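# A virus-bounce ruleset, suitable for use by anyone receiving a lot of joe-job
# or virus-blowback bounce messages.
#
# If you use this, set up procmail or your mail app to spot the "BOUNCE_",
# "CRBOUNCE_" or "VBOUNCE_" string in the X-Spam-Status line, and move messages
# that match that to a 'vbounce' folder.
#
# SECURITY NOTE: every rule below keys on sender-controlled text (Subject,
# From, Return-Path, body). Anyone can trigger them on purpose, so a hit only
# means "looks like a bounce", never "is a bounce". Do not auto-delete the
# vbounce folder unseen, and do not feed its contents to a whitelist. The
# 0.1 scores are deliberately tiny: classification is done by the rule-name
# prefix, and the normal spam verdict is left entirely to the other rules.
#
# This is substantially based on
# http://www.timj.co.uk/linux/bogus-virus-warnings.cf ; the main difference is
# that I prefer to keep bounces and spam separate, so this ruleset uses the
# rule-name-prefix trick instead of giving the rules high scores. There's
# a couple of rules that were FPing, too, so I fixed or removed them.
#
# lastmod Sep 10 2005 jm
# ---------------------------------------------------------------------------
# Optional: rescue messages that contain your real MX ip addresses in the body,
# because they're *real* bounces. You may not *want* real bounces though,
# so this is optional ;)
#
# CAUTION: a negative score on body text is a string-based whitelist. Anyone
# who learns your MX address (it is in your received headers on every mail you
# send) can paste it into a spam to claim -5. If you enable this, keep the
# magnitude small, or AND it in a meta with a structural bounce signal such as
# BOUNCE_CTYPE or BOUNCE_RPATH_NULL instead of scoring it on its own.
#
# body MY_IP_BOUNCE /209\.237\.227\.\d+/
# tflags MY_IP_BOUNCE nice
# score MY_IP_BOUNCE -5
# ---------------------------------------------------------------------------
# General bounce messages

header BOUNCE_FROM_DAEMON From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin)\S+\@|<>)/i
describe BOUNCE_FROM_DAEMON From: looks like a mail daemon / scanner, or is the null sender
score BOUNCE_FROM_DAEMON 0.1

# The null reverse-path is what RFC-compliant MTAs use for DSNs; it is also
# trivially settable by anyone speaking SMTP, hence the low score.
header BOUNCE_RPATH_NULL Return-Path =~ /<>/
describe BOUNCE_RPATH_NULL Return-Path is the null sender (<>)
score BOUNCE_RPATH_NULL 0.1

header BOUNCE_RPATH_MD Return-Path =~ /(?:mailer-(?:daemon|deamon)|quotaagent|pleaseforward|autoresponder|autoresponse-\S+)\@/i
describe BOUNCE_RPATH_MD Return-Path is a mailer-daemon / autoresponder address
score BOUNCE_RPATH_MD 0.1

# Sub-rules (leading "__" = no score of their own) feeding BOUNCE_AUTO_GENERATED.
header __AUTO_GEN_AS exists:Auto-Submitted
header __AUTO_GEN_MS exists:X-MS-Embedded-Report
header __AUTO_GEN_AG exists:X-autogenerated
header __AUTO_GEN_CM exists:X-Choicemail-Registration-Request
header __AUTO_GEN_3 X-MailScanner =~ /generated/
header __AUTO_GEN_4 X-Mailer =~ /autoresponder/i
header __AUTO_GEN_XXSP X-XSP-Msgclass =~ /NOTIFICATION/
header __AUTO_GEN_PREC Precedence =~ /auto/
meta BOUNCE_AUTO_GENERATED (__AUTO_GEN_AS||__AUTO_GEN_MS||__AUTO_GEN_3||__AUTO_GEN_4||__AUTO_GEN_AG||__AUTO_GEN_XXSP||__AUTO_GEN_CM||__AUTO_GEN_PREC)
describe BOUNCE_AUTO_GENERATED Headers say the message was generated automatically
score BOUNCE_AUTO_GENERATED 0.1

header BOUNCE_Y_AUTOGEN Subject =~ /^Yahoo! Auto Response/
describe BOUNCE_Y_AUTOGEN generated by Yahoo! auto-responder
score BOUNCE_Y_AUTOGEN 0.1

# The empty final alternative is intentional: a bare "Returned mail" subject
# (plus up to 5 trailing characters) also matches.
header BOUNCE_SYMANTEC Subject =~ /^Returned mail.{0,5}(?:Error During Delivery|see transcript for details|)$/i
describe BOUNCE_SYMANTEC Bounce - "Returned mail"
score BOUNCE_SYMANTEC 0.1

header BOUNCE_X_ERR_STAT X-Error-Status =~ /User unknown/
describe BOUNCE_X_ERR_STAT X-Error-Status header reports "User unknown"
score BOUNCE_X_ERR_STAT 0.1

header BOUNCE_RETURNED Subject =~ /^Returned mail: User unknown/
describe BOUNCE_RETURNED AOL Postmaster "Returned mail: User unknown"
score BOUNCE_RETURNED 0.1

header BOUNCE_MAILDELFAIL Subject =~ /^Mail delivery failed: /
describe BOUNCE_MAILDELFAIL Bounce - iPlanet "Mail delivery failed"
score BOUNCE_MAILDELFAIL 0.1

header BOUNCE_MSGDELFAIL Subject =~ /^Message Delivery Failure/
describe BOUNCE_MSGDELFAIL Bounce - Plesk "Message Delivery Failure"
score BOUNCE_MSGDELFAIL 0.1

# "messages?" accepts both the singular and the plural spelling; the earlier
# pattern only matched "This messages was", which looks like a typo and would
# miss a bounce worded in the singular.
# JM: prev versions used "automaticly", that was a typo
body BOUNCE_ESMTP /^This messages? was created automatically by mail delivery software/
describe BOUNCE_ESMTP ESMTP bounce message
score BOUNCE_ESMTP 0.1

# Out-of-office / vacation autoresponders.
body BOUNCE_OOO_1 /\bI(.m| am| will be) out of the office (?:to|until|after)\b/i
describe BOUNCE_OOO_1 Out-of-office autoresponder ("I am out of the office until ...")
score BOUNCE_OOO_1 0.1

body BOUNCE_OOO_2 /\bI ?.m away until .{10,20} and am unable to read your message\b/
describe BOUNCE_OOO_2 Out-of-office autoresponder ("I'm away until ...")
score BOUNCE_OOO_2 0.1

body BOUNCE_NEVER_SEE /\bThis is an autoresponder. I'll never see your message\b/i
describe BOUNCE_NEVER_SEE Autoresponder: "I'll never see your message"
score BOUNCE_NEVER_SEE 0.1

body BOUNCE_NONWORKING /\bYou have reached a non.?working address. Please check\b/i
describe BOUNCE_NONWORKING Autoresponder: "You have reached a non-working address"
score BOUNCE_NONWORKING 0.1

header BOUNCE_UNDELIVERABLE Subject =~ /^Undeliverable: /
describe BOUNCE_UNDELIVERABLE Bounce - "Undeliverable: ..."
score BOUNCE_UNDELIVERABLE 0.1

header BOUNCE_UNDELIVERABLE_ML Subject =~ /^Undeliver(?:able|ed) Mail\b/
describe BOUNCE_UNDELIVERABLE_ML Bounce - "Undeliverable Mail"
score BOUNCE_UNDELIVERABLE_ML 0.1

header BOUNCE_NOTDEL Subject =~ /^MESSAGE NOT DELIVERED: /
describe BOUNCE_NOTDEL Bounce - "MESSAGE NOT DELIVERED:"
score BOUNCE_NOTDEL 0.1

# multipart/report is the structural DSN format (RFC 3462); the most reliable
# of these signals, though still forgeable.
header BOUNCE_CTYPE Content-Type =~ /\bmultipart\/report\b/
describe BOUNCE_CTYPE Bounce according to Content-Type
score BOUNCE_CTYPE 0.1

header BOUNCE_DEL_FAIL Subject =~ /^Delivery Failure Notification/
describe BOUNCE_DEL_FAIL Bounce - "Delivery Failure Notification"
score BOUNCE_DEL_FAIL 0.1

# ---------------------------------------------------------------------------
# Challenge/Response bounces

header CRBOUNCE_UOL From =~ /\bAntiSpam UOL\b/
describe CRBOUNCE_UOL Challenge/response bounce - UOL
score CRBOUNCE_UOL 0.1

header CRBOUNCE_RP Return-Path =~ /<(?:spamblocker-challenge|spambush|apd\.sspam)\@/i
describe CRBOUNCE_RP Challenge/response bounce - by Return-Path
score CRBOUNCE_RP 0.1

header __AUTO_GEN_XBT exists:X-Boxtrapper
meta CRBOUNCE_HEADER (__AUTO_GEN_XBT)
describe CRBOUNCE_HEADER Challenge/response bounce - by header
score CRBOUNCE_HEADER 0.1

# ---------------------------------------------------------------------------
# "Virus found in your mail" bounces

# Renamed from VBOUNCE_WARNING: that name was also used for a Subject rule
# further down, and SpamAssassin keeps only the last definition of a name, so
# this body rule was silently being discarded. It keeps the VBOUNCE_ prefix,
# so existing folder filters still match.
body VBOUNCE_WARNING_BODY /Virus Warning/
describe VBOUNCE_WARNING_BODY Virus bounce - "Virus Warning" in body
score VBOUNCE_WARNING_BODY 0.1

# source: VirusBounceRules from the exit0 SA wiki
body VBOUNCE_EXIM /a potentially executable attachment /
describe VBOUNCE_EXIM Virus bounce - sf.net
score VBOUNCE_EXIM 0.1

body VBOUNCE_GUIN /message contains file attachments that are not permitted/
describe VBOUNCE_GUIN Virus bounce - Guinevere
score VBOUNCE_GUIN 0.1

body VBOUNCE_CISCO /^Found virus \S+ in file \S+/m
describe VBOUNCE_CISCO Virus bounce - Cisco.com
score VBOUNCE_CISCO 0.1

body VBOUNCE_SMTP /host \S+ said: 5\d\d\s+Error: Message content rejected/
describe VBOUNCE_SMTP Virus bounce - SMTP error via postfix
score VBOUNCE_SMTP 0.1

body VBOUNCE_AOL /TRANSACTION FAILED - Unrepairable Virus Detected./
describe VBOUNCE_AOL Virus bounce - AOL
score VBOUNCE_AOL 0.1

body VBOUNCE_DUTCH /bevatte bijlage besmet welke besmet was met een virus/
describe VBOUNCE_DUTCH Virus bounce - something in Dutch!
score VBOUNCE_DUTCH 0.1

body VBOUNCE_MAILMARSHAL /Mail.?Marshal Rule: Inbound Messages : Block Dangerous Attachments/
describe VBOUNCE_MAILMARSHAL Virus bounce - Mail Marshal
score VBOUNCE_MAILMARSHAL 0.1

header VBOUNCE_MAILMARSHAL2 Subject =~ /^MailMarshal has detected possible spam in your message/
describe VBOUNCE_MAILMARSHAL2 Virus bounce - Mail Marshal (2)
score VBOUNCE_MAILMARSHAL2 0.1

header VBOUNCE_NAVFAIL Subject =~ /^Norton Anti.?Virus failed to scan an attachment in a message you sent/
describe VBOUNCE_NAVFAIL Virus bounce - Norton AV failure
score VBOUNCE_NAVFAIL 0.1

header VBOUNCE_REJECTED Subject =~ /^EMAIL REJECTED$/
describe VBOUNCE_REJECTED Virus bounce - REJECTED
score VBOUNCE_REJECTED 0.1

header VBOUNCE_NAV Subject =~ /^Norton Anti.?Virus detected and quarantined/
describe VBOUNCE_NAV Virus bounce - Norton
score VBOUNCE_NAV 0.1

header VBOUNCE_MELDING Subject =~ /^Virusmelding$/
describe VBOUNCE_MELDING Virus bounce - 'virusmelding'
score VBOUNCE_MELDING 0.1

body VBOUNCE_VALERT /The mail message \S+ \S+ you sent to \S+ contains the virus/
describe VBOUNCE_VALERT Virus bounce - contains the virus
score VBOUNCE_VALERT 0.1

body VBOUNCE_REJ_FILT /Reason: Rejected by filter/
describe VBOUNCE_REJ_FILT Virus bounce - rejected by filter
score VBOUNCE_REJ_FILT 0.1

header VBOUNCE_YOUSENT Subject =~ /^Warning - You sent a Virus Infected Email to /
describe VBOUNCE_YOUSENT Virus bounce - a virus infected email
score VBOUNCE_YOUSENT 0.1

body VBOUNCE_MAILSWEEP /MAILsweeper has found that a \S+ \S+ \S+ \S+ one or more virus/
describe VBOUNCE_MAILSWEEP Virus bounce - MAILsweeper
score VBOUNCE_MAILSWEEP 0.1

header VBOUNCE_SCREENSAVER Subject =~ /(Re: ?)+Wicked screensaver\b/i
describe VBOUNCE_SCREENSAVER Virus bounce - variation on Re: Wicked screensaver
score VBOUNCE_SCREENSAVER 0.1

header VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/
describe VBOUNCE_DISALLOWED Virus bounce - "Disallowed attachment type"
score VBOUNCE_DISALLOWED 0.1

header VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/
describe VBOUNCE_FROMPT From P&T SecurityScan AntiVirus
score VBOUNCE_FROMPT 0.1

header VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(es)? detected/i
describe VBOUNCE_WARNING Variations on "Warning: E-mail viruses detected"
score VBOUNCE_WARNING 0.1

header VBOUNCE_DETECTED Subject =~ /^Virus detected /i
describe VBOUNCE_DETECTED "Virus detected" (Network Associates Webshield)
score VBOUNCE_DETECTED 0.1

header VBOUNCE_AUTOMATIC Subject =~ /\b(automatic reply|AutoReply)\b/
describe VBOUNCE_AUTOMATIC Variations on "automatic reply"
score VBOUNCE_AUTOMATIC 0.1

header VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i
describe VBOUNCE_INTERSCAN InterScan E-Mail VirusWall
score VBOUNCE_INTERSCAN 0.1

header VBOUNCE_VIOLATION Subject =~ /^Content violation/i
describe VBOUNCE_VIOLATION L-3com.com "Content violation"
score VBOUNCE_VIOLATION 0.1

header VBOUNCE_ALERT Subject =~ /^Virus Alert\b/i
describe VBOUNCE_ALERT multivac.de Viruswall
score VBOUNCE_ALERT 0.1

header VBOUNCE_NAV2 Subject =~ /^NAV detected a virus in a document /
describe VBOUNCE_NAV2 Norton Anti-Virus
score VBOUNCE_NAV2 0.1

body VBOUNCE_NAV3 /^Reporting-MTA: Norton Anti.?Virus Gateway/
describe VBOUNCE_NAV3 Norton Anti-Virus
score VBOUNCE_NAV3 0.1

header VBOUNCE_INTERSCAN2 Subject =~ /^InterScan MSS for SMTP has delivered a message/
describe VBOUNCE_INTERSCAN2 InterScan MSS Delivery message
score VBOUNCE_INTERSCAN2 0.1

header VBOUNCE_INTERSCAN3 Subject =~ /^InterScan NT Alert/
describe VBOUNCE_INTERSCAN3 InterScan NT
score VBOUNCE_INTERSCAN3 0.1

header VBOUNCE_ANTIGEN Subject =~ /^Antigen found\b/i
describe VBOUNCE_ANTIGEN Antigen for Exchange
score VBOUNCE_ANTIGEN 0.1

header VBOUNCE_LUTHER From =~ /\blutherh\@stratcom.com\b/
describe VBOUNCE_LUTHER Strategic Computer Solutions, Inc. bounce
score VBOUNCE_LUTHER 0.1

header VBOUNCE_AMAVISD Subject =~ /^VIRUS IN YOUR MAIL /i
describe VBOUNCE_AMAVISD amavisd virus alert (subject)
score VBOUNCE_AMAVISD 0.1

body VBOUNCE_AMAVISD2 /\bV I R U S\b/
describe VBOUNCE_AMAVISD2 amavisd virus alert ("V I R U S")
score VBOUNCE_AMAVISD2 0.1

# off: got an FP in a simple forward
# rawbody VBOUNCE_SUBJ_IN_MAIL /^\s*Subject:\s*(Re: )*((my|your) )?(application|details)/i
# rawbody VBOUNCE_SUBJ_IN_MAIL2 /^\s*Subject:\s*(Re: )*(Thank you!?|That movie|Wicked screensaver|Approved)/i

header VBOUNCE_SCANMAIL Subject =~ /^Scan.?Mail Message: .{0,30} virus found /i
describe VBOUNCE_SCANMAIL ScanMail for Microsoft Exchange
score VBOUNCE_SCANMAIL 0.1

header VBOUNCE_DOMINO1 Subject =~ /^Report to Sender/
describe VBOUNCE_DOMINO1 Nike/FNX/Domino server report
score VBOUNCE_DOMINO1 0.1

body VBOUNCE_DOMINO2 /^Incident Information:/
describe VBOUNCE_DOMINO2 Nike/FNX/Domino server report body
score VBOUNCE_DOMINO2 0.1

header VBOUNCE_RAV Subject =~ /^RAV Anti.?Virus scan results/
describe VBOUNCE_RAV RAV AntiVirus
score VBOUNCE_RAV 0.1

body VBOUNCE_ATTACHMENT0 /(Attachment.{0,40}was Deleted|Virus.{1,40}was found|the infected attachment)/i
describe VBOUNCE_ATTACHMENT0 Virus Bounce - some attachment was deleted
score VBOUNCE_ATTACHMENT0 0.1
# Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages.

body VBOUNCE_AVREPORT0 /(antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i
describe VBOUNCE_AVREPORT0 Virus Bounce - AV system report
score VBOUNCE_AVREPORT0 0.1

header VBOUNCE_SENDER Subject =~ /^Virus to sender/
describe VBOUNCE_SENDER Virus bounce - sweeperadmin.co.za
score VBOUNCE_SENDER 0.1

body VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i
describe VBOUNCE_MAILSWEEP2 Virus bounce - MAILsweeper, second format
score VBOUNCE_MAILSWEEP2 0.1

header VBOUNCE_MAILSWEEP3 From =~ /\bmailsweeper\b/i
describe VBOUNCE_MAILSWEEP3 Virus bounce - From MAILsweeper
score VBOUNCE_MAILSWEEP3 0.1
# Bart says: This one could replace both MAILSWEEP2 and MAILSWEEP as far as I can tell.
# Perhaps it's too general?

body VBOUNCE_CLICKBANK /\bvirus scanner deleted your message\b/i
describe VBOUNCE_CLICKBANK Virus bounce - clickbank.com
score VBOUNCE_CLICKBANK 0.1

header VBOUNCE_FORBIDDEN Subject =~ /\bFile type Forbidden\b/
describe VBOUNCE_FORBIDDEN Virus bounce - Spamscanner at tbbs.net
score VBOUNCE_FORBIDDEN 0.1

header VBOUNCE_MMS Subject =~ /^MMS Notification/
describe VBOUNCE_MMS Virus bounce - bounces from MFS System Security
score VBOUNCE_MMS 0.1

# added by JoeyKelly
# "TVqQAAMAAAAEAAAA" is the base64 encoding of the first bytes of a DOS/PE
# executable header ("MZ\x90\x00\x03\x00..."), so this fires when a bounce
# quotes the original attachment body back into the text. Unlike the
# Subject/From rules above, this one looks at actual executable content.
body VBOUNCE_QUOTED_EXE /> TVqQAAMAAAAEAAAA/
describe VBOUNCE_QUOTED_EXE Virus bounce - quoted EXE file
score VBOUNCE_QUOTED_EXE 0.1

# majordomo is really stupid about this stuff
header __MAJORDOMO_SUBJ Subject =~ /^Majordomo results: /
body __MAJORDOMO_HELP_BODY /\*\*\*\* Help for majordomo\@/
# The earlier pattern ended in ".\b", which only matches when a word
# character immediately follows the period; dropping the period lets the
# phrase match at end of sentence as well.
body __MAJORDOMO_HELP_BODY2 /\bNo valid commands found\b/
meta VBOUNCE_MAJORDOMO_HELP (__MAJORDOMO_SUBJ && __MAJORDOMO_HELP_BODY && __MAJORDOMO_HELP_BODY2)
describe VBOUNCE_MAJORDOMO_HELP Virus bounce - Majordomo help
score VBOUNCE_MAJORDOMO_HELP 0.1

# Later batch of Subject/body rules. Several overlap rules above (EMVD with
# VBOUNCE_WARNING, EMAIL_REJ with VBOUNCE_REJECTED, CONT_VIOL with
# VBOUNCE_VIOLATION, NAV_DETECT with VBOUNCE_NAV, AV_RESULTS with VBOUNCE_RAV);
# they are kept so existing filters that name them keep working, and each
# only adds 0.1.
header VBOUNCE_AV_RESULTS Subject =~ /AntiVirus scan results/
describe VBOUNCE_AV_RESULTS Subject: "AntiVirus scan results"
header VBOUNCE_EMVD Subject =~ /^Warning: E-mail viruses detected/
describe VBOUNCE_EMVD Subject: "Warning: E-mail viruses detected"
header VBOUNCE_UNDELIV Subject =~ /^Undeliverable mail, invalid characters in header/
describe VBOUNCE_UNDELIV Subject: "Undeliverable mail, invalid characters in header"
header VBOUNCE_BANNED_MAT Subject =~ /^Banned or potentially offensive material/
describe VBOUNCE_BANNED_MAT Subject: "Banned or potentially offensive material"
header VBOUNCE_NAV_DETECT Subject =~ /^Norton AntiVirus detected and quarantined/
describe VBOUNCE_NAV_DETECT Subject: "Norton AntiVirus detected and quarantined"
header VBOUNCE_DEL_WARN Subject =~ /^Delivery warning report id=/
describe VBOUNCE_DEL_WARN Subject: "Delivery warning report id="
header VBOUNCE_MIME_INFO Subject =~ /^The MIME information you requested/
describe VBOUNCE_MIME_INFO Subject: "The MIME information you requested"
header VBOUNCE_EMAIL_REJ Subject =~ /^EMAIL REJECTED/
describe VBOUNCE_EMAIL_REJ Subject starts with "EMAIL REJECTED"
header VBOUNCE_CONT_VIOL Subject =~ /^Content violation/
describe VBOUNCE_CONT_VIOL Subject starts with "Content violation"
header VBOUNCE_SYM_AVF Subject =~ /^Symantec AVF detected /
describe VBOUNCE_SYM_AVF Subject: "Symantec AVF detected"
header VBOUNCE_SYM_EMP Subject =~ /^Symantec E-Mail-Proxy /
describe VBOUNCE_SYM_EMP Subject: "Symantec E-Mail-Proxy"
header VBOUNCE_VIR_FOUND Subject =~ /^Virus Found in message/
describe VBOUNCE_VIR_FOUND Subject: "Virus Found in message"
header VBOUNCE_EMANAGER Subject =~ /^\[MailServer Notification\]/
describe VBOUNCE_EMANAGER Subject: "[MailServer Notification]"
body VBOUNCE_ATT_QUAR /\bThe attachment was quarantined\b/
describe VBOUNCE_ATT_QUAR Body: "The attachment was quarantined"
body VBOUNCE_SECURIQ /\bGROUP securiQ.Wall\b/
describe VBOUNCE_SECURIQ Body: "GROUP securiQ.Wall"

score VBOUNCE_AV_RESULTS 0.1
score VBOUNCE_EMVD 0.1
score VBOUNCE_UNDELIV 0.1
score VBOUNCE_BANNED_MAT 0.1
score VBOUNCE_NAV_DETECT 0.1
score VBOUNCE_DEL_WARN 0.1
score VBOUNCE_MIME_INFO 0.1
score VBOUNCE_EMAIL_REJ 0.1
score VBOUNCE_CONT_VIOL 0.1
score VBOUNCE_SYM_AVF 0.1
score VBOUNCE_SYM_EMP 0.1
score VBOUNCE_ATT_QUAR 0.1
score VBOUNCE_SECURIQ 0.1
score VBOUNCE_VIR_FOUND 0.1
score VBOUNCE_EMANAGER 0.1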