# VIRUSCRUFT-PATTERNS.RC
#
# Patterns for various types of backscatter, blowback, and
# !$)(*%$#@)(*@!! *STUPID* anti-virus products that send
# "virus notifications" to the forged senders of virus emails.
# :(
#
# Last updated: 12/22/2005
# bdp.it backscatter with recipient address forged in
# From: field, instead of put in the To: field, the morons.
:0
* ^Received: from posta[0-9]*\.bdp\.it \(\[193\.43\.1[6-7]\.[0-9][0-9]?[0-9]?\]\)
* ^Subject: Returned due to virus;
{
SBLOG="A1R-bdp.it backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# BorderWare MXtreme Mail Firewall
#
:0
* ^From:.*[^0-9a-z]BorderWare MXtreme Mail Firewall([^0-9a-z]|$)
* ^Subject: Discarded Mail:
{
SBLOG="A1R-BorderWare MXtreme backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# Juno backscatter.
#
:0
* ^From: \"Juno Customer Care\" <security@support\.juno\.com>$
* ^Subject: ALERT: Email you sent may have contained a virus$
{
SBLOG="A1R-Juno backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# MailFrontier backscatter.
#
:0
* H ?? ^Subject: Summary of junk emails blocked$
* H ?? ^X-Mlf-Communication-Key:
* H ?? ^X-Mlf-loginurl:
* H ?? ^X-Mlf-version:
{
SBLOG="A1R-MailFrontier backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# MailMarshall Backscatter
#
:0 BH
* -1000^0
* 1100^0 ^From:.*mailmarshall?@
* 1100^0 ^From:.*jbhblockedmail@jbhunt\.com([^a-z0-9.]|$)
* 500^0 ^Subject: Your email message was blocked$
* 600^0 (^|[^-_0-9a-z]|=2E)MailMarshal(я|\.|=2E)com([^a-z0-9.]|\. |\.$|$)
* 500^0 (^|[^-_0-9a-z]|=2E)Marshal Software([^a-z0-9.]|\. |\.$|$)
{
SBLOG="A1R-MailMarshall backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# McAfee WebShield backscatter
#
# Lots of server-based antivirus products are sending notifications to
# the email address in the From: line of each virus they get, including
# to addresses in the Klez virus From: line. Since those addresses are
# almost never the ones belonging to the owner of the infected computer,
# these notifications are essentially spam, and extremely annoying. This
# filter treats these notices as spam and gets rid of them.
#
:0 BH
* -1000^0
* 1100^0 ^Subject: \{VIRUS?\}
* 1100^0 ^Subject: Virus Detected by Network Associates
* 1100^0 ^Subject: Virus Detected.*Webshield
* 1100^0 ^X-Mailer: Network Associates
* 800^0 ^X-NAI-WebShielde500-mimepp:
* 1100^0 ^The.*WebShield.*(detected|discovered).* virus([^a-z0-9.]|\. |\.$|$)
* 1100^0 (^|[^-_0-9a-z]|=2E)mcafeeb2b(я|\.|=2E)com([^a-z0-9.]|\. |\.$|$)
{
SBLOG="A1R-McAfee backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# Qmail Backscatter
#
:0
* H ?? ^Received: \(qmail [0-9]+ invoked by uid [0-9]+\);
* H ?? ^Subject: FAILURE:( )
* B ?? ^Your message contained a possible virus attachment listed below:$
{
SBLOG="A1R-Qmail backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# ScanMail forged junk :(
#
# ScanMail not only sends notifications to forgery victims, but
# forges the victim's domain into the From: line of the response.
# The jerks!
#
:0 HD
* -1000^0
* 600^0 ^Thread-Topic: ScanMail Message:
* 600^0 ^thread-index:
* 1100^0 ^Subject: ScanMail Message:
{
SBLOG="A1R-ScanMail AntiVirus notification spam"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
:0 B
* -1000^0
* 1100^0 ^ScanMail for Microsoft Exchange has detected virus-infected attachment\(s\)\.$
* 1100^0 ^Warning to sender\. ScanMail has detected a virus in an email you sent\.$
{
SBLOG="A1R-ScanMail AntiVirus notification spam"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# Schoolteam.net backscatter
