At 2003-09-19T03:33:53Z, Kirk Strauser <kirk@strauser.com> writes:
OK, last iteration (I promise). Enough people have found this helpful, or
at least amusing, that I'm posting my final script update.
I'm using the "MICROSOFT_EXECUTABLE" block in SpamAssassin in conjunction with
this script. Overnight hit rates look like:
My script    : about 4,000 emails
SpamAssassin : another few hundred that snuck through
My inbox     : about 15-20
<alan>
IF YOU DON'T USE MY SCRIPT, THEN YOU MUST BE A WORM AUTHOR.
</alan>
############################################################
#### Virus detection
# 2003-09-18: Something stupid and Microsofty

# "fileinto" is a Sieve extension; this line must come before any
# other command in the complete script.
require ["fileinto"];

if anyof(
    # This one is super-annoying; it mimics real bounce messages
    allof(
        # Sender
        anyof(
            # Check that the sender matches a pattern...
            allof(
                header :contains "From" [
                    "email",
                    "inet",
                    "internet",
                    "mail",
                    "microsoft",
                    "ms",
                    "net",
                    "network"
                ],
                header :contains "From" [
                    "service",
                    "section",
                    "system"
                ]
            ),
            # ...or is one of several words
            header :is "From" [
                "administrator",
                "admin" ]
        ),
        # Subject
        anyof(
            # Short phrases
            header :is "Subject" [
                "advice",
                "announcement",
                "failure report",
                "letter",
                "mail",
                "notice",
                "report" ],
            # Weird errors
            allof(
                header :matches "Subject" [
                    "abort *",
                    "bug *",
                    "error *" ],
                header :matches "Subject" [
                    "* advice",
                    "* announcement",
                    "* letter",
                    "* message",
                    "* notice" ]
            ),
            # Faked bounce messages
            header :matches "Subject" [
                "mail: *",
                "message*",
                "returned mail*",
                "returned message*",
                "undeliverable message*",
                "undelivered message*" ],
            # No subject
            not exists "Subject"
        )
    ),
    # "Current Security Pack", "New Security Update", etc.
    allof(
        header :matches "Subject" [
            "critical *",
            "current *",
            "internet *",
            "last *",
            "latest *",
            "microsoft *",
            "net *",
            "network *",
            "new *",
            "newest *",
            "security *"
        ],
        header :matches "Subject" [
            "* upgrade",
            "* update",
            "* pack",
            "* patch"
        ]
    )
)
{
    fileinto "INBOX.virus.2003-09-18";
}
############################################################
--
Kirk Strauser
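
An added example, not part of Kirk Strauser's post: a small Python model of the rule's header tests, run on constructed sample headers to see what the filter would file away before deploying it. It assumes Sieve's default case-insensitive comparator and models only the `*` and `?` wildcards; the function and sample names are hypothetical.

```python
import re

# Key lists copied from the Sieve rule in the post.
FROM_A = "email inet internet mail microsoft ms net network".split()
FROM_B = "service section system".split()
FROM_IS = ["administrator", "admin"]
SUBJ_IS = ["advice", "announcement", "failure report", "letter", "mail", "notice", "report"]
ERR_HEAD = ["abort *", "bug *", "error *"]
ERR_TAIL = ["* advice", "* announcement", "* letter", "* message", "* notice"]
BOUNCE = ["mail: *", "message*", "returned mail*", "returned message*",
          "undeliverable message*", "undelivered message*"]
PATCH_HEAD = ["critical *", "current *", "internet *", "last *", "latest *", "microsoft *",
              "net *", "network *", "new *", "newest *", "security *"]
PATCH_TAIL = ["* upgrade", "* update", "* pack", "* patch"]

def _glob(pat):
    # Sieve :matches wildcards: "*" is any run of characters, "?" is exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pat)
    return re.compile(rx, re.I | re.S)

# The header test compares the whole field value; a missing header never matches.
def is_(val, keys):
    return val is not None and val.strip().lower() in keys

def contains(val, keys):
    return val is not None and any(k in val.lower() for k in keys)

def matches(val, pats):
    return val is not None and any(_glob(p).fullmatch(val.strip()) for p in pats)

def virus_rule(hdrs):
    """True when the post's rule would file the message into the virus folder."""
    frm, subj = hdrs.get("From"), hdrs.get("Subject")
    sender = (contains(frm, FROM_A) and contains(frm, FROM_B)) or is_(frm, FROM_IS)
    subject = (is_(subj, SUBJ_IS) or (matches(subj, ERR_HEAD) and matches(subj, ERR_TAIL))
               or matches(subj, BOUNCE) or subj is None)
    patch = matches(subj, PATCH_HEAD) and matches(subj, PATCH_TAIL)
    return (sender and subject) or patch

SAMPLES = {  # constructed headers, not taken from real traffic
    "fake patch notice": {"From": "MS Network Security Section <a@example.com>", "Subject": "Latest Security Patch"},
    "genuine-looking bounce": {"From": "Mail Delivery Subsystem <MAILER-DAEMON@example.org>", "Subject": "Returned mail: see transcript for details"},
    "colleague": {"From": "Alice <alice@example.com>", "Subject": "New kernel patch"},
    "ordinary mail": {"From": "Alice <alice@example.com>", "Subject": "Lunch on Friday?"},
    "bare admin, no subject": {"From": "admin"},
    "admin with address": {"From": "admin <admin@example.com>"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:24} -> {'virus folder' if virus_rule(hdrs) else 'inbox'}")
```

In this model the genuine-looking bounce and the "New kernel patch" message are both filed into the virus folder, so that folder is worth reviewing rather than discarding unread. The `:is "From"` test matches only when the entire header value is `admin` or `administrator`, which is why `admin <admin@example.com>` falls through.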