# A virus-bounce ruleset, suitable for use by anyone receiving a lot of joe-job # virus-blowback, or spam-blowback bounce messages. # # Please don't modify this file as your changes will be overwritten with # the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead. # See 'perldoc Mail::SpamAssassin::Conf' for details. # # <@LICENSE> # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to you under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at: # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # # ########################################################################### # # If you use this, set up procmail or your mail app to spot the # "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move # messages that match that to a 'vbounce' folder. # # You should also add 'whitelist_bounce_relays' lines, describing the names of # your own outgoing mail relays, like so: # # whitelist_bounce_relays dogma.boxhost.net # # This is used to 'rescue' legitimate bounce messages that were generated in # response to mail you really *did* send. If you don't do this, the # "BOUNCE_MESSAGE" rule will not fire. See 'perldoc VBounce.pm' for more # details. # # This ruleset is substantially based on # http://www.timj.co.uk/linux/bogus-virus-warnings.cf ; the main difference is # that I (jm) prefer to keep bounces and spam separate, so it now uses a single # rule for each type of message, instead of having multiple individual rules # with high scores. That way, you can spot the individual rule names, as # described in the paragraph above. There's a couple of rules that were FPing, # too, so I fixed or removed them; and there's been substantial additions, too. # ########################################################################### ifplugin Mail::SpamAssassin::Plugin::VBounce body __MY_SERVERS_FOUND eval:check_whitelist_bounce_relays() tflags __MY_SERVERS_FOUND nice score __MY_SERVERS_FOUND -0.001 body __HAVE_BOUNCE_RELAYS eval:have_any_bounce_relays() tflags __HAVE_BOUNCE_RELAYS nice endif # --------------------------------------------------------------------------- # General bounce messages header __BOUNCE_FROM_DAEMON From =~ /(?:^(?:mail\S+daemon|d[ae][ae]mon|majordomo|postmaster|automated-response|mailadmin|mailmaster|surfcontrol|You_Got_Spammed|SMTP.gateway)\@|scanner\S*\@|<>)/i header __BOUNCE_RPATH_NULL Return-Path =~ /<>/ header __BOUNCE_READ_NOTIFICATION Subject =~ /^Read: / header __BOUNCE_RPATH_MD Return-Path =~ /(?:mailer-(?:daemon|deamon)|quotaagent|pleaseforward|autoresponder|autoresponse-\S+|devnull\S*)\@/i # can appear in non-bounce mails with __XM_VBULLETIN, # or with X-Cron-Env headers, so exclude those cases header __XM_VBULLETIN X-Mailer =~ /^vBulletin Mail/ header __X_CRON_ENV X-Cron-Env =~ /^ # 'Invalid e-mail address.' header __BOUNCE_RPATH_ERRMAIL Return-Path =~ /delete\@errmail\./i header __BOUNCE_AUTO_RESPOND Subject =~ /^(?:Automatically Generated Response from |Auto-Respond E-Mail from )/ header __BOUNCE_AUTO_RESPONSE Subject =~ /^automated response$/i body __BOUNCE_ETRUST /^eTrust Secure Content Manager SMTPMAIL could not deliver the e-mail / header __BOUNCE_INTERSCAN From =~ /\bInterscan MSS Notification\b/ body __BOUNCE_NO_RESEND /\bPlease do not resend your original message\./ header __BOUNCE_AUTO_REPLY Subject =~ /\b(automatic reply|AutoReply)\b/ meta BOUNCE_MESSAGE __HAVE_BOUNCE_RELAYS && (!