# Two Exim ACLs that score a message for looking like an automated
# antivirus notification or bounce ("bvw" presumably stands for "bogus
# virus warning" - confirm). bvw_data_acl accumulates the score in
# $acl_m7 and records each rule that fired in an X-OLS-BogusWarn: header.
#
# Review notes for whoever wires these in:
#  - Every input tested here (envelope sender, headers, subject, body) is
#    supplied by the remote sender, so the score is a heuristic, not a
#    trust decision.
#  - Neither ACL applies a threshold to $acl_m7. bvw_data_acl always ends
#    in "accept", so any rejection or tagging presumably happens in the
#    calling ACL - verify against the caller.
#  - Nothing visible here strips an inbound X-OLS-BogusWarn: header, so
#    consumers should rely on $acl_m7 rather than on the header's presence
#    unless that is handled elsewhere.

# Accepts when the lowercased envelope sender local part contains one of
# the scanner-style names below, and denies otherwise. How the caller
# interprets accept/deny is not visible here.
bvw_mfrom_acl:
  accept condition = ${if match {${lc:$sender_address_local_part}}\
                     {(symantec_mail|smtp_gateway|viruscheck|antivir|\
                       navmse-|drweb-daemon|virusalert|virusadmin|\
                       kavdaemon|kavkeeper|antivirus_gateway|antigen_)}}
  deny

bvw_data_acl:
  # Start every message at zero. eval10 is used throughout so the running
  # total is always read as a decimal number.
  warn set acl_m7 = 0

  # Human senders: a User-Agent header lowers the score.
  warn condition = ${if def:h_user-agent:}
       set acl_m7 = ${eval10:$acl_m7-2000}

  # Suspicious headers: scanner-specific headers, +12000 each.
  warn condition = ${if match {${lc:$h_x-mirapoint-virus:}}\
                   {virusdeleted}}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: Mirapoint AntiVirus

  warn condition = ${if match {${lc:$h_x-virus-scan-result:}}\
                   {repaired}}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: Symantec antivirus

  # Searches the whole lowercased header block, not one named header.
  warn condition = ${if match {${lc:$message_headers}}\
                   {-mailscanner[\-a-z]*: found to be infected}}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: MailScanner/MailScan

  warn condition = ${if match {${lc:$h_x-originator:}}{mailscan}}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: MailScanner/MailScan

  warn condition = ${if match {${lc:$h_x-auto-generated:}}\
                   {mcafee antivirus}}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: McAfee Antivirus

  warn condition = ${if match {${lc:$h_x-av-status:}}{infected}}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: Infected header 1

  warn condition = ${if def:h_x-infected-received-from:}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: Infected header 2

  # NOTE(review): the header name is spelled "seconday" - confirm this is
  # the name the scanner actually emits and not a typo for "secondary".
  # NOTE(review): this rule reuses the "Infected header 2" label of the
  # rule above, so the two cannot be told apart in the added headers.
  warn condition = ${if match {$h_x-nai-seconday-action:}{Notification}}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: Infected header 2

  warn condition = ${if match {${lc:$h_x-loop:}}{email security warning}}
       set acl_m7 = ${eval10:$acl_m7+6000}
       add_header = X-OLS-BogusWarn: Email security warning

  # Generic bounce / bulk indicators carry smaller weights.
  warn condition = ${if eqi {$h_auto-submitted:}{failure}}
       set acl_m7 = ${eval10:$acl_m7+1500}
       add_header = X-OLS-BogusWarn: Bounce (auto-submited)

  warn condition = ${if match {$h_content-type:}{multipart/report}}
       set acl_m7 = ${eval10:$acl_m7+1500}
       add_header = X-OLS-BogusWarn: Bounce (multipart/report)

  warn condition = ${if match {$h_precedence:}{(bulk|junk)}}
       set acl_m7 = ${eval10:$acl_m7+1000}
       add_header = X-OLS-BogusWarn: Junk precedence

  # Suspicious mailers (X-Mailer header).
  warn condition = ${if match {${lc:$h_x-mailer:}}\
                   {(webshield|kavkeeper|kaspersky|avpkeeper|\
                     ravmd|odeiavir|proscan mail scanner|\
                     messagesoft stormmail|trendmicro)}}
       set acl_m7 = ${eval10:$acl_m7+12000}
       add_header = X-OLS-BogusWarn: Sent by antivirus mailer

  warn condition = ${if match {${lc:$h_x-mailer:}}\
                   {(imail|microsoft cdo|novell groupwise internet agent|\
                     raidenmaild|superscout|mailing system|wall|\
                     internet mail service|tobit)}}
       set acl_m7 = ${eval10:$acl_m7+2500}
       add_header = X-OLS-BogusWarn: Sent by mailer

