# Sample of well-known viruses that perlscan_scanner can use
#
# This is TAB-delimited. 
#
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after 
# this file is modified
# ******
#
# Format: three columns
#
# [this is case-insensitive] 
# <filename><TAB>SIZE=<size in bytes><TAB><Description of virus/whatever>
#
#
# OR:
#
# [the string is case-sensitive] 
# <string><TAB>Policy-<Header><TAB><Description of virus/whatever>
# 
# [this one allows you to case-SENSITIVELY match on (e.g.) the Subject line.]
#
# NOTE 1: This is a "policy enforcer" - we can use it as a crude virus
# scanner by deciding that particular filenames of certain sizes contain
# viruses - when they may not. However this can be useful for the times
# when a new virus is discovered and your scanner cannot detect it (yet).
# 
#
# NOTE 2: This is only good for picking up stand-alone viruses like the
# following. Macro viruses are impossible to detect with this method as
# they infect users' documents.
#
# NOTE 3: Blocking attachments is supported. This system can be used to deny
# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other
# wildcard type is supported. Be very careful with this feature. 
#
# Attachment blocking takes a filesize as a required option: this can be
# set to "-1" (to block any size), "0" (to block exactly zero-length
# files), "number" (to block files/attachments that are *exactly* that
# length), "<number" (to block attachments smaller than "number"), or ">number"
# (to block attachments larger than "number").
#
# This will block email containing .exe attachments that are EXACTLY 10Mbytes 
# in size
#
# .exe	SIZE=10000000	Executable attachments of 10M not accepted
#
# A size of "-1" bytes matches any size 
#
# .mp3	SIZE=-1	MP3 attachments disallowed
#
# ...would stop any Email containing MP3 attachments passing.
# 
# .zip	SIZE=<1024	Tiny zip files not allowed
# 
# ...would stop any Email containing very small ZIP attachments
#
#
# .doc	SIZE=0	Zero-length corrupt viruses - ignore
#
# ...would mean block *.doc files that are 0 bytes in length.

# NOTE 4: Don't use this to ban any message that's over 
# a maximum size  - you should use Qmail's databytes instead
# "echo 10000000 > /var/qmail/control/databytes" 
# would set the maximum SMTP message size to 10Mb.
#
# NOTE 5: The second option allows you to match on a header. This would allow
# you to block Email viruses when you don't know anything else other than
# there's a weird Subject line (or From line, or X-Spanska: header, ...).
# Note that it's a *case-insensitive* REGEX string, and the system will
# automatically surround it with ^ and $ before matching, i.e. if you
# want wildcards, explicitly put them in...
#
# The string _must_be_ "Policy-" followed by the header you wish to match
# on - followed by a colon (:).
#
# e.g.
#
# Pickles.*Breakfast	Policy-Subject:	Fake Example Pickles virus
#
# will match "Subject: Pickles for Breakfast" - and 
# will match "Subject: PICKLES for BreAKfast"
# but not    "Subject: Pickles - where did you go?"
#
#
# NOTE 6: Normally (i.e. the default "--notify psender"), when an AV component of Q-S
# finds a virus, no notification is sent to the sender. But when this "policy"
# parser runs and matches, an alert is sent to the sender (e.g. "you are
# not allowed to send MP3 into our network"). However, if the description
# field (the last field) contains the word "virus", then it acts like the 
# AV components and *doesn't* send any notifications. This allows you to use
# this as a "policy blocker" for some records, and an "antivirus" for others.
#
# NOTE 7: Similar to NOTE 6, if the description field contains the word
# "greylisted", then Qmail-Scanner will exit with an error that will cause
# qmail-smtpd (which called it) to declare a "temporary failure" to the
# SMTP client attempting to send the message. This is an "emergency measure"
# aimed at allowing you to put in place temporary blocks on particular
# classes of files (say, all ZIP files) without actually quarantining them.
# e.g. there's a new ZIP-based virus on the loose, and none of your AV can
# detect it. In the past you may have decided on blocking all ZIP files
# until your AV can detect it - but this means you could be potentially
# blocking 100s or 1000s of "honest" ZIP files until then. This way you
# can instead cause a temporary failure on the delivery, and can remove
# this block when your AV are updated. No loss of mail, no complaints from
# users, and no digging through the quarantine maildir looking for 
# all those essential emails people absolutely need. Please realize this
# causes an SMTP "temp fail" message, so the actual message doesn't end
# up on your system - it stays queued on the other one. It is up to the other
# system to retry later.
#
# e.g.
#
# .zip	SIZE=-1	Currently greylisted zip files awaiting AV update
#
#
# NOTE 8: Some internal details discovered in each mail message are converted
# into "virtual" headers so that you can trigger Policy-blocks on them using
# the same method you'd use for real headers (they are "virtual" in that they
# only exist while Qmail-Scanner is running - they don't magically appear
# in the actual message)
# 
# i.e. "MAIL FROM:" and "RCPT TO:" envelope headers are mapped to
# virtual headers MAILFROM: and RCPTTO: respectively. If some hacker
# actually created headers with those names, they would be lowercased and would 
# appear as "mailfrom" and "rcptto" - i.e. no conflict :-)
#
# e.g.
#
# xx@addr.here	Policy-MAILFROM:	Bad mailfrom envelope not allowed here!
#
# would block all mail coming from the SMTP sender "xx@addr.here"
# (and would notify them - see NOTE 6).

# Similarly the following virtual headers are created
#
# Policy-REMOTEIPADDR: - the IP address of the SMTP client
# e.g.
#127.0.0.5	Policy-REMOTEIPADDR:	Blocked IP from 127.0.0.5 blocked

# Policy-ZIPPASSWORDPROTECTED: - value is set to "is-set" if the message 
#                                contains a password-protected zip file
# e.g.
#is-set	Policy-ZIPPASSWORDPROTECTED:	Password-protected Zip disallowed by policy

# Policy-ISSENSITIVEANDNOCRYPTO: - value is set to "is-set" if the message
#                                  is marked as "Sensitive", and yet no
#                                  sign of encryption is used. Don't use this
#                                  option yet - it's a work in progress
# e.g.
#is-set	Policy-ISSENSITIVEANDNOCRYPTO:	Must Encrypt Confidential emails by policy

# Policy-CRYPTODETAILS: - is set to the details of any digital signing 
#                       and/or encryption used within the message.
#                       This would allow you to set a policy that no
#                       "encrypted" e-mail was allowed into or out of 
#                       your network, but "signed" was OK for example.
# e.g.
#encrypted	Policy-CRYPTODETAILS:	Encrypted mail blocked by policy

# Policy-FILELENGTHTOOLONG: - is set if any attachment claims a file length
#                           of >256 chars - the largest file length most 
#                           OSes can have
# i.e.
is-set		Policy-FILELENGTHTOOLONG:	Attachment Filename too long

# Policy-FILEDOUBLEBARRELED: - is set if the message contains an attachment
#                            with a suspicious double-barreled filename
# i.e.
is-set		Policy-FILEDOUBLEBARRELED:	Double-barreled extensions disallowed

# Policy-FILECLSID:	- is set if the message contains an attachment with
#                       a CLSID filename
# i.e.
is-set		Policy-FILECLSID:	Disallowed CLSID file extensions
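# The rule semantics described in NOTE 3 (SIZE= options), NOTE 5 (header regex
# wrapped in ^ and $, matched case-insensitively) and NOTE 6/7 (the "virus" and
# "greylisted" description keywords), as an added, stand-alone Python example.
# It is not part of Qmail-Scanner; the sample rules are constructed from the
# examples above, and treating the filename column as a case-insensitive
# suffix match is an assumption.

```python
import re
# Constructed sample rules in this file's three-column TAB-delimited format.
RULES_TEXT = (
    ".exe\tSIZE=10000000\tExecutable attachments of 10M not accepted\n"
    ".mp3\tSIZE=-1\tMP3 attachments disallowed\n"
    ".zip\tSIZE=<1024\tTiny zip files not allowed\n"
    ".zip\tSIZE=-1\tCurrently greylisted zip files awaiting AV update\n"
    "EICAR.COM\tSIZE=69\tEICAR Test Virus\n"
    "Pickles.*Breakfast\tPolicy-Subject:\tFake Example Pickles virus\n"
    "xx@addr.here\tPolicy-MAILFROM:\tBad mailfrom envelope not allowed here!\n"
)

def parse_rules(text):
    """Return (pattern, kind, description) triples; kind is SIZE=... or Policy-<Header>:.
    Comment lines and blank lines are skipped, as in the real file."""
    return [tuple(f.strip() for f in line.split("\t", 2)) for line in text.splitlines()
            if line.strip() and not line.startswith("#")]

def size_matches(spec, size):
    """NOTE 3 size spec: -1 (any), 0 or N (exactly N), <N (smaller), >N (larger)."""
    if spec == "-1":
        return True
    if spec[0] in "<>":
        return size < int(spec[1:]) if spec[0] == "<" else size > int(spec[1:])
    return size == int(spec)

def action_for(desc):
    """NOTE 6/7: 'greylisted' => SMTP temp-fail; 'virus' => quarantine without
    notifying the sender; anything else => quarantine and notify the sender."""
    d = desc.lower()
    return "tempfail" if "greylisted" in d else "quarantine" if "virus" in d else "quarantine+notify"

def check_attachment(rules, filename, size):
    """Assumed: the filename column is a case-insensitive suffix match (no other wildcards)."""
    return [(desc, action_for(desc)) for pattern, kind, desc in rules
            if kind.startswith("SIZE=") and filename.lower().endswith(pattern.lower())
            and size_matches(kind[len("SIZE="):], size)]

def check_headers(rules, headers):
    """NOTE 5: the regex is wrapped in ^...$ and matched case-insensitively against the
    named (real or virtual) header, so an ungrouped 'a|b' anchors only its outer ends."""
    hits = []
    for pattern, kind, desc in rules:
        if kind.startswith("Policy-"):
            name = kind[len("Policy-"):].rstrip(":").lower()
            for hname, hvalue in headers:
                if hname.lower() == name and re.match("^" + pattern + "$", hvalue, re.IGNORECASE):
                    hits.append((desc, action_for(desc)))
    return hits
```

# Headers passed to check_headers are (name, value) pairs; envelope data is
# supplied under the virtual names MAILFROM and RCPTTO exactly as NOTE 8 describes.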

###############################################################
#
# Standard blocks enabled by default follow
#
###############################################################

EICAR.COM		SIZE=69	EICAR Test Virus
Happy99.exe		SIZE=10000	Happy99 Trojan virus
zipped_files.exe	SIZE=120495	W32/ExploreZip.worm.pak virus
ILOVEYOU		Policy-Subject:	Love Letter Virus/Trojan
message/partial.*	Policy-Content-Type:	Message/partial MIME attachments blocked by policy
# The following match Date:, Mime-Version: and Resent-Date: headers that are over
# 100 chars in length; these are impossible in the wild.
.{100,}			Policy-Date:		MIME Header Buffer Overflow
.{100,}			Policy-Mime-Version:	MIME Header Buffer Overflow 
.{100,}			Policy-Resent-Date:	MIME Header Buffer Overflow
#
#Let's stop that nasty BadTrans virus from uploading your keystrokes...
ZVDOHYIK@yahoo.com|udtzqccc@yahoo.com|DTCELACB@yahoo.com|I1MCH2TH@yahoo.com|WPADJQ12@yahoo.com|smr@eurosport.com|bgnd2@canada.com|muwripa@fairesuivre.com|eccles@ballsy.net|S_Mentis@mail-x-change.com|YJPFJTGZ@excite.com|JGQZCD@excite.com|XHZJ3@excite.com|OZUNYLRL@excite.com|tsnlqd@excite.com|cxkawog@krovatka.net|ssdn@myrealbox.com	Policy-To:	BadTrans Trojan virus

#
# These are examples of prudent defaults to set for most sites.
# Commented out by default
#.lnk	SIZE=-1	LNK files not allowed per Company security policy
#.wsh	SIZE=-1	WSH files not allowed per Company security policy
#
# st: nobody must send a file like these...
.vbs	SIZE=-1	VBS files not allowed per Company security policy
.scr	SIZE=-1	SCR files not allowed per Company security policy
.hta	SIZE=-1	HTA files not allowed per Company security policy
.pif	SIZE=-1	PIF files not allowed per Company security policy
.cpl	SIZE=-1	CPL files not allowed per Company security policy

# st: also these may be blocked
#.bat	SIZE=-1	BAT files not allowed per Company security policy
#.com	SIZE=-1	COM files not allowed per Company security policy
#.exe	SIZE=-1	EXE files not allowed per Company security policy

application/hta.*	Policy-Content-Type:	MS03-032 exploit?

.*viagra.*		Policy-Subject:	Spam Viagra
.*Viagra.*		Policy-Subject:	Spam Viagra
.*VIAGRA.*		Policy-Subject:	Spam Viagra
.*via-gra.*		Policy-Subject:	Spam Viagra
.*v1agra.*		Policy-Subject:	Spam Viagra
.*viagara.*		Policy-Subject:	Spam Viagra
.*VIAGARA.*		Policy-Subject:	Spam Viagra
.*v.i.a.g.r.a.*		Policy-Subject:	Spam Viagra
.*V.i.a.g.r.a.*		Policy-Subject:	Spam Viagra
.*V.I.A.G.R.A.*		Policy-Subject:	Spam Viagra
.*V.1.@.G.R.A.*		Policy-Subject:	Spam Viagra
.*VlAGRA.*		Policy-Subject:	Spam Viagra
.*VlAGARA.*		Policy-Subject:	Spam Viagra
.*v+i+a+g+r+a+.*	Policy-Subject:	Spam Viagra
.*ClALlS.*		Policy-Subject:	Spam Viagra
.*Orgies.*		Policy-Subject:	Spam Porn
.*orgies.*		Policy-Subject:	Spam Porn

# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after 
# this file is modified
# ******
#
# EOF 