#
# Stupid system responds to forged virus notifications, is inundating
# REVEAL and a number of other addresses.
#
:0
* ^Received:.*[^0-9a-z]smtp[0-9]\.schoolteam\.net([^0-9a-z.]|$)
* ^Subject: Error: undelivered email -
{
SBLOG="A1R-Schoolteam.net backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# Symantec Norton Antivirus "Notifications" :/
#
# Lots of server-based antivirus products are sending notifications to
# the email address in the From: line of each virus they get, including
# to addresses in the Klez virus From: line. Since those addresses are
# almost never the ones belonging to the owner of the infected computer,
# these notifications are essentially spam, and extremely annoying. This
# filter treats these notices as spam and gets rid of them.
#
# Norton AntiVirus is one of these products.
#
:0
* -1000^0
* H ?? 1100^0 ^From:.*Symantec_AntiVirus_for_SMTP_Gateways@
* H ?? 1100^0 ^From: NAV for Microsoft Exchange([^0-9a-z]|$)
* H ?? 1100^0 ^From:.*Norton_AntiVirus(_Gateway)?s?@
* H ?? 800^0 ^Subject: Virus Found in message \".*\"$
* H ?? 1100^0 ^Subject: NAV detected a virus $
* H ?? 1100^0 ^Subject: Norton AntiVirus detected (and quarantined )?a virus([^0-9a-z]|$)
* H ?? 1100^0 ^Subject: Symantec Mail Security detected([^0-9a-z]|$)
* H ?? 1100^0 ^Thread-Topic: Symantec([^0-9a-z]|$)
* H ?? 1100^0 ^X-Virus-Scanned: Symantec AntiVirus Scan Engine$X-Virus-Scan-Result: Repaired( )
* B ?? 300^0 ^Norton AntiVirus found a virus in an attachment you$
* B ?? 300^0 ^\([0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?\) sent to [0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?\.$
* B ?? 300^0 ^To ensure the recipient\(s\) are able to use the files you sent, perform a$
* B ?? 300^0 ^virus scan on your computer, clean any infected files, then resend this$
* B ?? 300^0 ^attachment\.$
* B ?? 300^0 ^Attachment: [-_0-9a-z\.]+\.[0-9a-z]+$
* B ?? 300^0 ^Virus name: [-_0-9a-z\.@]+$
* B ?? 300^0 ^Action taken: Clean failed : Quarantine succeeded :$
* B ?? 600^0 ^All infected components in the scanned document were deleted\.$
* B ?? 600^0 ^Subject of the message: .*$Recipient of the message:
{
SBLOG="A1R-Symantec/Norton AntiVirus backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# Topica bounces to viruses/forged From: :/
#
# Topica is a spammer -- this stuff was previously treated as
# spam by the SpamBouncer. This stuff isn't direct spam, though;
# it's badly-implemented notifications going to the From: addresses
# of email posted to a mailing list.
#
:0
* ^From: Topica Customer Support <support@get\.topica\.com>$
* ^Subject: Your recent message to Topica\.com$
{
SBLOG="A1R-Topica backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# Travelex.com backscatter
#
:0
* H ?? ^Received:.*[^0-9a-z]mail\.travelex\.com([^0-9a-z.]|$)
* H ?? ^From: postmaster@Travelex\.com$
* B ?? (^|[^0-9a-z])contained a virus which could not be removed\.
{
SBLOG="A1R-Travelex.com backscatter"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 10^0
