# A virus-bounce ruleset, suitable for use by anyone receiving a lot of joe-job
# virus-blowback, or spam-blowback bounce messages.
#
# Please don't modify this file as your changes will be overwritten with
# the next update. Use @@LOCAL_RULES_DIR@@/local.cf instead.
# See 'perldoc Mail::SpamAssassin::Conf' for details.
#
# <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
#
###########################################################################
#
# If you use this, set up procmail or your mail app to spot the
# "ANY_BOUNCE_MESSAGE" rule hits in the X-Spam-Status line, and move
# messages that match that to a 'vbounce' folder.
#
# You should also add 'whitelist_bounce_relays' lines, describing the names of
# your own outgoing mail relays, like so:
#
# whitelist_bounce_relays dogma.boxhost.net
#
# This is used to 'rescue' legitimate bounce messages that were generated in
# response to mail you really *did* send. If you don't do this, the
# "BOUNCE_MESSAGE" rule will not fire. See 'perldoc VBounce.pm' for more
# details.
#
# This ruleset is substantially based on
# http://www.timj.co.uk/linux/bogus-virus-warnings.cf ; the main difference is
# that I (jm) prefer to keep bounces and spam separate, so it now uses a single
# rule for each type of message, instead of having multiple individual rules
# with high scores. That way, you can spot the individual rule names, as
# described in the paragraph above. There's a couple of rules that were FPing,
# too, so I fixed or removed them; and there's been substantial additions, too.
#
###########################################################################
ifplugin Mail::SpamAssassin::Plugin::VBounce
body __MY_SERVERS_FOUND eval:check_whitelist_bounce_relays()
tflags __MY_SERVERS_FOUND nice
score __MY_SERVERS_FOUND -0.001
body __HAVE_BOUNCE_RELAYS eval:have_any_bounce_relays()
tflags __HAVE_BOUNCE_RELAYS nice
endif
# ---------------------------------------------------------------------------
# General bounce messages
header __BOUNCE_FROM_DAEMON From =~ /(?:(?:daemon|deamon|majordomo|postmaster|virus|scanner|devnull|automated-response|SMTP.gateway|mailadmin|mailmaster|surfcontrol|You_Got_Spammed)\S+\@|<>)/i
header __BOUNCE_RPATH_NULL Return-Path =~ /<>/
header __BOUNCE_RPATH_MD Return-Path =~ /(?:mailer-(?:daemon|deamon)|quotaagent|pleaseforward|autoresponder|autoresponse-\S+|devnull\S*)\@/i
# __AUTO_GEN_AS can appear in non-bounce mails with __XM_VBULLETIN,
# or with X-Cron-Env headers, so exclude those cases
header __AUTO_GEN_AS Auto-Submitted =~ /auto-(?:generated|replied)/
header __XM_VBULLETIN X-Mailer =~ /^vBulletin Mail/
header __X_CRON_ENV X-Cron-Env =~ /^</
header __AUTO_GEN_MS exists:X-MS-Embedded-Report
header __AUTO_GEN_AG exists:X-autogenerated
header __AUTO_GEN_CM exists:X-Choicemail-Registration-Request
header __AUTO_GEN_3 X-MailScanner =~ /generated/
header __AUTO_GEN_4 X-Mailer =~ /autoresponder/i
header __AUTO_GEN_XXSP X-XSP-Msgclass =~ /NOTIFICATION/
header __AUTO_GEN_PREC Precedence =~ /auto/
meta __BOUNCE_AUTO_GENERATED ((__AUTO_GEN_AS||__AUTO_GEN_MS||__AUTO_GEN_3||__AUTO_GEN_4||__AUTO_GEN_AG||__AUTO_GEN_XXSP ||__AUTO_GEN_CM||__AUTO_GEN_PREC) && !__XM_VBULLETIN && !__X_CRON_ENV)
header __BOUNCE_Y_AUTOGEN Subject =~ /^Yahoo! Auto Response/
header __BOUNCE_SYMANTEC Subject =~ /^Returned mail.{0,5}(?:Error During Delivery|see transcript for details|)$/i
header __BOUNCE_X_ERR_STAT X-Error-Status =~ /User unknown/
header __BOUNCE_RETURNED Subject =~ /^Returned mail: User unknown/
header __BOUNCE_MAILDELFAIL Subject =~ /^Mail delivery failed: /
header __BOUNCE_MSGDELFAIL Subject =~ /^Message Delivery Failure/
body __BOUNCE_ESMTP /^This messages was created automatically by mail delivery software/
