##### virusnotification.rc
#
# Resource file for procmail.
# Filters out all those annoying notifications "that I have a virus". Yeah
# right, there is no Microsoft here, so I don't want to see this rubbish.
# Because the current lot of viruses hide as a bounce message, they're caught
# here as well.
# Tested with: procmail v3.15.1 2001/01/08, procmail v3.22 2001/09/10
#
# Variables, in (set before calling):
#   LISTFOLDER		Where to store email if it's a virus notification;
#			  nothing will be stored if this is empty.
#			  Further strings may be added to the name in this
#			  variable.
#   TAB			a single TAB character
#   NL			a single NEWLINE character
#   LISTFOLDER_UMASK	if set, umask to use when saving to LISTFOLDER
#   SENDER_DOMAIN	Domain and IP from where you send your mail; if you get
#   SENDER_IP		  a bounce not from these -> dump it; this particular
#			  test is skipped if these 2 variables are unset.
#			  Depending on your mail setup, you may have to include
#			  127.0.0.1 and the unqualified (short) host name here
#			  as well.
#   ATTACHMENTWHITELIST	name of a file which contains email addresses, one per
#			  line, who are permitted to send attachments with names
#			  listed below in ATTACHMENT_BLOCK_NAME
#			  requires $PROCDIR/addrlistlookup.rc
#			  test is skipped if this variable is unset
# Variables, returned:
#   ISVIRUSNOTIFICATION		set to "1" if it's a virus notification,
#				  unset otherwise
#   SUBJECT_VIRUSALERT		set to "1" if Subject: is a virus alert,
#				  unset otherwise
#   SUBJECT_DELIVERFAIL		set to "1" if Subject: is delivery failure,
#				  unset otherwise
#   FROM_NOTIFY			set to "1" if From: is a delivery failure or
#				  virus alert, unset otherwise
#   LISTFOLDER		unset
#
# Run with e.g.:
#   TAB="	"
#   NL="
#   "
#   SENDER_DOMAIN="(mydomain.net|myisp.co.nz)"
#   SENDER_IP="(123\.456\.[0-9]+\.[0-9]+)"
#   LISTFOLDER=somepath/virus-rubbish
#   INCLUDERC=yourpath/virusnotification.rc
# or
#   ...
#   LISTFOLDER=
#   INCLUDERC=yourpath/virusnotification.rc
#   :0
#   * ISVIRUSNOTIFICATION ?? ^^1^^
#   { ... }
# in your $HOME/.procmailrc.
#
# The latest version is always available from:
# http://volker.dnsalias.net/soft/procmail/
#
# Copyright (C) by Volker Kuhlmann <VolkerKuhlmann@GMX.de>
# Released under the terms of the GNU General Public License (GPL) Version 2.
# See http://www.gnu.org/ for details.
#
# Volker Kuhlmann
#   3, 4, 5, 9, 10, 30 Sep; 1, 2, 7, 8, 10, 12, 13, 16, 21, 24, 28 Oct 2003
#   30, 31 Jan; 2, 6, 7, 11, 24, 25 Feb; 1, 3, 4, 6 Mar; 14 Apr; 1 Jul;
#     3, 4 Aug; 14 Nov 2004
#   1 Feb; 21 Oct; 3 Dec 2005
#   1 Jan 2006
#   1 Jul 2007
#


##### Variables
#####

## Common virus subject strings (not anchored!)
VIRUS_SUBJ_SOBIGF="((Re|Aw): *)*(Wicked screensaver|That movie|Approved|(|my |Your )Details|(|Your )Application|Thank you!)"
word1="(((Microsoft|MS)|Corporation|)|)"
word2="(Critical|Internet|Network|Security|Latest|Public)"
word3="(Email *)?(Delivery *)?(Patch|Pack|Upgrade|Update|Center|Assistance|Service(s|)|Division|Security)"
VIRUS_SUBJ_1="$word1( |)$word2 $word3"

## Microsoft executable extensions
MICKEY_EXE="(exe|scr|pif|bat|com|cmd|dll|vbs|vbx)"
# mime filename matching:
#name=[^>]*\.(ade|adp|asd|bas|bat|chm|cmd|com|cpl|crt|dbx|dll|exe|hlp|hta|inf|ins|isp|lnk|js|jse|lnk|ocx|mde|mdt|mdw|msc|msi|msp|mst|nws|ops|pcd|pi|pif|prf|reg|scf|scr|sct|shb|shm|shs|swf|uue|vb|vbe|vbs|vbx|vxd|wab|wsc|wsf|wsh)

