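# VIRUSCRUFT-PATTERNS.RC
#
# Patterns for various types of backscatter, blowback, and
# !$)(*%$#@)(*@!! *STUPID* anti-virus products that send
# "virus notifications" to the forged senders of virus emails.
# :(
#
# Last updated: 12/22/2005
#
# How this file works (for readers new to the SpamBouncer tree):
#
#   * Every recipe below is a procmail matcher for one family of
#     backscatter.  A match sets SBLOG to a log tag (the "A1R-..." strings)
#     and includes ${SBDIR}/functions/loglevel.rc, which is presumed to
#     write that tag to the log.  SBDIR is expected to be set by the caller.
#   * The nested `:0 / * $ ${SBSCORE}^0 / * 10^0 / { SBSCORE=$= }` recipe
#     uses procmail scoring to add 10 to SBSCORE ($= is the total score).
#   * Recipes that start with `* -1000^0` are weighted: the listed
#     conditions must add up to more than 1000 before the recipe fires.
#     Each condition line is scored independently, so a condition that is
#     listed twice counts twice (see the review notes on the last two
#     recipes).
#   * The last two recipes discard the message outright (`/dev/null`) when
#     NUKEBOUNCES is "yes"; otherwise they only set SPAMTAG=yes and
#     DANGEROUS=yes and let later recipes decide.  Delivery to /dev/null is
#     final: once it happens no later recipe sees the message.
#   * Conditions that were originally continued with a trailing backslash
#     are shown with the continuation lines indented.  procmail drops the
#     backslash-newline; the existing patterns (e.g. the `|\` alternation
#     list) only work if the leading whitespace of the continued line is
#     dropped as well -- confirm against your procmail version if a
#     multi-line pattern stops matching.
#
# Review notes (12/22/2005 patterns, reviewed later):
#   * `^Subject: \[MailServer Notification\] ...` and
#     `^Subject: \[VIRUS DETRUIT-DESTROYED\]` now escape their brackets.
#     Unescaped, `[...]` is a character class matching one character, so
#     neither line could match the subject it was written for (and
#     `T-D` inside the class was an inverted range).
#   * `cell-direct\.net` and `contains a virus\.$` now escape their dots,
#     matching the convention used everywhere else in this file.
#   * A few conditions in the last two recipes are visibly mangled in this
#     copy (a line break in the middle of a condition).  They are left as
#     found and flagged below; restore them from a clean copy before use.

# bdp.it backscatter with recipient address forged in
# From: field, instead of put in the To: field, the morons.
:0
* ^Received: from posta[0-9]*\.bdp\.it \(\[193\.43\.1[6-7]\.[0-9][0-9]?[0-9]?\]\)
* ^Subject: Returned due to virus;
{
  SBLOG="A1R-bdp.it backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# BorderWare MXtreme Mail Firewall
#
:0
* ^From:.*[^0-9a-z]BorderWare MXtreme Mail Firewall([^0-9a-z]|$)
* ^Subject: Discarded Mail:
{
  SBLOG="A1R-BorderWare MXtreme backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# Juno backscatter.
#
:0
* ^From: \"Juno Customer Care\" $
* ^Subject: ALERT: Email you sent may have contained a virus$
{
  SBLOG="A1R-Juno backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# MailFrontier backscatter.
#
# All four conditions are header-only (`H ??`); the three X-Mlf-* headers
# identify the product, the Subject identifies the notice.
:0
* H ?? ^Subject: Summary of junk emails blocked$
* H ?? ^X-Mlf-Communication-Key:
* H ?? ^X-Mlf-loginurl:
* H ?? ^X-Mlf-version:
{
  SBLOG="A1R-MailFrontier backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# MailMarshall Backscatter
#
# Weighted: any one 1100 line, or two of the 500/600 lines, clears -1000.
:0 BH
* -1000^0
* 1100^0 ^From:.*mailmarshall?@
* 1100^0 ^From:.*jbhblockedmail@jbhunt\.com([^a-z0-9.]|$)
* 500^0 ^Subject: Your email message was blocked$
* 600^0 (^|[^-_0-9a-z]|=2E)MailMarshal(ÿ|\.|=2E)com([^a-z0-9.]|\. |\.$|$)
* 500^0 (^|[^-_0-9a-z]|=2E)Marshal Software([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-MailMarshall backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# McAfee WebShield backscatter
#
# Lots of server-based antivirus products are sending notifications to
# the email address in the From: line of each virus they get, including
# to addresses in the Klez virus From: line. Since those addresses are
# almost never the ones belonging to the owner of the infected computer,
# these notifications are essentially spam, and extremely annoying. This
# filter treats these notices as spam and gets rid of them.
#
# NOTE(review): `\{VIRUS?\}` makes the trailing S optional rather than
# matching a literal "?"; the later recipe writes `\{Virus\?\}` for what
# looks like the same subject style.  Confirm against a real notice
# before changing it.
:0 BH
* -1000^0
* 1100^0 ^Subject: \{VIRUS?\}
* 1100^0 ^Subject: Virus Detected by Network Associates
* 1100^0 ^Subject: Virus Detected.*Webshield
* 1100^0 ^X-Mailer: Network Associates
* 800^0 ^X-NAI-WebShielde500-mimepp:
* 1100^0 ^The.*WebShield.*(detected|discovered).* virus([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z]|=2E)mcafeeb2b(ÿ|\.|=2E)com([^a-z0-9.]|\. |\.$|$)
{
  SBLOG="A1R-McAfee backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# Qmail Backscatter
#
:0
* H ?? ^Received: \(qmail [0-9]+ invoked by uid [0-9]+\);
* H ?? ^Subject: FAILURE:( )
* B ?? ^Your message contained a possible virus attachment listed below:$
{
  SBLOG="A1R-Qmail backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# ScanMail forged junk :(
#
# ScanMail not only sends notifications to forgery victims, but
# forges the victim's domain into the From: line of the response.
# The jerks!
#
# Two recipes: one on the headers (case-sensitive, flag D, so the
# lower-case `thread-index:` is matched as written), one on the body.
:0 HD
* -1000^0
* 600^0 ^Thread-Topic: ScanMail Message:
* 600^0 ^thread-index:
* 1100^0 ^Subject: ScanMail Message:
{
  SBLOG="A1R-ScanMail AntiVirus notification spam"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

:0 B
* -1000^0
* 1100^0 ^ScanMail for Microsoft Exchange has detected virus-infected attachment\(s\)\.$
* 1100^0 ^Warning to sender\. ScanMail has detected a virus in an email you sent\.$
{
  SBLOG="A1R-ScanMail AntiVirus notification spam"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# Schoolteam.net backscatter
#
# Stupid system responds to forged virus notifications, is inundating
# REVEAL and a number of other addresses.
#
:0
* ^Received:.*[^0-9a-z]smtp[0-9]\.schoolteam\.net([^0-9a-z.]|$)
* ^Subject: Error: undelivered email -
{
  SBLOG="A1R-Schoolteam.net backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# Symantec Norton Antivirus "Notifications" :/
#
# Lots of server-based antivirus products are sending notifications to
# the email address in the From: line of each virus they get, including
# to addresses in the Klez virus From: line. Since those addresses are
# almost never the ones belonging to the owner of the infected computer,
# these notifications are essentially spam, and extremely annoying. This
# filter treats these notices as spam and gets rid of them.
#
# Norton AntiVirus is one of these products.
#
# Header lines (H ??) carry the heavy weights; the body lines (B ??) are
# fragments of the boilerplate notice and only add up when several appear.
:0
* -1000^0
* H ?? 1100^0 ^From:.*Symantec_AntiVirus_for_SMTP_Gateways@
* H ?? 1100^0 ^From: NAV for Microsoft Exchange([^0-9a-z]|$)
* H ?? 1100^0 ^From:.*Norton_AntiVirus(_Gateway)?s?@
* H ?? 800^0 ^Subject: Virus Found in message \".*\"$
* H ?? 1100^0 ^Subject: NAV detected a virus $
* H ?? 1100^0 ^Subject: Norton AntiVirus detected (and quarantined )?a virus([^0-9a-z]|$)
* H ?? 1100^0 ^Subject: Symantec Mail Security detected([^0-9a-z]|$)
* H ?? 1100^0 ^Thread-Topic: Symantec([^0-9a-z]|$)
* H ?? 1100^0 ^X-Virus-Scanned: Symantec AntiVirus Scan Engine$X-Virus-Scan-Result: Repaired( )
* B ?? 300^0 ^Norton AntiVirus found a virus in an attachment you$
* B ?? 300^0 ^\([0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?\) sent to [0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?\.$
* B ?? 300^0 ^To ensure the recipient\(s\) are able to use the files you sent, perform a$
* B ?? 300^0 ^virus scan on your computer, clean any infected files, then resend this$
* B ?? 300^0 ^attachment\.$
* B ?? 300^0 ^Attachment: [-_0-9a-z\.]+\.[0-9a-z]+$
* B ?? 300^0 ^Virus name: [-_0-9a-z\.@]+$
* B ?? 300^0 ^Action taken: Clean failed : Quarantine succeeded :$
* B ?? 600^0 ^All infected components in the scanned document were deleted\.$
* B ?? 600^0 ^Subject of the message: .*$Recipient of the message:
{
  SBLOG="A1R-Symantec/Norton AntiVirus backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# Topica bounces to viruses/forged From: :/
#
# Topica is a spammer -- this stuff was previously treated as
# spam by the SpamBouncer. This stuff isn't direct spam, though;
# it's badly-implemented notifications going to the From: addresses
# of email posted to a mailing list.
#
:0
* ^From: Topica Customer Support $
* ^Subject: Your recent message to Topica\.com$
{
  SBLOG="A1R-Topica backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# Travelex.com backscatter
#
:0
* H ?? ^Received:.*[^0-9a-z]mail\.travelex\.com([^0-9a-z.]|$)
* H ?? ^From: postmaster@Travelex\.com$
* B ?? (^|[^0-9a-z])contained a virus which could not be removed\.
{
  SBLOG="A1R-Travelex.com backscatter"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # SBSCORE += 10
  :0
  * $ ${SBSCORE}^0
  * 10^0
  { SBSCORE=$= }
}

# Bogus Virus Notifications
#
# Lots of server-based antivirus products are sending notifications to
# the email address in the From: line of each virus they get, including
# to addresses in the Klez virus From: line. Since those addresses are
# almost never the ones belonging to the owner of the infected computer,
# these notifications are essentially spam, and extremely annoying. This
# filter treats these notices as spam and gets rid of them.
#
# Skipped when an earlier recipe already set VIRUSTAG or DANGEROUS.
# Scored: -1000 base; 1100 lines fire alone, 600 lines need a partner.
#
# NOTE(review): `^the message with following attributes has not been
# delivered,$` is listed twice below, so that single body line scores 1200
# and fires on its own.  Confirm whether that is intended before removing
# the duplicate (removing it changes which messages match).
# NOTE(review): the InterScan line `virus(es) ... attachmen\.` looks like
# two typos (an unescaped group, and a missing "t"); verify the exact text
# against a real InterScan notice before editing it.
# NOTE(review): the two `* 600^0 ^` conditions before the InterScan line
# (WebShield Appliance / Networks Associates copyright) are mangled in this
# copy -- a condition cannot span a bare line break.  Restore from a clean
# copy before use.
:0 BH
* ! VIRUSTAG ?? yes
* ! DANGEROUS ?? yes
* -1000^0
* 1100^0 ^From:.*[^0-9a-z](alert@notification\.messagelabs\.com([^a-z0-9.]|$)|\
  amavisd-new([^a-z0-9.]|$)|\
  ANTIGEN_|\
  \"Anti-Virus Administrator\"|\
  antivirus@|\
  antivirus-daemon@|\
  avadmin@|\
  avgroup@|\
  AvMailGate@|\
  Barracuda Spam Firewall <>|\
  blackhole@linklaters\.com|\
  (\")?DrWEB-DAEMON(\"|@)|\
  eSafe@|\
  GroupShield for Exchange|\
  if@|\
  interscan@|\
  ltkwhite@intergate\.bc\.ca([^a-z0-9.]|$)|\
  \"Mail Anti-Virus Protector\"|\
  mailengine@rocketmail\.net([^a-z0-9.]|$)|\
  \"MailScanner\"|\
  MAILsweeper@|\
  mms-notifier@|\
  spamCactus\.com([^a-z0-9.]|$)|\
  spampepper\.com([^a-z0-9.]|$)|\
  \"System Anti-Virus Administrator\"|\
  virus-checker@|\
  virusengelleme@|\
  VirusList Automaler System|\
  virusscanner@|\
  wsadmin@timewarner\.com([^a-z0-9.]|$))
* 600^0 ^From:.*[^0-9a-z](mailsupport|mms)@
* 600^0 ^Subject: Antigen found VIRUS=
* 600^0 ^Subject: BANNED FILENAME
* 1100^0 ^Subject: Caution: E-MAIL Quarantine Notification$
* 600^0 ^Subject: Content violation
* 600^0 ^Subject: Disallowed attachment type([^a-z0-9.]|\. |\.$|$)
* 600^0 ^Subject: eTrust Antivirus Gateway SMTP: Virus notification message$
* 600^0 ^Subject: \*\*\* FhG-Mailgateway: Virus-Warnung/virus alert \*\*\*$
* 1100^0 ^Subject: Failed to clean virus file([^a-z0-9.]|$)
* 1100^0 ^Subject: File blocked - ScanMail for Lotus Notes -->( )*$
* 600^0 ^Subject: Illegal attachment type found([^a-z0-9.]|$)
* 1100^0 ^Subject: InterScan NT Alert$
* 1100^0 ^Subject: \[MailServer Notification\] To External Sender: a virus was found([^a-z0-9.]|$)
* 1100^0 ^Subject: MESSAGE COULD NOT BE DELIVERED$
* 1100^0 ^Subject: MMS notification$
* 600^0 ^Subject: Norton AntiVirus detected and quarantined a virus([^a-z0-9.]|$)
* 600^0 ^Subject: PostMaster@[0-9a-z]+ notification$
* 600^0 ^Subject: Report to Sender$
* 600^0 ^Subject: Returned due to virus;
* 600^0 ^Subject: SAV detected a violation([^a-z0-9]|$)
* 600^0 ^Subject: Server Report$
* 1100^0 ^Subject: \[\*\*SPAM\*\*\]
* 1100^0 ^Subject: Notification : Uncleanable Virus Detected$
* 600^0 ^Subject: Unsolicited commercial email rejected$
* 600^0 ^Subject: Virus (Alert|Warning)$
* 600^0 ^Subject: VIRUS Detected in message([^a-z0-9.]|$)
* 600^0 ^Subject: virus found in sent message([^a-z0-9]|$)
* 1100^0 ^Subject: VIRUS \([^)]*\) IN MAIL FROM YOU$
* 600^0 ^Subject: (VIRUS NOTIFICATION|Worm Klez\.E immunity)$
* 600^0 ^Subject: \{Virus\?\} Undelivered Message$
* 600^0 ^Subject: Warning! Check you computer, there is new viruses you may be infected!
* 600^0 ^Subject: Warning: E-mail viruses detected$
* 1100^0 ^Subject: Warning: Possible Virus Infection$
* 600^0 ^Subject: WARNING. You tried to send a potential virus([^a-z0-9.]|\. |\.$|$)
* 1100^0 ^Subject: Virus found in the mail$
* 1100^0 ^Thread-Topic: ScanMail Message:
* 1100^0 ^X-Mailer: GWAVA Notification Service$
* 600^0 ^ contained a virus that could not be cleaned by our gateway\.
* 600^0 ^A virus was found in a message([^a-z0-9.]|\. |\.$|$)
* 600^0 ^Antivirus resources for.*can be found on the web at [^ ]+$
* 600^0 ^BANNED FILENAME ALERT$cell-direct\.net
* 600^0 ^Found virus [_0-9a-z.]+ in file [_0-9a-z.]+$
* 600^0 ^The uncleanable file [_0-9a-z.]+ is moved to /[-_0-9a-z.]+\.$
* 600^0 (^|[^-_0-9a-z])V I R U S A L E R T([^a-z0-9.]|\. |\.$|$)
* 600^0 ^Our virus scanner found a virus in your email to the following$
* 600^0 ^recipient\(s\) and your email was NOT delivered:$
* 600^0 ^ALERT!!!$This e-mail contained one or more infected files\.$
* 600^0 ^The following attachments were infected and have been repaired:$
* 600^0 ^The following infected attachments were deleted:$
* 600^0 ^The following infected attachments were blocked because of Mail Policy violations:$
* 600^0 ^You may wish to contact the sender to notify them about their infected file\(s\)\.$
* 600^0 ^VIRUS-WARNUNG: Am .* hat der Viren-Checker([^a-z0-9.]|\. |\.$|$)
* 600^0 ^The mail message (file: [0-9a-z][-_0-9a-z.]+) you sent to \
  [0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z]+ contains\
  a virus\. \([ 0-9a-z]+\)$
* 600^0 ^The virus [0-9a-z][-_/@!.0-9a-z]+ was found in an attachment$
* 600^0 ^eTrust Antivirus Gateway SMTP on [0-9a-z][-_0-9a-z.]+$\
  detected a virus infection in an e-mail from$
* 600^0 ^the message with following attributes has not been delivered,$
* 600^0 ^

The WebShield.* Appliance discovered a virus in this file\.$
* 600^0 ^

Copyright © 1993-2002, Networks Associates Technology, Inc\.
$
* 600^0 ^Sender, InterScan has detected virus(es) in your e-mail attachmen\.$
* 600^0 ^This Email scanner intercepted it and stopped the entire message$
* 600^0 ^Halo Boss, Virus telah ditemukan dalam salah satu email anda$
* 600^0 ^the message with following attributes has not been delivered,$
* 600^0 ^because contains an infected object\.$
* 600^0 ^Incident Information:-$
* 600^0 ^Our virus detector has just been triggered by a message you sent:-$
* 600^0 ^The scanned document was QUARANTINED\.$
* 600^0 ^The Declude Virus software on ([0-9a-z][-_0-9a-z]+\.)[a-z][a-z][a-z]?[a-z]? has reported that you $
* 600^0 ^sent an E-mail to [0-9a-z][-_0-9a-z.]+@([0-9a-z][-_0-9a-z]+\.)[a-z][a-z][a-z]?[a-z]?, containing the : [^ ]+ virus in the$
* 1100^0 ^The file you have sent was infected with a virus but \
  InterScan E-Mail VirusWall could not clean it\.$
{
  SBLOG="A1R-Useless Automatic Virus Notification"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # NUKEBOUNCES=yes: discard the notice.  This is a final delivery -- the
  # message is gone and nothing after this point runs for it.
  :0
  * NUKEBOUNCES ?? yes
  /dev/null

  # Otherwise just tag it and fall through to whatever follows.
  :0
  { SPAMTAG=yes }

  :0
  { DANGEROUS=yes }
}

# De-Fanged Virus Remnants (totally worthless)
#
# A number of virus filters, rather than blocking virus-laden emails
# outright, just remove the virus binary section and then send the
# "disinfected" email on to you. That results in a flood of useless
# virus-produced emails that don't have a virus, but don't have anything
# else you want either.
#
# Same guards and scoring scheme as the recipe above.  The multi-line MIME
# patterns match a stripped attachment stub (boundary, Content-Type,
# Content-Transfer-Encoding, Content-Disposition, then the closing
# boundary) with nothing in between.
#
# NOTE(review): `^Sorry Dangerous Attachment has been Removed\.$` and
# `^It was infected with the \"[^ ]+\" virus\.$` each appear twice below;
# as written each of those lines is worth 800, not 400.  Deduplicating
# would change which messages fire, so confirm the intent first.
# NOTE(review): the three `^()` conditions ("I'm sorry ...", "Undelivered
# message to ...@yahoo.com", "This is the qmail program") are mangled in
# this copy -- bare line breaks inside a condition.  Restore from a clean
# copy before use.
:0 BH
* ! VIRUSTAG ?? yes
* ! DANGEROUS ?? yes
* -1000^0
* 500^0 ^FROM: \"(Inet System|Internet Delivery Service)\"
* 500^0 ^Subject: \[VIRUS DETRUIT-DESTROYED\]
* 500^0 ^X-MailScanner: Found to be clean$
* 600^0 ^$(Please )?see the attached file for details\.$
* 600^0 ^this is the latest version of security update, the$
* 600^0 ^\"October 2003, Cumulative Patch\" update which fixes$
* 600^0 ^Install now to help maintain the security of your computer$
* 600^0 ^Windows 95/98/Me/2000/NT/XP$
* 600^0 ^/\+n2/\+74//P6/\+3w8hOh/xOW6yCm/iuu/zWv/0m4/XTH/IXK95TP9qPV9bfi/tDn9tfp9OP0/93r$
* 600^0 ^9L3Izy6Vzj22/lrC/mfG/JvJ5JGntAyd6IbX/3zD6GzP/3jV/2uoxHqbqujv8g6MvJTj/2HF5pXV$
* 600^0 ^606zz6Hp/63v/7j1/8Ps88b8/rbj5RKOkE2wr3OGhoKGhv7///Dx8V2alqvm4Zni1YPRvx5uVwyO$
* 600^0 ^Content-type:.*name=virus_detruit-destroyed\.[0-9a-z]+$
* 600^0 ^()---------------- Virus Warning Message([^a-z0-9.]|\. |\.$|$)
* 600^0 ^Found virus [^ ]+ in file [^ ]+$
* 600^0 ^()
I'm sorry =$the message returned below could not be delivered =$to one or more destinations.
$
* 600^0 ^()


Undelivered message to [0-9a-z][-_0-9a-z]+@yahoo\.com$
* 600^0 ^()$
This is the qmail program
$
* 1100^0 ^The message cannot be represented in 7-bit ASCII encoding and has been sent$\
  as a binary attachment\.
* 600^0 ^\*\*\*\*\*\*\*\* McAfee GroupShield for Microsoft Exchange \*\*\*\*\*\*\*\*\*\*$
* 600^0 ^The file ([0-9a-z][-_0-9a-z]+\.)+[a-z]+ has been replaced\.
* 600^0 (^|[^-_0-9a-z])Reason: The file met the blocking options set in the anti-virus system\.
* 600^0 ^Content-Type: text/plain; charset=us-ascii$Content-Transfer-Encoding: 7bit$$why\?$
* 600^0 ^Content-Type: application/x-zip-compressed; name=\"[0-9a-z]+\.zip\"$\
  Content-Transfer-Encoding: base64$\
  Content-Disposition: attachment; filename=\"[0-9a-z]+\.zip\"$$$--
* 1100^0 ^----------[a-z]+$\
  Content-Type: application/octet-stream; name=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"$\
  Content-Transfer-Encoding: base64$\
  Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"$([^0-9a-z]*$)+\
  ----------[a-z]+--$
* 600^0 (^|[^0-9a-z])replaced by Sophos Anti-Virus([^0-9a-z]|$)
* 300^0 (^|[^0-9a-z])infected by a virus([^0-9a-z]|$)
* 300^0 (^|[^0-9a-z])attachment of this message([^0-9a-z]|$)
* 1100^0 (^|[^0-9a-z])------=_NextPart_[^ ]+$Content-Type: application/octet-stream;$\
  [^0-9a-z]*name=\"[0-9a-z]+\.[a-z][a-z]+\"$Content-Transfer-Encoding: base64$\
  Content-Disposition: attachment;$\[^0-9a-z]*filename=\"[0-9a-z]+\.[a-z][a-z]+\"$$+\
  ------=_NextPart_[^ ]+$
* 1100^0 ^\+\+\+ Attachment: .*$\
  \+\+\+ Panda AntiVirus - www\.pandasoftware\.com$
* 1100^0 ^\-\-[^ ]+$\
  Content-Type: application/octet-stream; name=[^ ]+$\
  Content-Transfer-Encoding: base64$\
  Content-Disposition: attachment; filename=[^ ]+$$+\
  \-\-[^ ]+$
* 1100^0 ^\-\-[^ ]+$\
  Content-Type: application/octet-stream;$\
  [^0-9a-z]*name=[^ ]+$\
  Content-Transfer-Encoding: base64$\
  Content-Disposition: attachment;$\
  [^0-9a-z]*filename=[^ ]+$$+\
  \-\-[^ ]+$
* 1100^0 ^--[0-9]+$\
  Content-Type: application/x-zip-compressed; name=\"[^ "]\.zip\"$\
  Content-Transfer-Encoding: base64$\
  Content-Disposition: attachment; filename=\"[^ "]\.zip\"$$$\
  --[0-9]+--$
* 400^0 ^Sorry Dangerous Attachment has been Removed\.$
* 400^0 ^The file \"[-_0-9a-z]+\.[a-z][a-z]+\" has been removed because of a virus\.$
* 400^0 ^It was infected with the \"[^ ]+\" virus\.$
* 400^0 ^Sorry Dangerous Attachment has been Removed\.$
* 400^0 ^The file \"[0-9a-z][-_0-9a-z]+\.[a-z]+\" has been removed because of a virus\.$
* 400^0 ^It was infected with the \"[^ ]+\" virus\.$
* 400^0 ^File quarantined as: \"[0-9a-z][-_0-9a-z]+\.data\.zip\"\.$
* 1100^0 ^The original message content contained a virus or was blocked due \
  to blocking rules and has been removed\.$
* 400^0 ^Found virus [^ ]+ in file [^ ]+ \(in [^ ]+\)$
* 400^0 ^If you have questions, contact [0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?$
* 400^0 ^[^ ]+ is removed from here because it contains a virus\.$
* 1100^0 ^--[^ ]+$\
  Content-Type: application/x-msdownload; name=\"[0-9a-z][-_0-9a-z]+\.exe\"$\
  Content-Transfer-Encoding: base64$\
  Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.exe\"$$$+\
  --[^ ]+$
* 1100^0 ^------------------ Virus Warning Message \(on [^ ]+\)$$\
  [^ ]+ is removed from here because it contains a virus\.$
{
  SBLOG="A1R-Defanged Virus email (worthless)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # NUKEBOUNCES=yes: discard the remnant.  Final delivery; nothing after
  # this point runs for the message.
  :0
  * NUKEBOUNCES ?? yes
  /dev/null

  # Otherwise tag it and fall through.
  :0
  { SPAMTAG=yes }

  :0
  { DANGEROUS=yes }
}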