#	myDoom
:0 B
* >30000
* <38000
* UEsDBAoAAAAAA
{
	LOG="killing MyDoom virus by body match"
	:0:
	KILL.virus
	}





# Detect Hybris when sent as an anonymous message.
#
:0
* > 20000
* !^Subject:
* !^To:
* ^Content-Type:.*multipart/mixed;
{
 :0 B hi
 * 1^1 ^Content-Disposition:.*\.EXE
 * 1^1 ^Content-Type:.*\.EXE
 KILL.virus
 }

 # Trap SirCam (signature as of 08/01/2001)
 #
 :0
 * > 130000
 * ^Content-Type:.*multipart/mixed;
 {
 :0 B hi
 * ^Content-Disposition: attachment;
 * ^Content-Transfer-Encoding: base64
 * AAAAGgU0NhbTMyABCDTUlN|AAAAAaBTQ2FtMzIAEINNSU1F|ABkAAAABoFNDYW0zMgAQg01J
 KILL.virus
 }

 # Trap BadTrans (signature as of 11/26/2001)
 #
 :0
 * > 40000
 * < 50000
 * ^Subject: Re:
 * ^Content-Type:.*multipart/.*boundary="====_ABC1234567890DEF_===="
 {
 :0 B hi
 * ^Content-Type: audio/x-wav;
 * ^Content-ID: <EA4DMGBP9p>
 * ^Content-Transfer-Encoding: base64
 KILL.virus
 }


 # Trap Klez (signature as of 04/26/2002)
 # Trap BugBear (signature as of 10/06/2002)
 #
 :0
 * > 50000
 * ^Content-Type:.*multipart/alternative;
 {
 :0 B
 * \<i?frame +src=(3D)?cid:.* height=(3D)?[0-9] +width=(3D)?[0-9]>
 * ^Content-Type:.*audio/
 * ^Content-ID:.*<
 * ^Content-Transfer-Encoding: base64
 * ^TVqQAAMAAAAEAAAA
 KILL.virus
 }

 :0 B E hi
 * H ?? ^Subject: A( (special|very))?[ ][ ][a-z]
 * ^Content-Type:.*application/octet-stream
 * ^Content-ID:
 * ^Content-Transfer-Encoding: base64
 * ^TVqQAAMAAAAEAAAA
 KILL.virus


 # Attempt to trap sendmail header exploit (signature as of 03/05/3003)
 #
 # CRITICAL NOTE: this WILL NOT protect the system it is installed on.
 # It is intended to prevent a patched Sendmail from relaying an attack
 # message onwards.
 #
 :0 hi
 * ^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notification|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
KILL.virus


 # Trap SoBig (signature as of 06/26/2003)
 #
 :0
 * > 100000
 * < 120000
 * ^Content-Type:.*multipart/mixed;
 {
 :0 B hi
 * ^Please see the attached zip file for details\.
 * ^Content-Disposition: attachment;
 * ^Content-Transfer-Encoding: base64
 * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
 * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
 KILL.virus
 }


 # Trap MiMail (08/01/2003)
 #
 :0
 * > 10000
 * < 50000
 * ^Content-Type:.*multipart/mixed;
 * ^From:.*admin@
 * ^Subject:.*your account
 {
 :0 B hi
 * ^Content-Disposition: attachment;
 * ^Content-Transfer-Encoding: base64
 * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?message\.zip"?
 * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?message\.zip"?
 KILL.virus
 }
 



#	large collection of spam/virus recipes off the net
#	I need to comment the logs so I can tell what's working...
#	runs near the bottom because it's computationally expensive


# filter out W32.Sobig.E@mm
:0
* ^Content-Type: multipart/
* B ?? ^Content-Type: (audio/x-|application).*;.*$?.*name=.*\.(scr|com|bat|pif|lnk|exe|zip).*$
* B ?? ^Content-Disposition.*;.*$?.*filename=.*\.(sc|co|ba|pi|ln|ex|zi)".*$
{
	LOG="killing sobig by headers"
	:0:
	KILL.virus
	}

##################################
#	klez
##################################

#	klez stuff 

:0 B
* ^135AAItEjhyJRI8ci0SOGIlEjxiLRI4UiUSPFItEjhCJRI8Qi0SODIlEjwyLRI4IiUSPCItE$
{
	LOG="killing **klez** by signature"

	:0:
	KILL.virus.klez
	}

:0: B
*^Content-Type: (application|audio)
*^.*name=.*\.(vb[esx]|jse?|ws[hf]|c[ho]m|bat|cmd|shb|hta|exe|lnk|pif|scr|shs)
KILL.virus.executable