{ SBSCORE=$= }
}
# Bogus Virus Notifications
#
# Lots of server-based antivirus products are sending notifications to
# the email address in the From: line of each virus they get, including
# to addresses in the Klez virus From: line. Since those addresses are
# almost never the ones belonging to the owner of the infected computer,
# these notifications are essentially spam, and extremely annoying. This
# filter treats these notices as spam and gets rid of them.
#
:0 BH
* ! VIRUSTAG ?? yes
* ! DANGEROUS ?? yes
* -1000^0
* 1100^0 ^From:.*[^0-9a-z](alert@notification\.messagelabs\.com([^a-z0-9.]|$)|\
amavisd-new([^a-z0-9.]|$)|\
ANTIGEN_|\
\"Anti-Virus Administrator\"|\
antivirus@|\
antivirus-daemon@|\
avadmin@|\
avgroup@|\
AvMailGate@|\
Barracuda Spam Firewall <>|\
blackhole@linklaters\.com|\
(\")?DrWEB-DAEMON(\"|@)|\
eSafe@|\
GroupShield for Exchange|\
if@|\
interscan@|\
ltkwhite@intergate\.bc\.ca([^a-z0-9.]|$)|\
\"Mail Anti-Virus Protector\"|\
mailengine@rocketmail\.net([^a-z0-9.]|$)|\
\"MailScanner\"|\
MAILsweeper@|\
mms-notifier@|\
spamCactus\.com([^a-z0-9.]|$)|\
spampepper\.com([^a-z0-9.]|$)|\
\"System Anti-Virus Administrator\"|\
virus-checker@|\
virusengelleme@|\
VirusList Automaler System|\
virusscanner@|\
wsadmin@timewarner\.com([^a-z0-9.]|$))
* 600^0 ^From:.*[^0-9a-z](mailsupport|mms)@
* 600^0 ^Subject: Antigen found VIRUS=
* 600^0 ^Subject: BANNED FILENAME
* 1100^0 ^Subject: Caution: E-MAIL Quarantine Notification$
* 600^0 ^Subject: Content violation
* 600^0 ^Subject: Disallowed attachment type([^a-z0-9.]|\. |\.$|$)
* 600^0 ^Subject: eTrust Antivirus Gateway SMTP: Virus notification message$
* 600^0 ^Subject: \*\*\* FhG-Mailgateway: Virus-Warnung/virus alert \*\*\*$
* 1100^0 ^Subject: Failed to clean virus file([^a-z0-9.]|$)
* 1100^0 ^Subject: File blocked - ScanMail for Lotus Notes -->( )*$
* 600^0 ^Subject: Illegal attachment type found([^a-z0-9.]|$)
* 1100^0 ^Subject: InterScan NT Alert$
* 1100^0 ^Subject: [MailServer Notification] To External Sender: a virus was found([^a-z0-9.]|$)
* 1100^0 ^Subject: MESSAGE COULD NOT BE DELIVERED$
* 1100^0 ^Subject: MMS notification$
* 600^0 ^Subject: Norton AntiVirus detected and quarantined a virus([^a-z0-9.]|$)
* 600^0 ^Subject: PostMaster@[0-9a-z]+ notification$
* 600^0 ^Subject: Report to Sender$
* 600^0 ^Subject: Returned due to virus;
* 600^0 ^Subject: SAV detected a violation([^a-z0-9]|$)
* 600^0 ^Subject: Server Report$
* 1100^0 ^Subject: \[\*\*SPAM\*\*\]
* 1100^0 ^Subject: Notification : Uncleanable Virus Detected$
* 600^0 ^Subject: Unsolicited commercial email rejected$
* 600^0 ^Subject: Virus (Alert|Warning)$
* 600^0 ^Subject: VIRUS Detected in message([^a-z0-9.]|$)
* 600^0 ^Subject: virus found in sent message([^a-z0-9]|$)
* 1100^0 ^Subject: VIRUS \([^)]*\) IN MAIL FROM YOU$
* 600^0 ^Subject: (VIRUS NOTIFICATION|Worm Klez\.E immunity)$
* 600^0 ^Subject: \{Virus\?\} Undelivered Message$
* 600^0 ^Subject: Warning! Check you computer, there is new viruses you may be infected!
* 600^0 ^Subject: Warning: E-mail viruses detected$
* 1100^0 ^Subject: Warning: Possible Virus Infection$
* 600^0 ^Subject: WARNING. You tried to send a potential virus([^a-z0-9.]|\. |\.$|$)
* 1100^0 ^Subject: Virus found in the mail$
* 1100^0 ^Thread-Topic: ScanMail Message:
* 1100^0 ^X-Mailer: GWAVA Notification Service$
* 600^0 ^ contained a virus that could not be cleaned by our gateway\.