__MY_SERVERS_FOUND && !ALL_TRUSTED && !__NONBOUNCE_READ_RECEIPT && (__BOUNCE_FROM_DAEMON || (__BOUNCE_RPATH_NULL && !__BOUNCE_READ_NOTIFICATION) || __BOUNCE_RPATH_MD || __BOUNCE_AUTO_GENERATED || __BOUNCE_Y_AUTOGEN || __BOUNCE_SYMANTEC || __BOUNCE_X_ERR_STAT || __BOUNCE_RETURNED || __BOUNCE_MAILDELFAIL || __BOUNCE_MSGDELFAIL || __BOUNCE_ESMTP || __BOUNCE_OOO_2 || __BOUNCE_NEVER_SEE || __BOUNCE_NONWORKING || __BOUNCE_UNDELIVERABLE || __BOUNCE_UNDELIVERABLE_ML || __BOUNCE_NOTDEL || __BOUNCE_CTYPE || __BOUNCE_DEL_FAIL || __BOUNCE_STAT_FAIL || __BOUNCE_ADDR_ERR || __BOUNCE_NO_VAL || __BOUNCE_DATA_FORMAT || __BOUNCE_COULD_NOT || __BOUNCE_UNDEL_MSG || __BOUNCE_OOO_H1 || __BOUNCE_OOO_H2 || __BOUNCE_OOO_H3 || __BOUNCE_RPATH_ERRMAIL || __BOUNCE_OOO_3 || __BOUNCE_INTERSCAN || __BOUNCE_ETRUST || __BOUNCE_AUTO_RESPONSE || __BOUNCE_AUTO_RESPOND || __BOUNCE_NO_RESEND || __BOUNCE_NOTIF || __BOUNCE_RET_MAIL || __BOUNCE_DEL_FAIL || __BOUNCE_MAIL_DEL_FAIL || __BOUNCE_AUTO_REPLY)) describe BOUNCE_MESSAGE MTA bounce message # --------------------------------------------------------------------------- # Challenge/Response bounces header __CRBOUNCE_UOL From =~ /\bAntiSpam UOL\b/ header __CRBOUNCE_VERIF Subject =~ /^(?:Your email requires verification verify:\S|Please Verify Your Email Address)/ header __CRBOUNCE_RP Return-Path =~ /<(?:spamblocker-challenge|spambush|apd\.sspam|spamhippo|devnull-quarantine)\@/i header __CRBOUNCE_RP_2 Return-Path =~ /\@(?:spamstomp\.com|ipermitmail\.com)>$/i header __CRBOUNCE_VANQ From =~ // header __CRBOUNCE_QURB Subject =~ /\[Qurb .\d+\]$/ uri __CRBOUNCE_0SPAM1 /^http:\/\/www\.0spam\.com\/v/ header __CRBOUNCE_0SPAM2 From:addr =~ /^verify\@0spam.com$/ meta __CRBOUNCE_0SPAM (__CRBOUNCE_0SPAM1 && __CRBOUNCE_0SPAM2) header __CRBOUNCE_SPAMARREST exists:X-Spamarrest-noauth # http://mailinblack.com , a French C/R system with no other reliable # signatures. annoying! header __CRBOUNCE_MIB Content-Type =~ /mUlTiPaRtBoUnDaRy_MailInBlack/ uri __CRBOUNCE_SI1 m,^http://si20.com/auth, header __CRBOUNCE_SI2 From:addr =~ /^siweb\@si20\.com/ meta __CRBOUNCE_SI (__CRBOUNCE_SI1 && __CRBOUNCE_SI2) # very frequent, using unrelated From lines; either spam or C/R, not yet # sure which header __CRBOUNCE_GETRESP Return-Path =~ // header __CRBOUNCE_TMDA Message-Id =~ /\@\S+\-tmda\-confirm>$/ header __CRBOUNCE_ASK X-AskVersion =~ /\d/ header __CRBOUNCE_SZ X-Spamazoid-MD =~ /\d/ header __CRBOUNCE_SPAMLION Spamlion =~ /\S/ # something called /cgi-bin/notaspammer does this! header __CRBOUNCE_PREC_SPAM Precedence =~ /spam/ header __AUTO_GEN_XBT