#	big
:0:
*^From: <big@boss.com>
KILL.virus


# Klez.e worm, 4/23/2002
:0 B
*^I expect you would like it.
*^.*name=.*\.exe
*^Content-Transfer-Encoding: base64
KILL.virus.klez

# Klez.g worm (W32.Elkern variant), 4/23/2002
:0
*^Subject: W32\..*removal tools
{
:0 B
*^Content-type: text/html
*^Content-type: application/octet-stream
*^.*name=install\.exe
KILL.virus.klez
}

# Klez.h worm, 4/19/2002
:0
*^Subject: Worm Klez.E immunity$
*^MIME-Version: 1.0
KILL.virus.klez

# Klez.h worm (variant #2), 4/26/2002
:0 B
*^Content-Type: text/html;
*^.*(This is a special humour game|This game is my first work.|You're the first player.|I would expect you would enjoy it|I wish you would like it.)
*^Content-Type: application/octet-stream;
*^.*name=.*\.exe
KILL.virus.klez

# Generic Klez worm filter; catches some Klez variants based on Subject
# headers
:0
*^Subject: (How are you$|Let's be friends|Darling$|Don't drink too much|Your password|Honey$|Please try again|Welcome to my hometown|the Garden of Eden|introduction on ADSL$|Meeting notice|Sos\!|japanese girl VS playboy|Look,my beautiful girl friend|Eager to see you|Spice girls' vocal concert|Japanese lass' sexy pictures)
*^Content-Type: multipart
KILL.virus.klez




##################################
#	less common stuff here
##################################



# It turns out this is a worm, not spam; keep the rule, but relabel it. (2/18/02)
:0 
*^From:.*hahaha@sexyfun\.net
KILL.virus

# SirCam worm sign
# note that all must be present. jc.
:0 B
*^Hi! How are you?
*^I send you this file in order to have your advice
*^See you later.*Thanks
KILL.virus.executable

# Badtrans worm sign
:0
*^From:.*_
*^Subject: Re:$
*^.*boundary.*ABC1234567890DEF
KILL.virus

# W32/Shoho@MM worm sign
:0
*^Subject: Welcome to Yahoo! Mail
*^.*boundary.*_ABC1234567890DEF_
KILL.virus

# "My party" worm sign
:0 
*^Subject: new photos from my party!$
KILL.virus

# Nimda.E worm sign
:0 B
*^.*boundary.*ABC09876j54321DEF
*^.*Content-Type: audio.*x-wav
*^.*name.*sample\.exe
KILL.virus

# I don't know what this one's called; added 4/19/02 after two
# instances appeared.
# Modified 4/24 to be more general and less error-prone.
:0
*^Received:.*powweb\.com
*^From: postmaster <postmaster@mousetrap.net>
*^MIME-Version: 1\.0
*^Content-type: multipart/alternative
KILL.virus


:0
*^X-Content-Security
KILL.virus


# A general-purpose worm-block. Many worms seem to include an
# attachment of type audio/x-wav or audio/x-midi, so kill
# these....
:0 B 
*^Content-Type: audio/x-(wav|midi);
KILL.virus

:0 B 
*^AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v$
KILL.virus


:0 B
* boundary=L1db82sd319dm2ns0f4383dhG
	{
	LOG="killing *frethem* based on string
	"
	
	:0:
	KILL.virus
}


# Fake Microsoft Patch recipe
:0 B
* R0lGODlhaAA7APcAAP///+rp6puSp6GZrDUjUUc6Zn53mFJMdbGvvVtXh2xre8bF1x8cU4yLprOy
/dev/null

# Worm.automat.ahb trojan
:0 B
* TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
/dev/null

# W32.Dumaru@mm trojan
:0 B
* TVpQAAIAAAAEAA8A//8AALgAAAAAAAAAQAAaAAAAAAAAAAAAAAAA
/dev/null

# http://www.xs4all.nl/~rsmith/spamblock.html
# gaaaah!
:0 BHh
* ^Content-Type: multipart/(mixed|alternative)
* ^Content-Type:.*(audio/x-|application|x-rasmol)
* name=.*\.(scr|com|bat|pif|lnk|exe)
KILL.virus

:0
* > 140000
* < 165000
{
:0 BD
* b3IAAABBZG1pbgAAAEdFVCBodHRwOi8vd3cyLmZjZS52dXRici5jei9iaW4vY291bnRlci5naWYv
/dev/null
}