| 1 |
don |
2 |
# joy, 2003-08-15 |
| 2 |
|
|
# PIC_GIF: matches a line beginning with a Content-ID header whose value is
# <pic.gif> or <pic<digits>.gif> (case-insensitive) and adds 3 points.
# NOTE(review): Content-ID is a MIME part header. SpamAssassin 3.x documents
# rawbody as covering only the decoded textual parts, so part headers may not be
# visible to this rule there; mimeheader is the documented test for part headers.
# Confirm against the deployed version.
rawbody PIC_GIF /^Content-ID: <pic\d*\.gif>/i |
| 3 |
|
|
describe PIC_GIF pic*.gif in attachment, common spam/virus |
| 4 |
|
|
score PIC_GIF 3 |
| 5 |
|
|
|
| 6 |
|
|
# POSSIBLEVIRUS: matches a Subject containing the literal tag "{Virus?} "
# (braces and question mark escaped, trailing space required) and adds 2 points.
# The match is case-sensitive and not anchored, so the tag may appear anywhere
# in the Subject.
header POSSIBLEVIRUS Subject =~ /\{Virus\?\} / |
| 7 |
|
|
describe POSSIBLEVIRUS possible or cleaned virus tag found in Subject |
| 8 |
|
|
score POSSIBLEVIRUS 2 |
| 9 |
|
|
|
| 10 |
|
|
# cjwatson, 2003/09/22 2003/10/02 |
| 11 |
|
|
# AV_SCAN: matches a Subject containing "AntiVirus scan results" in exactly this
# letter case and adds 4 points.
# NOTE(review): AV_RESULTS in this file tests the same phrase with /i, so a
# Subject in this exact case matches both rules; confirm the overlap is intended.
header AV_SCAN Subject =~ /AntiVirus scan results/ |
| 12 |
|
|
describe AV_SCAN virus fallout |
| 13 |
|
|
score AV_SCAN 4 |
| 14 |
|
|
|
| 15 |
|
|
# cjwatson, 2003/09/24 |
| 16 |
|
|
# CORREO_TERRA: matches the phrase "Antivirus de Correo de Terra" in the rendered
# message body (case-sensitive) and adds 2 points.
# NOTE(review): "virus fallout" presumably means notices generated by a mail
# antivirus gateway rather than the malware itself; confirm with the rule author.
body CORREO_TERRA /Antivirus de Correo de Terra/ |
| 17 |
|
|
describe CORREO_TERRA virus fallout |
| 18 |
|
|
score CORREO_TERRA 2 |
| 19 |
|
|
|
| 20 |
|
|
# cjwatson, 2003/09/24 |
| 21 |
|
|
# WEBSHIELD: matches body text where "Network Associates WebShield SMTP" is
# followed, later in the same matched chunk, by "detected virus"; adds 3 points.
# ".*" does not cross a newline, so both phrases must fall in one chunk of the
# text that the body test is run against.
body WEBSHIELD /Network Associates WebShield SMTP.*detected virus/ |
| 22 |
|
|
describe WEBSHIELD virus fallout |
| 23 |
|
|
score WEBSHIELD 3 |
| 24 |
|
|
|
| 25 |
|
|
# cjwatson, 2003/09/25, joy 2003-10-01 |
| 26 |
|
|
# AV_ALERT: matches a Subject that begins with "Virus Alert" or "AntiVirus Alert"
# (anchored at the start, case-sensitive) and adds 4.5 points.
# NOTE(review): when a rule name has several score lines the last one read wins,
# so check the rest of this file for other describe/score lines naming AV_ALERT.
header AV_ALERT Subject =~ /^(Anti)?Virus Alert/ |
| 27 |
|
|
describe AV_ALERT virus fallout |
| 28 |
|
|
score AV_ALERT 4.5 |
| 29 |
|
|
|
| 30 |
|
|
# cjwatson, 2003/09/29 |
| 31 |
|
|
# INFECTED_OBJ: matches the exact phrase "because contains an infected object"
# in the rendered message body (case-sensitive) and adds 4 points.
body INFECTED_OBJ /because contains an infected object/ |
| 32 |
|
|
describe INFECTED_OBJ virus fallout |
| 33 |
|
|
score INFECTED_OBJ 4 |
| 34 |
|
|
|
| 35 |
|
|
# joy, 2003-10-01 |
| 36 |
|
|
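# AV_RESULTS: matches a Subject containing "AntiVirus scan results" in any letter
# case and adds 4 points.
# The describe and score lines for this rule previously named AV_ALERT. That
# overrode AV_ALERT's own description and its 4.5 score (the last score line read
# wins) and left AV_RESULTS with no description and only the default score.
# They now name AV_RESULTS.
# NOTE(review): AV_SCAN tests the same phrase case-sensitively, so an exact-case
# Subject matches both rules; confirm the combined score is intended.
header AV_RESULTS Subject =~ /AntiVirus scan results/i |
| 37 |
|
|
describe AV_RESULTS anti-virus spam |
| 38 |
|
|
score AV_RESULTS 4 |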
| 39 |
|
|
|
| 40 |
|
|
# cjwatson, 2004-01-27 |
| 41 |
|
|
# IOL_ALERTA: matches a Subject containing "IOL - ALERTA de Virus"
# (case-sensitive, unanchored) and adds 4 points.
# The description labels this as a misdirected antivirus notice.
header IOL_ALERTA Subject =~ /IOL - ALERTA de Virus/ |
| 42 |
|
|
describe IOL_ALERTA misdirected antivirus |
| 43 |
|
|
score IOL_ALERTA 4 |
| 44 |
|
|
|
| 45 |
|
|
# blarson 2004-04-10 |
| 46 |
|
|
# ZIPCOMPRESSED: matches the MIME type string "application/x-zip-compressed"
# anywhere in the text the rawbody test sees (case-insensitive); adds 2 points.
# The pattern tests only for the type string, so any message carrying it,
# legitimate or not, receives the score.
# NOTE(review): SpamAssassin 3.x documents rawbody as covering only the decoded
# textual parts, so a part's Content-Type header may not be visible to this rule
# there; mimeheader is the documented test for part headers. Confirm against the
# deployed version.
rawbody ZIPCOMPRESSED /application\/x-zip-compressed/i |
| 47 |
|
|
describe ZIPCOMPRESSED zip compressed attachment |
| 48 |
|
|
score ZIPCOMPRESSED 2 |
| 49 |
|
|
|
| 50 |
|
|
# blarson 2005-04-29 |
| 51 |
|
|
# MICROVIRUS: matches a Subject made of, in order: Current/Latest/Newest/New,
# a space, Microsoft/Internet/Net, a space, an optional Security/Critical, an
# optional space, then Patch/Pack/Update/Upgrade (case-insensitive).
# Adds 4 points.
# The pattern is unanchored and tests wording only, so a genuine announcement
# with the same wording (e.g. "New Microsoft Security Update") also matches.
header MICROVIRUS subject =~ /(?:Current|Latest|Newest|New) (?:Microsoft|Internet|Net) (?:Security|Critical)? ?(?:Patch|Pack|Update|Upgrade)/i |
| 52 |
|
|
describe MICROVIRUS microsoft email virus |
| 53 |
|
|
score MICROVIRUS 4 |
| 54 |
|
|
|
| 55 |
|
|
# blarson 2006-11-21 |
| 56 |
|
|
# AVGMAIL: matches the literal string "--=======AVGMAIL" (two hyphens, seven
# equals signs) when it is preceded by a word boundary; adds 3 points.
# NOTE(review): "-" is a non-word character, so \b in front of it matches only
# when the preceding character is a letter, digit or underscore. The string at
# the start of a line, or after whitespace or punctuation, would not match.
# Confirm against a sample message that this rule still hits.
rawbody AVGMAIL /\b\-\-\=\=\=\=\=\=\=AVGMAIL/ |
| 57 |
|
|
describe AVGMAIL avg virus claim |
| 58 |
|
|
score AVGMAIL 3 |
| 59 |
|
|
|
| 60 |
|
|
# don 2007-06-25 blarson 2007-06-28 |
| 61 |
|
|
# This is %PDF-1.1 base64 encoded |
| 62 |
|
|
# PDFATTACH: searches the full undecoded message (headers and all MIME data) for
# "JVBERi0xLjE", the base64 encoding of the file signature "%PDF-1.1"; adds 2 points.
# The literal covers only PDFs whose header declares version 1.1 (or 1.1x) and
# whose base64 data begins with that header; other PDF versions encode to a
# different string and are not matched by this rule.
full PDFATTACH /JVBERi0xLjE/ |
| 63 |
|
|
describe PDFATTACH PDF Attachment |
| 64 |
|
|
score PDFATTACH 2 |
| 65 |
|
|
|
| 66 |
|
|
# blarson 2007-06-29 |
| 67 |
|
|
# PDFNAME: matches a Subject containing a word character immediately followed
# by ".pdf" ending at a word boundary (case-insensitive), i.e. something that
# looks like a PDF file name; adds 3.5 points.
# The test looks at the Subject text only, not at whether a PDF is attached.
header PDFNAME subject =~ /\w\.pdf\b/i |
| 68 |
|
|
describe PDFNAME pdf spam |
| 69 |
|
|
score PDFNAME 3.5 |
| 70 |
|
|
|
| 71 |
|
|
# blarson 2007-07-18 |
| 72 |
|
|
# APPPDF: matches "Content-Type:" followed by whitespace and "application/pdf"
# (case-insensitive); adds 2 points.
# The pattern tests only for the declared type, so every message with a part
# declared as application/pdf receives the score.
# NOTE(review): SpamAssassin 3.x documents rawbody as covering only the decoded
# textual parts, so a part's Content-Type header may not be visible to this rule
# there; mimeheader is the documented test for part headers. Confirm against the
# deployed version.
rawbody APPPDF /\bContent-Type\:\s+application\/pdf/i |
| 73 |
|
|
describe APPPDF pdf attachment |
| 74 |
|
|
score APPPDF 2 |
| 75 |
|
|
|
| 76 |
|
|
# blarson 2007-09-01 |
| 77 |
|
|
# NOVIR: matches body text that begins with the sentence
# "No virus found in this incoming message." (anchored, case-sensitive, the
# final period escaped); adds 1 point.
# The description treats the claim as bogus: the sentence is plain body text and
# anyone can write it, so it says nothing about whether the message was scanned.
body NOVIR /^No virus found in this incoming message\./ |
| 78 |
|
|
describe NOVIR bogus no virus |
| 79 |
|
|
score NOVIR 1 |
| 80 |
|
|
|
| 81 |
don |
236 |
# blarson 2008-08-09 |
| 82 |
|
|
# ANTIGEN: matches a Subject containing "Antigen Notification" (case-sensitive,
# unanchored) and adds 4 points.
header ANTIGEN subject=~/Antigen Notification/ |
| 83 |
|
|
describe ANTIGEN Antigen Notification |
| 84 |
|
|
score ANTIGEN 4 |
| 85 |
cord |
339 |
|
| 86 |
|
|
# cord 2010-05-04 |
| 87 |
|
|
# AUTOMATIC_MESSAGE: matches "This is an automatic message" or "This is an
# automated message" in the rendered body (case-insensitive); adds 2.0 points.
# The phrase is tested wherever it appears, so any automated notice using this
# wording receives the score.
body AUTOMATIC_MESSAGE /This is an automat(ic|ed) message/i |
| 88 |
|
|
describe AUTOMATIC_MESSAGE body indicates it is an automated message |
| 89 |
|
|
score AUTOMATIC_MESSAGE 2.0 |
| 90 |
|
|
|
| 91 |
formorer |
395 |
# formorer 2012-02-15 |
| 92 |
formorer |
396 |
# XEROX: matches a Subject containing "Scan from a Xerox W" followed by any one
# character (case-insensitive); adds 4 points.
# NOTE(review): the "." after "W" is unescaped and therefore matches any
# character, not a literal period. Presumably deliberate, to cover a product
# name that starts with "W"; confirm with the rule author.
header XEROX subject=~/Scan from a Xerox W./i |
| 93 |
formorer |
395 |
describe XEROX Scanner malware |
| 94 |
|
|
score XEROX 4 |
| 95 |
|
|
|