* 600^0 ^A virus was found in a message([^a-z0-9.]|\. |\.$|$)
* 600^0 ^Antivirus resources for.*can be found on the web at [^ ]+$
* 600^0 ^BANNED FILENAME ALERT$cell-direct.net
* 600^0 ^Found virus [_0-9a-z.]+ in file [_0-9a-z.]+$
* 600^0 ^The uncleanable file [_0-9a-z.]+ is moved to /[-_0-9a-z.]+\.$
* 600^0 (^|[^-_0-9a-z])V I R U S A L E R T([^a-z0-9.]|\. |\.$|$)
* 600^0 ^Our virus scanner found a virus in your email to the following$
* 600^0 ^recipient\(s\) and your email was NOT delivered:$
* 600^0 ^ALERT!!!$This e-mail contained one or more infected files\.$
* 600^0 ^The following attachments were infected and have been repaired:$
* 600^0 ^The following infected attachments were deleted:$
* 600^0 ^The following infected attachments were blocked because of Mail Policy violations:$
* 600^0 ^You may wish to contact the sender to notify them about their infected file\(s\)\.$
* 600^0 ^VIRUS-WARNUNG: Am .* hat der Viren-Checker([^a-z0-9.]|\. |\.$|$)
* 600^0 ^The mail message (file: [0-9a-z][-_0-9a-z.]+) you sent to \
[0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z]+ contains\
a virus\. \([ 0-9a-z]+\)$
* 600^0 ^The virus [0-9a-z][-_/@!.0-9a-z]+ was found in an attachment$
* 600^0 ^eTrust Antivirus Gateway SMTP on [0-9a-z][-_0-9a-z.]+$\
detected a virus infection in an e-mail from$
* 600^0 ^the message with following attributes has not been delivered,$
* 600^0 ^<p>The WebShield.* Appliance discovered a virus in this file\.$
* 600^0 ^<p>Copyright © 1993-2002, Networks Associates Technology, Inc\.<br>$
* 600^0 ^Sender, InterScan has detected virus(es) in your e-mail attachmen\.$
* 600^0 ^This Email scanner intercepted it and stopped the entire message$
* 600^0 ^Halo Boss, Virus telah ditemukan dalam salah satu email anda$
* 600^0 ^the message with following attributes has not been delivered,$
* 600^0 ^because contains an infected object\.$
* 600^0 ^Incident Information:-$
* 600^0 ^Our virus detector has just been triggered by a message you sent:-$
* 600^0 ^The scanned document was QUARANTINED\.$
* 600^0 ^The Declude Virus software on ([0-9a-z][-_0-9a-z]+\.)[a-z][a-z][a-z]?[a-z]? has reported that you $
* 600^0 ^sent an E-mail to [0-9a-z][-_0-9a-z.]+@([0-9a-z][-_0-9a-z]+\.)[a-z][a-z][a-z]?[a-z]?, containing the : [^ ]+ virus in the$
* 1100^0 ^The file you have sent was infected with a virus but \
InterScan E-Mail VirusWall could not clean it\.$
{
SBLOG="A1R-Useless Automatic Virus Notification"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* NUKEBOUNCES ?? yes
/dev/null
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# De-Fanged Virus Remnants (totally worthless)
#
# A number of virus filters, rather than blocking virus-laden emails
# outright, just remove the virus binary section and then send the
# "disinfected" email on to you. That results in a flood of useless
# virus-produced emails that don't have a virus, but don't have anything
# else you want either.
#
:0 BH
* ! VIRUSTAG ?? yes
* ! DANGEROUS ?? yes
* -1000^0
* 500^0 ^FROM: \"(Inet System|Internet Delivery Service)\"
* 500^0 ^Subject: [VIRUS DETRUIT-DESTROYED]
* 500^0 ^X-MailScanner: Found to be clean$
* 600^0 ^$(Please )?see the attached file for details\.$
* 600^0 ^this is the latest version of security update, the$
* 600^0 ^\"October 2003, Cumulative Patch\" update which fixes$
* 600^0 ^Install now to help maintain the security of your computer$
* 600^0 ^<TD NOWRAP><FONT SIZE=3D\"1\">Windows 95/98/Me/2000/NT/XP</FONT></TD>$
* 600^0 ^/\+n2/\+74//P6/\+3w8hOh/xOW6yCm/iuu/zWv/0m4/XTH/IXK95TP9qPV9bfi/tDn9tfp9OP0/93r$
* 600^0 ^9L3Izy6Vzj22/lrC/mfG/JvJ5JGntAyd6IbX/3zD6GzP/3jV/2uoxHqbqujv8g6MvJTj/2HF5pXV$
* 600^0 ^606zz6Hp/63v/7j1/8Ps88b8/rbj5RKOkE2wr3OGhoKGhv7///Dx8V2alqvm4Zni1YPRvx5uVwyO$
* 600^0 ^Content-type:.*name=virus_detruit-destroyed\.[0-9a-z]+$
* 600^0 ^()---------------- Virus Warning Message([^a-z0-9.]|\. |\.$|$)
* 600^0 ^Found virus [^ ]+ in file [^ ]+$
* 600^0 ^()<BR>I'm sorry =$the message returned below could not be delivered =$to one or more destinations.<BR>$
* 600^0 ^()<BR><BR><BR>Undelivered message to <B>[0-9a-z][-_0-9a-z]+@yahoo\.com</B>$
* 600^0 ^()<iframe src="cid:[a-z]+" height=0 width=0></iframe>$<BR>This is the qmail program<BR>$
* 1100^0 ^The message cannot be represented in 7-bit ASCII encoding and has been sent$\
as a binary attachment\.
