##### virusnotification.rc
#
# Resource file for procmail.
# Filters out all those annoying notifications "that I have a virus". Yeah
# right, there is no Microsoft here, so I don't want to see this rubbish.
# Because the current lot of viruses hide as a bounce message, they're caught
# here as well.
# Tested with: procmail v3.15.1 2001/01/08
#
# Variables, in (set before calling):
#   LISTFOLDER          where to store email if it's a virus notification;
#                       nothing will be stored if this is empty
#   TAB                 a single TAB character
#   NL                  a single NEWLINE character
#   LISTFOLDER_UMASK    if set, umask to use when saving to LISTFOLDER
#   SENDER_DOMAIN       domain and IP from where you send your mail; if you get
#   SENDER_IP           a bounce not from these -> dump it; this particular
#                       test is skipped if these are unset
# Variables, returned:
#   ISVIRUSNOTIFICATION set to "1" if it's a virus notification,
#                       unset otherwise
#   SUBJECT_VIRUSALERT  set to "1" if Subject: is a virus alert,
#                       unset otherwise
#   SUBJECT_DELIVERFAIL set to "1" if Subject: is delivery failure,
#                       unset otherwise
#   LISTFOLDER          unset
#
# Run with e.g.:
#   LISTFOLDER=somepath/virus-rubbish
#   INCLUDERC=yourpath/virusnotification.rc
# or
#   LISTFOLDER=
#   INCLUDERC=yourpath/virusnotification.rc
#   :0
#   * ISVIRUSNOTIFICATION ?? ^^1^^
#   { ... }
# in your $HOME/.procmailrc.
#
# The latest version is always available from:
#   http://volker.dnsalias.net/soft/procmail/
#
# Copyright (C) by Volker Kuhlmann
# Released under the terms of the GNU General Public License (GPL) Version 2.
# See http://www.gnu.org/ for details.
#
# Volker Kuhlmann
# 3, 4, 5, 9, 10, 30 Sep; 1, 2, 7, 8, 10, 12, 13, 16, 21, 24, 28 Oct 2003
# 30, 31 Jan; 2 Feb 2004
#

##### Variables

## Common virus subject strings (not anchored!)
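# All of the *_SUBJ_*, *_NAMES, *_DOMAIN, *_FROM_*, *_TO_* and *_RE variables
# below are regexp fragments. They are only substituted into a condition when
# that condition carries the "$" flag; without it "$NAME" is matched literally.
VIRUS_SUBJ_SOBIGF="((Re|Aw): *)*(Wicked screensaver|That movie|Approved|(|my |Your )Details|(|Your )Application|Thank you!)"
word1="(((Microsoft|MS)|Corporation|)|)"
word2="(Critical|Internet|Network|Security|Latest|Public)"
word3="(Email *)?(Delivery *)?(Patch|Pack|Upgrade|Update|Center|Assistance|Service(s|)|Division|Security)"
VIRUS_SUBJ_1="$word1( |)$word2 $word3"

## Microsoft executable extensions
MICKEY_EXE="(exe|scr|pif|bat|com)"
# mime filename matching:
#name=[^>]*\.(ade|adp|asd|bas|bat|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|inf|ins|isp|lnk|js|jse|lnk|ocx|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pi|pif|prf|reg|scf|scr|sct|shb|shm|shs|swf|uue|vb|vbe|vbs|vbx|vxd|wab|wsc|wsf|wsh)

## Common virus document names
# The dot before the extension is escaped so it only matches a literal ".",
# consistent with "\.zip" below.
VIRUS_DOCNAMES_1="(document_all|your_document|thank_you)\.pif"
VIRUS_DOCNAMES_2="(VirusWarning|removed0|deleted0)\.txt"
# delivery failures with any of these attachment names -> dumped
# The last alternative requires a "." before the executable extension;
# a bare ".*$MICKEY_EXE" matched any name merely containing "com", "bat",
# "scr", ... (e.g. "company.txt"). It is still not end-anchored.
VIRUS_DOCNAMES_3="((file|message)\.zip|text\.cmd\.htm|alert\.txt|.*\.$MICKEY_EXE)"

## Common virus names
VIRUS_NAMES="(swen|sobig|novarg|worm.sco|mydoom|mimail.r)"

## Common MS-domains used by viruses
VIRUS_MS_DOMAIN="([a-z_.-]*(microsoft|msdn|msn)|[a-z_.-]*\.(ms))\.(com|net|org)"

## Common virus sender addresses
VIRUS_FROM_1="(Internet Storage System|Net Mail Delivery)"

## Common virus receiver addresses
VIRUS_TO_1="(Net(|work)|Mail) (User|Receiver)"

## Sender of delivery problem notifications
# Built in two steps: the alternatives first, then wrapped into a From: match.
FROM_NOTIFY="(Mail|message) Delivery (|Sub)System|.*MAILER-DAEMON@|(|.*<)postmaster[^ @]*@|gatekeeper@|virus-alert@|amavisd"
FROM_NOTIFY="^From: *\"?($FROM_NOTIFY)"

## MIME types used by virus
VIRUS_MIME_AUDIO_RE="^Content-Type:[ $TAB]*audio/x-(wav|midi);"

## Set ISVIRUSNOTIFICATION if match occurs
ISVIRUSNOTIFICATION=

##### Subject: tests

# Subject contains virus alert
# Weighted conditions: any single match gives a positive score, i.e. "OR".
SUBJECT_VIRUSALERT=
:0
* 1^0 ^Subject: *Virus in your (letter|e?mail|message)
* 1^0 ^Subject: *VIRUS ALERT
* 1^0 ^Subject: *VIRUS IN YOUR E?MAIL
* 1^0 ^Subject: *VIRUS.*IN E?MAIL FROM YOU
* 1^0 ^Subject:.*(virus.*detect|detect.*virus)
* 1^0 ^Subject:.*Bug Advice
{
  SUBJECT_VIRUSALERT=1
}

## Subject contains a delivery failure
SUBJECT_DELIVERFAIL=
:0
* 1^0 ^Subject: *failure notice
* 1^0 ^Subject: *(|Mail )delivery fail(ed|ure)
* 1^0 ^Subject: *((Returned|Undelivered) mail|Message)(: (.*User unknown|see transcript for details))?
* 1^0 ^Subject: *Undeliver(ed|able) (Mail|Message):? Returned to Sender
* 1^0 ^Subject: *Undeliverable:
* 1^0 ^Subject:.*undeliverable mail
* 1^0 ^Subject: *Mail System Error.*Returned Mail
* 1^0 ^Subject: *Delivery Status Notification
{
  SUBJECT_DELIVERFAIL=1
}

##### "Your message was infected" notices; also "msg to you was cleaned"

# General condition 1
:0
* SUBJECT_VIRUSALERT ?? ^^1^^
* $ $FROM_NOTIFY
{
  ISVIRUSNOTIFICATION=1
}

# General condition 2
# From a notifier, and the body scores at least 3 (the "-2^0 ." offsets two
# of the weighted hits).
:0
* $ $FROM_NOTIFY
{
  :0 B
  * 1^0 ^---* .*(virus|worm|warning).* --
  * 1^0 (virus|worm)
  * 1^0 $ $VIRUS_NAMES
  * 1^0 $ \.$MICKEY_EXE\.?($|[^a-z])
  * -2^0 .
  {
    ISVIRUSNOTIFICATION=1
  }
}

# General condition 3
:0
* SUBJECT_VIRUSALERT ?? ^^1^^
{
  :0 B
  * 2^1 ((contain|detect).*virus|(was|were) (delete|found|detect)|virus name is)
  * 1^0 $ $VIRUS_NAMES
  * -2^0 .
  {
    ISVIRUSNOTIFICATION=1
  }
}

# AMaViS
:0
* SUBJECT_VIRUSALERT ?? ^^1^^
* ^From: *(postmaster@|amavisd)
* 2^0 $ B ?? ^[ $TAB]*V *I *R *U *S *A *L *E *R *T
* 2^0 $ B ?? ^[ $TAB]*viruschecker found a VIRUS in your email
* 1^0 $ B ?? ^[ $TAB]*Our content checker found
* 2^0 $ B ?? ^[ $TAB]*Please check your system for vir
* -2^0 .
{
  ISVIRUSNOTIFICATION=1
}

# Antigen
:0
* ^From: *Antigen[_@]
* 1^0 ^Subject:.*(virus|worm)
* 1^0 ^Subject:.*(detected|found)
* B ?? (was infected with|attachment with a (virus|worm))
{
  ISVIRUSNOTIFICATION=1
}

# Exchange
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* ^ScanMail for Microsoft Exchange
* ^Action taken on message
* quarantined
{
  ISVIRUSNOTIFICATION=1
}

# Inflex
:0
* ^From: *(avadmin|postmaster)@
* ^Subject: Inflex scan report
* B ?? ^AntiVirus Results
* B ?? ^Virus.*found in file
{
  ISVIRUSNOTIFICATION=1
}

# InterScan
:0
* ^From: *InterScan Notification
* ^Subject:.*not.*delivered
* B ?? virus.*was detected
* B ?? attachment.*was infected
{
  ISVIRUSNOTIFICATION=1
}

:0
# what's this crap about?
* ^From: *InterScan Notification
* ^Subject: InterScan.*has delivered a message
* B ?? to inform you that a message has been delivered
{
  ISVIRUSNOTIFICATION=1
}

# MailScanner, Email Virus Scanner (www.mailscanner.info)
:0
* ^From: *MailScanner
* ^Subject:.*((warning|virus).*(warning|virus)|Disinfected)
{
  :0
  * B ?? ^Our virus detector has just been triggered by a message you sent
  * B ?? ^This message is simply to warn you that your computer system may
  * B ?? ^The virus detector said this about the message
  {
    ISVIRUSNOTIFICATION=1
  }

  :0
  * 1^0 B ?? ^A message you recently received from
  * 1^0 B ?? ^contained one or more viruses
  * 1^0 B ?? ^The viruses have been removed
  * 1^0 B ?? ^Email Virus Scanner
  * -1^0 .
  {
    ISVIRUSNOTIFICATION=1
  }
}

# Otto.de
:0
* ^From: *POSTMASTER@
* ^Subject:.*Virus
* $ B ?? ^$VIRUS_SUBJ_SOBIGF$
* B ?? ^In der Nachricht
* B ?? ^ist ein Virus
{
  ISVIRUSNOTIFICATION=1
}

# Panda
:0
* ^From:.*Panda
* ^Subject: *Virus incident
* B ?? has found a virus
{
  ISVIRUSNOTIFICATION=1
}

:0
* ^X-.*pandasoft
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^1 B ?? (Panda Antivirus GateDefender|antivirus|panda.?soft)
* -3^0 .
{
  ISVIRUSNOTIFICATION=1
}

# Ravadmin
:0
* ^From:.*ravadmin
* ^Subject:.*virus scan
* 1^0 ^Importance: high
* 1^0 ^X-Mailer: ravmd
{
  ISVIRUSNOTIFICATION=1
}

# Road Runner
:0
* ^Received:.*\.rr\.com
* B ?? Road Runner scans all outbound e-mail attachments
* B ?? contained.*files that were infected with
{
  ISVIRUSNOTIFICATION=1
}

# ScanMail for Microsoft Exchange (also matches blocked file warnings)
:0
* ^From: *System Attendant
* ^Subject: ScanMail Message:.*virus found or matched file blocking
* B ?? ^ScanMail for Microsoft Exchange has taken action on the message
* B ?? ^The attachment.*matched file blocking settings
{
  ISVIRUSNOTIFICATION=1
}

# Sophos
:0
* ^Subject: Virus detected in:
* B ?? ^Scenarios.*virus.*detect
* B ?? ^contained a computer virus
* B ?? ^http://www.sophos.com/
{
  ISVIRUSNOTIFICATION=1
}

# Symantec
:0
* ^X-Virus-Scanned:.*Symantec
* ^X-Virus-Scan-Result: Repaired
{
  ISVIRUSNOTIFICATION=1
}

# TecnoFlex Informatica
:0
* ^From: *postmaster@
#* ^Subject: Virus no e-mail enviado para foto
* ^Subject: Virus no e-mail
{
  :0 B
  * 1^0 ^ATENÇÃO - VIRUS
  * 1^0 ^Mail Virus Scanner.*TecnoFlex Informatica
  * 1^0 ^http://.*tecnoflex
  * -1^0 .
  {
    ISVIRUSNOTIFICATION=1
  }
}

# Wakwak
:0
* ^From:.*virus.*wakwak
* ^Subject:.*WAKWAK virus detect
* B ?? ^WAKWAK Virus Detect
{
  ISVIRUSNOTIFICATION=1
}

# Dunno
:0
* ^Subject:.*(virus|bug letter)
{
  :0 B
  * 1^0 detected a virus .* in your (mail|msg|message|email|e-mail)
  * 1^0 antivirus
  {
    ISVIRUSNOTIFICATION=1
  }

  :0
  * ^From:.*administrator
  {
    ISVIRUSNOTIFICATION=1
  }
}

# Idiots don't say
:0
* ^From:.*postmaster@
{
  :0 B
  * 1^0 ^El Software Declude Virus instalado
  * 1^0 ^El E-mail conteniendo el virus
  {
    ISVIRUSNOTIFICATION=1
  }
}

##### MIME Body tests
# Each flag is only computed while ISVIRUSNOTIFICATION is still unset.

VIRUS_MIME_AUDIO=
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* $ $VIRUS_MIME_AUDIO_RE
{
  VIRUS_MIME_AUDIO=1
}

VIRUS_MIME_BASE64=
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* $ ^Content-Transfer-Encoding:[ $TAB]*base64
{
  VIRUS_MIME_BASE64=1
}

VIRUS_MIME_MICKEY_EXE=
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* $ ^Content-Type:.*;$NL?[ $TAB]*name=.*\.$MICKEY_EXE
{
  VIRUS_MIME_MICKEY_EXE=1
}

##### Undeliverable / Undelivered
## Either because of unknown recipient or because of disallowed attachment
## or any other reason.
## Not necessarily virus warnings, but undoubtedly caused by a virus.

## Body contains delivery failure typically used by viruses
VIRUS_BODY_DELIVERFAIL__=
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* 1^0 ^(|<.*> *)I\'m sorry to have to inform you
* 1^0 ^(|<.*> *)the message returned below could not be delivered
* 1^0 ^(|<.*> *)to (one or more destinations|the following address)
* 1^0 ^(|<.*> *)Undeliver(able|ed) *([^ ]* *|)to
* 1^0 ^(|<.*> *)Message follows:
* 1^0 ^(|<.*> *)This is the qmail program
# this is used by a real MTA bounce, however as virii try to look like a real
# bounce, it's indistinguishable:
* 1^0 ^(|<.*> *)Your message was not delivered for the following reason
* -1^0 .
{
  VIRUS_BODY_DELIVERFAIL__=1
}

#VERBOSE=1
:0
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^0 $ ^Subject:.*$VIRUS_SUBJ_SOBIGF
# encapsulate to speed up processing
{
  ## body contains a virus filter notice
  VIRUS_BODY_FILTERNOTICE__=
  :0 B
  * 1^0 (is|was) infected (with|by)
  * 0.7^0 antivirus
  * 1^0 message.*contain.*virus
  * 1^0 virus.*(was|were).*detect
  * 1^0 antivirus.*found.*virus
  * 1^0 found.*virus.*in file
  * 1^0 removed.*because.*contain.*virus
  * 1^0 reason.*infected
  * 1^0 was infected with.*(virus|worm)
  * 0.7^0 Antiviral Toolkit
  * 0.7^0 attachment.*removed
  * $ 0.7^0 ^Subject: *$VIRUS_SUBJ_SOBIGF$
  * -1.99^0 .
  {
    VIRUS_BODY_FILTERNOTICE__=1
  }

  ## body contains a delivery failure notice
  ## (result is the score, if > 0.0, i.e. at least one condition matched)
  # Initialised to 0 rather than empty: the variable is spliced into weights
  # below as "$VIRUS_BODYBOUNCE_SCORE__^0", and an empty expansion would leave
  # "^0 ..." behind, which is no longer a weight but a regexp.
  VIRUS_BODYBOUNCE_SCORE__=0
  :0 B
  # AOL
  * 1^0 ^Your e-mail is being returned to you because there was a problem
  * 1^0 ^--AOL Postmaster
  # qmail @miami.edu
  * 1^0 ^Hi. This is the qmail-send program
  * 1^0 ^I\'m afraid I wasn\'t able to deliver your message to
  # Postfix
  * 1^0 ^This is the Postfix program at
  * 1^0 ^(I\'m sorry to have to inform you|below could not be delivered)
  # ??
  * 1^0 ^A message (|that )you sent could not be delivered
  * 1^0 ^(message has been rejected because|potentially executable attachment)
  # NOTE(review): in the collapsed source this condition followed a bare "#"
  # line; it is read here as active (the author comments conditions out with
  # "#*") -- confirm against the original file.
  * 2^0 VIRUS_BODY_DELIVERFAIL__ ?? ^^1^^
  {
    VIRUS_BODYBOUNCE_SCORE__=$=
  }

  :0
  * $ $FROM_NOTIFY
  * VIRUS_BODY_FILTERNOTICE__ ?? ^^1^^
  {
    ISVIRUSNOTIFICATION=1
  }

  :0 B
  # this condition is a must
  * $ $FROM_NOTIFY
  * $ ^Subject: *$VIRUS_SUBJ_SOBIGF$
  # score of VIRUS_BODYBOUNCE_SCORE__
  * $ $VIRUS_BODYBOUNCE_SCORE__^0 .
  # NOTE(review): same ambiguity as above -- this condition followed a bare
  # "#" line in the source and is read as active; confirm.
  * $ 1^0 name=\"?$VIRUS_DOCNAMES_1
  * 1^0 ^X-Mailer:.*Microsoft
  * 1^0 ^Virus (identity found|name):
  * 1^0 (was infected with (the|a)|virus has been (deleted|removed))
  # require a score of 2 for a match
  * -1^0 .
  {
    ISVIRUSNOTIFICATION=1
  }

  :0 B
  * $ $FROM_NOTIFY
  * ^-* *Virus Warning Message
  * 1^0 removed from here because it
  * 1^0 was cleaned by
  {
    ISVIRUSNOTIFICATION=1
  }

  # filter notice plus a bounce score of at least 2
  :0
  * VIRUS_BODY_FILTERNOTICE__ ?? ^^1^^
  * $ $VIRUS_BODYBOUNCE_SCORE__^0 .
  * -1^0 .
  {
    ISVIRUSNOTIFICATION=1
  }
}
#VERBOSE=0

## One of the bigger blights on the internet are dipshits who tell *me* when
## someone else sends them an email which causes them a problem.
#
# These emails often contain in the body (as multipart?) the received: headers
# of the email from someone else to them. If those received: don't show our own
# domain or IP, or the domain and IP don't match, we can safely dump it.
#
# SENDER_DOMAIN and SENDER_IP are spliced into the regexps unescaped, so a
# "." in them matches any character; keep them free of other regexp
# metacharacters.
#VERBOSE=1
:0
* ISVIRUSNOTIFICATION ?? ^^^^
* ! SENDER_DOMAIN ?? ^^^^
* ! SENDER_IP ?? ^^^^
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^0 $ ($FROM_NOTIFY|^From:.*antivirus)
{
  # extract the first quoted Received: line naming our domain into MATCH
  :0 B
  * $ ^Received:\/.*from.*[^@a-z0-9._-]$SENDER_DOMAIN([^a-z0-9_-].*|)$([ $TAB].*$)*
  * ! MATCH ?? ^^^^
  * MATCH ?? .?[[(][0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[])]
  {
    # our domain with a foreign IP -> forged
    :0
    * ! $ MATCH ?? .?[[(]$SENDER_IP[])]
    {
      ISVIRUSNOTIFICATION=1
    }
  }
}
#VERBOSE=0

##### Rejected - virus, disallowed extension, unknown
:0
* ^From: *System Anti-Virus Administrator
* 1^0 $ ^(From|Subject):.*$VIRUS_SUBJ_1
* 1^0 $ $VIRUS_MIME_AUDIO_RE$NL?[ $TAB]*name=.*\.$MICKEY_EXE\"?[ $TAB]*$
* -1^0 .
{
  ISVIRUSNOTIFICATION=1
}

# A bit more ruthless (an audio file shouldn't be executable):
:0 B
* VIRUS_MIME_BASE64 ?? ^^1^^
* $ $VIRUS_MIME_AUDIO_RE$NL?[ $TAB]*name=.*\.$MICKEY_EXE
{
  ISVIRUSNOTIFICATION=1
}

# Even more ruthless (any MS program which comes by email = virus):
:0 B
* VIRUS_MIME_BASE64 ?? ^^1^^
* $ ^Content-Type:[ $TAB]*application/x-msdownload;$NL?[ $TAB]*name=.*\.$MICKEY_EXE\"?[ $TAB]*$
{
  ISVIRUSNOTIFICATION=1
}
# Could append .virus to $LISTFOLDER here to indicate the virus may still be
# in the email
# NOTE(review): the collapsed source had an active "VERBOSE=0" followed by a
# "}" with no matching "{" at this point. The brace is dropped so the rcfile
# stays balanced, and VERBOSE=0 is commented out like the other debugging
# toggles in this file (left active it would silence procmail logging for the
# rest of the caller's rcfile) -- confirm against the original file.
#VERBOSE=0

## Virus with bounce text in body, type wav, base 64
:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* VIRUS_BODY_DELIVERFAIL__ ?? ^^1^^
* VIRUS_MIME_AUDIO ?? ^^1^^
* VIRUS_MIME_BASE64 ?? ^^1^^
{
  ISVIRUSNOTIFICATION=1
}

## executable or virus-named attachment in an html bounce
:0 B
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* $ ^Content-Type:.*;$NL?[ $TAB]*name=\"?(.*\.$MICKEY_EXE|$VIRUS_DOCNAMES_2)
* $ ^Content-Type:[ $TAB]*text/html
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^0 VIRUS_BODY_DELIVERFAIL__ ?? ^^1^^
{
  ISVIRUSNOTIFICATION=1
}

## typical virus
:0
* ISVIRUSNOTIFICATION ?? ^^^^
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^0 $ $FROM_NOTIFY
{
  :0 B
  * $ ^Content-Type:[^;]*;$NL?[ $TAB]*name=\"?$VIRUS_DOCNAMES_3
  {
    ISVIRUSNOTIFICATION=1
  }
}

## Jan 04 virus
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* SUBJECT_DELIVERFAIL ?? ^^1^^
* charset=\"?windows-1252
* ^The message cannot be represented in 7-bit ASCII encoding
{
  ISVIRUSNOTIFICATION=1
}

## virus itself
# VIRUS_BODY_SCORE_1 stays empty unless at least 8 of these phrases are in the
# body (the "-7^0 ." offset); the recipes below test it for non-emptiness.
VIRUS_BODY_SCORE_1=
:0 B
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* 1^0 this is the latest version of security update
* 1^0 Cumulative Patch
* 1^0 all known security vulnerabilities affecting
* 1^0 MS Internet Explorer, MS Outlook and MS Outlook Express
* 1^0 as well as three newly discovered vulnerabilities
* 1^0 Install now to (help| )maintain the security of your computer
* 1^0 from these vulnerabilities, the most serious of which could
* 1^0 allow an attacker to run executable on your computer
* 1^0 This update includes the functionality
* 1^0 of all previously released patches
* 1^0 System requirements: Windows
* 1^0 This update applies to
* 1^0 Recommendation: Customers should install the patch
* 1^0 at the earliest opportunity.
* 1^0 How to install: Run attached file
* 1^0 For security-related information about Microsoft products
* 1^0 ^http://www.microsoft.com/security/
* 1^0 ^Please do not reply to this message.
* -7^0 .
{
  VIRUS_BODY_SCORE_1=$=
}

## either a suspicious subject or from, plus a high score of virus body
:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* $ 1^0 ^Subject:.*$VIRUS_SUBJ_1
* $ 1^0 ^From:.*$VIRUS_MS_DOMAIN
{
  # An empty VIRUS_BODY_SCORE_1 expands to a bare "^0 ." here, i.e. a regexp
  # rather than a weight; the effect (no match) is the same as a score of 0.
  :0
  * $ $VIRUS_BODY_SCORE_1^0 .
  * -3^0 .
  {
    ISVIRUSNOTIFICATION=1
  }
}

# The two header conditions carry the "$" flag so that $TAB and
# $VIRUS_DOCNAMES_2 are expanded; without it they were matched literally and
# could never score.
:0 B
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* 2^0 VIRUS_MIME_MICKEY_EXE ?? ^^1^^
* $ 1^0 ^Content-Type:[ $TAB]*text/html
* $ 1^0 name=\"?$VIRUS_DOCNAMES_2(\"|$)
* -1^0 .
{
  :0
  * ! VIRUS_BODY_SCORE_1 ?? ^^^^
  {
    ISVIRUSNOTIFICATION=1
  }
}

## WARNING: THIS MAY CATCH DISCUSSIONS ABOUT VIRUS FILTERS!!!!!
## Virus attachment name, base 64, and some suspicious words in body
## (This may be an outgoing mail scan)
#VERBOSE=1
:0 B
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* VIRUS_MIME_BASE64 ?? ^^1^^
* $ ^(Content-Type:.*;|)[ $TAB]*name=\"?$VIRUS_DOCNAMES_2
* 1^1 (infected|virus|worm|malicious|attachment|scan(ed|ning)|security threat)
* -7^0 .
{
  ISVIRUSNOTIFICATION=1
}
#VERBOSE=0

##### Some generalised patterns
#VERBOSE=1
:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* 1^0 $ ^From:.*$VIRUS_FROM_1
* 1^0 $ ^To:.*$VIRUS_TO_1
{
  # if previous score > 1 = virus
  # ($= is the score of the enclosing recipe; "." keeps the weight syntax
  # explicit, as in the other score-carrying conditions in this file)
  :0
  * $ $=^0 .
  * -1^0 .
  {
    ISVIRUSNOTIFICATION=1
  }

  :0 B
  * 1^1 virus
  * 1^1 worm
  * 1^1 $ $VIRUS_NAMES
  * 1^1 $ \.$MICKEY_EXE($|[^a-z])
  * -1^0 .
  {
    ISVIRUSNOTIFICATION=1
  }
}

## Suspicious subject: and from:
:0
* $ ^From:.*$VIRUS_SUBJ_1
* SUBJECT_DELIVERFAIL ?? ^^1^^
{
  ISVIRUSNOTIFICATION=1
}
#VERBOSE=0

##### If match occurred and LISTFOLDER is set, save to LISTFOLDER
:0
* ISVIRUSNOTIFICATION ?? ^^1^^
* ! LISTFOLDER ?? ^^^^
{
  # NOTE(review): procmail does not scope assignments to the enclosing braces,
  # so this UMASK presumably stays in effect for the rest of the caller's
  # rcfile, not just for the delivery below -- callers that rely on a different
  # umask afterwards should reset it after the INCLUDERC. Confirm.
  :0
  * ! LISTFOLDER_UMASK ?? ^^^^
  {
    UMASK=$LISTFOLDER_UMASK
  }

  # ":" takes a local lockfile on the destination
  :0 :
  $LISTFOLDER
}

LISTFOLDER=

##### EOF virusnotification.rc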