Re: [exim] Filtering Garbage Warnings and other Junk bounce …

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Philip Hazel
Fecha:  
A: Brian Candler
Cc: exim-users, Marc Perkel
Asunto: Re: [exim] Filtering Garbage Warnings and other Junk bounce type or postmaster messages
On Thu, 31 Mar 2005, Brian Candler wrote:

> Where you *could* write a filter is for bounces of the form "you are
> infected with a virus". These are entirely useless, because viruses always
> forge the return address (so even if you *were* infected with a virus, the
> bounce would go somewhere else). I don't have a filter ruleset for these,
> but perhaps someone else on this list has one that they would share.


See below. This list seems to catch most of them; the numbers do seem to
be reducing somewhat. The origins of this list were a set of patterns
sent to me by Jean-loup Gailly. I have subsequently added substantially
to it.

Note: I do not expect get a copy of this posting; my filter will
probably throw it away. :-)

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book




$h_From: contains "Procmail Security daemon" or
$h_From: contains "MAILsweeper@" or
$h_from: contains "antivirus" or

$sender_address begins "navmse-" or

$rh_subject: contains "=?iso-8859-1?Q?Virus_D=E9tect=E9_dans_votre_message_hello?=" or
$rh_subject: contains "=?iso-8859-1?Q?d=E9tect=E9_un_virus_dans_un_document_dont_vous_=EAtes_l'?=" or
$rh_subject: contains "[Virus =?iso-8859-1?q?d=E9tect=E9?= =?us-ascii?q?]?=" or

$rh_subject: contains "=?iso-8859-1?Q?Vous_avez_envoy=E9_un_message_infect=E9.?=" or
$rh_subject: contains "Rapport =?iso-8859-1?Q?=E0_l'exp=E9diteur?=" or
$rh_subject: contains "=?iso-8859-1?Q?virus_trouv=E9?=" or

$h_Subject: matches "\\NInterScan NT Alert|AntiVir ALARM" or
$h_Subject: matches "\\NALERT - Virus|Virus (Alert|warning|incident)" or
$h_Subject: matches "\\NVirus(es)? (detected|found|in (your )?(message|mail)|quarantined)" or
$h_Subject: matches "\\NQuarantined message|Executable Attachment not Stripped" or
$h_Subject: matches "\\NWARNING. You (sent|tried to send) a potential virus" or
$h_Subject: matches "\\Ndetected an unrepairable virus" or
$h_Subject: matches "\\NVirus or Forbidden File Type Warning" or

$h_subject: contains "Virus infection notice" or
$h_subject: contains "Virus intercepted" or
$h_subject: contains "Virus detectado" or
$h_subject: contains "Remitente su eMail Tiene Virus" or
$h_subject: contains "'Watchdog': Attachment denied" or
$h_subject: contains "Incidencia de virus" or
$h_subject: contains "Mail rejected by Attachment Filter" or
$h_subject: contains "Virus detectado por ARNET" or
$h_subject: contains "Mail with virus refused" or
$h_subject: contains "InterScan eManager_CM Notification" or
$h_subject: contains "'Watchdog': error during virus check" or
$h_Subject: matches "\\NSender Virus-alert" or
$h_Subject: matches "\\NWarning: E-mail viruses detected" or
$h_Subject: matches "\\NWarning: antivirus system report" or
$h_Subject: matches "\\NYour email to (.*?) was blocked" or
$h_subject: contains "['securiQ.Watchdog': denied attachment]" or
$h_subject: contains "GWAVA Sender Notification" or
$h_subject: contains "Receipt of non conform e-mail" or

