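# -*- mode: spamassassin -*-
#
# Local rules for virus-related mail: suspicious attachments, antivirus
# gateway notices and malware lures. Every pattern here matches text the
# sender controls, so a hit is a scoring hint, not proof of infection.
# A rule with no "score" line gets SpamAssassin's default score of 1.0
# unless another configuration file sets one.

# Inline image part whose Content-ID is "pic<digits>.gif".
# NOTE(review): current SpamAssassin documents rawbody as covering the decoded
# textual parts only; confirm on the deployed version that a MIME part header
# such as Content-ID is still visible to a rawbody rule (a "full" rule or the
# MIMEHeader plugin's "mimeheader" test are the alternatives).
rawbody PIC_GIF /^Content-ID: <pic\d*\.gif>/i
describe PIC_GIF pic*.gif in attachment, common spam/virus

# Literal "{Virus?} " tag (with trailing space) anywhere in the Subject.
header POSSIBLEVIRUS Subject =~ /\{Virus\?\} /
describe POSSIBLEVIRUS possible or cleaned virus tag found in Subject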
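# Notices generated by antivirus gateways ("virus fallout"). Each rule keys on
# one product's fixed Subject or body wording.

# cjwatson, 2003/09/22 2003/10/02
# Case-sensitive. AV_RESULTS below is the same pattern with /i, so a Subject
# in exactly this casing hits both rules and collects both scores.
header AV_SCAN Subject =~ /AntiVirus scan results/
describe AV_SCAN virus fallout

# cjwatson, 2003/09/24
body CORREO_TERRA /Antivirus de Correo de Terra/
describe CORREO_TERRA virus fallout

# cjwatson, 2003/09/24
body WEBSHIELD /Network Associates WebShield SMTP.*detected virus/
describe WEBSHIELD virus fallout

# cjwatson, 2003/09/25, joy 2003-10-01
# Anchored: the Subject must begin with "Virus Alert" or "AntiVirus Alert".
header AV_ALERT Subject =~ /^(Anti)?Virus Alert/
describe AV_ALERT virus fallout

# cjwatson, 2003/09/29
body INFECTED_OBJ /because contains an infected object/
describe INFECTED_OBJ virus fallout

# Case-insensitive variant of AV_SCAN.
header AV_RESULTS Subject =~ /AntiVirus scan results/i
# The description must name AV_RESULTS. A "describe AV_ALERT" line in this
# position would override AV_ALERT's description above and leave AV_RESULTS
# with no description in reports.
describe AV_RESULTS anti-virus spam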
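# cjwatson, 2004-01-27
header IOL_ALERTA Subject =~ /IOL - ALERTA de Virus/
describe IOL_ALERTA misdirected antivirus

# Matches the literal MIME type label application/x-zip-compressed only;
# an archive declared as any other type is not covered by this rule.
# NOTE(review): current SpamAssassin documents rawbody as covering decoded
# textual parts only; confirm the Content-Type line of an attachment is still
# visible to a rawbody rule on the deployed version.
rawbody ZIPCOMPRESSED /application\/x-zip-compressed/i
describe ZIPCOMPRESSED zip compressed attachment

# Subject of the form "<Current|Latest|Newest|New> <Microsoft|Internet|Net>
# [Security|Critical] <Patch|Pack|Update|Upgrade>", case-insensitive.
header MICROVIRUS subject =~ /(?:Current|Latest|Newest|New) (?:Microsoft|Internet|Net) (?:Security|Critical)? ?(?:Patch|Pack|Update|Upgrade)/i
describe MICROVIRUS microsoft email virus

# Marker string "--=======AVGMAIL".
# NOTE(review): \b in front of "--" only matches when the character just
# before the dashes is a word character, so a marker at the very start of a
# line does not match. Confirm that is intended.
rawbody AVGMAIL /\b\-\-\=\=\=\=\=\=\=AVGMAIL/
describe AVGMAIL avg virus claim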
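# PDF attachment indicators. A PDF attachment is not malicious in itself;
# these rules only add weight alongside other hits.

# don 2007-06-25 blarson 2007-06-28
# This is %PDF-1.1 base64 encoded
# "full" rules see the undecoded message, so this matches the start of a
# base64-encoded attachment. Only the 1.1 version header is covered; a PDF
# with any other version string produces different base64 and is missed.
full PDFATTACH /JVBERi0xLjE/
describe PDFATTACH PDF Attachment

# Subject contains a word character followed by ".pdf", i.e. something that
# looks like a file name.
header PDFNAME subject =~ /\w\.pdf\b/i
describe PDFNAME pdf spam

# NOTE(review): current SpamAssassin documents rawbody as covering decoded
# textual parts only; confirm a part's Content-Type header is still visible
# to a rawbody rule on the deployed version.
rawbody APPPDF /\bContent-Type\:\s+application\/pdf/i
describe APPPDF pdf attachment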
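# A "no virus found" footer is ordinary body text that any sender can add;
# the rule treats its presence as a signal rather than as reassurance.
body NOVIR /^No virus found in this incoming message\./
describe NOVIR bogus no virus

header ANTIGEN subject=~/Antigen Notification/
describe ANTIGEN Antigen Notification

# Matches "This is an automatic message" or "This is an automated message".
# This is the only rule here with an explicit score, and 2.0 is applied to a
# phrase that legitimate notification systems may also use.
# NOTE(review): check the false-positive rate against real ham before relying
# on this score.
body AUTOMATIC_MESSAGE /This is an automat(ic|ed) message/i
describe AUTOMATIC_MESSAGE body indicates it is an automated message
score AUTOMATIC_MESSAGE 2.0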
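# Scanner and courier lures: subjects imitating device or delivery notices,
# combined below with attachment indicators.

# The trailing "." is an unescaped wildcard: any character after "W" matches.
header XEROX subject=~/Scan from a Xerox W./i
describe XEROX Scanner malware

# Four top-level alternatives: "FedEx International"; a failed-delivery or
# "problem(s) with" phrase later followed by "item" or "parcel";
# "shipment delivery problem"; "delivery notification". The last is generic
# wording, so the rule is best used through FEDEX_ZIP rather than on its own.
header FEDEXPACKAGE subject=~/FedEx International|((unable to|could not) deliver|problems? with).*(item|parcel)|shipment delivery problem|delivery notification/i
describe FEDEXPACKAGE Fedex Package Virus spam

# "ID", "ID:", "#" or "n." followed by 7+ digits, then end of Subject or the
# word "shipment"/"delivery". Case-sensitive. The bare "ID" alternative is
# already covered by "ID:?".
header SHIPPING_ID subject =~ /(ID:?|ID|\#|n\.)\s*\d{7,}\s*($|shipment|delivery)/
describe SHIPPING_ID Contains a long ID number at the end or followed by shipment

# Same prefix and digits with no constraint on what follows, so every
# SHIPPING_ID hit is also a SHIP_ID_INT hit and both scores apply.
header SHIP_ID_INT subject =~ /(ID:?|ID|\#|n\.)\s*\d{7,}\s*/
describe SHIP_ID_INT Contains a long ID number inside

# NOTE(review): current SpamAssassin documents rawbody as covering decoded
# textual parts only; confirm an attachment's Content-Type line is still
# visible to a rawbody rule on the deployed version.
rawbody MSWORD /application\/msword/
describe MSWORD Has a word attachment

# Courier-style subject AND an archive or Word attachment indicator.
# NOTE(review): ZIPFILE is not defined among the rules visible here. Confirm
# it is defined elsewhere, otherwise that term never contributes a hit.
meta FEDEX_ZIP (FEDEXPACKAGE || SHIPPING_ID || SHIP_ID_INT ) && ( ZIPCOMPRESSED || ZIPFILE || MSWORD )
describe FEDEX_ZIP Fedex package with zip file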