Mailing List Archive

SA and Virus Warning Messages - Need Rule
Technically virus warning messages aren't spam - or are they?

When a virus sends a message it always uses a fake email address as the
source so when virus filtering programs detect it - they send a warning
message to the wrong person that there is a virus in the email - and of
course - it's proud to announce which virus detector found it.

But - these messages contain no useful information because the person who
sent the virus never gets the message and some innocent person who the
virus impersonated gets a wrong message that they have the virus.

I really think it's sort of a plot to sell virus software - but that's
another debate.

The POINT!

These messages are annoying and misleading and are of no useful value and
I'd like to get rid of them. Looking for someone to write a virus bounce
message rule so I can blackhole these messages.
Re: SA and Virus Warning Messages - Need Rule
* These messages are annoying and misleading and are of no useful value and
* I'd like to get rid of them. Looking for someone to write a virus bounce
* message rule so I can blackhole these messages.

I count these as spam. Here are the rules that I use. These rules
are under constant adjustment...

A couple of them would be hard to generalize w/o additional
configuration directives.

Of the 3130 items I've blocked as spam today....

106 match MUIR0021
1391 match MUIR0022
21 match MUIR0023
19 match MUIR0024
0 match MUIR0025
0 match MUIR0027
1762 match MUIR0028
11 match MUIR0064

and...

35 were caught by ClamAV but not SpamAssassin

-Dave


#
# This rule would be hard to generalize because it matches my specific
# network block.
#

header __MUIR0021C From =~ /Mail Delivery System|postmaster|mailer-daemon|<>|DrWeb-DAEMON|MAILER-IMP|Virus-Check/i
header __MUIR0021D Subject =~ /^(Mail Delivery System|Your Message Could Not Be Delivered|Delivery Notification|Returned mail: see transcript for details|Permanent Delivery Failure|Mail System Error - Returned Mail|Undeliverable Mail: Returned To Mailer|Undeliverable mail|Returned Mail: Error During Delivery|InterScan NT Alert)$/
header __MUIR0021E From =~ /masterrobot/
header __MUIR0021F Subject =~ /^(abort letter)$/
header __MUIR0021G Envelope-Sender =~ /MAILER-DAEMON/
header __MUIR0021H X-Envelope-From =~ /MAILER-DAEMON/
full __MUIR0021I /\AFrom MAILER-DAEMON\@/
full __MUIR0021J /\AFrom mailsrv\@/
header __MUIR0021K Subject =~ /Delivery Notification:/
full __MUIR0021L /\AFrom Mail-Administrator\@/
header __MUIR0021M Subject =~ /Mail Delivery/
meta __MUIR0021A (( __MUIR0021C || __MUIR0021D || __MUIR0021G || __MUIR0021H || __MUIR0021I || ( __MUIR0021E && __MUIR0021F) || ( __MUIR0021J && __MUIR0021K ) || ( __MUIR0021L && __MUIR0021M )) && ! __MUIR0018B )
full MUIR0021B /\A([^\n]|\n(?!\n))+\n\n.*\n\s*Received:(.|\n\s)*\[216\.240\.\d\d\.\d+\]/s
score MUIR0021B 0.0
meta MUIR0021 ( __MUIR0021A && ! MUIR0021B )
describe MUIR0021 Postmaster bounces w/o an idiom-network received line
score MUIR0021 2.5


meta MUIR0022 ( ( MUIR0021 || MUIR0028 ) && ( MICROSOFT_EXECUTABLE || LARGE_HEX ))
describe MUIR0022 Bounce or fraud with executables
score MUIR0022 5.01

header __MUIR0023A Subject =~ /virus|Aviso_de_detecci/i
meta MUIR0023 ( __MUIR0021A && ( __MUIR0023A || __MUIR0024A ))
describe MUIR0023 postmaster bounce with virus subject
score MUIR0023 2.51

full __MUIR0024A /ScanMail (?:for Microsoft Exchange )?(?:has )?(?:detected|blocked) (?:a virus|an attachment)\b|Your attachment \S+ contained virus|detected an email from your email address containing a virus|O nosso Sistema AntiV.rus detectou um poss.vel v.rus num mail enviado|because contains an infected object|as it was found to contain virus|The original attachment contains a virus|Your attachment \S+ contained virus|Network Associates WebShield SMTP V\S+ .{0,25}on \S+ detected virus|infected with the \S+ virus and was successfully cleaned|Found the \S+ virus|Found threat: Content disallowed by site policy|which was infected with the \S+ virus|You have sent a virus infected mail|following message had attachment\(s\) which contained viruses|you sent to \S+ contains a virus|file \S+ has been replaced as it contains the \S+ virus|Found virus \S+ in file \S+ |Le message suivant contenait des fichiers joints avec des virus|Virus a .t. d.tect..? dans un mail que vous avez envoy|Se ha detectado un virus en un mensaje enviado por Ud|Attention! \S+ sent you the message with the[\n\s]+VIRUS: \S+[\n\s]+It was rejected for delivery|\w+ anti-virus system has stopped the|The file met the blocking options set in the anti-virus system|the attachement included in your message was infected with a virus|Attachment \S+ was Deleted for the following reasons:\s*\n\s*Virus \S+ was found|This message is simply to warn you that your computer system may have a[\n\s]+virus present and should be checked|The mail system received a message from \S+ sent to\n\S+\nthat contains either infected or suspicious file\(s\) and it has|You have sent a virus infected mail.*\nwhich was quaratined to protect.*\nthe recipient|violated the content\s*\nfiltering rule Info: .* has blocked by|A file attached to this email was removed\s*\nbecause it was infected with a virus|Your email message was blocked by the .*Virus.* and was not forwarded|The \S+ detected a virus in the attached file listed|Antigen for Exchange found \S+ infected with VIRUS|\(reason: 550 X-Clamd-Found: \S+\)|is removed from here because it contains a virus|The file you have sent was infected with a virus but InterScan E-Mail VirusWall|A virus has been detected in an e-mail message sent by you|Receiver, InterScan has detected virus\(es\) in the e-mail attachment|You are receiving\s*\nthis message because you recently sent an e-mail message containing an\s*\nattachment which was flagged by|A virus was found in an Email message you sent|Norton AntiVirus found a virus in an attachment you \(.*?\) sent\b|A virus was found in an Email message you sent|Our content checker found[\n\s]+virus: \S+[\n\s]+in email presumably from you|eSafe detected a hostile content in this email|Antigen for Exchange found.*?infected with|Um virus foi encontrado numa mensagem de Email que acabou de|The mail message sent to you from.*?contained an attachment named.*?which contained the \S+ virus|contained a computer virus\. The delivery was blocked\.|Symantec AntiVirus found a virus in an attachment you|Please check your system for viruses, or ask your system administrator|Because it believes the message contains a virus|The Illegal attachment type was reported to be:[\s\n]+worm with|The attachment \S+ contained the virus \S+ and\b|One or more attachments were quarantined|The message you emailed to \S+ dated \S+ \S+ contains the \S+ virus in the \S+ attachment|Mail Transaction Failed - This mail couldn't be converted|Der Anhang \S+ enthielt den Virus \S+ und konnte|A message containing a virus was sent from your e-mail address|As a security measure our system cannot receive executable files|The message body contained \S+ virus\b|MAILSweeper found a VIRUS in a message from|The following mail was blocked since it contains sensitive content|Action taken: Deleted[\s\n]+Reason: Anti-Virus|Virus attachment file\(s\) found in your mail|Message sent to \S+ was quarantined because it contained|S I E V I R U S A L E R T| was blocked due to a content violation found in the email message|-{10,50}[\n\s]+RAV Antivirus results[\n\s]+-{10,50}|You sent an infected message|The attachment \S+ contained the virus/i
describe MUIR0024 virus notification
meta MUIR0024 (( __MUIR0023A || __MUIR0024B || MUIR0021 ) && __MUIR0024A )
score MUIR0024 5.01
header __MUIR0024B Subject =~ /Report to Sender|Virus [fF]ound in message|Returned due to virus|Antigen found VIRUS|virus found in sent message|VIRUS \(.*?\) IN MAIL FROM YOU|This alert event was sent by eSafe Protect Gateway|Antigen found VIRUS|virus encontrado em mensagem enviada|^VIRUS ALERT\!$|Virus detected in: Mail Delivery|\[MailServer Notification\] To External Sender: a virus was found|VIRUS IN YOUR MAIL|has detected a Virus in your message|Illegal attachment type found in sent message|SAV detected a violation in a document you authored|Norton AntiVirus detected and quarantined a virus in a message you sent|To Sender file blocking settings matched and action taken|Virus Warning$|Virus Alert: Mail Delivery failure|SAV hat einen Virus in einem|VIRUS ALERT: \S+$|This is an alert from eSafe|Email return due to potentially unsafe attachment|Virus Found in (?:a )?message|virus found or matched file blocking|Spam mail warning notification|Virus Alert|You have sent a virus|VIRUS en su email a sm|Banned Content Email - Deleted|Virus scan results|VIRUS FOUND in your message/


full __MUIR0025A /\A([^\n]|\n(?!\n))+\n\n.*\n\s*Received: /s
score __MUIR0025A 0.0
meta MUIR0025 ( MUIR0021 && __MUIR0025A )
describe MUIR0025 Bounce includes Received: lines but no reference idiom blocks
score MUIR0025 3.5

header __MUIR0027A Subject =~ /Mailman results for|Majordomo results/
body __MUIR0027B /Command\?.*MIME|Command 'content-transfer-encoding:'/
meta MUIR0027 ( __MUIR0027A && __MUIR0027B )
describe MUIR0027 MIME message sent to list subscribe address
score MUIR0027 3.2

#
# This one is particularly hard to generalize but it catches a lot
# of virus bounce email.
#

full MUIR0028 /\bReceived: (from \[(?!(127\.0\.0\.1|216\.240\.32.1))(\d+\.){3}\d+\] \((?:(?i)HELO)[ =]idiom\.com\)|(from\s+idiom\.com\n?|from \S+ \(HELO idiom\.com\)) \((\[|\S+\s*\[)?(?!(127\.0\.0\.1|216\.240\.32.1))(\d+\.){3}\d+\]?(\s*(\(may be forged\)|\(misconfigured sender\)|RDNS failed))?\))/
describe MUIR0028 someone is pretending to be idiom
score MUIR0028 2.51


body __MUIR0064A /Disallowed attach(?:ment)? type|Reason: "Ha sido encontrado un virus.|PROHIBITED FILE IN MESSAGE|550 Error: Message content rejected|Virus\(es\) found\. \S+ is infected with |Requested action not taken: Invalid file attachment|554 5.6.1 Body type not supported by Remote Host|Our content checker found|The message you sent contained an attachment which the recipient has chosen to block\.|has detected virus\(es\) in your e-mail attachment\.|The message and attachment, which contained a blocked extension, has been blocked\.|attachments that could contain malicious code\.|Your message was infected with a virus|Your message was infected by VIRUS|550 5\.7\.1 Message content rejected|Virus Found and Could Not Be Removed|This e-mail in its original form contained one or more attached files that were infected with a virus or|The following message contained restricted attachment|A problem with the message content was found|If the executable attachment you want to send|email server does not accept executable file attachments|we don't accept email with executable content|This message was rejected due to a possible virus|Potentially dangerous file in MIME attachment|This message contains malware|5\d\d \S+ Virus Detected|Unsafe Windows attachment|A virus was detected in the[\s\n]+message|Virus found!|scanner intercepted it and stopped the entire message/i
meta MUIR0064 ( MUIR0021 && __MUIR0064A )
describe MUIR0064 Bounce because of attachment
score MUIR0064 2.51
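The MUIR0021 logic from the rules above, carried into Python as an added example that is not code from the post or from SpamAssassin: a message with bounce-shaped From/Subject headers is treated as backscatter unless the returned original it quotes contains a Received: line followed by the poster's own 216.240.x.x address, which is the test MUIR0021B makes. Only a subset of the __MUIR0021C/D patterns is used, and the three sample messages are constructed.

```python
import re

# Own network block, copied from the post's MUIR0021B rule (216.240.x.x).
OWN_NET = re.compile(r"\[216\.240\.\d\d\.\d+\]")

# Subset of the __MUIR0021C / __MUIR0021D header patterns from the post.
BOUNCE_FROM = re.compile(
    r"Mail Delivery System|postmaster|mailer-daemon|<>|DrWeb-DAEMON|MAILER-IMP|Virus-Check", re.I)
BOUNCE_SUBJECT = re.compile(
    r"^(Mail Delivery System|Your Message Could Not Be Delivered|Delivery Notification|"
    r"Returned mail: see transcript for details|Permanent Delivery Failure|Undeliverable mail)$")

def header(raw, name):
    """First value of a top-level header; top-level headers end at the first blank line."""
    head = raw.partition("\n\n")[0]
    m = re.search(r"^%s:[ \t]*(.*)$" % re.escape(name), head, re.M | re.I)
    return m.group(1) if m else ""

def looks_like_bounce(raw):
    """__MUIR0021A reduced to its From/Subject tests."""
    return bool(BOUNCE_FROM.search(header(raw, "From"))
                or BOUNCE_SUBJECT.search(header(raw, "Subject")))

def quoted_original_from_own_net(raw):
    """MUIR0021B: the body quotes a Received: line and, somewhere after it, our own address.
    A real bounce of mail we sent returns our relay's Received: line; a notification
    about mail that merely forged one of our addresses does not."""
    body = raw.partition("\n\n")[2]
    first = re.search(r"^\s*Received:", body, re.M)
    return bool(first and OWN_NET.search(body, first.end()))

def is_backscatter(raw):
    """MUIR0021: bounce-shaped headers with no trace of our network in the returned mail."""
    return looks_like_bounce(raw) and not quoted_original_from_own_net(raw)

# Constructed sample messages (not taken from the post).
BACKSCATTER = ("From: MAILER-DAEMON@relay.example.net\nSubject: Undeliverable mail\n\n"
               "Your message contained a virus and was not delivered.\n\n"
               "Received: from [10.9.8.7] (HELO idiom.com)\nFrom: someone@idiom.com\n")
REAL_BOUNCE = ("From: postmaster@remote.example.org\n"
               "Subject: Returned mail: see transcript for details\n\n"
               "The original message was received at the remote host.\n\n"
               "Received: from idiom.com (idiom.com [216.240.32.5])\nFrom: someone@idiom.com\n")
NORMAL = "From: alice@example.com\nSubject: lunch on Friday?\n\nSee you at noon.\n"

if __name__ == "__main__":
    for label, raw in (("backscatter", BACKSCATTER), ("real bounce", REAL_BOUNCE), ("normal", NORMAL)):
        print(label, "->", is_backscatter(raw))
```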