$h_subject: contains "Rejected mail: Spam detected" or
$h_subject: contains "Notification antivirale" or
$h_subject: contains "Echec de remise : virus" or
$h_subject: contains "Sirenza Anti-Virus System:" or
$h_subject: contains "Message automatique de notification de virus" or
$h_subject: begins   "Norton AntiVirus " or
$h_subject: contains "Norton detectou virus em um documento" or
$h_subject: contains "[MPP virus scan]" or
$h_subject: contains "Notification virus" or
$h_subject: contains "ATTENZIONE: virus rilevato" or
$h_subject: contains "ilse virus protectie" or
$h_subject: contains "ScanMail Notification:" or
$h_subject: contains "** Mensagem excluída **" or
$h_subject: is       "EMAIL REJECTED" or
$h_subject: contains "WIRUS W TWOJEJ POCZCIE" or
$h_subject: CONTAINS "VIRUS" or
$h_subject: contains "Vexira ALERT" or
$h_subject: contains "Aviso: Detectado" or
$h_subject: contains "Violacion de contenido" or
$h_Subject: contains "Warning: Possible Virus Infection" or
$h_Subject: contains "This is an alert from" or
$h_subject: contains "Quarantined Email Message" or
$h_subject: contains "Email quarantined" or
$h_subject: contains "Message quarantined" or
$h_subject: contains "Documento enviado com possibilidade de Vírus" or
$h_subject: contains "VIRUS in versendeter Email" or
$h_subject: contains "AntiVir ALERT" or
$h_subject: contains "ATTENTION VIRUS" or