exists:X-Boxtrapper header __AUTO_GEN_BBTL exists:X-Bluebottle-Request meta __CRBOUNCE_HEADER (__AUTO_GEN_XBT || __AUTO_GEN_BBTL) header __CRBOUNCE_EXI X-ExiSpam =~ /ExiSpam/ header __CRBOUNCE_UNVERIF Subject =~ /^Unverified email to / header __CRBOUNCE_BLOCKED Subject =~ /^\*\*Message you sent blocked by our bulk email filter\*\*$/ meta __CHALLENGE_RESPONSE __CRBOUNCE_UOL || __CRBOUNCE_VERIF || __CRBOUNCE_RP || __CRBOUNCE_VANQ || __CRBOUNCE_HEADER || __CRBOUNCE_QURB || __CRBOUNCE_0SPAM || __CRBOUNCE_GETRESP || __CRBOUNCE_TMDA || __CRBOUNCE_ASK || __CRBOUNCE_EXI || __CRBOUNCE_PREC_SPAM || __CRBOUNCE_SZ || __CRBOUNCE_SPAMLION || __CRBOUNCE_MIB || __CRBOUNCE_SI || __CRBOUNCE_UNVERIF || __CRBOUNCE_RP_2 || __CRBOUNCE_BLOCKED || __CRBOUNCE_SPAMARREST meta CHALLENGE_RESPONSE __MY_SERVERS_FOUND && __CHALLENGE_RESPONSE describe CHALLENGE_RESPONSE Challenge-Response message for mail you sent meta CRBOUNCE_MESSAGE !__MY_SERVERS_FOUND && __CHALLENGE_RESPONSE describe CRBOUNCE_MESSAGE Challenge-Response bounce message # --------------------------------------------------------------------------- # "Virus found in your mail" bounces # source: VirusBounceRules from the exit0 SA wiki body __VBOUNCE_EXIM /a potentially executable attachment / body __VBOUNCE_STRIP_ATTACH /\bhas stripped one or more attachments from the following message\b/ body __VBOUNCE_GUIN /message contains file attachments that are not permitted/ body __VBOUNCE_CISCO /^Found virus \S+ in file \S/m body __VBOUNCE_SMTP /host \S+ said: 5\d\d\s+Error: Message content rejected/ body __VBOUNCE_AOL /TRANSACTION FAILED - Unrepairable Virus Detected. / body __VBOUNCE_DUTCH /bevatte bijlage besmet welke besmet was met een virus/ body __VBOUNCE_MAILMARSHAL /Mail.?Marshal Rule: Inbound Messages : Block Dangerous Attachments/ header __VBOUNCE_MAILMARSHAL2 Subject =~ /^MailMarshal has detected possible spam in your message/ header __VBOUNCE_NAVFAIL Subject =~ /^Norton Anti.?Virus failed to scan an attachment in a message you sent/ header __VBOUNCE_REJECTED Subject =~ /^EMAIL REJECTED$/ header __VBOUNCE_PROBLEME Subject:raw =~ /^=?iso-8859-1?Q?Messagerie_.{1,100}_=3A_probl=E8me_de_s=E9curit=E9=2E?=/ header __VBOUNCE_NAV Subject =~ /^Norton Anti.?Virus detected and quarantined/ header __VBOUNCE_MELDING Subject =~ /^Virusmelding$/ body __VBOUNCE_VALERT /The mail message \S+ \S+ you sent to \S+ contains the virus/ body __VBOUNCE_REJ_FILT /Reason: Rejected by filter/ header __VBOUNCE_YOUSENT Subject =~ /^Warning - You sent a Virus Infected Email to / body __VBOUNCE_MAILSWEEP /MAILsweeper has found that a \S+ \S+ \S+ \S+ one or more virus/ header __VBOUNCE_SCREENSAVER Subject =~ /\b(?:Re: ?)Wicked screensaver\b/i header __VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/ header __VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/ header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(es)? detected/i header __VBOUNCE_DETECTED Subject =~ /^Virus detected /i header __VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i header __VBOUNCE_VIOLATION Subject =~ /^Content violation/i header __VBOUNCE_ALERT Subject =~ /^Virus Alert\b/i header __VBOUNCE_NAV2 Subject =~ /^NAV detected a virus in a document / body __VBOUNCE_NAV3 /^Reporting-MTA: Norton Anti.?Virus Gateway/ header __VBOUNCE_INTERSCAN2 Subject =~ /^InterScan MSS for SMTP has delivered a message/ header __VBOUNCE_INTERSCAN3 Subject =~ /^InterScan NT Alert/ header __VBOUNCE_ANTIGEN Subject =~ /^Antigen found\b/i header __VBOUNCE_LUTHER From =~ /\blutherh\@stratcom.com\b/ header __VBOUNCE_AMAVISD Subject =~ /^VIRUS IN YOUR MAIL /i body __VBOUNCE_AMAVISD2 /\bV I R U S\b/ header __VBOUNCE_GSHIELD Subject =~ /^McAfee GroupShield Alert/ # off: got an FP in a simple forward # rawbody __VBOUNCE_SUBJ_IN_MAIL /^\s*Subject:\s*(Re: )*((my|your) )?(application|details)/i # rawbody __VBOUNCE_SUBJ_IN_MAIL2 /^\s*Subject:\s*(Re: )*(Thank you!?|That movie|Wicked screensaver|Approved)/i header __VBOUNCE_SCANMAIL Subject =~ /^Scan.?Mail Message: .{0,30} virus found /i header __VBOUNCE_DOMINO1 Subject =~ /^Report to Sender/ body __VBOUNCE_DOMINO2 /^Incident Information:/ header __VBOUNCE_RAV Subject =~ /^RAV Anti.?Virus scan results/ body __VBOUNCE_ATTACHMENT0 /(?:Attachment.{0,40}was Deleted|the infected attachment)/ # Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages. body __VBOUNCE_AVREPORT0 /(antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i header __VBOUNCE_SENDER Subject =~ /^Virus to sender/ body __VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i header __VBOUNCE_MAILSWEEP3 From =~ /\bmailsweeper\b/i # Bart says: This one could replace both MAILSWEEP2 and MAILSWEEP as far as I can tell. # Perhaps it's too general? body __VBOUNCE_CLICKBANK /\bvirus scanner deleted your message\b/i header __VBOUNCE_FORBIDDEN Subject =~ /\bFile type Forbidden\b/ header __VBOUNCE_MMS Subject =~ /^MMS Notification/ # added by JoeyKelly header __VBOUNCE_JMAIL Subject =~ /^Message Undeliverable: Possible Junk\/Spam Mail Identified$/ body __VBOUNCE_QUOTED_EXE /> TVqQAAMAAAAEAAAA/ # majordomo is really stupid about this stuff header __MAJORDOMO_SUBJ Subject =~ /^Majordomo results: / rawbody __MAJORDOMO_HELP_BODY /\*\*\*\* Help for [mM]ajordomo\@/ rawbody __MAJORDOMO_HELP_BODY2 /\*\*\*\* Command \'.{0,80}\' not recognized\b/ meta __VBOUNCE_MAJORDOMO_HELP (__MAJORDOMO_SUBJ && __MAJORDOMO_HELP_BODY && __MAJORDOMO_HELP_BODY2) header __VBOUNCE_AV_RESULTS Subject =~ /AntiVirus scan results/ header __VBOUNCE_EMVD Subject =~ /^Warning: E-mail viruses detected/ header __VBOUNCE_UNDELIV Subject =~ /^Undeliverable mail, invalid characters in header/ header __VBOUNCE_BANNED_MAT Subject =~ /^Banned or potentially offensive material/ header __VBOUNCE_NAV_DETECT Subject =~ /^Norton AntiVirus detected and quarantined/ header __VBOUNCE_DEL_WARN Subject =~ /^Delivery (?:warning|error) report id=/ header __VBOUNCE_MIME_INFO Subject =~ /^The MIME information you requested/ header __VBOUNCE_EMAIL_REJ Subject =~ /^EMAIL REJECTED/ header __VBOUNCE_CONT_VIOL Subject =~ /^Content violation/ header __VBOUNCE_SYM_AVF Subject =~ /^Symantec AVF detected / header __VBOUNCE_SYM_EMP Subject =~ /^Symantec E-Mail-Proxy / header __VBOUNCE_VIR_FOUND Subject =~ /^Virus Found in message/ header __VBOUNCE_INFLEX Subject =~ /^Inflex scan report \[/ header __VBOUNCE_BITDEFENDER X-Mailer =~ /^BitDefender VShield/ header __VBOUNCE_INF_ATTACH Subject =~ /^\[Mail Delivery .{20,100} infected attachment *removed/ header __VBOUNCE_RAPPORT Subject =~ /^Spam rapport \/ Spam report \S+ -\s+\(\S+\)$/ header __VBOUNCE_GWAVA Subject =~ /^GWAVA Sender Notification \(RBL block\)$/ header __VBOUNCE_GWAVA2 Subject =~ /Blocked Message \(RBL block\)$/ header __VBOUNCE_EMANAGER Subject =~ /^\[MailServer Notification\]/ header __VBOUNCE_MSGLABS Return-Path =~ /alert\@notification\.messagelabs\.com/i body __VBOUNCE_ATT_QUAR /\bThe attachment was quarantined\b/ body __VBOUNCE_SECURIQ /\bGROUP securiQ.Wall\b/ header __VBOUNCE_PT_BLOCKED Subject =~ /^\*\*\*\s*Mensagem Bloqueada/i meta VBOUNCE_MESSAGE !__MY_SERVERS_FOUND && (__VBOUNCE_MSGLABS || __VBOUNCE_EXIM || __VBOUNCE_GUIN || __VBOUNCE_CISCO || __VBOUNCE_SMTP || __VBOUNCE_AOL || __VBOUNCE_DUTCH || __VBOUNCE_MAILMARSHAL || __VBOUNCE_MAILMARSHAL2 || __VBOUNCE_NAVFAIL || __VBOUNCE_REJECTED || __VBOUNCE_PROBLEME || __VBOUNCE_NAV || __VBOUNCE_MELDING || __VBOUNCE_VALERT || __VBOUNCE_REJ_FILT || __VBOUNCE_YOUSENT || __VBOUNCE_MAILSWEEP || __VBOUNCE_SCREENSAVER || __VBOUNCE_DISALLOWED || __VBOUNCE_FROMPT || __VBOUNCE_WARNING || __VBOUNCE_DETECTED || __VBOUNCE_INTERSCAN || __VBOUNCE_VIOLATION || __VBOUNCE_ALERT || __VBOUNCE_NAV2 || __VBOUNCE_NAV3 || __VBOUNCE_INTERSCAN2 || __VBOUNCE_INTERSCAN3 || __VBOUNCE_ANTIGEN || __VBOUNCE_LUTHER || __VBOUNCE_AMAVISD || __VBOUNCE_AMAVISD2 || __VBOUNCE_SCANMAIL || __VBOUNCE_DOMINO1 || __VBOUNCE_DOMINO2 || __VBOUNCE_RAV || __VBOUNCE_GSHIELD || __VBOUNCE_ATTACHMENT0 || __VBOUNCE_AVREPORT0 || __VBOUNCE_SENDER || __VBOUNCE_MAILSWEEP2 || __VBOUNCE_MAILSWEEP3 || __VBOUNCE_CLICKBANK || __VBOUNCE_FORBIDDEN || __VBOUNCE_MMS || __VBOUNCE_QUOTED_EXE || __VBOUNCE_MAJORDOMO_HELP || __VBOUNCE_AV_RESULTS || __VBOUNCE_EMVD || __VBOUNCE_UNDELIV || __VBOUNCE_BANNED_MAT || __VBOUNCE_NAV_DETECT || __VBOUNCE_DEL_WARN || __VBOUNCE_MIME_INFO || __VBOUNCE_EMAIL_REJ || __VBOUNCE_CONT_VIOL || __VBOUNCE_SYM_AVF || __VBOUNCE_SYM_EMP || __VBOUNCE_ATT_QUAR || __VBOUNCE_SECURIQ || __VBOUNCE_VIR_FOUND || __VBOUNCE_EMANAGER || __VBOUNCE_JMAIL || __VBOUNCE_GWAVA || __VBOUNCE_GWAVA2 || __VBOUNCE_PT_BLOCKED || __VBOUNCE_INFLEX || __VBOUNCE_INF_ATTACH || __VBOUNCE_STRIP_ATTACH || __VBOUNCE_BITDEFENDER) describe VBOUNCE_MESSAGE Virus-scanner bounce message # --------------------------------------------------------------------------- # a catch-all type for all the above meta ANY_BOUNCE_MESSAGE (CRBOUNCE_MESSAGE||BOUNCE_MESSAGE||VBOUNCE_MESSAGE) describe ANY_BOUNCE_MESSAGE Message is some kind of bounce message