# JM: prev versions used "automaticly", that was a typo
body __BOUNCE_OOO_1 /\bI(?:.m| am| will be|.ll be) (?:(?:out of|away from) the office|on vacation) (?:from|to|until|after)\b/i
body __BOUNCE_OOO_2 /\bI ?.m away until .{10,20} and am unable to read your message\b/
body __BOUNCE_OOO_3 /\bI am currently out of the office\b/
header __BOUNCE_OOO_H1 Subject =~ /^Mensaje de respuesta autom.tica/
header __BOUNCE_OOO_H2 Subject =~ /^R.ponse automatique d'absence du bureau/
header __BOUNCE_OOO_H3 Subject =~ / \(away from the office\)$/
body __BOUNCE_NEVER_SEE /\bThis is an autoresponder. I'll never see your message\b/i
body __BOUNCE_NONWORKING /\bYou have reached a non.?working address. Please check\b/i
header __BOUNCE_UNDELIVERABLE Subject =~ /^Undeliverable: /
header __BOUNCE_UNDELIVERABLE_ML Subject =~ /^Undeliver(?:able|ed) Mail\b/
header __BOUNCE_NOTDEL Subject =~ /^MESSAGE NOT DELIVERED: /
header __BOUNCE_ADDR_ERR Subject =~ /^e-mail addressing error \(/
header __BOUNCE_NO_VAL Subject =~ /^No valid recipient in /
header __BOUNCE_DATA_FORMAT Subject =~ /^Returned mail: Data format error$/
header __BOUNCE_COULD_NOT Subject =~ /^Mail could not be delivered$/
header __BOUNCE_UNDEL_MSG Subject =~ /^Undeliverable Message$/
header __BOUNCE_CTYPE Content-Type =~ /\bmultipart\/report\b/
header __BOUNCE_DEL_FAIL Subject =~ /^Delivery Failure Notification/
# Return-path: <delete@errmail.kagoya.net>
# 'Invalid e-mail address.'
header __BOUNCE_RPATH_ERRMAIL Return-Path =~ /delete\@errmail\./i
header __BOUNCE_AUTO_RESPOND Subject =~ /^(?:Automatically Generated Response from |Auto-Respond E-Mail from )/
header __BOUNCE_AUTO_RESPONSE Subject =~ /^automated response$/i
body __BOUNCE_ETRUST /^eTrust Secure Content Manager SMTPMAIL could not deliver the e-mail /
header __BOUNCE_INTERSCAN From =~ /\bInterscan MSS Notification\b/
body __BOUNCE_NO_RESEND /\bPlease do not resend your original message\./
meta BOUNCE_MESSAGE __HAVE_BOUNCE_RELAYS && (!__MY_SERVERS_FOUND && (__BOUNCE_FROM_DAEMON || __BOUNCE_RPATH_NULL || __BOUNCE_RPATH_MD || __BOUNCE_AUTO_GENERATED || __BOUNCE_Y_AUTOGEN || __BOUNCE_SYMANTEC || __BOUNCE_X_ERR_STAT || __BOUNCE_RETURNED || __BOUNCE_MAILDELFAIL || __BOUNCE_MSGDELFAIL || __BOUNCE_ESMTP || __BOUNCE_OOO_1 || __BOUNCE_OOO_2 || __BOUNCE_NEVER_SEE || __BOUNCE_NONWORKING || __BOUNCE_UNDELIVERABLE || __BOUNCE_UNDELIVERABLE_ML || __BOUNCE_NOTDEL || __BOUNCE_CTYPE || __BOUNCE_DEL_FAIL || __BOUNCE_ADDR_ERR || __BOUNCE_NO_VAL || __BOUNCE_DATA_FORMAT || __BOUNCE_COULD_NOT || __BOUNCE_UNDEL_MSG || __BOUNCE_OOO_H1 || __BOUNCE_OOO_H2 || __BOUNCE_OOO_H3 || __BOUNCE_RPATH_ERRMAIL || __BOUNCE_OOO_3 || __BOUNCE_INTERSCAN || __BOUNCE_ETRUST || __BOUNCE_AUTO_RESPONSE || __BOUNCE_AUTO_RESPOND || __BOUNCE_NO_RESEND))
describe BOUNCE_MESSAGE MTA bounce message
# ---------------------------------------------------------------------------
# Challenge/Response bounces
header __CRBOUNCE_UOL From =~ /\bAntiSpam UOL\b/
header __CRBOUNCE_VERIF Subject =~ /^(?:Your email requires verification verify:\S|Please Verify Your Email Address)/
header __CRBOUNCE_RP Return-Path =~ /<(?:spamblocker-challenge|spambush|apd\.sspam|spamhippo|devnull-quarantine)\@/i
header __CRBOUNCE_RP_2 Return-Path =~ /\@(?:spamstomp\.com|ipermitmail\.com)>$/i
header __CRBOUNCE_VANQ From =~ /<confirm-\S+\@spamguard\.vanquish\.com>/
header __CRBOUNCE_QURB Subject =~ /\[Qurb .\d+\]$/
uri __CRBOUNCE_0SPAM1 /^http:\/\/www\.0spam\.com\/v/
header __CRBOUNCE_0SPAM2 From:addr =~ /^verify\@0spam.com$/
meta __CRBOUNCE_0SPAM (__CRBOUNCE_0SPAM1 && __CRBOUNCE_0SPAM2)
# http://mailinblack.com , a French C/R system with no other reliable
# signatures. annoying!
header __CRBOUNCE_MIB Content-Type =~ /mUlTiPaRtBoUnDaRy_MailInBlack/
uri __CRBOUNCE_SI1 m,^http://si20.com/auth,
header __CRBOUNCE_SI2 From:addr =~ /^siweb\@si20\.com/
meta __CRBOUNCE_SI (__CRBOUNCE_SI1 && __CRBOUNCE_SI2)