  # Inverted test: yields "yes" only when X-Mailer is absent.
  warn condition = ${if def:h_x-mailer:{no}{yes}}
       set acl_m7 = ${eval10:$acl_m7+1500}
       add_header = X-OLS-BogusWarn: No x-mailer header

  # Suspicious sender (envelope sender local part).
  warn condition = ${if match {${lc:$sender_address_local_part}}\
                   {((mail|mime)(sweeper|keeper|scan)|groupshield|\
                     filter|navmse|warning|avpcheck|bitdefender|\
                     esafe|vscan|savconsole|panda|navmse|antigen|virus|\
                     mail.security|platinum|symantec|avadmin|clamav)}}
       set acl_m7 = ${eval10:$acl_m7+6000}
       add_header = X-OLS-BogusWarn: Sent by antivirus (Return-Path:)

  warn condition = ${if match {${lc:$sender_address_local_part}}\
                   {(mail|daemon|autorespon|system|no-reply|\
                     nobody|noreply|server|proxy|postmaster|\
                     root|relay|robot|admin|smtp)}}
       set acl_m7 = ${eval10:$acl_m7+2000}
       add_header = X-OLS-BogusWarn: Sent by robot (mfrom)

  # "senders = :" matches the empty envelope sender.
  warn senders = :
       set acl_m7 = ${eval10:$acl_m7+3000}
       add_header = X-OLS-BogusWarn: Is a bounce

  # Suspicious From: header.
  warn condition = ${if match {${lc:$h_from:}}\
                   {(warning|(mail|mime)sweeper|drweb|virus|navmse|\
                     interscan|nemx|symantec|watchdog|firewall|\
                     scanner|filter|kav for|groupshield|\
                     antigen|wall|scan|nortonav|amavis|viren|\
                     gatelock|monitor|clamav notify)}}
       set acl_m7 = ${eval10:$acl_m7+6000}
       add_header = X-OLS-BogusWarn: Sent by antivirus (From:)

  warn condition = ${if match {${lc:$h_from:}}\
                   {(mailer|daemon|postmaster|mail-server|\
                     admin|system attendant)}}
       set acl_m7 = ${eval10:$acl_m7+1500}
       add_header = X-OLS-BogusWarn: Sent by robot (From:)

  # Suspicious Subject: $acl_m9 holds the lowercased subject that the
  # subject rules below match against.
  warn set acl_m9 = ${lc:$h_subject:}

  # NOTE(review): this pattern is not wrapped in \N...\N, so string
  # expansion probably consumes the backslashes before the regex is
  # compiled, leaving "?" as a quantifier rather than a literal. The match
  # is also case-sensitive. Confirm the rule fires only on the subjects
  # intended.
  # NOTE(review): $h_subject: is Exim's decoded header form, so a raw
  # "=?utf-8?" marker may not be visible in it - check whether
  # $rh_subject: was meant.
  # NOTE(review): X-Decoded-Subject copies sender-controlled text into a
  # new header. Confirm the expanded value cannot carry line breaks and
  # that downstream tools treat the header as untrusted.
  warn condition = ${if match {$h_subject:}{=\?utf-8\?}}
       set acl_m9 = ${lc:${from_utf8:$h_subject:}}
       add_header = X-Decoded-Subject: $acl_m9

  warn condition = ${if match {$acl_m9}\
                   {((illegal content|policy) violation|\
                     mcafee groupshield alert|\
                     symantec (avf|mail security) detected|\
                     scanmail notification)}}
       set acl_m7 = ${eval10:$acl_m7+6000}
       add_header = X-OLS-BogusWarn: Virus infection subject

  warn condition = ${if match {$acl_m9}\
                   {(mail delivery)}}
       set acl_m7 = ${eval10:$acl_m7+6000}
       add_header = X-OLS-BogusWarn: Bounce subject

