2 rawbody PIC_GIF /^Content-ID: <pic\d*\.gif>/i
3 describe PIC_GIF pic*.gif in attachment, common spam/virus
6 header POSSIBLEVIRUS Subject =~ /\{Virus\?\} /
7 describe POSSIBLEVIRUS possible or cleaned virus tag found in Subject
10 # cjwatson, 2003/09/22 2003/10/02
11 header AV_SCAN Subject =~ /AntiVirus scan results/
12 describe AV_SCAN virus fallout
15 # cjwatson, 2003/09/24
16 body CORREO_TERRA /Antivirus de Correo de Terra/
17 describe CORREO_TERRA virus fallout
20 # cjwatson, 2003/09/24
21 body WEBSHIELD /Network Associates WebShield SMTP.*detected virus/
22 describe WEBSHIELD virus fallout
25 # cjwatson, 2003/09/25, joy 2003-10-01
26 header AV_ALERT Subject =~ /^(Anti)?Virus Alert/
27 describe AV_ALERT virus fallout
30 # cjwatson, 2003/09/29
31 body INFECTED_OBJ /because contains an infected object/
32 describe INFECTED_OBJ virus fallout
36 header AV_RESULTS Subject =~ /AntiVirus scan results/i
37 describe AV_ALERT anti-virus spam
40 # cjwatson, 2004-01-27
41 header IOL_ALERTA Subject =~ /IOL - ALERTA de Virus/
42 describe IOL_ALERTA misdirected antivirus
46 rawbody ZIPCOMPRESSED /application\/x-zip-compressed/i
47 describe ZIPCOMPRESSED zip compressed attachment
51 header MICROVIRUS subject =~ /(?:Current|Latest|Newest|New) (?:Microsoft|Internet|Net) (?:Security|Critical)? ?(?:Patch|Pack|Update|Upgrade)/i
52 describe MICROVIRUS microsoft email virus
56 rawbody AVGMAIL /\b\-\-\=\=\=\=\=\=\=AVGMAIL/
57 describe AVGMAIL avg virus claim
60 # don 2007-06-25 blarson 2007-06-28
61 # This is %PDF-1.1 base64 encoded
62 full PDFATTACH /JVBERi0xLjE/
63 describe PDFATTACH PDF Attachment
67 header PDFNAME subject =~ /\w\.pdf\b/i
68 describe PDFNAME pdf spam
72 rawbody APPPDF /\bContent-Type\:\s+application\/pdf/i
73 describe APPPDF pdf attachment
77 body NOVIR /^No virus found in this incoming message\./
78 describe NOVIR bogus no virus