# very frequent, using unrelated From lines; either spam or C/R, not yet
# sure which
header __CRBOUNCE_GETRESP Return-Path =~ /<bounce\S+\@\S+\.getresponse\.com>/
header __CRBOUNCE_TMDA Message-Id =~ /\@\S+\-tmda\-confirm>$/
header __CRBOUNCE_ASK X-AskVersion =~ /\d/
header __CRBOUNCE_SZ X-Spamazoid-MD =~ /\d/
header __CRBOUNCE_SPAMLION Spamlion =~ /\S/
# something called /cgi-bin/notaspammer does this!
header __CRBOUNCE_PREC_SPAM Precedence =~ /spam/
header __AUTO_GEN_XBT exists:X-Boxtrapper
header __AUTO_GEN_BBTL exists:X-Bluebottle-Request
meta __CRBOUNCE_HEADER (__AUTO_GEN_XBT || __AUTO_GEN_BBTL)
header __CRBOUNCE_EXI X-ExiSpam =~ /ExiSpam/
header __CRBOUNCE_UNVERIF Subject =~ /^Unverified email to /
meta CRBOUNCE_MESSAGE !__MY_SERVERS_FOUND && (__CRBOUNCE_UOL || __CRBOUNCE_VERIF || __CRBOUNCE_RP || __CRBOUNCE_VANQ || __CRBOUNCE_HEADER || __CRBOUNCE_QURB || __CRBOUNCE_0SPAM || __CRBOUNCE_GETRESP || __CRBOUNCE_TMDA || __CRBOUNCE_ASK || __CRBOUNCE_EXI || __CRBOUNCE_PREC_SPAM || __CRBOUNCE_SZ || __CRBOUNCE_SPAMLION || __CRBOUNCE_MIB || __CRBOUNCE_SI || __CRBOUNCE_UNVERIF || __CRBOUNCE_RP_2)
describe CRBOUNCE_MESSAGE Challenge-response bounce message
# ---------------------------------------------------------------------------
# "Virus found in your mail" bounces
# source: VirusBounceRules from the exit0 SA wiki
body __VBOUNCE_EXIM /a potentially executable attachment /
body __VBOUNCE_STRIP_ATTACH /\bhas stripped one or more attachments from the following message\b/
body __VBOUNCE_GUIN /message contains file attachments that are not permitted/
body __VBOUNCE_CISCO /^Found virus \S+ in file \S+/m
body __VBOUNCE_SMTP /host \S+ said: 5\d\d\s+Error: Message content rejected/
body __VBOUNCE_AOL /TRANSACTION FAILED - Unrepairable Virus Detected. /
body __VBOUNCE_DUTCH /bevatte bijlage besmet welke besmet was met een virus/
body __VBOUNCE_MAILMARSHAL /Mail.?Marshal Rule: Inbound Messages : Block Dangerous Attachments/
header __VBOUNCE_MAILMARSHAL2 Subject =~ /^MailMarshal has detected possible spam in your message/
header __VBOUNCE_NAVFAIL Subject =~ /^Norton Anti.?Virus failed to scan an attachment in a message you sent/
header __VBOUNCE_REJECTED Subject =~ /^EMAIL REJECTED$/