## Attachments with these names/extensions are blocked unless from a whitelisted
## sender (listed in file $ATTACHMENTWHITELIST; requires addrlistlookup.rc)
ATTACHMENT_BLOCK_NAME=".*\.(zip|$MICKEY_EXE)"

## Common virus document names
VIRUS_DOCNAMES_1="(document_all|your_document|thank_you).pif"
VIRUS_DOCNAMES_2="(VirusWarning|removed0|deleted0).txt"
# delivery failures with any of these attachment names -> dumped
VIRUS_DOCNAMES_3="((file|message)\.zip|text.cmd.htm|alert.txt|.*$MICKEY_EXE)"

## Common virus names
VIRUS_NAMES="(bagle.[a-z]|swen|sobig|novarg|worm.sco|mydoom|mimail.r|netsky.[a-z]|worm.somefool)"

## Common MS-domains used by viruses
VIRUS_MS_DOMAIN="([a-z_.-]*(microsoft|msdn|msn)|[a-z_.-]*\.(ms))\.(com|net|org)"

## Common virus sender addresses
VIRUS_FROM_1="(Internet Storage System|Net Mail Delivery)"

## Common virus receiver addresses
VIRUS_TO_1="(Net(|work)|Mail) (User|Receiver)"

## MIME types used by virus
VIRUS_MIME_AUDIO_RE="^Content-Type:[ $TAB]*audio/x-(wav|midi);"

## Sender of delivery problem notifications
FROM_NOTIFY_FAIL_RE="(Mail|message) Delivery (|Sub)System|.*MAILER-DAEMON@|(|.*<)postmaster[^ @]*@|gatekeeper@|virus-alert@|amavisd|root@"
#
## Sender of virus notifications
FROM_NOTIFY_VIRUS_RE=".*(virus(admin|master|check)@|anti.?virus|antivir[^@]*adm)"
#
FROM_NOTIFY_RE="^From:[ $TAB]*\"?($FROM_NOTIFY_FAIL_RE|$FROM_NOTIFY_VIRUS_RE)"
FROM_NOTIFY_FAIL_RE="^From:[ $TAB]*\"?($FROM_NOTIFY_FAIL_RE)"
FROM_NOTIFY_VIRUS_RE="^From:[ $TAB]*\"?($FROM_NOTIFY_VIRUS_RE)"

## Set ISVIRUSNOTIFICATION if match occurs
ISVIRUSNOTIFICATION=


##### Subject: tests
#####

# Subject contains virus alert (or cleaning notification)
SUBJECT_VIRUSALERT=
:0
* 1^0 ^Subject: *Virus in your (letter|e?mail|message)
* 1^0 ^Subject: *VIRUS (ALERT|IN YOUR E?MAIL)
* 1^0 ^Subject: *VIRUS.*IN (E?MAIL FROM YOU|YOUR E?MAIL)
* 1^0 ^Subject:.*(virus.*(detect|found)|(detect|found).*virus)
* 1^0 ^Subject:.*scan.*\<alert
* 1^0 ^Subject:.*Bug Advice
* 1^0 ^Subject: *Failed to clean virus
* 1^0 ^Subject: *problem found in sent message
* 1^0 ^Subject: *(Policy Violation|=\?utf-8\?B\?UG9saWN5IFZpb2xhdGlvbm)
{ SUBJECT_VIRUSALERT=1 }

## Subject contains a delivery failure
SUBJECT_DELIVERFAIL=
:0
* 1^0 ^Subject: *failure notice
* 1^0 ^Subject: *(|Mail )delivery \(?fail(ed|ure)
* 1^0 ^Subject: *((Returned|Undelivered) mail|Message)(: (.*User unknown|see transcript for details))?
* 1^0 ^Subject: *Undeliver(ed|able) (Mail|Message):? Returned to Sender
* 1^0 ^Subject: *Undeliverable:
* 1^0 ^Subject:.*undeliverable mail
* 1^0 ^Subject: *Mail System Error.*Returned Mail
* 1^0 ^Subject: *Delivery Status Notification
{ SUBJECT_DELIVERFAIL=1 }