$h_subject: contains "illegal signs in your mail" or
$h_subject: contains "an attachment sent to you has been blocked" or
$h_subject: contains "Verbotenes Attachment" or
$h_subject: contains "Wykryto wirusa w Twoim mailu" or
$h_subject: contains "Cambio Correo" or
$h_subject: contains "Attention: Returned e-mail" or
$h_subject: contains "Mensagem de vírus" or
$h_subject: contains "VIRUS EN MAIL ENVIADO" or
$h_subject: contains "Bloqueo de correo" or
$h_subject: contains "Suspicious mail received" or
$h_subject: contains "SSD Prohibited File Notification" or
$h_subject: is       "Content violation" or
$h_subject: contains "MDaemon Notification -- Attachment Removed" or
$h_subject: contains "VIRUS EN TU E-MAIL" or
$h_subject: contains "ATTENZIONE: AVETE SPEDITO UN VIRUS" or
$h_subject: contains "E-mail recusado" or
$h_subject: contains "file blocking settings matched" or
$h_Subject: contains "ATENCION. Usted ha enviado un mail posiblemente infectado" or
$h_Subject: contains "Disallowed attachment type found in sent message" or
$h_Subject: contains "WARNING: Bad Attachment - Message Dropped" or
$h_Subject: contains "Network Associates Webshield -  e-mail Content Alert" or
$h_Subject: contains "WARNING: YOU MAY HAVE A VIRUS" or
$h_Subject: contains "Your mail server sent us a virus" or
$h_Subject: contains "VIRUS IN IHRER (YOUR) MAIL" or
$h_Subject: contains "Re: *****SPAM***** Thank you!" or
$h_Subject: begins   "VIRUS? Re:" or
$h_Subject: contains "Virusvaroitus/warning/varning" or
$h_Subject: contains "Antigen found " or
$h_Subject: contains "Virus notification" or
$h_subject: contains "Message contained an illegal attachment" or
$h_SUbject: contains "Warning: Check your PC with Virus Vaccin!" or
$h_Subject: contains "ALERT: Potentially Harmful E-Mail Attachment Removed" or
$h_Subject: contains "Warning: antivirus system report" or
$h_subject: contains "has detected a virus" or
$h_Subject: contains "Symantec AVF" or
$h_subject: contains "FAV Symantec" or
$h_Subject: contains "Symantec_AntiVirus" or
$h_Subject: contains "Symantec AntiVirus" or
$h_Subject: contains "Symantec AV/F" or
$h_subject: contains "Symantec Mail Security detected" or
$h_Subject: contains "NAV detected a virus" or
$h_subject: contains "NAV has located a virus in your document" or
$h_subject: contains "NAV hat einen Virus" or
$h_subject: contains "NAV ha rilevato un virus" or
$h_subject: contains "[Virus Mail] Detection and Blocking Information" or
$h_subject: contains "Echec de Distribution du Message" or
$h_Subject: contains "SAV detected a" or
$h_Subject: contains "Virus Uncleanable" or
$h_Subject: contains "Network Associates Webshield" or
$h_Subject: contains "USNPS detected an executable attachment" or
$h_Subject: contains "Spam mail warning notification!" or
$h_Subject: contains "Detected worm:" or
$h_Subject: contains "ScanMail Message: To Sender file blocking settings:" or
$h_Subject: contains "virusCENSOR has blocked an email" or
$h_Subject: contains "RAV AntiVirus" or
$h_Subject: contains "We found VIRUS=" or
$h_Subject: contains "Attachments not Delivered by MailScan!" or
$h_Subject: contains "You sent potentially unsafe content" or
$h_Subject: contains "Attachment block message notification" or
$h_Subject: contains "Your message has been held:  THANK YOU!" or
$h_Subject: contains "A VIRUS WAS DETECTED IN YOUR MAIL TO" or
$h_Subject: contains "A virus was found in an e-mail message!" or
$h_Subject: contains "ALERT -  GroupShield ticket number" or
$h_Subject: contains "Virus detect message notification" or
$h_Subject: contains "WARNING: Your Computer Has A Virus" or
$h_Subject: contains "ATTENZIONE: RILEVAZIONE VIRUS" or
$h_Subject: contains "McAfee Rapport aan Verzender" or
$h_Subject: contains "McAfee GroupShield Alert" or
$h_Subject: contains "Virus information" or
$h_Subject: contains "Virus was found in incoming message" or
$h_Subject: contains "Failed to clean virus file" or
$h_Subject: contains "Virus protection system found VIRUS" or
$h_Subject: contains "Mailscanner warning notification!" or
$h_Subject: contains "ALERT. You sent a potential virus" or
$h_Subject: contains "ScanMail Message: To Sender" or
$h_Subject: contains "a virus was found" or
$h_Subject: contains "[wirus] UWAGA! znaleziono wirusa w Twojej wiadomosci !" or
$h_Subject: contains "POTENTIALY DANGEROUS ATTACHMENT IN YOUR MAIL" or
$h_Subject: contains "ScanMail has detected a virus!" or
$h_Subject: contains "ScanMail has found a virus" or
$h_subject: contains "Found a virus in the email you sent" or
$h_Subject: contains "Warning: E-mail viruses detected" or
$h_Subject: matches  "\\NVirus \\S+ found; message not delivered" or
$h_Subject: matches  "\\NVIRUS DANS VOTRE MAIL" or
$h_Subject: contains "VIRUS EN SU" or
$h_Subject: matches  "\\N^Virus \\S+ found; message not delivered" or
$h_Subject: contains "File blocking warning notification! (Attachment Removal)" or
$h_Subject: contains "VIRUS ALARM" or
$h_Subject: is       "Warning: E-mail viruses detected" or
$h_Subject: is       "Wirus w poczcie od Ciebie" or
$h_Subject: contains "File blocked - ScanMail for Lotus Notes" or
$h_subject: is       "Banned attachment found" or
$h_subject: contains "A virus was detected in the message" or
$h_subject: contains "A virus was detected in your mail" or
$h_subject: contains "WARNING: YOU ATTEMPTED TO SEND A VIRUS" or
$h_subject: contains "you've just sent a virus" or
$h_subject: contains "Hov, du har sendt Jubii en virus" or
$h_subject: contains "Virus détecté dans le message" or
$h_subject: contains "Tu mensaje ha sido bloqueado" or
$h_subject: contains "VIRUS IN IHRER NACHRICHT" or
$h_subject: contains "Virus gefunden" or
$h_subject: contains "Viirus kirjas" or
$h_subject: contains "Virus Prevention: Attachment denied" or
$h_subject: contains "Infected Message Stopped Before Delivery" or
$h_subject: contains "BLOQUEADO el envio de un email" or
$h_subject: matches  "\\NVIRUS= .* detected" or
$h_subject: contains "WatchDog: denied attachment" or
$h_subject: contains "WIRUS W TWOJEJE POCZCIE" or
$h_Subject: contains "InterScan MSS" or
$h_Subject: contains "Your mail server may have sent us a virus" or
$h_subject: contains "Blocked Mail Notification" or
$h_subject: contains "Blocked message" or
