Commit | Line | Data |
---|---|---|
b780ea8d SI |
1 | # A virus-bounce ruleset, suitable for use by anyone receiving a lot of joe-job |
2 | # virus-blowback, or spam-blowback bounce messages. | |
3 | # | |
4 | # Please don't modify this file as your changes will be overwritten with | |
5 | # the next update. Use /etc/mail/spamassassin/local.cf instead. | |
6 | # See 'perldoc Mail::SpamAssassin::Conf' for details. | |
7 | # | |
8 | # <@LICENSE> | |
9 | # Licensed to the Apache Software Foundation (ASF) under one or more | |
10 | # contributor license agreements. See the NOTICE file distributed with | |
11 | # this work for additional information regarding copyright ownership. | |
12 | # The ASF licenses this file to you under the Apache License, Version 2.0 | |
13 | # (the "License"); you may not use this file except in compliance with | |
14 | # the License. You may obtain a copy of the License at: | |
15 | # | |
16 | # http://www.apache.org/licenses/LICENSE-2.0 | |
17 | # | |
18 | # Unless required by applicable law or agreed to in writing, software | |
19 | # distributed under the License is distributed on an "AS IS" BASIS, | |
20 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
21 | # See the License for the specific language governing permissions and | |
22 | # limitations under the License. | |
23 | # </@LICENSE> | |
24 | # | |
25 | ########################################################################### | |
26 | # | |
27 | # If you use this, set up procmail or your mail app to spot the | |
28 | # "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move | |
29 | # messages that match that to a 'vbounce' folder. | |
30 | # | |
31 | # You should also add 'welcomelist_bounce_relays' lines, describing the names of | |
32 | # your own outgoing mail relays, like so: | |
33 | # | |
34 | # welcomelist_bounce_relays dogma.boxhost.net | |
35 | # | |
36 | # This is used to 'rescue' legitimate bounce messages that were generated in | |
37 | # response to mail you really *did* send. If you don't do this, the | |
38 | # "BOUNCE_MESSAGE" rule will not fire. See 'perldoc VBounce.pm' for more | |
39 | # details. | |
40 | # | |
41 | # This ruleset is substantially based on | |
42 | # https://www.timj.co.uk/linux/bogus-virus-warnings.cf ; the main difference is | |
43 | # that I (jm) prefer to keep bounces and spam separate, so it now uses a single | |
44 | # rule for each type of message, instead of having multiple individual rules | |
45 | # with high scores. That way, you can spot the individual rule names, as | |
46 | # described in the paragraph above. There's a couple of rules that were FPing, | |
47 | # too, so I fixed or removed them; and there's been substantial additions, too. | |
48 | # | |
49 | ########################################################################### | |
50 | ||
b780ea8d SI |
51 | ifplugin Mail::SpamAssassin::Plugin::VBounce |
52 | ||
dfdd1e08 SI |
53 | |
| # __MY_SERVERS_FOUND is defined by exactly one of the two conditionals below; | |
| # which eval name is used depends on whether this SpamAssassin advertises | |
| # feature_welcomelist_blocklist. | |
| # NOTE(review): in this file only BOUNCE_MESSAGE also requires | |
| # __HAVE_BOUNCE_RELAYS. CRBOUNCE_MESSAGE and VBOUNCE_MESSAGE test | |
| # !__MY_SERVERS_FOUND alone, so presumably they still fire when no | |
| # welcomelist_bounce_relays are configured, including on replies to mail | |
| # you really did send -- confirm against VBounce.pm. | |
54 | if can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) | |
55 | body __MY_SERVERS_FOUND eval:check_welcomelist_bounce_relays() | |
56 | endif | |
57 | if !can(Mail::SpamAssassin::Conf::feature_welcomelist_blocklist) | |
58 | body __MY_SERVERS_FOUND eval:check_whitelist_bounce_relays() | |
59 | endif | |
60 | ||
b780ea8d SI |
61 | body __HAVE_BOUNCE_RELAYS eval:have_any_bounce_relays() |
62 | ||
63 | # --------------------------------------------------------------------------- | |
64 | # General bounce messages | |
| # Every sub-rule in this section is one alternative of the BOUNCE_MESSAGE | |
| # meta. Each one tests a header or body text chosen by whoever sent the | |
| # message, so a hit describes what the message looks like, not who sent it. | |
65 | ||
| # From address whose local part is a daemon/postmaster-style name, any | |
| # "scanner...@" address, or a literal "<>". | |
66 | header __BOUNCE_FROM_DAEMON From =~ /(?:^(?:mail\S+daemon|d[ae][ae]mon|majordomo|postmaster|automated-response|mailadmin|mailmaster|surfcontrol|You_Got_Spammed|SMTP.gateway)\@|scanner\S*\@|<>)/i | |
67 | ||
| # A null Return-Path counts as a bounce only when the Subject does not | |
| # start with "Read: "; the two rules are combined in BOUNCE_MESSAGE. | |
68 | header __BOUNCE_RPATH_NULL Return-Path =~ /<>/ | |
69 | header __BOUNCE_READ_NOTIFICATION Subject =~ /^Read: / | |
70 | ||
71 | header __BOUNCE_RPATH_MD Return-Path =~ /(?:mailer-(?:daemon|deamon)|quotaagent|pleaseforward|autoresponder|autoresponse-\S+|devnull\S*)\@/i | |
72 | ||
73 | # The auto-generated markers below can also appear in non-bounce mail that has | |
74 | # a vBulletin X-Mailer or an X-Cron-Env header, so the meta excludes those cases | |
75 | header __XM_VBULLETIN X-Mailer =~ /^vBulletin Mail/ | |
76 | header __X_CRON_ENV X-Cron-Env =~ /^</ | |
77 | ||
78 | header __AUTO_GEN_MS exists:X-MS-Embedded-Report | |
79 | header __AUTO_GEN_AG exists:X-autogenerated | |
80 | header __AUTO_GEN_CM exists:X-Choicemail-Registration-Request | |
81 | header __AUTO_GEN_3 X-MailScanner =~ /generated/ | |
82 | header __AUTO_GEN_4 X-Mailer =~ /autoresponder/i | |
83 | header __AUTO_GEN_XXSP X-XSP-Msgclass =~ /NOTIFICATION/ | |
| # Unanchored and case-sensitive: any Precedence value containing "auto" hits. | |
84 | header __AUTO_GEN_PREC Precedence =~ /auto/ | |
85 | meta __BOUNCE_AUTO_GENERATED ((__AUTO_GEN_MS||__AUTO_GEN_3||__AUTO_GEN_4||__AUTO_GEN_AG||__AUTO_GEN_XXSP ||__AUTO_GEN_CM||__AUTO_GEN_PREC) && !__XM_VBULLETIN && !__X_CRON_ENV) | |
86 | ||
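| # Subject, header and body signatures of individual MTAs and autoresponders. | |
| # Each rule is one alternative of the BOUNCE_MESSAGE meta. | |
87 | header __BOUNCE_Y_AUTOGEN Subject =~ /^Yahoo! Auto Response/ | |
| # The trailing empty alternative also matches a Subject that is just | |
| # "Returned mail" followed by at most five characters. | |
88 | header __BOUNCE_SYMANTEC Subject =~ /^Returned mail.{0,5}(?:Error During Delivery|see transcript for details|)$/i | |
89 | header __BOUNCE_X_ERR_STAT X-Error-Status =~ /User unknown/ | |
90 | header __BOUNCE_RETURNED Subject =~ /^Returned mail: (?:User unknown|unreachable recipients)/ | |
91 | header __BOUNCE_MAILDELFAIL Subject =~ /^Mail delivery failed: / | |
92 | header __BOUNCE_MSGDELFAIL Subject =~ /^Message Delivery Failure/ | |
| # "messages?" accepts the singular "This message was ..." wording as well as | |
| # the "This messages was ..." spelling the rule matched before. | |
93 | body __BOUNCE_ESMTP /^This messages? was created automatically by mail delivery software/ | |
94 | # JM: prev versions used "automaticly", that was a typo | |
95 | ||
| # Fixed sentences used by two autoresponders. | |
96 | body __BOUNCE_NEVER_SEE /\bThis is an autoresponder. I'll never see your message\b/i | |
97 | body __BOUNCE_NONWORKING /\bYou have reached a non.?working address. Please check\b/i | |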
98 | ||
| # Subject and Content-Type signatures of delivery-failure notices. Each rule | |
| # is one alternative of the BOUNCE_MESSAGE meta. | |
99 | header __BOUNCE_UNDELIVERABLE Subject =~ /^Undeliverable(?: -|:) / | |
100 | header __BOUNCE_UNDELIVERABLE_ML Subject =~ /^Undeliver(?:able|ed) Mail\b/ | |
101 | header __BOUNCE_NOTDEL Subject =~ /^MESSAGE NOT DELIVERED: / | |
102 | header __BOUNCE_ADDR_ERR Subject =~ /^e-mail addressing error \(/ | |
103 | header __BOUNCE_NO_VAL Subject =~ /^No valid recipient in / | |
104 | header __BOUNCE_DATA_FORMAT Subject =~ /^Returned mail: Data format error$/ | |
105 | header __BOUNCE_COULD_NOT Subject =~ /^Mail could not be delivered$/ | |
106 | header __BOUNCE_UNDEL_MSG Subject =~ /^Undeliverable (?:Message|Mail)$/ | |
107 | header __BOUNCE_CTYPE Content-Type =~ /\bmultipart\/report\b/ | |
| # NOTE(review): __BOUNCE_DEL_FAIL is defined again further down with | |
| # /^DELIVERY FAILURE/i, which also covers this pattern. Presumably the later | |
| # definition replaces this one -- confirm with 'spamassassin --lint'. | |
108 | header __BOUNCE_DEL_FAIL Subject =~ /^Delivery Failure Notification/ | |
109 | header __BOUNCE_STAT_FAIL Subject =~ /^Delivery Status Notification/ | |
110 | ||
| # The "." presumably stands in for the accented first letter of "état". | |
111 | header __BOUNCE_NOTIF Subject =~ /^Notification d\'.tat de la distribution$/ | |
112 | header __BOUNCE_RET_MAIL Subject =~ /^Returned Mail$/ | |
| # Second definition of __BOUNCE_DEL_FAIL (same rule name as above). | |
113 | header __BOUNCE_DEL_FAIL Subject =~ /^DELIVERY FAILURE/i | |
114 | header __BOUNCE_MAIL_DEL_FAIL Subject =~ /^Mail Delivery Failure$/ | |
115 | ||
| # Read receipts are exempted from BOUNCE_MESSAGE via __NONBOUNCE_READ_RECEIPT. | |
116 | header __NONBOUNCE_READ_RECEIPT_CTYPE Content-Type =~ /\breport-type=disposition-notification\b/ | |
117 | # bug 6051: some bounces *do* use that ctype; those carrying "Auto-Submitted: auto-replied (rejected)" are not exempted | |
118 | header __YESBOUNCE_AUTO_REPLIED_REJ Auto-Submitted =~ /^auto-replied \(rejected\)/ | |
119 | meta __NONBOUNCE_READ_RECEIPT (__NONBOUNCE_READ_RECEIPT_CTYPE && !__YESBOUNCE_AUTO_REPLIED_REJ) | |
120 | ||
121 | # Return-path: <delete@errmail.kagoya.net> | |
122 | # 'Invalid e-mail address.' | |
123 | header __BOUNCE_RPATH_ERRMAIL Return-Path =~ /delete\@errmail\./i | |
124 | ||
125 | header __BOUNCE_AUTO_RESPOND Subject =~ /^(?:Automatically Generated Response from |Auto-Respond E-Mail from )/ | |
126 | header __BOUNCE_AUTO_RESPONSE Subject =~ /^automated response$/i | |
127 | body __BOUNCE_ETRUST /^eTrust Secure Content Manager SMTPMAIL could not deliver the e-mail / | |
128 | header __BOUNCE_INTERSCAN From =~ /\bInterscan MSS Notification\b/ | |
129 | ||
130 | body __BOUNCE_NO_RESEND /\bPlease do not resend your original message\./ | |
131 | ||
| # Unanchored and case-sensitive: matches either phrase anywhere in the Subject. | |
151f49fd | 132 | header __BOUNCE_AUTO_REPLY Subject =~ /\b(?:automatic reply|AutoReply)\b/ |
b780ea8d SI |
133 | |
| # BOUNCE_MESSAGE fires when all five guards hold and at least one __BOUNCE_* | |
| # signature matches. The guards are: bounce relays are configured | |
| # (__HAVE_BOUNCE_RELAYS), the message is not an out-of-office reply, it was | |
| # not recognised as a reply to your own mail (!__MY_SERVERS_FOUND), it is not | |
| # ALL_TRUSTED (a rule not defined in this file), and it is not a read receipt. | |
| # __BOUNCE_DEL_FAIL appears twice in the list; the repeat has no effect on | |
| # an OR expression. | |
134 | meta BOUNCE_MESSAGE __HAVE_BOUNCE_RELAYS && !OOOBOUNCE_MESSAGE && !__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (__BOUNCE_FROM_DAEMON || (__BOUNCE_RPATH_NULL && !__BOUNCE_READ_NOTIFICATION) || __BOUNCE_RPATH_MD || __BOUNCE_AUTO_GENERATED || __BOUNCE_Y_AUTOGEN || __BOUNCE_SYMANTEC || __BOUNCE_X_ERR_STAT || __BOUNCE_RETURNED || __BOUNCE_MAILDELFAIL || __BOUNCE_MSGDELFAIL || __BOUNCE_ESMTP || __BOUNCE_NEVER_SEE || __BOUNCE_NONWORKING || __BOUNCE_UNDELIVERABLE || __BOUNCE_UNDELIVERABLE_ML || __BOUNCE_NOTDEL || __BOUNCE_CTYPE || __BOUNCE_DEL_FAIL || __BOUNCE_STAT_FAIL || __BOUNCE_ADDR_ERR || __BOUNCE_NO_VAL || __BOUNCE_DATA_FORMAT || __BOUNCE_COULD_NOT || __BOUNCE_UNDEL_MSG || __BOUNCE_RPATH_ERRMAIL || __BOUNCE_INTERSCAN || __BOUNCE_ETRUST || __BOUNCE_AUTO_RESPONSE || __BOUNCE_AUTO_RESPOND || __BOUNCE_NO_RESEND || __BOUNCE_NOTIF || __BOUNCE_RET_MAIL || __BOUNCE_DEL_FAIL || __BOUNCE_MAIL_DEL_FAIL || __BOUNCE_AUTO_REPLY) | |
135 | ||
136 | describe BOUNCE_MESSAGE MTA bounce message | |
137 | ||
138 | # --------------------------------------------------------------------------- | |
139 | # Out Of Office bounces | |
| # OOOBOUNCE_MESSAGE needs an auto-reply header AND an out-of-office subject | |
| # or body signature. Unlike the other *BOUNCE_MESSAGE rules in this file it | |
| # has no !__MY_SERVERS_FOUND term, so it is not limited to replies to mail | |
| # you did not send. | |
140 | ||
141 | # Do not use subject/body rules without checking for autoreply headers also | |
142 | header __AUTOREPLY_XAR X-Autoreply =~ /\byes/i | |
143 | header __AUTOREPLY_PRE Precedence =~ /\bauto_reply/i | |
144 | header __AUTOREPLY_XPR X-Precedence =~ /\bauto_reply/i | |
| # The negative lookahead skips "auto-replied (rejected)" values. | |
145 | header __AUTOREPLY_ASU Auto-Submitted =~ /\bauto-(?:replied|generated)(?! \(rejected\))/i | |
146 | meta __BOUNCE_OOO_ARHDR __AUTOREPLY_XAR || __AUTOREPLY_PRE || __AUTOREPLY_XPR || __AUTOREPLY_ASU | |
147 | ||
148 | # Standalone subjects that are clearly out of office | |
149 | header __BOUNCE_OOO_S1 Subject =~ /^R.ponse automatique d'absence du bureau/ | |
150 | header __BOUNCE_OOO_S2 Subject =~ / \(away from the office\)$/ | |
151 | header __BOUNCE_OOO_S3 Subject =~ /^Out Of Office\b/ | |
152 | meta __BOUNCE_OOO_SUBJECT __BOUNCE_OOO_S1 || __BOUNCE_OOO_S2 || __BOUNCE_OOO_S3 | |
153 | ||
154 | # Standalone body clauses that are clearly out of office | |
155 | body __BOUNCE_OOO_B1 /\bI ?.m away until .{10,20} and am unable to read your message\b/ | |
156 | body __BOUNCE_OOO_B2 /\bI am currently out of the office\b/ | |
157 | meta __BOUNCE_OOO_BODY __BOUNCE_OOO_B1 || __BOUNCE_OOO_B2 | |
158 | ||
159 | # Combined subject+body checks: the generic "automatic reply" subject counts only together with one of the body phrases | |
160 | header __BOUNCE_OOO_CS1 Subject =~ /^Automa(?:tic reply|attinen vastaus|tisch antwoord):/ | |
161 | body __BOUNCE_OOO_CB1 /\bout of (?:the )?office\b/i | |
162 | body __BOUNCE_OOO_CB2 /\bon (?:vacation|holiday)\b/i | |
163 | body __BOUNCE_OOO_CB3 /\bolen lomalla\b/i | |
164 | body __BOUNCE_OOO_CB4 /\breturn to (?:the )?office\b/i | |
165 | meta __BOUNCE_OOO_SUBJBODY __BOUNCE_OOO_CS1 && (__BOUNCE_OOO_CB1 || __BOUNCE_OOO_CB2 || __BOUNCE_OOO_CB3 || __BOUNCE_OOO_CB4) | |
166 | ||
167 | meta OOOBOUNCE_MESSAGE __BOUNCE_OOO_ARHDR && (__BOUNCE_OOO_SUBJECT || __BOUNCE_OOO_BODY || __BOUNCE_OOO_SUBJBODY) | |
168 | ||
169 | describe OOOBOUNCE_MESSAGE Out Of Office bounce message | |
170 | ||
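171 | # --------------------------------------------------------------------------- | |
172 | # Challenge/Response bounces | |
| # Signatures of challenge/response (C/R) systems. They are OR-ed into | |
| # __CHALLENGE_RESPONSE, which is then split by __MY_SERVERS_FOUND into | |
| # CHALLENGE_RESPONSE (for mail you sent) and CRBOUNCE_MESSAGE (for mail you | |
| # did not send). All of them match sender-chosen headers, text or links. | |
173 | ||
174 | header __CRBOUNCE_UOL From =~ /\bAntiSpam UOL\b/ | |
175 | header __CRBOUNCE_VERIF Subject =~ /^(?:Your email requires verification verify:\S|Please Verify Your Email Address)/ | |
176 | header __CRBOUNCE_RP Return-Path =~ /<(?:spamblocker-challenge|spambush|apd\.sspam|spamhippo|devnull-quarantine)\@/i | |
177 | header __CRBOUNCE_RP_2 Return-Path =~ /\@(?:spamstomp\.com|ipermitmail\.com)>$/i | |
178 | header __CRBOUNCE_VANQ From =~ /<confirm-\S+\@spamguard\.vanquish\.com>/ | |
179 | header __CRBOUNCE_QURB Subject =~ /\[Qurb .\d+\]$/ | |
180 | ||
| # Requires both the verification link and the matching From address. | |
| # NOTE(review): the uri rule matches the http:// scheme only. | |
181 | uri __CRBOUNCE_0SPAM1 /^http:\/\/www\.0spam\.com\/v/ | |
| # The dot is escaped so that only the literal domain 0spam.com matches. | |
182 | header __CRBOUNCE_0SPAM2 From:addr =~ /^verify\@0spam\.com$/ | |
183 | meta __CRBOUNCE_0SPAM (__CRBOUNCE_0SPAM1 && __CRBOUNCE_0SPAM2) | |
184 | ||
185 | header __CRBOUNCE_SPAMARREST exists:X-Spamarrest-noauth | |
186 | ||
187 | # https://mailinblack.com , a French C/R system with no other reliable | |
188 | # signatures. annoying! | |
189 | header __CRBOUNCE_MIB Content-Type =~ /mUlTiPaRtBoUnDaRy_MailInBlack/ | |
190 | ||
| # Same link-plus-From pairing as 0spam. The dot in the uri pattern is escaped | |
| # to agree with __CRBOUNCE_SI2. | |
191 | uri __CRBOUNCE_SI1 m,^http://si20\.com/auth, | |
192 | header __CRBOUNCE_SI2 From:addr =~ /^siweb\@si20\.com/ | |
193 | meta __CRBOUNCE_SI (__CRBOUNCE_SI1 && __CRBOUNCE_SI2) | |
194 | ||
195 | # very frequent, using unrelated From lines; either spam or C/R, not yet | |
196 | # sure which | |
197 | header __CRBOUNCE_GETRESP Return-Path =~ /<bounce\S+\@\S+\.getresponse\.com>/ | |
198 | ||
199 | header __CRBOUNCE_TMDA Message-Id =~ /\@\S+\-tmda\-confirm>$/ | |
200 | header __CRBOUNCE_ASK X-AskVersion =~ /\d/ | |
201 | header __CRBOUNCE_SZ X-Spamazoid-MD =~ /\d/ | |
202 | header __CRBOUNCE_SPAMLION Spamlion =~ /\S/ | |
203 | ||
204 | # something called /cgi-bin/notaspammer does this! | |
205 | header __CRBOUNCE_PREC_SPAM Precedence =~ /spam/ | |
206 | ||
207 | header __AUTO_GEN_XBT exists:X-Boxtrapper | |
208 | header __AUTO_GEN_BBTL exists:X-Bluebottle-Request | |
209 | meta __CRBOUNCE_HEADER (__AUTO_GEN_XBT || __AUTO_GEN_BBTL) | |
210 | ||
211 | header __CRBOUNCE_EXI X-ExiSpam =~ /ExiSpam/ | |
212 | ||
213 | header __CRBOUNCE_UNVERIF Subject =~ /^Unverified email to / | |
214 | header __CRBOUNCE_BLOCKED Subject =~ /^\*\*Message you sent blocked by our bulk email filter\*\*$/ | |
215 | ||
216 | meta __CHALLENGE_RESPONSE __CRBOUNCE_UOL || __CRBOUNCE_VERIF || __CRBOUNCE_RP || __CRBOUNCE_VANQ || __CRBOUNCE_HEADER || __CRBOUNCE_QURB || __CRBOUNCE_0SPAM || __CRBOUNCE_GETRESP || __CRBOUNCE_TMDA || __CRBOUNCE_ASK || __CRBOUNCE_EXI || __CRBOUNCE_PREC_SPAM || __CRBOUNCE_SZ || __CRBOUNCE_SPAMLION || __CRBOUNCE_MIB || __CRBOUNCE_SI || __CRBOUNCE_UNVERIF || __CRBOUNCE_RP_2 || __CRBOUNCE_BLOCKED || __CRBOUNCE_SPAMARREST | |
| # A challenge that was recognised as a reply to your own mail. | |
217 | meta CHALLENGE_RESPONSE __MY_SERVERS_FOUND && __CHALLENGE_RESPONSE | |
218 | describe CHALLENGE_RESPONSE Challenge-Response message for mail you sent | |
219 | ||
| # A challenge that was not recognised as a reply to your own mail. | |
220 | meta CRBOUNCE_MESSAGE !__MY_SERVERS_FOUND && __CHALLENGE_RESPONSE | |
221 | describe CRBOUNCE_MESSAGE Challenge-Response bounce message | |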
222 | ||
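223 | # --------------------------------------------------------------------------- | |
224 | # "Virus found in your mail" bounces | |
| # Body, Subject and From signatures of notices sent by virus scanners and | |
| # content filters. Each rule is one alternative of the VBOUNCE_MESSAGE meta. | |
| # All of them match text chosen by the sender of the notice. | |
225 | ||
226 | # source: VirusBounceRules from the exit0 SA wiki | |
227 | ||
228 | body __VBOUNCE_EXIM /a potentially executable attachment / | |
229 | body __VBOUNCE_STRIP_ATTACH /\bhas stripped one or more attachments from the following message\b/ | |
230 | body __VBOUNCE_GUIN /message contains file attachments that are not permitted/ | |
231 | body __VBOUNCE_CISCO /^Found virus \S+ in file \S/m | |
232 | body __VBOUNCE_SMTP /host \S+ said: 5\d\d\s+Error: Message content rejected/ | |
233 | body __VBOUNCE_AOL /TRANSACTION FAILED - Unrepairable Virus Detected. / | |
234 | body __VBOUNCE_DUTCH /bevatte bijlage besmet welke besmet was met een virus/ | |
235 | body __VBOUNCE_MAILMARSHAL /Mail.?Marshal Rule: Inbound Messages : Block Dangerous Attachments/ | |
236 | header __VBOUNCE_MAILMARSHAL2 Subject =~ /^MailMarshal has detected possible spam in your message/ | |
237 | header __VBOUNCE_NAVFAIL Subject =~ /^Norton Anti.?Virus failed to scan an attachment in a message you sent/ | |
238 | header __VBOUNCE_REJECTED Subject =~ /^EMAIL REJECTED$/ | |
| # Matches the raw, still MIME-encoded Subject. The "?" separators of the | |
| # encoded-word are escaped: left bare they act as regex quantifiers and the | |
| # pattern cannot match a Subject that starts with "=?iso-8859-1?Q?". | |
239 | header __VBOUNCE_PROBLEME Subject:raw =~ /^=\?iso-8859-1\?Q\?Messagerie_.{1,100}_=3A_probl=E8me_de_s=E9curit=E9=2E\?=/ | |
240 | header __VBOUNCE_NAV Subject =~ /^Norton Anti.?Virus detected and quarantined/ | |
241 | header __VBOUNCE_MELDING Subject =~ /^Virusmelding$/ | |
242 | body __VBOUNCE_VALERT /The mail message \S+ \S+ you sent to \S+ contains the virus/ | |
243 | body __VBOUNCE_REJ_FILT /Reason: Rejected by filter/ | |
244 | header __VBOUNCE_YOUSENT Subject =~ /^Warning - You sent a Virus Infected Email to / | |
245 | body __VBOUNCE_MAILSWEEP /MAILsweeper has found that a \S+ \S+ \S+ \S+ one or more virus/ | |
| # NOTE(review): the "Re: " group is not optional, so a Subject without it | |
| # does not match. Confirm whether "(?:Re: ?)?" was intended. | |
246 | header __VBOUNCE_SCREENSAVER Subject =~ /\b(?:Re: ?)Wicked screensaver\b/i | |
247 | header __VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/ | |
248 | header __VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/ | |
151f49fd | 249 | header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(?:es)? detected/i |
b780ea8d SI |
250 | header __VBOUNCE_DETECTED Subject =~ /^Virus detected /i |
251 | header __VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i | |
252 | header __VBOUNCE_VIOLATION Subject =~ /^Content violation/i | |
253 | header __VBOUNCE_ALERT Subject =~ /^Virus Alert\b/i | |
254 | header __VBOUNCE_NAV2 Subject =~ /^NAV detected a virus in a document / | |
255 | body __VBOUNCE_NAV3 /^Reporting-MTA: Norton Anti.?Virus Gateway/ | |
256 | header __VBOUNCE_INTERSCAN2 Subject =~ /^InterScan MSS for SMTP has delivered a message/ | |
257 | header __VBOUNCE_INTERSCAN3 Subject =~ /^InterScan NT Alert/ | |
258 | header __VBOUNCE_ANTIGEN Subject =~ /^Antigen found\b/i | |
| # The dot is escaped so that only the literal domain stratcom.com matches. | |
259 | header __VBOUNCE_LUTHER From =~ /\blutherh\@stratcom\.com\b/ | |
260 | header __VBOUNCE_AMAVISD Subject =~ /^VIRUS IN YOUR MAIL /i | |
261 | body __VBOUNCE_AMAVISD2 /\bV I R U S\b/ | |
262 | header __VBOUNCE_GSHIELD Subject =~ /^McAfee GroupShield Alert/ | |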
263 | ||
264 | # off: got an FP in a simple forward | |
265 | # rawbody __VBOUNCE_SUBJ_IN_MAIL /^\s*Subject:\s*(Re: )*((my|your) )?(application|details)/i | |
266 | # rawbody __VBOUNCE_SUBJ_IN_MAIL2 /^\s*Subject:\s*(Re: )*(Thank you!?|That movie|Wicked screensaver|Approved)/i | |
267 | ||
268 | header __VBOUNCE_SCANMAIL Subject =~ /^Scan.?Mail Message: .{0,30} virus found /i | |
269 | header __VBOUNCE_DOMINO1 Subject =~ /^Report to Sender/ | |
270 | body __VBOUNCE_DOMINO2 /^Incident Information:/ | |
271 | header __VBOUNCE_RAV Subject =~ /^RAV Anti.?Virus scan results/ | |
272 | ||
273 | body __VBOUNCE_ATTACHMENT0 /(?:Attachment.{0,40}was Deleted|the infected attachment)/ | |
274 | # Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages. | |
275 | ||
151f49fd | 276 | body __VBOUNCE_AVREPORT0 /(?:antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i |
b780ea8d SI |
277 | header __VBOUNCE_SENDER Subject =~ /^Virus to sender/ |
278 | body __VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i | |
279 | ||
280 | header __VBOUNCE_MAILSWEEP3 From =~ /\bmailsweeper\b/i | |
281 | # Bart says: This one could replace both MAILSWEEP2 and MAILSWEEP as far as I can tell. | |
282 | # Perhaps it's too general? | |
283 | ||
284 | body __VBOUNCE_CLICKBANK /\bvirus scanner deleted your message\b/i | |
285 | header __VBOUNCE_FORBIDDEN Subject =~ /\bFile type Forbidden\b/ | |
286 | header __VBOUNCE_MMS Subject =~ /^MMS Notification/ | |
287 | # added by JoeyKelly | |
288 | ||
289 | header __VBOUNCE_JMAIL Subject =~ /^Message Undeliverable: Possible Junk\/Spam Mail Identified$/ | |
290 | ||
| # "TVqQAAMAAAAEAAAA" is the Base64 form of the first bytes of a DOS/Windows | |
| # executable (the "MZ" header); the leading "> " means it appears as quoted | |
| # text, i.e. the notice quotes an encoded executable attachment. | |
291 | body __VBOUNCE_QUOTED_EXE /> TVqQAAMAAAAEAAAA/ | |
292 | ||
293 | # majordomo is really stupid about this stuff | |
| # All three Majordomo signatures must match together. | |
294 | header __MAJORDOMO_SUBJ Subject =~ /^Majordomo results: / | |
295 | rawbody __MAJORDOMO_HELP_BODY /\*\*\*\* Help for [mM]ajordomo\@/ | |
296 | rawbody __MAJORDOMO_HELP_BODY2 /\*\*\*\* Command \'.{0,80}\' not recognized\b/ | |
297 | meta __VBOUNCE_MAJORDOMO_HELP (__MAJORDOMO_SUBJ && __MAJORDOMO_HELP_BODY && __MAJORDOMO_HELP_BODY2) | |
298 | ||
| # NOTE(review): several rules below overlap with earlier ones in this file: | |
| # __VBOUNCE_EMVD with __VBOUNCE_WARNING, __VBOUNCE_NAV_DETECT with | |
| # __VBOUNCE_NAV, __VBOUNCE_EMAIL_REJ with __VBOUNCE_REJECTED, and | |
| # __VBOUNCE_CONT_VIOL with __VBOUNCE_VIOLATION. The overlap does not change | |
| # the result of the OR in VBOUNCE_MESSAGE. | |
299 | header __VBOUNCE_AV_RESULTS Subject =~ /AntiVirus scan results/ | |
300 | header __VBOUNCE_EMVD Subject =~ /^Warning: E-mail viruses detected/ | |
301 | header __VBOUNCE_UNDELIV Subject =~ /^Undeliverable mail, invalid characters in header/ | |
302 | header __VBOUNCE_BANNED_MAT Subject =~ /^Banned or potentially offensive material/ | |
303 | header __VBOUNCE_NAV_DETECT Subject =~ /^Norton AntiVirus detected and quarantined/ | |
304 | header __VBOUNCE_DEL_WARN Subject =~ /^Delivery (?:warning|error) report id=/ | |
305 | header __VBOUNCE_MIME_INFO Subject =~ /^The MIME information you requested/ | |
306 | header __VBOUNCE_EMAIL_REJ Subject =~ /^EMAIL REJECTED/ | |
307 | header __VBOUNCE_CONT_VIOL Subject =~ /^Content violation/ | |
308 | header __VBOUNCE_SYM_AVF Subject =~ /^Symantec AVF detected / | |
309 | header __VBOUNCE_SYM_EMP Subject =~ /^Symantec E-Mail-Proxy / | |
310 | header __VBOUNCE_VIR_FOUND Subject =~ /^Virus Found in message/ | |
311 | header __VBOUNCE_INFLEX Subject =~ /^Inflex scan report \[/ | |
312 | header __VBOUNCE_BITDEFENDER X-Mailer =~ /^BitDefender VShield/ | |
313 | header __VBOUNCE_INF_ATTACH Subject =~ /^\[Mail Delivery .{20,100} infected attachment *removed/ | |
314 | ||
| # NOTE(review): __VBOUNCE_RAPPORT is not referenced by any meta rule in this | |
| # file, so on its own it does not contribute to VBOUNCE_MESSAGE. Confirm | |
| # whether it was left out on purpose. | |
315 | header __VBOUNCE_RAPPORT Subject =~ /^Spam rapport \/ Spam report \S+ -\s+\(\S+\)$/ | |
316 | header __VBOUNCE_GWAVA Subject =~ /^GWAVA Sender Notification \(RBL block\)$/ | |
317 | header __VBOUNCE_GWAVA2 Subject =~ /Blocked Message \(RBL block\)$/ | |
318 | ||
319 | header __VBOUNCE_EMANAGER Subject =~ /^\[MailServer Notification\]/ | |
320 | header __VBOUNCE_MSGLABS Return-Path =~ /alert\@notification\.messagelabs\.com/i | |
321 | body __VBOUNCE_ATT_QUAR /\bThe attachment was quarantined\b/ | |
322 | body __VBOUNCE_SECURIQ /\bGROUP securiQ.Wall\b/ | |
323 | ||
324 | header __VBOUNCE_PT_BLOCKED Subject =~ /^\*\*\*\s*Mensagem Bloqueada/i | |
325 | ||
| # VBOUNCE_MESSAGE fires when the message was not recognised as a reply to | |
| # your own mail (!__MY_SERVERS_FOUND) and any one of the listed virus-scanner | |
| # signatures matches. It has no __HAVE_BOUNCE_RELAYS term, unlike | |
| # BOUNCE_MESSAGE. | |
326 | meta VBOUNCE_MESSAGE !__MY_SERVERS_FOUND && (__VBOUNCE_MSGLABS || __VBOUNCE_EXIM || __VBOUNCE_GUIN || __VBOUNCE_CISCO || __VBOUNCE_SMTP || __VBOUNCE_AOL || __VBOUNCE_DUTCH || __VBOUNCE_MAILMARSHAL || __VBOUNCE_MAILMARSHAL2 || __VBOUNCE_NAVFAIL || __VBOUNCE_REJECTED || __VBOUNCE_PROBLEME || __VBOUNCE_NAV || __VBOUNCE_MELDING || __VBOUNCE_VALERT || __VBOUNCE_REJ_FILT || __VBOUNCE_YOUSENT || __VBOUNCE_MAILSWEEP || __VBOUNCE_SCREENSAVER || __VBOUNCE_DISALLOWED || __VBOUNCE_FROMPT || __VBOUNCE_WARNING || __VBOUNCE_DETECTED || __VBOUNCE_INTERSCAN || __VBOUNCE_VIOLATION || __VBOUNCE_ALERT || __VBOUNCE_NAV2 || __VBOUNCE_NAV3 || __VBOUNCE_INTERSCAN2 || __VBOUNCE_INTERSCAN3 || __VBOUNCE_ANTIGEN || __VBOUNCE_LUTHER || __VBOUNCE_AMAVISD || __VBOUNCE_AMAVISD2 || __VBOUNCE_SCANMAIL || __VBOUNCE_DOMINO1 || __VBOUNCE_DOMINO2 || __VBOUNCE_RAV || __VBOUNCE_GSHIELD || __VBOUNCE_ATTACHMENT0 || __VBOUNCE_AVREPORT0 || __VBOUNCE_SENDER || __VBOUNCE_MAILSWEEP2 || __VBOUNCE_MAILSWEEP3 || __VBOUNCE_CLICKBANK || __VBOUNCE_FORBIDDEN || __VBOUNCE_MMS || __VBOUNCE_QUOTED_EXE || __VBOUNCE_MAJORDOMO_HELP || __VBOUNCE_AV_RESULTS || __VBOUNCE_EMVD || __VBOUNCE_UNDELIV || __VBOUNCE_BANNED_MAT || __VBOUNCE_NAV_DETECT || __VBOUNCE_DEL_WARN || __VBOUNCE_MIME_INFO || __VBOUNCE_EMAIL_REJ || __VBOUNCE_CONT_VIOL || __VBOUNCE_SYM_AVF || __VBOUNCE_SYM_EMP || __VBOUNCE_ATT_QUAR || __VBOUNCE_SECURIQ || __VBOUNCE_VIR_FOUND || __VBOUNCE_EMANAGER || __VBOUNCE_JMAIL || __VBOUNCE_GWAVA || __VBOUNCE_GWAVA2 || __VBOUNCE_PT_BLOCKED || __VBOUNCE_INFLEX || __VBOUNCE_INF_ATTACH || __VBOUNCE_STRIP_ATTACH || __VBOUNCE_BITDEFENDER) | |
327 | ||
328 | describe VBOUNCE_MESSAGE Virus-scanner bounce message | |
329 | ||
330 | # --------------------------------------------------------------------------- | |
331 | # a catch-all type for all the above | |
| # ANY_BOUNCE_MESSAGE is the OR of the four *BOUNCE_MESSAGE rules. | |
| # CHALLENGE_RESPONSE (a challenge for mail you did send) is not part of it. | |
| # All four inputs match headers and text chosen by the sender, so a hit is a | |
| # filing hint: keep normal spam and malware scanning on whatever is moved to | |
| # the bounce folder. | |
332 | ||
333 | meta ANY_BOUNCE_MESSAGE (CRBOUNCE_MESSAGE||BOUNCE_MESSAGE||VBOUNCE_MESSAGE||OOOBOUNCE_MESSAGE) | |
334 | describe ANY_BOUNCE_MESSAGE Message is some kind of bounce message | |
335 | ||
dfdd1e08 SI |
336 | |
337 | endif # Mail::SpamAssassin::Plugin::VBounce | |
338 |