## From contains delivery failure or virus notification
FROM_NOTIFY=
:0
* $ $FROM_NOTIFY_RE
{ FROM_NOTIFY=1 }


##### "Your message was infected" notices; also "msg to you was cleaned"
#####

# General condition 1
:0
* SUBJECT_VIRUSALERT ?? ^^1^^
* FROM_NOTIFY ?? ^^1^^
{ ISVIRUSNOTIFICATION=1 }

# General condition 2
:0
* $ $FROM_NOTIFY_VIRUS_RE
* 1^0 SUBJECT_VIRUSALERT ?? ^^1^^
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
{ ISVIRUSNOTIFICATION=1 }

# General condition 3
:0
* FROM_NOTIFY ?? ^^1^^
{
  :0 B
  *  1^0 ^---* .*(virus|worm|warning).* --
  *  1^0 (virus|worm)
  *  1^0 $ $VIRUS_NAMES
  *  1^0 $ \.$MICKEY_EXE\.?($|[^a-z])
  * -2^0 .
  { ISVIRUSNOTIFICATION=1 }
}

# General condition 4
:0
* SUBJECT_VIRUSALERT ?? ^^1^^
{
  :0 B
  *  2^1 ((contain|delete|found|detect|infect).*virus|(was|were) (delete|found|detect|infect)|virus name)
  *  1^0 (message.*(you sent|sent by this account))
  *  1^0 $ $VIRUS_NAMES
  * -2^0 .
  { ISVIRUSNOTIFICATION=1 }
}

# General condition 5 - enough is enough
:0
* ^Subject: *virus alert$
{ ISVIRUSNOTIFICATION=1 }

# AMaViS
:0
* SUBJECT_VIRUSALERT ?? ^^1^^
* ^From: *(postmaster@|amavisd)
*   2^0 $ B ?? ^[ $TAB]*V *I *R *U *S *A *L *E *R *T
*   2^0 $ B ?? ^[ $TAB]*viruschecker found a VIRUS in your email
*   1^0 $ B ?? ^[ $TAB]*Our content checker found
*   2^0 $ B ?? ^[ $TAB]*Please check your system for vir
*  -2^0 .
{ ISVIRUSNOTIFICATION=1 }

# Antigen
:0
* ^From: *Antigen[_@]
* 1^0 ^Subject:.*(virus|worm)
* 1^0 ^Subject:.*(detected|found)
* B ?? (was infected with|attachment with a (virus|worm))
{ ISVIRUSNOTIFICATION=1 }

# Bitdefender
:0
* ^Subject: BitDefender found an infected
* ^From: bitdefender@
{ ISVIRUSNOTIFICATION=1 }

# eSafe
:0
* ^Subject:.*alert.*esafe
*  1^0 ^From:.*\<esafe\>
*  1^0 B ?? ^Scan result:.*(remove|malicious|content)
* -1^0 .
{ ISVIRUSNOTIFICATION=1 }

# Exchange
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* ^ScanMail for Microsoft Exchange
* ^Action taken on message
* quarantined
{ ISVIRUSNOTIFICATION=1 }

# Groupshield
:0
* ^From:.*GroupShield
* ^Subject:.*GroupShield
* B ?? ^(infect|virus)
{ ISVIRUSNOTIFICATION=1 }

# Inflex
:0
* ^From: *(avadmin|postmaster)@
* ^Subject: Inflex scan report
* B ?? ^AntiVirus Results
* B ?? ^Virus.*found in file
{ ISVIRUSNOTIFICATION=1 }

# InterScan
:0
* ^From: *InterScan
* ^Subject:.*(not.*delivered|InterScan)
*  1^0 B ?? (virus.*was detected|detected virus)
*  1^0 B ?? attachment.*was infected
*  2^0 B ?? contain.*virus
* -1^0 .
{ ISVIRUSNOTIFICATION=1 }
:0	# what's this crap about?
* ^From: *InterScan Notification
* ^Subject: InterScan.*has delivered a message
* B ?? to inform you that a message has been delivered
{ ISVIRUSNOTIFICATION=1 }