$h_subject: contains "WARNING: w32.sobig" or
$h_subject: contains "Inflex scan report" or
$h_subject: contains "WARNING The Infected E-mail Message you have sent" or
$h_subject: contains "Executable in Your mail" or
$h_subject: contains "Attention: E-mail virus détecté" or
$h_subject: contains "Virus Quarantine Notification" or
$h_subject: contains "Message blocked" or
$h_subject: contains "Prohibited Mail Attachment" or
$h_subject: contains "This is an alert from eSafe" or
$h_subject: contains "Our antivirus systems detected \
  that you sent a message with a prohibited attachment" or
$h_subject: contains "An E-mail addressed from you has been blocked" or
$h_subject: contains "File was infected with a virus" or
$h_subject: contains "Votre courrier est rejeté" or
$h_subject: contains "Attachment Removal" or
$h_subject: contains "Attachment blocked" or
$h_subject: contains "File Blocked" or
$h_subject: contains "E-mail Blocked" or
$h_subject: contains "Mail ist geblockt worden" or
$h_subject: contains "Mail has been blocked" or
$h_subject: contains "Piece jointe supprimee" or
$h_subject: contains "Avast Alert!" or
$h_subject: contains "A virus has been detected in your email" or
$h_subject: contains "Infected file detected" or
$h_subject: contains "Unable to clean an infected file" or
$h_subject: contains "Infected file was deleted" or
$h_subject: contains "Invalid Email Attachments" or
$h_subject: contains "Non-delivery of virus infected e-mail" or
$h_subject: contains "Blocked Delivery of email" or
$h_subject: contains "Blocked delivery of your email" or
$h_subject: contains "Mahdollinen virushuomautus!" or
$h_subject: contains "A virus or potentially harmful code was found" or
$h_subject: contains "Waarschuwing: E-mail virus ontdekt" or
$h_subject: contains "Mailer Daemon returned emails with virus" or
$h_subject: contains "Email Quarantined Due to Virus" or
$h_subject: contains "ALCATEL POLICY" or
$h_subject: contains "'Watchdog': denied attachment" or
$h_subject: contains "A virus was detected in your message" or
$h_subject: contains "MailMonitor for Exchange has processed a \
  suspicious" or
$h_subject: contains "file filter has blocked your attachment" or
$h_subject: contains "Corrupt message detected" or
$h_subject: contains "message cannot be accepted, message rejected" or
$h_subject: contains "contenait un virus" or
$h_subject: contains "Virus scan results" or
$h_subject: contains "Sie haben eine mit einem Virus" or
$h_subject: contains "Virus Sobig F" or
$h_subject: contains "{Virus?}" or
$h_subject: contains "You have sent me a virus" or
$h_subject: contains "and action was taken." or
$h_subject: contains "eTrust Antivirus Gateway SMTP: Virus notification message" or
$h_subject: contains "Sorry We Do Not Accept Executable Files" or
$h_subject: contains "WIRUS W TWOJEJ POCZCIE E-MAIL" or
$h_subject: contains "encontrado" or
$h_subject: contains "Virus no seu e-mail" or
$h_subject: contains "Mensaje en cuarentena" or
$h_subject: contains "Alerta de Vírus" or
$h_subject: contains "Seu email contem um arquivo com virus" or
$h_subject: contains "Possible virus infection" or
$h_subject: contains "found VIRUS" or
$h_subject: contains "blocked e-mail" or
$h_subject: contains "VIRUS WARNUNG !" or
$h_subject: contains "VIRUS EM SEU EMAIL" or
$h_subject: contains "VIRUS EM SEU E-MAIL" or
$h_subject: contains "Vírus em seu e-mail" or
$h_subject: contains "EMAIL com Virus" or
$h_subject: contains "Virus in your letter" or
$h_subject: contains "Virus infection detected" or
$h_subject: contains "Easy to shop at our Online" or
$h_subject: contains "ALERTE - Vous avez envoye un mail avec virus" or
$h_subject: contains "Virus content refused" or
$h_subject: contains "WARNING RE:MAIL DELIVERY SYSTEM" or
$h_subject: contains "Your mail could not be processed and has been blocked" or
$h_subject: contains "VÍRUST TALÁLTUNK A LEVÉLBEN" or
$h_subject: contains "Virenchecker Information" or
$h_subject: contains "WIRUS w Twoim mailu" or
$h_subject: contains "VIRUS NO SEU MAIL" or
$h_subject: contains "VÍRUS NO SEU E-MAIL" or
$h_subject: contains "ATTENTION ALERTE VIRUS" or
$h_subject: contains "alerte zonepro (z)> antivirus" or
$h_subject: contains "VIRUS RE:" or
$h_subject: contains "Content Filtering has detected a sensitive e-mail" or
$h_subject: contains "Your message contains a Virus" or
$h_subject: contains "antivirus system found VIRUS" or
$h_subject: contains "Blocked Delivery" or
$h_subject: contains "Blocked Attachments (Replaced with text)" or
$h_subject: begins   "Security Alert !" or
$h_subject: contains "VIRUS-ALERT warning" or
$h_subject: contains "is infected by virus" or
$h_subject: contains "Infected mail sent by you" or
$h_subject: contains "Infected Email Found" or
$h_subject: contains "VIRUS NELLA SUA EMAIL" or
$h_subject: CONTAINS "CONTAINS A VIRUS" or
$h_subject: contains "Trovato virus nel messaggio" or
$h_subject: contains "Your message was discarded" or
$h_subject: contains "NO E-MAIL ENVIADO" or
$h_subject: CONTAINS "MAIL FAILURE" or
$h_subject: contains "Invalid Attachment in message" or
$h_subject: contains "The COWI antivirus system detected an illegal file type" or
$h_subject: contains "Skynet Mail Protection scan results" or
$h_subject: contains "Mail with virus blocked" or
$h_subject: contains "Alerte de l'Anti-virus" or
$h_subject: contains "contained a virus" or
$h_subject: contains "Disapproved attachment" or
$h_subject: contains "Warning: A possible virus has been detected" or
$h_subject: contains "Fml status report" or
$h_subject: contains "ADVERTENCIA VIRUS" or
$h_subject: contains "Bad data found in mail with subject" or
$h_subject: contains "Moderando su mensaje" or
$h_subject: contains "Entrega cancelada" or
$h_subject: contains "A message you sent was found to contain a Virus" or
$h_subject: contains "Alert from Teleflex Corporate Mail Scanner" or
$h_subject: contains "Virus entdeckt" or
$h_subject: contains "Message with Video or Executable File Attached" or
$h_subject: contains "e-mail bloqueado" or
$h_subject: contains "Violazione di contenuto" or
$h_subject: contains "Message deleted" or
$h_subject: contains "Quarantine Attachments" or
$h_subject: contains "Mensagem não autorizada" or
$h_subject: CONTAINS " - Blocked File Type" or


