here are some postfix patterns i found useful today

Paul Vixie paul at vix.com
Wed Feb 4 19:20:19 UTC 2004


several of you thanked me privately for the earlier post on this thread, and
in the time since then i have been inundated with even more variations of
antivirus messages, so i'm posting an update.  the bad news is, you have to
use body checks as well as header checks.  the good news is, i don't think
the antivirus companies are going to start swizzling their headers and bodies
in order to bypass these checks.  about half of them include commercial
advertising in their warnings, but that doesn't make them spammers (does it?)

the stronger these viruses become, the more antivirus warnings i receive.
to that end, i've made rejecting this chatter at the smtp level a priority.
(otherwise i'd end up blackholing them at the ip source level, which would
cause subsequent false positives on the non-antivirus mail they send out.)

> what you do is, install postfix 2.0 or later, set header_checks to some
> filename (in your main.cf),

header_checks = regexp:/var/local/sa/postfix/headfilt.regex
body_checks = regexp:/var/local/sa/postfix/bodyfilt.regex

> and in that file, you put the following:

bodyfilt.regex:

/^Sorry Dangerous Attachment has been Removed/          	REJECT body4
/ is removed from here because it contains a virus$/    	REJECT body5
/^WARNING: This e-mail has been altered by MIMEDefang/  	REJECT body6

headfilt.regex:

/^Subject:.*ALERTE \- Vous avez envoye un mail avec virus/      REJECT av
/^Subject:.*ALERTE\: un virus a /                               REJECT av
/^Subject:.*ALERT\! Virus found in your mail/                   REJECT av
/^Subject:.*Anti-Virus Notification/                            REJECT av
/^Subject:.*AntiVir ALERT/                                      REJECT av
/^Subject:.*Anti\-Virus Notification/                           REJECT av
/^Subject:.*Antigen Notification/                               REJECT av
/^Subject:.*Antigen found VIRUS/                                REJECT av
/^Subject:.*Antivirus stopped your message/                     REJECT av
/^Subject:.*BANNED FILENAME/                                    REJECT av
/^Subject:.*Disallowed attachment type found/                   REJECT av
/^Subject:.*Email Quarantined Due to Virus/                     REJECT av
/^Subject:.*Failed to clean virus file/                         REJECT av
/^Subject:.*File blocked - ScanMail for Lotus/                  REJECT av
/^Subject:.*Inflex scan report \[\d+\]/                         REJECT av
/^Subject:.*InterScan NT Alert/                                 REJECT av
/^Subject:.*MMS Notification/                                   REJECT av
/^Subject:.*MailSure Virus Alert/                               REJECT av
/^Subject:.*Message deleted/                                    REJECT av
/^Subject:.*NAV detected a virus/                               REJECT av
/^Subject:.*Norton Anti.* detected/                             REJECT av
/^Subject:.*Ochrona antywirusowa/                               REJECT av
/^Subject:.*RAV AntiVirus scan/                                 REJECT av
/^Subject:.*RECIPIENT \! Virus Notify \!/                       REJECT av
/^Subject:.*Report to Sender/                                   REJECT av
/^Subject:.*Returned due to virus\; was\:/                      REJECT av
/^Subject:.*SAV detected a violation in a /                     REJECT av
/^Subject:.*SENDER \! Virus Notify \!/                          REJECT av
/^Subject:.*ScanMail Message\: To Sender\, virus found /        REJECT av
/^Subject:.*Symantec AntiVirus/                                 REJECT av
/^Subject:.*This message contains unsolicited data/             REJECT av
/^Subject:.*VIRUS .* IN MAIL FROM YOU/                          REJECT av
/^Subject:.*VIRUS .*IN YOUR MAIL/                               REJECT av
/^Subject:.*VIRUS NO SEU EMAIL/                                 REJECT av
/^Subject:.*Virus Alert/                                        REJECT av
/^Subject:.*Virus Check Alert/                                  REJECT av
/^Subject:.*Virus Detected by Network Assoc/                    REJECT av
/^Subject:.*Virus Notification from Redstone/                   REJECT av
/^Subject:.*Virus Notification\:/                               REJECT av
/^Subject:.*Virus Quarantine Notification/                      REJECT av
/^Subject:.*Virus Warning/                                      REJECT av
/^Subject:.*Virus found in /                                    REJECT av
/^Subject:.*Virus in Ihrer Nachricht/                           REJECT av
/^Subject:.*Virus in\:/                                         REJECT av
/^Subject:.*Votre message contient un virus/                    REJECT av
/^Subject:.*Warning\: E-mail viruses detected/                  REJECT av
/^Subject:.*WorldSecure Server notification/                    REJECT av
/^Subject:.*\[SmartFilter\] Virus Alert /                       REJECT av
/^Subject:.*\[Virus detected\]/                                 REJECT av
/^Subject:.*\{VIRUS\?\}/                                        REJECT av
/^Subject:.*message .* contains a virus/                        REJECT av
/^Subject:.*virus found in sent message/                        REJECT av
/^Subject:.*virus trouve dans le message envoye/                REJECT av
/^Subject:.*virus trovato in un messaggio inviato /             REJECT av

and as before, i cannot recommend the following article highly enough:

> see also <http://www.attrition.org/security/rant/av-spammers.html>.
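As an added example (not part of Paul's post), the Python below emulates how Postfix applies these regexp tables: each header, then each body line, is tried against the rules in table order, first match wins, and matching is case-insensitive by Postfix default. It runs a constructed excerpt of the two tables over made-up sample messages, including a human reply whose subject happens to contain "Message deleted", to show where a broad pattern causes collateral rejects. Python's `re` stands in for Postfix's POSIX regex engine, so exotic escapes may differ.

```python
import re
from email.parser import Parser

# Constructed excerpt of the headfilt.regex / bodyfilt.regex tables from the post.
HEADER_TABLE = r"""
/^Subject:.*Virus Alert/                                        REJECT av
/^Subject:.*Message deleted/                                    REJECT av
"""
BODY_TABLE = r"""
/^WARNING: This e-mail has been altered by MIMEDefang/          REJECT body6
/ is removed from here because it contains a virus$/            REJECT body5
"""
# One table line: /pattern/ ACTION [text]; the text becomes the SMTP reject reason.
TABLE_LINE = re.compile(r"^/(.*)/\s+(\S+)(?:\s+(.*))?$")

def load_table(text):
    """Parse a Postfix-style regexp table; case-insensitive like Postfix's default."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TABLE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable table line: {line!r}")
        pattern, action, arg = m.groups()
        rules.append((re.compile(pattern, re.IGNORECASE), action, arg or ""))
    return rules

def first_match(rules, lines):
    """Postfix tries each line against the whole table in order; first hit wins."""
    for line in lines:
        for rx, action, arg in rules:
            if rx.search(line):
                return (action, arg)
    return None

def check_message(raw, header_rules, body_rules):
    """header_checks run over each header, then body_checks over each body line."""
    msg = Parser().parsestr(raw)
    headers = [f"{name}: {value}" for name, value in msg.items()]
    body = msg.get_payload().splitlines()
    return first_match(header_rules, headers) or first_match(body_rules, body)

HEADER_RULES, BODY_RULES = load_table(HEADER_TABLE), load_table(BODY_TABLE)

# Constructed sample messages; addresses and subjects are made up for the demo.
AV_NOTICE = "From: av@example.net\nSubject: VIRUS ALERT - W32/Mydoom found in your mail\n\nDropped.\n"
MIMEDEFANG = "From: postmaster@example.net\nSubject: Re: invoice\n\nWARNING: This e-mail has been altered by MIMEDefang.\n"
LEGIT = "From: alice@example.org\nSubject: Re: meeting notes\n\nSee you tomorrow.\n"
# Collateral damage: a human reply whose subject contains a broad pattern's text.
OVERMATCH = "From: bob@example.org\nSubject: Re: Message deleted from the shared folder\n\nCan you restore it?\n"
```

Against a deployed table, `postmap -q "Subject: Virus Alert" regexp:/var/local/sa/postfix/headfilt.regex` performs the same lookup with Postfix's real engine, which is the check to run before putting a new pattern into production.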