# IRIS
:0
* ^From: *IRIS_AntiVirus@
{ ISVIRUSNOTIFICATION=1 }

# MailScanner, Email Virus Scanner (www.mailscanner.info)
:0
* ^From: *MailScanner
* ^Subject:.*((warning|virus).*(warning|virus)|Disinfected)
{
  :0
  * B ?? ^Our virus detector has just been triggered by a message you sent
  * B ?? ^This message is simply to warn you that your computer system may
  * B ?? ^The virus detector said this about the message
  { ISVIRUSNOTIFICATION=1 }
  :0
  *  1^0 B ?? ^A message you recently received from
  *  1^0 B ?? ^contained one or more viruses
  *  1^0 B ?? ^The viruses have been removed
  *  1^0 B ?? ^Email Virus Scanner
  * -1^0 .
  { ISVIRUSNOTIFICATION=1 }
}

# Otto.de
:0
* ^From: *POSTMASTER@
* ^Subject:.*Virus
* $ B ?? ^$VIRUS_SUBJ_SOBIGF$
* B ?? ^In der Nachricht
* B ?? ^ist ein Virus
{ ISVIRUSNOTIFICATION=1 }

# Panda
:0
* ^From:.*Panda
* ^Subject: *Virus incident
* B ?? has found a virus
{ ISVIRUSNOTIFICATION=1 }
:0
* ^X-.*pandasoft
*  1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
*  1^1 B ?? (Panda Antivirus GateDefender|antivirus|panda.?soft)
* -3^0 .
{ ISVIRUSNOTIFICATION=1 }

# Ravadmin
:0
* ^From:.*ravadmin
* ^Subject:.*virus scan
* 1^0 ^Importance: high
* 1^0 ^X-Mailer: ravmd
{ ISVIRUSNOTIFICATION=1 }

# Road Runner
:0
* ^Received:.*\.rr\.com
* B ?? Road Runner scans all outbound e-mail attachments
* B ?? contained.*files that were infected with
{ ISVIRUSNOTIFICATION=1 }

# SIT
:0
* B ?? ^^The following message sent by this account has violated system policy
{ ISVIRUSNOTIFICATION=1 }

# ScanMail for Microsoft Exchange (also matches blocked file warnings)
:0
* ^From: *System Attendant
* ^Subject: ScanMail Message:.*virus found or matched file blocking
* B ?? ^ScanMail for Microsoft Exchange has taken action on the message
* B ?? ^The attachment.*matched file blocking settings
{ ISVIRUSNOTIFICATION=1 }

# Sophos
:0
* ^Subject: Virus detected in:
* B ?? ^Scenarios.*virus.*detect
* B ?? ^contained a computer virus
* B ?? ^http://www.sophos.com/
{ ISVIRUSNOTIFICATION=1 }

# Symantec
:0
* ^X-Virus-Scanned:.*Symantec
* ^X-Virus-Scan-Result: Repaired
{ ISVIRUSNOTIFICATION=1 }
:0
* ^From: Symantec_AntiVirus
{ ISVIRUSNOTIFICATION=1 }

# SYMPA
:0
* ^From: SYMPA
* ^Subject: Results of your commands
{
  :0 B
  * No command
  { ISVIRUSNOTIFICATION=1 }
}

# TecnoFlex Informatica
:0
* ^From: *postmaster@
#* ^Subject: Virus no e-mail enviado para foto
* ^Subject: Virus no e-mail
{
  :0 B
  * 1^0 ^ATENÇÃO - VIRUS
  * 1^0 ^Mail Virus Scanner.*TecnoFlex Informatica
  * 1^0 ^http://.*tecnoflex
  * -1^0 .
  { ISVIRUSNOTIFICATION=1 }
}

# Wakwak
:0
* ^From:.*virus.*wakwak
* ^Subject:.*WAKWAK virus detect
* B ?? ^WAKWAK Virus Detect
{ ISVIRUSNOTIFICATION=1 }

# Dunno
:0
* ^Subject:.*(virus|bug letter)
{
  :0 B
  * 1^0 detected a virus .* in your (mail|msg|message|email|e-mail)
  * 1^0 antivirus
  { ISVIRUSNOTIFICATION=1 }
  :0
  * ^From:.*administrator
  { ISVIRUSNOTIFICATION=1 }
}

# Don't say
:0
* ^From:.*postmaster@
{
  :0 B
  * 1^0 ^El Software Declude Virus instalado
  * 1^0 ^El E-mail conteniendo el virus
  { ISVIRUSNOTIFICATION=1 }
}


