Virus Filter

I’ve written before about one of the various forms of Internet pestilence: messages bounced back from virus filters that claim you emailed them a virus, when in fact the mail header was forged and the virus originated elsewhere. It’s particularly frustrating to those of us who use GNU/Linux and thus are practically immune from viruses, at least those that propagate through email.

Here’s my latest attempt at an omnibus virus-bounce procmail filter. Put this in ~/.procmailrc and most, if not all, of these messages should go away. Note that you need to raise LINEBUF above its default to fit the whole condition into one expression:

LINEBUF=3000
# Forged virus-bounce notices: matched on the Subject line, on the X- headers
# some scanners add, or on the To: line. The condition must stay on one line.
:0
* ((^Subject: (Virus infection notice|New Network Security Upgrade|Newest Net Update|Newest Internet Upgrade|Newest Internet Security Patch|Internet Security Pack|New Internet Security Patch|Latest Critical Pack|Latest Net Upgrade|Latest Network Critical Update|(Latest|Current|Newest|New) (Microsoft|Net(work)?|Internet) (Security|Critical) (Update|Patch|Pack)|Current Microsoft Critical Pack|Newest Critical Pack|Latest Net Security Pack|Current Net Critical (Pack|Patch)|Latest Network Critical Pack|Abort Report|A virus has been detected in a document you authored.|RAV Antivirus:|BitDefender found an infected object|Virus Detected by Network Associates, Inc. Webshield|-+ Virus Detected -+|Virus detected|Virus Alert|InterScan NT Alert|Virus found in the message|Message quarantined|VIRUS ALERT!|MDaemon Warning - Virus Found|Warning: E-mail viruses detected|ScanMail Message: To Sender virus found|VIRUS IN YOUR MAIL|Norton AntiVirus detected|VIRUS .* IN YOUR MAIL|Antigen found VIRUS|Filter incident|V.rus figyelmeztetés! Virus warning!|Symantec AVF detected|Returned due to virus;|Anti-Virus Notification|BANNED FILENAME|File blocked - ScanMail for Lotus|NAV detected a virus|RAV AntiVirus scan|VIRUS .+ IN MAIL FROM YOU|Virus Notification:|Virus found in a message you sent|Virus found in sent message|VIRUS EN SU CORREO|Warning: antivirus system report|M..Daemon Notification -+ Attachment Removed|Information - Antivirus|Symantec AntiVirus detected a violation|WARNING: YOU WERE SENT A VIRUS|SAV detected a violation in a document|MailMarshal has detected a suspect attachment|A virus was detected in your mail|Recipient Virus-alert|Virus Found in message|E-?mail viruses detected|Undelivered mail: VIRUS FOUND|Quarantined Mail: virus from|Failed to clean virus|Virusveszely! Virus warning!|Virus in mail from you.|Possible virus found in mess..age you sent|AntiVir ALERT|Centrale Anti-Virus melding|Vexira ALERT|You sent potentially unsafe content|ID.*thanks ScanMail has detected a virus!|\{Virus\?\}))|(^X-BLTSYMAVREINSERT|^X-Virus-Scan-Result: Repaired|^X-AtHome-MailScanner: Found to be infected|^X-Scanned: Symantec Antivirus Scan - Virus found|^X-Sender: NetMail AntiVirus Agent|^X-yoursite-MailScanner: Found to be infected|^X-ELTE-VirusStatus: was_infected)|(^To:.*MS Network Security))
virus

Suggestions for additional filter strings are welcome. This is an obvious case where there should be some standard for this kind of message, but of course each proprietary virus scanner company wants to have its own distinct announcement so as to advertise its product in the bounce message. The best thing would be something in the mail header other than the subject line.

I’ve also found the following recipe useful for filtering out a very common viral email that appears to be going around:

:0 BH
* ^Content-Type:.*(audio/x-wav|applica/x-msdownlo)
* > 100000
virus

You could probably substitute virus with /dev/null without any ill effects in both of these recipes.

Finally, a neat trick if you use SpamAssassin. This is covered in the documentation, but I only recently discovered it. Here’s a way to filter very certain spam into one folder, and pretty certain spam into another:

:0
* ^X-Spam-Level: \*\*\*\*\*\*\*\*\*\*
verycertainspam

:0
* ^Subject:.*\*\*\*\*SPAM\*\*\*\*
probablyspam

Set the number of stars in the first recipe to be the SpamAssassin score you’d like to count as “very certain.”
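As an added example (not from the original post), here is a small Python stand-in for the three kinds of procmail condition the recipes above rely on: a header regex, a body regex under the B flag, and the `* > N` total-size test. It lets you try the patterns against sample messages before they go into ~/.procmailrc; the Subject alternation is a constructed subset of the full one above, and the sample messages are made up.

```python
import re

# Constructed subset of the Subject/X-header patterns from the first recipe;
# the full alternation is much longer, but the matching logic is identical.
VIRUS_BOUNCE = (r"^Subject: (Virus Alert|Virus detected|Norton AntiVirus detected"
                r"|MDaemon Warning - Virus Found|Virus found in a message you sent)"
                r"|^X-Virus-Scan-Result: Repaired")
WORM_MIME = r"^Content-Type:.*(audio/x-wav|applica/x-msdownlo)"

def split_message(raw):
    """Split a raw RFC 822 message into (header, body) at the first blank line."""
    head, _, body = raw.partition("\n\n")
    return head, body

def condition(raw, regex, flags="H"):
    """Emulate one `* regex` condition line. procmail anchors ^ at every line of
    the region it scans: the header (H, the default), the body (B) or both (BH)."""
    head, body = split_message(raw)
    region = {"H": head, "B": body, "BH": head + "\n" + body}[flags]
    return re.search(regex, region, re.MULTILINE) is not None

def deliver(raw, spam_stars=10):
    """Return the folder the recipes above would deliver a message to.
    spam_stars is the X-Spam-Level count you treat as 'very certain'."""
    if condition(raw, VIRUS_BOUNCE):                      # recipe 1: header only
        return "virus"
    if condition(raw, WORM_MIME, "BH") and len(raw.encode()) > 100000:
        return "virus"                                    # recipe 2: MIME type AND `* > 100000`
    if condition(raw, r"^X-Spam-Level: " + r"\*" * spam_stars):
        return "verycertainspam"                          # recipe 3a
    if condition(raw, r"^Subject:.*\*\*\*\*SPAM\*\*\*\*"):
        return "probablyspam"                             # recipe 3b
    return "inbox"

# Constructed sample messages (not real mail).
BOUNCE = "From: scanner@example.net\nSubject: Norton AntiVirus detected a virus\n\nYour message was infected.\n"
SMALL_WAV = 'From: a@example.org\nContent-Type: audio/x-wav; name="song.exe"\n\nshort\n'
BIG_WAV = SMALL_WAV + "X" * 100000          # pushes the total size past 100000 bytes
SPAM = "Subject: ****SPAM**** cheap\nX-Spam-Level: ***********\n\nbuy\n"
LIKELY = "Subject: ****SPAM**** cheap\nX-Spam-Level: ****\n\nbuy\n"
CLEAN = "From: b@example.org\nSubject: lunch?\n\nnoon?\n"

if __name__ == "__main__":
    for name, msg in [("BOUNCE", BOUNCE), ("SMALL_WAV", SMALL_WAV), ("BIG_WAV", BIG_WAV),
                      ("SPAM", SPAM), ("LIKELY", LIKELY), ("CLEAN", CLEAN)]:
        print(f"{name:10} -> {deliver(msg)}")
```

The SMALL_WAV case shows why the second recipe pairs the Content-Type test with the size test: a short message with that MIME type stays in the inbox.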

1 comment

  1. Stewart Vardaman Jan 28

    I just trash any message with dangerous attachments, like:

    :0 B
    * name=.*\.(vbs\"|wsf\"|vbe\"|wsh\"|hta\"|scr\"|pif\"|shs\"|bat\"|bas\"|dll\"|cmd\"|com\"|cpl\"|zip\")
    .virus/
