RAVR is a Procmail recipe that performs content-based (as opposed to signature-based) filtering for common email viruses using Procmail's scoring feature. Emails determined to contain a virus are stamped with a header naming the virus and are then filtered into a user-specified quarantine folder. The purpose of RAVR is to quarantine emails carrying the most common viruses currently in the wild.
455b251d307695aa66a3998087e4b042c3fba59b6c0da70a7ac7d6fbaa12ab02
#=============================================================================
# Ryan's Anti-Virus Recipe
#
# Copyright (c) 2004 Ryan Grove (ryan@wonko.com).
# All rights reserved.
#
# Performs content-based (as opposed to signature-based) filtering for
# common email viruses using Procmail scoring.
#
# Emails that don't contain attachments are passed through immediately. All
# other messages start with -500 points. Points are added for each test the
# message fails. At the end of all the tests, if the message has a positive
# score, "X-VirusPoints" and "X-VirusName" headers are added to it and it is
# moved to the specified quarantine folder.
#
# All virus information was obtained from https://www.viruslist.com/.
#
# For updates, visit https://wonko.com/software/ravr/.
#=============================================================================
##############################################################################
# User Configurable Settings
############################
# Folder in which to quarantine virus-infected emails.
VFOLDER=Virus
##############################################################################
# End of User Configurable Settings
###################################
LINEBUF=32768
NL="
"
:0B
* Content-Disposition: attachment;
{
# Test virus
:0WHBf
* -500^0
* 600^0 ^Subject: virusfiltertest
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: Test"
:0 a:
$VFOLDER
# I-Worm.Bagle.a
:0WHBf
* -500^0
* 100^0 ^Subject: Hi$
* 300^0 Test \=\)
* 300^0 Test, yep\.
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Bagle.a"
:0 a
$VFOLDER
# I-Worm.Bagle.b
:0WHBf
* -500^0
* 300^0 ^Subject: ID [a-z]+\.\.\. thanks
* 300^0 Yours ID [a-z]+
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Bagle.b"
:0 a
$VFOLDER
# I-Worm.Bagle.c
# I-Worm.Bagle.d
# I-Worm.Bagle.e
:0WHBf
* -500^0
* 300^0 (Cya|Empty|Everything inside the attach|Look it through|Request|Response|Subj)
* 300^0 ^Subject: (Hi!|New Price-list|Price|Price list|Price-list|Pricelist|Well...)
* 300^0 name=.*\.zip
* 400^0 ^Subject: (Accounts department|Ahtung!|Camila|Daily activity report|Flayers among us|Freedom for everyone|From (Hair-cutter|me)|Greet the day|Hardware devices price-list|Hello my friend|Jenny|Jessica|Looking for the report|Maria|Melissa|Monthly incomings summary|Proclivity to servitude|Registration confirmation|The (account|employee|summary)|USA government abolishes the capital punishment|Weekly activity report|Well\.\.\.|You are dismissed|You really love me\? he he)
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Bagle.c/d/e"
:0 a
$VFOLDER
# I-Worm.Bagle.f
:0WHBf
* -500^0
* 200^0 ^Subject: :\)
* 300^0 (archive password:|password for archive:)
* 300^0 ^Subject: (Aline|Anne|Audra|Barbi|Caitie|caroline|Jammie|Juli|Julie|kate|Katrina|Kelley|kleopatra|Lisa|Mandy|Mary|Mary-Anne|rebecca|Rena|Sara|stacy|Tammy)
* 300^0 ^Subject: (Bad girl|beautiful|Fotograf|Gallery photos|groom|My beautiful person|My photos)
* 300^0 Argh, i don't like the plaintext :\)
* 300^0 Don't worry I don't bite
* 300^0 Fell free to chat with me I accept all ages.
* 300^0 Hey people whats goin on\? If there is anything you want to know about me ask me...
* 300^0 Hey, guys! by the way, I have no problems with my sexual life,
* 300^0 I am from Taiwan but I study in Camden, New Jersey now.
* 300^0 name=.*\.(exe|scr|zip)
* 400^0 ^Subject: (ello! =\)\)|Hey, dude, it's me \^_\^ :P|Hey, ya! =\)\)|Hi! :-\)|Hokki =\)|Wau... beautiful \(-:|Weah, hello! :-\)|Weeeeee! ;\)\)\))
* 400^0 ^Subject: (My Name is Frenk|My photoalbum|Myphotos|Photoalbum)
* 400^0 ^Subject: \^_\^ (meay-meay!|mew-mew \(-:)
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Bagle.f"
:0 a
$VFOLDER
# I-Worm.Bagle.i
:0WHBf
* -500^0
* 200^0 (For more information|Further details|Advanced details|For details|For further details|Please,|Pay attention) (see the|can be obtained from|can be found in|read the|on) (attached file|attach)
* 200^0 (the attached file is password protected|Attached file protected with the password|In order to read the attach)
* 200^0 account has been temporarily disabled because of unauthorized access\.
* 200^0 Our antivirus software has detected a large ammount of viruses
* 200^0 Our main mailing server will be temporary unavailable for next two days,
* 200^0 Some of our clients complained about the spam \(negative e-mail content\)
* 200^0 We warn you about some attacks on your e-mail account\.
* 200^0 Your e-mail account will be disabled because of improper using
* 300^0 (Dear user of .*,|Hello user of .* e-mail server,|Dear user, the management of .* mailing system wants to let you know that,)
* 300^0 ^Subject: (E-mail|Email) account (security|utilization|disabling) warning
* 300^0 ^Subject: (Notify|Warning|Important notify) about (using the|your) e-mail account
* 300^0 name="(Attach|Information|Readme|Document|Info|TextDocument|TextFile|MoreInfo|Message)\.(exe|pif|zip)
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Bagle.i"
:0 a
$VFOLDER
# I-Worm.Dumaru.a
:0WHBf
* -500^0
* 300^0 ^From: "Microsoft" <security@microsoft.com>
* 500^0 ^More than 500.000 already infected!
* 500^0 ^Subject: Use this patch immediately !
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Dumaru.a"
:0 a
$VFOLDER
# I-Worm.Gibe
:0WHBf
* -500^0
* 200^0 (MS|Microsoft) (Client|Consumer|Customer|Partner|User)
* 200^0 name="(patch|install|q|update).*\.exe"
* 200^0 of all previously released patches\.
* 200^0 this is the latest version of security update, the
* 200^0 This update includes the functionality
* 500^0 200(3|4), Cumulative Patch"
* 500^0 MS Internet Explorer, MS Outlook and MS Outlook Express
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Gibe"
:0 a
$VFOLDER
# I-Worm.Hybris
:0WHBf
* -500^0
* 300^0 ^From: Hahaha <hahaha@sexyfun.net>
* 300^0 ^Subject: Snowhite and the Seven Dwarfs - The REAL story!
* 300^0 Suddlently, the door open, and the Seven Dwarfs enter
* 300^0 The 7 Dwarfs always where very educated
* 300^0 Today, Snowhite was turning 18
* 300^0 When they go out work at mirnign, they promissed
* 500^0 filename="midgets\.scr"
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Hybris"
:0 a
$VFOLDER
# I-Worm.Klez
:0WHBf
* -500^0
* 100^0 ^Subject: (how are you|let's be friends|darling|your password|honey|some questions|please try again)
* 100^0 name=.*\.(txt|htm|wab|asp|doc|rtf|xls|jpg|cpp|c|pas|mpg|mpeg|bak|mp3|pdf)
* 400^0 ^Subject: (so cool a flash,enjoy it|japanese girl VS playboy|look,my beautiful girl friend|spice girls' vocal concert|japanese lass' sexy pictures|Undeliverable mail --|Returned mail --)
* 500^0 ^Subject: (W32.Elkern|W32.Klez.E) removal tools
* 500^0 ^Subject: Worm Klez.E immunity
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Klez"
:0 a
$VFOLDER
# I-Worm.Mimail
:0WHBf
* -500^0
* 100^0 ^Subject: your account
* 200^0 Please read attachment for details
* 200^0 This email address will be expiring
* 300^0 Best regards, Administrator
* 300^0 I would like to inform you about important information regarding your
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Mimail"
:0 a
$VFOLDER
# I-Worm.Mimail.c
:0WHBf
* -500^0
* 300^0 ^Subject: Re\[2\]: our private photos.+
* 300^0 All our photos which i've made at the beach \(even when u're without ur bh:\)\)
* 300^0 Finaly i've found possibility to right u, my lovely girl :\)
* 300^0 name="photos\.zip"
* 300^0 photos are great! This evening i'll come and we'll make the best SEX :\)
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Mimail.c"
:0 a
$VFOLDER
# I-Worm.Mimail.h
# I-Worm.Mimail.k
:0WHBf
* -500^0
* 100^0 It's all written there\. See you\.
* 200^0 And yes, by the way here is the file you asked for
* 200^0 Will meet tonight as we agreed, because on Wednesday I don't think I'll make it
* 300^0 name="readnow\.zip"
* 300^0 WUNKoF6iXiGHHdIIpKYRqLLjPM2qIKxjsF422R57D7dNg8cut3ALFiIn2yqmdHgq/MwwWF9qCmg4
* 400^0 ^Subject: don't be late![ ]+
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Mimail.h/k"
:0 a
$VFOLDER
# I-Worm.Mimail.i
:0WHBf
* -500^0
* 100^0 secure application within the next five business days then
* 100^0 services then you will need to run the application that we
* 100^0 will be expiring within five business days\. We apologize
* 200^0 ^From: donotreply@paypal\.com
* 300^0 ^Subject: YOUR PAYPAL\.COM ACCOUNT EXPIRES
* 400^0 name="www\.paypal\.com\.scr"
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Mimail.i"
:0 a
$VFOLDER
# I-Worm.Mimail.j
:0WHBf
* -500^0
* 50^0 Dear PayPal member,
* 200^0 ^Subject: IMPORTANT
* 300^0 ^From: Do_Not_Reply@paypal\.com
* 300^0 name="(www\.paypal\.com\.pif|InfoUpdate\.exe)"
* 300^0 We regret to inform you that your account is about to be expired in next five business days
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Mimail.j"
:0 a
$VFOLDER
# I-Worm.Moodown.b
:0WHBf
* -500^0
* 300^0 ^Subject: (fake|hello|hi|information|read it immediately|something for you|stolen|unknown|warning)
* 300^0 (about me|anything ok\?|AnythingOk\?|do you\?|from the chatter|greetings|here|here is the document\.|here it is|here, the (cheats|introduction|serials)|i found this document about you|I have your password!|i hope it is not true!|i wait for a reply!|i'm waiting|information about you|is that (from you|true|your account|your name)\?|kill the writer of this document!|misc|my hero|ok|read (it immediately!|the details\.)|reply|see you|something about you!|something is (fool|going wrong)|stuff about you\?|take it easy|that is bad|that's funny|thats wrong|what does it mean\?|why\?|yes, really\?|you (are a bad writer|are bad|earn money|feel the same|try to steal)|your name is wrong)
* 300^0 name=.*\.(exe|pif|scr)
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Moodown.b"
:0 a
$VFOLDER
# I-Worm.Mydoom.b
:0WHBf
* -500^0
* 100^0 ^Subject: (test|hi|hello|Mail Delivery System|Mail Transaction Failed|Server Report|Status|Error)
* 300^0 Mail transaction failed\. Partial message is available\.
* 300^0 sendmail daemon reported: Error #804 occured during SMTP session\. Partial message has been received
* 300^0 The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment\.
* 300^0 The message contains MIME-encoded graphics and has been sent as a binary attachment
* 300^0 The message contains Unicode characters and has been sent asa binary attachment\.
* 400^0 name="(document|readme|doc|text|file|data|test|message|body|scdjjno)\.(pif|scr|exe|cmd|bat|zip)"
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Mydoom.b"
:0 a
$VFOLDER
# I-Worm.Mydoom.e
:0WHBf
* -500^0
* 200^0 (Greetings|See you|Here it is|You are bad|Take it|Reply|Please, reply|Okay|OK|Everything ok\?|Check the attached document|The document was sent in compressed format\.|Please see the attached file for details\.)
* 200^0 ^Subject: (hello|hi|Announcement|forget|bug|unknown|fake|Wanted)
* 200^0 name="(body|message|test|data|file|text|readme|document|doc|msg|photo|resume|image|object|website|friend|joke|approved|paypal|disc|misc|part|mail|list|story|about|money|check|product|notes|your_document|note|information|textfile|posting|post|stuff|attachment|creditcard|details)
* 300^0 (Details are in the attached document\. You need Microsoft Office to open it\. Information about you|We have received this document from your e-mail\.|Kill the writer of this document!|Something about you|I have your password :\)|You are a bad writer|Is that yours\?|Is that from you\?|I wait for your reply\.|Here is the document\.|Read the details\.|I'm waiting)
* 300^0 ^Subject: (read now!|recent news|Read this message|please read|please reply|Thank You very very much|You use illegal File Sharing...|Your IP was logged|Your account is about to be expired|Love is)
* 300^0 ^Subject: (Your (order|request) (was registered|is being processed)|Your credit card|Read it immediately|Something for you|For your information|You have 1 day left|Your account has expired)
* 300^0 name=.*\.(exe|scr|com|pif|bat|cmd|zip|doc|htm|rtf|xls|jpg|gif|png|txt)
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Mydoom.e"
:0 a
$VFOLDER
# I-Worm.Netsky.c
# I-Worm.Netsky.e
:0WHBf
* -500^0
* 200^0 (believe me|dear|Delivery Failed|denied!|error|exception|excuse me|fake\?|good morning|hello|Here is it|hey|hi|I'm back!|illegal...|important|info|its me|last chance!|lol|moin|notice!|notification|private\?|Question|question|re:|Re: <5664ddff\?\$\?\?\?2>|Re: does it\?|Re: does it\?|Re: excuse me|Re: hello|Re: hey|Re: hi|Re: important|Re: information|Re: Re: Re: Re:|Re: unknown|read it immediatelly|report|something for you|Status|stolen|take it|trust me|warning|what's up\?|Yep|you\?)
* 300^0 (\*lol\*|09580985869gj|;-\)|\<\.\.\.\>|\<\<\<FAILURE\>\>\>|\<ANTISPAM complete\>|\<ATTACHMENT 34933920 Signature\>|\<ATTACHMENT Poland from\>|\<AUTOMAILER\>|\<CLICK decrypt to attachment the\>|\<DELIVER Error\>|\<FAILED available message\>|\<MAIL failed\>|\<MESSAGE Error\>|\<NULL\>|\<SERVER Error\>|\<TRANSFER complete\>|\?|a crazy doc about you|abuse\?|account\?|already\?|another pic, have fun! \.\.\. :-\>|Antispam is turned off\. See file!|are you (a photographer\?|a teacherin the picture\?|cranky\?|the naked one\?|the naked person!|the one\?)|Attached Msg|attachi#|Authentification required\. Read the att\.\.\.|bad gateway|be mad\?|best\?|bob the builder|child or adult\?|child porn\?|classroom test of you\?|copyright\?|correct it!|did you (ask me for that\?|know from this document\?|know that\?|see her already\?|sent it to me\?)|do not (give up!|open the attachment!|show this anyone!|use my document!|visit the pages on the list I se\.\.\.)|do you have (an orgasm in the picture\?|sex in the picture\?|the bug also\?|\?)|do you (know the thief\?|know this\?\?\?\?|think so\?)|doc about me\?|doc\?|docs\?|does it (belong to you\?|match\?|matter\?)|drugs\? \.\.\.|excellent!|explain!|fast food\.\.\.|feel free to use it|File is (bad\.|damaged\.|self-decryting\.)|forgotten\?|from the chatter \(my photo!\)|from your lover ;-\)|gonna\?|good work!|great job!|great xxx!|great!|greetings|help attached|her\.|here is (it\.|my advice|my photo!|the \$%%454\$|the \<CENSORED\>|the document\.|the next one!|yours!)|here, the (cheats|introduction|serials)|how\?|I 've found your bill!|i am (desperate|speachless about your document!)|I don't (know your document!|think so\.|want your xxx pics!)|i found (that about you!|this document about you\.)|i have (received this\.|your password!)|i hope thats not true!|i know your document!|i like your doc!|i lost that|i need you!|i saw you last week!|I wait for (an answer!|your comment about it\.)|i want more\.\.\.|i've found it about you|illegal st\. of you\?|important\?|in your mind\?|incest\?|information about you\?|Instant patches|instruct me about this!|is that (criminal|possible|the reality|true)\?|is that your (account|attachment|beast|car|cd|creditcard|domain|family|finger|message|name|photo|porn pic|privacy|slip|TAN|website|wife|work)\?|is that yours\?|is the pic a fake\?|is this information about you\?|it's a secret!|it's so similar as yours!|its private from me|kill him on the picture!|kill the writer of this document!|let it!|lets talk about it!|Login required! Read the attachment!|love letter\?|man or women\?|meaning of that\?|message\?|Microsoft|misc\. and so on\. see you!|modifications\?|money\?|msg|my advice\.\.\.\.|never!|new patch is available!|ok\.\.\.|old photos about you\?|only encrypted!|pages\?|personal message!|picture\?|poor quality!|possible\?|pretty pic about you\?|pwd\?|read it immediately!|read the details\.|really\?|reply|scanned by norton antivirus|schoolfriend\?|see this!|see your name!|solve the problem!|something about you!|something is (going \.\.\.|going wrong!|not ok)|stuff about you\?|such as yours\?|take it easy!|tell me more about your document!|test it|that is interesting\.\.\.|that's a funny text\.|that's not the truth\?|thats wrong!|the information is wrong!|the truth\?|this file is bad!|this is (an attachment message!|nothing for kids!)|time to fear\?|Transaction failed\. Show the doc!|trial\?|try this patch!|Warning from the Government|what do you think about it\?|what means that\?|what still\?|what\?|who\?|why should I\?|why\?|wrong calculation! \(see the attachment!\.\.\.|xxx \?|xxx about you\?|xxx service|yes\.|you are (a bad writer|bad|infected\. Read the details!|naked in this document!|sexy in this doc!)|you cannot hide yourself! \(see photo\)|you earn money, see the attachment!|you feel the same\.|you have a sexy body in the pic!|you have done a mistake in the document\.\.\.|you have tried to steal!|you look like an (ape!|rat\?)|you won the rk!|your account is expired!|your are naked\?|your attachment\? verify it\.|Your bill\.|your body\?|your design is not good!|your document is (not good|silly!)|your eyes\?|your face\?|your hero in the picture\?|your icq number\?|your job\? \(I found that!\)|your lie is going around the world!|your name is wrong!|your personal record\?|your photo is poor|Your provider will be disabled!|your TAN number\?|yours\?)
* 300^0 name=.*\.(com|doc|exe|htm|pif|rtf|scr|txt|zip)
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Netsky.c/e"
:0 a
$VFOLDER
# I-Worm.Netsky.d
:0WHBf
* -500^0
* 200^0 (Your document is attached.|Here is the file.|See the attached file for details.|Please have a look at the attached file|Please read the attached file.|Your file is attached.)
* 300^0 ^Subject: Re: (Thanks!|Your document|Here is the document|Your picture|Hi|Hello|Here|Your music|Your software|Approved|Details|Excel file|Word file|My details|Your details|Your bill|Your text|Your archive|Your letter|Your product|Your website)
* 300^0 ^Subject: Re: Re: (Document|Thanks!|Message)
* 300^0 ^Subject: Re: Re: Re: Your document
* 300^0 name=.*\.pif
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Netsky.d"
:0 a
$VFOLDER
# I-Worm.Sobig.a
:0WHBf
* -500^0
* 300^0 ^From: big@boss\.com
* 300^0 ^Subject: Re: (Movies|Sample|Document|Here is that sample)
* 300^0 name="(Movie_0074\.mpeg|Document003|Untitled1|Sample)\.pif"
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Sobig.a"
:0 a
$VFOLDER
# I-Worm.Sobig.f
:0WHBf
* -500^0
* 50^0 Please see the attached file for details
* 50^0 See the attached file for details
* 200^0 ^Subject: (Re: )?Thank you!
* 200^0 ^X-MailScanner: Found to be clean
* 400^0 ^Subject: (Re: )?That movie
* 400^0 ^Subject: (Re: )?Wicked screensaver
* 400^0 ^Subject: Re: Approved
* 400^0 ^Subject: Re: Details
* 400^0 ^Subject: Re: Re: My details
* 400^0 ^Subject: Re: Your application
* 400^0 ^Subject: Your details
* 400^0 name="(movie0045|wicked_scr|application|document_9446|details|your_details|thank_you|document_all|your_document)\.pif"
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Sobig.f"
:0 a
$VFOLDER
# I-Worm.Torvil.a
:0WHBf
* -500^0
* 100^0 ^Subject: (Pr0n!|Undeliverable mail--|Returned mail--|here's the document|Hello,)
* 200^0 ^Subject: Who should read this bulletin: Users running Microsoft Windows
* 300^0 ^Subject: (Do not release, its the internal rls!|Here's a nice Picture|NewInternal RIs\.\.\.|here's the archive you requested)
* 300^0 dOnT gIvE iT aWaY\.\.\. iTs cOnFiDeNtIaL \=\)
* 300^0 It's Important that you apply this fix now since we estimate the Buffer
* 300^0 Overflow is at a Critical Level
* 300^0 Real outtakes from Sex in the City!! Adult content!!!
* 300^0 Vulnerability described in MS05-023
* 400^0 name="(Q723523_W9X_WXP_x86_EN|yourwin|probsolv|flt-xb5|document|sexinthecity|torvil|win\$shitrulez|sex|flt-ixb23|readit|document1)\.(bat|exe|jpg|pif|rar|scr|zip)"
|formail -I "X-VirusPoints: $= ${NL}X-VirusName: I-Worm.Torvil.a"
:0 a
$VFOLDER
}
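The header comment above describes the scoring model (every message with an attachment starts at -500, each matching condition adds its weight, and only a positive total gets the X-VirusPoints/X-VirusName headers and a trip to $VFOLDER). The following is an added example, not part of RAVR and not Procmail code: a small Python model of that scoring that transcribes two of the recipes above, "Test" and "I-Worm.Dumaru.a", as weighted regular expressions and runs them over constructed sample messages. It assumes Procmail's regex semantics (case-insensitive, `^` anchoring at any line start, and the `^0` exponent meaning a condition scores once however often it matches); the `.` in the spoofed From: address is escaped here where RAVR leaves it bare, and the helper names (`has_attachment`, `score_rule`, `classify`, `stamp`) are this example's own.

```python
import re

# Added example, not RAVR's own code. Weighted conditions transcribed from
# the "Test" and "I-Worm.Dumaru.a" recipes as (weight, regex) pairs.
BASE_SCORE = -500
RULES = [
    ("Test", [
        (600, r"^Subject: virusfiltertest"),
    ]),
    ("I-Worm.Dumaru.a", [
        (300, r'^From: "Microsoft" <security@microsoft\.com>'),  # dot escaped here
        (500, r"^More than 500\.000 already infected!"),
        (500, r"^Subject: Use this patch immediately !"),
    ]),
]
# Procmail regexes are case-insensitive and "^" matches at any line start.
FLAGS = re.IGNORECASE | re.MULTILINE


def has_attachment(raw):
    """Models the outer ':0B * Content-Disposition: attachment;' gate:
    only the body (text after the first blank line) is scanned."""
    _header, _sep, body = raw.partition("\n\n")
    return re.search(r"Content-Disposition: attachment;", body, FLAGS) is not None


def score_rule(raw, conditions):
    """Start at BASE_SCORE and add the weight of each condition that matches
    anywhere in the message (the recipes search header and body: flags H B).
    A '^0' condition counts once, so a single re.search per pattern is enough."""
    score = BASE_SCORE
    for weight, pattern in conditions:
        if re.search(pattern, raw, FLAGS):
            score += weight
    return score


def classify(raw):
    """Return (points, virus_name) for the first rule with a positive score,
    or None when the message passes through (no attachment, or every rule
    stays at or below zero). Rules run in file order, as the recipes do."""
    if not has_attachment(raw):
        return None
    for name, conditions in RULES:
        points = score_rule(raw, conditions)
        if points > 0:
            return points, name
    return None


def stamp(raw, points, name):
    """Mimic 'formail -I': add the two headers at the end of the header block."""
    header, sep, body = raw.partition("\n\n")
    return header + f"\nX-VirusPoints: {points}\nX-VirusName: {name}" + sep + body


# Constructed sample messages (assumed, not real worm captures).
DUMARU_SAMPLE = """\
From: "Microsoft" <security@microsoft.com>
To: user@example.com
Subject: Use this patch immediately !
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

More than 500.000 already infected!
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

(binary payload omitted)
--b1--
"""

# Same spoofed From: header, nothing else matches: -500 + 300 = -200, so
# the message is left alone. One signal never crosses the threshold on its own.
PARTIAL_SAMPLE = """\
From: "Microsoft" <security@microsoft.com>
To: user@example.com
Subject: Quarterly figures
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Figures attached.
--b2
Content-Type: application/pdf; name="q3.pdf"
Content-Disposition: attachment; filename="q3.pdf"

(binary payload omitted)
--b2--
"""

# Test subject but no attachment: the outer recipe never fires.
NO_ATTACHMENT_SAMPLE = """\
From: alice@example.com
Subject: virusfiltertest

Just a plain text message.
"""

if __name__ == "__main__":
    for label, raw in [("dumaru", DUMARU_SAMPLE), ("partial", PARTIAL_SAMPLE),
                       ("plain", NO_ATTACHMENT_SAMPLE)]:
        verdict = classify(raw)
        print(label, "->", "pass through" if verdict is None
              else f"quarantine as {verdict[1]} ({verdict[0]} points)")
```

The partial sample is the instructive case: a spoofed sender alone scores -200 and is delivered normally, which is the trade-off the -500 base encodes. Individual phrases are weak evidence, and only their co-occurrence in one message pushes the total above zero.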