##### MIME Body tests
#####

VIRUS_MIME_AUDIO=
VIRUS_MIME_BASE64=
VIRUS_MIME_MICKEY_EXE=

:0
* $ ^Content-Type:.*\<multipart\>.*\<boundary[ $TAB]*=[ $TAB]*\"?\/[^\" $TAB]+
{
  BOUNDARY = $MATCH
  #:0 i
  #* BOUNDARY ?? ^^"
  #BOUNDARY =| perl -e '$ENV{BOUNDARY} =~ /^"((?:\\.|[^\\"]+)+)"/; '
  #		   -e '$_ = $1; s/\\(.)/$1/g; print; '
  #:0B
  #* $ ^--$\BOUNDARY$(.+$)*Content-(Type|Disposition):(.|$[   ])*\.(list|of|bad|ex|ten|sions)
  #action
}

# these tests are expensive, skip if we already know it's rubbish
:0
* ISVIRUSNOTIFICATION ?? ^^^^
#* ! BOUNDARY ?? ^^^^
{

:0 B
* $ $VIRUS_MIME_AUDIO_RE
{ VIRUS_MIME_AUDIO=1 }

:0 B
* $ ^Content-Transfer-Encoding:[ $TAB]*base64
{ VIRUS_MIME_BASE64=1 }

:0 B
* $ ^Content-Type:.*;$NL?[ $TAB]*name=.*\.$MICKEY_EXE
{ VIRUS_MIME_MICKEY_EXE=1 }

}


##### Undeliverable / Undelivered
#####
##
## Either because of unknown recipient or because of disallowed attachment
## or any other reason.
## Not necessarily virus warnings, but undoubtedly caused by a virus.

## One of the bigger blights on the internet are dipshits who tell *me* when
## *someone else* sends them an email which they don't like. Doh!
#
# These emails often contain in the body (as multipart?) the received: headers
# of the email from someone else to them. If those received: don't show our own
# domain or IP, or the domain and IP don't match, we can safely dump it.
#
#VERBOSE=1
:0
* ISVIRUSNOTIFICATION ?? ^^^^
* ! SENDER_DOMAIN ?? ^^^^
* ! SENDER_IP ?? ^^^^
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^0 SUBJECT_VIRUSALERT ?? ^^1^^
* 1^0 FROM_NOTIFY ?? ^^1^^
{
  # Check that the received: line which contains our domain also contains our IP
  # address. 
  :0 B
  * $ ^Received:\/.*from.*[^@a-z0-9._-]$SENDER_DOMAIN([^a-z0-9_-].*|)$([ $TAB].*$)*
  * ! MATCH ^^^^
  * MATCH ?? .?[[(][0-9]+\.[0-9]+\.[0-9]+\.[0-9]+[])]
  {
    :0
    * ! $ MATCH ?? .?[[(]$SENDER_IP[])]
    { ISVIRUSNOTIFICATION=1 }
  }
  
  # If there are >=2 received: lines, at least one should contain our email
  # address. Or perhaps either our email or domain?
  
  # Check that any of the received: lines (if there are any one of course)
  # contains our domain (and/or IP?)
  
  # If there is a message-ID in the bounce, it must show my/our domain
  :0 B
  * ^Message-id:
  {
    :0 B
    * ! $ ^Message-id:.*@$SENDER_DOMAIN
    { ISVIRUSNOTIFICATION=1 }
  }
}
#VERBOSE=0

## Body contains delivery failure typically used by viruses. Or MTAs?
VIRUS_BODY_DELIVERFAIL__=
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
*  1^0 ^(|<.*> *)I\'m sorry to have to inform you
*  1^0 ^(|<.*> *)the message returned below could not be delivered
*  1^0 ^(|<.*> *)to (one or more destinations|the following address)
*  1^0 ^(|<.*> *)Undeliver(able|ed) *([^ ]* *|)to
*  1^0 ^(|<.*> *)Message follows:
*  1^0 ^(|<.*> *)This is the qmail program
# this is used by a real MTA bounce, however as virii try to look like a real
# bounce, it's indistinguishable:
*  1^0 ^(|<.*> *)Your message was not delivered for the following reason
* -1^0 .
{ VIRUS_BODY_DELIVERFAIL__=1 }