header __VBOUNCE_PROBLEME Subject:raw =~ /^=?iso-8859-1?Q?Messagerie_.{1,100}_=3A_probl=E8me_de_s=E9curit=E9=2E?=/
header __VBOUNCE_NAV Subject =~ /^Norton Anti.?Virus detected and quarantined/
header __VBOUNCE_MELDING Subject =~ /^Virusmelding$/
body __VBOUNCE_VALERT /The mail message \S+ \S+ you sent to \S+ contains the virus/
body __VBOUNCE_REJ_FILT /Reason: Rejected by filter/
header __VBOUNCE_YOUSENT Subject =~ /^Warning - You sent a Virus Infected Email to /
body __VBOUNCE_MAILSWEEP /MAILsweeper has found that a \S+ \S+ \S+ \S+ one or more virus/
header __VBOUNCE_SCREENSAVER Subject =~ /(Re: ?)+Wicked screensaver\b/i
header __VBOUNCE_DISALLOWED Subject =~ /^Disallowed attachment type found/
header __VBOUNCE_FROMPT From =~ /Security.?Scan Anti.?Virus/
header __VBOUNCE_WARNING Subject =~ /^Warning:\s*E-?mail virus(es)? detected/i
header __VBOUNCE_DETECTED Subject =~ /^Virus detected /i
header __VBOUNCE_AUTOMATIC Subject =~ /\b(automatic reply|AutoReply)\b/
header __VBOUNCE_INTERSCAN Subject =~ /^Failed to clean virus\b/i
header __VBOUNCE_VIOLATION Subject =~ /^Content violation/i
header __VBOUNCE_ALERT Subject =~ /^Virus Alert\b/i
header __VBOUNCE_NAV2 Subject =~ /^NAV detected a virus in a document /
body __VBOUNCE_NAV3 /^Reporting-MTA: Norton Anti.?Virus Gateway/
header __VBOUNCE_INTERSCAN2 Subject =~ /^InterScan MSS for SMTP has delivered a message/
header __VBOUNCE_INTERSCAN3 Subject =~ /^InterScan NT Alert/
header __VBOUNCE_ANTIGEN Subject =~ /^Antigen found\b/i
header __VBOUNCE_LUTHER From =~ /\blutherh\@stratcom.com\b/
header __VBOUNCE_AMAVISD Subject =~ /^VIRUS IN YOUR MAIL /i
body __VBOUNCE_AMAVISD2 /\bV I R U S\b/
header __VBOUNCE_GSHIELD Subject =~ /^McAfee GroupShield Alert/
# off: got an FP in a simple forward
# rawbody __VBOUNCE_SUBJ_IN_MAIL /^\s*Subject:\s*(Re: )*((my|your) )?(application|details)/i
# rawbody __VBOUNCE_SUBJ_IN_MAIL2 /^\s*Subject:\s*(Re: )*(Thank you!?|That movie|Wicked screensaver|Approved)/i
header __VBOUNCE_SCANMAIL Subject =~ /^Scan.?Mail Message: .{0,30} virus found /i
header __VBOUNCE_DOMINO1 Subject =~ /^Report to Sender/
body __VBOUNCE_DOMINO2 /^Incident Information:/
header __VBOUNCE_RAV Subject =~ /^RAV Anti.?Virus scan results/
body __VBOUNCE_ATTACHMENT0 /(?:Attachment.{0,40}was Deleted|Virus.{1,40}was found|the infected attachment)/i