* 600^0 ^\*\*\*\*\*\*\*\* McAfee GroupShield for Microsoft Exchange \*\*\*\*\*\*\*\*\*\*$
* 600^0 ^The file ([0-9a-z][-_0-9a-z]+\.)+[a-z]+ has been replaced\.
* 600^0 (^|[^-_0-9a-z])Reason: The file met the blocking options set in the anti-virus system\.
* 600^0 ^Content-Type: text/plain; charset=us-ascii$Content-Transfer-Encoding: 7bit$$why\?$
* 600^0 ^Content-Type: application/x-zip-compressed; name=\"[0-9a-z]+\.zip\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment; filename=\"[0-9a-z]+\.zip\"$$$--
* 1100^0 ^----------[a-z]+$\
Content-Type: application/octet-stream; name=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"$([^0-9a-z]*$)+\
----------[a-z]+--$
* 600^0 (^|[^0-9a-z])replaced by Sophos Anti-Virus([^0-9a-z]|$)
* 300^0 (^|[^0-9a-z])infected by a virus([^0-9a-z]|$)
* 300^0 (^|[^0-9a-z])attachment of this message([^0-9a-z]|$)
* 1100^0 (^|[^0-9a-z])------=_NextPart_[^ ]+$Content-Type: application/octet-stream;$\
[^0-9a-z]*name=\"[0-9a-z]+\.[a-z][a-z]+\"$Content-Transfer-Encoding: base64$\
Content-Disposition: attachment;$\[^0-9a-z]*filename=\"[0-9a-z]+\.[a-z][a-z]+\"$$+\
------=_NextPart_[^ ]+$
* 1100^0 ^\+\+\+ Attachment: .*$\
\+\+\+ Panda AntiVirus - www\.pandasoftware\.com$
* 1100^0 ^\-\-[^ ]+$\
Content-Type: application/octet-stream; name=[^ ]+$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment; filename=[^ ]+$$+\
\-\-[^ ]+$
* 1100^0 ^\-\-[^ ]+$\
Content-Type: application/octet-stream;$\
[^0-9a-z]*name=[^ ]+$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment;$\
[^0-9a-z]*filename=[^ ]+$$+\
\-\-[^ ]+$
* 1100^0 ^--[0-9]+$\
Content-Type: application/x-zip-compressed; name=\"[^ "]\.zip\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment; filename=\"[^ "]\.zip\"$$$\
--[0-9]+--$
* 400^0 ^Sorry Dangerous Attachment has been Removed\.$
* 400^0 ^The file \"[-_0-9a-z]+\.[a-z][a-z]+\" has been removed because of a virus\.$
* 400^0 ^It was infected with the \"[^ ]+\" virus\.$
* 400^0 ^Sorry Dangerous Attachment has been Removed\.$
* 400^0 ^The file \"[0-9a-z][-_0-9a-z]+\.[a-z]+\" has been removed because of a virus\.$
* 400^0 ^It was infected with the \"[^ ]+\" virus\.$
* 400^0 ^File quarantined as: \"[0-9a-z][-_0-9a-z]+\.data\.zip\"\.$
* 1100^0 ^The original message content contained a virus or was blocked due \
to blocking rules and has been removed\.$
* 400^0 ^Found virus [^ ]+ in file [^ ]+ \(in [^ ]+\)$
* 400^0 ^If you have questions, contact [0-9a-z][-_0-9a-z]+@([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?$
* 400^0 ^[^ ]+ is removed from here because it contains a virus.$
* 1100^0 ^--[^ ]+$\
Content-Type: application/x-msdownload; name=\"[0-9a-z][-_0-9a-z]+\.exe\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.exe\"$$$+\
--[^ ]+$
* 1100^0 ^------------------ Virus Warning Message \(on [^ ]+\)$$\
[^ ]+ is removed from here because it contains a virus\.$
{
SBLOG="A1R-Defanged Virus email (worthless)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* NUKEBOUNCES ?? yes
/dev/null
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}