#VERBOSE=1
:0
* ISVIRUSNOTIFICATION ?? ^^^^
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^0 $ ^Subject:.*$VIRUS_SUBJ_SOBIGF
# encapsulate to speed up processing
{
  ## body contains a virus filter notice
  VIRUS_BODY_FILTERNOTICE__=
  :0 B
  *     1^0 (is|was) infected (with|by)
  *   0.7^0 antivirus
  *     1^0 message.*contain.*virus
  *     1^0 virus.*(was|were).*detect
  *     1^0 antivirus.*found.*virus
  *     1^0 found.*virus.*in file
  *     1^0 removed.*because.*contain.*virus
  *     1^0 reason.*infected
  *     1^0 was infected with.*(virus|worm)
  *   0.7^0 Antiviral Toolkit
  *   0.7^0 attachment.*removed
  * $ 0.7^0 ^Subject: *$VIRUS_SUBJ_SOBIGF$
  * -1.99^0 .
  { VIRUS_BODY_FILTERNOTICE__=1 }

  ## body contains a delivery failure notice
  ## (result is the score, if > 0.0, i.e. at least one condition matched)
  VIRUS_BODYBOUNCE_SCORE__=
  :0 B
  # AOL
  * 1^0 ^Your e-mail is being returned to you because there was a problem
  * 1^0 ^--AOL Postmaster
  # qmail @miami.edu
  * 1^0 ^Hi. This is the qmail-send program
  * 1^0 ^I\'m afraid I wasn\'t able to deliver your message to
  # Postfix
  * 1^0 ^This is the Postfix program at
  * 1^0 ^(I\'m sorry to have to inform you|below could not be delivered)
  # ??
  * 1^0 ^A message (|that )you sent could not be delivered
  * 1^0 ^(message has been rejected because|potentially executable attachment)
  #
  * 2^0 VIRUS_BODY_DELIVERFAIL__ ?? ^^1^^
  { VIRUS_BODYBOUNCE_SCORE__=$= }
  
  :0
  * FROM_NOTIFY ?? ^^1^^
  * VIRUS_BODY_FILTERNOTICE__ ?? ^^1^^
  { ISVIRUSNOTIFICATION=1 }

  :0 B
  # this condition is a must
  * $ $FROM_NOTIFY_FAIL_RE
  * $ ^Subject: *$VIRUS_SUBJ_SOBIGF$
  # score of VIRUS_BODYBOUNCE_SCORE__
  * $ $VIRUS_BODYBOUNCE_SCORE__^0 .
  #
  * $ 1^0 name=\"?$VIRUS_DOCNAMES_1
  * 1^0   ^X-Mailer:.*Microsoft
  * 1^0   ^Virus (identity found|name):
  * 1^0   (was infected with (the|a)|virus has been (deleted|removed))
  # require a score of 2 for a match
  * -1^0 .
  { ISVIRUSNOTIFICATION=1 }

  :0 B
  * FROM_NOTIFY ?? ^^1^^
  * ^-* *Virus Warning Message
  * 1^0 removed from here because it
  * 1^0 was cleaned by
  { ISVIRUSNOTIFICATION=1 }
  
  :0
  * VIRUS_BODY_FILTERNOTICE__ ?? ^^1^^
  * $ $VIRUS_BODYBOUNCE_SCORE__^0
  * -1^0 .
  { ISVIRUSNOTIFICATION=1 }
}
#VERBOSE=0


##### Rejected - virus, disallowed extension, unknown
#####

:0
* ^From: *System Anti-Virus Administrator
* ^Subject: Disallowed attachment type found
* B ?? ^A Disallowed attachment type was found in an Email message you sent.
* B ?? ^This Email scanner intercepted it and stopped the entire message
* B ?? ^reaching its destination.
{ ISVIRUSNOTIFICATION=1 }

:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* ^-* *Virus Warning Message
* removed from here because it contains a virus
* ^Found virus.*file
* 1^0 ^<.*Undeliver(able|ed) *([^ ]* *|)to
{ ISVIRUSNOTIFICATION=1 }

:0
* ^From:.*Notifier
* ^Subject:.*Unsafe attachment.*blocked
{ ISVIRUSNOTIFICATION=1 }


##### Matched by the Paradise.net.nz virus filter
#####

:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* ^This message has been processed by paradise.net using Brightmail... Anti-Virus Technology powered by Symantec
* ^The file .* was infected with .* has been deleted
* ^For more information on anti-virus tips and technology, visit
* ^http://www.paradise.net.nz/virus_faq.html
{
  ISVIRUSNOTIFICATION=1
  :0
  * ! LISTFOLDER ?? ^^^^
  { LISTFOLDER=$LISTFOLDER.paradise }
}