# Bart says: it appears that _ATTACHMENT0 is an alternate for _NAV -- both match the same messages.
body __VBOUNCE_AVREPORT0 /(antivirus system report|the antivirus module has|illegal attachment|Unrepairable Virus Detected)/i
header __VBOUNCE_SENDER Subject =~ /^Virus to sender/
body __VBOUNCE_MAILSWEEP2 /\bblocked by Mailsweeper\b/i
header __VBOUNCE_MAILSWEEP3 From =~ /\bmailsweeper\b/i
# Bart says: This one could replace both MAILSWEEP2 and MAILSWEEP as far as I can tell.
# Perhaps it's too general?
body __VBOUNCE_CLICKBANK /\bvirus scanner deleted your message\b/i
header __VBOUNCE_FORBIDDEN Subject =~ /\bFile type Forbidden\b/
header __VBOUNCE_MMS Subject =~ /^MMS Notification/
# added by JoeyKelly
header __VBOUNCE_JMAIL Subject =~ /^Message Undeliverable: Possible Junk\/Spam Mail Identified$/
body __VBOUNCE_QUOTED_EXE /> TVqQAAMAAAAEAAAA/
# majordomo is really stupid about this stuff
header __MAJORDOMO_SUBJ Subject =~ /^Majordomo results: /
rawbody __MAJORDOMO_HELP_BODY /\*\*\*\* Help for [mM]ajordomo\@/
rawbody __MAJORDOMO_HELP_BODY2 /\*\*\*\* Command \'.{0,80}\' not recognized\b/
meta __VBOUNCE_MAJORDOMO_HELP (__MAJORDOMO_SUBJ && __MAJORDOMO_HELP_BODY && __MAJORDOMO_HELP_BODY2)
header __VBOUNCE_AV_RESULTS Subject =~ /AntiVirus scan results/
header __VBOUNCE_EMVD Subject =~ /^Warning: E-mail viruses detected/
header __VBOUNCE_UNDELIV Subject =~ /^Undeliverable mail, invalid characters in header/
header __VBOUNCE_BANNED_MAT Subject =~ /^Banned or potentially offensive material/
header __VBOUNCE_NAV_DETECT Subject =~ /^Norton AntiVirus detected and quarantined/
header __VBOUNCE_DEL_WARN Subject =~ /^Delivery (?:warning|error) report id=/
header __VBOUNCE_MIME_INFO Subject =~ /^The MIME information you requested/
header __VBOUNCE_EMAIL_REJ Subject =~ /^EMAIL REJECTED/
header __VBOUNCE_CONT_VIOL Subject =~ /^Content violation/
header __VBOUNCE_SYM_AVF Subject =~ /^Symantec AVF detected /
header __VBOUNCE_SYM_EMP Subject =~ /^Symantec E-Mail-Proxy /
header __VBOUNCE_VIR_FOUND Subject =~ /^Virus Found in message/
header __VBOUNCE_INFLEX Subject =~ /^Inflex scan report \[/
header __VBOUNCE_INF_ATTACH Subject =~ /^\[Mail Delivery .{20,100} infected attachment *removed/
header __VBOUNCE_RAPPORT Subject =~ /^Spam rapport \/ Spam report \S+ -\s+\(\S+\)$/
