That was way too simple. I've been growing the script as false negatives
trickle in, and the current results are below. By the way, I've come to the
realization that filtering this with pattern matching is probably an
exercise in futility, but it's still fun to try (and it's blocking several
hundred mails per hour, so that's kind of worthwhile).
############################################################
#### Virus detection
require "fileinto";   # the fileinto action below needs this extension loaded
# 2003-09-18: Something stupid and Microsofty
if anyof(
    # This one is super-annoying; it mimics real bounce messages
    allof(
        # First, check that the sender matches a pattern
        header :matches "From" [
            "email *",
            "inet *",
            "internet *",
            "mail *",
            "microsoft *",
            "ms *",
            "net *",
            "network *" ],
        header :matches "From" [
            "* service",
            "* system" ],
        # Second, look at the subject line
        anyof(
            # Short phrases
            header :is "Subject" [
                "advice",
                "announcement",
                "failure report",
                "letter",
                "report" ],
            # Weird errors
            allof(
                header :matches "Subject" [
                    "abort *",
                    "bug *",
                    "error *" ],
                header :matches "Subject" [
                    "* advice",
                    "* letter",
                    "* message",
                    "* notice" ]
            ),
            # Faked bounce messages
            header :matches "Subject" [
                "mail: *",
                "message*",
                "returned mail*",
                "returned message*",
                "undeliverable message*",
                "undelivered message*" ]
        )
    ),
    # "Current Security Pack", "New Security Update", etc.
    allof(
        header :matches "Subject" [
            "current *",
            "internet *",
            "last *",
            "latest *",
            "microsoft *",
            "net *",
            "new *",
            "newest *" ],
        header :matches "Subject" [
            "* upgrade",
            "* update",
            "* pack",
            "* patch" ]
    )
)
{
    fileinto "INBOX.virus.2003-09-18";
}
############################################################
--
Kirk Strauser
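The rule above, re-implemented in Python as an added example (not part of the original post) so it can be dry-run against sample headers before deployment. It mimics Sieve's default case-insensitive comparator, where `:is` is an exact match and `:matches` treats only `*` and `?` as wildcards; the From/Subject values are constructed and use bare display names, and the legitimate-bounce sample shows the false-positive risk the author's own comment hints at.

```python
import re
from typing import Dict, List

def sieve_glob(pattern: str) -> "re.Pattern[str]":
    """Translate a Sieve :matches pattern into a regex.  Only '*' (zero or
    more chars) and '?' (one char) are special; everything else is literal.
    The default comparator i;ascii-casemap ignores case."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.compile(regex, re.IGNORECASE | re.DOTALL)

def matches(value: str, patterns: List[str]) -> bool:
    """Sieve `header :matches` over a list: true if any pattern matches."""
    return any(sieve_glob(p).fullmatch(value) for p in patterns)

def is_(value: str, patterns: List[str]) -> bool:
    """Sieve `header :is` over a list: exact, case-insensitive equality."""
    return value.lower() in (p.lower() for p in patterns)

def looks_like_worm(hdr: Dict[str, str]) -> bool:
    """Evaluate the posted rule; True means 'would be filed into the virus folder'."""
    sender, subject = hdr.get("From", ""), hdr.get("Subject", "")
    fake_bounce = (
        matches(sender, ["email *", "inet *", "internet *", "mail *",
                         "microsoft *", "ms *", "net *", "network *"])
        and matches(sender, ["* service", "* system"])
        and (is_(subject, ["advice", "announcement", "failure report",
                           "letter", "report"])
             or (matches(subject, ["abort *", "bug *", "error *"])
                 and matches(subject, ["* advice", "* letter",
                                       "* message", "* notice"]))
             or matches(subject, ["mail: *", "message*", "returned mail*",
                                  "returned message*", "undeliverable message*",
                                  "undelivered message*"])))
    fake_patch = (
        matches(subject, ["current *", "internet *", "last *", "latest *",
                          "microsoft *", "net *", "new *", "newest *"])
        and matches(subject, ["* upgrade", "* update", "* pack", "* patch"]))
    return fake_bounce or fake_patch

# Constructed sample headers (not real captures); the third one is a
# legitimate MTA bounce and shows the rule's false-positive exposure.
SAMPLES = [
    {"From": "Microsoft Internet Service", "Subject": "Latest Net Security Update"},
    {"From": "MS Network Security System", "Subject": "Error Advice"},
    {"From": "Mail Delivery System", "Subject": "Returned mail: see transcript"},
    {"From": "Alice", "Subject": "Report"},
    {"From": "Internet Service", "Subject": "new message"},
]

def classify(samples=SAMPLES) -> List[bool]:
    return [looks_like_worm(h) for h in samples]
```

Running `classify()` flags the two worm-style samples and also the real bounce, while the last two samples (sender mismatch, and a subject no branch covers) pass through.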