##### Virus, or virus was removed without a note being added
####
##
## The virus may still be in the email!!

:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* VIRUS_MIME_MICKEY_EXE ?? ^^1^^
{
VERBOSE=1
  :0
  * 1^0 HB ?? $ ^From:.*((Microsoft Corporation|MS|Program).*Security.*<.*@|<.*@$VIRUS_MS_DOMAIN)>
  * 1^0 HB ?? $ ^(From|Subject):.*$VIRUS_SUBJ_1
  * 1^0 HB ?? $ $VIRUS_MIME_AUDIO_RE$NL?[ $TAB]*name=.*\.$MICKEY_EXE\"?[ $TAB]*$
  * -1^0 .
  { ISVIRUSNOTIFICATION=1 }

  # A bit more ruthless (an audio file shouldn't be executable):
  :0 B
  * VIRUS_MIME_BASE64 ?? ^^1^^
  * $ $VIRUS_MIME_AUDIO_RE$NL?[ $TAB]*name=.*\.$MICKEY_EXE
  { ISVIRUSNOTIFICATION=1 }
  
  # Even more ruthless (any MS program which comes by email = virus):
  :0 B
  * VIRUS_MIME_BASE64 ?? ^^1^^
  * VIRUS_MIME_MICKEY_EXE ?? ^^1^^
  * $ ^Content-Type:[ $TAB]*application/x-msdownload
  { ISVIRUSNOTIFICATION=1 }
  
  # Could append .virus to $LISTFOLDER here to indicate the virus may still be
  # in the email
VERBOSE=0
}

## Virus with bounce text in body, type wav, base 64
:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* VIRUS_BODY_DELIVERFAIL__ ?? ^^1^^
* VIRUS_MIME_AUDIO ?? ^^1^^
* VIRUS_MIME_BASE64 ?? ^^1^^
{ ISVIRUSNOTIFICATION=1 }

## MS-exe or virus-docnames, plus html, plus hint of delivery failure
:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^0 VIRUS_BODY_DELIVERFAIL__ ?? ^^1^^
{
  :0 B
  * $ ^Content-Type:.*;$NL?[ $TAB]*name=\"?(.*\.$MICKEY_EXE|$VIRUS_DOCNAMES_2)
  * $ ^Content-Type:[ $TAB]*text/html
  { ISVIRUSNOTIFICATION=1 }
}

## typical virus
:0
* ISVIRUSNOTIFICATION ?? ^^^^
* 1^0 SUBJECT_DELIVERFAIL ?? ^^1^^
* 1^0 FROM_NOTIFY ?? ^^1^^
{
  :0 B
  * $ ^Content-Type:[^;]*;$NL?[ $TAB]*name=\"?$VIRUS_DOCNAMES_3
  { ISVIRUSNOTIFICATION=1 }
}

## Jan 04 virus
:0 B
* ISVIRUSNOTIFICATION ?? ^^^^
* SUBJECT_DELIVERFAIL ?? ^^1^^
* charset=\"?windows-1252
* ^The message cannot be represented in 7-bit ASCII encoding
{ ISVIRUSNOTIFICATION=1 }

## 1 Mar 04 virus
:0
* ^Content-type: multipart/mixed
{
  :0 B
  #  I am from Taiwan but I study in Camden, New Jersey now. I like to know people from different places .
  * ^I am from .*study in.*now.*know people from different places
  { ISVIRUSNOTIFICATION=1 }
}

## May/Jun/Jul 04?
:0
* ISVIRUSNOTIFICATION ?? ^^^^
* VIRUS_MIME_BASE64 ?? ^^1^^
* ^From: *\"?Bigamons\"? +
{ ISVIRUSNOTIFICATION=1 }