  # Both conditions must match: a topic word AND an action word.
  warn condition = ${if match {$acl_m9}\
                   {(virus|viren|atachment|attachment|antigen|bitdefender|\
                     content|groupshield|mail|vírus|esafe)}}
       condition = ${if match {$acl_m9}\
                   {(found|deleted|warning|suspect|alert|detect|\
                     suppression|notifica(t|c)ion|infec(t|c)ion|\
                     quarentined|rejected|trovato|achtung|incident|\
                     returned|banned|restricted|blocked|sent|failed|\
                     violation|retour|aviso|portador|encontrado)}}
       set acl_m7 = ${eval10:$acl_m7+6000}
       add_header = X-OLS-BogusWarn: Subject talks about virus infection

  # Anchored whole-subject match, protected from expansion with \N...\N.
  warn condition = ${if match {$acl_m9}\
                   {\N^(re: ||autonotify: )(error|hello|hi|server|\
                     report|status|photos|good day|test|report to sender)$\N}}
       set acl_m7 = ${eval10:$acl_m7+2500}
       add_header = X-OLS-BogusWarn: Subject generated by virus

  warn condition = ${if match {$acl_m9}\
                   {\N(voicemessage|paris hilton|be happy)\N}}
       set acl_m7 = ${eval10:$acl_m7+2500}
       add_header = X-OLS-BogusWarn: Subject generated by virus

  # Suspicious body: a colon-separated list of two regular expressions.
  # NOTE(review): escaping is inconsistent inside this list. "\\?" is
  # doubled, while "\." and "\(s\)" are single. If this argument is
  # expanded before compilation, the single backslashes are probably lost,
  # so "attachment\(s\)" would become a capture group instead of literal
  # parentheses. Confirm, or wrap the patterns in \N...\N.
  warn regex = (ANTIVIRUS DE CORREO TERRA|MESSAGE IS BLOCKED|\
               A L E R T A V I R U S|V I R U S A L E R T|\
               ALERTA DE (VIRUS|INFECCION|V=CDRUS)|\
               VIRUS INFECTION ALERT|BLOCKED DELIVERY OF EMAIL|\
               UPOZORNENIE NA VIRUS|\\?InterScan MSS\\?|\
               ScanMail for Microsoft Exchange took action|\
               eShield has detected|A virus was found|\
               Danone Group Antivirus|KAV Report|\
               Message generated by exiscan|of containing a Virus|\
               SAV has detected a violation|eTrust SCM for SMTP|\
               Dangerous Attachment has been Removed|\
               --- Dr.Web report ---|Virus Warning Message|\
               ---perlscanner results ---|\
               --- Scan information follows ---|\
               Se ha detectado un virus|Message d'alerte virus|\
               scanned by MDaemon AntiVirus|\
               infected with the W32/Mydoom@MM virus and was deleted|\
               un virus a ete detecte|message with VIRUS|\
               Incident Information|Antigen Quarantine Area|\
               Scanned by ScanMail for Lotus Notes|\
               This message has been scanned by MDaemon AntiVirus|\
               A virus has been detected|Virus detected|\
               contains a virus):InterScan_NT_MIME_Boundary|\
               (is removed from here because it contains a virus|\
               added by MailScan Anti-Virus|\
               (M|m)essage has been (deleted|quarantined)|\
               X-NAIMIME-Modified|and has detected the Virus|\
               X-NAI-WebShield|Attachment removed|\
               McAfee GroupShield discovered a problem|\
               InterScan has blocked your infected email|\
               Virus Protection Services detected|\
               Detected by ScanMail|eTrust SCM Warning|\
               Network Associates WebShield SMTP intercepted a mail|\
               (Symantec AntiVirus|email scanner) found a virus|\
               This message has been processed by Symantec AntiVirus|\
               Mail transaction failed\. Partial message is available\.|\
               Este correo contenia archivo con virus|\
               Se ha detectado virus en su mensaje|\
               MailMonitor for SMTP|Louis Group Antivirus Protection System|\
               This e-mail has been altered by MIMEDefang|\
               ScanMail for Microsoft Exchange has detected|\
               The following message had attachment\(s\) which contained viruses|\
               This e-mail is to notify you of a possible virus infection on your PC|\
               File quarantined as)
       set acl_m7 = ${eval10:$acl_m7+9000}
       add_header = X-OLS-BogusWarn: Body talks about virus infection

  # Scoring only: this ACL never rejects by itself.
  accept