Posted to commits@spamassassin.apache.org by jm...@apache.org on 2005/09/29 03:02:41 UTC
svn commit: r292364 - in /spamassassin/rules/trunk: core/ lang/ lang/de/
lang/es/ lang/fr/ lang/it/ lang/nl/ lang/pl/ lang/pt_br/ sandbox/
sandbox/jm/ sandbox/jm/20_vbounce.cf
Author: jm
Date: Wed Sep 28 18:02:38 2005
New Revision: 292364
URL: http://svn.apache.org/viewcvs?rev=292364&view=rev
Log:
create initial directory structure of rules project
Added:
spamassassin/rules/trunk/core/
spamassassin/rules/trunk/lang/
spamassassin/rules/trunk/lang/de/
spamassassin/rules/trunk/lang/es/
spamassassin/rules/trunk/lang/fr/
spamassassin/rules/trunk/lang/it/
spamassassin/rules/trunk/lang/nl/
spamassassin/rules/trunk/lang/pl/
spamassassin/rules/trunk/lang/pt_br/
spamassassin/rules/trunk/sandbox/
spamassassin/rules/trunk/sandbox/jm/
spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf
Added: spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf
URL: http://svn.apache.org/viewcvs/spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf?rev=292364&view=auto
==============================================================================
--- spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf (added)
+++ spamassassin/rules/trunk/sandbox/jm/20_vbounce.cf Wed Sep 28 18:02:38 2005
@@ -0,0 +1,362 @@
+# A virus-bounce ruleset, suitable for use by anyone receiving a lot of joe-job
+# or virus-blowback bounce messages.
+#
+# if you use this, set up procmail or your mail app to spot the "BOUNCE_",
+# "CRBOUNCE_" or "VBOUNCE_" string in the X-Spam-Status line, and move messages
+# that match that to a 'vbounce' folder.
+#
+# This is substantially based on
+# http://www.timj.co.uk/linux/bogus-virus-warnings.cf ; the main difference is
+# that I prefer to keep bounces and spam separate, so this ruleset uses the
+# rule-name-prefix trick instead of giving the rules high scores. There's
+# a couple of rules that were FPing, too, so I fixed or removed them.
+#
+# lastmod Sep 10 2005 jm
+
+# ---------------------------------------------------------------------------
+# optional: rescue messages that contain your real MX ip addresses in the body,
+# because they're *real* bounces. you may not *want* real bounces though,
+# anyway, so this is optional ;)
+#
+# body MY_IP_BOUNCE /209\.237\.227\.\d+/
+# tflags MY_IP_BOUNCE nice
+# score MY_IP_BOUNCE -5
+
+# ---------------------------------------------------------------------------
+# General bounce messages
+
+header BOUNCE_FROM_DAEMON From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin)\S+\@|<>)/i
+score BOUNCE_FROM_DAEMON 0.1
+
+header BOUNCE_RPATH_NULL Return-Path =~ /<>/
+score BOUNCE_RPATH_NULL 0.1
+
+header BOUNCE_RPATH_MD Return-Path =~ /(?:mailer-(?:daemon|deamon)|quotaagent|pleaseforward|autoresponder|autoresponse-\S+)\@/i
+score BOUNCE_RPATH_MD 0.1
+
+header __AUTO_GEN_AS exists:Auto-Submitted
+header __AUTO_GEN_MS exists:X-MS-Embedded-Report
+header __AUTO_GEN_AG exists:X-autogenerated
+header __AUTO_GEN_CM exists:X-Choicemail-Registration-Request
+header __AUTO_GEN_3 X-MailScanner =~ /generated/
+header __AUTO_GEN_4 X-Mailer =~ /autoresponder/i
+header __AUTO_GEN_XXSP X-XSP-Msgclass =~ /NOTIFICATION/
+header __AUTO_GEN_PREC Precedence =~ /auto/
+meta BOUNCE_AUTO_GENERATED (__AUTO_GEN_AS||__AUTO_GEN_MS||__AUTO_GEN_3||__AUTO_GEN_4||__AUTO_GEN_AG||__AUTO_GEN_XXSP ||__AUTO_GEN_CM||__AUTO_GEN_PREC)
+score BOUNCE_AUTO_GENERATED 0.1
+
+header BOUNCE_Y_AUTOGEN Subject =~ /^Yahoo! Auto Response/
+describe BOUNCE_Y_AUTOGEN generated by Yahoo! auto-responder
+score BOUNCE_Y_AUTOGEN 0.1
+
+header BOUNCE_SYMANTEC Subject =~ /^Returned mail.{0,5}(?:Error During Delivery|see transcript for details|)$/i
+describe BOUNCE_SYMANTEC Bounce - "Returned mail"
+score BOUNCE_SYMANTEC 0.1
+
+header BOUNCE_X_ERR_STAT X-Error-Status =~ /User unknown/
+score BOUNCE_X_ERR_STAT 0.1
+
+header BOUNCE_RETURNED Subject =~ /^Returned mail: User unknown/
+describe BOUNCE_RETURNED AOL Postmaster "Returned mail: User unknown"
+score BOUNCE_RETURNED 0.1
+
+header BOUNCE_MAILDELFAIL Subject =~ /^Mail delivery failed: /
+describe BOUNCE_MAILDELFAIL Bounce - iPlanet "Mail delivery failed"
+score BOUNCE_MAILDELFAIL 0.1
+
+header BOUNCE_MSGDELFAIL Subject =~ /^Message Delivery Failure/
+describe BOUNCE_MSGDELFAIL Bounce - Plesk "Message Delivery Failure"
+score BOUNCE_MSGDELFAIL 0.1
+
+body BOUNCE_ESMTP /^This messages was created automatically by mail delivery software/
+describe BOUNCE_ESMTP ESMTP bounce message
+score BOUNCE_ESMTP 0.1
+# JM: prev versions used "automaticly", that was a typo
+
+body BOUNCE_OOO_1 /\bI(.m| am| will be) out of the office (?:to|until|after)\b/i
+score BOUNCE_OOO_1 0.1
+
+body BOUNCE_OOO_2 /\bI ?.m away until .{10,20} and am unable to read your message\b/
+score BOUNCE_OOO_2 0.1
+
+body BOUNCE_NEVER_SEE /\bThis is an autoresponder. I'll never see your message\b/i
+score BOUNCE_NEVER_SEE 0.1
+
+body BOUNCE_NONWORKING /\bYou have reached a non.?working address. Please check\b/i
+score BOUNCE_NONWORKING 0.1
+
+header BOUNCE_UNDELIVERABLE Subject =~ /^Undeliverable: /
+describe BOUNCE_UNDELIVERABLE Bounce - "Undeliverable: ..."
+score BOUNCE_UNDELIVERABLE 0.1
+
+header BOUNCE_UNDELIVERABLE_ML Subject =~ /^Undeliver(?:able|ed) Mail\b/
+describe BOUNCE_UNDELIVERABLE_ML Bounce - "Undeliverable Mail"
+score BOUNCE_UNDELIVERABLE_ML 0.1
+
+header BOUNCE_NOTDEL Subject =~ /^MESSAGE NOT DELIVERED: /
+describe BOUNCE_NOTDEL Bounce - "MESSAGE NOT DELIVERED:"
+score BOUNCE_NOTDEL 0.1
+
+header BOUNCE_CTYPE Content-Type =~ /\bmultipart\/report\b/
+describe BOUNCE_CTYPE Bounce according to Content-Type
+score BOUNCE_CTYPE 0.1
+
+header BOUNCE_DEL_FAIL Subject =~ /^Delivery Failure Notification/
+score BOUNCE_DEL_FAIL 0.1
+
+# ---------------------------------------------------------------------------
+# Challenge/Response bounces
+
+header CRBOUNCE_UOL From =~ /\bAntiSpam UOL\b/
+describe CRBOUNCE_UOL Challenge/response bounce - UOL
+score CRBOUNCE_UOL 0.1
+
+header CRBOUNCE_RP Return-Path =~ /<(?:spamblocker-challenge|spambush|apd\.sspam)\@/i
+describe CRBOUNCE_RP Challenge/response bounce - by Return-Path
+score CRBOUNCE_RP 0.1
+
+header __AUTO_GEN_XBT exists:X-Boxtrapper
+meta CRBOUNCE_HEADER (__AUTO_GEN_XBT)
+describe CRBOUNCE_HEADER Challenge/response bounce - by header
+score CRBOUNCE_HEADER 0.1
+
+# ---------------------------------------------------------------------------
+# "Virus found in your mail" bounces
+
+body VBOUNCE_WARNING /Virus Warning/
+score VBOUNCE_WARNING 0.1
+
+# source: VirusBounceRules from the exit0 SA wiki
+
+body VBOUNCE_EXIM /a potentially executable attachment /
+describe VBOUNCE_EXIM Virus bounce - sf.net
+score VBOUNCE_EXIM 0.1
+
+body VBOUNCE_GUIN /message contains file attachments that are not permitted/
+describe VBOUNCE_GUIN Virus bounce - Guinevere
+score VBOUNCE_GUIN 0.1
+
+body VBOUNCE_CISCO /^Found virus \S+ in file \S+/m
+describe VBOUNCE_CISCO Virus bounce - Cisco.com
+score VBOUNCE_CISCO 0.1
+
+body VBOUNCE_SMTP /host \S+ said: 5\d\d\s+Error: Message content rejected/
+describe VBOUNCE_SMTP Virus bounce - SMTP error via postfix
+score VBOUNCE_SMTP 0.1
+
+body VBOUNCE_AOL /TRANSACTION FAILED - Unrepairable Virus Detected. /
+describe VBOUNCE_AOL Virus bounce - AOL
+score VBOUNCE_AOL 0.1
+
+body VBOUNCE_DUTCH /bevatte bijlage besmet welke besmet was met een virus/
+describe VBOUNCE_DUTCH Virus bounce - something in Dutch!
+score VBOUNCE_DUTCH 0.1
+
+body VBOUNCE_MAILMARSHAL /Mail.?Marshal Rule: Inbound Messages : Block Dangerous Attachments/
+describe VBOUNCE_MAILMARSHAL Virus bounce - Mail Marshal
+score VBOUNCE_MAILMARSHAL 0.1
+
+header VBOUNCE_MAILMARSHAL2 Subject =~ /^MailMarshal has detected possible spam in your message/
+describe VBOUNCE_MAILMARSHAL2 Virus bounce - Mail Marshal (2)
+score VBOUNCE_MAILMARSHAL2 0.1
+
+header VBOUNCE_NAVFAIL Subject =~ /^Norton Anti.?Virus failed to scan an attachment in a message you sent/
+describe VBOUNCE_NAVFAIL Virus bounce - Norton AV failure
+score VBOUNCE_NAVFAIL 0.1
+
+header VBOUNCE_REJECTED Subject =~ /^EMAIL REJECTED$/
+describe VBOUNCE_REJECTED Virus bounce - REJECTED
+score VBOUNCE_REJECTED 0.1
+
+header VBOUNCE_NAV Subject =~ /^Norton Anti.?Virus detected and quarantined/
+describe VBOUNCE_NAV Virus bounce - Norton
+score VBOUNCE_NAV 0.1
+
+header VBOUNCE_MELDING Subject =~ /^Virusmelding$/
+describe VBOUNCE_MELDING Virus bounce - 'virusmelding'
+score VBOUNCE_MELDING 0.1
+
+body VBOUNCE_VALERT /The mail message \S+ \S+ you sent to \S+ contains the virus/
+describe VBOUNCE_VALERT Virus bounce - contains the virus
+score VBOUNCE_VALERT 0.1
+
+body VBOUNCE_REJ_FILT /Reason: Rejected by filter/
+describe VBOUNCE_REJ_FILT Virus bounce - rejected by filter
+score VBOUNCE_REJ_FILT 0.1
+
+header VBOUNCE_YOUSENT Subject =~ /^Warning - You sent a Virus Infected Email to /
+describe VBOUNCE_YOUSENT Virus bounce - a virus infected email
+score VBOUNCE_YOUSENT 0.1
+
+body VBOUNCE_MAILSWEEP /MAILsweeper has found that a \S+ \S+ \S+ \S+ one or more virus/
+describe VBOUNCE_MAILSWEEP Virus bounce - MAILsweeper
+score VBOUNCE_MAILSWEEP 0.1
+
+header VBOUNCE_SCREENSAVER Subject =~ /(Re: ?)+Wicked screensaver\b/i
+describe VBOUNCE_SCREENSAVER Virus bounce - variation on Re: Wicked screensaver
+score VBOUNCE_SCREENSAVER 0.1
+
+header VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/
+describe VBOUNCE_DISALLOWED Virus bounce - "Disallowed attachment type"
+score VBOUNCE_DISALLOWED 0.1
+
+header VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/
+describe VBOUNCE_FROMPT From P&T SecurityScan AntiVirus
+score VBOUNCE_FROMPT 0.1
+
+header VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(es)? detected/i
+describe VBOUNCE_WARNING Variations on "Warning: E-mail viruses detected"
+score VBOUNCE_WARNING 0.1
+
+header VBOUNCE_DETECTED Subject =~ /^Virus detected /i
+describe VBOUNCE_DETECTED "Virus detected" (Network Associates Webshield)
+score VBOUNCE_DETECTED 0.1
+
+header VBOUNCE_AUTOMATIC Subject =~ /\b(automatic reply|AutoReply)\b/
+describe VBOUNCE_AUTOMATIC Variations on "automatic reply"
+score VBOUNCE_AUTOMATIC 0.1
+
+header VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i
+describe VBOUNCE_INTERSCAN InterScan E-Mail VirusWall
+score VBOUNCE_INTERSCAN 0.1
+
+header VBOUNCE_VIOLATION Subject =~ /^Content violation/i
+describe VBOUNCE_VIOLATION L-3com.com "Content violation"
+score VBOUNCE_VIOLATION 0.1
+
+header VBOUNCE_ALERT Subject =~ /^Virus Alert\b/i
+describe VBOUNCE_ALERT multivac.de Viruswall
+score VBOUNCE_ALERT 0.1
+
+header VBOUNCE_NAV2 Subject =~ /^NAV detected a virus in a document /
+describe VBOUNCE_NAV2 Norton Anti-Virus
+score VBOUNCE_NAV2 0.1
+
+body VBOUNCE_NAV3 /^Reporting-MTA: Norton Anti.?Virus Gateway/
+describe VBOUNCE_NAV3 Norton Anti-Virus
+score VBOUNCE_NAV3 0.1
+
+header VBOUNCE_INTERSCAN2 Subject =~ /^InterScan MSS for SMTP has delivered a message/
+describe VBOUNCE_INTERSCAN2 InterScan MSS Delivery message
+score VBOUNCE_INTERSCAN2 0.1
+
+header VBOUNCE_INTERSCAN3 Subject =~ /^InterScan NT Alert/
+describe VBOUNCE_INTERSCAN3 InterScan NT
+score VBOUNCE_INTERSCAN3 0.1
+
+header VBOUNCE_ANTIGEN Subject =~ /^Antigen found\b/i
+describe VBOUNCE_ANTIGEN Antigen for Exchange
+score VBOUNCE_ANTIGEN 0.1
+
+header VBOUNCE_LUTHER From =~ /\blutherh\@stratcom.com\b/
+describe VBOUNCE_LUTHER Strategic Computer Solutions, Inc. bounce
+score VBOUNCE_LUTHER 0.1
+
+header VBOUNCE_AMAVISD Subject =~ /^VIRUS IN YOUR MAIL /i
+describe VBOUNCE_AMAVISD amavisd virus alert (subject)
+score VBOUNCE_AMAVISD 0.1
+
+body VBOUNCE_AMAVISD2 /\bV I R U S\b/
+describe VBOUNCE_AMAVISD2 amavisd virus alert ("V I R U S")
+score VBOUNCE_AMAVISD2 0.1
+
+# off: got an FP in a simple forward
+# rawbody VBOUNCE_SUBJ_IN_MAIL /^\s*Subject:\s*(Re: )*((my|your) )?(application|details)/i
+# rawbody VBOUNCE_SUBJ_IN_MAIL2 /^\s*Subject:\s*(Re: )*(Thank you!?|That movie|Wicked screensaver|Approved)/i
+
+header VBOUNCE_SCANMAIL Subject =~ /^Scan.?Mail Message: .{0,30} virus found /i
+describe VBOUNCE_SCANMAIL ScanMail for Microsoft Exchange
+score VBOUNCE_SCANMAIL 0.1
+
+header VBOUNCE_DOMINO1 Subject =~ /^Report to Sender/
+describe VBOUNCE_DOMINO1 Nike/FNX/Domino server report
+score VBOUNCE_DOMINO1 0.1
+
+body VBOUNCE_DOMINO2 /^Incident Information:/
+describe VBOUNCE_DOMINO2 Nike/FNX/Domino server report body
+score VBOUNCE_DOMINO2 0.1
+
+header VBOUNCE_RAV Subject =~ /^RAV Anti.?Virus scan results/
+describe VBOUNCE_RAV RAV AntiVirus
+score VBOUNCE_RAV 0.1
+
+body VBOUNCE_ATTACHMENT0 /(Attachment.{0,40}was Deleted|Virus.{1,40}was found|the infected attachment)/i
+describe VBOUNCE_ATTACHMENT0 Virus Bounce - some attachment was deleted
+score VBOUNCE_ATTACHMENT0 0.1
+# Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages.
+
+body VBOUNCE_AVREPORT0 /(antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i
+describe VBOUNCE_AVREPORT0 Virus Bounce - AV system report
+score VBOUNCE_AVREPORT0 0.1
+
+header VBOUNCE_SENDER Subject =~ /^Virus to sender/
+describe VBOUNCE_SENDER Virus bounce - sweeperadmin.co.za
+score VBOUNCE_SENDER 0.1
+
+body VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i
+describe VBOUNCE_MAILSWEEP2 Virus bounce - MAILsweeper, second format
+score VBOUNCE_MAILSWEEP2 0.1
+
+header VBOUNCE_MAILSWEEP3 From =~ /\bmailsweeper\b/i
+describe VBOUNCE_MAILSWEEP3 Virus bounce - From MAILsweeper
+score VBOUNCE_MAILSWEEP3 0.1
+# Bart says: This one could replace both MAILSWEEP2 and MAILSWEEP as far as I can tell.
+# Perhaps it's too general?
+
+body VBOUNCE_CLICKBANK /\bvirus scanner deleted your message\b/i
+describe VBOUNCE_CLICKBANK Virus bounce - clickbank.com
+score VBOUNCE_CLICKBANK 0.1
+
+header VBOUNCE_FORBIDDEN Subject =~ /\bFile type Forbidden\b/
+describe VBOUNCE_FORBIDDEN Virus bounce - Spamscanner at tbbs.net
+score VBOUNCE_FORBIDDEN 0.1
+
+header VBOUNCE_MMS Subject =~ /^MMS Notification/
+describe VBOUNCE_MMS Virus bounce - bounces from MFS System Security
+score VBOUNCE_MMS 0.1
+# added by JoeyKelly
+
+body VBOUNCE_QUOTED_EXE /> TVqQAAMAAAAEAAAA/
+describe VBOUNCE_QUOTED_EXE Virus bounce - quoted EXE file
+score VBOUNCE_QUOTED_EXE 0.1
+
+# majordomo is really stupid about this stuff
+header __MAJORDOMO_SUBJ Subject =~ /^Majordomo results: /
+body __MAJORDOMO_HELP_BODY /\*\*\*\* Help for majordomo\@/
+body __MAJORDOMO_HELP_BODY2 /\bNo valid commands found.\b/
+meta VBOUNCE_MAJORDOMO_HELP (__MAJORDOMO_SUBJ && __MAJORDOMO_HELP_BODY && __MAJORDOMO_HELP_BODY2)
+describe VBOUNCE_MAJORDOMO_HELP Virus bounce - Majordomo help
+score VBOUNCE_MAJORDOMO_HELP 0.1
+
+header VBOUNCE_AV_RESULTS Subject =~ /AntiVirus scan results/
+header VBOUNCE_EMVD Subject =~ /^Warning: E-mail viruses detected/
+header VBOUNCE_UNDELIV Subject =~ /^Undeliverable mail, invalid characters in header/
+header VBOUNCE_BANNED_MAT Subject =~ /^Banned or potentially offensive material/
+header VBOUNCE_NAV_DETECT Subject =~ /^Norton AntiVirus detected and quarantined/
+header VBOUNCE_DEL_WARN Subject =~ /^Delivery warning report id=/
+header VBOUNCE_MIME_INFO Subject =~ /^The MIME information you requested/
+header VBOUNCE_EMAIL_REJ Subject =~ /^EMAIL REJECTED/
+header VBOUNCE_CONT_VIOL Subject =~ /^Content violation/
+header VBOUNCE_SYM_AVF Subject =~ /^Symantec AVF detected /
+header VBOUNCE_SYM_EMP Subject =~ /^Symantec E-Mail-Proxy /
+header VBOUNCE_VIR_FOUND Subject =~ /^Virus Found in message/
+header VBOUNCE_EMANAGER Subject =~ /^\[MailServer Notification\]/
+body VBOUNCE_ATT_QUAR /\bThe attachment was quarantined\b/
+body VBOUNCE_SECURIQ /\bGROUP securiQ.Wall\b/
+
+score VBOUNCE_AV_RESULTS 0.1
+score VBOUNCE_EMVD 0.1
+score VBOUNCE_UNDELIV 0.1
+score VBOUNCE_BANNED_MAT 0.1
+score VBOUNCE_NAV_DETECT 0.1
+score VBOUNCE_DEL_WARN 0.1
+score VBOUNCE_MIME_INFO 0.1
+score VBOUNCE_EMAIL_REJ 0.1
+score VBOUNCE_CONT_VIOL 0.1
+score VBOUNCE_SYM_AVF 0.1
+score VBOUNCE_SYM_EMP 0.1
+score VBOUNCE_ATT_QUAR 0.1
+score VBOUNCE_SECURIQ 0.1
+score VBOUNCE_VIR_FOUND 0.1
+score VBOUNCE_EMANAGER 0.1
+
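Review bot: The rule name `VBOUNCE_WARNING` is defined twice in the added file, first as a body rule on `/Virus Warning/` and later as a header rule on Subject, so one definition presumably overrides the other and only one pattern is actually evaluated; renaming the body rule, for example `body VBOUNCE_WARNING_BODY /Virus Warning/` with its own `score` line, keeps both. In `BOUNCE_FROM_DAEMON` the `\S+\@` after the alternation requires at least one character between the keyword and the `@`, so a plain `postmaster@` or `mailer-daemon@` From address does not hit that branch; `\S*\@` looks like what was intended. The header comment tells users to file on any `BOUNCE_`, `CRBOUNCE_` or `VBOUNCE_` name in X-Spam-Status, so a single hit on a broad, sender-controlled pattern such as `Precedence =~ /auto/` or the unanchored `VBOUNCE_AUTOMATIC` Subject match is enough to move legitimate mail out of the inbox. A comment at the top of the file should state that false-positive risk, and the widest patterns would be safer as `__` sub-rules combined in a `meta` that needs a second indicator.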