That was way too simple. I've been growing the script as false negatives trickle in, and the current results are below. By the way, I've come to the realization that filtering this with pattern matching is probably an exercise in futility, but it's still fun to try (and it's blocking several hundred mails per hour, so that's kind of worthwhile).
############################################################
#### Virus detection
# fileinto is an extension; the require must precede every other command
# in the script.
require ["fileinto"];

# 2003-09-18: Something stupid and Microsofty
if anyof(
    # This one is super-annoying; it mimics real bounce messages
    allof(
        # First, check that the sender matches a pattern: the whole From
        # value has to start with one of these words...
        header :matches "From" [
            "email *",
            "inet *",
            "internet *",
            "mail *",
            "microsoft *",
            "ms *",
            "net *",
            "network *" ],
        # ...and end with one of these
        header :matches "From" [
            "* service",
            "* system"
        ],
        # Second, look at the subject line
        anyof(
            # Short phrases (exact match, case-insensitive)
            header :is "Subject" [
                "advice",
                "announcement",
                "failure report",
                "letter",
                "report" ],
            # Weird errors: "<abort|bug|error> ... <advice|letter|message|notice>"
            allof(
                header :matches "Subject" [
                    "abort *",
                    "bug *",
                    "error *" ],
                header :matches "Subject" [
                    "* advice",
                    "* letter",
                    "* message",
                    "* notice" ]
            ),
            # Faked bounce messages
            header :matches "Subject" [
                "mail: *",
                "message*",
                "returned mail*",
                "returned message*",
                "undeliverable message*",
                "undelivered message*" ]
        )
    ),
    # "Current Security Pack", "New Security Update", etc.
    # (this branch only looks at the subject)
    allof(
        header :matches "Subject" [
            "current *",
            "internet *",
            "last *",
            "latest *",
            "microsoft *",
            "net *",
            "new *",
            "newest *" ],
        header :matches "Subject" [
            "* upgrade",
            "* update",
            "* pack",
            "* patch" ]
    )
)
{
    fileinto "INBOX.virus.2003-09-18";
}
############################################################
--
Kirk Strauser
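To see what the rule above actually catches without loading it into a Sieve server, here is an added example that is not part of Kirk's message: a small Python evaluator covering only the pieces of RFC 5228 the script uses (the header test with :is and :matches, anyof/allof, and the default i;ascii-casemap comparator, which folds ASCII case only), with the rule transcribed onto it and run over constructed sample headers. The sample From and Subject values, the example.com/example.org addresses, and the use of "INBOX" to stand for the implicit keep are assumptions made for the example; the quarantine folder name is the one from the script.

```python
# Added example, not the poster's script: just enough of RFC 5228 (header,
# :is, :matches, anyof, allof, the default i;ascii-casemap comparator) to
# run the rule above over constructed headers and see where it files them.
import re
from typing import Callable, Iterable, Mapping, Optional

Headers = Mapping[str, str]  # lower-cased field name -> unfolded, decoded value
Test = Callable[[Headers], bool]


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    # Sieve :matches wildcards: '*' is any run of characters, '?' is one
    # character, everything else is literal.  The regex is anchored to the
    # whole header value (fullmatch) and case-folds ASCII only.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("".join(parts), re.IGNORECASE | re.ASCII)


def _value(headers: Headers, name: str) -> Optional[str]:
    # RFC 5228 ignores leading/trailing whitespace; an absent field never matches.
    raw = headers.get(name.lower())
    return None if raw is None else raw.strip()


def header_matches(name: str, keys: Iterable[str]) -> Test:
    """header :matches NAME [KEYS]"""
    regexes = [glob_to_regex(k) for k in keys]

    def test(h: Headers) -> bool:
        v = _value(h, name)
        return v is not None and any(r.fullmatch(v) for r in regexes)
    return test


def header_is(name: str, keys: Iterable[str]) -> Test:
    """header :is NAME [KEYS]  (whole value, case-insensitive)"""
    wanted = {k.lower() for k in keys}

    def test(h: Headers) -> bool:
        v = _value(h, name)
        return v is not None and v.lower() in wanted
    return test


def anyof(*tests: Test) -> Test:
    return lambda h: any(t(h) for t in tests)


def allof(*tests: Test) -> Test:
    return lambda h: all(t(h) for t in tests)


# The rule from the message, transcribed test for test.
VIRUS_RULE = anyof(
    allof(  # faked bounce / mail-system notices
        header_matches("From", ["email *", "inet *", "internet *", "mail *",
                                "microsoft *", "ms *", "net *", "network *"]),
        header_matches("From", ["* service", "* system"]),
        anyof(
            header_is("Subject", ["advice", "announcement", "failure report",
                                  "letter", "report"]),
            allof(header_matches("Subject", ["abort *", "bug *", "error *"]),
                  header_matches("Subject", ["* advice", "* letter",
                                             "* message", "* notice"])),
            header_matches("Subject", ["mail: *", "message*", "returned mail*",
                                       "returned message*", "undeliverable message*",
                                       "undelivered message*"]),
        ),
    ),
    allof(  # "Current Security Pack", "New Security Update", ...
        header_matches("Subject", ["current *", "internet *", "last *", "latest *",
                                   "microsoft *", "net *", "new *", "newest *"]),
        header_matches("Subject", ["* upgrade", "* update", "* pack", "* patch"]),
    ),
)


def classify(headers: Headers) -> str:
    """Folder the rule would fileinto; 'INBOX' stands for the implicit keep."""
    return "INBOX.virus.2003-09-18" if VIRUS_RULE(headers) else "INBOX"


# Constructed sample headers for this example (not captured mail), paired with
# the folder the rule sends them to.
SAMPLES = [
    ({"from": "MS Internet Mail Service", "subject": "Returned Mail: User unknown"},
     "INBOX.virus.2003-09-18"),
    ({"from": "Network Security Division", "subject": "Latest Security Patch"},
     "INBOX.virus.2003-09-18"),  # second branch never looks at From
    ({"from": "MS Internet Mail Service <postmaster@example.com>",
      "subject": "Returned Mail: User unknown"}, "INBOX"),  # "* service" is anchored
    ({"from": "Alice <alice@example.org>", "subject": "Message from Alice"}, "INBOX"),
]

if __name__ == "__main__":
    for headers, expected in SAMPLES:
        got = classify(headers)
        print("ok " if got == expected else "BAD", repr(headers["subject"]), "->", got)
```

The third sample is the check worth keeping in mind when growing a rule like this: a `header :matches` key is compared against the whole unfolded From value, so `"* service"` only fires when the field ends with that word, and a From that carries an angle-bracket address after the display name never does; the first branch is then skipped entirely while the Subject-only second branch is unaffected. If the mail you are seeing has an address in From, `:contains` or an `address` test on the address part is the right tool. The evaluator passes `re.ASCII` alongside `re.IGNORECASE` so that its case folding stays ASCII-only, like the i;ascii-casemap comparator Sieve applies by default.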

