# VIRUSCRUFT-PATTERNS.RC
#
#  Patterns for various types of backscatter, blowback, and
#  !$)(*%$#@)(*@!! *STUPID* anti-virus products that send
#  "virus notifications" to the forged senders of virus emails.
#  :(
#
#  Last updated: 12/22/2005

# bdp.it backscatter with recipient address forged in
# From: field, instead of put in the To: field, the morons.
#
#  Header-only match (no flags); both conditions are required: a
#  Received: line naming a posta*.bdp.it relay with a bracketed address in
#  193.43.16.x or 193.43.17.x, and a Subject: starting "Returned due to
#  virus;".  The Received: test matches any Received: line in the header,
#  including ones supplied by the sender, so it is a format check rather
#  than proof of origin.
#  NOTE(review): the Subject: pattern has two spaces after the colon --
#  confirm that the bdp.it notices really carry a doubled space.
:0
* ^Received: from posta[0-9]*\.bdp\.it \(\[193\.43\.1[6-7]\.[0-9][0-9]?[0-9]?\]\)
* ^Subject:  Returned due to virus;
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-bdp.it backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: the first condition contributes the current
 # ${SBSCORE} as its weight, the second adds 10, and $= (the recipe's
 # resulting score) is written back.  Nothing is stored if that sum is
 # not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# BorderWare MXtreme Mail Firewall
#
#  Header-only match; both conditions are required: a From: line carrying
#  the name "BorderWare MXtreme Mail Firewall" and a Subject: starting
#  "Discarded Mail:".  Both headers are written by whoever sent the
#  message, so a match identifies the notice format, not its real source.
:0
* ^From:.*[^0-9a-z]BorderWare MXtreme Mail Firewall([^0-9a-z]|$)
* ^Subject: Discarded Mail:
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-BorderWare MXtreme backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# Juno backscatter.
#
#  Header-only match; both conditions are required and both are anchored
#  at start and end, so the From: and Subject: lines must equal the Juno
#  notice text exactly (procmail compares case-insensitively by default).
:0
* ^From: \"Juno Customer Care\" <security@support\.juno\.com>$
* ^Subject: ALERT: Email you sent may have contained a virus$
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-Juno backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# MailFrontier backscatter.
#
#  All four conditions are required and each is tested against the header
#  ("H ??"): the exact summary Subject: plus the presence of three
#  X-Mlf-* headers.  Requiring the product-specific headers as well as the
#  Subject: keeps an ordinary message with the same subject from matching.
:0
* H ?? ^Subject: Summary of junk emails blocked$
* H ?? ^X-Mlf-Communication-Key:
* H ?? ^X-Mlf-loginurl:
* H ?? ^X-Mlf-version:
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-MailFrontier backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# MailMarshall Backscatter
#
#  Weighted match over header and body (BH).  Scoring starts at -1000 and
#  each pattern adds its weight once (^0); the recipe fires only when the
#  final score is positive, i.e. the matched weights total more than 1000.
#  Either From: rule (1100) is enough alone; the 600-point MailMarshal.com
#  mention needs one of the 500-point rules with it.  The two 500-point
#  rules together total exactly 1000, which leaves a score of 0 and does
#  not fire.
#  NOTE(review): the "я" alternative in the MailMarshal.com pattern looks
#  like a mis-encoded byte left by a charset conversion -- compare with
#  the upstream copy before relying on that branch.
:0 BH
* -1000^0
*  1100^0   ^From:.*mailmarshall?@
*  1100^0   ^From:.*jbhblockedmail@jbhunt\.com([^a-z0-9.]|$)
*   500^0   ^Subject: Your email message was blocked$
*   600^0   (^|[^-_0-9a-z]|=2E)MailMarshal(я|\.|=2E)com([^a-z0-9.]|\. |\.$|$)
*   500^0   (^|[^-_0-9a-z]|=2E)Marshal Software([^a-z0-9.]|\. |\.$|$)
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-MailMarshall backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}


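# McAfee WebShield backscatter
#
#  Lots of server-based antivirus products are sending notifications to
#  the email address in the From: line of each virus they get, including
#  to addresses in the Klez virus From: line.  Since those addresses are
#  almost never the ones belonging to the owner of the infected computer,
#  these notifications are essentially spam, and extremely annoying.  This
#  filter treats these notices as spam and gets rid of them.
#
#  Weighted match over header and body (BH).  Scoring starts at -1000 and
#  each pattern adds its weight once (^0); the recipe fires when the final
#  score is positive.  Every 1100 rule is sufficient alone.  The 800-point
#  X-NAI header rule cannot fire the recipe by itself and there is no
#  other sub-1000 rule to pair it with, so as written it never changes
#  the outcome.
#
#  The first Subject: rule used to read "\{VIRUS?\}", where the bare "?"
#  made the S optional instead of matching a literal question mark, so a
#  "{VIRUS?}" tag was never matched.  It now accepts "{VIRUS}" and
#  "{VIRUS?}".
#  NOTE(review): the "я" alternative in the mcafeeb2b.com pattern looks
#  like a mis-encoded byte left by a charset conversion -- compare with
#  the upstream copy before relying on that branch.
#
:0 BH
* -1000^0
*  1100^0   ^Subject: \{VIRUS\??\}
*  1100^0   ^Subject: Virus Detected by Network Associates
*  1100^0   ^Subject: Virus Detected.*Webshield
*  1100^0   ^X-Mailer: Network Associates
*   800^0   ^X-NAI-WebShielde500-mimepp:
*  1100^0   ^The.*WebShield.*(detected|discovered).* virus([^a-z0-9.]|\. |\.$|$)
*  1100^0   (^|[^-_0-9a-z]|=2E)mcafeeb2b(я|\.|=2E)com([^a-z0-9.]|\. |\.$|$)
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-McAfee backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}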


# Qmail Backscatter
#
#  All three conditions are required: two against the header ("H ??") --
#  a qmail "invoked by uid" Received: line and a Subject: starting
#  "FAILURE: " -- and one against the body ("B ??"), the exact notice
#  sentence on a line of its own.  The "( )" group keeps the space after
#  "FAILURE:" part of the pattern.
:0
*  H ?? ^Received: \(qmail [0-9]+ invoked by uid [0-9]+\);
*  H ?? ^Subject: FAILURE:( )
*  B ?? ^Your message contained a possible virus attachment listed below:$
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-Qmail backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}


# ScanMail forged junk :(
#
#   ScanMail not only sends notifications to forgery victims, but
#   forges the victim's domain into the From: line of the response.
#   The jerks!
#
#   Weighted header match with the D flag, so letter case is significant:
#   "thread-index:" must be lower case and "Thread-Topic:" capitalised as
#   written.  Scoring starts at -1000; the Subject: rule (1100) is enough
#   alone, and the two 600-point Thread rules fire the recipe together.
#   Because the From: domain is forged, nothing here relies on From:.
#
:0 HD
* -1000^0
*   600^0   ^Thread-Topic: ScanMail Message:
*   600^0   ^thread-index:
*  1100^0   ^Subject: ScanMail Message:
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-ScanMail AntiVirus notification spam"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# ScanMail notices recognised by body text (B flag: body only).
# Scoring starts at -1000 and either sentence (1100 each), found as a
# complete line, is enough to fire the recipe.  It logs under the same
# SBLOG label as the header-based ScanMail recipe, so a message matching
# both has 10 added to SBSCORE twice.
:0 B
* -1000^0
*  1100^0   ^ScanMail for Microsoft Exchange has detected virus-infected attachment\(s\)\.$
*  1100^0   ^Warning to sender\. ScanMail has detected a virus in an email you sent\.$
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-ScanMail AntiVirus notification spam"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# Schoolteam.net backscatter
#
#  Stupid system responds to forged virus notifications, is inundating
#  REVEAL and a number of other addresses.
#
#  Header-only match; both conditions are required: a Received: line
#  mentioning smtpN.schoolteam.net (N a single digit) and a Subject:
#  starting "Error: undelivered email -".  The Received: test matches any
#  Received: line in the header, including ones supplied by the sender.
#
:0
* ^Received:.*[^0-9a-z]smtp[0-9]\.schoolteam\.net([^0-9a-z.]|$)
* ^Subject: Error: undelivered email -
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-Schoolteam.net backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# Symantec Norton Antivirus "Notifications" :/
#
#  Lots of server-based antivirus products are sending notifications to
#  the email address in the From: line of each virus they get, including
#  to addresses in the Klez virus From: line.  Since those addresses are
#  almost never the ones belonging to the owner of the infected computer,
#  these notifications are essentially spam, and extremely annoying.  This
#  filter treats these notices as spam and gets rid of them.
#
#  Norton AntiVirus is one of these products.
#
#  Weighted match; each rule names its own search area ("H ??" header,
#  "B ??" body).  Scoring starts at -1000 and each pattern adds its weight
#  once (^0); the recipe fires when the matched weights total more than
#  1000.  Any 1100 header rule is enough alone.  The 800-point Subject:
#  rule needs at least one body rule with it, two 600-point body rules
#  fire together, and the 300-point body lines need four of their kind
#  (or a mix with the heavier rules) to get there.
#  A "$" in the middle of a pattern matches the line break, so the
#  X-Virus-Scanned and "Subject of the message" rules each span two
#  consecutive lines.
#
:0
* -1000^0
* H ??  1100^0   ^From:.*Symantec_AntiVirus_for_SMTP_Gateways@
* H ??  1100^0   ^From: NAV for Microsoft Exchange([^0-9a-z]|$)
* H ??  1100^0   ^From:.*Norton_AntiVirus(_Gateway)?s?@
* H ??   800^0   ^Subject: Virus Found in message \".*\"$
* H ??  1100^0   ^Subject: NAV detected a virus $
* H ??  1100^0   ^Subject: Norton AntiVirus detected (and quarantined )?a virus([^0-9a-z]|$)
* H ??  1100^0   ^Subject: Symantec Mail Security detected([^0-9a-z]|$)
* H ??  1100^0   ^Thread-Topic: Symantec([^0-9a-z]|$)
* H ??  1100^0   ^X-Virus-Scanned: Symantec AntiVirus Scan Engine$X-Virus-Scan-Result: Repaired( )
* B ??   300^0   ^Norton AntiVirus found a virus in an attachment you$
* B ??   300^0   ^\([0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?\) sent to [0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?\.$
* B ??   300^0   ^To ensure the recipient\(s\) are able to use the files you sent, perform a$
* B ??   300^0   ^virus scan on your computer, clean any infected files, then resend this$
* B ??   300^0   ^attachment\.$
* B ??   300^0   ^Attachment:  [-_0-9a-z\.]+\.[0-9a-z]+$
* B ??   300^0   ^Virus name: [-_0-9a-z\.@]+$
* B ??   300^0   ^Action taken:  Clean failed : Quarantine succeeded :$
* B ??   600^0   ^All infected components in the scanned document were deleted\.$
* B ??   600^0   ^Subject of the message: .*$Recipient of the message:
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-Symantec/Norton AntiVirus backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# Topica bounces to viruses/forged From: :/
#
#   Topica is a spammer -- this stuff was previously treated as
#   spam by the SpamBouncer.  This stuff isn't direct spam, though;
#   it's badly-implemented notifications going to the From: addresses
#   of email posted to a mailing list.
#
#   Header-only match; both conditions are required and both are
#   anchored at start and end, so the From: and Subject: lines must equal
#   the Topica notice text exactly.
#
:0
* ^From: Topica Customer Support <support@get\.topica\.com>$
* ^Subject: Your recent message to Topica\.com$
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-Topica backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}

# Travelex.com backscatter
#
#  All three conditions are required: in the header ("H ??") a Received:
#  line mentioning mail.travelex.com and a From: of exactly
#  postmaster@Travelex.com, and in the body ("B ??") the phrase
#  "contained a virus which could not be removed.".  The Received: test
#  matches any Received: line in the header, including ones supplied by
#  the sender.
:0
* H ?? ^Received:.*[^0-9a-z]mail\.travelex\.com([^0-9a-z.]|$)
* H ?? ^From: postmaster@Travelex\.com$
* B ?? (^|[^0-9a-z])contained a virus which could not be removed\.
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-Travelex.com backscatter"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Raise SBSCORE by 10: current ${SBSCORE} plus 10 is the recipe score,
 # and $= writes it back.  Nothing is stored if the sum is not positive.
 :0
 * $ ${SBSCORE}^0
 * 10^0
 { SBSCORE=$= }
}



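# Bogus Virus Notifications
#
#  Lots of server-based antivirus products are sending notifications to
#  the email address in the From: line of each virus they get, including
#  to addresses in the Klez virus From: line.  Since those addresses are
#  almost never the ones belonging to the owner of the infected computer,
#  these notifications are essentially spam, and extremely annoying.  This
#  filter treats these notices as spam and gets rid of them.
#
#  Skipped when VIRUSTAG or DANGEROUS already matches "yes".  Header and
#  body are both searched (BH).  Scoring starts at -1000 and each pattern
#  adds its weight once (^0), so the recipe fires when the matched weights
#  total more than 1000: any single 1100 rule, or two 600 rules.
#
#  Every pattern tests text that the sender of the message controls, so a
#  match means "looks like a scanner notice", not "was sent by a scanner".
#  When NUKEBOUNCES matches "yes" a matching message is delivered to
#  /dev/null and cannot be recovered; otherwise it is only tagged.
#
#  Pattern corrections in this revision (each accepts everything the old
#  pattern did unless noted):
#   - "[MailServer Notification]" had unescaped brackets, which procmail
#     read as a one-character class, so the literal subject never matched;
#     the brackets are now escaped.
#   - "(file: ...)" and "virus(es)" had unescaped parentheses, which only
#     grouped; the literal parentheses are now accepted as well.
#   - "attachmen\." now also accepts "attachment.".
#   - "contains\" ran straight into "a virus" on the continuation line
#     (leading whitespace of a continued regex is dropped); a space was
#     added before the backslash.
#   - The two Declude host patterns allowed only a single label before
#     the top-level domain; the label group may now repeat.
#  NOTE(review): "the message with following attributes has not been
#  delivered," is listed twice at 600, so that one line scores 1200 and
#  fires the recipe alone -- confirm that is intended.
#
:0 BH
* ! VIRUSTAG ?? yes
* ! DANGEROUS ?? yes
* -1000^0
*  1100^0   ^From:.*[^0-9a-z](alert@notification\.messagelabs\.com([^a-z0-9.]|$)|\
                              amavisd-new([^a-z0-9.]|$)|\
                              ANTIGEN_|\
                              \"Anti-Virus Administrator\"|\
                              antivirus@|\
                              antivirus-daemon@|\
                              avadmin@|\
                              avgroup@|\
                              AvMailGate@|\
                              Barracuda Spam Firewall <>|\
                              blackhole@linklaters\.com|\
                              (\")?DrWEB-DAEMON(\"|@)|\
                              eSafe@|\
                              GroupShield for Exchange|\
                              if@|\
                              interscan@|\
                              ltkwhite@intergate\.bc\.ca([^a-z0-9.]|$)|\
                              \"Mail Anti-Virus Protector\"|\
                              mailengine@rocketmail\.net([^a-z0-9.]|$)|\
                              \"MailScanner\"|\
                              MAILsweeper@|\
                              mms-notifier@|\
                              spamCactus\.com([^a-z0-9.]|$)|\
                              spampepper\.com([^a-z0-9.]|$)|\
                              \"System Anti-Virus Administrator\"|\
                              virus-checker@|\
                              virusengelleme@|\
                              VirusList Automaler System|\
                              virusscanner@|\
                              wsadmin@timewarner\.com([^a-z0-9.]|$))
*   600^0   ^From:.*[^0-9a-z](mailsupport|mms)@
*   600^0   ^Subject: Antigen found VIRUS=
*   600^0   ^Subject: BANNED FILENAME
*  1100^0   ^Subject: Caution: E-MAIL Quarantine Notification$
*   600^0   ^Subject: Content violation
*   600^0   ^Subject: Disallowed attachment type([^a-z0-9.]|\. |\.$|$)
*   600^0   ^Subject: eTrust Antivirus Gateway SMTP: Virus notification message$
*   600^0   ^Subject: \*\*\* FhG-Mailgateway: Virus-Warnung/virus alert \*\*\*$
*  1100^0   ^Subject: Failed to clean virus file([^a-z0-9.]|$)
*  1100^0   ^Subject: File blocked - ScanMail for Lotus Notes -->( )*$
*   600^0   ^Subject: Illegal attachment type found([^a-z0-9.]|$)
*  1100^0   ^Subject: InterScan NT Alert$
*  1100^0   ^Subject: \[MailServer Notification\] To External Sender: a virus was found([^a-z0-9.]|$)
*  1100^0   ^Subject: MESSAGE COULD NOT BE DELIVERED$
*  1100^0   ^Subject: MMS notification$
*   600^0   ^Subject: Norton AntiVirus detected and quarantined a virus([^a-z0-9.]|$)
*   600^0   ^Subject: PostMaster@[0-9a-z]+ notification$
*   600^0   ^Subject: Report to Sender$
*   600^0   ^Subject: Returned due to virus;
*   600^0   ^Subject: SAV detected a violation([^a-z0-9]|$)
*   600^0   ^Subject: Server Report$
*  1100^0   ^Subject: \[\*\*SPAM\*\*\]
*  1100^0   ^Subject: Notification : Uncleanable Virus Detected$
*   600^0   ^Subject: Unsolicited commercial email rejected$
*   600^0   ^Subject: Virus (Alert|Warning)$
*   600^0   ^Subject: VIRUS Detected in message([^a-z0-9.]|$)
*   600^0   ^Subject: virus found in sent message([^a-z0-9]|$)
*  1100^0   ^Subject: VIRUS \([^)]*\) IN MAIL FROM YOU$
*   600^0   ^Subject: (VIRUS NOTIFICATION|Worm Klez\.E immunity)$
*   600^0   ^Subject: \{Virus\?\} Undelivered Message$
*   600^0   ^Subject: Warning! Check you computer, there is new viruses you may be infected!
*   600^0   ^Subject: Warning: E-mail viruses detected$
*  1100^0   ^Subject: Warning: Possible Virus Infection$
*   600^0   ^Subject: WARNING. You tried to send a potential virus([^a-z0-9.]|\. |\.$|$)
*  1100^0   ^Subject: Virus found in the mail$
*  1100^0   ^Thread-Topic: ScanMail Message:
*  1100^0   ^X-Mailer: GWAVA Notification Service$
*   600^0   ^ contained a virus that could not be cleaned by our gateway\.
*   600^0   ^A virus was found in a message([^a-z0-9.]|\. |\.$|$)
*   600^0   ^Antivirus resources for.*can be found on the web at [^ ]+$
*   600^0   ^BANNED FILENAME ALERT$cell-direct.net
*   600^0   ^Found virus [_0-9a-z.]+ in file [_0-9a-z.]+$
*   600^0   ^The uncleanable file [_0-9a-z.]+ is moved to /[-_0-9a-z.]+\.$
*   600^0   (^|[^-_0-9a-z])V I R U S  A L E R T([^a-z0-9.]|\. |\.$|$)
*   600^0   ^Our virus scanner found a virus in your email to the following$
*   600^0   ^recipient\(s\) and your email was NOT delivered:$
*   600^0   ^ALERT!!!$This e-mail contained one or more infected files\.$
*   600^0   ^The following attachments were infected and have been repaired:$
*   600^0   ^The following infected attachments were deleted:$
*   600^0   ^The following infected attachments were blocked because of Mail Policy violations:$
*   600^0   ^You may wish to contact the sender to notify them about their infected file\(s\)\.$
*   600^0   ^VIRUS-WARNUNG: Am .* hat der Viren-Checker([^a-z0-9.]|\. |\.$|$)
*   600^0   ^The mail message \(?file: [0-9a-z][-_0-9a-z.]+\)? you sent to \
             [0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z]+ contains \
             a virus\. \([ 0-9a-z]+\)$
*   600^0   ^The virus [0-9a-z][-_/@!.0-9a-z]+ was found in an attachment$
*   600^0   ^eTrust Antivirus Gateway SMTP on [0-9a-z][-_0-9a-z.]+$\
             detected a virus infection in an e-mail from$
*   600^0   ^the message with following attributes has not been delivered,$
*   600^0   ^<p>The WebShield.* Appliance discovered a virus in this file\.$
*   600^0   ^<p>Copyright &copy; 1993-2002, Networks Associates Technology, Inc\.<br>$
*   600^0   ^Sender, InterScan has detected virus(es|\(es\)) in your e-mail attachment?\.$
*   600^0   ^This Email scanner intercepted it and stopped the entire message$
*   600^0   ^Halo Boss, Virus telah ditemukan dalam salah satu email anda$
*   600^0   ^the message with following attributes has not been delivered,$
*   600^0   ^because contains an infected object\.$
*   600^0   ^Incident Information:-$
*   600^0   ^Our virus detector has just been triggered by a message you sent:-$
*   600^0   ^The scanned document was QUARANTINED\.$
*   600^0   ^The Declude Virus software on ([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]? has reported that you $
*   600^0   ^sent an E-mail to [0-9a-z][-_0-9a-z.]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?, containing the : [^ ]+ virus in the$
*  1100^0   ^The file you have sent was infected with a virus but \
             InterScan E-Mail VirusWall could not clean it\.$
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-Useless Automatic Virus Notification"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Discard outright when NUKEBOUNCES matches "yes".  Delivery to
 # /dev/null ends processing of this message, so the tagging below is
 # reached only when NUKEBOUNCES is not "yes".
 :0
 * NUKEBOUNCES ?? yes
 /dev/null

 # Otherwise tag the message as spam ...
 :0
 { SPAMTAG=yes }

 # ... and as dangerous, which also stops the recipes guarded by
 # "! DANGEROUS ?? yes" from testing it again.
 :0
 { DANGEROUS=yes }
}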


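# De-Fanged Virus Remnants (totally worthless)
#
#  A number of virus filters, rather than blocking virus-laden emails
#  outright, just remove the virus binary section and then send the
#  "disinfected" email on to you.  That results in a flood of useless
#  virus-produced emails that don't have a virus, but don't have anything
#  else you want either.
#
#  Skipped when VIRUSTAG or DANGEROUS already matches "yes".  Header and
#  body are both searched (BH).  Scoring starts at -1000 and each pattern
#  adds its weight once (^0); the recipe fires when the matched weights
#  total more than 1000.  Any 1100 rule is enough alone; the 600, 500, 400
#  and 300 rules have to add up past 1000 between them (two 500 rules
#  total exactly 1000 and do not fire).
#
#  Every pattern tests text that the sender of the message controls.  When
#  NUKEBOUNCES matches "yes" a matching message is delivered to /dev/null
#  and cannot be recovered; otherwise it is only tagged.
#
#  Pattern corrections in this revision:
#   - "[VIRUS DETRUIT-DESTROYED]" had unescaped brackets, which procmail
#     read as a character class instead of the literal subject tag; the
#     brackets are now escaped.
#   - In the "------=_NextPart_" rule a backslash sat in front of
#     "[^0-9a-z]*filename=", turning the class into a literal "[" so the
#     rule could not match; the backslash was removed so the line reads
#     like the matching "name=" line above it.
#   - The numeric-boundary zip rule allowed only a one-character file
#     name before ".zip"; the class may now repeat.
#  NOTE(review): "Sorry Dangerous Attachment has been Removed." and "It
#  was infected with the ... virus." are each listed twice at 400, so
#  each of those lines is worth 800 -- confirm that is intended.
#
:0 BH
* ! VIRUSTAG ?? yes
* ! DANGEROUS ?? yes
* -1000^0
*   500^0   ^FROM: \"(Inet System|Internet Delivery Service)\"
*   500^0   ^Subject: \[VIRUS DETRUIT-DESTROYED\]
*   500^0   ^X-MailScanner: Found to be clean$
*   600^0   ^$(Please )?see the attached file for details\.$
*   600^0   ^this is the latest version of security update, the$
*   600^0   ^\"October 2003, Cumulative Patch\" update which fixes$
*   600^0   ^Install now to help maintain the security of your computer$
*   600^0   ^<TD NOWRAP><FONT SIZE=3D\"1\">Windows 95/98/Me/2000/NT/XP</FONT></TD>$
*   600^0   ^/\+n2/\+74//P6/\+3w8hOh/xOW6yCm/iuu/zWv/0m4/XTH/IXK95TP9qPV9bfi/tDn9tfp9OP0/93r$
*   600^0   ^9L3Izy6Vzj22/lrC/mfG/JvJ5JGntAyd6IbX/3zD6GzP/3jV/2uoxHqbqujv8g6MvJTj/2HF5pXV$
*   600^0   ^606zz6Hp/63v/7j1/8Ps88b8/rbj5RKOkE2wr3OGhoKGhv7///Dx8V2alqvm4Zni1YPRvx5uVwyO$
*   600^0   ^Content-type:.*name=virus_detruit-destroyed\.[0-9a-z]+$
*   600^0   ^()----------------  Virus Warning Message([^a-z0-9.]|\. |\.$|$)
*   600^0   ^Found virus [^ ]+ in file [^ ]+$
*   600^0   ^()<BR>I'm sorry =$the message returned below could not be delivered =$to one or more destinations.<BR>$
*   600^0   ^()<BR><BR><BR>Undelivered message to <B>[0-9a-z][-_0-9a-z]+@yahoo\.com</B>$
*   600^0   ^()<iframe src="cid:[a-z]+" height=0 width=0></iframe>$<BR>This is the qmail program<BR>$
*  1100^0   ^The message cannot be represented in 7-bit ASCII encoding and has been sent$\
             as a binary attachment\.
*   600^0   ^\*\*\*\*\*\*\*\*   McAfee GroupShield for Microsoft Exchange    \*\*\*\*\*\*\*\*\*\*$
*   600^0   ^The file ([0-9a-z][-_0-9a-z]+\.)+[a-z]+ has been replaced\.
*   600^0   (^|[^-_0-9a-z])Reason: The file met the blocking options set in the anti-virus system\.
*   600^0   ^Content-Type: text/plain; charset=us-ascii$Content-Transfer-Encoding: 7bit$$why\?$
*   600^0   ^Content-Type: application/x-zip-compressed; name=\"[0-9a-z]+\.zip\"$\
             Content-Transfer-Encoding: base64$\
             Content-Disposition: attachment; filename=\"[0-9a-z]+\.zip\"$$$--
*  1100^0   ^----------[a-z]+$\
             Content-Type: application/octet-stream; name=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"$\
             Content-Transfer-Encoding: base64$\
             Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"$([^0-9a-z]*$)+\
             ----------[a-z]+--$
*   600^0   (^|[^0-9a-z])replaced by Sophos Anti-Virus([^0-9a-z]|$)
*   300^0   (^|[^0-9a-z])infected by a virus([^0-9a-z]|$)
*   300^0   (^|[^0-9a-z])attachment of this message([^0-9a-z]|$)
*  1100^0   (^|[^0-9a-z])------=_NextPart_[^ ]+$Content-Type: application/octet-stream;$\
            [^0-9a-z]*name=\"[0-9a-z]+\.[a-z][a-z]+\"$Content-Transfer-Encoding: base64$\
            Content-Disposition: attachment;$[^0-9a-z]*filename=\"[0-9a-z]+\.[a-z][a-z]+\"$$+\
            ------=_NextPart_[^ ]+$
*  1100^0   ^\+\+\+ Attachment: .*$\
             \+\+\+ Panda AntiVirus - www\.pandasoftware\.com$
*  1100^0   ^\-\-[^ ]+$\
             Content-Type: application/octet-stream; name=[^ ]+$\
             Content-Transfer-Encoding: base64$\
             Content-Disposition: attachment; filename=[^ ]+$$+\
             \-\-[^ ]+$
*  1100^0   ^\-\-[^ ]+$\
             Content-Type: application/octet-stream;$\
             [^0-9a-z]*name=[^ ]+$\
             Content-Transfer-Encoding: base64$\
             Content-Disposition: attachment;$\
             [^0-9a-z]*filename=[^ ]+$$+\
             \-\-[^ ]+$
*  1100^0   ^--[0-9]+$\
             Content-Type: application/x-zip-compressed; name=\"[^ "]+\.zip\"$\
             Content-Transfer-Encoding: base64$\
             Content-Disposition: attachment; filename=\"[^ "]+\.zip\"$$$\
             --[0-9]+--$
*   400^0   ^Sorry Dangerous Attachment has been Removed\.$
*   400^0   ^The file \"[-_0-9a-z]+\.[a-z][a-z]+\" has been removed because of a virus\.$
*   400^0   ^It was infected with the \"[^ ]+\" virus\.$
*   400^0   ^Sorry Dangerous Attachment has been Removed\.$
*   400^0   ^The file \"[0-9a-z][-_0-9a-z]+\.[a-z]+\" has been removed because of a virus\.$
*   400^0   ^It was infected with the \"[^ ]+\" virus\.$
*   400^0   ^File quarantined as: \"[0-9a-z][-_0-9a-z]+\.data\.zip\"\.$
*  1100^0   ^The original message content contained a virus or was blocked due \
             to blocking rules and has been removed\.$
*   400^0   ^Found virus [^ ]+ in file [^ ]+ \(in [^ ]+\)$
*   400^0   ^If you have questions, contact [0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?$
*   400^0   ^[^ ]+ is removed from here because it contains a virus.$
*  1100^0   ^--[^ ]+$\
             Content-Type: application/x-msdownload; name=\"[0-9a-z][-_0-9a-z]+\.exe\"$\
             Content-Transfer-Encoding: base64$\
             Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.exe\"$$$+\
             --[^ ]+$
*  1100^0   ^------------------  Virus Warning Message \(on [^ ]+\)$$\
             [^ ]+ is removed from here because it contains a virus\.$
{
 # Label this hit, then source the shared logging include (not shown in
 # this file; presumably it records SBLOG -- confirm).
 SBLOG="A1R-Defanged Virus email (worthless)"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Discard outright when NUKEBOUNCES matches "yes".  Delivery to
 # /dev/null ends processing of this message, so the tagging below is
 # reached only when NUKEBOUNCES is not "yes".
 :0
 * NUKEBOUNCES ?? yes
 /dev/null

 # Otherwise tag the message as spam ...
 :0
 { SPAMTAG=yes }

 # ... and as dangerous, which also stops the recipes guarded by
 # "! DANGEROUS ?? yes" from testing it again.
 :0
 { DANGEROUS=yes }
}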