## These subjects are a virus
:0
* ISVIRUSNOTIFICATION ?? ^^^^
* ^Subject: ^_^ mew-mew .-.
{ ISVIRUSNOTIFICATION=1 }

## virus itself
VIRUS_BODY_SCORE_1=
:0 B
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* 1^0 this is the latest version of security update
* 1^0 Cumulative Patch
* 1^0 all known security vulnerabilities affecting
* 1^0 MS Internet Explorer, MS Outlook and MS Outlook Express
* 1^0 as well as three newly discovered vulnerabilities
* 1^0 Install now to (help| )maintain the security of your computer
* 1^0 from these vulnerabilities, the most serious of which could
* 1^0 allow an attacker to run executable on your computer
* 1^0 This update includes the functionality
* 1^0 of all previously released patches
* 1^0 System requirements: Windows
* 1^0 This update applies to
* 1^0 Recommendation: Customers should install the patch
* 1^0 at the earliest opportunity.
* 1^0 How to install: Run attached file
* 1^0 For security-related information about Microsoft products
* 1^0 ^http://www.microsoft.com/security/
* 1^0 ^Please do not reply to this message.
* -7^0 .
{ VIRUS_BODY_SCORE_1=$= }

## either a suspicious subject or from, plus a high score of virus body
:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* $ 1^0 ^Subject:.*$VIRUS_SUBJ_1
* $ 1^0 ^From:.*$VIRUS_MS_DOMAIN
{
  :0
  * $ $VIRUS_BODY_SCORE_1^0
  *   -3^0 .
  { ISVIRUSNOTIFICATION=1 }
}

## ( MS-exe or ( html and virus-docnames) ) and VIRUS_BODY_SCORE_1
:0 B
* ! ISVIRUSNOTIFICATION ?? ^^1^^
*   1^0 VIRUS_MIME_MICKEY_EXE ?? ^^1^^
*   1^0 $ Content-Type:[ $TAB]*text/html(.|$[ $TAB])*name=\"?$VIRUS_DOCNAMES_2(\"|$)
{
  :0
  * ! VIRUS_BODY_SCORE_1 ?? ^^^^
  { ISVIRUSNOTIFICATION=1 }
}

## WARNING: THIS MAY CATCH DISCUSSIONS ABOUT VIRUS FILTERS!!!!!
## Virus attachment name, base 64, and some suspicious words in body
## (This may be an outgoing mail scan)
#VERBOSE=1
:0 B
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* VIRUS_MIME_BASE64 ?? ^^1^^
* $ ^(Content-Type:.*;|)[ $TAB]*name=\"?$VIRUS_DOCNAMES_2
* 1^1 (infected|virus|worm|malicious|attachment|scan(ed|ning)|security threat)
* -7^0 .
{ ISVIRUSNOTIFICATION=1 }
#VERBOSE=0


##### Some generalised patterns
####

#VERBOSE=1
:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* 1^0 $ ^From:.*$VIRUS_FROM_1
* 1^0 $ ^To:.*$VIRUS_TO_1
{
  # if previous score > 1 = virus
  :0
  * $ $=^0
  *   -1^0 .
  { ISVIRUSNOTIFICATION=1 }
  
  :0 B
  *  1^1 virus
  *  1^1 worm
  *  1^1 $ $VIRUS_NAMES
  *  1^1 $ \.$MICKEY_EXE($|[^a-z])
  * -1^0 .
  { ISVIRUSNOTIFICATION=1 }
}

## Suspicious subject: and from:
:0
* $ ^From:.*$VIRUS_SUBJ_1
* SUBJECT_DELIVERFAIL ?? ^^1^^
{ ISVIRUSNOTIFICATION=1 }
#VERBOSE=0

## Certain attachment filename extensions and mail not from whitelisted sender
:0
* ! ISVIRUSNOTIFICATION ?? ^^1^^
* ! ATTACHMENTWHITELIST ?? ^^^^
{
  :0B
  * $ ^--$\BOUNDARY$(.+$)*Content-(Type|Disposition):(.|$[   ])*name=\"?$ATTACHMENT_BLOCK_NAME
  {
    ADDRESSLIST="$ATTACHMENTWHITELIST"
    INCLUDERC=$PROCDIR/addrlistlookup.rc
    :0
    * ! INLIST ?? ^^1^^
    { ISVIRUSNOTIFICATION=1 }
  }
}  


##### If match occurred and LISTFOLDER is set, save to LISTFOLDER
#####

:0
* ISVIRUSNOTIFICATION ?? ^^1^^
* ! LISTFOLDER ?? ^^^^
{
  :0
  * ! LISTFOLDER_UMASK ?? ^^^^
  { UMASK=$LISTFOLDER_UMASK }
  :0 :
  $LISTFOLDER
}

LISTFOLDER=

##### EOF virusnotification.rc