$h_subject: contains "ATTENZIONE: Virus trovato" or
$h_subject: contains "Voce pode ter um virus" or
$h_subject: contains "Virus sent from your computer" or
$h_subject: contains "Esta es una alerta del antivirus" or
$h_subject: contains "Virus received at" or
$h_subject: contains "A mail you have sent contained dangerous files" or
$h_subject: contains "You have sent a mail infected by a virus" or
$h_subject: contains "bevat een virus" or
$h_subject: contains "has detected a virus" or
$h_subject: contains "Invalid content in mail message" or
$h_subject: contains "Er is een virus gevonden" or
$h_subject: contains "Notificación de Panda Antivirus" or
$h_subject: contains "Your mail was found to contain a virus" or
$h_subject: contains "Atencão: Detectado virus na mensagem" or
$h_subject: contains "The AntiVirus agent detected a violation" or
$h_subject: contains "mailfilter scan report" or
$h_subject: contains "Antigen encontró" or
$h_subject: contains "GroupShield-Ticket" or
$h_subject: contains "Correo rechazado" or
$h_subject: contains "Potential Virus identified" or
$h_subject: contains "Illegal Content Violation" or
$h_subject: contains "Refus des emails" or
$h_subject: contains "Alerta de virus do MailScan" or
$h_subject: contains "Notification from Viruswall" or
$h_subject: contains "Lotus Notes Domino Option detected virus" or

