* These messages are annoying and misleading and are of no useful value and
* I'd like to get rid of them. Looking for someone to write a virus bounce
* message rule so I can blackhole these messages.
I count these as spam. Here are the rules that I use. These rules
are under constant adjustment...
A couple of them would be hard to generalize w/o additional
configuration directives.
Of the 3130 items I've blocked as spam today....
106 match MUIR0021
1391 match MUIR0022
21 match MUIR0023
19 match MUIR0024
0 match MUIR0025
0 match MUIR0027
1762 match MUIR0028
11 match MUIR0064
and...
35 were caught by ClamAV but not SpamAssassin
-Dave
#
# Each rule is on one line; SpamAssassin does not join wrapped lines.
# Sub-rules whose names start with __ score nothing on their own and
# only feed the meta rules.
#
# This rule would be hard to generalize because it matches my specific
# network block.
#
header __MUIR0021C From =~ /Mail Delivery System|postmaster|mailer-daemon|<>|DrWeb-DAEMON|MAILER-IMP|Virus-Check/i
header __MUIR0021D Subject =~ /^(Mail Delivery System|Your Message Could Not Be Delivered|Delivery Notification|Returned mail: see transcript for details|Permanent Delivery Failure|Mail System Error - Returned Mail|Undeliverable Mail: Returned To Mailer|Undeliverable mail|Returned Mail: Error During Delivery|InterScan NT Alert)$/
header __MUIR0021E From =~ /masterrobot/
header __MUIR0021F Subject =~ /^(abort letter)$/
header __MUIR0021G Envelope-Sender =~ /MAILER-DAEMON/
header __MUIR0021H X-Envelope-From =~ /MAILER-DAEMON/
full __MUIR0021I /\AFrom MAILER-DAEMON\@/
full __MUIR0021J /\AFrom mailsrv\@/
header __MUIR0021K Subject =~ /Delivery Notification:/
full __MUIR0021L /\AFrom Mail-Administrator\@/
header __MUIR0021M Subject =~ /Mail Delivery/
# __MUIR0018B is referenced here but is not part of this excerpt.
meta __MUIR0021A (( __MUIR0021C || __MUIR0021D || __MUIR0021G || __MUIR0021H || __MUIR0021I || ( __MUIR0021E && __MUIR0021F) || ( __MUIR0021J && __MUIR0021K ) || ( __MUIR0021L && __MUIR0021M )) && ! __MUIR0018B )
# Matches a bounce whose quoted original carries a Received: line from my
# own network, i.e. a bounce of mail I really sent. Scored 0.0 so it only
# acts through the negation in MUIR0021 below.
full MUIR0021B /\A([^\n]|\n(?!\n))+\n\n.*\n\s*Received:(.|\n\s)*\[216\.240\.\d\d\.\d+\]/s
score MUIR0021B 0.0
meta MUIR0021 ( __MUIR0021A && ! MUIR0021B )
describe MUIR0021 Postmaster bounces w/o an idiom-network received line
score MUIR0021 2.5
meta MUIR0022 ( ( MUIR0021 || MUIR0028 ) && ( MICROSOFT_EXECUTABLE || LARGE_HEX ))
describe MUIR0022 Bounce or fraud with executables
score MUIR0022 5.01
header __MUIR0023A Subject =~ /virus|Aviso_de_detecci/i
meta MUIR0023 ( __MUIR0021A && ( __MUIR0023A || __MUIR0024A ))
describe MUIR0023 postmaster bounce with virus subject
score MUIR0023 2.51
# Body phrases used by the various gateway scanners in their "you sent us a
# virus" notifications (one long alternation, case-insensitive).
full __MUIR0024A /ScanMail (?:for Microsoft Exchange )?(?:has )?(?:detected|blocked) (?:a virus|an attachment)\b|Your attachment \S+ contained virus|detected an email from your email address containing a virus|O nosso Sistema AntiV.rus detectou um poss.vel v.rus num mail enviado|because contains an infected object|as it was found to contain virus|The original attachment contains a virus|Your attachment \S+ contained virus|Network Associates WebShield SMTP V\S+ .{0,25}on \S+ detected virus|infected with the \S+ virus and was successfully cleaned|Found the \S+ virus|Found threat: Content disallowed by site policy|which was infected with the \S+ virus|You have sent a virus infected mail|following message had attachment\(s\) which contained viruses|you sent to \S+ contains a virus|file \S+ has been replaced as it contains the \S+ virus|Found virus \S+ in file \S+ |Le message suivant contenait des fichiers joints avec des virus|Virus a .t. d.tect..? dans un mail que vous avez envoy|Se ha detectado un virus en un mensaje enviado por Ud|Attention! \S+ sent you the message with the[\n\s]+VIRUS: \S+[\n\s]+It was rejected for delivery|\w+ anti-virus system has stopped the|The file met the blocking options set in the anti-virus system|the attachement included in your message was infected with a virus|Attachment \S+ was Deleted for the following reasons:\s*\n\s*Virus \S+ was found|This message is simply to warn you that your computer system may have a[\n\s]+virus present and should be checked|The mail system received a message from \S+ sent to\n\S+\nthat contains either infected or suspicious file\(s\) and it has|You have sent a virus infected mail.*\nwhich was quaratined to protect.*\nthe recipient|violated the content\s*\nfiltering rule Info: .* has blocked by|A file attached to this email was removed\s*\nbecause it was infected with a virus|Your email message was blocked by the .*Virus.* and was not forwarded|The \S+ detected a virus in the attached file listed|Antigen for Exchange found \S+ infected with VIRUS|\(reason: 550 X-Clamd-Found: \S+\)|is removed from here because it contains a virus|The file you have sent was infected with a virus but InterScan E-Mail VirusWall|A virus has been detected in an e-mail message sent by you|Receiver, InterScan has detected virus\(es\) in the e-mail attachment|You are receiving\s*\nthis message because you recently sent an e-mail message containing an\s*\nattachment which was flagged by|A virus was found in an Email message you sent|Norton AntiVirus found a virus in an attachment you \(.*?\) sent\b|A virus was found in an Email message you sent|Our content checker found[\n\s]+virus: \S+[\n\s]+in email presumably from you|eSafe detected a hostile content in this email|Antigen for Exchange found.*?infected with|Um virus foi encontrado numa mensagem de Email que acabou de|The mail message sent to you from.*?contained an attachment named.*?which contained the \S+ virus|contained a computer virus\. The delivery was blocked\.|Symantec AntiVirus found a virus in an attachment you|Please check your system for viruses, or ask your system administrator|Because it believes the message contains a virus|The Illegal attachment type was reported to be:[\s\n]+worm with|The attachment \S+ contained the virus \S+ and\b|One or more attachments were quarantined|The message you emailed to \S+ dated \S+ \S+ contains the \S+ virus in the \S+ attachment|Mail Transaction Failed - This mail couldn't be converted|Der Anhang \S+ enthielt den Virus \S+ und konnte|A message containing a virus was sent from your e-mail address|As a security measure our system cannot receive executable files|The message body contained \S+ virus\b|MAILSweeper found a VIRUS in a message from|The following mail was blocked since it contains sensitive content|Action taken: Deleted[\s\n]+Reason: Anti-Virus|Virus attachment file\(s\) found in your mail|Message sent to \S+ was quarantined because it contained|S I E V I R U S A L E R T| was blocked due to a content violation found in the email message|-{10,50}[\n\s]+RAV Antivirus results[\n\s]+-{10,50}|You sent an infected message|The attachment \S+ contained the virus/i
describe MUIR0024 virus notification
meta MUIR0024 (( __MUIR0023A || __MUIR0024B || MUIR0021 ) && __MUIR0024A )
score MUIR0024 5.01
# Subject lines used by the same scanners.
header __MUIR0024B Subject =~ /Report to Sender|Virus [fF]ound in message|Returned due to virus|Antigen found VIRUS|virus found in sent message|VIRUS \(.*?\) IN MAIL FROM YOU|This alert event was sent by eSafe Protect Gateway|Antigen found VIRUS|virus encontrado em mensagem enviada|^VIRUS ALERT\!$|Virus detected in: Mail Delivery|\[MailServer Notification\] To External Sender: a virus was found|VIRUS IN YOUR MAIL|has detected a Virus in your message|Illegal attachment type found in sent message|SAV detected a violation in a document you authored|Norton AntiVirus detected and quarantined a virus in a message you sent|To Sender file blocking settings matched and action taken|Virus Warning$|Virus Alert: Mail Delivery failure|SAV hat einen Virus in einem|VIRUS ALERT: \S+$|This is an alert from eSafe|Email return due to potentially unsafe attachment|Virus Found in (?:a )?message|virus found or matched file blocking|Spam mail warning notification|Virus Alert|You have sent a virus|VIRUS en su email a sm|Banned Content Email - Deleted|Virus scan results|VIRUS FOUND in your message/
# Bounce quotes some Received: line (any network) after the header block.
full __MUIR0025A /\A([^\n]|\n(?!\n))+\n\n.*\n\s*Received: /s
score __MUIR0025A 0.0
meta MUIR0025 ( MUIR0021 && __MUIR0025A )
describe MUIR0025 Bounce includes Received: lines but no reference idiom blocks
score MUIR0025 3.5
header __MUIR0027A Subject =~ /Mailman results for|Majordomo results/
body __MUIR0027B /Command\?.*MIME|Command 'content-transfer-encoding:'/
meta MUIR0027 ( __MUIR0027A && __MUIR0027B )
describe MUIR0027 MIME message sent to list subscribe address
score MUIR0027 3.2
#
# This one is particularly hard to generalize but it catches a lot
# of virus bounce email: a Received: line in which a host outside my
# network (not localhost, not 216.240.32.1) said HELO as idiom.com.
#
full MUIR0028 /\bReceived: (from \[(?!(127\.0\.0\.1|216\.240\.32\.1))(\d+\.){3}\d+\] \((?:(?i)HELO)[ =]idiom\.com\)|(from\s+idiom\.com\n?|from \S+ \(HELO idiom\.com\)) \((\[|\S+\s*\[)?(?!(127\.0\.0\.1|216\.240\.32\.1))(\d+\.){3}\d+\]?(\s*(\(may be forged\)|\(misconfigured sender\)|RDNS failed))?\))/
describe MUIR0028 someone is pretending to be idiom
score MUIR0028 2.51
# Rejection / attachment-blocking phrases from receiving MTAs and gateways.
body __MUIR0064A /Disallowed attach(?:ment)? type|Reason: "Ha sido encontrado un virus.|PROHIBITED FILE IN MESSAGE|550 Error: Message content rejected|Virus\(es\) found\. \S+ is infected with |Requested action not taken: Invalid file attachment|554 5.6.1 Body type not supported by Remote Host|Our content checker found|The message you sent contained an attachment which the recipient has chosen to block\.|has detected virus\(es\) in your e-mail attachment\.|The message and attachment, which contained a blocked extension, has been blocked\.|attachments that could contain malicious code\.|Your message was infected with a virus|Your message was infected by VIRUS|550 5\.7\.1 Message content rejected|Virus Found and Could Not Be Removed|This e-mail in its original form contained one or more attached files that were infected with a virus or|The following message contained restricted attachment|A problem with the message content was found|If the executable attachment you want to send|email server does not accept executable file attachments|we don't accept email with executable content|This message was rejected due to a possible virus|Potentially dangerous file in MIME attachment|This message contains malware|5\d\d \S+ Virus Detected|Unsafe Windows attachment|A virus was detected in the[\s\n]+message|Virus found!|scanner intercepted it and stopped the entire message/i
meta MUIR0064 ( MUIR0021 && __MUIR0064A )
describe MUIR0064 Bounce because of attachment
score MUIR0064 2.51
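As an added example (not the poster's rule file and not SpamAssassin's own code), here is a reduced Python model of how the meta rules above combine their sub-rules: a postmaster bounce scores only when the quoted original carries no Received: line from the poster's own 216.240 block (MUIR0021 negating MUIR0021B), a forged HELO from outside that block is a separate hit (MUIR0028), and an executable payload in either kind of message adds the MUIR0022 points. The rule names, scores and the 216.240 block follow the post; the host name local.example, the trimmed patterns, the MZ base64 stand-in for MICROSOFT_EXECUTABLE and the four sample messages are constructed for this example.

```python
import re
from email import message_from_string

# Added example: a reduced model of the MUIR0021 / MUIR0022 / MUIR0025 / MUIR0028
# logic from the post, not the poster's rule file. Rule names, scores and the
# 216.240 block follow the post; everything else here is constructed.

LOCAL_NET = r"\[216\.240\.\d\d\.\d+\]"   # our own address block, as in MUIR0021B
LOCAL_HOST = r"local\.example"           # stands in for the poster's idiom.com

# __MUIR0021C / __MUIR0021D (trimmed): does the message look like a postmaster bounce?
BOUNCE_FROM = re.compile(r"Mail Delivery System|postmaster|mailer-daemon|<>", re.I)
BOUNCE_SUBJECT = re.compile(
    r"^(Mail Delivery System|Undeliverable mail|Returned mail: see transcript for details)$")
# MUIR0021B: the quoted original carries a Received: line from our network, i.e. we sent it.
LOCAL_RECEIVED = re.compile(r"Received:[^\n]*(?:\n[ \t][^\n]*)*" + LOCAL_NET)
# __MUIR0025A: the bounce quotes some Received: line at all.
ANY_RECEIVED = re.compile(r"^\s*Received: ", re.M)
# MUIR0028 (first alternative only): a host outside our block said HELO as us.
FORGED_HELO = re.compile(
    r"Received: from \[(?!127\.0\.0\.1|216\.240\.32\.1)(?:\d+\.){3}\d+\] \(HELO[ =]"
    + LOCAL_HOST + r"\)")
# Constructed stand-in for MICROSOFT_EXECUTABLE: a base64 line that decodes to an MZ header.
MZ_BASE64 = re.compile(r"^TVqQAAMAAAAEAAAA", re.M)

SCORES = {"MUIR0021": 2.5, "MUIR0028": 2.51, "MUIR0022": 5.01, "MUIR0025": 3.5}


def evaluate(raw):
    """Return {rule: bool} for one raw message, combining sub-rules the way the metas do."""
    msg = message_from_string(raw)
    body = raw.partition("\n\n")[2]       # the 'full' sub-rules look past the header block
    sub = {
        "__MUIR0021C": bool(BOUNCE_FROM.search(msg.get("From", ""))),
        "__MUIR0021D": bool(BOUNCE_SUBJECT.search(msg.get("Subject", ""))),
        "MUIR0021B": bool(LOCAL_RECEIVED.search(body)),
        "__MUIR0025A": bool(ANY_RECEIVED.search(body)),
        "MICROSOFT_EXECUTABLE": bool(MZ_BASE64.search(body)),
    }
    hits = {}
    # meta MUIR0021 ( __MUIR0021A && ! MUIR0021B ): a bounce of mail we never sent
    hits["MUIR0021"] = (sub["__MUIR0021C"] or sub["__MUIR0021D"]) and not sub["MUIR0021B"]
    # MUIR0028 is a plain 'full' rule, searched over the whole message
    hits["MUIR0028"] = bool(FORGED_HELO.search(raw))
    # meta MUIR0022 ( ( MUIR0021 || MUIR0028 ) && ( MICROSOFT_EXECUTABLE || LARGE_HEX ))
    hits["MUIR0022"] = (hits["MUIR0021"] or hits["MUIR0028"]) and sub["MICROSOFT_EXECUTABLE"]
    # meta MUIR0025 ( MUIR0021 && __MUIR0025A )
    hits["MUIR0025"] = hits["MUIR0021"] and sub["__MUIR0025A"]
    return hits


def score(raw):
    """Total score, as SpamAssassin would add the 'score' lines of the rules that hit."""
    return round(sum(SCORES[rule] for rule, hit in evaluate(raw).items() if hit), 2)


# Constructed sample messages (not taken from the post).
BACKSCATTER = """From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: someone@local.example
Subject: Undeliverable mail

The message you sent could not be delivered.  Original headers follow:

Received: from [10.9.8.7] (HELO local.example) by mx.example.net with SMTP
From: someone@local.example
Subject: Re: your document
"""

GENUINE_BOUNCE = """From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: someone@local.example
Subject: Undeliverable mail

The message you sent could not be delivered.  Original headers follow:

Received: from smtp.local.example ([216.240.32.5]) by mx.example.net with ESMTP
From: someone@local.example
Subject: Re: your document
"""

# Same backscatter plus a base64 line that decodes to an MZ header (constructed, not a file).
BACKSCATTER_WITH_EXE = BACKSCATTER + """
Content-Type: application/octet-stream; name="document.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA
"""

ORDINARY_MAIL = """From: Alice <alice@example.org>
To: someone@local.example
Subject: lunch?

Are you free at noon?
"""

if __name__ == "__main__":
    for name, raw in [("backscatter", BACKSCATTER), ("genuine bounce", GENUINE_BOUNCE),
                      ("backscatter+exe", BACKSCATTER_WITH_EXE), ("ordinary", ORDINARY_MAIL)]:
        fired = [rule for rule, hit in evaluate(raw).items() if hit]
        print(f"{name:16} score={score(raw):5.2f} hits={fired}")
```

The genuine bounce scores nothing because MUIR0021B fires and is negated inside MUIR0021; that is why the post gives MUIR0021B a score of 0.0, so it never adds points on its own (a `__` prefix on the name would achieve the same in SpamAssassin). The backscatter without a payload still collects MUIR0021, MUIR0025 and MUIR0028; adding the executable payload brings in MUIR0022 on top.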