header __VBOUNCE_GWAVA Subject =~ /^GWAVA Sender Notification .RBL block.$/
header __VBOUNCE_EMANAGER Subject =~ /^\[MailServer Notification\]/
header __VBOUNCE_MSGLABS Return-Path =~ /alert\@notification\.messagelabs\.com/i
body __VBOUNCE_ATT_QUAR /\bThe attachment was quarantined\b/
body __VBOUNCE_SECURIQ /\bGROUP securiQ.Wall\b/
header __VBOUNCE_PT_BLOCKED Subject =~ /^\*\*\*\s*Mensagem Bloqueada/i
meta VBOUNCE_MESSAGE !__MY_SERVERS_FOUND && (__VBOUNCE_MSGLABS || __VBOUNCE_EXIM || __VBOUNCE_GUIN || __VBOUNCE_CISCO || __VBOUNCE_SMTP || __VBOUNCE_AOL || __VBOUNCE_DUTCH || __VBOUNCE_MAILMARSHAL || __VBOUNCE_MAILMARSHAL2 || __VBOUNCE_NAVFAIL || __VBOUNCE_REJECTED || __VBOUNCE_PROBLEME || __VBOUNCE_NAV || __VBOUNCE_MELDING || __VBOUNCE_VALERT || __VBOUNCE_REJ_FILT || __VBOUNCE_YOUSENT || __VBOUNCE_MAILSWEEP || __VBOUNCE_SCREENSAVER || __VBOUNCE_DISALLOWED || __VBOUNCE_FROMPT || __VBOUNCE_WARNING || __VBOUNCE_DETECTED || __VBOUNCE_AUTOMATIC || __VBOUNCE_INTERSCAN || __VBOUNCE_VIOLATION || __VBOUNCE_ALERT || __VBOUNCE_NAV2 || __VBOUNCE_NAV3 || __VBOUNCE_INTERSCAN2 || __VBOUNCE_INTERSCAN3 || __VBOUNCE_ANTIGEN || __VBOUNCE_LUTHER || __VBOUNCE_AMAVISD || __VBOUNCE_AMAVISD2 || __VBOUNCE_SCANMAIL || __VBOUNCE_DOMINO1 || __VBOUNCE_DOMINO2 || __VBOUNCE_RAV || __VBOUNCE_GSHIELD || __VBOUNCE_ATTACHMENT0 || __VBOUNCE_AVREPORT0 || __VBOUNCE_SENDER || __VBOUNCE_MAILSWEEP2 || __VBOUNCE_MAILSWEEP3 || __VBOUNCE_CLICKBANK || __VBOUNCE_FORBIDDEN || __VBOUNCE_MMS || __VBOUNCE_QUOTED_EXE || __VBOUNCE_MAJORDOMO_HELP || __VBOUNCE_AV_RESULTS || __VBOUNCE_EMVD || __VBOUNCE_UNDELIV || __VBOUNCE_BANNED_MAT || __VBOUNCE_NAV_DETECT || __VBOUNCE_DEL_WARN || __VBOUNCE_MIME_INFO || __VBOUNCE_EMAIL_REJ || __VBOUNCE_CONT_VIOL || __VBOUNCE_SYM_AVF || __VBOUNCE_SYM_EMP || __VBOUNCE_ATT_QUAR || __VBOUNCE_SECURIQ || __VBOUNCE_VIR_FOUND || __VBOUNCE_EMANAGER || __VBOUNCE_JMAIL || __VBOUNCE_GWAVA || __VBOUNCE_PT_BLOCKED || __VBOUNCE_INFLEX || __VBOUNCE_INF_ATTACH || __VBOUNCE_STRIP_ATTACH)
describe VBOUNCE_MESSAGE Virus-scanner bounce message
# ---------------------------------------------------------------------------
# a catch-all type for all the above
meta ANY_BOUNCE_MESSAGE (CRBOUNCE_MESSAGE||BOUNCE_MESSAGE||VBOUNCE_MESSAGE)
describe ANY_BOUNCE_MESSAGE Message is some kind of bounce message