$h_from:    contains "F-Secure Anti-Virus" or


$h_subject: matches "\\NYour e-mail sent to .*? contained a virus" or
$h_subject: matches "\\NYour e-mail to .*? was not delivered" or


$h_X-NAI-WebShielde500-mimepp: matches "\\NAttachment removed" or
$h_X-Filter: matches "\\N[0-9]+ attachments? changed to"

or
$message_body contains
"A virus has been detected in a"

or
$message_body begins
"WARNING: A possibly harmful virus or an encrypted message has been \
detected"

or
$message_body contains
"A suspicious file (executable code) was found in the message"

or
  $message_body contains
    "Panda Platinum Internet Security warning"


or
  $message_body contains
    "Il est possible que vous ayez un Virus sur votre machine!"


or
  $message_body contains
    "This mail item contained attachments which were  virus-infected."


or
  $message_body contains
    "The UB Central Email System Virus Scanner has identified a virus"


or
$message_body contains
"has been blocked as it may have contained a virus"

or
$message_body contains
"ScanMail for Microsoft Exchange has blocked an attachment"

or
$message_body contains
"name=\"Suppression de Norton AntiVirus1.txt\""

or
$message_body matches
"\\Nname=\"Norton AntiVirus \\S+1.txt\""

or
$message_body contains "Un VIRUS a =E9t=E9 trouv=E9 dans le message suivant."

or
 $message_body matches
   "\\NPlease resend in a Zipped format|\
   You sent potentially unsafe content|\
   You recently sent a message that contains an attachment|\
   as it is suspected of containing a virusd|\
   \\*\\*\\* The e-mail you tried to send has been blocked.|\
   Your message was isolated due to a file attachment of a type that is not \
     permitted.|\
   Content violation found in email message.|\
   Contacting Ixis Research, Ltd.|\
   Our virus checker found virus(es) in your email.|\
   This message has been rejected because it has\\s+a potentially executable \
     attachment|\
   An automatic program has determined that this is an executable \
     attachment.|\
   A message has been quarantined|\
   Your mail has contained attachments which caused an error during a virus \
     scan.|\
     eTrust Content Inspection Gateway SMTP on \S+ detected a virus \
     infection in an e-mail|\
   Virus \"I-Worm.Sobig.f.txt\" found in message.|\
   This is a virus prevention measure.|\
   AntiVirus Results\\.\\.\\. >>> Virus"


 or
  $message_body matches
   "\\NPlease be informed that the contents of a document sent from you \
   violates the policy of HKPC.|\
   This message has been rejected because it has\\s+\
     a potentially executable attachment|\
   Your e-mail message has been rejected because it contains at least \
     one\\s+potentially executable attachment|\
   550 This message contains a banned extension"


or
$message_body matches
"\\N\\s*The file .*? attached to mail \\(with subject:.*?\\) sent by \
\\S* to \\S* is infected with virus:"

or
$message_body contains "The Sherwood International email gateway has \
detected what is thought to be a virus in an email message attachment \
you tried to send."

