# Sample of well-known viruses that perlscan_scanner can use
#
# This is case-insensitive, and TAB-delimited. 
#
# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after 
# this file is modified
# ******
#
# Format: three columns
# 
# filename<TAB>size (in bytes)<TAB>Description of virus/whatever
#
# OR:
#
# string<TAB>Header<TAB>Description of virus/whatever
# 
# [this one allows you to match on (e.g.) Subject line.
#
# NOTE 1: This is the crudest "virus scanning" you can do - we are
# arbitrarily deciding that particular filenames of certain sizes contain
# viruses - when they may not. However this can be useful for the times
# when a new virus is discovered and your scanner cannot detect it (yet).
#
# NOTE 2: This is only good for picking up stand-alone viruses like the
# following. Macro viruses are impossible to detect with this method as
# they infect users docs.
#
# NOTE 3: Wildcards are supported. This system can also be used to deny
# Email containing "bad" extensions (e.g. .exe, .mp3, etc). No other
# wildcard type is supported. Be very careful with this feature. With 
# wildcards, the size field is ignored (i.e. any size matches).
#
# .exe	0	Executable attachment too large
#
# That would ban .EXE files from your site (but would
# still allow .zip files...
#
# .mp3	0	MP3 attachments disallowed
#
# ...would stop any Email containing MP3 attachments passing.
#
# NOTE 4: No you can't use  this to ban any file (i.e. *.*) that's over 
# a certain size  - you should 
# "echo 10000000 > /var/qmail/control/databytes" 
# to set the maximum SMTP message size to 10Mb.
#
# NOTE 5: The second option allows you to match on header. This would allow 
# you to block Email viruses when you don't know anything else other than 
# there's a wierd Subject line (or From line, or X-Spanska: header, ...). 
# Note that it's a case-sensitive, REGEX string, and the system will 
# automatically surround it with ^ and $ before matching. i.e. if you 
# want wildcards, explicitly put them in...
#
# The string _must_be_ "Virus-" followed by the header you wish to match
# on - followed by a colon (:).
#
# e.g.
#
# Pickles.*Breakfast	Virus-Subject:	Fake Example Pickles virus
#
# will match "Subject: Pickles for Breakfast" - and 
# not "Subject: Pickles - where did you go?"
#
#
# NOTE 6: Similar to the headers option, you can match on the mail ENVELOPE
# headers - i.e. "MAIL FROM:" and "RCPT TO:". These are identical to
# Virus-<header>, except that the header names are MAILFROM and RCPTTO only.
#
# e.g.
#
# bogus@address.here	Virus-MAILFROM:	Bad mail envelope not allowed here!
#
# NOTE 7: Another "faked" header - "Virus-TCPREMOTEIP" can be used to match
# actions against the IP address of the SMTP client.
#

EICAR.COM		69	EICAR Test Virus
Happy99.exe		10000	Happy99 Trojan
zipped_files.exe	120495	W32/ExploreZip.worm.pak virus
ILOVEYOU		Virus-Subject:	Love Letter Virus/Trojan
message/partial.*		Virus-Content-Type:	Message/partial MIME attachments blocked by policy
#The following matches Date: headers that are over 100 chars in length
#these are impossible in the wild
.{100,}			Virus-Date:		MIME Header Buffer Overflow
.{100,}			Virus-Mime-Version:	MIME Header Buffer Overflow 
.{100,}			Virus-Resent-Date:	MIME Header Buffer Overflow
#
#Let's stop that nasty BadTrans virus from uploading your keystrokes...
ZVDOHYIK@yahoo.com|udtzqccc@yahoo.com|DTCELACB@yahoo.com|I1MCH2TH@yahoo.com|WPADJQ12@yahoo.com|smr@eurosport.com|bgnd2@canada.com|muwripa@fairesuivre.com|eccles@ballsy.net|S_Mentis@mail-x-change.com|YJPFJTGZ@excite.com|JGQZCD@excite.com|XHZJ3@excite.com|OZUNYLRL@excite.com|tsnlqd@excite.com|cxkawog@krovatka.net|ssdn@myrealbox.com	Virus-To:	BadTrans Trojan exploit!

#
# These are examples of prudent defaults to set for most sites.
# Commented out by default
#.vbs	0	VBS files not allowed per Company security policy
#.lnk	0	LNK files not allowed per Company security policy
#.scr	0	SCR files not allowed per Company security policy
#.wsh	0	WSH files not allowed per Company security policy
#.hta	0	HTA files not allowed per Company security policy
#.pif	0	PIF files not allowed per Company security policy


# ******
# REMEMBER: run /var/qmail/bin/qmail-scanner-queue.pl -g after 
# this file is modified
# ******
#
# EOF 
