments removed$/
2052 describe VIRUS_WARNING340 Unhelpful MailScanner 'virus warning' (340)
2053 score VIRUS_WARNING340 10
2054
2055 # TJ/TV
2056 header VIRUS_WARNING341 Subject =~ /^eTrust Antivirus Gateway (SMTP|POP3): Virus notification message$/
2057 describe VIRUS_WARNING341 Unhelpful eTrust 'virus warning' (341)
2058 score VIRUS_WARNING341 20
2059
2060 # TJ
2061 header VIRUS_WARNING342 Subject =~ /^AUTOMATED EMAIL BLOCK: VIRUS$/
2062 describe VIRUS_WARNING342 Unhelpful 'virus warning' (342)
2063 score VIRUS_WARNING342 20
2064
2065 # TJ
2066 # Hopefully this should really kill all the variations of VirusWall/eManager junk
2067 header VIRUS_WARNING343 InterScan-Notification =~ /^yes$/
2068 describe VIRUS_WARNING343 Unhelpful InterScan 'virus warning' (343)
2069 score VIRUS_WARNING343 20
2070
2071 # TJ
2072 # seen as VIRUS (foobar) EM SUA MENSAGEM
2073 # DSN: Null, CT
2074 header VIRUS_WARNING344 Subject =~ /^VIRUS.{0,99} EM SUA MENSAGEM$/
2075 describe VIRUS_WARNING344 Unhelpful 'virus warning' (344)
2076 score VIRUS_WARNING344 20
2077
2078 # AF
2079 body VIRUS_WARNING345 /(This message contained attachments that have been blocked by Guinevere|This is an automatic message from the Guinevere Internet Antivirus Scanner)\./
2080 describe VIRUS_WARNING345 Unhelpful Guinevere 'virus warning' (345)
2081 score VIRUS_WARNING345 5
2082
2083 rawbody VIRUS_WARNING345A /^\s*The message (apparently|probably) contains a virus\.\s*$/
2084 describe VIRUS_WARNING345A Unhelpful Guinevere 'virus warning'? (345A)
2085 score VIRUS_WARNING345A 2
2086
2087 meta VIRUS_WARNING345B VIRUS_WARNING345 && VIRUS_WARNING345A
2088 describe VIRUS_WARNING345B Unhelpful Guinevere 'virus warning' (345B)
2089 score VIRUS_WARNING345B 10
2090
2091 # AF
2092 # Guinevere crap again
2093 rawbody VIRUS_WARNING346 /^\w+\s+attachment type\(s\) blocked\s*$/
2094 describe VIRUS_WARNING346 Unhelpful Guinevere 'virus warning' (346)
2095 score VIRUS_WARNING346 5
2096
2097 # AF
2098 rawbody VIRUS_WARNING347 /^KAV for MS Exchange Report on detecting virus in the following message:$/
2099 describe VIRUS_WARNING347 Unhelpful KAV 'virus warning' (347)
2100 score VIRUS_WARNING347 10
2101
2102 # AF
2103 header VIRUS_WARNING348 Subject =~ /Report Message from KAV for MS Exchange Server/
2104 describe VIRUS_WARNING348 Unhelpful KAV 'virus warning'? (348)
2105 score VIRUS_WARNING348 3
2106
2107 # TJ
2108 # DSN: none, modified message
2109 full VIRUS_WARNING349 /filename="Panda_Alert\.txt"/
2110 describe VIRUS_WARNING349 Unhelpful Panda Antivirus 'virus warning' (349)
2111 score VIRUS_WARNING349 10
2112
2113 # TJ
2114 # DSN: none, modified message
2115 rawbody VIRUS_WARNING350 /^Panda Antivirus has found a virus in:/
2116 describe VIRUS_WARNING350 Unhelpful Panda Antivirus 'virus warning' (350)
2117 score VIRUS_WARNING350 10
2118
2119 # TJ
2120 # DSN: unknown
2121 rawbody VIRUS_WARNING351 /^Message from SENDER was quarantined because it contained banned$/
2122 describe VIRUS_WARNING351 Unhelpful 'virus warning' (351)
2123 score VIRUS_WARNING351 20
2124
2125 # AF
2126 # DSN: None
2127 rawbody VIRUS_WARNING352 /^This Mail has a Virus and has been blocked!$/
2128 describe VIRUS_WARNING352 Unhelpful 'virus warning' (352)
2129 score VIRUS_WARNING352 20
2130
2131 # TJ
2132 # DSN: Null, CT
2133 # This regex is extraordinarily sensitive for some reason (surely "\s+.{1,50}\s+"
2134 # should be the same as "[^"]{1,50}" ? Apparently not!); handle with care!
2135 full VIRUS_WARNING353 /Your message was not delivered to the following recipients:\s*.{1,50}\s*:\s*Email rejected\s+because the attachment\s+.{1,50}\s+could contain a virus\./m
2136 describe VIRUS_WARNING353 Unhelpful 'virus warning' (353)
2137 score VIRUS_WARNING353 20
2138
2139 # PSI
2140 # DSN: None
2141 rawbody __VIRUS_WARNING354A /\s*The email contained the virus: .{0,99}$/
2142 header __VIRUS_WARNING354B X-Nmp-Notice-Type =~ /^A message from you was blocked/
2143 meta VIRUS_WARNING354 __VIRUS_WARNING354A && __VIRUS_WARNING354B
2144 describe VIRUS_WARNING354 Unhelpful 'virus warning' (354)
2145 score VIRUS_WARNING354 20
2146
2147 # GD/JT
2148 # DSN: None
2149 # TJ: This is sometimes sent in HTML, so cannot assert the body text
2150 header __VIRUS_WARNING355A Subject =~ /^Report to Sender$/
2151 body __VIRUS_WARNING355B /Incident Information:-/
2152 body __VIRUS_WARNING355C /infected with the \S+ virus and was/
2153 meta VIRUS_WARNING355 __VIRUS_WARNING355A && __VIRUS_WARNING355B && __VIRUS_WARNING355C
2154 describe VIRUS_WARNING355 Unhelpful Lotus Notes 'virus warning' (355)
2155 score VIRUS_WARNING355 20
2156
2157 # HD
2158 # DSN: None
2159 rawbody VIRUS_WARNING356 /^A mail message with subject "[^"]{1,50}" has been found to contain a virus!$/
2160 describe VIRUS_WARNING356 Unhelpful 'virus warning' (356)
2161 score VIRUS_WARNING356 20
2162
2163 # AF
2164 # DSN: Null, CT
2165 header VIRUS_WARNING357 Subject =~ /^\*\*Message you sent blocked by our bulk email filter\*\*$/
2166 describe VIRUS_WARNING357 Unhelpful 'virus warning' (357)
2167 score VIRUS_WARNING357 20
2168
2169 # TJ
2170 # DSN: Null
2171 rawbody VIRUS_WARNING358 /^The above email was not delivered to the intended recipient as it was found to contain a virus\. The details of the message are as follows:$/
2172 describe VIRUS_WARNING358 Unhelpful 'virus warning' (358)
2173 score VIRUS_WARNING358 20
2174
2175 # AF
2176 # DSN: None
2177 header __VIRUS_WARNING359A Subject =~ /^VIRUS POSLAN SA VASE ADRESE/
2178 rawbody __VIRUS_WARNING359B /^UPOZORENJE O VIRUSIMA!$/
2179 meta VIRUS_WARNING359 __VIRUS_WARNING359A || __VIRUS_WARNING359B
2180 describe VIRUS_WARNING359 Unhelpful 'virus warning' (359)
2181 score VIRUS_WARNING359 20
2182
2183 # HD
2184 header VIRUS_WARNING360 Subject =~ /^virus in outgoing mail$/
2185 describe VIRUS_WARNING360 Unhelpful 'virus warning' (360)
2186 score VIRUS_WARNING360 20
2187
2188 # JT
2189 # DSN: Null, CT
2190 rawbody VIRUS_WARNING361 /^WARNING -- A POSSIBLE VIRUS WAS DETECTED IN THIS MAIL MESSAGE$/
2191 describe VIRUS_WARNING361 Unhelpful 'virus warning' (361)
2192 score VIRUS_WARNING361 20
2193
2194 # MB
2195 body VIRUS_WARNING362 /\bThe mail you have sent to one of our users is infected by a virus\b/
2196 describe VIRUS_WARNING362 Unhelpful 'virus warning' (362)
2197 score VIRUS_WARNING362 20
2198
2199 # TJ
2200 header VIRUS_WARNING363 Subject =~ /^Warning: Virus found by AVAS Anti-Virus module$/
2201 describe VIRUS_WARNING363 Unhelpful AVAS 'virus warning' (363)
2202 score VIRUS_WARNING363 20
2203
2204 # TJ
2205 # see http://www.antespam.co.uk/, run by David Pinnegar; further information at:
2206 # http://www.antespam.co.uk/how-we-filter-spam/
2207 # http://www.info-team.co.uk/david.pinnegar/
2208 # http://www.hammerwood.mistral.co.uk/compdoc.htm
2209 # http://www.info-world.com/spam.diagnosis/
2210 # http://www.info-team.co.uk/spam-stopper.php
2211 # Although acknowledging that they arise, David asserts that BVAs from his
2212 # systems are not sent out as a "blanket" response to viruses.
2213 #
2214 # This rule is therefore commented out by default for now.
2215 # Make your own decision about whether to enable it or not; you can contact
2216 # David via the above site to discuss his policies.
2217 #rawbody VIRUS_WARNING364 /^www.antespam.co.uk has intercepted a message from your address:-$/
2218 #describe VIRUS_WARNING364 Unhelpful 'virus warning' (364)
2219 #score VIRUS_WARNING364 20
2220
2221 # AF/TJ
2222 full __VIRUS_WARNING365 /Content-Disposition: attachment;\s*filename=\"DELETED0\.TXT\"/m
2223 meta VIRUS_WARNING365 __REPORT_DSN && __VIRUS_WARNING365
2224 describe VIRUS_WARNING365 Unhelpful 'virus warning' (365)
2225 score VIRUS_WARNING365 20
2226
2227 # TJ
2228 full __VIRUS_WARNING366 /Content-Disposition: attachment;\s*filename=\"AV_nocleanMsg\.txt\"/m
2229 meta VIRUS_WARNING366 __REPORT_DSN && __VIRUS_WARNING366
2230 describe VIRUS_WARNING366 Unhelpful 'virus warning' (366)
2231 score VIRUS_WARNING366 20
2232
2233 # JT
2234 # DSN: Null, CT
2235 rawbody __VIRUS_WARNING367 /^554 5\.7\.1 Virus \S+ found in mail - rejected$/
2236 meta VIRUS_WARNING367 __REPORT_DSN && __VIRUS_WARNING367
2237 describe VIRUS_WARNING367 Unhelpful 'virus warning' (367)
2238 score VIRUS_WARNING367 20
2239
2240 # AF
2241 # DSN: Null, CT
2242 rawbody VIRUS_WARNING368 /^\[Attachment denied by WatchGuard SMTP proxy/
2243 describe VIRUS_WARNING368 Unhelpful 'virus warning' (368)
2244 score VIRUS_WARNING368 20
2245
2246 # TJ
2247 # DSN: Null
2248 header VIRUS_WARNING369 Subject =~ /^Warning: E-mail virus detected$/
2249 describe VIRUS_WARNING369 Unhelpful 'virus warning' (369)
2250 score VIRUS_WARNING369 20
2251
2252 # AF
2253 # DSN: Null
2254 header VIRUS_WARNING370 X-Mailer =~ /^ProScan Mail scanner$/
2255 describe VIRUS_WARNING370 Unhelpful ProScan 'virus warning' (370)
2256 score VIRUS_WARNING370 20
2257
2258 # AF
2259 # DSN: Null
2260 # See also 370 - goes alongside it
2261 rawbody VIRUS_WARNING371 /^\s*The file attached to following mail is infected with virus\.$/
2262 describe VIRUS_WARNING371 Unhelpful 'virus warning' (371)
2263 score VIRUS_WARNING371 20
2264
2265 # AF
2266 # DSN: Null, CT
2267 # This is for bounced collateral munged by a scanner
2268 rawbody VIRUS_WARNING372 /Subject: \[PMX:suspect attachment\]/
2269 describe VIRUS_WARNING372 Unhelpful 'virus warning' (372)
2270 score VIRUS_WARNING372 20
2271
2272 # PB
2273 rawbody VIRUS_WARNING373 /^Il contenait un fichier attache non autoris/
2274 describe VIRUS_WARNING373 Unhelpful 'virus warning' (373)
2275 score VIRUS_WARNING373 20
2276
2277 # PB
2278 rawbody VIRUS_WARNING374 /^Our SPAM\/CONTENT filter has rejected your message/
2279 describe VIRUS_WARNING374 Unhelpful 'virus warning' (374)
2280 score VIRUS_WARNING374 20
2281
2282 # AF
2283 # DSN: None
2284 rawbody VIRUS_WARNING375 /^\s*AAPT Anti Virus has detected a virus contained in this email attachment/
2285 describe VIRUS_WARNING375 Unhelpful 'virus warning' (375)
2286 score VIRUS_WARNING375 20
2287
2288 # TJ
2289 # DSN: Null
2290 # It's a shame some of the largest e-mail providers in the world
2291 # (Yahoo in this case) are such idiots and hypocrites (wrt "anti-spam")
2292 body VIRUS_WARNING376 /554 5\.7\.1 Message cannot be accepted, virus found/
2293 describe VIRUS_WARNING376 Unhelpful 'virus warning' (376)
2294 score VIRUS_WARNING376 20
2295
2296 # AF
2297 # DSN: Null, CT
2298 header VIRUS_WARNING377 Subject =~ /^ALERTE VIRUS !$/
2299 describe VIRUS_WARNING377 Unhelpful 'virus warning' (377)
2300 score VIRUS_WARNING377 20
2301
2302 # TJ
2303 # DSN: Null
2304 rawbody VIRUS_WARNING378 /^Attachment has been removed due to the presence of the following virus:$/
2305 describe VIRUS_WARNING378 Unhelpful 'virus warning' (378)
2306 score VIRUS_WARNING378 20
2307
2308 # TJ
2309 # as seen in 378
2310 full VIRUS_WARNING379 /filename="ReplText6\.txt"/
2311 describe VIRUS_WARNING379 Could be unhelpful 'virus warning' (379)
2312 score VIRUS_WARNING379 0.8
2313
2314 # RP
2315 rawbody VIRUS_WARNING380 /^This message was rejected due to a possible virus\.$/
2316 describe VIRUS_WARNING380 Unhelpful 'virus warning' (380)
2317 score VIRUS_WARNING380 20
2318
2319 # PSI
2320 # DSN: Null
2321 rawbody VIRUS_WARNING381 /^Sender Note - Inbound Virus Found$/
2322 describe VIRUS_WARNING381 Unhelpful 'virus warning' (381)
2323 score VIRUS_WARNING381 20
2324
2325 # TJ
2326 # DSN: None
2327 body VIRUS_WARNING382 /it contains an attachment that does not conform to the HMV Email Policy/
2328 describe VIRUS_WARNING382 Unhelpful HMV 'virus warning' (382)
2329 score VIRUS_WARNING382 20
2330
2331 # TJ
2332 # DSN: Null
2333 header VIRUS_WARNING383 Subject =~ /^Unfortunately your message was blocked as a possible Virus was detected\.$/
2334 describe VIRUS_WARNING383 Unhelpful 'virus warning' (383)
2335 score VIRUS_WARNING383 20
2336
2337 # MB
2338 # DSN: Null
2339 header VIRUS_WARNING384 Subject =~ /^Virus trovato in un messaggio inviato/
2340 describe VIRUS_WARNING384 Unhelpful 'virus warning' (384)
2341 score VIRUS_WARNING384 20
2342
2343 # MB
2344 # DSN: Null
2345 header VIRUS_WARNING385 Subject =~ /^ACHTUNG! Sie haben eine mit einem Virus infizierte Mail verschickt\.$/
2346 describe VIRUS_WARNING385 Unhelpful 'virus warning' (385)
2347 score VIRUS_WARNING385 20
2348
2349 # AF
2350 rawbody VIRUS_WARNING386 /^The following message attachments were flagged by the antivirus scanner:$/
2351 describe VIRUS_WARNING386 Unhelpful Mirapoint 'virus warning' (386)
2352 score VIRUS_WARNING386 20
2353
2354 # AF
2355 # DSN: none
2356 # Seen from postmaster@fife.gov.uk
2357 # They even KNOW that virus spew is forged, but still send you the junk anyway...
2358 # surely incriminating themselves!
2359 rawbody VIRUS_WARNING387 /^has not been delivered as a virus has been detected. This e-mail may not have originated from you/
2360 describe VIRUS_WARNING387 Unhelpful 'virus warning' (387)
2361 score VIRUS_WARNING387 20
2362
2363 # AF
2364 # DSN: none
2365 header VIRUS_WARNING388 Subject =~ /^Virus Alert -/
2366 describe VIRUS_WARNING388 Unhelpful 'virus warning' (388)
2367 score VIRUS_WARNING388 10
2368
2369 # TJ
2370 # DSN: none
2371 # seen from administrator@shgroup.org.uk
2372 rawbody VIRUS_WARNING389 /^A message with Subject: \S+ contains a virus and has been quarantined\.$/
2373 describe VIRUS_WARNING389 Unhelpful 'virus warning' (389)
2374 score VIRUS_WARNING389 20
2375
2376 # TJ/JT
2377 # DSN: varies, this is a general rule
2378 # see also 179
2379 header VIRUS_WARNING390 Subject =~ /^VIRUS ALERT:/
2380 describe VIRUS_WARNING390 Unhelpful 'virus warning' (390)
2381 score VIRUS_WARNING390 20
2382
2383 # JT
2384 # DSN: None
2385 # usually caught also by 390
2386 header VIRUS_WARNING391 X-Mailer =~ /^OdeiaVir/
2387 describe VIRUS_WARNING391 Unhelpful OdeiaVir 'virus warning' (391)
2388 score VIRUS_WARNING391 20
2389
2390 # AF
2391 # DSN: null
2392 header VIRUS_WARNING392 Subject =~ /^Suppression de fichier due a un virusMail Delivery/
2393 describe VIRUS_WARNING392 Unhelpful 'virus warning' (392)
2394 score VIRUS_WARNING392 20
2395
2396 # AF
2397 # DSN: null
2398 body VIRUS_WARNING393 /The Attachment \S+ is replaced by this message because it contained a virus:/
2399 describe VIRUS_WARNING393 Unhelpful 'virus warning' (393)
2400 score VIRUS_WARNING393 20
2401
2402 # JT
2403 # DSN: !Attach
2404 body VIRUS_WARNING394 /A virus \(\S+\) was detected in the file \(.{1,50}\)\. Action taken\s*= remove/
2405 describe VIRUS_WARNING394 Unhelpful 'virus warning' (394)
2406 score VIRUS_WARNING394 20
2407
2408 # AF
2409 header VIRUS_WARNING395 Received =~ /from MailMarshal/
2410 describe VIRUS_WARNING395 MailMarshal bogus 'virus warning'? (395)
2411 score VIRUS_WARNING395 3
2412
2413 # AF
2414 header VIRUS_WARNING396 Subject =~ /^McAfee detected a virus in a document sent to you\.$/
2415 describe VIRUS_WARNING396 Unhelpful McAfee 'virus warning' (396)
2416 score VIRUS_WARNING396 20
2417
2418 # HPK
2419 # DSN: none
2420 body VIRUS_WARNING397 /A virus was found in a message sent by this account\./
2421 describe VIRUS_WARNING397 Unhelpful 'virus warning' (397)
2422 score VIRUS_WARNING397 8
2423
2424 # HPK
2425 # see also 397
2426 rawbody VIRUS_WARNING398 /^Result: Virus Detected$/
2427 describe VIRUS_WARNING398 Unhelpful 'virus warning' (398)
2428 score VIRUS_WARNING398 5
2429
2430 # AF
2431 # DSN: none
2432 # matches 400 too
2433 body VIRUS_WARNING399 /The file attached to this email was removed because it is infected with the (\S+) virus\./
2434 describe VIRUS_WARNING399 Unhelpful 'virus warning' (399)
2435 score VIRUS_WARNING399 20
2436
2437 # AF
2438 # General
2439 rawbody VIRUS_WARNING400 /^\s*name="DELETED0.TXT"$/
2440 describe VIRUS_WARNING400 Looks like unhelpful 'virus warning' (400)
2441 score VIRUS_WARNING400 5
2442
2443 # AF/TV
2444 # DSN: none
2445 header VIRUS_WARNING401 Subject =~ /^\[VIRUS\??\]/i
2446 describe VIRUS_WARNING401 Unhelpful 'virus warning' (401)
2447 score VIRUS_WARNING401 10
2448
2449
2450 # HPK
2451 # DSN: CT
2452 # the next two come together
2453 rawbody VIRUS_WARNING402A /^Virus scanner reported virus infection for/
2454 describe VIRUS_WARNING402A Looks like unhelpful 'virus warning' (402A)
2455 score VIRUS_WARNING402A 5
2456
2457 rawbody VIRUS_WARNING402B /^Reason: Virus infection$/
2458 describe VIRUS_WARNING402B Looks like unhelpful 'virus warning' (402B)
2459 score VIRUS_WARNING402B 5
2460
2461 meta VIRUS_WARNING402C VIRUS_WARNING402A && VIRUS_WARNING402B
2462 describe VIRUS_WARNING402C Looks a lot like unhelpful 'virus warning' (402C)
2463 score VIRUS_WARNING402C 10
2464
2465
2466 # JT
2467 # DSN: null,CT
2468 header VIRUS_WARNING403 Subject =~ /^Returned mail: Possible Virus Infection$/
2469 describe VIRUS_WARNING403 Unhelpful 'virus warning' (403)
2470 score VIRUS_WARNING403 20
2471
2472 # PBR
2473 # DSN: null, !Attach
2474 rawbody VIRUS_WARNING404 /^= Message body deleted by antivirus subsystem on e-mail gateway=$/
2475 describe VIRUS_WARNING404 Unhelpful 'virus warning' (404)
2476 score VIRUS_WARNING404 20
2477
2478 # PC
2479 # DSN: unknown
2480 rawbody VIRUS_WARNING405 /^Virus: "\S+" found!$/
2481 describe VIRUS_WARNING405 Unhelpful WinProxy 'virus warning' (405)
2482 score VIRUS_WARNING405 20
2483
2484 #AF
2485 # DSN: none
2486 header VIRUS_WARNING406 Subject =~ /^\[NOD32: deleted\]/
2487 describe VIRUS_WARNING406 Unhelpful NOD32 'virus warning' (406)
2488 score VIRUS_WARNING406 20
2489
2490 # AF
2491 # double-check for 406
2492 rawbody VIRUS_WARNING407 /^Warning: NOD32 Antivirus System for Linux Mail Server found the following infiltrations in this message/
2493 describe VIRUS_WARNING407 Unhelpful NOD32 'virus warning' (407)
2494 score VIRUS_WARNING407 10
2495
2496 # TV
2497 header VIRUS_WARNING408 Subject =~ /^AVISO: Email rejeitado: VIRUS Detectado$/
2498 describe VIRUS_WARNING408 Unhelpful 'virus warning' (408)
2499 score VIRUS_WARNING408 20
2500
2501 # TV
2502 header VIRUS_WARNING409 Subject =~ /^MDaemon Notificacion - Virus Encontrado!!!!$/
2503 describe VIRUS_WARNING409 Unhelpful MDaemon 'virus warning' (409)
2504 score VIRUS_WARNING409 20
2505
2506 # TV
2507 # the Netcabo version appears to be a customised Antigen install
2508 header VIRUS_WARNING410 Subject =~ /^(Antigen|Netcabo Antivirus) found \S+ virus$/
2509 describe VIRUS_WARNING410 Unhelpful Antigen 'virus warning' (410)
2510 score VIRUS_WARNING410 20
2511
2512 # TV
2513 header VIRUS_WARNING411 Subject =~ /^ATENTIE !!! Virusi detectati$/
2514 describe VIRUS_WARNING411 Unhelpful 'virus warning' (411)
2515 score VIRUS_WARNING411 20
2516
2517 #TV
2518 rawbody VIRUS_WARNING412 /^Vírus no seu e-mail\./
2519 describe VIRUS_WARNING412 Unhelpful 'virus warning' (412)
2520 score VIRUS_WARNING412 20
2521
2522 # TV
2523 header VIRUS_WARNING413 Subject =~ /^Virus found, original message not delivered\.$/
2524 describe VIRUS_WARNING413 Unhelpful InterScan 'virus warning' (413)
2525 score VIRUS_WARNING413 20
2526
2527 # TV
2528 rawbody VIRUS_WARNING414 /^We received a message from you containing a virus or other harmful content\.$/
2529 describe VIRUS_WARNING414 Unhelpful 'virus warning' (414)
2530 score VIRUS_WARNING414 20
2531
2532 # PC
2533 rawbody VIRUS_WARNING415 /^RAV AntiVirus for Linux i686 version: \d/
2534 describe VIRUS_WARNING415 Unhelpful 'virus warning'? (415)
2535 score VIRUS_WARNING415 2
2536
2537 # PC
2538 # not sure what the munged character is or whether this rule will even catch it
2539 # email forwarded to me had munged character encoding
2540 header VIRUS_WARNING416 Subject =~ /Resultado da procura por V.rus$/
2541 describe VIRUS_WARNING416 Unhelpful 'virus warning' (416)
2542 score VIRUS_WARNING416 3
2543
2544 # PC
2545 header VIRUS_WARNING417 X-Mailer =~ /^ravmd\/\d/
2546 describe VIRUS_WARNING417 Unhelpful 'virus warning'? (417)
2547 score VIRUS_WARNING417 3
2548
2549 # ML
2550 rawbody VIRUS_WARNING418 /^This attachment contained a virus and was stripped\.$/
2551 describe VIRUS_WARNING418 Unhelpful 'virus warning' (418)
2552 score VIRUS_WARNING418 20
2553
2554 # ML
2555 header VIRUS_WARNING419 Subject =~ /^\[Virus attachment removed\]/
2556 describe VIRUS_WARNING419 Unhelpful 'virus warning' (419)
2557 score VIRUS_WARNING419 20
2558
2559 # MM
2560 rawbody VIRUS_WARNING420 /^O Symantec Email Proxy excluiu a seguinte mensagem de e-mail:$/
2561 describe VIRUS_WARNING420 Unhelpful 'virus warning' (420)
2562 score VIRUS_WARNING420 20
2563
2564 # PBR
2565 rawbody VIRUS_WARNING421 /^Disallowed file (.{1,50}) assosiated with unrelated MIME type (.{1,50}) - potential virus$/
2566 describe VIRUS_WARNING421 Unhelpful 'virus warning' (421)
2567 score VIRUS_WARNING421 4
2568
2569 # PC
2570 rawbody VIRUS_WARNING422 /^Content-Disposition: attachment; filename="Norton AntiVirus Deleted1.txt"$/
2571 describe VIRUS_WARNING422 Unhelpful 'virus warning'? (422)
2572 score VIRUS_WARNING422 8
2573
2574 header VIRUS_WARNING423 Subject =~ /^Policy Violation$/
2575 describe VIRUS_WARNING423 Unhelpful 'virus warning'? (423)
2576 score VIRUS_WARNING423 0.1
2577
2578 meta VIRUS_WARNING424 VIRUS_WARNING188 && VIRUS_WARNING423
2579 describe VIRUS_WARNING424 Unhelpful 'virus warning' (424)
2580 score VIRUS_WARNING424 10
2581
2582 header VIRUS_WARNING425 Subject =~ /^Mail rejected: Executable attachment "[^"]{1,50}" not permitted\.$/
2583 describe VIRUS_WARNING425 Unhelpful 'virus warning' (425)
2584 score VIRUS_WARNING425 20
2585
2586 header VIRUS_WARNING426 Subject =~ /^Antivirus Notification$/
2587 describe VIRUS_WARNING426 Unhelpful 'virus warning' (426)
2588 score VIRUS_WARNING426 20
2589
2590 # TV
2591 header VIRUS_WARNING427 Subject =~ /^Mail delivery error : Virus found$/
2592 describe VIRUS_WARNING427 Unhelpful 'virus warning' (427)
2593 score VIRUS_WARNING427 20
2594
2595 # TV
2596 header VIRUS_WARNING428 Subject =~ /^Virus Detected in Email\.\.\.$/
2597 describe VIRUS_WARNING428 Unhelpful InteProtectNow! 'virus warning' (428)
2598 score VIRUS_WARNING428 20
2599
2600 # TV
2601 header VIRUS_WARNING429 Subject =~ /^Mass Mailing Virus Detected - Message was deleted\.$/
2602 describe VIRUS_WARNING429 Unhelpful 'virus warning' (429)
2603 score VIRUS_WARNING429 20
2604
2605 # AF
2606 header VIRUS_WARNING430 Subject =~ /^Iflex Mail Server detected an unrepairable virus in a message you sent/
2607 describe VIRUS_WARNING430 Unhelpful Iflex 'virus warning' (430)
2608 score VIRUS_WARNING430 20
2609
2610 # TV
2611 rawbody VIRUS_WARNING431 /^Norton AntiVirus (hat folgende E-Mail gelöscht, da sie einen Virus enthielt:|ha eliminato il seguente messaggio di posta elettronica )$/
2612 describe VIRUS_WARNING431 Unhelpful Norton 'virus warning' (431)
2613 score VIRUS_WARNING431 20
2614
2615 # NL
2616 # see also 420
2617 header VIRUS_WARNING432 Subject =~ /^Symantec Email Proxy Deleted Message$/
2618 describe VIRUS_WARNING432 Unhelpful Symantec 'virus warning' (432)
2619 score VIRUS_WARNING432 20
2620
2621 # PB
2622 rawbody VIRUS_WARNING433 /^diagnostics\/Diagnose: (Worm|Virus)\./
2623 describe VIRUS_WARNING433 Unhelpful 'virus warning'? (433)
2624 score VIRUS_WARNING433 4
2625
2626 # PB
2627 header VIRUS_WARNING434 X-Autoreply-Reason =~ /^(Worm|Virus)\./
2628 describe VIRUS_WARNING434 Unhelpful 'virus warning' (434)
2629 score VIRUS_WARNING434 20
2630
2631 # AF
2632 # DSN: null
2633 rawbody VIRUS_WARNING435 /^<<< 554 5\.7\.1 Message from .{7,30} rejected because is infected/
2634 describe VIRUS_WARNING435 Unhelpful 'virus warning' (435)
2635 score VIRUS_WARNING435 20
2636
2637 # ML
2638 header VIRUS_WARNING436 Subject =~ /^Virus in einer E-Mail von Ihnen gefunden!$/
2639 describe VIRUS_WARNING436 Unhelpful AntiVir MailGate 'virus warning' (436)
2640 score VIRUS_WARNING436 20
2641
2642 # MB
2643 # TJ: this has no relation to 436, I just numbered it wrongly. Thanks Donald Dawson for spotting.
2644 rawbody VIRUS_WARNING436a /^550 This message contains malware/
2645 describe VIRUS_WARNING436a Unhelpful 'virus warning' (436a)
2646 score VIRUS_WARNING436a 20
2647
2648 # TJ
2649 rawbody VIRUS_WARNING437 /^(Symantec E-Mail-Proxy hat folgende E-Mail-Nachricht gelöscht|Le proxy de messagerie Symantec a supprimé l'message suivant ):$/
2650 describe VIRUS_WARNING437 Unhelpful Symantec 'virus warning' (437)
2651 score VIRUS_WARNING437 20
2652
2653 # TV
2654 header VIRUS_WARNING438 Subject =~ /^VIRUS DETECTADO PARA /
2655 describe VIRUS_WARNING438 Unhelpful 'virus warning' (438)
2656 score VIRUS_WARNING438 20
2657
2658 # TJ
2659 rawbody VIRUS_WARNING439 /^\*\*\* Aquest missatge contenia virus\. \*\*\*$/
2660 describe VIRUS_WARNING439 Unhelpful Trend 'virus warning' (439)
2661 score VIRUS_WARNING439 20
2662
2663 # JT
2664 header VIRUS_WARNING440 Subject =~ /^WARNING VIRUS FOUND!!!$/
2665 describe VIRUS_WARNING440 Unhelpful 'virus warning' (440)
2666 score VIRUS_WARNING440 20
2667
2668 # TV
2669 header VIRUS_WARNING441 Subject =~ /^mensagem com virus$/
2670 describe VIRUS_WARNING441 Unhelpful 'virus warning' (441)
2671 score VIRUS_WARNING441 20
2672
2673 # JT
2674 rawbody VIRUS_WARNING442 /^Viruses were detected in the following components:$/
2675 describe VIRUS_WARNING442 Unhelpful 'virus warning' (442)
2676 score VIRUS_WARNING442 10
2677
2678 # TV
2679 header VIRUS_WARNING443 Subject =~ /^Panda ClientShield warning$/
2680 describe VIRUS_WARNING443 Unhelpful 'virus warning' (443)
2681 score VIRUS_WARNING443 10
2682
2683 # JT
2684 rawbody VIRUS_WARNING444 /^The original email was deleted because it contained the virus .{1,50}$/
2685 describe VIRUS_WARNING444 Unhelpful 'virus warning' (444)
2686 score VIRUS_WARNING444 10
2687
2688 # TV
2689 header VIRUS_WARNING445 Subject =~ /^Your mail was deleted by Norton Antivirus$/
2690 describe VIRUS_WARNING445 Unhelpful Norton 'virus warning' (445)
2691 score VIRUS_WARNING445 20
2692
2693 # TV
2694 header VIRUS_WARNING446 Subject =~ /^Auto Notification : Virus Detected!!$/
2695 describe VIRUS_WARNING446 Unhelpful 'virus warning' (446)
2696 score VIRUS_WARNING446 20
2697
2698 # AF
2699 header VIRUS_WARNING447 Subject =~ /^Warning: Possible Virus Infection$/
2700 describe VIRUS_WARNING447 Unhelpful Guinevere 'virus warning' (447)
2701 score VIRUS_WARNING447 20
2702
2703 # TV
2704 header VIRUS_WARNING448 Subject =~ /^Anti-Virus Alert$/
2705 describe VIRUS_WARNING448 Unhelpful 'virus warning' (448)
2706 score VIRUS_WARNING448 20
2707
2708 # TV
2709 header VIRUS_WARNING449 Subject =~ /^Aviso: Detectado formato de ficheiros invalido\.$/
2710 describe VIRUS_WARNING449 Unhelpful 'virus warning'? (449)
2711 score VIRUS_WARNING449 10
2712
2713 # TJ
2714 header VIRUS_WARNING450 Subject =~ /^VIRUS ALERT !$/
2715 describe VIRUS_WARNING450 Unhelpful 'virus warning' (450)
2716 score VIRUS_WARNING450 20
2717
2718 # TV
2719 header VIRUS_WARNING451 Subject =~ /^Content Filter Processed Your E-Mail$/
2720 describe VIRUS_WARNING451 Unhelpful 'virus warning'? (451)
2721 score VIRUS_WARNING451 2
2722
2723 # TV
2724 rawbody VIRUS_WARNING452 /^Reason: Anti Virus$/
2725 describe VIRUS_WARNING452 Unhelpful 'virus warning'? (452)
2726 score VIRUS_WARNING452 2
2727
2728 # TV
2729 meta VIRUS_WARNING453 VIRUS_WARNING451 && VIRUS_WARNING452
2730 describe VIRUS_WARNING453 Unhelpful virus warning (453)
2731 score VIRUS_WARNING453 10
2732
2733 # PB
2734 # TODO:needs work, subject is encoded
2735 header VIRUS_WARNING454 Subject =~ /InterScan MSS has deleted a message/
2736 describe VIRUS_WARNING454 Unhelpful virus warning (454)
2737 score VIRUS_WARNING454 20
2738
2739 # HB
2740 header VIRUS_WARNING455 Subject =~ /^\[WatchDog: Virus gefunden\]$/
2741 describe VIRUS_WARNING455 Unhelpful virus warning (455)
2742 score VIRUS_WARNING455 20
2743
2744 # TV
2745 header VIRUS_WARNING456 Subject =~ /^AVISO: VIRUS Detectado$/
2746 describe VIRUS_WARNING456 Unhelpful virus warning (456)
2747 score VIRUS_WARNING456 20
2748
2749 # TV
2750 header VIRUS_WARNING457 Subject =~ /^\[avast! - INFECTED\]/
2751 describe VIRUS_WARNING457 Unhelpful virus warning (457)
2752 score VIRUS_WARNING457 20
2753
2754 # JT
2755 rawbody VIRUS_WARNING458 /^A message you sent was virus infected\.$/
2756 describe VIRUS_WARNING458 Unhelpful virus warning? (458)
2757 score VIRUS_WARNING458 3
2758
2759 meta VIRUS_WARNING459 VIRUS_WARNING458 && VIRUS_WARNING63
2760 describe VIRUS_WARNING459 Unhelpful virus warning (459)
2761 score VIRUS_WARNING459 10
2762
2763 # NL
2764 # DSN: none
2765 header VIRUS_WARNING460 Subject =~ /^\[VIRUS-DETECTED\]/
2766 describe VIRUS_WARNING460 Unhelpful virus warning (460)
2767 score VIRUS_WARNING460 20
2768
2769 # TV
2770 # DSN: unknown
2771 header VIRUS_WARNING461 Subject =~ /^VIRUS DETECTED IN MESSAGE:/
2772 describe VIRUS_WARNING461 Unhelpful virus warning (461)
2773 score VIRUS_WARNING461 20
2774
2775 # PB
2776 # DSN: unknown
2777 header VIRUS_WARNING462 Subject =~ /^CSAV for Exchange - Virus Alert$/
2778 describe VIRUS_WARNING462 Unhelpful virus warning (462)
2779 score VIRUS_WARNING462 20
2780
2781 # TV
2782 # DSN: unknown
2783 header VIRUS_WARNING463 Subject =~ / VIRUS FOUND$/
2784 describe VIRUS_WARNING463 Unhelpful virus warning? (463)
2785 score VIRUS_WARNING463 2
2786
2787 rawbody __VIRUS_WARNING464 /^You have sent a virus infected email message/
2788 meta VIRUS_WARNING464 VIRUS_WARNING463 && __VIRUS_WARNING464
2789 describe VIRUS_WARNING464 Unhelpful virus warning (464)
2790 score VIRUS_WARNING464 20
2791
2792 # TV
2793 header VIRUS_WARNING465 Subject =~ /^SENDER! Virus found in message from you!$/
2794 describe VIRUS_WARNING465 Unhelpful virus warning (465)
2795 score VIRUS_WARNING465 20
2796
2797 # ML
2798 header VIRUS_WARNING466 Subject =~ /^Virus Warning from eScan to Mail-Sender!$/
2799 describe VIRUS_WARNING466 Unhelpful eScan virus warning (466)
2800 score VIRUS_WARNING466 20
2801
2802 # JT
2803 header VIRUS_WARNING467 Subject =~ /^Warning generated by Panda GateDefender\.$/
2804 describe VIRUS_WARNING467 Unhelpful Panda virus warning (467)
2805 score VIRUS_WARNING467 20
2806
2807 # JK
2808 # TJ: Juno *really* should know better...
2809 header VIRUS_WARNING468 Subject =~ /^ALERT: Email you sent may have contained a virus$/
2810 describe VIRUS_WARNING468 Unhelpful Juno virus warning (468)
2811 score VIRUS_WARNING468 20
2812
2813 # ML
2814 header VIRUS_WARNING469 Subject =~ /^\*\*VIRUS\*\*/
2815 describe VIRUS_WARNING469 Unhelpful virus warning (469)
2816 score VIRUS_WARNING469 20
2817
2818
2819 ### TJ: Executable. Could be a virus
2820 # See http://archives.neohapsis.com/archives/postfix/2002-04/1841.html
2821 # and http://archives.neohapsis.com/archives/postfix/2002-04/1931.html
2822 rawbody VIRUS_WARNING_EXE1 /^TV[nopqr][A-Z]...[AB]..A.A....{1,99}AAAA...{1,99}AAAA/
2823 describe VIRUS_WARNING_EXE1 Message appears to contain a Windows executable
2824 score VIRUS_WARNING_EXE1 2.0
2825
2826 rawbody VIRUS_WARNING_EXE2 /^M35[GHIJK].`..`..{1,99}````/i
2827 describe VIRUS_WARNING_EXE2 Message contains a UUencoded Windows executable
2828 score VIRUS_WARNING_EXE2 2.0
2829
2830
2831 ### HD/TJ: Looks like some (unknown) virus
2832
2833 # TJ/RN
2834 # Sober variants which are bothering everyone at the moment (2005-05-06)
2835 rawbody VIRUS_WARNING_SOBER /^\*\*\* (Server-AntiVirus|Attachment-Scanner|AntiVirus): (No Virus \(Clean\)|Status OK|No Virus found)$/
2836 describe VIRUS_WARNING_SOBER Looks like Sober virus or bounce thereof
2837 score VIRUS_WARNING_SOBER 20
2838
2839
2840 # Netsky variation?
2841 # line starts with +-+-+ or *** ...
2842 rawbody VIRUS_WARNING_XXX1 /^[\+\-\*]+ (Anti-\s?Virus|X-\s?Attachment_\s?Scanner|Mail-\s?Attachment|X-\s?Mail_Scanner): (NO VIRUS|No Virus found|No Virus!?|No suspicious Virus signatures)$/
2843 describe VIRUS_WARNING_XXX1 Unidentified virus or bounce thereof (2)
2844 score VIRUS_WARNING_XXX1 20
2845
2846 ### TJ: Novarg, I think
2847 header __VIRUS_WARNING_NOVARG1A X-Virus-Scanned =~ /^Symantec AntiVirus Scan Engine$/
2848 header __VIRUS_WARNING_NOVARG1B X-Virus-Scan-Result =~ /^Repaired \d+/
2849 meta VIRUS_WARNING_NOVARG1 __VIRUS_WARNING_NOVARG1A && __VIRUS_WARNING_NOVARG1B
2850 describe VIRUS_WARNING_NOVARG1 Looks like Novarg virus
2851 score VIRUS_WARNING_NOVARG1 20
2852
2853 # Bounce of Novarg
2854 rawbody __VIRUS_WARNING_NOVARG2A /^\s*X-Virus-Scanned: Symantec AntiVirus Scan Engine$/
2855 rawbody __VIRUS_WARNING_NOVARG2B /^\s*X-Virus-Scan-Result: Repaired \d+/
2856 meta VIRUS_WARNING_NOVARG2 __VIRUS_WARNING_NOVARG2A && __VIRUS_WARNING_NOVARG2B
2857 describe VIRUS_WARNING_NOVARG2 Looks like Novarg virus bounce
2858 score VIRUS_WARNING_NOVARG2 20
2859
2860 ### TJ: Texts normally found in the body of Bagle.B viruses
2861
2862 rawbody VIRUS_WARNING_BAGLE1 /^Subject: ID .{1,50}\.\.\. thanks$/
2863 describe VIRUS_WARNING_BAGLE1 Could be a Bagle.B bounce
2864 score VIRUS_WARNING_BAGLE1 4
2865
2866 rawbody VIRUS_WARNING_BAGLE2 /^Yours ID/
2867 describe VIRUS_WARNING_BAGLE2 Could be a Bagle.B bounce
2868 score VIRUS_WARNING_BAGLE2 1
2869
2870
2871 ### TJ: Bagle-Q/R virus
2872
2873 rawbody VIRUS_WARNING_BAGLE3 /^<OBJECT\s+STYLE="display:none"\s+DATA="http:\/\/[0-9\.]+(:81)?\/[0-9]+\.php">$/
2874 describe VIRUS_WARNING_BAGLE3 Looks like Bagle.Q/R virus/bounce
2875 score VIRUS_WARNING_BAGLE3 10
2876
2877
2878 ### TJ: Stuff to do with Netsky virus
2879
2880 rawbody __VIRUS_WARNING_NETSKY1 /^Subject: (unknown|fake|stolen|information|warning|something for you|read it immediately|hello)$/
2881 #describe VIRUS_WARNING_NETSKY1 Could be a Netsky virus bounce (subject matched)
2882 #score VIRUS_WARNING_NETSKY1 1
2883
2884 rawbody __VIRUS_WARNING_NETSKY2 /^(anything ok\?|what does it mean\?|ok|i'm waiting|read the details\.|here is the document\.|read it immediately!|my hero|here|is that true\?|is that your name\?|is that your account\?|i wait for a reply!|is that from you\?|you are a bad writer|I have your password!|something about you!|kill the writer of this document!|i hope it is not true!|your name is wrong|i found this document about you|yes, really\?|that is bad|here it is|see you|greetings|stuff about you\?|something is going wrong!|information about you|about me|from the chatter|here, the serials|here, the introduction|here, the cheats|that's funny|do you\?|reply|take it easy|why\?|thats wrong|misc|you earn money|you feel the same|you try to steal|you are bad|something is going wrong|something is fool)$/
2885 #describe VIRUS_WARNING_NETSKY2 Could be a Netsky virus bounce (body matched)
2886 #score VIRUS_WARNING_NETSKY2 1
2887
2888 meta VIRUS_WARNING_NETSKY (__VIRUS_WARNING_NETSKY1 && __VIRUS_WARNING_NETSKY2)
2889 score VIRUS_WARNING_NETSKY 3
2890
2891 # Netsky G - http://www.sophos.com/virusinfo/analyses/w32netskyg.html
2892 # There are many other subjects, but many are too common to reject on,
2893 # and I don't want this to become a virus scanner, but here are a few.
2894 body VIRUS_WARNING_NETSKY3 /^Subject: Re: (Re: Re: Your document|Re: Thanks!|Re: Document|Re: Message|Approved|Here is the document|Excel file|Word file)$/
2895 describe VIRUS_WARNING_NETSKY3 Netsky virus bounce (subject matched)
2896 score VIRUS_WARNING_NETSKY3 3
2897
2898 body VIRUS_WARNING_NETSKY4 /In order to read the attach you have to use the following password:/
2899 describe VIRUS_WARNING_NETSKY4 Looks like Netsky bounce (body attached password)
2900 score VIRUS_WARNING_NETSKY4 5
2901
2902 # Netsky P - http://www.sophos.com/virusinfo/analyses/w32netskyp.html
2903 # VS/TJ
2904 rawbody VIRUS_WARNING_NETSKY5A /^\++\s*Attachment: No Virus found$/
2905 describe VIRUS_WARNING_NETSKY5A Looks like Netsky/P bounce (5A)
2906 score VIRUS_WARNING_NETSKY5A 10
2907
2908 rawbody VIRUS_WARNING_NETSKY5B /^\++\s*(MessageLabs|Norton|MC-Afee|Kaspersky|Norman|Panda|F-Secure) AntiVirus/
2909 describe VIRUS_WARNING_NETSKY5B Looks like Netsky/P bounce (5B)
2910 score VIRUS_WARNING_NETSKY5B 10
2911
2912 meta VIRUS_WARNING_NETSKY5 VIRUS_WARNING_NETSKY5A && VIRUS_WARNING_NETSKY5B
2913 describe VIRUS_WARNING_NETSKY5 Looks like Netsky/P bounce (5)
2914 score VIRUS_WARNING_NETSKY5 10
2915
2916 ### TJ: Texts normally found in the body of MyDoom viruses
2917
2918 rawbody VIRUS_WARNING_MYDOOM1 /The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment/
2919 describe VIRUS_WARNING_MYDOOM1 Body contains Mydoom text
2920 score VIRUS_WARNING_MYDOOM1 6.0
2921
2922 rawbody VIRUS_WARNING_MYDOOM2 /The message contains Unicode characters and has been sent as a binary attachment\./
2923 describe VIRUS_WARNING_MYDOOM2 Body contains Mydoom text
2924 score VIRUS_WARNING_MYDOOM2 6.0
2925
2926 rawbody VIRUS_WARNING_MYDOOM3 /Mail transaction failed\. Partial message is available\./
2927 describe VIRUS_WARNING_MYDOOM3 Body contains Mydoom text
2928 score VIRUS_WARNING_MYDOOM3 6.0
2929
2930 # Looks like a bounce containing a Mydoom message
2931 # Some bounces will match both 4 and 4a, so 4a is scored low
2932 # Next two rules used to contain a question mark at the end, to match
2933 # empty subject lines. Now removed, since the worst has passed
2934 rawbody __VIRUS_WARNING_MYDOOM4 /^Subject: (Hello|hi|test|mail delivery system|mail transaction failed|server report|status|error)$/i
2935 #describe VIRUS_WARNING_MYDOOM4 Body looks like a bounce which could be from Mydoom (contains Mydoom Subject)
2936 #score VIRUS_WARNING_MYDOOM4 1.3
2937
2938 rawbody __VIRUS_WARNING_MYDOOM4A /\sSubject: (Hello|hi|test|mail delivery system|mail transaction failed|server report|status|error)$/i
2939 #describe VIRUS_WARNING_MYDOOM4A Body could be a Mydoom bounce (contains Mydoom Subject)
2940 #score VIRUS_WARNING_MYDOOM4A 0.5
2941
2942 rawbody TJ_EMPTY_SUBJECT /^Subject: $/
2943 describe TJ_EMPTY_SUBJECT Empty subject. Could be a MyDoom bounce.
2944 score TJ_EMPTY_SUBJECT 0.5
2945
2946 # Could be a bounce containing a Mydoom message
2947 body VIRUS_WARNING_MYDOOM5 /filename="(body|data|doc|document|file|message|readme|test)\.(bat|cmd|exe|pif|scr|zip|htm|txt|doc)/i
2948 describe VIRUS_WARNING_MYDOOM5 Body contains possible Mydoom attachment
2949 score VIRUS_WARNING_MYDOOM5 1.2
2950
2951 meta VIRUS_WARNING_DOOM_BNC VIRUS_WARNING78 && (__VIRUS_WARNING_MYDOOM4 || __VIRUS_WARNING_MYDOOM4A || VIRUS_WARNING_MYDOOM5)
2952 describe VIRUS_WARNING_DOOM_BNC Looks like a Mydoom bounce
2953 score VIRUS_WARNING_DOOM_BNC 7.5
2954
2955
2956 ### TJ: Failed/cleaned infections
2957 # Used to match empty subjects too
2958 #header VIRUS_CLEANED_MYDOOM Subject =~ /^(Hello|hi|test|mail delivery system|mail transaction failed|server report|status|error)$/i
2959 #describe VIRUS_CLEANED_MYDOOM Failed/cleaned Mydoom infection?
2960 #score VIRUS_CLEANED_MYDOOM 1
2961
2962 # TJ/VS
2963 header VIRUS_CLEANED_SOBIG_F1 Subject =~ /^(Re: )?(Approved|Wicked screensaver|That movie|Thank you!)$/
2964 describe VIRUS_CLEANED_SOBIG_F1 Failed/cleaned Sobig/F infection? (1)
2965 score VIRUS_CLEANED_SOBIG_F1 2
2966
2967 header VIRUS_CLEANED_SOBIG_F2 Subject =~ /^Re: (Re: )?((My|Your) )?Details$/
2968 describe VIRUS_CLEANED_SOBIG_F2 Failed/cleaned Sobig/F infection? (2)
2969 score VIRUS_CLEANED_SOBIG_F2 2
2970
2971 header VIRUS_CLEANED_1 Subject =~ /^Re: Your application$/
2972 describe VIRUS_CLEANED_1 Failed/cleaned Sobig/F or Netsky/K infection? (1)
2973 score VIRUS_CLEANED_1 1
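
A cross-reference check for rule files in this syntax, as an added example (not part of the ruleset or of SpamAssassin): it flags `meta` expressions that name a rule no line defines, and `describe`/`score` lines that are orphaned or repeated for one rule. The `EX_*` rules are constructed sample input, and `parse` and `lint` are hypothetical helper names.

```python
import re

# Directives that define a rule, and the ones that only annotate it.
DEFINING = {"header", "body", "rawbody", "uri", "full", "meta"}
ANNOTATING = {"describe", "score"}
# "<optional listing number> <directive> <RULE_NAME> <rest>".
# Comment lines ("# TJ", "#describe ...") never match because of the "#".
LINE = re.compile(r"^\s*(?:\d+\s+)?([a-z]+)\s+(\w+)\s*(.*)$")
IDENT = re.compile(r"(?<!\w)[A-Za-z_]\w*")

# Constructed sample in the same layout as the listing above (assumption:
# none of these EX_* names exist in the real ruleset).
SAMPLE = r"""
10 rawbody  __EX_SUBJ_A   /^Subject: (hello|test)$/i
11 rawbody  __EX_SUBJ_B   /\sSubject: (hello|test)$/i
12 body     EX_ATTACH     /filename="readme\.(exe|pif)/i
13 header   EX_BOUNCE     Subject =~ /^Returned mail/
14 # sub-rule was renamed with a __ prefix, the meta still uses the old name
15 meta     EX_BOUNCE_MIX EX_BOUNCE && (EX_SUBJ_A || __EX_SUBJ_B || EX_ATTACH)
16 describe EX_BOUNCE_MIX Looks like a worm bounce
17 score    EX_BOUNCE_MIX 7.5
18 body     EX_PW_1       /use the following password:/
19 describe EX_PW_2       Bounce (subject matched)
20 score    EX_PW_1       3
21 body     EX_PW_2       /password attached/
22 describe EX_PW_2       Bounce (password text)
23 score    EX_PW_2       5
24 score    EX_GONE       1
"""


def parse(text):
    """Collect defined rule names, meta expressions and annotations."""
    defined, metas = set(), {}
    notes = {kind: {} for kind in ANNOTATING}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank line, comment, or not a rule line
        directive, name, rest = m.groups()
        if directive in DEFINING:
            defined.add(name)
            if directive == "meta":
                metas[name] = rest
        elif directive in ANNOTATING:
            notes[directive].setdefault(name, []).append(rest)
    return defined, metas, notes


def lint(text):
    """Return sorted (kind, rule, detail) tuples for cross-reference errors."""
    defined, metas, notes = parse(text)
    findings = []
    # A meta may only combine rules that some line actually defines.
    for name, expr in metas.items():
        for ref in IDENT.findall(expr):
            if ref not in defined:
                findings.append(("undefined-dependency", name, ref))
    # describe/score must point at a defined rule, once per rule.
    for kind, table in notes.items():
        for name, values in table.items():
            if name not in defined:
                findings.append(("orphan-" + kind, name, values[0]))
            elif len(values) > 1:
                findings.append(("duplicate-" + kind, name, values[-1]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, rule, detail in lint(SAMPLE):
        print(f"{kind:22} {rule:15} {detail}")
```
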
