* These messages are annoying and misleading and are of no useful value and
* I'd like to get rid of them. Looking for someone to write a virus bounce
* message rule so I can blackhole these messages.
I count these as spam. Here are the rules that I use. These rules
are under constant adjustment...
A couple of them would be hard to generalize w/o additional
configuration directives.
Of the 3130 items I've blocked as spam today....
106 match MUIR0021
1391 match MUIR0022
21 match MUIR0023
19 match MUIR0024
0 match MUIR0025
0 match MUIR0027
1762 match MUIR0028
11 match MUIR0064
and...
35 were caught by ClamAV but not SpamAssassin
-Dave
#
# This rule would be hard to generalize because it matches my specific
# network block.
#
header __MUIR0021C From =~ /Mail Delivery System|postmaster|mailer-daemon|<>|DrWeb-DAEMON|MAILER-IMP|Virus-Check/i
header __MUIR0021D Subject =~ /^(Mail Delivery System|Your Message Could Not Be Delivered|Delivery Notification|Returned mail: see transcript for details|Permanent Delivery Failure|Mail System Error - Returned Mail|Undeliverable Mail: Returned To Mailer|Undeliverable mail|Returned Mail: Error During Delivery|InterScan NT Alert)$/
header __MUIR0021E From =~ /masterrobot/
header __MUIR0021F Subject =~ /^(abort letter)$/
header __MUIR0021G Envelope-Sender =~ /MAILER-DAEMON/
header __MUIR0021H X-Envelope-From =~ /MAILER-DAEMON/
full __MUIR0021I /\AFrom MAILER-DAEMON\@/
full __MUIR0021J /\AFrom mailsrv\@/
header __MUIR0021K Subject =~ /Delivery Notification:/
full __MUIR0021L /\AFrom Mail-Administrator\@/
header __MUIR0021M Subject =~ /Mail Delivery/
meta __MUIR0021A (( __MUIR0021C || __MUIR0021D || __MUIR0021G || __MUIR0021H || __MUIR0021I || ( __MUIR0021E && __MUIR0021F) || ( __MUIR0021J && __MUIR0021K ) || ( __MUIR0021L && __MUIR0021M )) && ! __MUIR0018B )
full MUIR0021B /\A([^\n]|\n(?!\n))+\n\n.*\n\s*Received:(.|\n\s)*\[216\.240\.\d\d\.\d+\]/s
score MUIR0021B 0.0
meta MUIR0021 ( __MUIR0021A && ! MUIR0021B )
describe MUIR0021 Postmaster bounces w/o an idiom-network received line
score MUIR0021 2.5
meta MUIR0022 ( ( MUIR0021 || MUIR0028 ) && ( MICROSOFT_EXECUTABLE || LARGE_HEX ))
describe MUIR0022 Bounce or fraud with executables
score MUIR0022 5.01
header __MUIR0023A Subject =~ /virus|Aviso_de_detecci/i
meta MUIR0023 ( __MUIR0021A && ( __MUIR0023A || __MUIR0024A ))
describe MUIR0023 postmaster bounce with virus subject
score MUIR0023 2.51
full __MUIR0024A /ScanMail (?:for Microsoft Exchange )?(?:has )?(?:detected|blocked) (?:a virus|an attachment)\b|Your attachment \S+ contained virus|detected an email from your email address containing a virus|O nosso Sistema AntiV.rus detectou um poss.vel v.rus num mail enviado|because contains an infected object|as it was found to contain virus|The original attachment contains a virus|Your attachment \S+ contained virus|Network Associates WebShield SMTP V\S+ .{0,25}on \S+ detected virus|infected with the \S+ virus and was successfully cleaned|Found the \S+ virus|Found threat: Content disallowed by site policy|which was infected with the \S+ virus|You have sent a virus infected mail|following message had attachment\(s\) which contained viruses|you sent to \S+ contains a virus|file \S+ has been replaced as it contains the \S+ virus|Found virus \S+ in file \S+ |Le message suivant contenait des fichiers joints avec des virus|Virus a .t. d.tect..? dans un mail que vous avez envoy|Se ha detectado un virus en un mensaje enviado por Ud|Attention! \S+ sent you the message with the[\n\s]+VIRUS: \S+[\n\s]+It was rejected for delivery|\w+ anti-virus system has stopped the|The file met the blocking options set in the anti-virus system|the attachement included in your message was infected with a virus|Attachment \S+ was Deleted for the following reasons:\s*\n\s*Virus \S+ was found|This message is simply to warn you that your computer system may have a[\n\s]+virus present and should be checked|The mail system received a message from \S+ sent to\n\S+\nthat contains either infected or suspicious file\(s\) and it has|You have sent a virus infected mail.*\nwhich was quaratined to protect.*\nthe recipient|violated the content\s*\nfiltering rule Info: .* has blocked by|A file attached to this email was removed\s*\nbecause it was infected with a virus|Your email message was blocked by the .*Virus.* and was not forwarded|The \S+ detected a virus in the attached file listed|Antigen for Exchange found \S+ infected with VIRUS|\(reason: 550 X-Clamd-Found: \S+\)|is removed from here because it contains a virus|The file you have sent was infected with a virus but InterScan E-Mail VirusWall|A virus has been detected in an e-mail message sent by you|Receiver, InterScan has detected virus\(es\) in the e-mail attachment|You are receiving\s*\nthis message because you recently sent an e-mail message containing an\s*\nattachment which was flagged by|A virus was found in an Email message you sent|Norton AntiVirus found a virus in an attachment you \(.*?\) sent\b|A virus was found in an Email message you sent|Our content checker found[\n\s]+virus: \S+[\n\s]+in email presumably from you|eSafe detected a hostile content in this email|Antigen for Exchange found.*?infected with|Um virus foi encontrado numa mensagem de Email que acabou de|The mail message sent to you from.*?contained an attachment named.*?which contained the \S+ virus|contained a computer virus\. The delivery was blocked\.|Symantec AntiVirus found a virus in an attachment you|Please check your system for viruses, or ask your system administrator|Because it believes the message contains a virus|The Illegal attachment type was reported to be:[\s\n]+worm with|The attachment \S+ contained the virus \S+ and\b|One or more attachments were quarantined|The message you emailed to \S+ dated \S+ \S+ contains the \S+ virus in the \S+ attachment|Mail Transaction Failed - This mail couldn't be converted|Der Anhang \S+ enthielt den Virus \S+ und konnte|A message containing a virus was sent from your e-mail address|As a security measure our system cannot receive executable files|The message body contained \S+ virus\b|MAILSweeper found a VIRUS in a message from|The following mail was blocked since it contains sensitive content|Action taken: Deleted[\s\n]+Reason: Anti-Virus|Virus attachment file\(s\) found in your mail|Message sent to \S+ was quarantined because it contained|S I E V I R U S A L E R T| was blocked due to a content violation found in the email message|-{10,50}[\n\s]+RAV Antivirus results[\n\s]+-{10,50}|You sent an infected message|The attachment \S+ contained the virus/i
describe MUIR0024 virus notification
meta MUIR0024 (( __MUIR0023A || __MUIR0024B || MUIR0021 ) && __MUIR0024A )
score MUIR0024 5.01
header __MUIR0024B Subject =~ /Report to Sender|Virus [fF]ound in message|Returned due to virus|Antigen found VIRUS|virus found in sent message|VIRUS \(.*?\) IN MAIL FROM YOU|This alert event was sent by eSafe Protect Gateway|Antigen found VIRUS|virus encontrado em mensagem enviada|^VIRUS ALERT\!$|Virus detected in: Mail Delivery|\[MailServer Notification\] To External Sender: a virus was found|VIRUS IN YOUR MAIL|has detected a Virus in your message|Illegal attachment type found in sent message|SAV detected a violation in a document you authored|Norton AntiVirus detected and quarantined a virus in a message you sent|To Sender file blocking settings matched and action taken|Virus Warning$|Virus Alert: Mail Delivery failure|SAV hat einen Virus in einem|VIRUS ALERT: \S+$|This is an alert from eSafe|Email return due to potentially unsafe attachment|Virus Found in (?:a )?message|virus found or matched file blocking|Spam mail warning notification|Virus Alert|You have sent a virus|VIRUS en su email a sm|Banned Content Email - Deleted|Virus scan results|VIRUS FOUND in your message/
full __MUIR0025A /\A([^\n]|\n(?!\n))+\n\n.*\n\s*Received: /s
score __MUIR0025A 0.0
meta MUIR0025 ( MUIR0021 && __MUIR0025A )
describe MUIR0025 Bounce includes Received: lines but no reference idiom blocks
score MUIR0025 3.5
header __MUIR0027A Subject =~ /Mailman results for|Majordomo results/
body __MUIR0027B /Command\?.*MIME|Command 'content-transfer-encoding:'/
meta MUIR0027 ( __MUIR0027A && __MUIR0027B )
describe MUIR0027 MIME message sent to list subscribe address
score MUIR0027 3.2
#
# This one is particularly hard to generalize but it catches a lot
# of virus bounce email.
#
full MUIR0028 /\bReceived: (from \[(?!(127\.0\.0\.1|216\.240\.32.1))(\d+\.){3}\d+\] \((?:(?i)HELO)[ =]idiom\.com\)|(from\s+idiom\.com\n?|from \S+ \(HELO idiom\.com\)) \((\[|\S+\s*\[)?(?!(127\.0\.0\.1|216\.240\.32.1))(\d+\.){3}\d+\]?(\s*(\(may be forged\)|\(misconfigured sender\)|RDNS failed))?\))/
describe MUIR0028 someone is pretending to be idiom
score MUIR0028 2.51
body __MUIR0064A /Disallowed attach(?:ment)? type|Reason: "Ha sido encontrado un virus.|PROHIBITED FILE IN MESSAGE|550 Error: Message content rejected|Virus\(es\) found\. \S+ is infected with |Requested action not taken: Invalid file attachment|554 5.6.1 Body type not supported by Remote Host|Our content checker found|The message you sent contained an attachment which the recipient has chosen to block\.|has detected virus\(es\) in your e-mail attachment\.|The message and attachment, which contained a blocked extension, has been blocked\.|attachments that could contain malicious code\.|Your message was infected with a virus|Your message was infected by VIRUS|550 5\.7\.1 Message content rejected|Virus Found and Could Not Be Removed|This e-mail in its original form contained one or more attached files that were infected with a virus or|The following message contained restricted attachment|A problem with the message content was found|If the executable attachment you want to send|email server does not accept executable file attachments|we don't accept email with executable content|This message was rejected due to a possible virus|Potentially dangerous file in MIME attachment|This message contains malware|5\d\d \S+ Virus Detected|Unsafe Windows attachment|A virus was detected in the[\s\n]+message|Virus found!|scanner intercepted it and stopped the entire message/i
meta MUIR0064 ( MUIR0021 && __MUIR0064A )
describe MUIR0064 Bounce because of attachment
score MUIR0064 2.51
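As an added example (my own code, not Dave's rules and not part of the original post), the following Python script re-implements the core of the bounce logic above so that the way the meta rules combine can be run against sample messages. It keeps the 216.240.x.x network block from MUIR0021B and the scores from the post, but uses a placeholder domain (example.net) in place of idiom.com, only the header sub-rules of __MUIR0021A, a simplified form of the MUIR0028 forged-HELO pattern, and three constructed messages. The point it makes visible is what makes MUIR0021/MUIR0025 work as backscatter detection: a bounce is only trusted when the quoted original carries a Received: line showing it really left your own network.

```python
import re

# Network block taken from rule MUIR0021B on the page; domain is a placeholder.
OWN_NET_IP = re.compile(r"\[216\.240\.\d\d\.\d+\]")
OWN_DOMAIN = "example.net"  # placeholder for the protected domain (idiom.com in the post)

# __MUIR0021C/D/G/H: sender and subject idioms used by MTAs and AV gateways
BOUNCE_FROM = re.compile(
    r"Mail Delivery System|postmaster|mailer-daemon|<>|DrWeb-DAEMON|MAILER-IMP|Virus-Check", re.I)
BOUNCE_SUBJECT = re.compile(
    r"^(Mail Delivery System|Your Message Could Not Be Delivered|Delivery Notification"
    r"|Returned mail: see transcript for details|Permanent Delivery Failure"
    r"|Mail System Error - Returned Mail|Undeliverable Mail: Returned To Mailer"
    r"|Undeliverable mail|Returned Mail: Error During Delivery|InterScan NT Alert)$")
ENVELOPE_DAEMON = re.compile(r"MAILER-DAEMON")
VIRUS_SUBJECT = re.compile(r"virus|Aviso_de_detecci", re.I)  # __MUIR0023A
# MUIR0028, simplified: a host outside our block HELOs as our own domain
FORGED_HELO = re.compile(
    r"Received: from \[(?!216\.240\.)(?:\d+\.){3}\d+\] \((?i:HELO) " + re.escape(OWN_DOMAIN) + r"\)")

SCORES = {"MUIR0021": 2.5, "MUIR0023": 2.51, "MUIR0025": 3.5, "MUIR0028": 2.51}


def split_message(raw):
    """Split raw RFC 822 text into (headers, body); folded header lines are unfolded first."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in re.sub(r"\n[ \t]+", " ", head).split("\n"):
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def header(headers, name):
    return " ".join(headers.get(name.lower(), []))


def quoted_received_lines(body):
    """Received: headers of the attached original, i.e. the trace the bouncing MTA quotes back."""
    return re.findall(r"^[ \t]*Received:.*(?:\n[ \t].*)*", body, re.M)


def looks_like_bounce(headers):
    """Header subset of __MUIR0021A."""
    return bool(BOUNCE_FROM.search(header(headers, "From"))
                or BOUNCE_SUBJECT.search(header(headers, "Subject"))
                or ENVELOPE_DAEMON.search(header(headers, "Envelope-Sender"))
                or ENVELOPE_DAEMON.search(header(headers, "X-Envelope-From")))


def evaluate(raw):
    """Return {rule: score} for the rules that fire on one raw message."""
    headers, body = split_message(raw)
    hits = {}
    if FORGED_HELO.search(raw):  # MUIR0028 is a 'full' rule: whole message
        hits["MUIR0028"] = SCORES["MUIR0028"]
    if not looks_like_bounce(headers):
        return hits
    quoted = quoted_received_lines(body)
    # MUIR0021B: the quoted original passed through our own network, so the bounce is probably genuine
    if not any(OWN_NET_IP.search(line) for line in quoted):
        hits["MUIR0021"] = SCORES["MUIR0021"]
        if quoted:  # MUIR0025: a trace is quoted, but it never touched our network
            hits["MUIR0025"] = SCORES["MUIR0025"]
    if VIRUS_SUBJECT.search(header(headers, "Subject")):  # MUIR0023
        hits["MUIR0023"] = SCORES["MUIR0023"]
    return hits


def total_score(raw):
    return sum(evaluate(raw).values())


# Constructed sample messages (not real mail): a genuine bounce of something a
# host in our block sent, and backscatter for mail forged in our name.
GENUINE_BOUNCE = """From: MAILER-DAEMON@mx.example.net
To: user@example.net
Subject: Undeliverable mail

The following address failed: nobody@remote.example

Received: from ws12.example.net ([216.240.32.1])
        by mx.example.net with ESMTP; Mon, 5 Jan 2004 10:00:00 -0800
From: user@example.net
Subject: hello
"""

BACKSCATTER = """From: postmaster@victim.example
To: user@example.net
Subject: Undeliverable mail

Received: from [10.20.30.40] (HELO example.net)
        by mx.victim.example with SMTP; Mon, 5 Jan 2004 10:00:00 -0800
From: user@example.net
Subject: your document
"""

AV_NOTICE = BACKSCATTER.replace("Subject: Undeliverable mail", "Subject: Virus found in message")

if __name__ == "__main__":
    for name, msg in (("genuine", GENUINE_BOUNCE), ("backscatter", BACKSCATTER), ("av notice", AV_NOTICE)):
        print(f"{name:12s} {evaluate(msg)} total={total_score(msg):.2f}")
```

Run directly, it prints which rules fire for each sample: the genuine bounce scores nothing because the quoted trace contains an address in our block, while the two backscatter messages pick up MUIR0021, MUIR0025 and MUIR0028 (plus MUIR0023 when the subject mentions a virus). The script only makes the logic visible; in production the rules stay in SpamAssassin's own syntax as shown above.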