or
$message_body contains "A mail message has been found containing a \
computer virus."

or
$message_body contains "Due to security reasons, we do not accept any \
executable attachment."

or
$message_body contains "Virus Warning Message (on "

or
$message_body matches
"\\NYour message could not be delivered .* as the attachement included \
in your message was infected with a virus."

 or
   $message_body matches
    "\\NThe message you sent to .* was infected or contained an \
    attachment that is not permitted by our Antivirus software."


 or
   $message_body matches
     "\\NA message you\\s*\\(.*\\) sent to .* contains\\s*=?\\s*a virus"


or
$message_body contains "Your email was not received by"

or
$message_body contains "The infected email was NOT delivered"

or
$message_body contains "The e-mail contains attachments that are restricted"

 or
  $message_body contains "Your email was found to contain a file that \
    had an extension"


or
$message_body contains "The file attachmentwas quarantined"

 or
  $message_body matches "\\NContent-Disposition: attachment;\\s+\
    filename=\"Norton AntiVirus Deleted1\\.txt\""


or
$message_body contains "due to existance of virus"

or
$message_body contains "Found virus WORM_MYDOOM.A in file"

 or
  $message_body contains "This email has been quarantined due to the \
    attached executable file"


or
$message_body contains "Our email gateway has detected that your message to"

or
${sg{$message_body}{=\\s}{}} matches
"\\NThe message from \\S* sent on .* had one \
or several files with forbidden extensions."

or
$message_body matches
"\\NYour message to \\S* on .* may have contained a virus."

or
$message_body contains
"BitDefender found an infected object in a message that was sent"

or
$message_body contains
"This e-mail is suspected to have a virus"

or
$message_body contains
"The attachment file in the message has been removed"

or
$message_body contains
"Our email scanner has detected a virus"

 or
  $message_body matches
    "\\NYour message titled .* contained an attachment that is \
    infected with a Virus."


or
$message_body matches
"\\NThe message you sent to .* contained a possibly harmful \
virus that was blocked according to our security rules."

 or
   $message_body contains
     "This email account does not accept emails containing executables"


 or
  $message_body matches
    "\\NYour message to\\s+.*\\s+has been returned as it contains an \
    attachment that does not conform"


 or
  $message_body contains
    "The message you sent was deleted because of a Virus"


 or
  $message_body contains
    "U verstuurde een E-mail bericht waarin zich mogelijk een virus bevond."


 or
  $message_body matches
    "\\Nsome mail from you (\\S+) to \\S+ was stopped and discarded at \
    \\S+ because it appeared to contain one or more viruses."


 or
  $message_body contains
    "The email message you sent has been deleted because it potentially \
    contains a virus."


 or
   $message_body matches
     "\\NThe message entitled .* has been quarantined"


 or
   $message_body contains
     "This is an automated message from the University of Cambridge's \
     central email virus filter."


 or
   $message_body matches "\\N\
     Sorry, but your last message to \\S+ was rejected by our Spam \
     Filter for the following reason"


 or
   $message_body matches "\\N\
     The message from \\S+ sent on .*? had one \
     or several files with forbidden extensions."


 or
   $message_body matches "\\N\
     The file attachment \\S+ you sent to the recipients listed above was \
     infected with the \\S+ virus"


 or
   $message_body contains
     "The following message sent by this account has violated system policy"


 or
   $message_body contains
     "Due to the excessive spam mail which comes through on this account, it \
     is no longer used."


 or
   $message_body matches "\\N\
    This is a multi-part message in MIME format.\\s+\
    Content-Type: text/plain\\s+\
    The original email was deleted because it contained the virus Sober.I"